OAuth2 support allowing public and user access #2099
Conversation
|
👍 looks good to me!! |
There was a problem hiding this comment.
Code looks fine except:
- for a couple of tests missing
- I think it's worth deploying in the test env and testing there
- this will not really change anything in the front end, right? What will be missing to finish it?
- I think is worth removing the demo@microbio.me default
- it's not clear for me how this generated the client_id for existing users
| # no error, or no authorization header. We should error if | ||
| # oauth is actually attempted but there was an auth issue | ||
| # (e.g., rate limit hit) | ||
| if errtype not in (None, 'invalid_request'): |
| return | ||
| if self.inject_user: | ||
| if cid is None: |
|
Thanks @antgonza! Regarding your comments,
Here, and one is not possible to reach as noted in the code so I'm not sure how to test.
sounds good
It was not intended to change the front end, this was to allow for per-user support against the rest API.
@josenavas suggested this. We're fine with anything but it does need to be a valid qiita account.
We have not touched the existing code which already does this. What is missing though is a UI to generate per-user API tokens, which effectively needs to call the existing logic, and then issue a call to |
|
Oh, I see the test issue now. "Test?" Is somewhat ambiguous fyi... Ya, we
can add one
On Apr 5, 2017 06:33, "Antonio Gonzalez" <notifications@github.com> wrote:
*@antgonza* commented on this pull request.
Code looks fine except:
- for a couple of tests missing
- I think it's worth deploying in the test env and testing there
- this will not really change anything in the front end, right? What
will be missing to finish it?
- I think is worth removing the demo@microbio.me default
- it's not clear for me how this generated the client_id for existing
users
------------------------------
In qiita_db/handlers/oauth2.py
<#2099 (comment)>:
+ Notes
+ -----
+ If an error with oauth2 occurs, a status code of 400 is set, a message
+ about the error is sent out over `write` and the response is ended
+ with `finish`. This happens without control being passed to the
+ handler, and in this situation, the handler is not executed.
+ """
+ @functools.wraps(f)
+ def wrapper(handler, *args, **kwargs):
+ errtype, errdesc, cid = _check_oauth2_header(handler)
+
+ if self.default_public:
+ # no error, or no authorization header. We should error if
+ # oauth is actually attempted but there was an auth issue
+ # (e.g., rate limit hit)
+ if errtype not in (None, 'invalid_request'):
test?
------------------------------
In qiita_db/handlers/oauth2.py
<#2099 (comment)>:
return
+ if self.inject_user:
+ if cid is None:
test?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#2099 (review)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAc8smaE97zZl0s7KAoGMMEfEt2tssTDks5rs5gNgaJpZM4Mzd0e>
.
|
This was partially pair programmed with @ElDeveloper.
The goal of this PR is to lay the ground work for allowing handlers to optionally allow defaulting to a public user, and to also make the
Useravailable to the handler so that access control can be performed if necessary.What has been done so far is:
client_idwith aUserUserfrom aclient_idUsermodificationsauthenticate_oauthdecorator across all of QiitaThe way the new decorator works is to allow, per method, a means to describe whether it can default to access if a) a valid token is provided or b) if the
Authorizationheader is not provided. If a oauth2 token is provided, and it is invalid, rate limited, etc, the decorator will error as expected. This approach requires the developer indicate explicitly that a method can default to public, and that statement is proximal to the function signature. Second, and per method as well, theUserobject associated with the oauth2client_idcan be made available by monkey patchingget_current_user. As of right now, the public user isdemo@microbio.me. This monkey patching is parameterized as the originalauthenticate_oauthdecorator did not do this, so it was added to minimize possible side effects from replacing the authentication mechanism.