OAuth2 support allowing public and user access #2099
Conversation
👍 looks good to me!!
Code looks fine except:
- for a couple of tests missing
- I think it's worth deploying in the test env and testing there
- this will not really change anything in the front end, right? What will be missing to finish it?
- I think it's worth removing the demo@microbio.me default
- it's not clear to me how this generated the client_id for existing users
# no error, or no authorization header. We should error if
# oauth is actually attempted but there was an auth issue
# (e.g., rate limit hit)
if errtype not in (None, 'invalid_request'):
test?
return
if self.inject_user:
if cid is None:
test?
Thanks @antgonza! Regarding your comments,
Here, and one is not possible to reach as noted in the code so I'm not sure how to test.
sounds good
It was not intended to change the front end, this was to allow for per-user support against the rest API.
@josenavas suggested this. We're fine with anything but it does need to be a valid qiita account.
We have not touched the existing code which already does this. What is missing though is a UI to generate per-user API tokens, which effectively needs to call the existing logic, and then issue a call to
Oh, I see the test issue now. "Test?" is somewhat ambiguous fyi... Ya, we can add one
On Apr 5, 2017 06:33, "Antonio Gonzalez" <notifications@github.com> wrote:
*@antgonza* commented on this pull request.
Code looks fine except:
- for a couple of tests missing
- I think it's worth deploying in the test env and testing there
- this will not really change anything in the front end, right? What will be missing to finish it?
- I think it's worth removing the demo@microbio.me default
- it's not clear to me how this generated the client_id for existing users
------------------------------
In qiita_db/handlers/oauth2.py <#2099 (comment)>:
+ Notes
+ -----
+ If an error with oauth2 occurs, a status code of 400 is set, a message
+ about the error is sent out over `write` and the response is ended
+ with `finish`. This happens without control being passed to the
+ handler, and in this situation, the handler is not executed.
+ """
+ @functools.wraps(f)
+ def wrapper(handler, *args, **kwargs):
+ errtype, errdesc, cid = _check_oauth2_header(handler)
+
+ if self.default_public:
+ # no error, or no authorization header. We should error if
+ # oauth is actually attempted but there was an auth issue
+ # (e.g., rate limit hit)
+ if errtype not in (None, 'invalid_request'):
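Review bot: the comment above `if errtype not in (None, 'invalid_request'):` equates `invalid_request` with "no authorization header", but the check accepts any `invalid_request` result, so if `_check_oauth2_header` also reports `invalid_request` for a header that is present but malformed, such a request would fall through to public access instead of the 400 the Notes block promises; either have the helper distinguish a missing header from a malformed one, or test for the missing-header case explicitly here, and cover both cases with a test.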
test?
------------------------------
In qiita_db/handlers/oauth2.py <#2099 (comment)>:
return
+ if self.inject_user:
+ if cid is None:
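Review bot: the `if cid is None:` branch under `inject_user` is reached by a request that carried no token and was let through by `default_public`; the hunk ends before showing whether it substitutes the public user or errors, so the Notes block should state that outcome and a test for the no-header plus `inject_user` combination would pin it down.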
test?
This was partially pair programmed with @ElDeveloper.

The goal of this PR is to lay the ground work for allowing handlers to optionally allow defaulting to a public user, and to also make the `User` available to the handler so that access control can be performed if necessary. What has been done so far is:

- `client_id` with a `User`
- `User` from a `client_id`
- `User` modifications
- `authenticate_oauth` decorator across all of Qiita

The way the new decorator works is to allow, per method, a means to describe whether it can default to access if a) a valid token is provided or b) if the `Authorization` header is not provided. If an oauth2 token is provided, and it is invalid, rate limited, etc, the decorator will error as expected. This approach requires that the developer indicate explicitly that a method can default to public, and that statement is proximal to the function signature. Second, and per method as well, the `User` object associated with the oauth2 `client_id` can be made available by monkey patching `get_current_user`. As of right now, the public user is `demo@microbio.me`. This monkey patching is parameterized as the original `authenticate_oauth` decorator did not do this, so it was added to minimize possible side effects from replacing the authentication mechanism.
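As an added illustration of the decorator semantics described above (example code written for this page, not Qiita's own `authenticate_oauth`), the following sketches a per-method decorator with `default_public` and `inject_user` flags: a missing header is tolerated only when the method opted in, a header that was presented but fails validation always ends the request with a 400, and the caller is exposed by monkey patching `get_current_user`. `_check_oauth2_header`, `TOKENS` and `FakeHandler` are constructed stand-ins, and the flag names are assumptions.

```python
import functools

PUBLIC_USER = "demo@microbio.me"            # public user named in the PR
TOKENS = {"tok-alice": "alice@example.org"}  # constructed token -> client_id map

def _check_oauth2_header(handler):
    """Constructed stand-in for the PR's helper: returns (errtype, errdesc, client_id)."""
    auth = handler.headers.get("Authorization")
    if auth is None:
        return "invalid_request", "Oauth2 error: missing Authorization header", None
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        return "invalid_token", "Oauth2 error: invalid access token", None
    return None, None, TOKENS[token]

def authenticate_oauth(default_public=False, inject_user=False):
    """Per-method decorator; the flag names are assumed, not taken from the PR."""
    def decorator(f):
        @functools.wraps(f)
        def wrapper(handler, *args, **kwargs):
            errtype, errdesc, cid = _check_oauth2_header(handler)
            # A missing header is tolerated only when the method opted in to public
            # access; a header that was present but failed validation always errors.
            if errtype is not None and not (default_public and errtype == "invalid_request"):
                handler.set_status(400)
                handler.write({"error": errtype, "error_description": errdesc})
                handler.finish()
                return  # the handler body is never executed
            if inject_user:
                # Expose the caller by monkey patching get_current_user on this instance
                handler.get_current_user = lambda: PUBLIC_USER if cid is None else cid
            return f(handler, *args, **kwargs)
        return wrapper
    return decorator

class FakeHandler:
    """Minimal stand-in for a Tornado RequestHandler, constructed for this example."""
    def __init__(self, headers):
        self.headers, self.status, self.body, self.finished = headers, 200, None, False
    def set_status(self, code): self.status = code
    def write(self, body): self.body = body
    def finish(self): self.finished = True
    def get_current_user(self): return None

    @authenticate_oauth(default_public=True, inject_user=True)
    def get_public(self): return ("ok", self.get_current_user())

    @authenticate_oauth()
    def get_private(self): return ("ok", "private")
```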