Add OAuth2 handling to the main ApiController.

commit e6dcbb7231fe590162ac83602d0abfffceb71d77 1 parent 29fc6d4
Max Goodman authored
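--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -54,6 +54,7 @@
 from r2.lib.log import log_text
 from r2.lib.filters import safemarkdown
 from r2.lib.scraper import str_to_image
+from r2.controllers.oauth2 import OAuth2ResourceController, require_oauth2_scope
 import csv
 from collections import defaultdict
@@ -88,11 +89,19 @@ def POST_new_captcha(self, form, jquery, *a, **kw):
 form._send_data(iden = iden)
-class ApiController(RedditController):
+class ApiController(RedditController, OAuth2ResourceController):
 """
 Controller which deals with almost all AJAX site interaction.
 """
+ def pre(self):
+ RedditController.pre(self)
+ if self._get_bearer_token(strict=False):
+ OAuth2ResourceController.pre(self)
+ if c.oauth_user:
+ c.user = c.oauth_user
+ c.user_is_loggedin = True
+
 @validatedForm()
 def ajax_login_redirect(self, form, jquery, dest):
 form.redirect("/login" + query_string(dict(dest=dest)))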
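Review bot: The new `pre` promotes any valid bearer token to a fully logged-in `c.user` for every ApiController handler, but nothing in this hunk ties that to a scope — `require_oauth2_scope` is imported and never applied here, so a handler that omits the decorator accepts a token of any scope as the equivalent of a cookie session (and, with the modhash exemption in account.py, without a CSRF token). Unless the decorator is enforced elsewhere, consider failing closed: record the authentication mode in `pre` (`c.oauth2_request = True`) and have the handler-validation layer refuse token-authenticated calls to handlers that declare no scopes. `RedditController.pre(self)` also runs first and, being outside the hunk, may derive more state from the cookie session than the two attributes overwritten afterwards; whatever else it sets would then describe the cookie user rather than the token user, which is worth confirming or resetting. A docstring would help the next reader, e.g. `"""Accept a bearer token as an alternative to the session cookie; on success the token's account becomes c.user."""`. The class body and `ajax_login_redirect` continue past the hunk.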
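--- a/r2/r2/controllers/oauth2.py
+++ b/r2/r2/controllers/oauth2.py
@@ -161,7 +161,7 @@ def pre(self):
 require_https()
 try:
- access_token = self._get_bearer_token()
+ access_token = OAuth2AccessToken.get_token(self._get_bearer_token())
 require(access_token)
 c.oauth2_access_token = access_token
 account = Account._byID(access_token.user_id, data=True)
@@ -183,14 +183,15 @@ def pre(self):
 def _auth_error(self, code, error):
 abort(code, headers=[("WWW-Authenticate", 'Bearer realm="reddit", error="%s"' % error)])
- def _get_bearer_token(self):
+ def _get_bearer_token(self, strict=True):
 auth = request.headers.get("Authorization")
 try:
 auth_scheme, bearer_token = require_split(auth, 2)
 require(auth_scheme.lower() == "bearer")
- return OAuth2AccessToken.get_token(bearer_token)
+ return bearer_token
 except RequirementException:
 if strict:
+ self._auth_error(400, "invalid_request")
 def require_oauth2_scope(*scopes):
 def oauth2_scope_wrap(fn):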
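Review bot: `_get_bearer_token` now returns the raw, unvalidated header value and, with `strict=False`, falls off the end and returns `None` implicitly on a missing or non-Bearer `Authorization` header; that dual contract deserves a docstring since ApiController branches on its truthiness, e.g. `"""Return the raw bearer token from the Authorization header, or None when strict is False and the header is absent or not a Bearer scheme; validation is left to OAuth2AccessToken.get_token."""`. Make the lenient path visibly intentional with an explicit `return None` after the `if strict:` block. It is worth a comment on the `get_token` line that a present-but-unknown token still fails closed — `require(access_token)` presumably raises rather than letting the request fall back to the cookie session — because the lenient caller makes that easy to misread. `pre` and its `try` begin before this hunk, and the `except` that turns the failure into an auth error is outside it.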
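--- a/r2/r2/models/account.py
+++ b/r2/r2/models/account.py
@@ -228,7 +228,11 @@ def modhash(self, rand=None, test=False):
 return modhash(self, rand = rand, test = test)
 def valid_hash(self, hash):
- return valid_hash(self, hash)
+ if self == c.oauth_user:
+ # OAuth authenticated requests do not require CSRF protection.
+ return True
+ else:
+ return valid_hash(self, hash)
 @classmethod
 @memoize('account._by_name')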
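Review bot: The modhash exemption is keyed on account identity (`self == c.oauth_user`) rather than on how the request was authenticated, and it is only safe because, as far as these hunks show, `c.oauth_user` is populated solely from a bearer token in the `Authorization` header, which a browser will not attach to a cross-site request — so the comment should state that reasoning, e.g. `# Bearer-token requests carry the token in the Authorization header, which browsers never send cross-site, so the modhash (CSRF) check is redundant here.` If `c.oauth_user` is not initialised on non-OAuth requests (its assignment is outside this hunk), the comparison relies on the template context returning a falsy default instead of raising; `oauth_user = getattr(c, "oauth_user", None)` followed by `if oauth_user is not None and self == oauth_user:` removes that dependency. Since `valid_hash` is the CSRF gate, every endpoint reachable with a token now has no defence beyond token secrecy, which makes per-handler scope enforcement on the API side the remaining control worth verifying.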