Add OAuth2 handling to the main APIController.

chromakode · Mar 15, 2012 · e6dcbb7 · e6dcbb7
1 parent 29fc6d4
commit e6dcbb7
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
@@ -54,6 +54,7 @@
 from r2.lib.log import log_text
 from r2.lib.filters import safemarkdown
 from r2.lib.scraper import str_to_image
+from r2.controllers.oauth2 import OAuth2ResourceController, require_oauth2_scope
 
 import csv
 from collections import defaultdict
@@ -88,11 +89,19 @@ def POST_new_captcha(self, form, jquery, *a, **kw):
         form._send_data(iden = iden) 
 
 
-class ApiController(RedditController):
+class ApiController(RedditController, OAuth2ResourceController):
     """
     Controller which deals with almost all AJAX site interaction.  
     """
 
+    def pre(self):
+        RedditController.pre(self)
+        if self._get_bearer_token(strict=False):
+            OAuth2ResourceController.pre(self)
+            if c.oauth_user:
+                c.user = c.oauth_user
+                c.user_is_loggedin = True
+
     @validatedForm()
     def ajax_login_redirect(self, form, jquery, dest):
         form.redirect("/login" + query_string(dict(dest=dest)))

diff --git a/r2/r2/controllers/oauth2.py b/r2/r2/controllers/oauth2.py
@@ -161,7 +161,7 @@ def pre(self):
         require_https()
 
         try:
-            access_token = self._get_bearer_token()
+            access_token = OAuth2AccessToken.get_token(self._get_bearer_token())
             require(access_token)
             c.oauth2_access_token = access_token
             account = Account._byID(access_token.user_id, data=True)
@@ -183,14 +183,15 @@ def pre(self):
     def _auth_error(self, code, error):
         abort(code, headers=[("WWW-Authenticate", 'Bearer realm="reddit", error="%s"' % error)])
 
-    def _get_bearer_token(self):
+    def _get_bearer_token(self, strict=True):
         auth = request.headers.get("Authorization")
         try:
             auth_scheme, bearer_token = require_split(auth, 2)
             require(auth_scheme.lower() == "bearer")
-            return OAuth2AccessToken.get_token(bearer_token)
+            return bearer_token
         except RequirementException:
-            self._auth_error(400, "invalid_request")
+            if strict:
+                self._auth_error(400, "invalid_request")
 
 def require_oauth2_scope(*scopes):
     def oauth2_scope_wrap(fn):

diff --git a/r2/r2/models/account.py b/r2/r2/models/account.py
@@ -228,7 +228,11 @@ def modhash(self, rand=None, test=False):
         return modhash(self, rand = rand, test = test)
 
     def valid_hash(self, hash):
-        return valid_hash(self, hash)
+        if self == c.oauth_user:
+            # OAuth authenticated requests do not require CSRF protection.
+            return True
+        else:
+            return valid_hash(self, hash)
 
     @classmethod
     @memoize('account._by_name')