From c5fcff4085eff47ec3bfa8788725d47111534813 Mon Sep 17 00:00:00 2001
From: redshiftzero
Date: Fri, 29 Jun 2018 13:15:21 -0700
Subject: [PATCH] Journalist API: Update last_access metadata with token auth

For auditing journalist access to the server

---
 securedrop/journalist_app/api.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/securedrop/journalist_app/api.py b/securedrop/journalist_app/api.py
index fc40cbce241..49bcf547660 100644
--- a/securedrop/journalist_app/api.py
+++ b/securedrop/journalist_app/api.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 from functools import wraps
 import json
@@ -56,8 +57,16 @@ def get_token():
         one_time_code = creds['one_time_code']
         try:
             journalist = Journalist.login(username, password, one_time_code)
-            return jsonify({'token': journalist.generate_api_token(
-                expiration=7200), 'expiration': 7200}), 200
+
+            response = jsonify({'token': journalist.generate_api_token(
+                expiration=7200), 'expiration': 7200})
+
+            # Update access metadata
+            journalist.last_access = datetime.utcnow()
+            db.session.add(journalist)
+            db.session.commit()
+
+            return response, 200
         except Exception:
             return abort(403, 'Token authentication failed.')
@@ -138,6 +147,9 @@ def single_submission(filesystem_id, submission_id):
     @token_required
     def post_reply(filesystem_id):
         source = get_or_404(Source, filesystem_id, Source.filesystem_id)
+        if not request.json:
+            abort(400, 'please send requests in valid JSON')
+
         if 'reply' not in request.json:
             abort(400, 'reply not found in request body')
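Review bot: The new `db.session.commit()` in get_token sits inside the `try` whose `except Exception` answers `abort(403, 'Token authentication failed.')`, so a database error while recording `last_access` is reported to the client as a failed login, and the handler does no `db.session.rollback()`, leaving the session in its failed state. Only the `Journalist.login` call needs the broad handler; the `last_access` update and commit belong after the `except`, where a failed commit surfaces as a server error instead of masquerading as a credential failure, which matters for an audit-oriented change. It would also help to state in a comment what the timestamp records, e.g. `# last_access marks successful token issuance, not each token-authenticated request` (whether token_required touches it elsewhere is not visible in this hunk). The body of get_token begins before the hunk.
```python
        try:
            journalist = Journalist.login(username, password, one_time_code)
        except Exception:
            return abort(403, 'Token authentication failed.')

        response = jsonify({'token': journalist.generate_api_token(
            expiration=7200), 'expiration': 7200})

        # Update access metadata: last_access marks successful token
        # issuance; a commit failure here is a server error, not an
        # authentication failure, so it is deliberately outside the try.
        journalist.last_access = datetime.utcnow()
        db.session.add(journalist)
        db.session.commit()

        return response, 200
```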
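Review bot: The added `if not request.json:` in post_reply only triggers when the accessor yields `None` or an empty object; with Flask's default `request.json` a body that is syntactically invalid JSON is, as far as I recall of the Flask versions of that era, rejected by the JSON loader with its own 400 before this branch runs, so the message 'please send requests in valid JSON' in practice covers a missing or wrong Content-Type rather than malformed JSON. If one uniform 400 for any unusable body is the intent, read it once with `data = request.get_json(silent=True)`, test `if not data:`, and use `data` in the following `'reply' not in` check so the body is not parsed twice. The body of post_reply continues past the hunk.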