From b5df6c4416dcbc68ee3c6a6afa52223762185e51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gl?=
Date: Sat, 20 Aug 2011 23:06:14 +0200
Subject: [PATCH 1/2] update Authentication API
http://wiki.gpodder.org/wiki/Web_Services/API/Drafts#Authentication_API
---
 mygpo/api/advanced/auth.py | 43 +++++--------------------------------------
 mygpo/api/urls.py | 5 ++---
 2 files changed, 7 insertions(+), 41 deletions(-)
diff --git a/mygpo/api/advanced/auth.py b/mygpo/api/advanced/auth.py
index 814c4093..b00d0034 100644
--- a/mygpo/api/advanced/auth.py
+++ b/mygpo/api/advanced/auth.py
@@ -18,10 +18,6 @@
 from mygpo.api.basic_auth import require_valid_user, check_username
 from django.contrib import auth
 from django.http import HttpResponse
-from mygpo.api.httpresponse import JsonResponse
-from django.shortcuts import get_object_or_404
-from mygpo.api.models import Device
-from django.utils.translation import ugettext as _
 from datetime import datetime, timedelta
 from django.views.decorators.csrf import csrf_exempt
@@ -29,50 +25,21 @@
 @csrf_exempt
 @require_valid_user
 @check_username
-def login(request, username, device_uid):
+def login(request, username):
 """
 authenticates the user with regular http basic auth
- the device is created if it doesn't already exist
 """
- d, created = Device.objects.get_or_create(user=request.user, uid=device_uid)
-
- request.session['device'] = device_uid
- request.session.set_expiry(datetime.now()+timedelta(days=365))
-
- # the user has been logged in at this point already
- r = {'valid': True}
- return JsonResponse(r)
+ request.session.set_expiry(datetime.utcnow()+timedelta(days=365))
+ return HttpResponse()
 @csrf_exempt
 @check_username
-def logout(request, username, device_uid):
+def logout(request, username):
 """
 logs out the user. does nothing if he wasn't logged in
 """
- auth.logout(request)
+ auth.logout(request)
 return HttpResponse()
-
-
-@csrf_exempt
-def validate(request, username, device_uid):
- """
- checks if the client has been authenticated for the given useru
- """
- if not request.user.is_authenticated():
- return JsonResponse({'valid': False, 'reason': 'Client not authenticated'})
-
- if request.user.username != username:
- return JsonResponse({'valid': False, 'reason': 'Client authenticated for different username: %s' % request.user.username})
-
- get_object_or_404(Device, user=request.user, uid=device_uid)
-
- # skip if client isn't authenticated for any device
- if request.session['device'] and (device_uid != request.session['device']):
- return JsonResponse({'valid': False, 'reason': 'Client authenticated for different device: %s' % request.session['device']})
-
- return JsonResponse({'valid': True})
-
-
diff --git a/mygpo/api/urls.py b/mygpo/api/urls.py
index 911f357f..0550e9e1 100644
--- a/mygpo/api/urls.py
+++ b/mygpo/api/urls.py
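Review bot: The new `login` body hands `set_expiry` a naive `datetime.utcnow()` where the removed line used `datetime.now()`; Django's session backend derives the remaining age from that datetime with its own clock (`datetime.now()` in Django of that era, `timezone.now()` later), so a naive UTC value yields an expiry skewed by the server's UTC offset and cannot be subtracted from an aware clock at all. Passing a duration leaves the clock choice to the backend: `request.session.set_expiry(timedelta(days=365))`. A one-year session is also a long-lived bearer credential carried in the session cookie, far beyond Django's two-week default, so if that lifetime is deliberate a comment such as `# one-year session: clients persist the cookie instead of re-sending basic-auth credentials on every call` would record the reason. Nothing in the hunk shows the session key being rotated on login, so if `require_valid_user` does not itself call `auth.login()` a session id that existed before authentication is simply promoted — worth confirming against that decorator.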
@@ -22,9 +22,8 @@
 (r'^api/[12]/devices/(?P[\w.-]+)/(?P[\w.-]+)\.json', 'device'),
 (r'^api/[12]/devices/(?P[\w.-]+)\.json', 'devices'),
- (r'^api/2/auth/(?P[\w.-]+)/(?P[\w.-]+)/login\.json', 'auth.login'),
- (r'^api/2/auth/(?P[\w.-]+)/(?P[\w.-]+)/logout\.json', 'auth.logout'),
- (r'^api/2/auth/(?P[\w.-]+)/(?P[\w.-]+)/validate\.json', 'auth.validate'),
+ (r'^api/2/auth/(?P[\w.-]+)/login\.json', 'auth.login'),
+ (r'^api/2/auth/(?P[\w.-]+)/logout\.json', 'auth.logout'),
 (r'^api/2/tags/(?P\d+)\.json', 'directory.top_tags'),
 (r'^api/2/tag/(?P[^/]+)/(?P\d+)\.json', 'directory.tag_podcasts'),
 (r'^api/2/data/podcast\.json', 'directory.podcast_info'),
From 4ed83ca060285bcd6b3add14d42fe542c26bd7ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20K=C3=B6gl?=
Date: Sat, 27 Aug 2011 10:26:06 +0200
Subject: [PATCH 2/2] require POST requests for Auth API
---
 mygpo/api/advanced/auth.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/mygpo/api/advanced/auth.py b/mygpo/api/advanced/auth.py
index b00d0034..f7acfaf0 100644
--- a/mygpo/api/advanced/auth.py
+++ b/mygpo/api/advanced/auth.py
@@ -16,6 +16,7 @@
 #
 from mygpo.api.basic_auth import require_valid_user, check_username
+from mygpo.decorators import allowed_methods
 from django.contrib import auth
 from django.http import HttpResponse
 from datetime import datetime, timedelta
@@ -25,6 +26,7 @@
 @csrf_exempt
 @require_valid_user
 @check_username
+@allowed_methods(['POST'])
 def login(request, username):
 """
 authenticates the user with regular http basic auth
@@ -36,6 +38,7 @@ def login(request, username):
 @csrf_exempt
 @check_username
+@allowed_methods(['POST'])
 def logout(request, username):
 """
 logs out the user. does nothing if he wasn't logged in
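Review bot: `@allowed_methods(['POST'])` is added as the innermost decorator on `login`, so it runs only after `@require_valid_user` and `@check_username` have already processed the request; a GET carrying basic-auth credentials is therefore fully authenticated (and, if that decorator establishes the session, logged in) before it is turned away for its method. The method check is the cheapest and least sensitive gate, so it should wrap the others: move `@allowed_methods(['POST'])` to sit directly below `@csrf_exempt` and above `@require_valid_user` (`csrf_exempt` must stay outermost, since it marks the returned view for the middleware). The same ordering applies to the `logout` hunk that follows, whose last lines run past the end of this excerpt. This assumes `allowed_methods` is a plain view decorator that rejects on method before calling the wrapped view, which its name suggests but the hunk does not show.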