Commit c8fcf1b0 authored by Eliot Berriot's avatar Eliot Berriot 💬

Support oauth token in URL

parent e3b0efb2
......@@ -374,6 +374,7 @@ OAUTH2_PROVIDER = {
"REFRESH_TOKEN_EXPIRE_SECONDS": 3600 * 24 * 15,
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 5 * 60,
"ACCESS_TOKEN_EXPIRE_SECONDS": 60 * 60 * 10,
"OAUTH2_SERVER_CLASS": "funkwhale_api.users.oauth.server.OAuth2Server",
}
OAUTH2_PROVIDER_APPLICATION_MODEL = "users.Application"
OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = "users.AccessToken"
......
import urllib.parse
import oauthlib.oauth2
class OAuth2Server(oauthlib.oauth2.Server):
def verify_request(self, uri, *args, **kwargs):
valid, request = super().verify_request(uri, *args, **kwargs)
if valid:
return valid, request
# maybe the token was given in the querystring?
query = urllib.parse.urlparse(request.uri).query
token = None
if query:
parsed_qs = urllib.parse.parse_qs(query)
token = parsed_qs.get("token", [])
if len(token) > 0:
token = token[0]
if token:
valid = self.request_validator.validate_bearer_token(
token, request.scopes, request
)
return valid, request
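Review bot: `verify_request` falls back to a bearer token read from the `token` query parameter for every request the header check rejects. An access token that stays valid for ten hours (`ACCESS_TOKEN_EXPIRE_SECONDS` in the settings hunk) can therefore appear wherever URLs are recorded: web-server and proxy access logs, browser history and `Referer` headers. RFC 6750 section 2.3 says this transport should not be used unless the token cannot be sent in the `Authorization` header. Nothing in the visible code limits the fallback to routes that need it, so I would gate it on those routes, or at least add a comment above the fallback such as `# SECURITY: tokens passed in the URL end up in access logs and Referer headers; scrub "token" from request logging`. The class and method also have no docstring; one sentence stating that header authentication is tried first and the query string only afterwards would help.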
......@@ -5,7 +5,7 @@ jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
def test_can_authenticate_using_token_param_in_url(factories, preferences, client):
def test_can_authenticate_using_jwt_token_param_in_url(factories, preferences, client):
user = factories["users.User"]()
preferences["common__api_authentication_required"] = True
url = reverse("api:v1:tracks-list")
......@@ -17,3 +17,20 @@ def test_can_authenticate_using_token_param_in_url(factories, preferences, clien
token = jwt_encode_handler(payload)
response = client.get(url, data={"jwt": token})
assert response.status_code == 200
def test_can_authenticate_using_oauth_token_param_in_url(
factories, preferences, client, mocker
):
mocker.patch(
"funkwhale_api.users.oauth.permissions.should_allow", return_value=True
)
token = factories["users.AccessToken"]()
preferences["common__api_authentication_required"] = True
url = reverse("api:v1:tracks-list")
response = client.get(url)
assert response.status_code == 401
response = client.get(url, data={"token": token.token})
assert response.status_code == 200
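Review bot: `test_can_authenticate_using_oauth_token_param_in_url` covers only the accepting path, and it patches `should_allow` to return `True`, so neither rejection of a bad token nor scope enforcement for URL-supplied tokens is exercised. Because the query-string fallback is a new way to authenticate, I would add a case asserting that an unknown value is still refused, for example `response = client.get(url, data={"token": "invalid"})` followed by `assert response.status_code == 401`. A second case with an expired `users.AccessToken` would be useful if the factory can produce one. The renamed JWT test in the first hunk continues outside the visible lines, so this note applies to the added test only.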