comparison doc/rest.txt @ 6519:22cf6ee7ad88
jwt issue example: require input data, lowercase roles
If content-type is not supplied, input data will not be parsed. As a
result, the JWT has the user's assigned roles. Prevent this.
Also lowercase all roles supplied in the input payload so "User", "user"
and "useR" all match the case insensitive "user" role.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 30 Oct 2021 23:18:01 -0400 |
| parents | 66a061e52435 |
| children | f8df7fed18f6 |
| 6518:f4ed324c2ff8 | 6519:22cf6ee7ad88 |
|---|---|
| 1855 | 1855 |
| 1856 class RestfulInstance(object): | 1856 class RestfulInstance(object): |
| 1857 @Routing.route("/jwt/issue", 'POST') | 1857 @Routing.route("/jwt/issue", 'POST') |
| 1858 @_data_decorator | 1858 @_data_decorator |
| 1859 def generate_jwt(self, input): | 1859 def generate_jwt(self, input): |
| 1860 """Create a JSON Web Token (jwt) | |
| 1861 """ | |
| 1860 import jwt | 1862 import jwt |
| 1861 import datetime | 1863 import datetime |
| 1862 from roundup.anypy.strings import b2s | 1864 from roundup.anypy.strings import b2s |
| 1863 | 1865 |
| 1864 # require basic auth to generate a token | 1866 # require basic auth to generate a token |
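Review bot: the new docstring at 1860-1861 says only "Create a JSON Web Token (jwt)"; since this endpoint's behaviour is the whole point of the change, it should also state what the handler requires and does, e.g. that basic auth is mandatory, that a parsed data payload is required (so the request must carry a Content-Type), and that any `roles` list in the payload is matched case-insensitively and must be a subset of the caller's own roles. One or two lines here would save the next reader from reconstructing the contract from the checks below.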
| 1877 if scheme.lower() != 'basic': | 1879 if scheme.lower() != 'basic': |
| 1878 raise Unauthorised(denialmsg) | 1880 raise Unauthorised(denialmsg) |
| 1879 else: | 1881 else: |
| 1880 raise Unauthorised(denialmsg) | 1882 raise Unauthorised(denialmsg) |
| 1881 | 1883 |
| 1884 # verify we have input data. | |
| 1885 if not input: | |
| 1886 raise UsageError("Missing data payload. " | |
| 1887 "Verify Content-Type is sent") | |
| 1888 | |
| 1882 # If we reach this point we have validated that the user has | 1889 # If we reach this point we have validated that the user has |
| 1883 # logged in with a password using basic auth. | 1890 # logged in with a password using basic auth. |
| 1884 all_roles = list(self.db.security.role.items()) | 1891 all_roles = list(self.db.security.role.items()) |
| 1885 rolenames = [] | 1892 rolenames = [] |
| 1886 for role in all_roles: | 1893 for role in all_roles: |
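Review bot: the guard at 1885-1887 fails closed where the old code silently issued a token carrying all of the user's roles, which is the right direction, and it is correctly placed after the basic-auth check so unauthenticated callers learn nothing about the payload handling. Two things worth tightening: `if not input` also matches a request that did send a correct Content-Type but an empty body, so the message "Verify Content-Type is sent" will mislead that client; consider wording it as "Missing or empty data payload (check Content-Type)". Second, the roles branch further down is still conditional on `'roles' in input`, so a non-empty payload without a `roles` key is not rejected by this check; if the intent is that a token must always be scoped by an explicit roles list, this is the place to require the key as well.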
| 1908 if lifetime: # if lifetime = 0 make unlimited by omitting exp claim | 1915 if lifetime: # if lifetime = 0 make unlimited by omitting exp claim |
| 1909 claim['exp'] = datetime.datetime.utcnow() + lifetime | 1916 claim['exp'] = datetime.datetime.utcnow() + lifetime |
| 1910 | 1917 |
| 1911 newroles = [] | 1918 newroles = [] |
| 1912 if 'roles' in input: | 1919 if 'roles' in input: |
| 1913 for role in input['roles'].value: | 1920 for role in [ r.lower() for r in input['roles'].value ]: |
| 1914 if role not in rolenames: | 1921 if role not in rolenames: |
| 1915 raise UsageError("Role %s is not valid."%role) | 1922 raise UsageError("Role %s is not valid."%role) |
| 1916 if role in user_roles: | 1923 if role in user_roles: |
| 1917 newroles.append(role) | 1924 newroles.append(role) |
| 1918 continue | 1925 continue |
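Review bot: lowercasing only the input side at 1920 makes the two membership tests at 1921 and 1923 depend on `rolenames` and `user_roles` already being lowercase; if `self.db.security.role.items()` ever yields a mixed-case name, a valid role would now be rejected as "not valid". Either normalise both sides (`role.lower()` when building `rolenames` and `user_roles`) or add a comment stating the invariant that stored role names are lowercase. Minor: a generator expression (`(r.lower() for r in input['roles'].value)`) avoids building the intermediate list and follows PEP 8 spacing (`[r.lower() ...]` rather than `[ r.lower() ... ]`), and the error at 1922 now echoes the lowercased name rather than the value the client actually sent, which is worth knowing when reading logs.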
