diff doc/rest.txt @ 6519:22cf6ee7ad88

jwt issue example: require input data, lowercase roles If content-type is not supplied, input data will not be parsed. As a result, the JWT is issued with the user's assigned roles. Prevent this. Also lowercase all roles supplied in the input payload so "User", "user" and "useR" all match the case-insensitive "user" role.
author John Rouillard <rouilj@ieee.org>
date Sat, 30 Oct 2021 23:18:01 -0400
parents 66a061e52435
children f8df7fed18f6
--- a/doc/rest.txt	Thu Oct 21 10:43:20 2021 -0400
+++ b/doc/rest.txt	Sat Oct 30 23:18:01 2021 -0400
@@ -1857,6 +1857,8 @@
         @Routing.route("/jwt/issue", 'POST')
         @_data_decorator
         def generate_jwt(self, input):
+        """Create a JSON Web Token (jwt)
+        """
             import jwt
             import datetime
             from roundup.anypy.strings import b2s
@@ -1879,6 +1881,11 @@
             else:
                 raise Unauthorised(denialmsg)
 
+            # verify we have input data.
+            if not input:
+                raise UsageError("Missing data payload. "
+                             "Verify Content-Type is sent")
+
             # If we reach this point we have validated that the user has
             # logged in with a password using basic auth.
             all_roles = list(self.db.security.role.items())
@@ -1910,7 +1917,7 @@
 
             newroles = []
             if 'roles' in input:
-                for role in input['roles'].value:
+                for role in [ r.lower() for r in input['roles'].value ]:
                     if role not in rolenames:
                         raise UsageError("Role %s is not valid."%role)
                     if role in user_roles:
