Add simple auth-token to get JSON data

2025-01-31 16:36:20 +00:00 · 2016-01-26 23:49:23 -07:00 · 2016-01-26 23:49:23 -07:00 · 2573cf18ef
commit 2573cf18ef
parent 86abe56d91
2 changed files with 17 additions and 3 deletions
--- a/src/allmydata/scripts/magic_folder_cli.py
+++ b/src/allmydata/scripts/magic_folder_cli.py
@ -217,7 +217,7 @@ class StatusOptions(BasedirOptions):
            self['node-url'] = f.read().strip()


-def _get_json_for_fragment(options, fragment):
+def _get_json_for_fragment(options, fragment, method='GET'):
    nodeurl = options['node-url']
    if nodeurl.endswith('/'):
        nodeurl = nodeurl[:-1]
@ -334,7 +334,13 @@ def status(options):
            nice_created = humanize.naturaltime(now - created)
            print "    %s (%s): %s, version=%s, created %s" % (n, nice_size, status, version, nice_created)

-    magicdata = _get_json_for_fragment(options, 'magic_folder?t=json')
+    with open(os.path.join(nodedir, u'private', u'api_auth_token'), 'rb') as f:
+        token = f.read()
+    magicdata = _get_json_for_fragment(
+        options,
+        'magic_folder?t=json&token=' + token,
+        method='POST',
+    )
    if len(magicdata):
        uploads = [item for item in magicdata if item['kind'] == 'upload']
        downloads = [item for item in magicdata if item['kind'] == 'download']
--- a/src/allmydata/web/magic_folder.py
+++ b/src/allmydata/web/magic_folder.py
@ -1,5 +1,7 @@
 import simplejson

+from twisted.web.server import UnsupportedMethod
+
 from nevow import rend, url, tags as T
 from nevow.inevow import IRequest

@ -12,7 +14,6 @@ class MagicFolderWebApi(rend.Page):
    """

    def __init__(self, client):
-        ##rend.Page.__init__(self, storage)
        super(MagicFolderWebApi, self).__init__(client)
        self.client = client

@ -47,6 +48,13 @@ class MagicFolderWebApi(rend.Page):
    def renderHTTP(self, ctx):
        req = IRequest(ctx)
        t = get_arg(req, "t", None)
+        if req.method != 'POST':
+            raise UnsupportedMethod(('POST',))
+
+        token = get_arg(req, "token", None)
+        # XXX need constant-time comparison?
+        if token is None or token != self.client.get_auth_token():
+            raise WebError("Missing or invalid token.", 400)

        if t is None:
            return rend.Page.renderHTTP(self, ctx)