From a36e233051b35d3ca44b5bd38f8f6262c16c1833 Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Tue, 19 May 2020 17:24:57 +0100
Subject: [PATCH] Fix API auth crash and add more error messages
---
 app/blueprints/api/auth.py | 7 ++++---
 app/blueprints/api/endpoints.py | 12 +++++++-----
 app/blueprints/api/support.py | 4 ++--
 app/flatpages/help/api.md | 4 +++-
 4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/app/blueprints/api/auth.py b/app/blueprints/api/auth.py
index 6eeadde..234d481 100644
--- a/app/blueprints/api/auth.py
+++ b/app/blueprints/api/auth.py
@@ -16,6 +16,7 @@
 from flask import request, make_response, jsonify, abort
 from app.models import APIToken
+from .support import error
 from functools import wraps
 def is_api_authd(f):
@@ -29,13 +30,13 @@ def is_api_authd(f):
 elif value[0:7].lower() == "bearer ":
 access_token = value[7:]
 if len(access_token) < 10:
- abort(400)
+ error(400, "API token is too short")
 token = APIToken.query.filter_by(access_token=access_token).first()
 if token is None:
- abort(403)
+ error(403, "Unknown API token")
 else:
- abort(403)
+ abort(403, "Unsupported authentication method")
 return f(token=token, *args, **kwargs)
diff --git a/app/blueprints/api/endpoints.py b/app/blueprints/api/endpoints.py
index 65af3b0..29a9ec2 100644
--- a/app/blueprints/api/endpoints.py
+++ b/app/blueprints/api/endpoints.py
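Review bot: The `else` branch still goes through Flask's `abort(403, "Unsupported authentication method")`, which renders Werkzeug's HTML error page, while the two branches above it now answer with the JSON `{"success": false, "error": ...}` envelope via `error()`, so API clients receive two different formats for the same class of authentication failure. Change it to `error(403, "Unsupported authentication method")` as well; the `abort` import then stays only for whatever other uses remain in this file. For a rejected or unsupported bearer credential RFC 6750 expects 401 with a `WWW-Authenticate: Bearer` header rather than 403, but since the docs hunk in this commit only promises "4xx", that can be a follow-up. `is_api_authd` starts before this hunk and continues after it.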
@@ -143,19 +143,21 @@ def markdown():
 @is_package_page
 @is_api_authd
 def create_release(token, package):
+ if not token:
+ error(401, "Authentication needed")
+
 if not package.checkPerm(token.owner, Permission.APPROVE_RELEASE):
- return error(403, "You do not have the permission to approve releases")
+ error(403, "You do not have the permission to approve releases")
 json = request.json
 if json is None:
- return error(400, "JSON post data is required")
+ error(400, "JSON post data is required")
 for option in ["method", "title", "ref"]:
 if json.get(option) is None:
- return error(400, option + " is required in the POST data")
-
+ error(400, option + " is required in the POST data")
 if json["method"].lower() != "git":
- return error(400, "Release-creation methods other than git are not supported")
+ error(400, "Release-creation methods other than git are not supported")
 return handleCreateRelease(token, package, json["title"], json["ref"])
diff --git a/app/blueprints/api/support.py b/app/blueprints/api/support.py
index 0adf3db..92bce2b 100644
--- a/app/blueprints/api/support.py
+++ b/app/blueprints/api/support.py
@@ -1,12 +1,12 @@
 from app.models import PackageRelease, db, Permission
 from app.tasks.importtasks import makeVCSRelease
 from celery import uuid
-from flask import jsonify, make_response, url_for
+from flask import jsonify, abort, url_for
 import datetime
 def error(status, message):
- return make_response(jsonify({ "success": False, "error": message }), status)
+ abort(status, jsonify({ "success": False, "error": message }))
 def handleCreateRelease(token, package, title, ref):
diff --git a/app/flatpages/help/api.md b/app/flatpages/help/api.md
index 8387caa..2b7bacd 100644
--- a/app/flatpages/help/api.md
+++ b/app/flatpages/help/api.md
@@ -9,6 +9,8 @@ Authentication is done using Bearer tokens:
 You can use the `/api/whoami` to check authentication.
+Tokens can be attained by visiting "API Tokens" on your profile page.
+
 ## Endpoints
 ### Misc
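Review bot: The new `error(400, "JSON post data is required")` guard only covers `request.json` being `None`; a body that is valid JSON but not an object (a list, string or number) passes it, and the `json.get(option)` two lines later raises `AttributeError`, turning a malformed client request into a 500 instead of the 400 this validation is meant to produce. Widening the check to `if not isinstance(json, dict):` closes that. Likewise the presence check added for `method` says nothing about its type, so a non-string `method` fails on the following `json["method"].lower()` the same way; `if not isinstance(json["method"], str) or json["method"].lower() != "git":` keeps that case on the 400 path too. The `if not token` guard being placed before the `token.owner` access is the right order.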
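Review bot: `abort(status, jsonify({...}))` does not deliver the JSON body: Werkzeug's `abort(code, *args)` forwards the extra positional argument as the `HTTPException` description, and a `Response` object there is stringified into the HTML error page (its `<Response ... bytes [200 OK]>` repr escaped into the `<p>`), so every call site that switched from `return error(...)` to `error(...)` in this commit now answers with `text/html` instead of the `{"success": false, "error": ...}` envelope. Keep `make_response` in the `flask` import and raise the prepared response itself, `abort(make_response(jsonify({ "success": False, "error": message }), status))`, which Werkzeug re-raises unchanged. Since the callers in `auth.py` and `endpoints.py` now rely on `error()` never returning, a one-line docstring stating that it always raises would help the next reader who wonders about the dropped `return`s.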
@@ -16,7 +18,7 @@ You can use the `/api/whoami` to check authentication.
 * GET `/api/whoami/` - Json dictionary with the following keys:
 * `is_authenticated` - True on successful API authentication
 * `username` - Username of the user authenticated as, null otherwise.
- * 403 will be thrown on unsupported authentication type, invalid access token, or other errors.
+ * 4xx status codes will be thrown on unsupported authentication type, invalid access token, or other errors.
 ### Packages