Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TNL-782 each request should have valid ID Token #2

Closed
wants to merge 65 commits into from
Closed

TNL-782 each request should have valid ID Token #2

wants to merge 65 commits into from

Conversation

tymofij
Copy link
Contributor

@tymofij tymofij commented Dec 2, 2014

Each incoming request is expected to have signed non-expired JSON Web Token, containing information about user (sub), matching edx-notes client id (to be set in provider's database) and signed with edx-notes client secret (the same).

https://openedx.atlassian.net/browse/TNL-782

olmar and others added 30 commits November 12, 2014 18:22
@olmar
Create app.
e237e94
@olmar
Add gitignore.
96f8e2d
@olmar
Use annotator store in views directly.
95765d5
@olmar
Add empty licence and other.
6e9d2a7
@olmar
Use cors and refactor.
0029c07
@olmar
Add tests.
8b380ad
@olmar
Use EdX Repository Skeleton.
06c069d
@olmar
Add more tests.
988a3e4
@olmar
Add more tests.
97d8ede
@olmar
Add server test.
d9cfbc6
@olmar
Fix test.
0d7e901
@olmar
Remove unused import.
693a928
@tymofij
Permission class for checking OAuth token
c475d4f
@olmar
Add travis yml.
a849820
@tymofij
make things work (through refusing everyone) when DB is not available
c70bd5d
@tymofij
chmod a+x ./manage.py
df5f511
@tymofij
change token check to look for X-Annotator-Auth-Token
0ef2b13
@olmar
Fix tests.
782ed10
@olmar
Remove django_nose from common setting.
0f77d84
@olmar
Move test staff.
b2bb6ca
@olmar
Add debug setting to prod.
78a1e92
@olmar
Add test requirements to travis.
6a032e8
@olmar
Remove mysql-python.
976de54
@olmar
Add coverage for test run.
f977dfe
@olmar
Add ES setting to test.
3dd0846
@olmar
Allow changing ES host and index.
b834963
@olmar
Add test.
a8aaab7
@olmar
Use own convert str.
26854cd
@olmar
Add coverage config.
d97c1ab
@olmar
Fix pep8 violations.
e83952d
@coveralls
Copy link

Coverage Status

Coverage increased (+1.98%) when pulling b75f00f on tim/id-token-auth into 440e47f on oleg/create-app.

@tymofij
Copy link
Contributor Author

tymofij commented Dec 2, 2014

@jimabramson @olmar @polesye please take a look
cc @jzoldak @benpatterson

polesye
polesye reviewed Dec 3, 2014
View reviewed changes
notesapi/v1/views.py
CREATE_FILTER_FIELDS = ('updated', 'created', 'consumer', 'id')
UPDATE_FILTER_FIELDS = ('updated', 'created', 'user', 'consumer')


@permission_classes((HasAccessToken,))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we set it globally? http://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, that is nice. done aa3c503

polesye
polesye reviewed Dec 3, 2014
View reviewed changes
notesapi/v1/permissions.py
raise TokenWrongIssuer
for request_field in ('GET', 'POST', 'DATA'):
if 'user' in getattr(request, request_field):
req_user = getattr(request, request_field)['user']
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to move this code in helper method:

def get_user(self, request):
  for request_field in ('GET', 'POST', 'DATA'):
    data = getattr(request, request_field)
    if 'user' in data:
      return data['user']
  return None

What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that would requre returning from get_user not unly user but request_field where it was found, for better error log if it does not match. IMHO not worth it.

@tymofij tymofij changed the title each request should have valid ID Token TNL-782 each request should have valid ID Token Dec 3, 2014
@tymofij tymofij mentioned this pull request Dec 3, 2014
Merged
jimabramson
jimabramson reviewed Dec 4, 2014
View reviewed changes
Makefile
@@ -1,4 +1,5 @@
PACKAGES = notesserver notesapi
.PHONY: requirements
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this allows make requirement to work, otherwise it will just stop seeing requirements directory exists.

@jimabramson
Copy link

@tymofij don't forget to add yourself to AUTHORS

@olmar
Copy link
Contributor

olmar commented Dec 4, 2014

👍 once previously mentioned commnents will be addressed

@tymofij tymofij mentioned this pull request Dec 4, 2014
Merged
@tymofij tymofij closed this Dec 4, 2014
@robrap robrap mentioned this pull request Nov 17, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tymofij @coveralls @jimabramson @olmar @polesye