Add API auth for doors

2020-10-08 23:11:35 +03:00 · 2020-10-08 23:11:35 +03:00 · 3551611c85
parent 7878cadb30
commit 3551611c85
3 changed files with 36 additions and 13 deletions
--- a/kdoorweb/kdoorweb/api.py
+++ b/kdoorweb/kdoorweb/api.py
@ -1,29 +1,33 @@
-from bottle import Bottle, request, response
+import hashlib
+from functools import partial
+
+from bottle import Bottle, request, response, HTTPError


 api = Bottle()

+scrypt = partial(hashlib.scrypt, n=16384, r=8, p=1)
+

-# FIXME: Fix door api auth
 def check_api_auth(callback):
    def wrapper(*args, **kwargs):
        print("check api auth")
+        user, api_key = request.auth or (None, None)
        if "db" not in kwargs:
-            request.current_user = None
-            return callback(*args, **kwargs)
-        user = None
-        request.current_user = user
-        if user:
-            print(f"logged in as {user['user']}")
-            print(request.current_user)
+            return "Auth not possible, db not available"
+        user = kwargs["db"].get_door_by_name_and_api_key(user) or {}
+        stored_hash, salt = dict(user).get("api_key", ":").split(":")
+        api_hash = scrypt(api_key, salt=salt)
+        if user and api_hash  == api_key:
+            request.current_door = user
+            print(f"logged in as {user['name']}")
+            print(user)
            return callback(*args, **kwargs)
        else:
            print("not logged in")
            return "Invalid authentication"
    return wrapper

-# FIXME: db plugin not available yet
-api.install(check_api_auth)

@api.route("/")
 def index():
--- a/kdoorweb/kdoorweb/db.py
+++ b/kdoorweb/kdoorweb/db.py
@ -83,7 +83,7 @@ class DB:
            );
            create table doors (
                id integer primary key,
-                name text,
+                name text unique,
                note text,
                api_key text,
                created text,
@ -180,6 +180,24 @@ class DB:
        """)
        return cur.fetchall()

+    def add_door(self, name, note, api_key):
+        self.add_doors([name, note, api_key, ])
+
+    def add_doors(self, doors):
+        self.db.executemany("""
+                    insert into doors(name, note, api_key, created, disabled)
+                    values(?, ?, ?, ?, ?)
+                """, doors)
+        self.db.commit()
+
+    def get_door(self, door_id):
+        cur = self.db.execute("select id, name, note, api_key, created, disabled from doors where id = ?", (door_id,))
+        return cur.fetchone()
+
+    def get_door_by_name(self, name):
+        cur = self.db.execute("select id, name, note, api_key, created, disabled from doors where name = ?", (name,))
+        return cur.fetchone()
+
    @staticmethod
    def import_ad(json_file):
        with open(json_file) as fp:
--- a/kdoorweb/kdoorweb/web.py
+++ b/kdoorweb/kdoorweb/web.py
@ -5,7 +5,7 @@ from bottle import Bottle, view, TEMPLATE_PATH, static_file, \
    request, redirect, response, HTTPError

 from .db import SQLitePlugin
-from .api import api
+from .api import api, check_api_auth

 application = app = Bottle()

@ -56,6 +56,7 @@ app.install(db_plugin)
 app.install(check_auth)

 api.install(db_plugin)
+api.install(check_api_auth)
 app.mount("/api/v1", api)