[taler-bank] branch master updated: keep CORS == * only for /api/*
From: |
gnunet |
Subject: |
[taler-bank] branch master updated: keep CORS == * only for /api/* |
Date: |
Fri, 09 Oct 2020 13:00:00 +0200 |
This is an automated email from the git hooks/post-receive script.
ms pushed a commit to branch master
in repository bank.
The following commit(s) were added to refs/heads/master by this push:
new 51d6019 keep CORS == * only for /api/*
51d6019 is described below
commit 51d60190caaab84fc618e11db6ef6797841900fa
Author: MS <ms@taler.net>
AuthorDate: Fri Oct 9 12:59:15 2020 +0200
keep CORS == * only for /api/*
---
talerbank/app/tests.py | 14 +++++++++++---
talerbank/app/views.py | 44 ++++++++++++++++++--------------------------
2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/talerbank/app/tests.py b/talerbank/app/tests.py
index 6a45515..02d3ad8 100644
--- a/talerbank/app/tests.py
+++ b/talerbank/app/tests.py
@@ -201,17 +201,25 @@ class AccessAndIntegrationApiWithdrawTestCase(TestCase):
def test_integration_api_withdraw_status(self):
wid = self.create_withdrawal()
- r = self.client.get(reverse("api-withdraw-operation",
kwargs=dict(withdraw_id=wid)))
+ r = self.client.get(
+ reverse(
+ "access-api-withdrawal-status",
+ kwargs=dict(
+ acct_id="RandomUser",
+ wid=wid)),
+ HTTP_AUTHORIZATION=make_auth_line("RandomUser", "XYZ")
+ )
self.assertEqual(r.status_code, 200)
def test_integration_api_withdraw_confirm(self):
wid = self.create_withdrawal()
r = self.client.post(
- reverse("api-withdraw-operation", kwargs=dict(withdraw_id=wid)),
+ reverse("access-api-withdrawal-confirm",
kwargs=dict(acct_id="RandomUser", wid=wid)),
data=dict(
reserve_pub="FXWC2JHBY8B0XE2MMGAJ9TGPY307TN12HVEKYSTN6HE3GTHTF8XG",
selected_exchange="payto://x-taler-bank/localhost/RandomUser"),
- content_type="application/json"
+ content_type="application/json",
+ HTTP_AUTHORIZATION=make_auth_line("RandomUser", "XYZ")
)
self.assertEqual(r.status_code, 200)
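Review bot: Neither test asserts anything about the Access-Control-Allow-Origin header, although that header is the subject of this commit; `self.assertEqual(r.status_code, 200)` at the end of each test is the only check. If `access-api-withdrawal-status` and `access-api-withdrawal-confirm` route to the `bank_accounts_api_*` views that this commit strips of `@allow_origin_star`, adding `self.assertNotIn("Access-Control-Allow-Origin", r)` after each status assertion would pin the new behaviour, and a matching `self.assertEqual(r["Access-Control-Allow-Origin"], "*")` belongs in whatever test still covers the `/api/*` views. Note also that the only calls to `api-withdraw-operation` were removed here, so `api_withdraw_operation`, which this commit newly places behind `login_via_headers`, is no longer exercised by this test case. The enclosing class continues outside the hunk.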
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index 9a21ff2..044f784 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -69,6 +69,22 @@ LOGGER = logging.getLogger(__name__)
# can handle (because of the wallet).
UINT64_MAX = (2 ** 64) - 1
+##
+# Decorator function that authenticates requests by fetching
+# the credentials over the HTTP requests headers.
+#
+# @param view_func function that will be called after the
+# authentication, and that will usually serve the requested
+# endpoint.
+# @return FIXME.
+def login_via_headers(view_func):
+ def _decorator(request, *args, **kwargs):
+ user_account = basic_auth(request)
+ if not user_account:
+ raise LoginFailed("authentication failed")
+ return view_func(request, user_account, *args, **kwargs)
+ return wraps(view_func)(_decorator)
+
def allow_origin_star(view_func):
def _decorator(request, *args, **kwargs):
response = view_func(request, *args, **kwargs)
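Review bot: The moved block still carries `# @return FIXME.`, so the one fact a user of `login_via_headers` needs is undocumented: the wrapped view is invoked as `view_func(request, user_account, *args, **kwargs)`, so it must accept the authenticated account as its second positional parameter. I would replace the placeholder with `# @return the wrapped view; it raises LoginFailed when basic_auth() returns no account, otherwise calls view_func(request, user_account, *args, **kwargs).` and change `over the HTTP requests headers` to `from the HTTP request headers`. `allow_origin_star` begins on the last lines of this hunk and its body continues outside it.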
@@ -535,6 +551,7 @@ def config_view(request):
@require_GET
@allow_origin_star
+@login_via_headers
def api_config(request):
"""
Config query of the taler bank integration api
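Review bot: `api_config(request)` declares only `request`, but `login_via_headers` calls `view_func(request, user_account, *args, **kwargs)`, so every authenticated request to this view would fail with a TypeError for the unexpected second positional argument; the other views carrying `@login_via_headers` in this diff (`bank_accounts_api_balance` and friends) all declare that parameter. The same mismatch applies to `api_withdraw_operation(request, withdraw_id)` in the hunk at line 1061, where the URL keyword `withdraw_id` would additionally collide with the positional `user_account`. Either the signatures become `def api_config(request, user_account):` and `def api_withdraw_operation(request, user_account, withdraw_id):`, or, if these integration-API endpoints are meant to stay reachable without credentials (the docstring calls this the bank integration API, and the removed test calls to `api-withdraw-operation` sent no Authorization header), the decorator should not be added to them at all. Separately, `@allow_origin_star` wraps `@login_via_headers`, so a `LoginFailed` raised by the inner decorator presumably propagates past the point where the CORS header is added, unless `allow_origin_star` handles exceptions further down, which the hunk does not show; a browser client would then see an opaque CORS failure instead of the authentication error. `api_config`'s body continues outside the hunk.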
@@ -631,23 +648,6 @@ def serve_public_accounts(request, name=None, page=None):
)
return render(request, "public_accounts.html", context)
-
-##
-# Decorator function that authenticates requests by fetching
-# the credentials over the HTTP requests headers.
-#
-# @param view_func function that will be called after the
-# authentication, and that will usually serve the requested
-# endpoint.
-# @return FIXME.
-def login_via_headers(view_func):
- def _decorator(request, *args, **kwargs):
- user_account = basic_auth(request)
- if not user_account:
- raise LoginFailed("authentication failed")
- return view_func(request, user_account, *args, **kwargs)
- return wraps(view_func)(_decorator)
-
##
# Build the DB query switch based on the "direction" history
# argument given by the user.
@@ -1061,6 +1061,7 @@ def withdraw_headless(request, user):
@csrf_exempt
@allow_origin_star
+@login_via_headers
def api_withdraw_operation(request, withdraw_id):
"""
Endpoint used by the browser and wallet to check withdraw status and
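Review bot: The docstring still presents this endpoint as something the browser and wallet call to check withdraw status, but does not mention that with `@login_via_headers` applied the request must now carry credentials that `basic_auth()` accepts, or `LoginFailed` is raised before the view runs. Add a line such as `Requires HTTP Basic credentials (see login_via_headers); the authenticated account is passed as the second positional argument.` to the docstring, and make sure the signature actually accepts that argument, since `withdraw_id` arrives as a URL keyword here. The docstring and the function body continue outside the hunk.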
@@ -1143,7 +1144,6 @@ def api_withdraw_operation(request, withdraw_id):
@login_required
@require_POST
-@allow_origin_star
def start_withdrawal(request):
"""
Serve a Taler withdrawal request; takes the amount chosen
@@ -1175,7 +1175,6 @@ def get_qrcode_svg(data):
@login_required
@require_GET
-@allow_origin_star
def show_withdrawal(request, withdraw_id):
op = TalerWithdrawOperation.objects.get(withdraw_id=withdraw_id)
if op.selection_done:
@@ -1196,7 +1195,6 @@ def show_withdrawal(request, withdraw_id):
@login_required
@require_http_methods(["GET", "POST"])
-@allow_origin_star
def confirm_withdrawal(request, withdraw_id):
op = TalerWithdrawOperation.objects.get(withdraw_id=withdraw_id)
if not op.selection_done:
@@ -1320,7 +1318,6 @@ def wire_transfer(amount, debit_account, credit_account,
subject, request_uid=No
@csrf_exempt
@require_GET
@login_via_headers
-@allow_origin_star
def bank_accounts_api_balance(request, user_account, acct_id):
"""
Query the balance for an account.
@@ -1348,7 +1345,6 @@ def bank_accounts_api_balance(request, user_account,
acct_id):
@csrf_exempt
@require_POST
@login_via_headers
-@allow_origin_star
def bank_accounts_api_create_withdrawal(request, user, acct_id):
user_account = BankAccount.objects.get(user=user)
@@ -1378,7 +1374,6 @@ def bank_accounts_api_create_withdrawal(request, user,
acct_id):
@csrf_exempt
@require_GET
@login_via_headers
-@allow_origin_star
def bank_accounts_api_get_withdrawal(request, user, acct_id, wid):
user_account = BankAccount.objects.get(user=user)
if acct_id != user_account.user.username:
@@ -1412,7 +1407,6 @@ def withdraw_abort_internal(wid):
@require_POST
@login_required
-@allow_origin_star
def abort_withdrawal(request, withdraw_id):
internal_status = withdraw_abort_internal(withdraw_id)
set_session_hint(request, success=internal_status["status"] == 200,
hint=internal_status["hint"])
@@ -1422,7 +1416,6 @@ def abort_withdrawal(request, withdraw_id):
@csrf_exempt
@require_POST
@login_via_headers
-@allow_origin_star
def bank_accounts_api_abort_withdrawal(request, user, acct_id, wid):
user_account = BankAccount.objects.get(user=user)
if acct_id != user_account.user.username:
@@ -1438,7 +1431,6 @@ def bank_accounts_api_abort_withdrawal(request, user,
acct_id, wid):
@csrf_exempt
@require_POST
@login_via_headers
-@allow_origin_star
def bank_accounts_api_confirm_withdrawal(request, user, acct_id, wid):
user_account = BankAccount.objects.get(user=user)
if acct_id != user_account.user.username:
--