2019-07-25 21:03:35 +02:00
|
|
|
from functools import wraps
|
|
|
|
from typing import Any, Callable, Dict
|
2016-06-01 14:39:58 +02:00
|
|
|
|
2016-06-24 02:26:09 +02:00
|
|
|
from django.utils.module_loading import import_string
|
2016-06-01 14:39:58 +02:00
|
|
|
from django.utils.translation import ugettext as _
|
2019-07-25 21:03:35 +02:00
|
|
|
from django.utils.cache import add_never_cache_headers
|
2013-10-17 19:21:18 +02:00
|
|
|
from django.views.decorators.csrf import csrf_exempt, csrf_protect
|
|
|
|
|
|
|
|
from zerver.decorator import authenticated_json_view, authenticated_rest_api_view, \
|
2019-07-25 21:03:35 +02:00
|
|
|
process_as_post, authenticated_uploads_api_view, RespondAsynchronously, \
|
|
|
|
ReturnT
|
2016-06-23 02:26:47 +02:00
|
|
|
from zerver.lib.response import json_method_not_allowed, json_unauthorized
|
2016-06-03 23:43:58 +02:00
|
|
|
from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
|
2013-10-30 16:33:08 +01:00
|
|
|
from django.conf import settings
|
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
METHODS = ('GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH')
|
2016-06-25 12:48:33 +02:00
|
|
|
FLAGS = ('override_api_url_scheme')
|
2013-10-17 19:21:18 +02:00
|
|
|
|
2019-10-02 00:10:30 +02:00
|
|
|
def default_never_cache_responses(
|
|
|
|
view_func: Callable[..., HttpResponse]) -> Callable[..., HttpResponse]:
|
|
|
|
"""Patched version of the standard Django never_cache_responses
|
|
|
|
decorator that adds headers to a response so that it will never be
|
|
|
|
cached, unless the view code has already set a Cache-Control
|
|
|
|
header.
|
|
|
|
|
|
|
|
We also need to patch this because our Django+Tornado
|
2019-07-25 21:03:35 +02:00
|
|
|
RespondAsynchronously hack involves returning a value that isn't a
|
|
|
|
Django response object, on which add_never_cache_headers would
|
|
|
|
crash. This only occurs in a case where client-side caching
|
|
|
|
wouldn't be possible anyway (we aren't returning a response to the
|
|
|
|
client yet -- it's for longpolling).
|
|
|
|
"""
|
|
|
|
@wraps(view_func)
|
|
|
|
def _wrapped_view_func(request: HttpRequest, *args: Any, **kwargs: Any) -> ReturnT:
|
|
|
|
response = view_func(request, *args, **kwargs)
|
2019-10-02 00:10:30 +02:00
|
|
|
if response is RespondAsynchronously or response.has_header("Cache-Control"):
|
|
|
|
return response
|
|
|
|
|
|
|
|
add_never_cache_headers(response)
|
2019-07-25 21:03:35 +02:00
|
|
|
return response
|
|
|
|
return _wrapped_view_func
|
|
|
|
|
2019-10-02 00:10:30 +02:00
|
|
|
@default_never_cache_responses
|
2013-10-17 19:21:18 +02:00
|
|
|
@csrf_exempt
|
2017-11-05 11:15:10 +01:00
|
|
|
def rest_dispatch(request: HttpRequest, **kwargs: Any) -> HttpResponse:
|
2013-10-17 19:21:18 +02:00
|
|
|
"""Dispatch to a REST API endpoint.
|
|
|
|
|
2016-06-23 02:26:47 +02:00
|
|
|
Unauthenticated endpoints should not use this, as authentication is verified
|
|
|
|
in the following ways:
|
|
|
|
* for paths beginning with /api, HTTP Basic auth
|
|
|
|
* for paths beginning with /json (used by the web client), the session token
|
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
This calls the function named in kwargs[request.method], if that request
|
|
|
|
method is supported, and after wrapping that function to:
|
|
|
|
|
|
|
|
* protect against CSRF (if the user is already authenticated through
|
|
|
|
a Django session)
|
|
|
|
* authenticate via an API key (otherwise)
|
|
|
|
* coerce PUT/PATCH/DELETE into having POST-like semantics for
|
|
|
|
retrieving variables
|
|
|
|
|
|
|
|
Any keyword args that are *not* HTTP methods are passed through to the
|
|
|
|
target function.
|
|
|
|
|
2016-06-24 02:26:09 +02:00
|
|
|
Never make a urls.py pattern put user input into a variable called GET, POST,
|
|
|
|
etc, as that is where we route HTTP verbs to target functions.
|
2013-10-17 19:21:18 +02:00
|
|
|
"""
|
2017-05-07 17:09:39 +02:00
|
|
|
supported_methods = {} # type: Dict[str, Any]
|
2016-06-25 12:48:33 +02:00
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
# duplicate kwargs so we can mutate the original as we go
|
|
|
|
for arg in list(kwargs):
|
|
|
|
if arg in METHODS:
|
|
|
|
supported_methods[arg] = kwargs[arg]
|
|
|
|
del kwargs[arg]
|
|
|
|
|
2019-08-12 05:44:35 +02:00
|
|
|
if 'GET' in supported_methods:
|
|
|
|
supported_methods.setdefault('HEAD', supported_methods['GET'])
|
|
|
|
|
2014-07-17 02:51:24 +02:00
|
|
|
if request.method == 'OPTIONS':
|
2017-05-07 17:09:39 +02:00
|
|
|
response = HttpResponse(status=204) # No content
|
2017-03-05 09:31:17 +01:00
|
|
|
response['Allow'] = ', '.join(sorted(supported_methods.keys()))
|
2014-07-17 02:51:24 +02:00
|
|
|
return response
|
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
# Override requested method if magic method=??? parameter exists
|
|
|
|
method_to_use = request.method
|
|
|
|
if request.POST and 'method' in request.POST:
|
|
|
|
method_to_use = request.POST['method']
|
|
|
|
|
2016-01-25 01:27:18 +01:00
|
|
|
if method_to_use in supported_methods:
|
2016-06-25 12:48:33 +02:00
|
|
|
entry = supported_methods[method_to_use]
|
|
|
|
if isinstance(entry, tuple):
|
|
|
|
target_function, view_flags = entry
|
|
|
|
target_function = import_string(target_function)
|
|
|
|
else:
|
|
|
|
target_function = import_string(supported_methods[method_to_use])
|
|
|
|
view_flags = set()
|
2013-10-17 19:21:18 +02:00
|
|
|
|
|
|
|
# Set request._query for update_activity_user(), which is called
|
|
|
|
# by some of the later wrappers.
|
|
|
|
request._query = target_function.__name__
|
|
|
|
|
|
|
|
# We want to support authentication by both cookies (web client)
|
|
|
|
# and API keys (API clients). In the former case, we want to
|
|
|
|
# do a check to ensure that CSRF etc is honored, but in the latter
|
|
|
|
# we can skip all of that.
|
|
|
|
#
|
|
|
|
# Security implications of this portion of the code are minimal,
|
|
|
|
# as we should worst-case fail closed if we miscategorise a request.
|
2016-06-23 02:26:47 +02:00
|
|
|
|
2016-06-25 12:48:33 +02:00
|
|
|
# for some special views (e.g. serving a file that has been
|
|
|
|
# uploaded), we support using the same url for web and API clients.
|
2017-01-24 05:50:04 +01:00
|
|
|
if ('override_api_url_scheme' in view_flags and
|
|
|
|
request.META.get('HTTP_AUTHORIZATION', None) is not None):
|
2018-04-13 19:04:39 +02:00
|
|
|
# This request uses standard API based authentication.
|
2018-12-11 20:46:52 +01:00
|
|
|
# For override_api_url_scheme views, we skip our normal
|
|
|
|
# rate limiting, because there are good reasons clients
|
|
|
|
# might need to (e.g.) request a large number of uploaded
|
|
|
|
# files or avatars in quick succession.
|
|
|
|
target_function = authenticated_rest_api_view(skip_rate_limiting=True)(target_function)
|
2018-04-13 19:04:39 +02:00
|
|
|
elif ('override_api_url_scheme' in view_flags and
|
|
|
|
request.GET.get('api_key') is not None):
|
|
|
|
# This request uses legacy API authentication. We
|
2018-12-11 20:46:52 +01:00
|
|
|
# unfortunately need that in the React Native mobile apps,
|
|
|
|
# because there's no way to set HTTP_AUTHORIZATION in
|
|
|
|
# React Native. See last block for rate limiting notes.
|
|
|
|
target_function = authenticated_uploads_api_view(skip_rate_limiting=True)(target_function)
|
2016-06-23 02:26:47 +02:00
|
|
|
# /json views (web client) validate with a session token (cookie)
|
2017-05-18 11:42:19 +02:00
|
|
|
elif not request.path.startswith("/api") and request.user.is_authenticated:
|
2013-10-17 19:21:18 +02:00
|
|
|
# Authenticated via sessions framework, only CSRF check needed
|
2018-12-11 20:46:52 +01:00
|
|
|
auth_kwargs = {}
|
|
|
|
if 'override_api_url_scheme' in view_flags:
|
|
|
|
auth_kwargs["skip_rate_limiting"] = True
|
|
|
|
target_function = csrf_protect(authenticated_json_view(target_function, **auth_kwargs))
|
2016-06-25 12:48:33 +02:00
|
|
|
|
2016-06-23 02:26:47 +02:00
|
|
|
# most clients (mobile, bots, etc) use HTTP Basic Auth and REST calls, where instead of
|
|
|
|
# username:password, we use email:apiKey
|
2013-10-30 16:33:08 +01:00
|
|
|
elif request.META.get('HTTP_AUTHORIZATION', None):
|
2013-10-17 19:21:18 +02:00
|
|
|
# Wrap function with decorator to authenticate the user before
|
|
|
|
# proceeding
|
2017-08-22 19:01:17 +02:00
|
|
|
view_kwargs = {}
|
|
|
|
if 'allow_incoming_webhooks' in view_flags:
|
|
|
|
view_kwargs['is_webhook'] = True
|
2018-03-16 23:37:32 +01:00
|
|
|
target_function = authenticated_rest_api_view(**view_kwargs)(target_function) # type: ignore # likely mypy bug
|
2016-06-23 02:26:47 +02:00
|
|
|
# Pick a way to tell user they're not authed based on how the request was made
|
2013-10-30 16:33:08 +01:00
|
|
|
else:
|
2016-06-23 02:26:47 +02:00
|
|
|
# If this looks like a request from a top-level page in a
|
|
|
|
# browser, send the user to the login page
|
2013-10-30 16:33:08 +01:00
|
|
|
if 'text/html' in request.META.get('HTTP_ACCEPT', ''):
|
2017-03-05 09:39:36 +01:00
|
|
|
# TODO: It seems like the `?next=` part is unlikely to be helpful
|
2018-12-04 02:12:08 +01:00
|
|
|
return HttpResponseRedirect('%s?next=%s' % (settings.HOME_NOT_LOGGED_IN, request.path))
|
2016-06-23 02:26:47 +02:00
|
|
|
# Ask for basic auth (email:apiKey)
|
2016-05-18 03:42:07 +02:00
|
|
|
elif request.path.startswith("/api"):
|
2016-06-01 14:39:58 +02:00
|
|
|
return json_unauthorized(_("Not logged in: API authentication or user session required"))
|
2018-12-17 00:10:20 +01:00
|
|
|
# Logged out user accessing an endpoint with anonymous user access on JSON; proceed.
|
|
|
|
elif request.path.startswith("/json") and 'allow_anonymous_user_web' in view_flags:
|
|
|
|
auth_kwargs = dict(allow_unauthenticated=True)
|
|
|
|
target_function = csrf_protect(authenticated_json_view(
|
|
|
|
target_function, **auth_kwargs))
|
2016-06-23 02:26:47 +02:00
|
|
|
# Session cookie expired, notify the client
|
2016-05-18 03:42:07 +02:00
|
|
|
else:
|
|
|
|
return json_unauthorized(_("Not logged in: API authentication or user session required"),
|
|
|
|
www_authenticate='session')
|
2013-10-30 16:33:08 +01:00
|
|
|
|
2013-10-17 19:21:18 +02:00
|
|
|
if request.method not in ["GET", "POST"]:
|
|
|
|
# process_as_post needs to be the outer decorator, because
|
|
|
|
# otherwise we might access and thus cache a value for
|
|
|
|
# request.REQUEST.
|
|
|
|
target_function = process_as_post(target_function)
|
2013-12-13 21:52:20 +01:00
|
|
|
|
2013-12-17 22:50:49 +01:00
|
|
|
return target_function(request, **kwargs)
|
2013-12-13 21:52:20 +01:00
|
|
|
|
2016-01-25 01:27:18 +01:00
|
|
|
return json_method_not_allowed(list(supported_methods.keys()))
|