
[taler-bank] branch master updated: keep CORS == * only for /api/*


From: gnunet
Subject: [taler-bank] branch master updated: keep CORS == * only for /api/*
Date: Fri, 09 Oct 2020 13:00:00 +0200

This is an automated email from the git hooks/post-receive script.

ms pushed a commit to branch master
in repository bank.

The following commit(s) were added to refs/heads/master by this push:
     new 51d6019  keep CORS == * only for /api/*
51d6019 is described below

commit 51d60190caaab84fc618e11db6ef6797841900fa
Author: MS <ms@taler.net>
AuthorDate: Fri Oct 9 12:59:15 2020 +0200

    keep CORS == * only for /api/*
---
 talerbank/app/tests.py | 14 +++++++++++---
 talerbank/app/views.py | 44 ++++++++++++++++++--------------------------
 2 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/talerbank/app/tests.py b/talerbank/app/tests.py
index 6a45515..02d3ad8 100644
--- a/talerbank/app/tests.py
+++ b/talerbank/app/tests.py
@@ -201,17 +201,25 @@ class AccessAndIntegrationApiWithdrawTestCase(TestCase):
 
     def test_integration_api_withdraw_status(self):
         wid = self.create_withdrawal()
-        r = self.client.get(reverse("api-withdraw-operation", 
kwargs=dict(withdraw_id=wid)))
+        r = self.client.get(
+            reverse(
+                "access-api-withdrawal-status",
+                kwargs=dict(
+                    acct_id="RandomUser",
+                    wid=wid)),
+            HTTP_AUTHORIZATION=make_auth_line("RandomUser", "XYZ")
+        )
         self.assertEqual(r.status_code, 200)
 
     def test_integration_api_withdraw_confirm(self):
         wid = self.create_withdrawal()
         r = self.client.post(
-            reverse("api-withdraw-operation", kwargs=dict(withdraw_id=wid)),
+            reverse("access-api-withdrawal-confirm", 
kwargs=dict(acct_id="RandomUser", wid=wid)),
             data=dict(
                 
reserve_pub="FXWC2JHBY8B0XE2MMGAJ9TGPY307TN12HVEKYSTN6HE3GTHTF8XG",
                 selected_exchange="payto://x-taler-bank/localhost/RandomUser"),
-            content_type="application/json"
+            content_type="application/json",
+            HTTP_AUTHORIZATION=make_auth_line("RandomUser", "XYZ")
         )
         self.assertEqual(r.status_code, 200)
 
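Review bot: Both rewritten tests cover only the accepted path — each sends the correct Basic credentials for "RandomUser" against an `acct_id` of "RandomUser" — while the commit's point is that these endpoints now sit behind header authentication, so a request with no `HTTP_AUTHORIZATION`, or with valid credentials for a user other than `acct_id`, should get a negative test asserting a 4xx status. The redirection of `test_integration_api_withdraw_status` from `api-withdraw-operation` to `access-api-withdrawal-status` also leaves `api_withdraw_operation`, which gains `@login_via_headers` in views.py in this same commit, with no test at all. A smaller point of style: both methods keep the `test_integration_api_*` names although they now target access-API routes; `test_access_api_withdraw_status` and `test_access_api_withdraw_confirm` would match the URL names used.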
diff --git a/talerbank/app/views.py b/talerbank/app/views.py
index 9a21ff2..044f784 100644
--- a/talerbank/app/views.py
+++ b/talerbank/app/views.py
@@ -69,6 +69,22 @@ LOGGER = logging.getLogger(__name__)
 # can handle (because of the wallet).
 UINT64_MAX = (2 ** 64) - 1
 
+##
+# Decorator function that authenticates requests by fetching
+# the credentials over the HTTP requests headers.
+#
+# @param view_func function that will be called after the
+#        authentication, and that will usually serve the requested
+#        endpoint.
+# @return FIXME.
+def login_via_headers(view_func):
+    def _decorator(request, *args, **kwargs):
+        user_account = basic_auth(request)
+        if not user_account:
+            raise LoginFailed("authentication failed")
+        return view_func(request, user_account, *args, **kwargs)
+    return wraps(view_func)(_decorator)
+
 def allow_origin_star(view_func):
     def _decorator(request, *args, **kwargs):
         response = view_func(request, *args, **kwargs)
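Review bot: The `@return FIXME.` in the relocated comment block is carried over verbatim even though the contract is fully visible here; it could read `# @return the wrapped view: raises LoginFailed when basic_auth() yields no account, otherwise calls view_func with that account inserted as the second positional argument.` Moving the definition above its first use in `api_config` is necessary, but the docstring should be finished while it is touched. Separately, because the failure is raised rather than returned, any header `allow_origin_star` adds to `response` after `view_func` returns is presumably not applied on the LoginFailed path, so a cross-origin browser caller of an `/api/*` route will likely see an opaque error — confirm how LoginFailed is rendered by the middleware. `allow_origin_star`'s body continues outside the hunk.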
@@ -535,6 +551,7 @@ def config_view(request):
 
 @require_GET
 @allow_origin_star
+@login_via_headers
 def api_config(request):
     """
     Config query of the taler bank integration api
@@ -631,23 +648,6 @@ def serve_public_accounts(request, name=None, page=None):
     )
     return render(request, "public_accounts.html", context)
 
-
-##
-# Decorator function that authenticates requests by fetching
-# the credentials over the HTTP requests headers.
-#
-# @param view_func function that will be called after the
-#        authentication, and that will usually serve the requested
-#        endpoint.
-# @return FIXME.
-def login_via_headers(view_func):
-    def _decorator(request, *args, **kwargs):
-        user_account = basic_auth(request)
-        if not user_account:
-            raise LoginFailed("authentication failed")
-        return view_func(request, user_account, *args, **kwargs)
-    return wraps(view_func)(_decorator)
-
 ##
 # Build the DB query switch based on the "direction" history
 # argument given by the user.
@@ -1061,6 +1061,7 @@ def withdraw_headless(request, user):
 
 @csrf_exempt
 @allow_origin_star
+@login_via_headers
 def api_withdraw_operation(request, withdraw_id):
     """
     Endpoint used by the browser and wallet to check withdraw status and
@@ -1143,7 +1144,6 @@ def api_withdraw_operation(request, withdraw_id):
 
 @login_required
 @require_POST
-@allow_origin_star
 def start_withdrawal(request):
     """
     Serve a Taler withdrawal request; takes the amount chosen
@@ -1175,7 +1175,6 @@ def get_qrcode_svg(data):
 
 @login_required
 @require_GET
-@allow_origin_star
 def show_withdrawal(request, withdraw_id):
     op = TalerWithdrawOperation.objects.get(withdraw_id=withdraw_id)
     if op.selection_done:
@@ -1196,7 +1195,6 @@ def show_withdrawal(request, withdraw_id):
 
 @login_required
 @require_http_methods(["GET", "POST"])
-@allow_origin_star
 def confirm_withdrawal(request, withdraw_id):
     op = TalerWithdrawOperation.objects.get(withdraw_id=withdraw_id)
     if not op.selection_done:
@@ -1320,7 +1318,6 @@ def wire_transfer(amount, debit_account, credit_account, 
subject, request_uid=No
 @csrf_exempt
 @require_GET
 @login_via_headers
-@allow_origin_star
 def bank_accounts_api_balance(request, user_account, acct_id):
     """
     Query the balance for an account.
@@ -1348,7 +1345,6 @@ def bank_accounts_api_balance(request, user_account, 
acct_id):
 @csrf_exempt
 @require_POST
 @login_via_headers
-@allow_origin_star
 def bank_accounts_api_create_withdrawal(request, user, acct_id):
     user_account = BankAccount.objects.get(user=user)
 
@@ -1378,7 +1374,6 @@ def bank_accounts_api_create_withdrawal(request, user, 
acct_id):
 @csrf_exempt
 @require_GET
 @login_via_headers
-@allow_origin_star
 def bank_accounts_api_get_withdrawal(request, user, acct_id, wid):
     user_account = BankAccount.objects.get(user=user)
     if acct_id != user_account.user.username:
@@ -1412,7 +1407,6 @@ def withdraw_abort_internal(wid):
 
 @require_POST
 @login_required
-@allow_origin_star
 def abort_withdrawal(request, withdraw_id):
     internal_status = withdraw_abort_internal(withdraw_id)
     set_session_hint(request, success=internal_status["status"] == 200, 
hint=internal_status["hint"])
@@ -1422,7 +1416,6 @@ def abort_withdrawal(request, withdraw_id):
 @csrf_exempt
 @require_POST
 @login_via_headers
-@allow_origin_star
 def bank_accounts_api_abort_withdrawal(request, user, acct_id, wid):
     user_account = BankAccount.objects.get(user=user)
     if acct_id != user_account.user.username:
@@ -1438,7 +1431,6 @@ def bank_accounts_api_abort_withdrawal(request, user, 
acct_id, wid):
 @csrf_exempt
 @require_POST
 @login_via_headers
-@allow_origin_star
 def bank_accounts_api_confirm_withdrawal(request, user, acct_id, wid):
     user_account = BankAccount.objects.get(user=user)
     if acct_id != user_account.user.username:



