split persist token subs by version, 1 min exp
mwfarb committed Aug 8, 2024
1 parent 9a0e82d commit 4ba922f
Showing 2 changed files with 24 additions and 18 deletions.
25 changes: 18 additions & 7 deletions users/mqtt.py
Expand Up @@ -14,22 +14,33 @@
PUBLIC_NAMESPACE = "public"
ANON_REGEX = "anonymous-(?=.*?[a-zA-Z].*?[a-zA-Z])"
DEF_JWT_DURATION = datetime.timedelta(minutes=1)
TOPIC_SUPPORTED_API_VERSIONS = ["v1", "v2"] # TODO(mwfarb): remove v1
API_V1 = "v1"
API_V2 = "v2"
TOPIC_SUPPORTED_API_VERSIONS = [API_V1, API_V2] # TODO (mwfarb): remove v1


def all_scenes_read_token():
def all_scenes_read_token(version):
config = settings.PUBSUB
privkeyfile = settings.MQTT_TOKEN_PRIVKEY
if not os.path.exists(privkeyfile):
print("Error: keyfile not found" + privkeyfile)
return None
with open(privkeyfile) as privatefile:
private_key = privatefile.read()
payload = {
"sub": config["mqtt_username"],
"exp": datetime.datetime.utcnow() + datetime.timedelta(minutes=5),
"subs": [f"{config['mqtt_realm']}/s/#"],
}

realm = config["mqtt_realm"]
username = config["mqtt_username"]
duration = datetime.timedelta(minutes=1)

payload = {}
payload["sub"] = username
payload["exp"] = datetime.datetime.utcnow() + duration

if version == API_V2:
payload["subs"] = [f"{realm}/s/+/+/o/#"] # v2
else:
payload["subs"] = [f"{realm}/s/#"] # v1

token = jwt.encode(payload, private_key, algorithm="RS256")
return token

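Review bot: The trailing `else:` in the new version check hands out the broadest topic filter, `{realm}/s/#`, to any `version` that is not `API_V2`, so an unsupported, misspelled or missing version string falls through to the most permissive subscription set rather than the most restrictive one. I would name both supported versions and fail closed, matching the existing `return None` on the missing-key-file path: replace `else:` with `elif version == API_V1:` and finish with `else:` / `return None`. The local `duration = datetime.timedelta(minutes=1)` duplicates `DEF_JWT_DURATION` declared a few lines above in this same hunk; `payload["exp"] = datetime.datetime.utcnow() + DEF_JWT_DURATION` keeps the expiry in one place. The function also has no docstring for its new parameter; a one-liner such as `"""Return a short-lived RS256 JWT for reading all scenes in the configured realm; version selects the v1 or v2 topic filter."""` would cover it.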
17 changes: 6 additions & 11 deletions users/views.py
Expand Up @@ -4,7 +4,6 @@
import re
import secrets

import coreapi
from allauth.socialaccount import helpers
from allauth.socialaccount.models import SocialAccount
from allauth.socialaccount.views import SignupView as SocialSignupViewDefault
Expand All @@ -16,14 +15,11 @@
from django.db import transaction
from django.http import HttpResponse, JsonResponse
from django.shortcuts import redirect, render
from django.urls import reverse
from google.auth.transport import requests as grequests
from google.oauth2 import id_token
from rest_framework import permissions, status
from rest_framework.compat import coreapi
from rest_framework.decorators import api_view, permission_classes
from rest_framework.parsers import JSONParser
from rest_framework.schemas import AutoSchema

from .filestore import (delete_filestore_user, login_filestore_user,
set_filestore_scope)
Expand Down Expand Up @@ -375,19 +371,19 @@ def my_scenes(request):
except (ValueError, SocialAccount.DoesNotExist) as err:
return JsonResponse({"error": err}, status=status.HTTP_403_FORBIDDEN)

serializer = SceneNameSerializer(get_my_scenes(user), many=True)
serializer = SceneNameSerializer(get_my_scenes(user, request.version), many=True)
return JsonResponse(serializer.data, safe=False)


def get_my_scenes(user):
def get_my_scenes(user, version):
"""
Internal method to update scene permissions table:
1. Requests list of any scenes with objects saved from /persist/!allscenes to add to scene permissions table.
2. Requests and returns list of user's editable scenes from scene permissions table.
"""
# update scene list from object persistance db
if user.is_authenticated:
token = all_scenes_read_token()
token = all_scenes_read_token(version)
if user.is_staff: # admin/staff
p_scenes = get_persist_scenes_all(token)
else: # standard user
Expand Down Expand Up @@ -474,9 +470,8 @@ def user_profile(request):
- Shows scenes that the user has permissions to edit and a button to edit them.
- Handles account deletes.
"""
# TODO (mwfarb): make remote post status 426, local post redirect to valid
# if request.version not in TOPIC_SUPPORTED_API_VERSIONS:
# return reverse("users:user_profile", current_app="users")
if request.version not in TOPIC_SUPPORTED_API_VERSIONS:
return redirect(f"/{TOPIC_SUPPORTED_API_VERSIONS[0]}/user_profile/")

if request.method == 'POST':
# account delete request
Expand Down Expand Up @@ -512,7 +507,7 @@ def user_profile(request):
except User.DoesNotExist:
messages.error(request, "Unable to complete account delete.")

scenes = get_my_scenes(request.user)
scenes = get_my_scenes(request.user, request.version)
devices = get_my_devices(request.user)
staff = None
if request.user.is_staff: # admin/staff
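Review bot: The redirect added in `user_profile` sends every unsupported `request.version` to `TOPIC_SUPPORTED_API_VERSIONS[0]`, i.e. `v1`, which the `TODO (mwfarb): remove v1` comment in users/mqtt.py marks as the version slated for removal, so the fallback will point at a dead path once that TODO is done. Using the newest entry, `return redirect(f"/{TOPIC_SUPPORTED_API_VERSIONS[-1]}/user_profile/")`, or a named default constant would survive the removal. The target is also a hard-coded path string, whereas the commented-out code it replaces used `reverse(...)` and this commit appears to drop the `reverse` import; resolving the URL from the URL conf would keep it in step with routing changes (I cannot see from here whether the `users:user_profile` route takes a version argument). Separately, `get_my_scenes` in the earlier hunk gains a `version` parameter that its docstring does not mention; adding `version: API version string that selects the persist topic filter for the read token.` to the docstring would document it.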
