#31 API basic implementation Token Authentication

* adds token checking to AbstractModelAPIView * adds user accessibility filtering for intervention API v1 * extends fetch_and_serialize() method to take a dict for db filtering instead of a single field and value * organizes urlnames into supporting formats like "api:v1:intervention"
2022-01-21 16:15:16 +01:00 · 2022-01-21 16:15:16 +01:00 · 3938db1893
commit 3938db1893
parent 881da38538
6 changed files with 64 additions and 16 deletions
--- a/api/models/token.py
+++ b/api/models/token.py
@ -1,4 +1,6 @@
+from django.core.exceptions import ObjectDoesNotExist
 from django.db import models
+from django.utils import timezone

 from konova.utils.generators import generate_token

@ -21,3 +23,26 @@ class APIUserToken(models.Model):

    def __str__(self):
        return self.token
+
+    @staticmethod
+    def get_user_from_token(token: str):
+        """ Getter for the related user object
+
+        Args:
+            token (str): The used token
+
+        Returns:
+            user (User): Otherwise None
+        """
+        _today = timezone.now().date()
+        try:
+            token_obj = APIUserToken.objects.get(
+                token=token,
+            )
+            if not token_obj.is_active:
+                raise PermissionError("Token unverified")
+            if token_obj.valid_until is not None and token_obj.valid_until < _today:
+                raise PermissionError("Token validity expired")
+        except ObjectDoesNotExist:
+            raise PermissionError("Token invalid")
+        return token_obj.user
--- a/api/settings.py
+++ b/api/settings.py
@ -0,0 +1,8 @@
+"""
+Author: Michel Peltriaux
+Organization: Struktur- und Genehmigungsdirektion Nord, Rhineland-Palatinate, Germany
+Contact: michel.peltriaux@sgdnord.rlp.de
+Created on: 21.01.22
+
+"""
+KSP_TOKEN_HEADER_IDENTIFIER = "ksptoken"
--- a/api/urls/urls.py
+++ b/api/urls/urls.py
@ -10,5 +10,5 @@ from django.urls import path, include
 app_name = "api"

 urlpatterns = [
-    path("v1/", include("api.urls.v1.urls")),
+    path("v1/", include("api.urls.v1.urls", namespace="v1")),
 ]
--- a/api/urls/v1/urls.py
+++ b/api/urls/v1/urls.py
@ -7,8 +7,9 @@ Created on: 21.01.22
 """
 from django.urls import path

-from api.views.v1.intervention import APIInterventionView
+from api.views.v1.intervention import APIInterventionViewV1

+app_name = "v1"
 urlpatterns = [
-    path("intervention/<identifier>", APIInterventionView.as_view(), name="api-intervention"),
+    path("intervention/<identifier>", APIInterventionViewV1.as_view(), name="intervention"),
 ]
--- a/api/views/v1/intervention.py
+++ b/api/views/v1/intervention.py
@ -13,15 +13,16 @@ from api.views.v1.general import AbstractModelAPIViewV1
 from intervention.models import Intervention


-class APIInterventionView(AbstractModelAPIViewV1):
+class APIInterventionViewV1(AbstractModelAPIViewV1):
    model = Intervention
-    fields_to_serialize = {
-        "identifier",
-        "title",
-    }

    def get(self, request: HttpRequest, identifier):
-        data = self.fetch_and_serialize("identifier", identifier)
+        _filter = {
+            "identifier": identifier,
+            "users__in": [self.user],
+            "deleted__isnull": True,
+        }
+        data = self.fetch_and_serialize(_filter)
        return JsonResponse(data)

    def model_to_json(self, entry: Intervention):
--- a/api/views/views.py
+++ b/api/views/views.py
@ -7,8 +7,12 @@ Created on: 21.01.22
 """
 from abc import abstractmethod

+from django.http import JsonResponse
 from django.views import View

+from api.models import APIUserToken
+from api.settings import KSP_TOKEN_HEADER_IDENTIFIER
+

 class AbstractModelAPIView(View):
    """ Base class for API views
@ -19,6 +23,7 @@ class AbstractModelAPIView(View):

    """
    model = None
+    user = None

    class Meta:
        abstract = True
@ -35,21 +40,29 @@ class AbstractModelAPIView(View):
        """
        raise NotImplementedError("Must be implemented in subclasses")

-    def fetch_and_serialize(self, lookup_field, lookup_val):
+    def fetch_and_serialize(self, _filter):
        """ Serializes the model entry according to the given lookup data

        Args:
-            lookup_field (): Which field used for lookup
-            lookup_val (): Value for lookup
+            _filter (dict): Lookup declarations

        Returns:
            serialized_data (dict)
        """
-        _filters = {
-            lookup_field: lookup_val
-        }
-        qs = self.model.objects.filter(**_filters)
+        qs = self.model.objects.filter(**_filter)
        serialized_data = {}
        for entry in qs:
            serialized_data[str(entry.pk)] = self.model_to_json(entry)
        return serialized_data
+
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            self.user = APIUserToken.get_user_from_token(request.headers.get(KSP_TOKEN_HEADER_IDENTIFIER, None))
+        except PermissionError as e:
+            return JsonResponse(
+                {
+                    "error": e.__str__()
+                },
+                status=403
+            )
+        return super().dispatch(request, *args, **kwargs)