#31 API further credential

* adds Kspuser as another expected header data to resolve the api user * adds/updates translations
2022-01-28 16:35:25 +01:00
parent 1b3adc396f
commit e0f7de37b6
6 changed files with 20 additions and 13 deletions
--- a/api/models/token.py
+++ b/api/models/token.py
@@ -25,11 +25,12 @@ class APIUserToken(models.Model):
        return self.token

    @staticmethod
-    def get_user_from_token(token: str):
+    def get_user_from_token(token: str, username: str):
        """ Getter for the related user object

        Args:
            token (str): The used token
+            username (str): The username

        Returns:
            user (User): Otherwise None
@@ -38,11 +39,12 @@ class APIUserToken(models.Model):
        try:
            token_obj = APIUserToken.objects.get(
                token=token,
+                user__username=username
            )
            if not token_obj.is_active:
                raise PermissionError("Token unverified")
            if token_obj.valid_until is not None and token_obj.valid_until < _today:
                raise PermissionError("Token validity expired")
        except ObjectDoesNotExist:
-            raise PermissionError("Token invalid")
+            raise PermissionError("Credentials invalid")
        return token_obj.user
--- a/api/settings.py
+++ b/api/settings.py
@@ -5,4 +5,5 @@ Contact: michel.peltriaux@sgdnord.rlp.de
 Created on: 21.01.22

 """
-KSP_TOKEN_HEADER_IDENTIFIER = "Ksptoken"
+KSP_TOKEN_HEADER_IDENTIFIER = "Ksptoken"
+KSP_USER_HEADER_IDENTIFIER = "Kspuser"
--- a/api/tests/v1/share/test_api_sharing.py
+++ b/api/tests/v1/share/test_api_sharing.py
@@ -20,6 +20,7 @@ class BaseAPIV1TestCase(BaseTestCase):

        cls.header_data = {
            "HTTP_ksptoken": cls.superuser.api_token.token,
+            "HTTP_kspuser": cls.superuser.username,
        }


--- a/api/views/views.py
+++ b/api/views/views.py
@@ -13,7 +13,7 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt

 from api.models import APIUserToken
-from api.settings import KSP_TOKEN_HEADER_IDENTIFIER
+from api.settings import KSP_TOKEN_HEADER_IDENTIFIER, KSP_USER_HEADER_IDENTIFIER
 from compensation.models import EcoAccount
 from ema.models import Ema
 from intervention.models import Intervention
@@ -39,7 +39,9 @@ class AbstractAPIView(View):
    def dispatch(self, request, *args, **kwargs):
        try:
            # Fetch the proper user from the given request header token
-            self.user = APIUserToken.get_user_from_token(request.headers.get(KSP_TOKEN_HEADER_IDENTIFIER, None))
+            ksp_token = request.headers.get(KSP_TOKEN_HEADER_IDENTIFIER, None)
+            ksp_user = request.headers.get(KSP_USER_HEADER_IDENTIFIER, None)
+            self.user = APIUserToken.get_user_from_token(ksp_token, ksp_user)
            if not self.user.is_default_user():
                raise PermissionError("Default permissions required")
        except PermissionError as e: