Implement async TokenAuth for ContentApi

eos87 · eos87 · commit 23fbc605ac71 · 2025-02-04T15:33:17.000+01:00
SDESK-7484
diff --git a/content_api/app/__init__.py b/content_api/app/__init__.py
@@ -24,7 +24,6 @@
 from eve.io.mongo.mongo import MongoJSONEncoder
 
 from superdesk.flask import Config
-from content_api.tokens import SubscriberTokenAuth
 from superdesk.datalayer import SuperdeskDataLayer
 from superdesk.factory.elastic_apm import setup_apm
 from superdesk.validator import SuperdeskValidator
@@ -63,7 +62,6 @@ def get_app(config=None):
     media_storage = get_media_storage_class(app_config)
 
     app = SuperdeskEve(
-        auth=SubscriberTokenAuth,
         settings=app_config,
         data=SuperdeskDataLayer,
         media=media_storage,
diff --git a/content_api/app/settings.py b/content_api/app/settings.py
@@ -55,8 +55,11 @@
 
 MODULES = [
     "content_api.items.module",
+    "superdesk.publish.subscriber_token",
 ]
 
+ASYNC_AUTH_CLASS = "content_api.tokens.auth:SubscriberTokenAuth"
+
 CONTENTAPI_DOMAIN = {}
 
 # NOTE: no trailing slash for the CONTENTAPI_URL setting!
diff --git a/content_api/tokens/__init__.py b/content_api/tokens/__init__.py
@@ -1,49 +1,4 @@
-# -*- coding: utf-8; -*-
-#
-# This file is part of Superdesk.
-#
-# Copyright 2013, 2014, 2015 Sourcefabric z.u. and contributors.
-#
-# For the full copyright and license information, please see the
-# AUTHORS and LICENSE files distributed with this source code, or
-# at https://www.sourcefabric.org/superdesk/license
+from .resource import CompanyTokenResource
+from .service import CompanyTokenService
 
-import superdesk
-
-from eve.auth import TokenAuth
-
-from superdesk.core import get_current_app
-from superdesk.flask import g
-from superdesk.utc import utcnow
-from superdesk.publish.subscriber_token import SubscriberTokenResource, SubscriberTokenService
-
-from content_api.tokens.resource import CompanyTokenResource  # noqa
-from content_api.tokens.service import CompanyTokenService  # noqa
-
-
-TOKEN_RESOURCE = "subscriber_token"
-
-
-class AuthSubscriberTokenResource(SubscriberTokenResource):
-    item_methods = []
-    resource_methods = []
-
-
-class SubscriberTokenAuth(TokenAuth):
-    def check_auth(self, token, allowed_roles, resource, method):
-        """Try to find auth token and if valid put subscriber id into ``g.user``."""
-        app = get_current_app()
-        data = app.data.mongo.find_one(TOKEN_RESOURCE, req=None, _id=token)
-        if not data:
-            return False
-        now = utcnow()
-        if data.get("expiry") and data.get("expiry") < now:
-            app.data.mongo.remove(TOKEN_RESOURCE, {"_id": token})
-            return False
-        g.user = str(data.get("subscriber"))
-        return g.user
-
-
-def init_app(app) -> None:
-    # superdesk.register_resource(TOKEN_RESOURCE, AuthSubscriberTokenResource, SubscriberTokenService, _app=app)
-    pass
+__all__ = ["CompanyTokenResource", "CompanyTokenService"]
diff --git a/content_api/tokens/auth.py b/content_api/tokens/auth.py
@@ -0,0 +1,68 @@
+from typing import Any, cast
+from quart_babel import _
+
+from superdesk.utc import utcnow
+from superdesk.core.types.web import Request
+from superdesk.errors import SuperdeskApiError
+from superdesk.core.auth.user_auth import UserAuthProtocol
+from superdesk.publish.subscriber_token import SubscriberTokenService, SubscriberToken
+
+
+class SubscriberTokenAuth(UserAuthProtocol):
+    def get_token_from_request(self, request: Request) -> str | None:
+        """
+        Extracts the token from `Authorization` header. Code taken partly
+        from eve.Auth module
+        """
+
+        auth = (request.get_header("Authorization") or "").strip()
+        if len(auth):
+            if auth.lower().startswith(("token", "bearer", "basic")):
+                return auth.split(" ")[1] if " " in auth else None
+            return auth
+
+        return None
+
+    async def authenticate(self, request: Request) -> None:
+        """
+        Tries to find the auth token in the request and if valid put subscriber id into ``g.user``.
+        """
+        token_service = SubscriberTokenService()
+        token_missing_exception = SuperdeskApiError.forbiddenError(message=_("Authorization token missing."))
+        token_id = self.get_token_from_request(request)
+
+        if token_id is None:
+            raise token_missing_exception
+
+        token = await token_service.find_by_id(token_id)
+        if token is None:
+            raise token_missing_exception
+
+        await self.check_token_validity(token)
+        await self.start_session(request, None, token=token)
+
+    async def check_token_validity(self, token: SubscriberToken) -> None:
+        """
+        Checks if the token is valid and if it has expired.
+        """
+
+        if token.expiry and token.expiry < utcnow():
+            await SubscriberTokenService().delete(token)
+            raise SuperdeskApiError.forbiddenError(message=_("Authorization token expired."))
+
+    async def start_session(self, request: Request, user: Any, **kwargs) -> None:
+        """
+        Puts the subscriber id into ``g.user``.
+        """
+        token = cast(SubscriberToken, kwargs.get("token"))
+        request.storage.request.set("user", str(token.subscriber))
+
+    async def stop_session(self, request: Request) -> None:
+        """
+        Removes the subscriber id from ``g.user``.
+        """
+        request.storage.request.set("user", None)
+
+    def get_current_user(self, request: Request) -> str | None:
+        """Overrides as it is needed."""
+        return None
diff --git a/superdesk/core/resources/resource_rest_endpoints.py b/superdesk/core/resources/resource_rest_endpoints.py
@@ -10,7 +10,7 @@
 
 import math
 from inspect import get_annotations
-from typing import Annotated, List, Optional, cast, Dict, Any, Type, get_args, get_origin, get_type_hints
+from typing import Annotated, List, Optional, cast, Dict, Any, Type, get_args, get_origin
 
 from dataclasses import dataclass
 from pydantic import ValidationError, BaseModel, NonNegativeInt
diff --git a/superdesk/publish/__init__.py b/superdesk/publish/__init__.py
@@ -85,8 +85,6 @@ def transmit():
 from superdesk.publish.subscribers import SubscribersResource, SubscribersService  # NOQA
 from superdesk.publish.publish_queue import PublishQueueResource, PublishQueueService  # NOQA
 
-from superdesk.publish.subscriber_token import SubscriberTokenResource, SubscriberTokenService  # NOQA
-
 
 def init_app(app) -> None:
     # XXX: we need to do imports for transmitters and formatters here
@@ -104,8 +102,6 @@ def init_app(app) -> None:
     service = PublishQueueService(endpoint_name, backend=get_backend())
     PublishQueueResource(endpoint_name, app=app, service=service)
 
-    # superdesk.register_resource("subscriber_token", SubscriberTokenResource, SubscriberTokenService)
-
     app.client_config.update(
         {
             "transmitter_types": registered_transmitters_list,
diff --git a/superdesk/publish/subscriber_token.py b/superdesk/publish/subscriber_token.py
@@ -1,11 +1,9 @@
-import superdesk
 from pydantic import Field
 from typing import Annotated
 from datetime import timedelta, datetime
 
-from content_api import MONGO_PREFIX
-from superdesk.core.module import Module
 from superdesk.utc import utcnow
+from superdesk.core.module import Module
 from superdesk.utils import get_random_token
 from superdesk.core.auth.privilege_rules import http_method_privilege_based_rules
 from superdesk.core.resources import (
@@ -18,43 +16,14 @@
 from superdesk.core.resources.validators import validate_data_relation_async
 
 
-class SubscriberTokenResource(superdesk.Resource):
-    schema = {
-        "_id": {"type": "string", "unique": True},
-        "expiry": {"readonly": True},
-        "expiry_days": {"type": "integer"},
-        "subscriber": superdesk.Resource.rel("subscribers", required=True),
-    }
-
-    item_url = 'regex(".+")'
-    resource_methods = ["GET", "POST"]
-    item_methods = ["GET", "DELETE"]
-    privileges = {"POST": "subscribers", "DELETE": "subscribers"}
-
-    datasource = {
-        "default_sort": [("_created", 1)],
-    }
-
-    mongo_prefix = MONGO_PREFIX
-
-
-class SubscriberTokenService(superdesk.Service):
-    def create(self, docs, **kwargs):
-        for doc in docs:
-            doc["_id"] = get_random_token()
-            if doc.get("expiry_days"):
-                doc.setdefault("expiry", utcnow() + timedelta(days=doc["expiry_days"]))
-        return super().create(docs, **kwargs)
-
-
 class SubscriberToken(ResourceModel):
     id: Annotated[str, Field(alias="_id", default_factory=get_random_token)]
     expiry: datetime | None = None
     expiry_days: int | None = None
     subscriber: Annotated[fields.ObjectId, validate_data_relation_async("subscribers")]
 
 
-class AsyncSubscriberTokenService(AsyncResourceService[SubscriberToken]):
+class SubscriberTokenService(AsyncResourceService[SubscriberToken]):
     async def on_create(self, docs: list[SubscriberToken]) -> None:
         """
         Calculates and sets expiry dates based on expiry_days param.
@@ -73,7 +42,7 @@ async def on_create(self, docs: list[SubscriberToken]) -> None:
 resource_config = ResourceConfig(
     name="subscriber_token",
     data_class=SubscriberToken,
-    service=AsyncSubscriberTokenService,
+    service=SubscriberTokenService,
     default_sort=[("_created", 1)],
     rest_endpoints=RestEndpointConfig(
         resource_methods=["GET", "POST"],

Original file line number	Diff line number	Diff line change
`@@ -55,8 +55,11 @@`
`55`	`55`
`56`	`56`	`MODULES = [`
`57`	`57`	`"content_api.items.module",`
	`58`	`+ "superdesk.publish.subscriber_token",`
`58`	`59`	`]`
`59`	`60`
	`61`	`+ASYNC_AUTH_CLASS = "content_api.tokens.auth:SubscriberTokenAuth"`
	`62`	`+`
`60`	`63`	`CONTENTAPI_DOMAIN = {}`
`61`	`64`
`62`	`65`	`# NOTE: no trailing slash for the CONTENTAPI_URL setting!`