Update Media Access Request to accept Token in Query

2023-03-30 13:38:46 +03:00 · 2023-03-30 13:38:46 +03:00 · 2258ffce66
commit 2258ffce66
parent 03728447ef
2 changed files with 30 additions and 6 deletions
--- a/server/flask/application/backend/media_access_requests.py
+++ b/server/flask/application/backend/media_access_requests.py
@ -2,10 +2,10 @@ from flask import request, jsonify
 from .require_decorators import get_cropped_token
 from .data.data_models import ResponseCode
 from .data import dao_session
-from .data import dao_users
+from urllib.parse import parse_qs

 def handle_has_media_access():
-    media_token = get_cropped_token(request.headers.get('Media-Authorization'))
+    media_token = get_cropped_token(_get_token_from_request('Media-Authorization'))
    if (media_token is None):
        errorResponse = jsonify({'message':'Missing Authorization!','code':ResponseCode.MISSING_MEDIA_AUTHORIZATION})
        return errorResponse, 401
@ -13,4 +13,19 @@ def handle_has_media_access():
    if (user_id is None):
        errorResponse = jsonify({'message':'Invalid Authorization!','code':ResponseCode.INVALID_MEDIA_AUTHORIZATION})
        return errorResponse, 401
-    return jsonify({'message':'Access Granted','code': ResponseCode.SUCCESS_MEDIA_ACCESS}), 200
+    return jsonify({'message':'Access Granted','code': ResponseCode.SUCCESS_MEDIA_ACCESS}), 200
+
+def _get_token_from_request(key: str):
+    token = request.headers.get(key)
+    if (token is not None):
+        return token
+    original_uri = request.headers.get('X-Original-URI')
+    if not isinstance(original_uri,str):
+        return None
+    query_string = original_uri[original_uri.find('?')+1:]
+    return _get_first_token_from_query_string(query_string = query_string, key = key)
+
+def _get_first_token_from_query_string(query_string: str, key: str):
+    query_dict = parse_qs(query_string)
+    tokens = query_dict.get(key, [None])
+    return tokens[0]
--- a/server/flask/application/nginx-proxy-config
+++ b/server/flask/application/nginx-proxy-config
@ -6,6 +6,7 @@ limit_req_zone $binary_remote_addr zone=restricted_ip:10m rate=10r/m;
 server {
    server_name _;
    listen       8080  default_server;
+
    return       404;
 }

@ -20,13 +21,11 @@ server {
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers   on;

-    root /server;
-
    # static media
    location /media {
        root /media-data/;
        autoindex on;
-        auth_request /has_media_access;
+        auth_request /require_media_access;
        limit_req zone=ip burst=12 delay=8;

        # enable cache
@ -41,6 +40,16 @@ server {
        # etag off;
    }

+    # auth request, passes query as header
+    location /require_media_access {
+        internal;
+        proxy_pass https://localhost:443/has_media_access;
+        proxy_pass_request_body off;
+        proxy_pass_request_headers on;
+        proxy_set_header      Content-Length: "";
+        proxy_set_header      X-Original-URI $request_uri;
+    }
+
    # flask server
    location / {
        include         uwsgi_params;