diff --git a/doc/nginx.conf.example b/doc/nginx.conf.example
index f1ccfdd..8a5b1e9 100644
--- a/doc/nginx.conf.example
+++ b/doc/nginx.conf.example
@@ -3,6 +3,7 @@ server {
     location / { try_files $uri @amber; }
     location @amber {
         include uwsgi_params;
+        rewrite /api/(.*) /$1;
         uwsgi_pass amber:8080;
     }
 }
diff --git a/project_amber/app.py b/project_amber/app.py
index 987ed53..b6eef7b 100644
--- a/project_amber/app.py
+++ b/project_amber/app.py
@@ -29,21 +29,21 @@ def middleware():
     request.user = user
-app.add_url_rule("/api/login", "login", login, methods=["POST"])
-app.add_url_rule("/api/logout", "logout", logout, methods=["POST"])
-app.add_url_rule("/api/task", "task", handle_task_request, \
+app.add_url_rule("/v0/login", "login", login, methods=["POST"])
+app.add_url_rule("/v0/logout", "logout", logout, methods=["POST"])
+app.add_url_rule("/v0/task", "task", handle_task_request, \
     methods=["GET", "POST"])
-app.add_url_rule("/api/task/", "task_id", handle_task_id_request, \
+app.add_url_rule("/v0/task/", "task_id", handle_task_id_request, \
     methods=["GET", "PATCH", "DELETE"])
-app.add_url_rule("/api/user", "user", update_user_data, methods=["PATCH"])
+app.add_url_rule("/v0/user", "user", update_user_data, methods=["PATCH"])
 app.add_url_rule(
-    "/api/session", "session", handle_session_req, methods=["GET"]
+    "/v0/session", "session", handle_session_req, methods=["GET"]
 )
-app.add_url_rule("/api/session/", "session_id", \
+app.add_url_rule("/v0/session/", "session_id", \
     handle_session_id_req, methods=["GET", "DELETE"])
 if config["allow_signup"]:
-    app.add_url_rule("/api/signup", "signup", signup, methods=["POST"])
+    app.add_url_rule("/v0/signup", "signup", signup, methods=["POST"])
 @app.before_first_request
diff --git a/project_amber/const.py b/project_amber/const.py
index 7bc076e..0f27d44 100644
--- a/project_amber/const.py
+++ b/project_amber/const.py
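Review bot: The added `rewrite /api/(.*) /$1;` is unanchored, so nginx applies it to any URI that merely contains `/api/` somewhere, not only to requests that begin with that prefix; everything after the first `/api/` then reaches the backend as the new path. Since the backend's auth exemption in this same commit is evaluated against that rewritten path, the strip should be exact: `rewrite ^/api/(.*)$ /$1;`. The enclosing `server` block starts outside the hunk, so any other rewrite or location rules that could interact with this one are not visible here.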
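Review bot: The `/v0` prefix is now repeated literally in eight `add_url_rule` calls while the matching auth exemption lives in a separate regex (`PUBLIC_PATHS` in const.py), so the two can drift silently the next time the version is bumped; a single constant such as `API_PREFIX = "/v0"` used as `app.add_url_rule(f"{API_PREFIX}/login", "login", login, methods=["POST"])` would let both sides derive from one value. The `task_id` and `session_id` rules read as `"/v0/task/"` and `"/v0/session/"` here, which looks like a URL converter lost to angle-bracket stripping in this rendering rather than a real change — worth confirming against the raw file. The `middleware` function named in the hunk header starts outside the hunk.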
@@ -16,3 +16,6 @@
 MSG_TASK_NOT_FOUND = "This task does not exist"
 MSG_TEXT_NOT_SPECIFIED = "No text specified"
 MSG_TASK_DANGEROUS = "Potentially dangerous operation"
+
+# A regex matching all paths that can be accessed without an auth token.
+PUBLIC_PATHS = r"/v\d/(login|signup)"
diff --git a/project_amber/helpers/__init__.py b/project_amber/helpers/__init__.py
index d4cad47..37cd1ed 100644
--- a/project_amber/helpers/__init__.py
+++ b/project_amber/helpers/__init__.py
@@ -1,11 +1,12 @@
 from time import time as time_lib
 from functools import wraps
+from re import fullmatch
 from flask import request
 from project_amber.db import db
 from project_amber.const import MSG_NO_TOKEN, MSG_INVALID_TOKEN, \
-    MSG_USER_NOT_FOUND, MSG_USER_EXISTS
+    MSG_USER_NOT_FOUND, MSG_USER_EXISTS, PUBLIC_PATHS
 from project_amber.errors import Unauthorized, BadRequest, NotFound, \
     InternalServerError, Conflict
 from project_amber.models.auth import User, Session
@@ -41,7 +42,7 @@ def middleware() -> RequestParams:
     if not request.is_json and request.method in ["POST", "PUT", "PATCH"]:
         raise BadRequest
     params = RequestParams()
-    if not request.path in ["/api/login", "/api/signup"] \
+    if not fullmatch(PUBLIC_PATHS, request.path) \
         and request.method != "OPTIONS":
         params.authenticated = True
     return params
@@ -63,9 +64,7 @@ def handleLogin() -> LoginUser:
     user = db.session.query(User).filter_by(id=user_session.user).one_or_none()
     if user is None:
         raise InternalServerError(MSG_USER_NOT_FOUND)
-    user_details = LoginUser(
-        user.name, user.id, token, user_session.login_time
-    )
+    user_details = LoginUser(user.name, user.id, token, user_session.login_time)
     return user_details
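Review bot: `PUBLIC_PATHS` carries no anchors, so whether it exempts exactly `/vN/login` and `/vN/signup` or anything containing them depends entirely on every caller using `fullmatch` — which the middleware hunk in helpers/__init__.py does today, but a future `re.match` or `re.search` call site would widen the unauthenticated surface without touching this file. Put the anchors in the pattern itself, `PUBLIC_PATHS = r"^/v[0-9]/(login|signup)$"`; `[0-9]` also avoids `\d` accepting non-ASCII Unicode digits that Werkzeug's decoded `request.path` can contain. The comment should state the matching contract, e.g. `# Auth-exempt paths; compared in full (re.fullmatch) against the rewritten request.path — keep it anchored.`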