[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-merchant] branch master updated: implement login token mechanism
|
From: |
gnunet |
|
Subject: |
[taler-merchant] branch master updated: implement login token mechanism |
|
Date: |
Wed, 06 Sep 2023 01:29:02 +0200 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository merchant.
The following commit(s) were added to refs/heads/master by this push:
new e1b7792a implement login token mechanism
e1b7792a is described below
commit e1b7792a233ef94b2d8639ce5333e3f32410424d
Author: Christian Grothoff <grothoff@gnunet.org>
AuthorDate: Wed Sep 6 01:28:58 2023 +0200
implement login token mechanism
---
src/backend/taler-merchant-httpd.c | 46 +++++++++++++++--
src/backend/taler-merchant-httpd.h | 2 +-
...chant-httpd_private-delete-instances-ID-token.c | 48 ++++++++++++++----
...erchant-httpd_private-post-instances-ID-token.c | 59 ++++++++++++++++------
4 files changed, 125 insertions(+), 30 deletions(-)
diff --git a/src/backend/taler-merchant-httpd.c
b/src/backend/taler-merchant-httpd.c
index ce9f1e8c..475487e7 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -183,16 +183,54 @@ static const struct GNUNET_CONFIGURATION_Handle *cfg;
char *TMH_default_auth;
-enum TMH_AuthScope
+/**
+ * Check validity of login @a token for the given @a instance_id.
+ *
+ * @param token the login token given in the request
+ * @param instance_id the instance the login is to be checked against
+ * @return scope of the token if it is valid
+ */
+static enum TMH_AuthScope
TMH_check_token (const char *token,
const char *instance_id)
{
+ enum TMH_AuthScope scope;
+ struct GNUNET_TIME_Timestamp expiration;
+ enum GNUNET_DB_QueryStatus qs;
+ struct TALER_MERCHANTDB_LoginTokenP btoken;
+
if (NULL == token)
return TMH_AS_NONE;
- GNUNET_break (0); // FIXME: not implemented
- return TMH_AS_NONE;
+ if (GNUNET_OK !=
+ GNUNET_STRINGS_string_to_data (token,
+ strlen (token),
+ &btoken,
+ sizeof (btoken)))
+ return TMH_AS_NONE;
+ qs = TMH_db->select_login_token (TMH_db->cls,
+ instance_id,
+ &btoken,
+ &expiration,
+ &scope);
+ if (qs < 0)
+ {
+ /* FIXME: may want to return 500 internal server error
+ in the future in this case... */
+ GNUNET_break (0);
+ return TMH_AS_NONE;
+ }
+ if (GNUNET_DB_STATUS_SUCCESS_NO_RESULTS == qs)
+ return TMH_AS_NONE;
+ if (GNUNET_TIME_absolute_is_past (expiration.abs_time))
+ {
+ /* FIXME: may want to return special EC to indicate
+ (recently) expired token in the future */
+ return TMH_AS_NONE;
+ }
+ return scope;
}
+
enum GNUNET_GenericReturnValue
TMH_check_auth (const char *token,
struct TALER_MerchantAuthenticationSaltP *salt,
@@ -765,7 +803,7 @@ url_handler (void *cls,
/* POST /token: */
{
.url_prefix = "/instances/",
- .auth_scope = TMH_AS_RENEWABLE,
+ .auth_scope = TMH_AS_REFRESHABLE,
.url_suffix = "token",
.method = MHD_HTTP_METHOD_POST,
.have_id_segment = true,
diff --git a/src/backend/taler-merchant-httpd.h
b/src/backend/taler-merchant-httpd.h
index 36f04fb9..30d84751 100644
--- a/src/backend/taler-merchant-httpd.h
+++ b/src/backend/taler-merchant-httpd.h
@@ -425,7 +425,7 @@ enum TMH_AuthScope {
/**
* /login access to renew the token is OK.
*/
- TMH_AS_RENEWABLE = 1 << 30,
+ TMH_AS_REFRESHABLE = 1 << 30,
/**
* Full access is granted to everything.
diff --git
a/src/backend/taler-merchant-httpd_private-delete-instances-ID-token.c
b/src/backend/taler-merchant-httpd_private-delete-instances-ID-token.c
index c5e8cc91..242b583a 100644
--- a/src/backend/taler-merchant-httpd_private-delete-instances-ID-token.c
+++ b/src/backend/taler-merchant-httpd_private-delete-instances-ID-token.c
@@ -35,19 +35,49 @@ TMH_private_delete_instances_ID_token (const struct
TMH_RequestHandler *rh,
{
struct TMH_MerchantInstance *mi = hc->instance;
const char *tok;
+ struct TALER_MERCHANTDB_LoginTokenP btoken;
+ enum GNUNET_DB_QueryStatus qs;
tok = MHD_lookup_connection_value (connection,
MHD_HEADER_KIND,
MHD_HTTP_HEADER_AUTHORIZATION);
- GNUNET_break (0); // FIXME: not implemented
- (void) tok;
- (void) mi;
-
- return TALER_MHD_reply_static (connection,
- MHD_HTTP_NO_CONTENT,
- NULL,
- NULL,
- 0);
+ if (GNUNET_OK !=
+ GNUNET_STRINGS_string_to_data (tok,
+ strlen (tok),
+ &btoken,
+ sizeof (btoken)))
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_ec (connection,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "login token (in 'Authorization' header)");
+ }
+ qs = TMH_db->delete_login_token (TMH_db->cls,
+ mi->settings.id,
+ &btoken);
+ switch (qs)
+ {
+ case GNUNET_DB_STATUS_HARD_ERROR:
+ case GNUNET_DB_STATUS_SOFT_ERROR:
+ GNUNET_break (0);
+ return TALER_MHD_reply_with_ec (connection,
+ TALER_EC_GENERIC_DB_STORE_FAILED,
+ "delete_login_token");
+ case GNUNET_DB_STATUS_SUCCESS_NO_RESULTS:
+ /* No 404, as the login token must have existed
+ when we got the request as it was accepted as
+ valid. So we can only get here due to concurrent
+ modification, and then the client should still
+ simply see the success. Hence, fall-through */
+ case GNUNET_DB_STATUS_SUCCESS_ONE_RESULT:
+ return TALER_MHD_reply_static (connection,
+ MHD_HTTP_NO_CONTENT,
+ NULL,
+ NULL,
+ 0);
+ }
+ GNUNET_break (0);
+ return MHD_NO;
}
diff --git a/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
b/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
index e5128a56..74de6563 100644
--- a/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
+++ b/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
@@ -29,9 +29,9 @@
/**
- * Maximum duration for the validity of a token token.
+ * Default duration for the validity of a login token.
*/
-#define MAX_DURATION GNUNET_TIME_UNIT_DAYS
+#define DEFAULT_DURATION GNUNET_TIME_UNIT_DAYS
MHD_RESULT
@@ -42,9 +42,11 @@ TMH_private_post_instances_ID_token (const struct
TMH_RequestHandler *rh,
struct TMH_MerchantInstance *mi = hc->instance;
json_t *jtoken = hc->request_body;
const char *scope;
+ uint32_t iscope = TMH_AS_NONE;
bool refreshable = false;
+ struct TALER_MERCHANTDB_LoginTokenP btoken;
struct GNUNET_TIME_Relative duration
- = MAX_DURATION;
+ = DEFAULT_DURATION;
struct GNUNET_TIME_Timestamp expiration_time;
struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_string ("scope",
@@ -59,9 +61,8 @@ TMH_private_post_instances_ID_token (const struct
TMH_RequestHandler *rh,
NULL),
GNUNET_JSON_spec_end ()
};
- char *token;
- MHD_RESULT ret;
-
+ enum GNUNET_DB_QueryStatus qs;
+
{
enum GNUNET_GenericReturnValue res;
@@ -71,25 +72,51 @@ TMH_private_post_instances_ID_token (const struct
TMH_RequestHandler *rh,
if (GNUNET_OK != res)
return (GNUNET_NO == res) ? MHD_YES : MHD_NO;
}
- duration = GNUNET_TIME_relative_min (duration,
- MAX_DURATION);
expiration_time = GNUNET_TIME_relative_to_timestamp (duration);
- token = GNUNET_strdup ("FIXME-foo");
- (void) mi;
-
- ret = TALER_MHD_REPLY_JSON_PACK (
+ if (0 == strcasecmp (scope,
+ "readonly"))
+ iscope = TMH_AS_READ_ONLY;
+ else if (0 == strcasecmp (scope,
+ "write"))
+ iscope = TMH_AS_ALL;
+ else
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_ec (connection,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "scope");
+ }
+ if (refreshable)
+ iscope |= TMH_AS_REFRESHABLE;
+ qs = TMH_db->insert_login_token (TMH_db->cls,
+ mi->settings.id,
+ &btoken,
+ GNUNET_TIME_timestamp_get (),
+ expiration_time,
+ iscope);
+ switch (qs)
+ {
+ case GNUNET_DB_STATUS_HARD_ERROR:
+ case GNUNET_DB_STATUS_SOFT_ERROR:
+ case GNUNET_DB_STATUS_SUCCESS_NO_RESULTS:
+ GNUNET_break (0);
+ return TALER_MHD_reply_with_ec (connection,
+ TALER_EC_GENERIC_DB_STORE_FAILED,
+ "insert_login_token");
+ case GNUNET_DB_STATUS_SUCCESS_ONE_RESULT:
+ break;
+ }
+ return TALER_MHD_REPLY_JSON_PACK (
connection,
MHD_HTTP_OK,
- GNUNET_JSON_pack_string ("token",
- token),
+ GNUNET_JSON_pack_data_auto ("token",
+ &btoken),
GNUNET_JSON_pack_string ("scope",
scope),
GNUNET_JSON_pack_bool ("refreshable",
refreshable),
GNUNET_JSON_pack_timestamp ("expiration",
expiration_time));
- GNUNET_free (token);
- return ret;
}
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-merchant] branch master updated: implement login token mechanism,
gnunet <=