Merge pull request #341 from YunoHost/portal-api

Tweaks and fixes for new portal API / ssowat refactoring
2024-09-03 20:06:31 +02:00 · 2023-09-27 18:55:29 +02:00 · 2023-09-27 18:55:29 +02:00 · 75f522be56
commit 75f522be56
parent 8016725604 a6c7e55d1d
2 changed files with 39 additions and 12 deletions
--- a/moulinette/init.py
+++ b/moulinette/init.py
@ -53,7 +53,7 @@ class Moulinette:


 # Easy access to interfaces
-def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None):
+def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None, allowed_cors_origins=[]):
    """Web server (API) interface

    Run a HTTP server with the moulinette for an API usage.
@ -73,6 +73,7 @@ def api(host="localhost", port=80, routes={}, actionsmap=None, locales_dir=None)
        Api(
            routes=routes,
            actionsmap=actionsmap,
+            allowed_cors_origins=allowed_cors_origins,
        ).run(host, port)
    except MoulinetteError as e:
        import logging
--- a/moulinette/interfaces/api.py
+++ b/moulinette/interfaces/api.py
@ -312,6 +312,9 @@ class _ActionsMapPlugin:
            return value

        def wrapper(*args, **kwargs):
+            if request.get_header("Content-Type") == "application/json":
+                return callback((request.method, context.rule), request.json)
+
            params = kwargs
            # Format boolean params
            for a in args:
@ -353,11 +356,18 @@ class _ActionsMapPlugin:

        """

-        if "credentials" not in request.params:
-            raise HTTPResponse("Missing credentials parameter", 400)
-        credentials = request.params["credentials"]
+        if request.get_header("Content-Type") == "application/json":
+            if "credentials" not in request.json:
+                raise HTTPResponse("Missing credentials parameter", 400)
+            credentials = request.json["credentials"]
+            profile = request.json.get("profile", self.actionsmap.default_authentication)
+        else:
+            if "credentials" not in request.params:
+                raise HTTPResponse("Missing credentials parameter", 400)
+            credentials = request.params["credentials"]
+
+            profile = request.params.get("profile", self.actionsmap.default_authentication)

-        profile = request.params.get("profile", self.actionsmap.default_authentication)
        authenticator = self.actionsmap.get_authenticator(profile)

        try:
@ -377,6 +387,7 @@ class _ActionsMapPlugin:
        try:
            session_infos = authenticator.get_session_cookie()
        except Exception:
+            authenticator.delete_session_cookie()
            msg = m18n.g("authentication_required")
            raise HTTPResponse(msg, 401)

@ -707,9 +718,11 @@ class Interface:

    type = "api"

-    def __init__(self, routes={}, actionsmap=None):
+    def __init__(self, routes={}, actionsmap=None, allowed_cors_origins=[]):
        actionsmap = ActionsMap(actionsmap, ActionsMapParser())

+        self.allowed_cors_origins = allowed_cors_origins
+
        # Attempt to retrieve log queues from an APIQueueHandler
        handler = log.getHandlersByClass(APIQueueHandler, limit=1)
        if handler:
@ -719,11 +732,18 @@ class Interface:
        # TODO: Return OK to 'OPTIONS' xhr requests (l173)
        app = Bottle(autojson=True)

-        # Wrapper which sets proper header
-        def apiheader(callback):
+        def cors(callback):
            def wrapper(*args, **kwargs):
-                response.set_header("Access-Control-Allow-Origin", "*")
-                return callback(*args, **kwargs)
+                r = callback(*args, **kwargs)
+                origin = request.headers.environ.get("HTTP_ORIGIN", "")
+                if origin and origin in self.allowed_cors_origins:
+                    resp = r if isinstance(r, HTTPResponse) else response
+                    resp.headers['Access-Control-Allow-Origin'] = origin
+                    resp.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, OPTIONS, DELETE'
+                    resp.headers['Access-Control-Allow-Headers'] = 'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'
+                    resp.headers['Access-Control-Allow-Credentials'] = 'true'
+
+                return r

            return wrapper

@ -732,7 +752,7 @@ class Interface:
            def wrapper(*args, **kwargs):
                try:
                    locale = request.params.pop("locale")
-                except KeyError:
+                except (KeyError, ValueError):
                    locale = m18n.default_locale
                m18n.set_locale(locale)
                return callback(*args, **kwargs)
@ -741,7 +761,7 @@ class Interface:

        # Install plugins
        app.install(filter_csrf)
-        app.install(apiheader)
+        app.install(cors)
        app.install(api18n)
        actionsmapplugin = _ActionsMapPlugin(actionsmap, log_queues)
        app.install(actionsmapplugin)
@ -750,6 +770,12 @@ class Interface:
        self.display = actionsmapplugin.display
        self.prompt = actionsmapplugin.prompt

+        def handle_options():
+            return HTTPResponse("", 204)
+
+        app.route('/<:re:.*>', method="OPTIONS",
+                  callback=handle_options, skip=["actionsmap"])
+
        # Append additional routes
        # TODO: Add optional authentication to those routes?
        for (m, p), c in routes.items():