Real HAMC authentication

2025-12-23 20:01:59 -05:00 · 2014-01-22 08:55:33 +02:00
parent b5f88c199c
commit ddf3959d4d
1 changed files with 12 additions and 13 deletions
--- a/redash/authentication.py
+++ b/redash/authentication.py
@@ -1,6 +1,9 @@
 import functools
 import hashlib
 import hmac
 from flask import request, make_response
 from flask.ext.googleauth import GoogleFederated
 import time
 from werkzeug.contrib.fixers import ProxyFix
 import werkzeug.wrappers
 from redash import data, settings
@@ -10,27 +13,23 @@ class HMACAuthentication(object):
    def __init__(self, auth):
        self.auth = auth
        #user = super(CsvQueryResultsHandler, self).get_current_user()
        #if not user:
        #    api_key = self.get_argument("api_key", None)
        #    query = data.models.Query.objects.get(pk=self.path_args[0])
        #
        #    if query.api_key and query.api_key == api_key:
        #        user = "API-Key=%s" % api_key
        #
        #return user
    def required(self, fn):
        wrapped_fn = self.auth.required(fn)
        @functools.wraps(fn)
        def decorated(*args, **kwargs):
-            api_key = request.args.get('api_key')
+            signature = request.args.get('signature')
            expires = int(request.args.get('expires') or 0)
            query_id = request.view_args.get('query_id', None)
-            if api_key and query_id:
+            if signature and query_id and time.time() < expires:
                query = data.models.Query.objects.get(pk=query_id)
-                if query.api_key and query.api_key == api_key:
+                h = hmac.new(str(query.api_key), msg=request.path, digestmod=hashlib.sha1)
                h.update(str(expires))
                print h.hexdigest()
                if query.api_key and signature == h.hexdigest():
                    return fn(*args, **kwargs)
            # Work around for flask-restful testing only for flask.wrappers.Resource instead of