Properly implement authentication
parent
69de1606d1
commit
47acecc252
2 changed files with 21 additions and 1 deletions
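--- a/README.md
+++ b/README.md
@@ -84,3 +84,15 @@ volumes:
 | `FORWARDED_ALLOW_IPS` | The list of reverse proxy IPs to trust. See [Uvicorn docs](https://www.uvicorn.org/settings/#http) | * | `127.0.0.1` |
 | `LOG_LEVEL` | The log level to use. One of `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`. | `INFO` | `INFO` |
 | `LOG_DEBUG_TIDY` | When `LOG_LEVEL` is `DEBUG`, silences some really noisy loggers (like HTTP request loggers) to help you debug this program, not a dependency). | `true` | `false` |
+
+## How does it work?
+
+Given that this server is meant to be a drop-in solution, there's a few differences to how you would expect
+something this deeply integrated with a homeserver to work.
+
+Here is a basic flow for how a preview request goes:
+
+1. The user's client sends a request for a preview
+2. The server will take the provided access token, and checks that it is valid with the homeserver.
+3. If the token is invalid, M_INVALID_TOKEN is returned.
+4. The server then checks if it has a cached entry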
||||||
|
|
|
@ -260,6 +260,8 @@ def preview_url(
|
||||||
description="Access token to use for the request."
|
description="Access token to use for the request."
|
||||||
),
|
),
|
||||||
):
|
):
|
||||||
|
domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
|
||||||
|
|
||||||
if ts:
|
if ts:
|
||||||
ts = round(ts / 1000)
|
ts = round(ts / 1000)
|
||||||
if access_token_qs is not None:
|
if access_token_qs is not None:
|
||||||
|
@ -269,6 +271,13 @@ def preview_url(
|
||||||
else:
|
else:
|
||||||
return MISSING_TOKEN
|
return MISSING_TOKEN
|
||||||
|
|
||||||
|
response = httpx.get(
|
||||||
|
domain + "/_matrix/client/r0/account/whoami",
|
||||||
|
headers={"Authorization": f"Bearer {access_token}"}
|
||||||
|
)
|
||||||
|
if response.status_code != 200:
|
||||||
|
return INVALID_TOKEN
|
||||||
|
|
||||||
results = db.CachedURLs.select().where(db.CachedURLs.url == url)
|
results = db.CachedURLs.select().where(db.CachedURLs.url == url)
|
||||||
if results:
|
if results:
|
||||||
for result in results:
|
for result in results:
|
||||||
|
@ -296,7 +305,6 @@ def preview_url(
|
||||||
logging.debug("Full cache miss for %r", url)
|
logging.debug("Full cache miss for %r", url)
|
||||||
res.headers["X-Cache"] = "full-miss"
|
res.headers["X-Cache"] = "full-miss"
|
||||||
|
|
||||||
domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
|
|
||||||
with lock:
|
with lock:
|
||||||
with httpx.Client(
|
with httpx.Client(
|
||||||
headers={
|
headers={
|
||||||
|
|
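Review bot: The homeserver that validates the token falls back to `"https://" + req.url.hostname` when `PREVIEW_HOMESERVER` is unset, and that hostname appears to come from the incoming request itself (its Host header), so the caller can influence which server answers the `whoami` check and receives the bearer token. Because this lookup is now the authentication decision, the fallback should be constrained: require `PREVIEW_HOMESERVER` wherever a trusted proxy does not pin the Host header, or check the hostname against a configured allow-list before the `httpx.get` call. Separately, every non-200 status (rate limiting, a homeserver 5xx) is reported as `INVALID_TOKEN` and a transport failure is not caught; handling `except httpx.HTTPError` and returning `INVALID_TOKEN` only for a `401` would keep a homeserver outage from looking like a bad token. A comment such as `# token is verified against the homeserver on every request, before the cache lookup` above the call would document the ordering. The body of `preview_url` starts and ends outside the visible hunks.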