Properly implement authentication
parent
69de1606d1
commit
47acecc252
2 changed files with 21 additions and 1 deletions
12
README.md
|
@ -84,3 +84,15 @@ volumes:
|
|||
| `FORWARDED_ALLOW_IPS` | The list of reverse proxy IPs to trust. See [Uvicorn docs](https://www.uvicorn.org/settings/#http) | * | `127.0.0.1` |
|
||||
| `LOG_LEVEL` | The log level to use. One of `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`. | `INFO` | `INFO` |
|
||||
| `LOG_DEBUG_TIDY` | When `LOG_LEVEL` is `DEBUG`, silences some really noisy loggers (like HTTP request loggers) to help you debug this program, not a dependency). | `true` | `false` |
|
||||
|
||||
## How does it work?
|
||||
|
||||
Given that this server is meant to be a drop-in solution, there's a few differences to how you would expect
|
||||
something this deeply integrated with a homeserver to work.
|
||||
|
||||
Here is a basic flow for how a preview request goes:
|
||||
|
||||
1. The user's client sends a request for a preview
|
||||
2. The server will take the provided access token, and checks that it is valid with the homeserver.
|
||||
3. If the token is invalid, M_INVALID_TOKEN is returned.
|
||||
4. The server then checks if it has a cached entry
|
||||
|
|
|
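Review bot: The numbered flow in the new "How does it work?" section stops at step 4 ("checks if it has a cached entry") without saying what happens on a cache hit or on a miss, and step 3 covers only an invalid token, not a request that carries no token at all, which the handler answers with MISSING_TOKEN. Finish the list and add the missing-token case. Step 2 should also say that the check is a request to the homeserver named by PREVIEW_HOMESERVER, made before the cache is consulted. Wording: "there's a few differences" should be "there are a few differences", and "will take ..., and checks" should be "takes ... and checks".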
@ -260,6 +260,8 @@ def preview_url(
|
|||
description="Access token to use for the request."
|
||||
),
|
||||
):
|
||||
domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
|
||||
|
||||
if ts:
|
||||
ts = round(ts / 1000)
|
||||
if access_token_qs is not None:
|
||||
|
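Review bot: The fallback in `domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)` builds the homeserver URL from the incoming request, so when PREVIEW_HOMESERVER is unset, the host that receives the user's access token and decides whether it is valid is picked by request data rather than by configuration. Now that this value gates authentication, require PREVIEW_HOMESERVER to be set (fail at startup if it is missing) or check the derived host against a configured allowlist. The default expression is also evaluated on every call even when the variable is set, so a request URL with no hostname would raise on the string concatenation.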
@ -269,6 +271,13 @@ def preview_url(
|
|||
else:
|
||||
return MISSING_TOKEN
|
||||
|
||||
response = httpx.get(
|
||||
domain + "/_matrix/client/r0/account/whoami",
|
||||
headers={"Authorization": f"Bearer {access_token}"}
|
||||
)
|
||||
if response.status_code != 200:
|
||||
return INVALID_TOKEN
|
||||
|
||||
results = db.CachedURLs.select().where(db.CachedURLs.url == url)
|
||||
if results:
|
||||
for result in results:
|
||||
|
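Review bot: The `httpx.get(...)` call to `/_matrix/client/r0/account/whoami` has no error handling, and `if response.status_code != 200` maps every failure to INVALID_TOKEN. A connection error or timeout will raise out of the handler, and a homeserver 5xx or rate-limit response will tell a client holding a good token that the token is invalid. Catch `httpx.HTTPError` around the call, return INVALID_TOKEN only when the homeserver actually rejects the token (401), and return a distinct upstream-failure error otherwise. The check also runs ahead of the cache lookup, so every preview request, cache hit or not, costs a round trip to the homeserver; consider caching successful validations for a short time.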
@ -296,7 +305,6 @@ def preview_url(
|
|||
logging.debug("Full cache miss for %r", url)
|
||||
res.headers["X-Cache"] = "full-miss"
|
||||
|
||||
domain = os.environ.get("PREVIEW_HOMESERVER", "https://" + req.url.hostname)
|
||||
with lock:
|
||||
with httpx.Client(
|
||||
headers={
|
||||
|
|