views: add a logged-in jsonp web service

Security is obtained through the Referer header.
2014-06-18 22:29:30 +02:00 · 2014-06-18 22:29:30 +02:00 · 1fcee43803
parent b0af1b647c
commit 1fcee43803
3 changed files with 28 additions and 1 deletions
--- a/authentic2/app_settings.py
+++ b/authentic2/app_settings.py
@ -110,6 +110,7 @@ default_settings = dict(
    A2_USERNAME_HELP_TEXT=Setting(default=None, definition='Help text to explain validation rules of usernames'),
    IDP_BACKENDS=[],
    AUTH_FRONTENDS=[],
+    VALID_REFERERS=Setting(default=[], definition='List of prefix to match referers'),
 )

 app_settings = AppSettings(default_settings)
--- a/authentic2/profile_urls.py
+++ b/authentic2/profile_urls.py
@ -1,6 +1,7 @@
 from django.conf.urls import patterns, url

 urlpatterns = patterns('authentic2.views',
+    url(r'^logged-in/$', 'logged_in', name='logged-in'),
    url(r'^edit/$', 'edit_profile', name='profile_edit'),
    url(r'^change-email/$', 'email_change', name='email-change'),
    url(r'^change-email/verify/$', 'email_change_verify',
--- a/authentic2/views.py
+++ b/authentic2/views.py
@ -12,6 +12,7 @@ from django.template import RequestContext
 from django.template.loader import render_to_string
 from django.views.generic.edit import UpdateView, FormView
 from django.views.generic import RedirectView, TemplateView
+from django.views.generic.base import View
 from django.contrib.auth import SESSION_KEY
 from django import http, shortcuts
 from django.core import mail, signing
@ -23,7 +24,8 @@ from django.utils.http import urlencode
 from django.contrib.auth import logout as auth_logout
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.models import SiteProfileNotAvailable
-from django.http import HttpResponseRedirect
+from django.http import (HttpResponseRedirect, HttpResponseForbidden,
+    HttpResponse)
 from django.core.exceptions import ObjectDoesNotExist
 from django.views.decorators.csrf import csrf_protect
 from django.contrib.sites.models import Site, RequestSite
@ -408,3 +410,26 @@ def redirect_to_login(request, next=None, nonce=None, keep_qs=False):
    if nonce is not None:
        qs.update({ constants.NONCE_FIELD_NAME: nonce })
    return HttpResponseRedirect('/login?%s' % urlencode(qs))
+
+
+
+class LoggedInView(View):
+    '''JSONP web service to detect if an user is logged'''
+    http_method_names = [u'get']
+
+    def check_referrer(self):
+        '''Check if the given referer is authorized'''
+        referer = self.request.META.get('HTTP_REFERER', '')
+        for valid_referer in app_settings.VALID_REFERERS:
+            if referer.startswith(valid_referer):
+                return True
+        return False
+
+    def get(self, request, *args, **kwargs):
+        if not self.check_referrer():
+            return HttpResponseForbidden()
+        callback = request.GET.get('callback')
+        content = u'{0}({1})'.format(callback, int(request.user.is_authenticated()))
+        return HttpResponse(content, content_type='application/json')
+
+logged_in = never_cache(LoggedInView.as_view())