add server-side enforcement of authentication for collection add/remove

2016-06-29 18:19:29 -04:00 · 2016-06-29 18:19:29 -04:00 · 2c89c13a64
parent ce9ef7b3e4
commit 2c89c13a64
4 changed files with 41 additions and 12 deletions
--- a/src/mtgcoll/auth.clj
+++ b/src/mtgcoll/auth.clj
@ -0,0 +1,15 @@
+(ns mtgcoll.auth
+  (:require
+    [mtgcoll.config :as config]))
+
+(defn using-authorization?
+  []
+  (boolean (seq (config/get :users))))
+
+(defn validate-credentials
+  [username password]
+  (if (using-authorization?)
+    (->> (config/get :users)
+         (filter #(and (= username (:username %))
+                       (= password (:password %))))
+         (first))))
--- a/src/mtgcoll/middleware.clj
+++ b/src/mtgcoll/middleware.clj
@ -0,0 +1,13 @@
+(ns mtgcoll.middleware
+  (:require
+    [webtools.response :as response]
+    [mtgcoll.auth :as auth]))
+
+(defn wrap-authenticated
+  [handler]
+  (fn [request]
+    (if (or (not (auth/using-authorization?))
+            (get-in request [:session :user]))
+      (handler request)
+      (-> (response/content "unauthorized")
+          (response/status 401)))))
--- a/src/mtgcoll/routes/auth.clj
+++ b/src/mtgcoll/routes/auth.clj
@ -4,15 +4,12 @@
    [compojure.core :refer [routes GET POST]]
    [webtools.response :as response]
    [webtools.session :as session]
-    [mtgcoll.config :as config]))
+    [mtgcoll.auth :as auth]))

 (def auth-routes
  (routes
    (POST "/login" [username password :as request]
-      (if-let [user (->> (config/get :users)
-                         (filter #(and (= username (:username %))
-                                       (= password (:password %))))
-                         (first))]
+      (if-let [user (auth/validate-credentials username password)]
        (do
          (log/info username " logged in.")
          (-> (response/content "ok")
--- a/src/mtgcoll/routes/collection.clj
+++ b/src/mtgcoll/routes/collection.clj
@ -2,14 +2,18 @@
  (:require
    [compojure.core :refer [routes GET POST]]
    [webtools.response :as response]
+    [webtools.routes.core :refer [wrap-middleware]]
+    [mtgcoll.middleware :refer [wrap-authenticated]]
    [mtgcoll.models.collection :as collection]))

 (def collection-routes
-  (routes
-    (POST "/collection/add" [card-id quality foil]
-      (collection/add-to-collection! card-id quality foil)
-      (response/json {:status "ok"}))
+  (wrap-middleware
+    (routes
+      (POST "/collection/add" [card-id quality foil :as request]
+        (collection/add-to-collection! card-id quality foil)
+        (response/json {:status "ok"}))

-    (POST "/collection/remove" [card-id quality foil]
-      (collection/remove-from-collection! card-id quality foil)
-      (response/json {:status "ok"}))))
+      (POST "/collection/remove" [card-id quality foil :as request]
+        (collection/remove-from-collection! card-id quality foil)
+        (response/json {:status "ok"})))
+    (wrap-authenticated)))