Support auth_token given as query string parameter

2024-11-19 04:50:01 +01:00 · 2021-07-21 14:43:06 -03:00 · 2021-07-21 14:43:06 -03:00 · e6cd148bc6
commit e6cd148bc6
parent 19a5e08e91
3 changed files with 25 additions and 12 deletions
--- a/server/order_helpers.py
+++ b/server/order_helpers.py
@ -44,14 +44,16 @@ def adjust_bids(order):
    db.session.commit()


-def get_and_authenticate_order(uuid, args):
+def get_and_authenticate_order(uuid, body_args, query_args):
    order = Order.query.filter_by(uuid=uuid).first()

    if order is None:
        return False, get_http_error_resp('ORDER_NOT_FOUND', uuid)

-    if 'auth_token' in args:
-        in_auth_token = args.get('auth_token')
+    if 'auth_token' in body_args:
+        in_auth_token = body_args.get('auth_token')
+    elif 'auth_token' in query_args:
+        in_auth_token = query_args.get('auth_token')
    elif 'X-Auth-Token' in request.headers:
        in_auth_token = request.headers.get('X-Auth-Token')
    else:
--- a/server/orders.py
+++ b/server/orders.py
@ -36,18 +36,16 @@ def sha256_checksum(filename, block_size=SHA256_BLOCK_SIZE):

 class OrderResource(Resource):
    def get(self, uuid):
-        args = request.form
        success, order_or_error = order_helpers.get_and_authenticate_order(
-            uuid, args)
+            uuid, request.form, request.args)
        if not success:
            return order_or_error
        order = order_or_error
        return order_schema.dump(order)

    def delete(self, uuid):
-        args = request.form
        success, order_or_error = order_helpers.get_and_authenticate_order(
-            uuid, args)
+            uuid, request.form, request.args)
        if not success:
            return order_or_error
        order = order_or_error
@ -139,19 +137,20 @@ class OrderUploadResource(Resource):

 class BumpOrderResource(Resource):
    def post(self, uuid):
-        args = request.form
-        errors = order_bump_schema.validate(args)
+        query_args = request.args
+        form_args = request.form
+        errors = order_bump_schema.validate(form_args)

        if errors:
            return errors, HTTPStatus.BAD_REQUEST

        success, order_or_error = order_helpers.get_and_authenticate_order(
-            uuid, args)
+            uuid, form_args, query_args)
        if not success:
            return order_or_error
        order = order_or_error

-        success, invoice = new_invoice(order, args['bid_increase'])
+        success, invoice = new_invoice(order, form_args['bid_increase'])
        if not success:
            return invoice

--- a/server/tests/test_order.py
+++ b/server/tests/test_order.py
@ -186,7 +186,7 @@ def test_get_order(mock_new_invoice, client):


@patch('orders.new_invoice')
-def test_get_order_auth_token_as_param(mock_new_invoice, client):
+def test_get_order_auth_token_as_form_param(mock_new_invoice, client):
    json_response = generate_test_order(mock_new_invoice, client)
    uuid = json_response['uuid']

@ -197,6 +197,18 @@ def test_get_order_auth_token_as_param(mock_new_invoice, client):
    assert get_json_resp['uuid'] == uuid


+@patch('orders.new_invoice')
+def test_get_order_auth_token_as_query_param(mock_new_invoice, client):
+    json_response = generate_test_order(mock_new_invoice, client)
+    uuid = json_response['uuid']
+
+    auth_token = json_response['auth_token']
+    get_rv = client.get(f'/order/{uuid}?auth_token={auth_token}')
+    get_json_resp = get_rv.get_json()
+    assert get_rv.status_code == HTTPStatus.OK
+    assert get_json_resp['uuid'] == uuid
+
+
 def test_get_nonexistent_order(client):
    uuid = str(uuid4())
    rv = client.get(f'/order/{uuid}',