From 5e842a697bc46a7120d09ce96e9df4ca74c886ce Mon Sep 17 00:00:00 2001
From: Bryce Covert
Date: Tue, 19 Dec 2017 09:13:45 -0800
Subject: [PATCH] routes are now secured.
---
 src/clj/auto_ap/handler.clj | 45 ++++++++++++++++++++++-------------
 src/cljs/auto_ap/effects.cljs | 21 +++++++++-------
 src/cljs/auto_ap/events.cljs | 5 ++++
 src/cljs/auto_ap/subs.cljs | 1 -
 src/cljs/auto_ap/views.cljs | 5 ++--
 5 files changed, 48 insertions(+), 29 deletions(-)
diff --git a/src/clj/auto_ap/handler.clj b/src/clj/auto_ap/handler.clj
index 44650c49..b0dc3fa7 100644
--- a/src/clj/auto_ap/handler.clj
+++ b/src/clj/auto_ap/handler.clj
@@ -37,21 +37,21 @@
 (def jwt-secret "auto ap invoices are awesome")
-(defroutes app-routes
+(defroutes unauthenticated-routes
 (GET "/" [] (response/resource-response "index.html" {:root "public"})) (GET "/api/oauth" {{:strs [code]} :query-params} (try (let [token (-> "https://accounts.google.com/o/oauth2/token"
- (http/post
- {:form-params {"client_id" google-client-id
- "client_secret" google-client-secret
- "code" code
- "redirect_uri" "http://localhost:3449/api/oauth"
- "grant_type" "authorization_code"}
- :as :json})
- :body
- :access_token)
+ (http/post
+ {:form-params {"client_id" google-client-id
+ "client_secret" google-client-secret
+ "code" code
+ "redirect_uri" "http://localhost:3449/api/oauth"
+ "grant_type" "authorization_code"}
+ :as :json})
+ :body
+ :access_token)
 profile (-> (http/get "https://www.googleapis.com/oauth2/v1/userinfo" {:headers {"Authorization" (str "Bearer " token)} :as :json}) :body
@@ -70,13 +70,17 @@
 {:status 401 :body (str "Couldn't authenticate " (.toString e))})))
+ (route/resources "/")
+ (routes (ANY "*" [] (response/resource-response "index.html" {:root "public"}))))
+
+(defroutes api-routes
+ (GET "/api/invoices" [] {:status 200 :body (pr-str (invoices/get-all)) :headers {"Content-Type" "application/edn"}}) (GET "/api/invoices/unpaid" {:keys [query-params] :as r}
- (println "TEST" r (authenticated? r))
 {:status 200 :body (pr-str (invoices/get-unpaid (query-params "company"))) :headers {"Content-Type" "application/edn"}})
@@ -123,15 +127,24 @@
 ))) {:status 200 :body (pr-str (invoices/get-pending ((:query-params params ) "company")))
- :headers {"Content-Type" "application/edn"}}))
- (route/resources "/")
- (routes (ANY "*" [] (response/resource-response "index.html" {:root "public"})))
- (route/not-found "Not Found"))
+ :headers {"Content-Type" "application/edn"}})))
+
+(defn wrap-secure [handler]
+ (fn [request]
+ (if (authenticated? request)
+ (handler request)
+ {:status 401
+ :body "not authenticated"})))
 (def auth-backend (jws-backend {:secret jwt-secret :options {:alg :hs512}}))
+(def app-routes
+ (routes
+ (wrap-routes api-routes
+ wrap-secure)
+ unauthenticated-routes))
 (def app
- (-> #'app-routes
+ (-> #'app-routes
 (wrap-authorization auth-backend) (wrap-authentication auth-backend) (wrap-reload)
diff --git a/src/cljs/auto_ap/effects.cljs b/src/cljs/auto_ap/effects.cljs
index 73058a1b..95dd2bda 100644
--- a/src/cljs/auto_ap/effects.cljs
+++ b/src/cljs/auto_ap/effects.cljs
@@ -14,13 +14,16 @@
 (re-frame/reg-fx :http
- (fn [{:keys [method uri on-success body headers]}]
+ (fn [{:keys [method uri on-success body headers token]}]
 (go
- (->> (http/request {:method method
- :body body
- :headers headers
- :url uri})
- (> (http/request {:method method
+ :body body
+ :headers headers
+ :url uri})
+ ( cofx :db :user) :uri (str "/api/invoices/approve" (when-let [company-name (-> cofx :db :company :name)] (str "?company=" company-name)))
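Review bot: `unauthenticated-routes` now ends with `(route/resources "/")` and an `(ANY "*" ...)` catch-all that answers every path with index.html, so the protection of `api-routes` depends entirely on it being composed before this catch-all, and nothing in the hunk records that constraint. A one-line comment above the catch-all, `;; must stay last in app-routes: this ANY route would shadow every api route composed after it`, would keep a later reordering from silently exposing the API. A consequence worth stating in the same comment is that an unmatched or mistyped `/api/...` path is served index.html with 200 instead of a 404 (the `(route/not-found "Not Found")` removed in the next hunk was already behind the catch-all and unreachable), which hides routing mistakes from clients. `api-routes` continues past the end of this hunk.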
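Review bot: `wrap-secure` decides only with `authenticated?`, i.e. whether `wrap-authentication` accepted a JWS, so every holder of a token issued by `/api/oauth` reaches all of `api-routes`, while the handlers still select their rows from the caller-chosen `company` query parameter (`(invoices/get-pending ((:query-params params ) "company"))` here, `(invoices/get-unpaid (query-params "company"))` in the previous hunk) without looking at `(:identity request)`. Unless the token-issuing code, which is outside this diff, limits who receives a token, this is authentication without authorization; `wrap-secure` or each handler should compare the identity carried by the token with the requested company before returning data. The key the check ultimately trusts is still the literal `(def jwt-secret "auto ap invoices are awesome")` from the first hunk, fed to `jws-backend` on the `auth-backend` context line with `:hs512`, so anyone who can read the repository can mint a token that passes `wrap-secure`; read it from the environment instead, e.g. `(def jwt-secret (System/getenv "AUTO_AP_JWT_SECRET"))` (variable name illustrative) and fail at startup when it is unset. A comment above `wrap-secure`, `;; rejects requests with no valid identity; per-company authorization is left to each handler`, would at least make the current contract explicit.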
@@ -52,6 +53,7 @@
 (fn [cofx []] {:db (assoc-in (:db cofx) [:status :loading] true) :http {:method :get
+ :token (-> cofx :db :user)
 :uri (str "/api/invoices/pending" (when-let [company-name (-> cofx :db :company :name)] (str "?company=" company-name)))
@@ -62,6 +64,7 @@
 (fn [cofx []] {:db (assoc-in (:db cofx) [:status :loading] true) :http {:method :get
+ :token (-> cofx :db :user)
 :uri (str "/api/invoices/unpaid" (when-let [company-name (-> cofx :db :company :name)] (str "?company=" company-name)))
@@ -71,6 +74,7 @@
 ::reject-invoices (fn [cofx [_]] {:http {:method :post
+ :token (-> cofx :db :user)
 :uri (str "/api/invoices/reject" (when-let [company-name (-> cofx :db :company :name)] (str "?company=" company-name)))
@@ -86,6 +90,7 @@
 (fn [{:keys [db]} [_ invoice]] {:http {:method :post
+ :token (-> db :user)
 :uri "/api/invoices" :body (pr-str {:rows [(assoc invoice :imported true)]}) :headers {"Content-Type" "application/edn"}
diff --git a/src/cljs/auto_ap/subs.cljs b/src/cljs/auto_ap/subs.cljs
index 76643e6c..3b2240a0 100644
--- a/src/cljs/auto_ap/subs.cljs
+++ b/src/cljs/auto_ap/subs.cljs
@@ -23,7 +23,6 @@
 (fn [db] (when (:user db) (let [{:strs [name] :as x} (js->clj (.parse js/JSON (base64/decodeString (second (str/split (:user db) #"\.")))))]
- (println x)
 {:name name})))) (re-frame/reg-sub
diff --git a/src/cljs/auto_ap/views.cljs b/src/cljs/auto_ap/views.cljs
index 88d43f17..94150ba1 100644
--- a/src/cljs/auto_ap/views.cljs
+++ b/src/cljs/auto_ap/views.cljs
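Review bot: The token is threaded by hand into each `:http` map as `:token (-> cofx :db :user)` in the four hunks here (`/api/invoices/pending`, `/unpaid`, `/reject`, and `:token (-> db :user)` for the `/api/invoices` post), so an event added later that forgets the key will only fail at runtime with the server's new 401, not at the call site. A small helper that builds the map, `(defn- authed-http [db m] (assoc m :token (:user db)))`, called from every event, keeps the token in one place; a re-frame interceptor that injects it is the other usual option. How the `:http` effect turns `token` into a request header is not legible in the effects.cljs hunk as rendered here, so I cannot confirm it ends up as an `Authorization` header rather than elsewhere.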
@@ -220,11 +220,10 @@
 (defn login-url [] (let [client-id "264081895820-0nndcfo3pbtqf30sro82vgq5r27h8736.apps.googleusercontent.com" redirect-uri "http%3A%2F%2Flocalhost%3A3449%2Fapi%2Foauth"]
- (str "https://accounts.google.com/o/oauth2/auth?access_type=online&client_id=" client-id "&redirect_uri=" redirect-uri "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile"))
- )
+ (str "https://accounts.google.com/o/oauth2/auth?access_type=online&client_id=" client-id "&redirect_uri=" redirect-uri "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile")))
+
 (defn login [] (let [user (re-frame/subscribe [::subs/user])]
- (println @user)
 [:a {:class "navbar-link login" :href (login-url)} (or (:name @user) "Login")])) (defn main-panel []