diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py index 219f6e731f..a5d3e388ac 100644 --- a/api/controllers/web/passport.py +++ b/api/controllers/web/passport.py @@ -11,13 +11,13 @@ from libs.passport import PassportService class PassportResource(Resource): """Base resource for passport.""" def get(self): - app_id = request.headers.get('X-App-Code') - if app_id is None: + app_code = request.headers.get('X-App-Code') + if app_code is None: raise Unauthorized('X-App-Code header is missing.') # get site from db and check if it is normal site = db.session.query(Site).filter( - Site.code == app_id, + Site.code == app_code, Site.status == 'normal' ).first() if not site: @@ -41,6 +41,7 @@ class PassportResource(Resource): "iss": site.app_id, 'sub': 'Web API Passport', 'app_id': site.app_id, + 'app_code': app_code, 'end_user_id': end_user.id, } diff --git a/api/controllers/web/wraps.py b/api/controllers/web/wraps.py index 314a4099ee..958c2d793f 100644 --- a/api/controllers/web/wraps.py +++ b/api/controllers/web/wraps.py @@ -6,7 +6,7 @@ from flask_restful import Resource from werkzeug.exceptions import NotFound, Unauthorized from extensions.ext_database import db -from models.model import App, EndUser +from models.model import App, EndUser, Site from libs.passport import PassportService def validate_jwt_token(view=None): @@ -35,9 +35,13 @@ def decode_jwt_token(): if auth_scheme != 'bearer': raise Unauthorized('Invalid Authorization header format. Expected \'Bearer \' format.') decoded = PassportService().verify(tk) + app_model = db.session.query(App).filter(App.id == decoded['app_id']).first() + site = db.session.query(Site).filter(Site.code == decoded['app_code']).first() if not app_model: raise NotFound() + if not site: + raise Unauthorized('Site URL is no longer valid.') if app_model.enable_site is False: raise Unauthorized('Site is disabled.') end_user = db.session.query(EndUser).filter(EndUser.id == decoded['end_user_id']).first()