From d1849b968137c5cd085ca36eed1bb8887949bfd3 Mon Sep 17 00:00:00 2001
From: jonasled <jonas@jonasled.de>
Date: Thu, 27 Feb 2020 20:07:07 +0100
Subject: [PATCH] password support for API

---
 api.py                 | 21 ++++++++++++++++++---
 main.py                |  4 ++--
 templates/apiDocs.html |  9 +++++++++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/api.py b/api.py
index bf535ec..142c693 100644
--- a/api.py
+++ b/api.py
@@ -2,15 +2,15 @@ from flask import jsonify, render_template
 from sqlite3 import connect
 from makeqr import makeQR
 
-def apiGet(request, url_scheme, s, sAPI):
+def apiGet(request, url_scheme, s, sAPI, passwordProtected):
     try:
         userID = sAPI.dumps(s.loads(request.cookies.get('userID')))
     except:
         userID = ""
 
-    return render_template("apiDocs.html", apikey=userID, domain=request.headers['Host'], url_scheme=url_scheme)
+    return render_template("apiDocs.html", apikey=userID, domain=request.headers['Host'], url_scheme=url_scheme, passwordProtected=passwordProtected)
 
-def apiPost(request, url_scheme, domain, sAPI):
+def apiPost(request, url_scheme, domain, sAPI, passwordProtected, password):
     username = "error"
     try:
         username = sAPI.loads(request.form['apikey'])
@@ -41,6 +41,21 @@ def apiPost(request, url_scheme, domain, sAPI):
             message="domain for short link is not in allowed domain list"
         )
     
+    if passwordProtected:
+        try:
+            pw = request.form["password"]
+            if( pw != password):
+                return jsonify(
+                    status="5",
+                    message="Wrong password."
+                )      
+        except:
+            return jsonify(
+                status="5",
+                message="Wrong password."
+            )   
+
+    
     with connect('db/urls.db') as conn: #Check if another user already used the short link
         cursor = conn.cursor()
         res = cursor.execute('SELECT LONG_URL FROM WEB_URL WHERE SHORT_URL=?', [short])
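Review bot: The added check `if( pw != password):` compares the shared password with `!=`, which is not a constant-time comparison, and the bare `except:` around it reports "Wrong password." for any exception, not only a missing form field. Reading the field with `pw = request.form.get("password", "")` and testing `if not hmac.compare_digest(pw.encode(), password.encode()):` (with `import hmac` at the top of api.py) removes the need for the try/except. Both rejection paths appear to return the default HTTP 200; returning the `jsonify(...)` result together with 401 or 403 would let clients and log-based monitoring tell rejected attempts apart. Nothing visible in this hunk throttles repeated guesses, so it is worth confirming that `/user/api` is rate limited elsewhere. The body of apiPost starts and ends outside the hunk.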
diff --git a/main.py b/main.py
index 21ab29f..5948b13 100644
--- a/main.py
+++ b/main.py
@@ -199,12 +199,12 @@ def makeQrCode():
 
 @app.route('/user/api', methods=['POST'])
 def api():
-    return apiPost(request, url_scheme, domain, sAPI)
+    return apiPost(request, url_scheme, domain, sAPI, passwordProtected, password)
 
 
 @app.route('/user/api', methods=['GET'])
 def apiDocs():
-    return apiGet(request, url_scheme, s, sAPI)
+    return apiGet(request, url_scheme, s, sAPI, passwordProtected)
 
     
 def startup(production):
diff --git a/templates/apiDocs.html b/templates/apiDocs.html
index 83441f0..915e9b4 100644
--- a/templates/apiDocs.html
+++ b/templates/apiDocs.html
@@ -58,6 +58,9 @@
         <li>long: the long URL you want to short</li>
         <li>qr: if you add this parameter you will get an base64 encoded QR code image</li>
         <li>apikey: you can add this argument, if you want to assign this link to your account.</li>
+        {% if passwordProtected %}
+        <li>password: this value contains the password, that is needed to short a link.</li>
+        {% endif %}
     </ul>
     <p>example API call with curl: <i>curl -d "{% if apikey %}apikey={{apikey}}&{% endif %}short={{domain}}/example&long=http://example.com" -X POST {{url_scheme}}://{{domain}}/user/api</i>
 
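Review bot: The curl example directly below the added `password` entry is unchanged, so when `passwordProtected` is set a copied example omits the field and is answered with status 5. A conditional fragment such as `{% if passwordProtected %}password=<your-password>&{% endif %}` inside the `-d` string would keep the example in step with the parameter list. Since the password travels in the form body, the page should also tell readers to call the API over HTTPS only, in case `url_scheme` renders as `http`.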
@@ -96,6 +99,12 @@
             <td>4</td>
             <td>The short URL is already taken.</td>
         </tr>
+        {% if passwordProtected %}
+        <tr>
+            <td>5</td>
+            <td>Wrong Password</td>
+        </tr>
+        {% endif %}
 
     </table>
 
-- 
GitLab