Added simple API key

clients/.gitignore

@@ -0,0 +1 @@
+authenticated_machines.tsv

clients/example_file.tsv

@@ -0,0 +1,2 @@
+# Only the entries in authenticated_machines.tsv are used, this is an example file
+YDzcmp8JpYHCcvJbDOVT7nEDoyCEND6K	Example Machine

database.py

@@ -5,6 +5,7 @@ import waitress
 import os
 import datetime
 from cleanup import *
+from utilities import *
 import sys
 
 
@@ -15,22 +16,18 @@ TRACKS = []	# Format: tuple(frozenset(artist_ref,...),title)
 timestamps = set()
 
 c = CleanerAgent()
+clients = []
 
 lastsync = 0
 
 
-# by id
+### symmetric keys are fine for now since we hopefully use HTTPS
-#def getScrobbleObject(o):
+def loadAPIkeys():
-#	#return {"artists":getTrackObject(SCROBBLES[o][0])["artists"],"title":getTrackObject(SCROBBLES[o][0])["title"],"time":SCROBBLES[o][1],"saved":SCROBBLES[o][2]}
+	global clients
-#	return {"artists":getTrackObject(SCROBBLES[o][0])["artists"],"title":getTrackObject(SCROBBLES[o][0])["title"],"time":SCROBBLES[o][1]}
+	clients = parseTSV("clients/authenticated_machines.tsv","string","string")
-#	
-#def getArtistObject(o):
-#	return ARTISTS[o]
-#	
-#def getTrackObject(o):
-#	return {"artists":[getArtistObject(a) for a in TRACKS[o][0]],"title":TRACKS[o][1]}
 
-# by object
+def checkAPIkey(k):
+	return (k in [k for [k,d] in clients])
 
 def getScrobbleObject(o):
 	track = getTrackObject(TRACKS[o[0]])
@@ -149,6 +146,11 @@ def post_scrobble():
 	keys = FormsDict.decode(request.forms) # The Dal★Shabet handler
 	artists = keys.get("artist")
 	title = keys.get("title")
+	apikey = keys.get("key")
+	if not (checkAPIkey(apikey)):
+		response.status = 403
+		return ""
+	
 	try:
 		time = int(keys.get("time"))
 	except:
@@ -178,6 +180,8 @@ def runserver(DATABASE_PORT):
 	#buildh()
 	build_db()
 
+	loadAPIkeys()
+
 	run(host='0.0.0.0', port=DATABASE_PORT, server='waitress')
 
 

scrobbler-vivaldi-plex/background.js

@@ -210,9 +210,10 @@ function scrobble(artist,title,seconds) {
 	console.log("Scrobbling " + artist + " - " + title + "; " + seconds + " seconds playtime")
 	artiststring = encodeURIComponent(artist)
 	titlestring = encodeURIComponent(title)
+	APIKEY = "YDzcmp8JpYHCcvJbDOVT7nEDoyCEND6K" ///obviously this will not be hardcoded later
 	var xhttp = new XMLHttpRequest();
 	xhttp.open("POST","http://localhost:42010/db/newscrobble",true);
-	xhttp.send("artist=" + artiststring + "&title=" + titlestring + "&duration=" + seconds)
+	xhttp.send("artist=" + artiststring + "&title=" + titlestring + "&duration=" + seconds + "&key=" + APIKEY)
 }
 
 function setUpdate() {

server.py

@@ -4,6 +4,7 @@ import _thread
 import waitress
 import urllib.request
 import urllib.parse
+from urllib.error import *
 import sys
 import signal
 
@@ -23,7 +24,7 @@ def mainpage():
 # e.g. location /db { rewrite ^/db(.*)$ $1 break; proxy_pass http://yoururl:12349; }
 
 @get("/db/<pth:path>")
-def database(pth):
+def database_get(pth):
 	keys = FormsDict.decode(request.query) # The Dal★Shabet handler
 	keystring = "?"
 	for k in keys:
@@ -35,8 +36,16 @@ def database(pth):
 	return contents
 	
 @post("/db/<pth:path>")
-def database(pth):
+def database_post(pth):
-	contents = urllib.request.urlopen("http://localhost:" + str(DATABASE_PORT) + "/" + pth,request.body).read()
+	try:
+		proxyresponse = urllib.request.urlopen("http://localhost:" + str(DATABASE_PORT) + "/" + pth,request.body)
+		contents = proxyresponse.read()
+		response.status = proxyresponse.getcode()
+	except HTTPError as e:
+		contents = ""
+		response.status = e.code
+		
+		
 	response.content_type = "application/json"
 	response.set_header("Access-Control-Allow-Origin","*")
 	return contents