From b5b09c405232dc20d1777cbe2deb0afba3dcd668 Mon Sep 17 00:00:00 2001
From: Krateng <git.noreply@krateng.ch>
Date: Wed, 29 Jul 2020 20:11:51 +0200
Subject: [PATCH] Updated some methods to new authentication method

---
 maloja/database.py            | 105 +++++++++++++++++++---------------
 maloja/static/js/upload.js    |   4 +-
 maloja/web/jinja/artist.jinja |   2 +-
 maloja/web/jinja/setup.jinja  |   2 +-
 maloja/web/jinja/track.jinja  |   2 +-
 5 files changed, 63 insertions(+), 52 deletions(-)

diff --git a/maloja/database.py b/maloja/database.py
index c3dec71..e1e90d2 100644
--- a/maloja/database.py
+++ b/maloja/database.py
@@ -18,6 +18,7 @@ from doreah.logging import log
 from doreah import tsv
 from doreah import settings
 from doreah.caching import Cache, DeepCache
+from doreah.auth import authenticated_api, authenticated_api_with_alternate
 try:
 	from doreah.persistence import DiskDict
 except: pass
@@ -240,6 +241,23 @@ def normalize_name(name):
 ########
 ########
 
+# skip regular authentication if api key is present in request
+# an api key now ONLY permits scrobbling tracks, no other admin tasks
+def api_key_correct(request):
+	args = request.query
+	print(dict(args))
+	if "key" in args:
+		apikey = args["key"]
+		print(args)
+		del args["key"]
+		print(args)
+	elif "apikey" in args:
+		apikey = args["apikey"]
+		del args["apikey"]
+	else: return False
+
+	return checkAPIkey(apikey)
+
 
 dbserver = API(delay=True,path="api")
 
@@ -669,23 +687,19 @@ def trackInfo(track):
 
 @dbserver.get("newscrobble")
 @dbserver.post("newscrobble")
+@authenticated_api_with_alternate(api_key_correct)
 def post_scrobble(artist:Multi,**keys):
 	artists = "/".join(artist)
 	title = keys.get("title")
 	album = keys.get("album")
 	duration = keys.get("seconds")
-	apikey = keys.get("key")
-	client = checkAPIkey(apikey)
-	if client == False: # empty string allowed!
-		response.status = 403
-		return ""
 
 	try:
 		time = int(keys.get("time"))
 	except:
 		time = int(datetime.datetime.now(tz=datetime.timezone.utc).timestamp())
 
-	log("Incoming scrobble (native API): Client " + client + ", ARTISTS: " + str(artists) + ", TRACK: " + title,module="debug")
+	log("Incoming scrobble (native API): ARTISTS: " + str(artists) + ", TRACK: " + title,module="debug")
 	(artists,title) = cla.fullclean(artists,title)
 
 	## this is necessary for localhost testing
@@ -719,18 +733,18 @@ def sapi(path:Multi,**keys):
 
 
 @dbserver.get("sync")
+@authenticated_api
 def abouttoshutdown():
 	sync()
 	#sys.exit()
 
 @dbserver.post("newrule")
+@authenticated_api
 def newrule(**keys):
-	apikey = keys.pop("key",None)
-	if (checkAPIkey(apikey)):
-		tsv.add_entry(datadir("rules/webmade.tsv"),[k for k in keys])
-		#addEntry("rules/webmade.tsv",[k for k in keys])
-		global db_rulestate
-		db_rulestate = False
+	tsv.add_entry(datadir("rules/webmade.tsv"),[k for k in keys])
+	#addEntry("rules/webmade.tsv",[k for k in keys])
+	global db_rulestate
+	db_rulestate = False
 
 
 @dbserver.get("issues")
@@ -877,39 +891,36 @@ def get_predefined_rulesets():
 	return rulesets
 
 @dbserver.post("importrules")
+@authenticated_api
 def import_rulemodule(**keys):
-	apikey = keys.pop("key",None)
+	filename = keys.get("filename")
+	remove = keys.get("remove") is not None
+	validchars = "-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	filename = "".join(c for c in filename if c in validchars)
 
-	if (checkAPIkey(apikey)):
-		filename = keys.get("filename")
-		remove = keys.get("remove") is not None
-		validchars = "-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-		filename = "".join(c for c in filename if c in validchars)
-
-		if remove:
-			log("Deactivating predefined rulefile " + filename)
-			os.remove(datadir("rules/" + filename + ".tsv"))
-		else:
-			log("Importing predefined rulefile " + filename)
-			os.symlink(datadir("rules/predefined/" + filename + ".tsv"),datadir("rules/" + filename + ".tsv"))
+	if remove:
+		log("Deactivating predefined rulefile " + filename)
+		os.remove(datadir("rules/" + filename + ".tsv"))
+	else:
+		log("Importing predefined rulefile " + filename)
+		os.symlink(datadir("rules/predefined/" + filename + ".tsv"),datadir("rules/" + filename + ".tsv"))
 
 
 
 @dbserver.post("rebuild")
+@authenticated_api
 def rebuild(**keys):
-	apikey = keys.pop("key",None)
-	if (checkAPIkey(apikey)):
-		log("Database rebuild initiated!")
-		global db_rulestate
-		db_rulestate = False
-		sync()
-		from .proccontrol.tasks.fixexisting import fix
-		fix()
-		global cla, coa
-		cla = CleanerAgent()
-		coa = CollectorAgent()
-		build_db()
-		invalidate_caches()
+	log("Database rebuild initiated!")
+	global db_rulestate
+	db_rulestate = False
+	sync()
+	from .proccontrol.tasks.fixexisting import fix
+	fix()
+	global cla, coa
+	cla = CleanerAgent()
+	coa = CollectorAgent()
+	build_db()
+	invalidate_caches()
 
 
 
@@ -950,15 +961,15 @@ def search(**keys):
 
 
 @dbserver.post("addpicture")
-def add_picture(b64,key,artist:Multi=[],title=None):
-	if (checkAPIkey(key)):
-		keys = FormsDict()
-		for a in artist:
-			keys.append("artist",a)
-		if title is not None: keys.append("title",title)
-		k_filter, _, _, _ = uri_to_internal(keys)
-		if "track" in k_filter: k_filter = k_filter["track"]
-		utilities.set_image(b64,**k_filter)
+@authenticated_api
+def add_picture(b64,artist:Multi=[],title=None):
+	keys = FormsDict()
+	for a in artist:
+		keys.append("artist",a)
+	if title is not None: keys.append("title",title)
+	k_filter, _, _, _ = uri_to_internal(keys)
+	if "track" in k_filter: k_filter = k_filter["track"]
+	utilities.set_image(b64,**k_filter)
 
 ####
 ## Server operation
diff --git a/maloja/static/js/upload.js b/maloja/static/js/upload.js
index 103ea12..797543a 100644
--- a/maloja/static/js/upload.js
+++ b/maloja/static/js/upload.js
@@ -1,3 +1,3 @@
-function upload(encodedentity,apikey,b64) {
-	neo.xhttprequest("/api/addpicture?key=" + apikey + "&" + encodedentity,{"b64":b64},"POST")
+function upload(encodedentity,b64) {
+	neo.xhttprequest("/api/addpicture?" + encodedentity,{"b64":b64},"POST")
 }
diff --git a/maloja/web/jinja/artist.jinja b/maloja/web/jinja/artist.jinja
index acc6cad..99b030a 100644
--- a/maloja/web/jinja/artist.jinja
+++ b/maloja/web/jinja/artist.jinja
@@ -36,7 +36,7 @@
 		<td class="image">
 			{% if adminmode %}
 			<div
-				class="changeable-image" data-uploader="b64=>upload('{encodedartist}','{apikey}',b64)"
+				class="changeable-image" data-uploader="b64=>upload('{{ encodedartist }}',b64)"
 				style="background-image:url('{{ utilities.getArtistImage(artist=artist,fast=True) }}');"
 			></div>
 			{% else %}
diff --git a/maloja/web/jinja/setup.jinja b/maloja/web/jinja/setup.jinja
index 5fd88fe..0b93561 100644
--- a/maloja/web/jinja/setup.jinja
+++ b/maloja/web/jinja/setup.jinja
@@ -99,7 +99,7 @@
 	After you've scrobbled for a bit, you might want to check the <a class="textlink" href="/issues">Issues page</a> to see if you need to set up some rules. You can also manually add rules in your server's "rules" directory - just add your own .tsv file and read the instructions on how to declare a rule.
 	<br/><br/>
 
-	You can also set up some predefined rulesets right away! Enter your API key and click the buttons.
+	You can also set up some predefined rulesets right away!
 	<br/>
 
 	<br/><br/>
diff --git a/maloja/web/jinja/track.jinja b/maloja/web/jinja/track.jinja
index 0dcefae..d1ff053 100644
--- a/maloja/web/jinja/track.jinja
+++ b/maloja/web/jinja/track.jinja
@@ -30,7 +30,7 @@
 		<td class="image">
 			{% if adminmode %}
 			<div
-				class="changeable-image" data-uploader="b64=>upload('{encodedartist}','{apikey}',b64)"
+				class="changeable-image" data-uploader="b64=>upload('{{ encodedtrack }}',b64)"
 				style="background-image:url('{{ utilities.getTrackImage(artists=track.artists,title=track.title,fast=True) }}');"
 			></div>
 			{% else %}