author | Daniel Narvaez <dwnarvaez@gmail.com> | 2013-05-01 20:31:27 (GMT) |
committer | Manuel QuiƱones <manuq@laptop.org> | 2013-05-03 11:40:44 (GMT) |
commit | 671ad1ae3e52b6e06fb58697d37c31e3f492d2de (patch) | |
tree | 14e8245a83f99375e2bae2d50b17c6257dcff7e9 | |
parent | ff5612caee4a3b9830bbe28bc64ac40aa902481a (diff) |
Require authentication before making API calls
Otherwise anything might access the bus.
Note: This will not work if the user moves to another html page. They
will not have a port/key passed in the query string of the URL, so
they won't be able to connect.
-rw-r--r-- | src/sugar3/activity/htmlactivity.py | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/sugar3/activity/htmlactivity.py b/src/sugar3/activity/htmlactivity.py
index 40596a2..61a21d6 100644
--- a/src/sugar3/activity/htmlactivity.py
+++ b/src/sugar3/activity/htmlactivity.py
@@ -41,12 +41,16 @@ class HTMLActivity(activity.Activity):
         self.set_canvas(self._web_view)
         self._web_view.show()
 
+        self._authenticated = False
+
         self._server = Server()
         self._server.connect("session-started", self._session_started_cb)
         port = self._server.start()
 
         index_path = os.path.join(activity.get_bundle_path(), "index.html")
-        self._web_view.load_uri('file://' + index_path + "?port=%s" % port)
+        self._key = os.urandom(16).encode("hex")
+        self._web_view.load_uri("file://%s?port=%s&key=%s" %
+                                (index_path, port, self._key))
 
         self._apis = {}
         self._apis["activity"] = ActivityAPI(self)
@@ -56,6 +60,15 @@ class HTMLActivity(activity.Activity):
     def _message_received_cb(self, session, message):
         request = json.loads(message.data)
+
+        if request["method"] == "authenticate":
+            if self._key == request["params"][0]:
+                self._authenticated = True
+            return
+
+        if not self._authenticated:
+            return
+
         api_name, method_name = request["method"].split(".")
         method = getattr(self._apis[api_name], method_name) |
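Review bot: `self._authenticated = False` makes authentication a single flag on the activity rather than on the session that presented the key, so once index.html has authenticated, any later session the Server hands to `_session_started_cb` would be treated as authenticated without ever sending the key, if the Server accepts more than one connection. Keeping a set of authenticated sessions instead, e.g. `self._authenticated_sessions = set()` here and adding/checking `session` in `_message_received_cb`, ties the check to the connection that actually proved knowledge of the key. Separately, `os.urandom(16).encode("hex")` depends on the Python 2 `str.encode` codec; `binascii.hexlify(os.urandom(16))` yields the same hex string and also works on Python 3. The `__init__` body this hunk patches starts before the hunk.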