Merge pull request #262 from CodeForPhilly/261-JWTs

Requires JWT for all API calls

Author: c-simpson

src/README.md

@@ -48,4 +48,4 @@ Brutally clean all docker related items from your machine
 --------------------------
 Troubleshooting
 ---------------------------------------
-See the [Troubleshooting page](https://github.com/CodeForPhilly/paws-data-pipeline/wiki/Troubleshooting) at the GitHub wiki.
+See the [Troubleshooting page](https://github.com/CodeForPhilly/paws-data-pipeline/wiki/Troubleshooting) at the GitHub wiki. 

src/client/src/App.js

@@ -17,6 +17,7 @@ import Refresh from './components/Refresh';
 import useToken from './components/Login/useToken';
 var jwt = require('jsonwebtoken');
 
+const REFRESH_POPUP_TIME = 300 // seconds
 
 // Triggers token expiration check
 const sleep = time => new Promise(resolve => setTimeout(resolve, time))
@@ -80,7 +81,7 @@ function AuthenticatedApp() {
     var expTime =  decoded?.payload.exp -  Date.now()/1000;
     const jwtExpired = expTime <= 0
 
-    const popRefreshAlert = expTime > 0 && expTime < 30;  // Time in secs to pop up refresh dialog
+    const popRefreshAlert = expTime > 0 && expTime < REFRESH_POPUP_TIME;  // Time in secs to pop up refresh dialog
 
     const hdr = userRole === 'admin' ?  <AdminHeader /> : <Header /> // If we're going to display a header, which one?
 
@@ -102,14 +103,14 @@ function AuthenticatedApp() {
               (!access_token | jwtExpired) ?  <Login setToken={setToken} /> :    <Switch>
 
                 <Route exact path="/">
-                    <HomePage/>
+                    <HomePage access_token = {access_token}/>
                 </Route>
 
 
                 {  /* If an admin, render Upload page       */
                   userRole === 'admin' &&
                     <Route path="/admin">
-                        <Admin/>
+                        <Admin access_token = {access_token}/>
                     </Route>
                     }
 
@@ -119,11 +120,11 @@ function AuthenticatedApp() {
                 </Route>
 
                 <Route path="/360view/search">
-                    <Search360/>
+                    <Search360 access_token = {access_token} />
                 </Route>
 
                 <Route path="/360view/view">
-                     <View360/>
+                     <View360 access_token = {access_token} />
                 </Route>
 
                 <Route path="/check"> 

src/client/src/components/RefreshDlg.js

@@ -17,7 +17,7 @@ export default function  RefreshDlg(props) {
   const handleClose = async (shouldRefresh) => {
     // Could be closed with Yes, No, outclick (which equals No)
     setOpen(false);
-    if (props.shouldOpen){
+    if (shouldRefresh){
       const new_at =  await Refresh(access_token);
       props.setToken(new_at);
     }

src/client/src/pages/Admin.js

@@ -78,7 +78,13 @@ class Admin extends Component {
             formData.append('file', element, element.name)
         })
 
-        await fetch("/api/file", {method: 'POST', body: formData})
+        await fetch("/api/file", {method: 'POST', body: formData, 
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': 'Bearer ' + this.props.access_token
+            }})
+
+
 
         await this.handleGetFileList();
 
@@ -95,13 +101,27 @@ class Admin extends Component {
 
         this.setState({isLoading: true});
 
-        await fetch('/api/execute');
+        await fetch('/api/execute',
+            {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': 'Bearer ' + this.props.access_token
+                }
+            });
 
         this.refreshPage();
     }
 
     async handleGetStatistics() {
-        const statsData = await fetch("/api/statistics");
+        const statsData = await fetch("/api/statistics",
+            {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': 'Bearer ' + this.props.access_token
+                }
+            });
         const statsResponse = await statsData.json()
 
         if (statsResponse !== 'executing') {
@@ -115,7 +135,14 @@ class Admin extends Component {
     }
 
     async handleGetFileList() {
-        const filesData = await fetch("/api/listCurrentFiles");
+        const filesData = await fetch("/api/listCurrentFiles",
+            {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': 'Bearer ' + this.props.access_token
+                }
+            });
         const filesResponse = await filesData.json();
         this.setState({fileListHtml: filesResponse});
     }

src/client/src/pages/DataView360/Search/Search.js

@@ -170,7 +170,15 @@ class Search360 extends Component {
         this.setState({isDataBusy: true, search_participant: search_participant});
 
         await new Promise(resolve => setTimeout(resolve, 1000));
-        let response = await fetch(`/api/contacts/${search_participant}`);
+        let response = await fetch(`/api/contacts/${search_participant}`,
+            {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': 'Bearer ' + this.props.access_token
+                }
+            }
+        );
         response = await response.json();
 
         await this.setState({participantList: response.result})

src/client/src/pages/DataView360/View/View.js

@@ -54,7 +54,14 @@ class View360 extends Component {
         });
 
         await new Promise(resolve => setTimeout(resolve, 1000));
-        let response = await fetch(`/api/360/${this.state.matchId}`);
+        let response = await fetch(`/api/360/${this.state.matchId}`,
+            {
+                method: 'GET',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Authorization': 'Bearer ' + this.props.access_token
+                }
+            }  );
         response = await response.json();
 
         this.setState({

src/server/api/admin_api.py

@@ -11,6 +11,8 @@
 from config import engine
 from flask import request, redirect, jsonify, current_app, abort
 from api.file_uploader import validate_and_arrange_upload
+
+from api import jwt_ops
 from config import (
     RAW_DATA_PATH,
     CURRENT_SOURCE_FILES_PATH,
@@ -26,6 +28,7 @@ def __allowed_file(filename):
 
 # file upload tutorial
 @admin_api.route("/api/file", methods=["POST"])
+@jwt_ops.admin_required
 def uploadCSV():
     if "file" not in request.files:
         return redirect(request.url)
@@ -43,6 +46,7 @@ def uploadCSV():
 
 
 @admin_api.route("/api/listCurrentFiles", methods=["GET"])
+@jwt_ops.admin_required
 def list_current_files():
     result = None
 
@@ -56,6 +60,7 @@ def list_current_files():
 
 
 @admin_api.route("/api/execute", methods=["GET"])
+@jwt_ops.admin_required
 def execute():
     current_app.logger.info("Execute flow")
     flow_script.start_flow()
@@ -109,6 +114,7 @@ def get_statistics():
 
 
 @admin_api.route("/api/statistics", methods=["GET"])
+@jwt_ops.admin_required
 def list_statistics():
     """ Pull Last Execution stats from DB. """
     current_app.logger.info("list_statistics() request")
@@ -134,6 +140,7 @@ def list_statistics():
 
 
 @admin_api.route("/api/get_execution_status/<int:job_id>", methods=["GET"])
+@jwt_ops.admin_required
 def get_exec_status(job_id):
     """ Get the execution status record from the DB for the specified job_id """
 

src/server/api/common_api.py

@@ -9,6 +9,8 @@
 import dateutil.parser
 from secrets import SHELTERLUV_SECRET_TOKEN
 
+from api import jwt_ops
+
 
 @common_api.route('/api/timeout_test/<duration>', methods=['GET'])
 def get_timeout(duration):
@@ -21,6 +23,7 @@ def get_timeout(duration):
     return results
 
 @common_api.route('/api/contacts/<search_text>', methods=['GET'])
+@jwt_ops.jwt_required()
 def get_contacts(search_text):
     with engine.connect() as connection:
         search_text = search_text.lower()
@@ -45,6 +48,7 @@ def get_contacts(search_text):
 
 
 @common_api.route('/api/360/<matching_id>', methods=['GET'])
+@jwt_ops.jwt_required()
 def get_360(matching_id):
     result = {}
 

src/server/app.py

@@ -10,10 +10,10 @@
 
 
 app.config["JWT_SECRET_KEY"] = JWT_SECRET  
-app.config["JWT_MAX_TIMEOUT"] = 7200 #Seconds
+app.config["JWT_MAX_TIMEOUT"] = 30*60 #Seconds
 
  # We'll use max for default but can be reduced for testing
-app.config["JWT_ACCESS_TOKEN_EXPIRES"] = 60               # app.config["JWT_MAX_TIMEOUT"] 
+app.config["JWT_ACCESS_TOKEN_EXPIRES"] =  app.config["JWT_MAX_TIMEOUT"] 
 
 jwt = JWTManager(app)