Implement 0-legged oauth1 #215
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Document usage of require_oauth decorator with require_user=False
…into sign_only
|
@Ryan-K Sorry for the delay. Could you add a test case for it? BTW, it is the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After several iterations, this is the cleanest implementation I've found to add support for oauth1 requests that do not include an access token. There are many cases when you an endpoint does not contain any user specific data, but it should still be restricted to known clients and not made public.
I've used this extensively in production environments and updated the documentation, but haven't run the sample code I threw into there. This does introduce one more lint error (for a line that's too long by 1 character) and adds one more untested line of code to the coverage report since I didn't add any tests for this.
The only thing to note is that the realms parameter is only applicable to access tokens. So, when require_user is false, the realms defined on the client is not compared to the realms defined in the require_oauth decorator. This should probably be explained in the docs or code should be added to validate the client has access to the specified realms. I don't use realms heavily in my applications, so I'm not sure what the desired behavior is.