From f28496c8b07086941909ad94cb22f1c5a89a7362 Mon Sep 17 00:00:00 2001 From: Paul Oswald Date: Fri, 13 May 2016 11:17:47 +0900 Subject: [PATCH 1/3] Small documentation fixes --- docs/advanced_topics.rst | 6 +++--- docs/contributing.rst | 4 ++-- docs/tutorial/tutorial_02.rst | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/advanced_topics.rst b/docs/advanced_topics.rst index 5579e0c69..dd0468f2f 100644 --- a/docs/advanced_topics.rst +++ b/docs/advanced_topics.rst @@ -55,9 +55,9 @@ That's all, now Django OAuth Toolkit will use your model wherever an Application Skip authorization form ======================= -Depending on the OAuth2 flow in use and the access token policy, users might be prompted for the -same authorization multiple times: sometimes this is acceptable or even desiderable but other it isn't. -To control DOT behaviour you can use `approval_prompt` parameter when hitting the authorization endpoint. +Depending on the OAuth2 flow in use and the access token policy, users might be prompted for the +same authorization multiple times: sometimes this is acceptable or even desirable but other times it isn't. +To control DOT behaviour you can use the `approval_prompt` parameter when hitting the authorization endpoint. Possible values are: * `force` - users are always prompted for authorization. diff --git a/docs/contributing.rst b/docs/contributing.rst index 5ebf257a3..6de828be3 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -47,7 +47,7 @@ of the pull request. Pull upstream changes into your fork regularly ============================================== -It's a good practice to pull upstream changes from master into your fork on a regular basis, infact if you work on +It's a good practice to pull upstream changes from master into your fork on a regular basis, in fact if you work on outdated code and your changes diverge too far from master, the pull request has to be rejected. To pull in upstream changes:: @@ -85,7 +85,7 @@ Add the tests! -------------- Whenever you add code, you have to add tests as well. We cannot accept untested code, so unless it is a peculiar -situation you previously discussed with the core commiters, if your pull request reduces the test coverage it will be +situation you previously discussed with the core committers, if your pull request reduces the test coverage it will be **immediately rejected**. Code conventions matter diff --git a/docs/tutorial/tutorial_02.rst b/docs/tutorial/tutorial_02.rst index 98fa08314..214abdb74 100644 --- a/docs/tutorial/tutorial_02.rst +++ b/docs/tutorial/tutorial_02.rst @@ -51,7 +51,7 @@ Testing your API Time to make requests to your API. For a quick test, try accessing your app at the url `/api/hello` with your browser -and verify that it reponds with a `403` (in fact no `HTTP_AUTHORIZATION` header was provided). +and verify that it responds with a `403` (in fact no `HTTP_AUTHORIZATION` header was provided). You can test your API with anything that can perform HTTP requests, but for this tutorial you can use the online `consumer client `_. Just fill the form with the URL of the API endpoint (i.e. http://localhost:8000/api/hello if you're on localhost) and From 06378b58f060e9977ff04f97414c5f60429f149b Mon Sep 17 00:00:00 2001 From: Paul Oswald Date: Fri, 13 May 2016 11:19:17 +0900 Subject: [PATCH 2/3] Don't encourage adding the application urls without dealing security restrictions --- docs/tutorial/tutorial_02.rst | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/tutorial/tutorial_02.rst b/docs/tutorial/tutorial_02.rst index 214abdb74..7ea8d98dd 100644 --- a/docs/tutorial/tutorial_02.rst +++ b/docs/tutorial/tutorial_02.rst @@ -34,15 +34,37 @@ URL this view will respond to: .. code-block:: python + from django.conf.urls import patterns, url + from oauth2_provider import views + from django.conf import settings from .views import ApiEndpoint urlpatterns = patterns( '', url(r'^admin/', include(admin.site.urls)), - url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')), # look ma, I'm a provider! - url(r'^api/hello', ApiEndpoint.as_view()), # and also a resource server! + + # OAuth2 provider endpoints + url(r'^o/authorize/$', views.AuthorizationView.as_view(), name="authorize"), + url(r'^o/token/$', views.TokenView.as_view(), name="token"), + url(r'^o/revoke-token/$', views.RevokeTokenView.as_view(), name="revoke-token"), + + url(r'^api/hello', ApiEndpoint.as_view()), # a resource endpoint ) + if settings.DEBUG: + # OAuth2 Application management views + + urlpatterns += patterns( + '', + url(r'^o/applications/$', views.ApplicationList.as_view(), name="application-list"), + url(r'^o/applications/register/$', views.ApplicationRegistration.as_view(), name="application-register"), + url(r'^o/applications/(?P\d+)/$', views.ApplicationDetail.as_view(), name="application-detail"), + url(r'^o/applications/(?P\d+)/delete/$', views.ApplicationDelete.as_view(), name="application-delete"), + url(r'^o/applications/(?P\d+)/update/$', views.ApplicationUpdate.as_view(), name="application-update"), + ) + +You will probably want to write your own application views to deal with permissions and access control but the ones packaged with the library can get you started when developing the app. + Since we inherit from `ProtectedResourceView`, we're done and our API is OAuth2 protected - for the sake of the lazy programmer. From fb5cda00dcfffc726257196139dfc5feef0ea6ae Mon Sep 17 00:00:00 2001 From: Paul Oswald Date: Wed, 1 Jun 2016 14:57:58 +0900 Subject: [PATCH 3/3] Define urls such that they are namespaced properly and forward-compatible with newer Django standards --- docs/tutorial/tutorial_02.rst | 52 ++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/docs/tutorial/tutorial_02.rst b/docs/tutorial/tutorial_02.rst index 7ea8d98dd..7b82e5264 100644 --- a/docs/tutorial/tutorial_02.rst +++ b/docs/tutorial/tutorial_02.rst @@ -35,33 +35,41 @@ URL this view will respond to: .. code-block:: python from django.conf.urls import patterns, url - from oauth2_provider import views + import oauth2_provider.views as oauth2_views from django.conf import settings from .views import ApiEndpoint - urlpatterns = patterns( - '', - url(r'^admin/', include(admin.site.urls)), - - # OAuth2 provider endpoints - url(r'^o/authorize/$', views.AuthorizationView.as_view(), name="authorize"), - url(r'^o/token/$', views.TokenView.as_view(), name="token"), - url(r'^o/revoke-token/$', views.RevokeTokenView.as_view(), name="revoke-token"), - - url(r'^api/hello', ApiEndpoint.as_view()), # a resource endpoint - ) + # OAuth2 provider endpoints + oauth2_endpoint_views = [ + url(r'^authorize/$', oauth2_views.AuthorizationView.as_view(), name="authorize"), + url(r'^token/$', oauth2_views.TokenView.as_view(), name="token"), + url(r'^revoke-token/$', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"), + ] if settings.DEBUG: - # OAuth2 Application management views - - urlpatterns += patterns( - '', - url(r'^o/applications/$', views.ApplicationList.as_view(), name="application-list"), - url(r'^o/applications/register/$', views.ApplicationRegistration.as_view(), name="application-register"), - url(r'^o/applications/(?P\d+)/$', views.ApplicationDetail.as_view(), name="application-detail"), - url(r'^o/applications/(?P\d+)/delete/$', views.ApplicationDelete.as_view(), name="application-delete"), - url(r'^o/applications/(?P\d+)/update/$', views.ApplicationUpdate.as_view(), name="application-update"), - ) + # OAuth2 Application Management endpoints + oauth2_endpoint_views += [ + url(r'^applications/$', oauth2_views.ApplicationList.as_view(), name="list"), + url(r'^applications/register/$', oauth2_views.ApplicationRegistration.as_view(), name="register"), + url(r'^applications/(?P\d+)/$', oauth2_views.ApplicationDetail.as_view(), name="detail"), + url(r'^applications/(?P\d+)/delete/$', oauth2_views.ApplicationDelete.as_view(), name="delete"), + url(r'^applications/(?P\d+)/update/$', oauth2_views.ApplicationUpdate.as_view(), name="update"), + ] + + # OAuth2 Token Management endpoints + oauth2_endpoint_views += [ + url(r'^authorized-tokens/$', oauth2_views.AuthorizedTokensListView.as_view(), name="authorized-token-list"), + url(r'^authorized-tokens/(?P\d+)/delete/$', oauth2_views.AuthorizedTokenDeleteView.as_view(), + name="authorized-token-delete"), + ] + + urlpatterns = [ + # OAuth 2 endpoints: + url(r'^o/', include(oauth2_endpoint_views, namespace="oauth2_provider")), + + url(r'^admin/', include(admin.site.urls)), + url(r'^api/hello', ApiEndpoint.as_view()), # an example resource endpoint + ] You will probably want to write your own application views to deal with permissions and access control but the ones packaged with the library can get you started when developing the app.