From d05256f2490a6d5ca3be111a08a8543a652b2337 Mon Sep 17 00:00:00 2001 From: Colin Powell Date: Sat, 21 Jan 2023 23:41:35 -0500 Subject: [PATCH] Add authorization and per-user scrobbling The webhook endpoints now require a token before it will accept a scrobble. That auth then provides the user to assign the scrobble to. --- vrobbler/apps/scrobbles/views.py | 11 ++++++++--- vrobbler/settings.py | 4 ++-- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/vrobbler/apps/scrobbles/views.py b/vrobbler/apps/scrobbles/views.py index 12eb9aa..955a9f8 100644 --- a/vrobbler/apps/scrobbles/views.py +++ b/vrobbler/apps/scrobbles/views.py @@ -1,6 +1,7 @@ import json import logging +import pytz from django.conf import settings from django.db.models.fields import timezone from django.http import HttpResponseRedirect @@ -9,9 +10,9 @@ from django.utils import timezone from django.views.decorators.csrf import csrf_exempt from django.views.generic import FormView from django.views.generic.list import ListView -import pytz from rest_framework import status -from rest_framework.decorators import api_view +from rest_framework.decorators import api_view, permission_classes +from rest_framework.permissions import IsAuthenticated from rest_framework.response import Response from scrobbles.constants import ( JELLYFIN_AUDIO_ITEM_TYPES, @@ -48,7 +49,7 @@ class RecentScrobbleList(ListView): data = super().get_context_data(**kwargs) user = self.request.user now = timezone.now() - if self.request.user.is_authenticated: + if user.is_authenticated: if user.profile: timezone.activate(pytz.timezone(user.profile.timezone)) now = timezone.localtime(timezone.now()) @@ -131,6 +132,7 @@ def scrobble_endpoint(request): @csrf_exempt @api_view(['POST']) +@permission_classes([IsAuthenticated]) def jellyfin_websocket(request): data_dict = request.data @@ -156,6 +158,7 @@ def jellyfin_websocket(request): @csrf_exempt @api_view(['POST']) +@permission_classes([IsAuthenticated]) def mopidy_websocket(request): try: data_dict = json.loads(request.data) @@ -181,6 +184,7 @@ def mopidy_websocket(request): @csrf_exempt @api_view(['GET']) +@permission_classes([IsAuthenticated]) def scrobble_finish(request, uuid): user = request.user if not user.is_authenticated: @@ -198,6 +202,7 @@ def scrobble_finish(request, uuid): @csrf_exempt @api_view(['GET']) +@permission_classes([IsAuthenticated]) def scrobble_cancel(request, uuid): user = request.user if not user.is_authenticated: diff --git a/vrobbler/settings.py b/vrobbler/settings.py index 34b9386..8921170 100644 --- a/vrobbler/settings.py +++ b/vrobbler/settings.py @@ -160,8 +160,8 @@ AUTHENTICATION_BACKENDS = [ REST_FRAMEWORK = { "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.AllowAny",), 'DEFAULT_AUTHENTICATION_CLASSES': [ - #'rest_framework.authentication.BasicAuthentication', - #'rest_framework.authentication.TokenAuthentication', + 'rest_framework.authentication.BasicAuthentication', + 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.SessionAuthentication', ], "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",