Require authentication before making API calls
Otherwise anything might access the bus. Note: this will not work if the user navigates to another HTML page. That page will not have a port/key passed in the query string of its URL, so it won't be able to connect.
parent
ff5612caee
commit
671ad1ae3e
@ -41,12 +41,16 @@ class HTMLActivity(activity.Activity):
|
|||||||
self.set_canvas(self._web_view)
|
self.set_canvas(self._web_view)
|
||||||
self._web_view.show()
|
self._web_view.show()
|
||||||
|
|
||||||
|
self._authenticated = False
|
||||||
|
|
||||||
self._server = Server()
|
self._server = Server()
|
||||||
self._server.connect("session-started", self._session_started_cb)
|
self._server.connect("session-started", self._session_started_cb)
|
||||||
port = self._server.start()
|
port = self._server.start()
|
||||||
|
|
||||||
index_path = os.path.join(activity.get_bundle_path(), "index.html")
|
index_path = os.path.join(activity.get_bundle_path(), "index.html")
|
||||||
self._web_view.load_uri('file://' + index_path + "?port=%s" % port)
|
self._key = os.urandom(16).encode("hex")
|
||||||
|
self._web_view.load_uri("file://%s?port=%s&key=%s" %
|
||||||
|
(index_path, port, self._key))
|
||||||
|
|
||||||
self._apis = {}
|
self._apis = {}
|
||||||
self._apis["activity"] = ActivityAPI(self)
|
self._apis["activity"] = ActivityAPI(self)
|
||||||
@ -56,6 +60,15 @@ class HTMLActivity(activity.Activity):
|
|||||||
|
|
||||||
def _message_received_cb(self, session, message):
|
def _message_received_cb(self, session, message):
|
||||||
request = json.loads(message.data)
|
request = json.loads(message.data)
|
||||||
|
|
||||||
|
if request["method"] == "authenticate":
|
||||||
|
if self._key == request["params"][0]:
|
||||||
|
self._authenticated = True
|
||||||
|
return
|
||||||
|
|
||||||
|
if not self._authenticated:
|
||||||
|
return
|
||||||
|
|
||||||
api_name, method_name = request["method"].split(".")
|
api_name, method_name = request["method"].split(".")
|
||||||
method = getattr(self._apis[api_name], method_name)
|
method = getattr(self._apis[api_name], method_name)
|
||||||
|
|
||||||
|
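Review bot: `self._authenticated` is one flag for the whole activity, so in `_message_received_cb` the `if not self._authenticated` check passes for every session once any session has sent the right key; a client that connects to the same port afterwards would be treated as authenticated without knowing the key. Record the result per session instead, e.g. `self._authenticated_sessions = set()` in the constructor, `self._authenticated_sessions.add(session)` on a match, and `if session not in self._authenticated_sessions: return` as the gate (entries would need dropping when a session closes, which this hunk does not show). A message without `method`, or an `authenticate` request with missing or empty `params`, raises from `request["method"]` / `request["params"][0]` before the gate, so unauthenticated input can trigger an exception in the callback; checking the shape first and returning on a malformed message avoids that. The body of `_message_received_cb` continues past the end of the hunk.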