Changes from 19 commits
Commits
50 commits
7e2222e
Add /v2/user-from-token API and update a few v1/v2 APIs to require be…
lukaszgryglicki Jun 4, 2025
275e4f9
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jun 18, 2025
1a21481
Update more V1 and V2 API to require the bearer token and check if au…
lukaszgryglicki Jun 18, 2025
a95477e
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jun 18, 2025
c4ee277
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jun 25, 2025
50815ad
Updates to test tokens
lukaszgryglicki Jun 25, 2025
2fc5ab1
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jun 25, 2025
82c781e
Manual merge
lukaszgryglicki Jun 25, 2025
2f51d6e
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 1, 2025
f83bc6d
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 2, 2025
0d299c5
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 8, 2025
40a1e75
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 8, 2025
1e05dd3
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 10, 2025
df5c252
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 15, 2025
c733936
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 21, 2025
b869e96
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 22, 2025
dfa1b8c
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 23, 2025
517dc22
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 24, 2025
2e68432
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 29, 2025
7b08e8c
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 30, 2025
4efeb16
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
1942a10
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
e0401e4
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
b908892
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
eec7d94
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
4c71f02
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Jul 31, 2025
9209baa
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 1, 2025
5d9f620
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 2, 2025
46d1bc4
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 2, 2025
212eef7
Resolve merge conflicts
lukaszgryglicki Aug 6, 2025
ead98f0
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 6, 2025
6056152
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 7, 2025
d77b567
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 7, 2025
74ed6bc
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 7, 2025
4895661
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 7, 2025
46c0e2f
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 8, 2025
766ad71
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 19, 2025
b7f056a
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 20, 2025
e236f60
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 21, 2025
cad5d33
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 21, 2025
410d2e2
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 21, 2025
8a574b6
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 23, 2025
b7d6543
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 23, 2025
75fb66d
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 25, 2025
eed616c
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 26, 2025
cd2913a
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 26, 2025
92bf4f0
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 27, 2025
51bc25c
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Aug 28, 2025
b0be84b
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Sep 3, 2025
7fa0efa
Merge branch 'dev' into unicron-check-for-token-in-v1-v2-apis
lukaszgryglicki Sep 4, 2025
72 changes: 56 additions & 16 deletions cla-backend/cla/routes.py
Expand Up @@ -37,6 +37,14 @@
get_log_middleware
)

# Check if authenticated user (via bearer token) is the same as user_id - if not raise exception permission denied
# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
Copilot AI Jul 29, 2025
There are spelling errors in the comment: 'tunr' should be 'turn' and 'chekc' should be 'check'.

Suggested change
# LG: comment this out to tunr off this chekc added after LFID is required everywhere in EasyCLA
# LG: comment this out to turn off this check added after LFID is required everywhere in EasyCLA


def check_user_id_is_current(auth_user, user_id):
auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
if str(user_id) != auth_user_id:
cla.log.debug(f'request_individual_signature - auth user UUID {auth_user_id} is not the same as requested signature UUID {str(user_id)}')
raise cla.auth.AuthError('permission denied')

Comment on lines +40 to +47

🛠️ Refactor suggestion

Potential side effects in validation function - consider refactoring

The validation function calls get_or_create_user(auth_user) which may create a user as a side effect during what should be a pure validation operation. Additionally, the debug log message contains context-specific text that doesn't match the generic function name.

Consider refactoring to separate user creation from validation:

-def check_user_id_is_current(auth_user, user_id):
-    auth_user_id = cla.controllers.user.get_or_create_user(auth_user).get_user_id()
-    if str(user_id) != auth_user_id:
-        cla.log.debug(f'request_individual_signature - auth user UUID {auth_user_id} is not the same as requested signature UUID {str(user_id)}')
-        raise cla.auth.AuthError('permission denied')
+def check_user_id_is_current(auth_user, user_id):
+    # Get existing user without creating - validation should not have side effects
+    try:
+        auth_user_id = cla.controllers.user.get_user_by_username(auth_user.username).get_user_id()
+    except:
+        raise cla.auth.AuthError('user not found')
+    
+    if str(user_id) != auth_user_id:
+        cla.log.debug(f'check_user_id_is_current - auth user UUID {auth_user_id} is not the same as requested user UUID {str(user_id)}')
+        raise cla.auth.AuthError('permission denied')
Flake8 (7.2.0): [error] 42-42: expected 2 blank lines, found 1 (E302)


Member Author
It should indeed create user if needed, so this is expected.


#
# Middleware
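Review bot: A failed ownership check in `check_user_id_is_current` is recorded only with `cla.log.debug(...)` before `AuthError('permission denied')` is raised, so an authenticated caller repeatedly hitting other users' IDs leaves nothing in a production log that runs at info level; log the mismatch at warning level with both UUIDs so the denials are visible to whoever watches the logs. The message text still begins with `request_individual_signature` although the helper is now called from a dozen routes, so every denial will be attributed to the wrong endpoint; use the helper's own name or accept a caller label. The comment `# LG: comment this out to tunr off this chekc ...` documents that the only off switch is editing source; if an off switch is genuinely needed, gate it on a configuration flag so that disabling the check is an explicit, reviewable change. Since the author confirms that `get_or_create_user` is intentional, a one-line docstring saying the helper provisions the user on first sight would keep the next reviewer from raising the same point.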
Expand Down Expand Up @@ -102,7 +110,10 @@ def get_health(request):

# LG: This is ported to golang and no longer used in dev (still used in prod)
@hug.get("/user/{user_id}", versions=2)
def get_user(user_id: hug.types.uuid):
def get_user(
auth_user: check_auth,
user_id: hug.types.uuid
):
"""
GET: /user/{user_id}

Expand All @@ -117,6 +128,7 @@ def get_user(user_id: hug.types.uuid):
# else:
# raise auth_err

check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.get_user(user_id=user_id)


Expand All @@ -138,6 +150,7 @@ def get_user_signatures(auth_user: check_auth, user_id: hug.types.uuid):

Returns a list of signatures associated with a user.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.get_user_signatures(user_id)


Expand All @@ -155,6 +168,7 @@ def get_users_company(auth_user: check_auth, user_company_id: hug.types.uuid):

@hug.post("/user/{user_id}/request-company-whitelist/{company_id}", versions=2)
def request_company_whitelist(
auth_user: check_auth,
user_id: hug.types.uuid,
company_id: hug.types.uuid,
user_name: hug.types.text,
Expand All @@ -172,6 +186,7 @@ def request_company_whitelist(
Performs the necessary actions (ie: send email to manager) when the specified user requests to
be added the the specified company's whitelist.
"""
# check_user_id_is_current(auth_user, user_id)
⚠️ Potential issue

Inconsistent security enforcement - clarify requirements

Several endpoints have the check_user_id_is_current call commented out, creating inconsistent authorization enforcement. This could allow unauthorized access to user data in some endpoints while preventing it in others.

The following endpoints have inconsistent security checks:

  • Lines 188, 220, 239: Company whitelist and invite endpoints
  • Lines 1427, 1441: GitLab and Gerrit callback endpoints

Please clarify the security requirements for these endpoints. If they should enforce user identity verification, uncomment the checks. If not, document why these endpoints are exempt from this security requirement.

Also applies to: 220-220, 239-239, 1427-1427, 1441-1441


🏁 Script executed:

#!/bin/bash
# Description: Find all endpoints that accept user_id parameter but don't call check_user_id_is_current

# Search for route functions with user_id parameter
ast-grep --pattern $'@hug.$_($_)
def $_($_: $_auth, $_user_id: hug.types.uuid$$$):
    $$$'

# Search for uncommented check_user_id_is_current calls  
rg -n "check_user_id_is_current" --type py

# Search for commented check_user_id_is_current calls
rg -n "# check_user_id_is_current" --type py

Length of output: 1947


return cla.controllers.user.request_company_whitelist(
user_id, str(company_id), str(user_name), str(user_email), str(project_id), message,
str(recipient_name), str(recipient_email),
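Review bot: `auth_user: check_auth` is now a required parameter of `request_company_whitelist`, but its only use, `# check_user_id_is_current(auth_user, user_id)`, is commented out, so the route authenticates the caller and then acts on a client-supplied `user_id`, `user_name` and `user_email` that need not belong to that caller. If the check has to stay off for this endpoint (the same pattern appears in `invite_company_admin` and `request_company_ccla` below), replace the dead call with a comment stating why and which controller-side check covers it; otherwise uncomment it. A commented-out security check reads as "disabled on purpose" and is rarely revisited.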
Expand All @@ -180,6 +195,7 @@ def request_company_whitelist(

@hug.post("/user/{user_id}/invite-company-admin", versions=2)
def invite_company_admin(
auth_user: check_auth,
user_id: hug.types.uuid,
contributor_name: hug.types.text,
contributor_email: cla.hug_types.email,
Expand All @@ -202,6 +218,7 @@ def invite_company_admin(

Sends an Email to the prospective CLA Manager to sign up through the ccla console.
"""
# check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.invite_cla_manager(
str(user_id), str(contributor_name), str(contributor_email),
str(cla_manager_name), str(cla_manager_email),
Expand All @@ -211,6 +228,7 @@ def invite_company_admin(

@hug.post("/user/{user_id}/request-company-ccla", versions=2)
def request_company_ccla(
auth_user: check_auth,
user_id: hug.types.uuid, user_email: cla.hug_types.email, company_id: hug.types.uuid,
project_id: hug.types.uuid,
):
Expand All @@ -219,6 +237,7 @@ def request_company_ccla(

Sends an Email to an admin of an existing company to sign a CCLA.
"""
# check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.request_company_ccla(str(user_id), str(user_email), str(company_id), str(project_id))


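Review bot: With the identity check disabled in `request_company_ccla`, every value that drives the outgoing mail (`user_id`, `user_email`, `company_id`) comes from the request body rather than from the authenticated caller, so the bearer token only gates who may trigger the e-mail, not whose name it goes out under. If the intent is that the caller requests a CCLA for themselves, derive the user from `auth_user` (the same lookup `check_user_id_is_current` performs) and ignore the body's `user_id`, which both removes the need for the check and shrinks the client-controlled surface; if callers may legitimately act for other users, say so in the docstring.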
Expand All @@ -235,7 +254,10 @@ def request_company_ccla(

# LG: This is ported to golang and no longer used in dev (still used in prod)
@hug.get("/user/{user_id}/active-signature", versions=2)
def get_user_active_signature(user_id: hug.types.uuid):
def get_user_active_signature(
auth_user: check_auth,
user_id: hug.types.uuid
):
"""
GET: /user/{user_id}/active-signature

Expand All @@ -249,28 +271,35 @@ def get_user_active_signature(user_id: hug.types.uuid):

Returns null if the user does not have an active signature.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.get_active_signature(user_id)


@hug.get("/user/{user_id}/project/{project_id}/last-signature", versions=2)
def get_user_project_last_signature(user_id: hug.types.uuid, project_id: hug.types.uuid):
def get_user_project_last_signature(
auth_user: check_auth,
user_id: hug.types.uuid, project_id: hug.types.uuid
):
"""
GET: /user/{user_id}/project/{project_id}/last-signature

Returns the user's latest ICLA signature for the project specified.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.get_user_project_last_signature(user_id, project_id)


@hug.get("/user/{user_id}/project/{project_id}/last-signature/{company_id}", versions=1)
def get_user_project_company_last_signature(
auth_user: check_auth,
user_id: hug.types.uuid, project_id: hug.types.uuid, company_id: hug.types.uuid
):
"""
GET: /user/{user_id}/project/{project_id}/last-signature/{company_id}

Returns the user's latest employee signature for the project and company specified.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.user.get_user_project_company_last_signature(user_id, project_id, company_id)


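Review bot: `get_user_project_company_last_signature` is a `versions=1` route that previously took no `auth_user` and now requires both a bearer token and `check_user_id_is_current`; any remaining v1 client that calls it unauthenticated, or with a token for a different user, will start receiving auth errors. The only caller updated in this PR is the corporate-signature helper script under `utils/`, so please confirm that the other v1 consumers (the prod callers the `# LG: ... still used in prod` comments refer to) already send the token, or note the cut-over plan in the PR description.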
Expand Down Expand Up @@ -411,6 +440,7 @@ def get_signatures_user(auth_user: check_auth, user_id: hug.types.uuid):

Get all signatures for user specified.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signature.get_user_signatures(user_id)


Expand All @@ -421,6 +451,7 @@ def get_signatures_user_project(auth_user: check_auth, user_id: hug.types.uuid,

Get all signatures for user, filtered by project_id specified.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signature.get_user_project_signatures(user_id, project_id)


Expand All @@ -436,6 +467,7 @@ def get_signatures_user_project(

Get all signatures for user, filtered by project_id and signature type specified.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signature.get_user_project_signatures(user_id, project_id, signature_type)


Expand All @@ -460,7 +492,7 @@ def get_signatures_project(auth_user: check_auth, project_id: hug.types.uuid):


@hug.get("/signatures/company/{company_id}/project/{project_id}", versions=1)
def get_signatures_project_company(company_id: hug.types.uuid, project_id: hug.types.uuid):
def get_signatures_project_company(auth_user: check_auth, company_id: hug.types.uuid, project_id: hug.types.uuid):
"""
GET: /signatures/company/{company_id}/project/{project_id}

Expand All @@ -470,7 +502,7 @@ def get_signatures_project_company(company_id: hug.types.uuid, project_id: hug.t


@hug.get("/signatures/company/{company_id}/project/{project_id}/employee", versions=1)
def get_project_employee_signatures(company_id: hug.types.uuid, project_id: hug.types.uuid):
def get_project_employee_signatures(auth_user: check_auth, company_id: hug.types.uuid, project_id: hug.types.uuid):
"""
GET: /signatures/company/{company_id}/project/{project_id}

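Review bot: `get_signatures_project_company` and `get_project_employee_signatures` now require a token but never use `auth_user`, so this hunk adds authentication without authorization: any holder of a valid bearer token can list all signatures of any company for any project. The user routes earlier in the file pair `check_auth` with `check_user_id_is_current`; these company routes need the equivalent company-level check (is the caller a manager of `company_id`, or otherwise entitled to its signatures), either here or in the controller. If the controller already enforces it, a one-line comment saying so would make that visible at the route.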
Expand Down Expand Up @@ -623,7 +655,7 @@ def get_companies(auth_user: check_auth):


@hug.get("/company", versions=2)
def get_all_companies():
def get_all_companies(auth_user: check_auth):
"""
GET: /company

Expand All @@ -633,7 +665,7 @@ def get_all_companies():


@hug.get("/company/{company_id}", versions=2)
def get_company(company_id: hug.types.text):
def get_company(auth_user: check_auth, company_id: hug.types.text):
"""
GET: /company/{company_id}

Expand All @@ -643,7 +675,7 @@ def get_company(company_id: hug.types.text):


@hug.get("/company/{company_id}/project/unsigned", versions=1)
def get_unsigned_projects_for_company(company_id: hug.types.text):
def get_unsigned_projects_for_company(auth_user: check_auth, company_id: hug.types.text):
"""
GET: /company/{company_id}/project/unsigned

Expand Down Expand Up @@ -748,7 +780,7 @@ def put_company_whitelist_csv(body, auth_user: check_auth, company_id: hug.types


@hug.get("/companies/{manager_id}", version=1)
def get_manager_companies(manager_id: hug.types.uuid):
def get_manager_companies(auth_user: check_auth, manager_id: hug.types.uuid):
"""
GET: /companies/{manager_id}

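Review bot: In `get_manager_companies`, `manager_id` is still taken from the path and `auth_user` is unused, so an authenticated caller can list the companies of any manager; the natural fix, given what the rest of this PR does for user routes, is `check_user_id_is_current(auth_user, manager_id)` or resolving the manager from the token and dropping the path parameter. Separately, the unchanged context line `@hug.get("/companies/{manager_id}", version=1)` spells the keyword `version=` while every other route here uses `versions=`; worth confirming that hug does not silently accept the misspelt keyword and leave this route unversioned.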
Expand Down Expand Up @@ -777,7 +809,7 @@ def get_projects(auth_user: check_auth):

# LG: This is ported to golang and no longer used in dev (still used in prod).
@hug.get("/project/{project_id}", versions=2)
def get_project(project_id: hug.types.uuid):
def get_project(auth_user: check_auth, project_id: hug.types.uuid):
"""
GET: /project/{project_id}

Expand Down Expand Up @@ -1012,6 +1044,7 @@ def get_project_configuration_orgs_and_repos(auth_user: check_auth, project_id:

@hug.get("/project/{project_id}/document/{document_type}", versions=2)
def get_project_document(
auth_user: check_auth,
project_id: hug.types.uuid, document_type: hug.types.one_of(["individual", "corporate"]),
):
"""
Expand Down Expand Up @@ -1064,7 +1097,7 @@ def get_project_document_matching_version(


@hug.get("/project/{project_id}/companies", versions=2)
def get_project_companies(project_id: hug.types.uuid):
def get_project_companies(auth_user: check_auth, project_id: hug.types.uuid):
"""
GET: /project/{project_id}/companies
s
Expand Down Expand Up @@ -1214,7 +1247,7 @@ def delete_project_document(
'user_id': 'some-user-uuid'}",
)
def request_individual_signature(
request, project_id: hug.types.uuid, user_id: hug.types.uuid, return_url_type=None, return_url=None,
auth_user: check_auth, request, project_id: hug.types.uuid, user_id: hug.types.uuid, return_url_type=None, return_url=None,
):
"""
POST: /request-individual-signature
Expand All @@ -1237,8 +1270,10 @@ def request_individual_signature(
User should hit the provided URL to initiate the signing process through the
signing service provider.
"""
return cla.controllers.signing.request_individual_signature(project_id, user_id, return_url_type, return_url,
request=request)
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signing.request_individual_signature(
project_id, user_id, return_url_type, return_url, request=request
)


@hug.post(
Expand Down Expand Up @@ -1284,7 +1319,7 @@ def request_corporate_signature(

Returns a dict of the format:

{'company_id': <user_id>,
{'company_id': <company_id>,
'signature_id': <signature_id>,
'project_id': <project_id>,
'sign_url': <sign_url>}
Expand All @@ -1308,6 +1343,7 @@ def request_corporate_signature(

@hug.post("/request-employee-signature", versions=2)
def request_employee_signature(
auth_user: check_auth,
project_id: hug.types.uuid,
company_id: hug.types.uuid,
user_id: hug.types.uuid,
Expand All @@ -1327,13 +1363,15 @@ def request_employee_signature(
require a full DocuSign signature process, which means the sign/callback URLs and document
versions may not be populated or reliable.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signing.request_employee_signature(
project_id, company_id, user_id, return_url_type, return_url
)


@hug.post("/check-prepare-employee-signature", versions=2)
def check_and_prepare_employee_signature(
auth_user: check_auth,
project_id: hug.types.uuid, company_id: hug.types.uuid, user_id: hug.types.uuid
):
"""
Expand All @@ -1346,6 +1384,7 @@ def check_and_prepare_employee_signature(

Checks if an employee is ready to sign a CCLA for a company.
"""
check_user_id_is_current(auth_user, user_id)
return cla.controllers.signing.check_and_prepare_employee_signature(project_id, company_id, user_id)


Expand Down Expand Up @@ -1387,6 +1426,7 @@ def post_individual_signed_gitlab(
Callback URL from signing service upon ICLA signature for a Gitlab user.
"""
content = body.read()
# check_user_id_is_current(auth_user, user_id)
return cla.controllers.signing.post_individual_signed_gitlab(
content, user_id, organization_id, gitlab_repository_id, merge_request_id
)
Expand All @@ -1400,6 +1440,7 @@ def post_individual_signed_gerrit(body, user_id: hug.types.uuid):
Callback URL from signing service upon ICLA signature for a Gerrit user.
"""
content = body.read()
# check_user_id_is_current(auth_user, user_id)
return cla.controllers.signing.post_individual_signed_gerrit(content, user_id)


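Review bot: The commented-out `# check_user_id_is_current(auth_user, user_id)` in `post_individual_signed_gerrit(body, user_id)` (and in the GitLab callback in the hunk above) references `auth_user`, which is not a parameter of either function, so uncommenting it would raise `NameError` rather than enforce anything. These are callbacks from the signing service and by design carry no end-user bearer token, so this check cannot apply to them; replace the dead line with a comment stating how the callback itself is authenticated (signing-service callback verification in the controller) so the exemption is recorded as deliberate rather than looking forgotten.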
Expand Down Expand Up @@ -1876,7 +1917,6 @@ def user_from_token(auth_user: check_auth, request, response):
"""
return cla.controllers.user.get_or_create_user(auth_user).to_dict()


@hug.post("/events", versions=1)
def create_event(
event_data: hug.types.text,
Expand Down
3 changes: 3 additions & 0 deletions utils/get_oauth_token.sh
@@ -0,0 +1,3 @@
#!/bin/bash
source .venv/bin/activate
~/get_oauth_token.py --stage dev
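Review bot: The new `utils/get_oauth_token.sh` (and `utils/get_oauth_token_prod.sh`, which differs only in `--stage prod`) runs `~/get_oauth_token.py`, a file in the author's home directory that is not part of the repository, and sources `.venv/bin/activate` relative to the current directory, so the script only works from one checkout on one machine. Either check the Python helper in under `utils/` and reference it via `"$(dirname "$0")"`, or document where it comes from; adding `set -euo pipefail` would also stop the script from continuing with an unactivated environment when `.venv` is missing.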
3 changes: 3 additions & 0 deletions utils/get_oauth_token_prod.sh
@@ -0,0 +1,3 @@
#!/bin/bash
source .venv/bin/activate
~/get_oauth_token.py --stage prod
30 changes: 28 additions & 2 deletions utils/request_corporate_signature_py_post.sh
Expand Up @@ -4,10 +4,13 @@
# project_id='88ee12de-122b-4c46-9046-19422054ed8d'
# return_url_type='github'
# return_url='http://localhost'
# TOKEN='...' - Auth0 JWT bearer token
# XACL='...' - X-ACL
# DEBUG=1 ./utils/request_corporate_signature_py_post.sh 862ff296-6508-4f10-9147-2bc2dd7bfe80 88ee12de-122b-4c46-9046-19422054ed8d github 'http://localhost'
# ./utils/request_corporate_signature_py_post.sh 0ca30016-6457-466c-bc41-a09560c1f9bf 88ee12de-122b-4c46-9046-19422054ed8d github 'http://localhost'
# ./utils/request_corporate_signature_py_post.sh 10bde6b1-3061-4972-9c6a-17dd9a175a5c 88ee12de-122b-4c46-9046-19422054ed8d github 'http://localhost'
# Note: this is only for internal usage, it requires 'check_auth' function update in cla-backend/cla/routes.py (see LG:) and can only be tested locally (LG:)
# Note: you can run it in a similar way to utils/get_user_from_token_py.sh

if [ -z "$1" ]
then
Expand Down Expand Up @@ -37,13 +40,36 @@ then
fi
export return_url="$4"

if [ -z "$TOKEN" ]
then
# source ./auth0_token.secret
TOKEN="$(cat ./auth0.token.secret)"
fi

if [ -z "$TOKEN" ]
then
echo "$0: TOKEN not specified and unable to obtain one"
exit 5
fi

if [ -z "$XACL" ]
then
XACL="$(cat ./x-acl.secret)"
fi

if [ -z "$XACL" ]
then
echo "$0: XACL not specified and unable to obtain one"
exit 6
fi

if [ -z "$API_URL" ]
then
export API_URL="http://localhost:5000"
fi

if [ ! -z "$DEBUG" ]
then
echo "curl -s -XPOST -H 'Content-Type: application/json' '${API_URL}/v1/request-corporate-signature' -d '{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}' | jq -r '.'"
echo "curl -s -XPOST -H 'X-ACL: ${XACL}' -H 'Authorization: Bearer ${TOKEN}' -H 'Content-Type: application/json' '${API_URL}/v1/request-corporate-signature' -d '{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}' | jq -r '.'"
fi
curl -s -XPOST -H "Content-Type: application/json" "${API_URL}/v1/request-corporate-signature" -d "{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}" | jq -r '.'
curl -s -XPOST -H "X-ACL: ${XACL}" -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API_URL}/v1/request-corporate-signature" -d "{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}" | jq -r '.'
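Review bot: The `DEBUG` branch now echoes the full `Authorization: Bearer ${TOKEN}` and `X-ACL: ${XACL}` header values to stdout, and the header comment invites running with `DEBUG=1`, so every debug run copies two long-lived secrets into terminal scrollback, shell session logs and any CI capture; print a placeholder such as `Bearer <redacted>` (or at most a short prefix) in the echoed command instead. The secrets are read from `./auth0.token.secret` and `./x-acl.secret`, which must be covered by `.gitignore` (not visible in this diff, please confirm), and the leftover `# source ./auth0_token.secret` line names a different file from the `cat` directly below it, so drop it to avoid confusion. Finally, `TOKEN` is left in the environment unexported but `API_URL` is exported; keep both unexported so child processes other than `curl` never see the token.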