# HG changeset patch
# User Paul Fisher
# Date 1569772368 14400
# Node ID b42c4bfe57c7d967d72c50033d492daf4dd6fc17
# Parent cda47993a1937ab0939fb720e5dcba4c2fa1dffe
server: Use a "preamble" object in the POST to auth.
diff -r cda47993a193 -r b42c4bfe57c7 weather_server/server.py
--- a/weather_server/server.py Sun Sep 29 01:18:18 2019 -0400
+++ b/weather_server/server.py Sun Sep 29 11:52:48 2019 -0400
@@ -1,5 +1,6 @@
 import bson
 import flask
+import hmac
 from . import common
 from . import locations
@@ -21,28 +22,25 @@
 @app.route('/_submit', methods=['POST'])
 def submit():
 req = flask.request
- target = req.args.get('location')
- if not target:
- flask.abort(404)
- try:
- target_loc, logger = locs.get(target)
- except KeyError:
- flask.abort(404)
-
- password = req.args.get('password')
- if password != target_loc.password:
- flask.abort(401)
-
 reader = bson.decode_file_iter(
 req.stream, codec_options=common.BSON_OPTIONS)
- entries = [
- types.Reading.from_now(
- sample_time=item['sample_time'],
- temp_c=item['temp_c'],
- rh_pct=item['rh_pct'],
- )
- for item in reader
- ]
+ try:
+ preamble = next(reader)
+ loc_name = preamble['location']
+ password = str(preamble['password'])
+ loc, logger = locs.get(loc_name)
+ if not hmac.compare_digest(password, loc.password):
+ flask.abort(400)
+ entries = [
+ types.Reading.from_now(
+ sample_time=item['sample_time'],
+ temp_c=item['temp_c'],
+ rh_pct=item['rh_pct'],
+ )
+ for item in reader
+ ]
+ except (KeyError, bson.InvalidBSON):
+ flask.abort(400)
 logger.write_rows(entries)
 return flask.jsonify({'status': 'OK'})
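Review bot: Two failure paths in the new `try` block of submit() escape the `except (KeyError, bson.InvalidBSON)` tuple and reach the client as a 500 before any authentication has succeeded. An empty request body makes `next(reader)` raise StopIteration, and `hmac.compare_digest` raises TypeError when either str argument contains non-ASCII characters, which `str(preamble['password'])` does not rule out. Widening the handler to `except (KeyError, StopIteration, bson.InvalidBSON):` and comparing bytes with `if not hmac.compare_digest(password.encode('utf-8'), loc.password.encode('utf-8')):` would keep both cases on the intended 400 path; this assumes `loc.password` is a str, which the hunk does not show. The types of `preamble['location']` and of the reading fields are also unchecked, so a comment above the `try` stating which exceptions `locs.get` and `types.Reading.from_now` can raise on malformed values would help the next reviewer.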