diff --git a/app.py b/app.py
index 1352a0a..b879263 100644
--- a/app.py
+++ b/app.py
@@ -4,8 +4,9 @@ from external import apply_external, update_status_external, get_applications_external from internal import apply_internal, update_status_internal, get_applications_internal from applications import get_application_by_id -from utils import app +from utils import app, validate_authentication +auth_error = "You must be authenticated to perform this call." @app.route('/') def index():
@@ -25,8 +26,12 @@ def apply_external_endpoint():
     - `date_posted`: When the application was posted
     - `deadline`: Deadline to apply for the job
     - `user_id`: ID of the user applying
+    - `auth`: Authentication token
     """
     content = request.json
+    if not validate_authentication(content):
+        return jsonify({"status": auth_error})
+
     url, position, company = content.get("url", ""), content.get('position', ""), content.get('company', "")
     date_posted, deadline = content.get('date_posted', ""), content.get('deadline', "")
     user_id, resume, status = content['user_id'], content.get('resume', ""), content.get("status", "Applied")
@@ -43,7 +48,10 @@ def apply_internal_endpoint():
     - `user_id`: ID of the user applying
     - `job_id`: ID of the job the user is applying to
     - `resume`: Handy tool for applying to jobs
+    - `auth`: Authentication token
     """
+    if not validate_authentication(content):
+        return jsonify({"status": auth_error})
     content = request.json
     job_id = content['job_id']
     user_id, resume = content['user_id'], content['resume']
@@ -58,7 +66,11 @@ def update_status_external_endpoint():
     Request body:
     - `id`: Job application ID
     - `new_status`: New status of the job application
+    - `auth`: Authentication token
     """
+    if not validate_authentication(content):
+        return jsonify({"status": auth_error})
+
     content = request.json
     application_id = content['id']
     new_status = content['new_status']
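Review bot: `auth_error` is a module-level constant shared by every endpoint but is spelled like a local; PEP 8 would have it as `AUTH_ERROR = "You must be authenticated to perform this call."`, and the same applies to `auth_base_url` introduced in utils.py. A one-line comment on it would also help a reader who lands on the endpoints first, e.g. `# Body returned by every endpoint that rejects a missing or invalid token`.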
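Review bot: The guard added after `content = request.json` returns the rejection as an HTTP 200 with a JSON body, so callers and proxies cannot tell a denied request from a success; return a status code as well, `return jsonify({"status": auth_error}), 401`, and the same applies to every guard this commit adds. The token is also only checked for validity, not bound to the `user_id` the body carries, so any authenticated caller can file an application under another user's id; `validate_authentication` already accepts a `user=` argument, so `if not validate_authentication(content, user=content.get('user_id')):` would close that, provided the auth service's `_id` and the body's `user_id` compare equal in type. `request.json` is None when the body is not JSON, which makes the `'auth' not in content` test inside the helper raise rather than deny; `content = request.get_json(silent=True) or {}` keeps that path a clean rejection. apply_external_endpoint's body continues past the end of the hunk.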
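Review bot: The new guard in apply_internal_endpoint reads `content` one line before `content = request.json` assigns it, so every request raises UnboundLocalError and the endpoint answers 500 instead of ever reaching the application logic; move the assignment above the check, as the apply_external_endpoint hunk does. The same ordering error is in the update_status_external_endpoint hunk below and in the update_status_internal_endpoint hunk that follows it. Both function bodies continue past the end of their hunks.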
@@ -73,7 +85,11 @@ def update_status_internal_endpoint():
     Request body:
     - `id`: Job application ID
     - `new_status`: New status of the job application
+    - `auth`: Authentication token
     """
+    if not validate_authentication(content, admin=True):
+        return jsonify({"status": auth_error})
+
     content = request.json
     application_id = content['id']
     new_status = content['new_status']
@@ -85,7 +101,11 @@ def update_status_internal_endpoint():
 def get_application_by_user_endpoint(user_id, application_type=None):
     """
     Gets job postings for a specific user.
+    - `auth`: Authentication token
     """
+    if not validate_authentication(content, user=user_id):
+        return jsonify({"status": auth_error})
+
     applications_external, applications_internal = [], []
     if application_type == "external" or not application_type:
         applications_external = get_applications_external(user_id)
@@ -99,6 +119,9 @@ def get_application_by_job_endpoint(job_id):
     """
     Gets all job postings to an internal job
     """
+    if not validate_authentication(content, admin=True):
+        return jsonify({"status": auth_error})
+
     return jsonify(get_applications_internal(job_id, 'job'))
 
 
@@ -107,6 +130,9 @@ def get_application(application_id):
     """
     Gets a single application by its unique ID
     """
+    if not validate_authentication(content, admin=True):
+        return jsonify({"status": auth_error})
+
     return jsonify(get_application_by_id(application_id))
 
 
diff --git a/requirements.txt b/requirements.txt
index 74caccc..ff805d3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,3 +5,5 @@ flask-heroku==0.1.9
 gunicorn==19.9.0
 pytest==4.2.0
 psycopg2==2.7.7
+requests==2.21.0
+
diff --git a/utils.py b/utils.py
index e35b09c..230ca4e 100644
--- a/utils.py
+++ b/utils.py
@@ -2,8 +2,9 @@ from flask_heroku import Heroku from flask_sqlalchemy import SQLAlchemy import os +import requests - +auth_base_url = "https://jobhub-authentication-staging.herokuapp.com" # app initialization app = Flask(__name__) app.debug = True
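Review bot: get_application_by_user_endpoint never defines `content`, so the new `validate_authentication(content, user=user_id)` call raises NameError on every request; the same undefined name is used in the get_application_by_job_endpoint and get_application hunks below. These handlers take their input from the URL, so the token has to be read from the request explicitly, e.g. `if not validate_authentication(request.get_json(silent=True) or {}, user=user_id):` if clients will send a JSON body, or from the `Authorization` header if that is where clients put it. As written the three endpoints fail closed by crashing, which is at least not an authorization bypass, but they are unusable. The function body continues past the end of the hunk.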
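Review bot: `auth_base_url` hard-codes the staging authentication host, so every deployment, including production, will verify tokens against staging until someone edits the source. Read it from the environment with a documented fallback, e.g. `auth_base_url = os.environ.get("AUTH_BASE_URL", "https://jobhub-authentication-staging.herokuapp.com")` (`os` is already imported in this hunk; the variable name is a suggestion). A short comment naming what the service is used for, e.g. `# Auth service that /users/self tokens are verified against`, would make the dependency obvious to whoever deploys this.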
@@ -20,3 +21,20 @@ heroku = Heroku(app) db = SQLAlchemy(app) + +
+def validate_authentication(content, user=None, admin=False):
+    if 'auth' not in content:
+        return False
+    headers = {'content-type': 'application/json', 'Authorization': f"Bearer {content['auth']}"}
+    response = requests.get(f"{auth_base_url}/users/self", headers=headers)
+    if 'verified' not in response:
+        return False
+
+    if admin and response['type'] != 'recruiter':
+        return False
+
+    if user:
+        return response['_id'] == user
+    else:
+        return response['verified']
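Review bot: `response` on the `requests.get` line is a requests.Response object, not the decoded body, so the `'verified' not in response` test that follows never finds the key and `response['type']` / `response['_id']` would raise TypeError; the function therefore returns False for every token and locks every guarded endpoint. The body has to come from `response.json()` after the status is checked, the call needs a `timeout=` so a stalled auth service cannot pin a worker indefinitely, and a connection error should deny rather than surface as a 500. The `user` branch also returns `_id == user` without requiring `verified`, unlike the default branch, and `user_id` taken from a URL is a str while `_id` may not be, so that comparison deserves a check against the service's schema. The function has no docstring; the rewrite below adds one and applies the verified check on the user path too — confirm that is the intended policy.
```python
def validate_authentication(content, user=None, admin=False):
    """Return True when content['auth'] is a bearer token the auth service
    accepts for a verified user; with admin=True the user must also be a
    recruiter, with user=<id> it must be that user."""
    if not isinstance(content, dict) or 'auth' not in content:
        return False
    headers = {'content-type': 'application/json', 'Authorization': f"Bearer {content['auth']}"}
    try:
        response = requests.get(f"{auth_base_url}/users/self", headers=headers, timeout=5)
        response.raise_for_status()
        data = response.json()
    except (requests.RequestException, ValueError):
        # unreachable service, non-2xx reply or non-JSON body: deny rather than crash
        return False
    if not isinstance(data, dict) or 'verified' not in data:
        return False
    if admin and data.get('type') != 'recruiter':
        return False
    if user:
        # NOTE(review): also requires `verified` here — confirm that is the intended policy
        return bool(data['verified']) and data.get('_id') == user
    return bool(data['verified'])
```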