Merge pull request #352 from MerginMaps/fix_v2_apis

Fix issues in new v2 API
MerginMaps · Jan 10, 2025 · 8f6a611 · 8f6a611
2 parents 32270a8 + 61313dc
commit 8f6a611
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 9 deletions.
diff --git a/server/mergin/app.py b/server/mergin/app.py
@@ -252,7 +252,7 @@ def custom_protect():
     _get_csrf_token = csrf._get_csrf_token
 
     def get_csrf_token():
-        if request.path.startswith("/v1/"):
+        if request.path.startswith("/v1/") or request.path.startswith("/v2/"):
             for header_name in app.app.config["WTF_CSRF_HEADERS"]:
                 csrf_token = request.headers.get(header_name)
                 if csrf_token:

diff --git a/server/mergin/auth/controller.py b/server/mergin/auth/controller.py
@@ -510,7 +510,9 @@ def create_user():
     username = request.json.get(
         "username", User.generate_username(request.json["email"])
     )
-    form = UserRegistrationForm()
+
+    # in public endpoint we want to disable form csrf - for browser clients endpoint is protected anyway
+    form = UserRegistrationForm(meta={"csrf": False})
     form.confirm.data = form.password.data
     form.username.data = username
     if not form.validate():

diff --git a/server/mergin/sync/public_api_v2.yaml b/server/mergin/sync/public_api_v2.yaml
@@ -136,10 +136,10 @@ paths:
             schema:
               type: object
               required:
-                - username
+                - user
                 - role
               properties:
-                username:
+                user:
                   type: string
                   example: john.doe
                   description: username or email

diff --git a/server/mergin/sync/public_api_v2_controller.py b/server/mergin/sync/public_api_v2_controller.py
@@ -93,7 +93,7 @@ def get_project_collaborators(id):
 def add_project_collaborator(id):
     """Add project collaborator"""
     project = require_project_by_uuid(id, ProjectPermissions.Update)
-    user = User.get_by_login(request.json["username"])
+    user = User.get_by_login(request.json["user"])
     if not user:
         abort(404)
 

diff --git a/server/mergin/tests/test_public_api_v2.py b/server/mergin/tests/test_public_api_v2.py
@@ -90,7 +90,7 @@ def test_project_members(client):
     assert response.status_code == 404
 
     # add direct access
-    response = client.post(url, json={"role": role, "username": user.email})
+    response = client.post(url, json={"role": role, "user": user.email})
     assert response.status_code == 201
     assert response.json["id"] == user.id
     assert response.json["project_role"] == role

diff --git a/web-app/packages/lib/src/modules/project/store.ts b/web-app/packages/lib/src/modules/project/store.ts
@@ -811,7 +811,7 @@ export const useProjectStore = defineStore('projectModule', {
         if (!payload.access.project_role) {
           await ProjectApi.addProjectCollaborator(payload.projectId, {
             ...payload.data,
-            username: payload.access.username
+            user: payload.access.username
           })
         } else {
           await ProjectApi.updateProjectCollaborator(
@@ -844,7 +844,7 @@ export const useProjectStore = defineStore('projectModule', {
         if (!payload.collaborator.project_role) {
           await ProjectApi.addProjectCollaborator(payload.projectId, {
             ...payload.data,
-            username: payload.collaborator.username
+            user: payload.collaborator.username
           })
         } else {
           await ProjectApi.updateProjectCollaborator(

diff --git a/web-app/packages/lib/src/modules/project/types.ts b/web-app/packages/lib/src/modules/project/types.ts
@@ -295,7 +295,7 @@ export type EnhancedProjectDetail = ProjectDetail & {
 
 export interface AddProjectCollaboratorPayload {
   role: ProjectRoleName
-  username: string
+  user: string
 }
 
 export interface UpdateProjectCollaboratorPayload {