feat: use signed url's for single user photo (#158)

rmoesbergen · web-flow · commit 1d0c40225ee0 · 2025-10-23T12:37:54.000+02:00
diff --git a/LedenAdministratie/api.py b/LedenAdministratie/api.py
@@ -12,7 +12,7 @@
 
 from LedenAdministratie.mixins import AllowListedClientCredentialsMixin
 from LedenAdministratie.models import Member
-from LedenAdministratie.templatetags.photo_filter import img2base64
+from LedenAdministratie.utils import Utils
 
 
 class ApiV1Smoelenboek(AllowListedClientCredentialsMixin):
@@ -29,21 +29,19 @@ def get(self, request, *args, **kwargs):
         )
 
         response = []
-        expiry = int((timezone.now() + timezone.timedelta(days=1)).timestamp())
+        expiry = int((timezone.now() + timezone.timedelta(hours=2)).timestamp())
         for member in members:
             # Generate a signed URL for the image
-            url = request.build_absolute_uri(f"{member.id}/{expiry}/?large={large}")
-            signature = hmac.new(
-                settings.SECRET_KEY.encode(), url.encode(), hashlib.sha256
-            ).hexdigest()
-            url += f"&signature={signature}"
+            photo_url = Utils.get_signed_url(
+                request, f"{member.id}/{expiry}/?large={large}"
+            )
             memberdict = {
                 "id": member.id,
                 "user_id": f"idp-{member.user.pk}",
                 "first_name": member.first_name,
                 "last_name": member.last_name,
                 "types": ",".join([tmptype.slug for tmptype in member.types.all()]),
-                "photo": url,
+                "photo": photo_url,
             }
             response.append(memberdict)
 
@@ -86,19 +84,15 @@ def get(self, request, *args, **kwargs):
         except Member.DoesNotExist:
             return HttpResponse(status=404)
 
-        if large:
-            photo = member.foto
-        else:
-            photo = member.thumbnail
-            if photo is None:
-                photo = member.foto
+        expiry = int((timezone.now() + timezone.timedelta(hours=2)).timestamp())
+        photo_url = Utils.get_signed_url(request, f"{expiry}/?large={large}")
 
         memberdict = {
             "id": member.id,
             "first_name": member.first_name,
             "last_name": member.last_name,
             "types": ",".join([tmptype.slug for tmptype in member.types.all()]),
-            "photo": img2base64(photo),
+            "photo": photo_url,
         }
         return JsonResponse(data=memberdict)
 
diff --git a/LedenAdministratie/mixins.py b/LedenAdministratie/mixins.py
@@ -27,6 +27,9 @@ def dispatch(self, request, *args, **kwargs):
             return super().dispatch(request, *args, **kwargs)
 
         # Set by oauth2_provider.middleware.OAuth2ExtraTokenMiddleware
+        if not hasattr(request, "access_token"):
+            return HttpResponseForbidden()
+
         client_id = request.access_token.application.client_id
         if client_id not in self.allowed_client_ids:
             return HttpResponseForbidden()
diff --git a/LedenAdministratie/utils.py b/LedenAdministratie/utils.py
@@ -1,5 +1,8 @@
+import hashlib
+import hmac
 from urllib.parse import urlparse
 
+from django.conf import settings
 from django.core.mail import EmailMessage
 from django.http.request import HttpRequest
 from django.shortcuts import reverse
@@ -34,3 +37,12 @@ def get_safe_return_url(request: HttpRequest) -> str:
             if path.startswith("/"):
                 return path
         return reverse("members")
+
+    @staticmethod
+    def get_signed_url(request: HttpRequest, path: str) -> str:
+        url = request.build_absolute_uri(path)
+        signature = hmac.new(
+            settings.SECRET_KEY.encode(), url.encode(), hashlib.sha256
+        ).hexdigest()
+        url += f"&signature={signature}"
+        return url
