Added authentication on external feedback endpoint

chris-adam · chris-adam · commit 809a7c666053 · 2026-01-16T10:23:30.000+01:00
diff --git a/src/imio/esign/services/external_session_feedback.py b/src/imio/esign/services/external_session_feedback.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 from datetime import datetime
 from imio.esign.utils import get_session_annotation
+from imio.helpers.ws import verify_auth_token
 from plone.restapi.deserializer import json_body
 from plone.restapi.services import Service
 
@@ -99,7 +100,15 @@ def reply(self):  # noqa C901
 
     def authorized(self):
         """Check if the user is authorized to access this service."""
-        return True
+        # TODO test this code works correctly
+        auth_header = self.request._auth
+        if not auth_header or not auth_header.startswith("Bearer "):
+            return False
+        try:
+            token = auth_header.split(" ")[1]
+        except IndexError:
+            return False
+        return verify_auth_token(token, groups=["access_apims-esign"])
 
 
 """
