Added authentication on external feedback endpoint

chris-adam · chris-adam · commit d30cc2902e63 · 2026-01-16T10:32:50.000+01:00
diff --git a/setup.py b/setup.py
@@ -56,7 +56,7 @@
         "collective.compoundcriterion",
         "collective.eeafaceted.z3ctable",
         "eea.facetednavigation",
-        "imio.helpers>1.3.8",
+        "imio.helpers>1.3.10",
         "imio.prettylink",
         "imio.pyutils",
         # 'z3c.jbot',
diff --git a/src/imio/esign/services/external_session_feedback.py b/src/imio/esign/services/external_session_feedback.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 from datetime import datetime
 from imio.esign.utils import get_session_annotation
+from imio.helpers.ws import verify_auth_token
 from plone.restapi.deserializer import json_body
 from plone.restapi.services import Service
 
@@ -99,7 +100,14 @@ def reply(self):  # noqa C901
 
     def authorized(self):
         """Check if the user is authorized to access this service."""
-        return True
+        auth_header = self.request._auth
+        if not auth_header or not auth_header.startswith("Bearer "):
+            return False
+        try:
+            token = auth_header.split(" ")[1]
+        except IndexError:
+            return False
+        return verify_auth_token(token, groups=["access_apims-esign"])
 
 
 """
