Necessary Changes for Updating the Langman API

Updating games API

With the JWT creation mechanism in hand, we must update the game API to use it correctly. We could add the decorator to require that the user is logged in, but then any user could still visit any other user’s games. One way to address that would be to query the database and see if the user is the right player for the game before allowing further access. This is problematic because it adds an additional and unnecessary database access. The better approach is to codify the access to that game within the token itself. Since a player can have multiple active games, their token should make claims for those game identifiers. Then, when the player accesses a particular game, the method will check whether the corresponding claim exists or not. The fact that the signature will ensure its validity is valid, and the token has not expired, which is checked by the decorator.

Updating the POST method

The general pattern for the update is that everything at the root game route, that is, within the Games resource, requires the token but not the claim on game_id, and then it potentially returns the game_id claim. The routes of the form /<game_id>, meaning those within the OneGame resource, require the token with the game_id claim. This will prevent valid users from accessing other users’ games.

So, in Games.post we add the @JWT.jwt_required() decorator and change the part that checked whether the payload had the right information or not:

if not (games_api.payload and
        'username' in games_api.payload and
        'language' in games_api.payload):
    games_api.abort(400, 'New game POST requires username and language')
lang = games_api.payload['language']
name = games_api.payload['username']