Create the auth decorator

isso/views/api.py

@@ -50,6 +50,20 @@ def xhr(func):
 
     return dec
 
+def auth(func):
+    """A decorator to check the validity of an auth cookie."""
+
+    def dec(self, env, req, *args, **kwargs):
+
+        if not self.conf.getboolean("auth", "enabled"):
+            return func(self, env, req, *args, **kwargs)
+        try:
+            self.load(req.cookies.get("auth", ""))
+        except (SignatureExpired, BadSignature):
+            raise Forbidden
+        return func(self, env, req, *args, **kwargs)
+
+    return dec
 
 class API(object):
 
@@ -100,6 +114,7 @@ class API(object):
         return obj
 
     @xhr
+    @auth
     @requires(str, 'uri')
     def new(self, environ, request, uri):
         data = request.get_json()