First stab at submitting spots upstream. POTA is working, all other providers still to do. #95

2026-06-24 05:35:10 +00:00 · 2026-06-12 09:14:21 +01:00
parent 930d5357fe
commit 1afb407ca5
29 changed files with 640 additions and 92 deletions
--- a/server/handlers/api/addspot.py
+++ b/server/handlers/api/addspot.py
@@ -4,9 +4,10 @@ import re
 from datetime import datetime

 import pytz
+import requests
 import tornado

-from core.config import ALLOW_SPOTTING, MAX_SPOT_AGE
+from core.config import ALLOW_SPOTTING, ALLOW_UPSTREAM_SPOTTING, MAX_SPOT_AGE, RECAPTCHA_SECRET_KEY
 from core.constants import UNKNOWN_BAND
 from core.lookup_helper import infer_band_from_freq
 from core.prometheus_metrics_handler import api_requests_counter
@@ -15,13 +16,16 @@ from core.utils import serialize_everything
 from data.sig_ref import SIGRef
 from data.spot import Spot

+RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
+

 class APISpotHandler(tornado.web.RequestHandler):
    """API request handler for /api/v1/spot (POST)"""

-    def initialize(self, spots, web_server_metrics):
+    def initialize(self, spots, web_server_metrics, spot_providers=None):
        self._spots = spots
        self._web_server_metrics = web_server_metrics
+        self._spot_providers = spot_providers or []

    def post(self):
        try:
@@ -58,15 +62,43 @@ class APISpotHandler(tornado.web.RequestHandler):
                self.set_header("Content-Type", "application/json")
                return

-            # Read in the request body as JSON then convert to a Spot object
-            json_spot = tornado.escape.json_decode(post_data)
-            spot = Spot(**json_spot)
+            # Read in the request body as JSON
+            json_body = tornado.escape.json_decode(post_data)
+
+            # Extract fields relating to how we handle the spot, such as CAPTCHA and upstream submission. Remove these
+            # from the data so they don't accidentally end up in the spot object itself.
+            # todo: Better way of separating these out. Possible without API change or not?
+            submit_upstream = json_body.pop("submit_upstream", False)
+            upstream_provider_name = json_body.pop("upstream_provider", None)
+            upstream_credentials = json_body.pop("upstream_credentials", {})
+            captcha_token = json_body.pop("captcha_token", None)
+
+            # Verify CAPTCHA if required
+            if RECAPTCHA_SECRET_KEY:
+                if not captcha_token:
+                    self.set_status(422)
+                    self.write(json.dumps("Error - CAPTCHA token is required for spot submission.",
+                                          default=serialize_everything))
+                    self.set_header("Cache-Control", "no-store")
+                    self.set_header("Content-Type", "application/json")
+                    return
+                if not self._verify_recaptcha(captcha_token):
+                    self.set_status(422)
+                    self.write(json.dumps("Error - CAPTCHA verification failed.",
+                                          default=serialize_everything))
+                    self.set_header("Cache-Control", "no-store")
+                    self.set_header("Content-Type", "application/json")
+                    return
+
+            # Convert remaining fields to a Spot object
+            spot = Spot(**json_body)

            # Converting to a spot object this way won't have coped with sig_ref objects, so fix that. (Would be nice to
            # redo this in a functional style)
-            if spot.sig_refs:
+            if spot.sig and spot.sig_refs:
                real_sig_refs = []
                for dict_obj in spot.sig_refs:
+                    dict_obj = {**dict_obj, "sig": spot.sig}
                    real_sig_refs.append(json.loads(json.dumps(dict_obj), object_hook=lambda d: SIGRef(**d)))
                spot.sig_refs = real_sig_refs

@@ -126,13 +158,47 @@ class APISpotHandler(tornado.web.RequestHandler):
                self.set_header("Content-Type", "application/json")
                return

-            # infer missing data, and add it to our database.
-            spot.source = "API"
-            spot.infer_missing()
-            self._spots.add(spot.id, spot, expire=MAX_SPOT_AGE)
+            # Reject upstream submission if not permitted
+            if submit_upstream and not ALLOW_UPSTREAM_SPOTTING:
+                self.set_status(403)
+                self.write(json.dumps("Error - this server does not allow upstream spot submission.",
+                                      default=serialize_everything))
+                self.set_header("Cache-Control", "no-store")
+                self.set_header("Content-Type", "application/json")
+                return

-            self.write(json.dumps("OK", default=serialize_everything))
-            self.set_status(201)
+            # Submit upstream if requested
+            upstream_warning = None
+            if submit_upstream and upstream_provider_name and spot.sig:
+                provider = self._find_provider(upstream_provider_name, spot.sig)
+                if provider:
+                    try:
+                        # Submit spot to the upstream provider
+                        provider.submit_spot(spot, upstream_credentials)
+                        # Trigger an immediate re-poll so the spot appears quickly
+                        provider.force_poll()
+                    except NotImplementedError as e:
+                        upstream_warning = str(e)
+                    except Exception as e:
+                        logging.warning("Failed to submit spot upstream to " + upstream_provider_name + ": " + str(e))
+                        upstream_warning = "Spot was saved locally but upstream submission to " + upstream_provider_name + " failed: " + str(
+                            e)
+                else:
+                    upstream_warning = "No enabled provider named '" + upstream_provider_name + "' supports upstream submission for " + spot.sig + " spots."
+
+            # If we successfully submitted the spot upstream, don't add it direct to Spothole, otherwise it will be a
+            # duplicate with what immediately comes back from the API. But if we weren't asked to send it upstream, or
+            # we were but it failed, we should still add it to our database anyway.
+            if not submit_upstream or upstream_warning:
+                spot.infer_missing()
+                self._spots.add(spot.id, spot, expire=MAX_SPOT_AGE)
+
+            if upstream_warning:
+                self.write(json.dumps("Warning - " + upstream_warning, default=serialize_everything))
+                self.set_status(201)
+            else:
+                self.write(json.dumps("OK", default=serialize_everything))
+                self.set_status(201)
            self.set_header("Cache-Control", "no-store")
            self.set_header("Content-Type", "application/json")

@@ -142,3 +208,23 @@ class APISpotHandler(tornado.web.RequestHandler):
            self.set_status(500)
            self.set_header("Cache-Control", "no-store")
            self.set_header("Content-Type", "application/json")
+
+    def _find_provider(self, provider_name, sig):
+        """Find an enabled provider by name that can submit spots for the given SIG."""
+
+        for p in self._spot_providers:
+            if p.enabled and p.name == provider_name and p.can_submit_spot(sig):
+                return p
+        return None
+
+    def _verify_recaptcha(self, token):
+        """Verify a Google reCAPTCHA v2 token. Returns True if valid."""
+
+        try:
+            response = requests.post(RECAPTCHA_VERIFY_URL,
+                                     data={"secret": RECAPTCHA_SECRET_KEY, "response": token},
+                                     timeout=(5, 10))
+            return response.ok and response.json().get("success", False)
+        except Exception as e:
+            logging.warning("reCAPTCHA verification request failed: " + str(e))
+            return False
--- a/server/handlers/api/options.py
+++ b/server/handlers/api/options.py
@@ -13,9 +13,10 @@ from core.utils import serialize_everything
 class APIOptionsHandler(tornado.web.RequestHandler):
    """API request handler for /api/v1/options"""

-    def initialize(self, status_data, web_server_metrics):
+    def initialize(self, status_data, web_server_metrics, spot_providers=None):
        self._status_data = status_data
        self._web_server_metrics = web_server_metrics
+        self._spot_providers = spot_providers or []

    def get(self):
        # Metrics
@@ -24,6 +25,15 @@ class APIOptionsHandler(tornado.web.RequestHandler):
        self._web_server_metrics["status"] = "OK"
        api_requests_counter.inc()

+        # Build a map of SIG name -> list of provider names that can submit spots for that SIG
+        spot_submit_providers = {}
+        for provider in self._spot_providers:
+            if not provider.enabled:
+                continue
+            for sig in SIGS:
+                if provider.can_submit_spot(sig.name):
+                    spot_submit_providers.setdefault(sig.name, []).append(provider.name)
+
        options = {"bands": BANDS,
                   "modes": ALL_MODES,
                   "mode_types": MODE_TYPES,
@@ -35,7 +45,8 @@ class APIOptionsHandler(tornado.web.RequestHandler):
                       map(lambda p: p["name"], filter(lambda p: p["enabled"], self._status_data["alert_providers"]))),
                   "continents": CONTINENTS,
                   "max_spot_age": MAX_SPOT_AGE,
-                   "spot_allowed": ALLOW_SPOTTING}
+                   "spot_allowed": ALLOW_SPOTTING,
+                   "spot_submit_providers": spot_submit_providers}
        # If spotting to this server is enabled, "API" is another valid spot source even though it does not come from
        # one of our proviers.
        if ALLOW_SPOTTING:
--- a/server/webserver.py
+++ b/server/webserver.py
@@ -22,7 +22,7 @@ from server.handlers.pagetemplate import PageTemplateHandler
 class WebServer:
    """Provides the public-facing web server."""

-    def __init__(self, spots, alerts, solar_conditions, status_data):
+    def __init__(self, spots, alerts, solar_conditions, status_data, spot_providers=None):
        """Constructor"""

        self._spots = spots
@@ -31,6 +31,7 @@ class WebServer:
        self._sse_spot_queues = []
        self._sse_alert_queues = []
        self._status_data = status_data
+        self._spot_providers = spot_providers or []
        self._port = WEB_SERVER_PORT
        self._api_only_mode = API_ONLY_MODE
        self._shutdown_event = asyncio.Event()
@@ -69,12 +70,12 @@ class WebServer:
             {"sse_alert_queues": self._sse_alert_queues, **handler_opts}),
            (r"/api/v1/solar", APISolarConditionsHandler, {"solar_conditions": self._solar_conditions, **handler_opts}),
            (r"/api/v1/dxstats", APIDxStatsHandler, {"spots": self._spots, **handler_opts}),
-            (r"/api/v1/options", APIOptionsHandler, {"status_data": self._status_data, **handler_opts}),
+            (r"/api/v1/options", APIOptionsHandler, {"status_data": self._status_data, "spot_providers": self._spot_providers, **handler_opts}),
            (r"/api/v1/status", APIStatusHandler, {"status_data": self._status_data, **handler_opts}),
            (r"/api/v1/lookup/call", APILookupCallHandler, {**handler_opts}),
            (r"/api/v1/lookup/sigref", APILookupSIGRefHandler, {**handler_opts}),
            (r"/api/v1/lookup/grid", APILookupGridHandler, {**handler_opts}),
-            (r"/api/v1/spot", APISpotHandler, {"spots": self._spots, **handler_opts}),
+            (r"/api/v1/spot", APISpotHandler, {"spots": self._spots, "spot_providers": self._spot_providers, **handler_opts}),
        ]

        # If in API-only mode, serve a basic homepage; in normal mode, serve the usual UI routes