From 08bdba70036d7c3c6a60cced0884d887ab33d059 Mon Sep 17 00:00:00 2001
From: mishaschwartz <4380924+mishaschwartz@users.noreply.github.com>
Date: Fri, 22 May 2026 10:37:32 -0400
Subject: [PATCH] verify hook

---
 twitcher/adapter/base.py    | 11 +++++++++++
 twitcher/adapter/default.py |  3 +++
 twitcher/owsproxy.py        |  4 +++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/twitcher/adapter/base.py b/twitcher/adapter/base.py
index 0d67950..1f9f7e0 100644
--- a/twitcher/adapter/base.py
+++ b/twitcher/adapter/base.py
@@ -75,6 +75,17 @@ def response_hook(self, response: Response, service: ServiceConfig) -> Response:
         """
         raise NotImplementedError
 
+    def verify_hook(self, request: Request, service: ServiceConfig) -> bool:
+        """
+        Apply additional logic used to verify whether a request should be rejected.
+
+        .. versionadded:: 0.11.2
+
+        Return False to indicate that the verify endpoint should return a "forbidden"
+        response regardless of whether the request is verified.
+        """
+        raise NotImplementedError
+
     def send_request(self, request: Request, service: ServiceConfig) -> Response:
         """
         Performs the provided request in order to obtain a proxied response.
diff --git a/twitcher/adapter/default.py b/twitcher/adapter/default.py
index d47f55e..553045c 100644
--- a/twitcher/adapter/default.py
+++ b/twitcher/adapter/default.py
@@ -48,5 +48,8 @@ def request_hook(self, request, service):
     def response_hook(self, response, service):
         return response
 
+    def verify_hook(self, request, service):
+        return True
+
     def send_request(self, request: Request, service: ServiceConfig) -> Response:
         return send_request(request, service)
diff --git a/twitcher/owsproxy.py b/twitcher/owsproxy.py
index 0f7ffbb..b84e91a 100644
--- a/twitcher/owsproxy.py
+++ b/twitcher/owsproxy.py
@@ -190,7 +190,9 @@ def owsverify_view(request: Request) -> Response:
     try:
         service_name = request.matchdict.get('service_name')
         service = request.owsregistry.get_service_by_name(service_name)
-        if service and request.is_verified:
+        adapter = request.adapter
+        hook_success = adapter.verify_hook(request, service)
+        if service and hook_success and request.is_verified:
             message, status, access = "allowed", 200, True
     except Exception as exc:
         LOGGER.exception("Security check failed due to unhandled error.", exc_info=exc)