aboutsummaryrefslogtreecommitdiff
path: root/gn2/wqflask/oauth2
AgeCommit message (Collapse)Author
2024-08-28Consistently use JSON for all endpoints.Frederick Muriuki Muriithi
2024-08-28bug: add missing `count_per_page` variable.Frederick Muriuki Muriithi
2024-08-28Use auto-created and auto-rotated JSON Web KeysFrederick Muriuki Muriithi
Use auto-created JWKs for better security.
2024-08-28Use JWKs from auth server public endpointFrederick Muriuki Muriithi
* Fetch keys from auth server * Validate token is signed with one of the keys from server * Ensure refreshing of token is still synchronised
2024-08-28Add module to help with rotation of JSON Web Keys.Frederick Muriuki Muriithi
2024-08-28Synchronise token refreshesFrederick Muriuki Muriithi
The application can be run in a multi-threaded server, leading to a situation where the multiple threads attempt to get a new JWT using the exact same refresh token. This synchronises the various threads ensuring only a single thread is able to retrieve the new JWT that all the rest of the threads then use.
2024-08-28Use JSON rather than X-Form-URL-encoded data with auth server.Frederick Muriuki Muriithi
2024-08-28Provide PoC public-jwks endpoint.Frederick Muriuki Muriithi
2024-08-28Fix premature session expirationFrederick Muriuki Muriithi
With the change to JWTs the time-to-live for each token is severely curtailed to help with security in case of a token theft. We, therefore, can no longer rely on the TTL for session expiration, rather, we will rely of the token-refresh mechanism to expire a token after a long while.
2024-08-28Remove redundant import.Frederick Muriuki Muriithi
2024-08-28Remove token and user detail handling from @app.before_requestFrederick Muriuki Muriithi
The token and user details information is handled in the `gn2.wqflask.oauth2.session`. Other parts of the system should make use of that. It also helps avoid some weird "action-at-a-distance" interactions - this forces the code to request what it needs when it needs it and not rely on some global variables.
2024-08-28Remove flawed "group role" idea: use just "role".Frederick Muriuki Muriithi
2024-08-28Remove deprecated endpoints/views and templatesFrederick Muriuki Muriithi
2024-08-28Fix error display logicFrederick Muriuki Muriithi
2024-08-28Fetch the active user's roles on a particular resource.Frederick Muriuki Muriithi
2024-08-28Use privilege objects rather than IDS.Frederick Muriuki Muriithi
2024-08-28Delete request to obsoleted endpoint.Frederick Muriuki Muriithi
2024-08-28Create a new resource role.Frederick Muriuki Muriithi
2024-08-28Update URI formsFrederick Muriuki Muriithi
2024-08-28Use json for communication with gn-authFrederick Muriuki Muriithi
2024-08-28List user assigned role of interest.Frederick Muriuki Muriithi
2024-08-28Unassign privilege from resource role.Frederick Muriuki Muriithi
2024-08-28Import the UUID class directly.Frederick Muriuki Muriithi
2024-08-28Implement "Resource Role Page"Frederick Muriuki Muriithi
Show the page, providing all UI elements necessary, even if the elements themselves are not active.
2024-08-28Generalise `render_ur` for the resources pagesFrederick Muriuki Muriithi
2024-08-28Set default headers for OAuth2Client requests.Frederick Muriuki Muriithi
2024-08-28Update UI: Use resource roles rather than obsolete group rolesFrederick Muriuki Muriithi
In a fix to fix a privilege-escalation bug, the `…/group/roles` endpoint was entirely removed and replaced with the less error-prone `…/resource/…/roles` endpoint. This commit updates the code to use the new endpoint's data as appropriate. We also fix typos in some url_for routing arguments.
2024-08-28Fix displayed error messageFrederick Muriuki Muriithi
2024-08-28Remove the "Roles" page.Frederick Muriuki Muriithi
2024-08-28Deactivate the "create_role" functionFrederick Muriuki Muriithi
The `create_role` function could lead to privilege escalation. This commit deactivates it completely to prevent the chance of that happening.
2024-08-28Bug: Add missing data to search query.Frederick Muriuki Muriithi
2024-08-28Build search URI endpoint on server rather than on JSFrederick Muriuki Muriithi
To help with maintenance, build the search URI on the server rather than in the javascript.
2024-08-28Build phenotype results template URI on backendFrederick Muriuki Muriithi
Build the template URI on the backend to remove the need to remember to update the javascript if the URI changes in the future.
2024-08-28Provide client data used for user verification.Frederick Muriuki Muriithi
2024-08-28Ensure endpoint returns a response.Frederick Muriuki Muriithi
2024-08-28Bug: Compute numeric timestamp for the claims.Frederick Muriuki Muriithi
2024-05-14Use correct URL when redirecting user after a new registration.Munyoki Kilyungi
Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
2024-05-14Consistently use the same OAuthSession clientFrederick Muriuki Muriithi
2024-05-14Enable client to automatically request a refresh token.Frederick Muriuki Muriithi
2024-05-14Redirect to index rather than no-longer supported loginFrederick Muriuki Muriithi
Redirect to index of the site rather that the no-longer supported "Password Grant"-using login page. Disable the login route entirely.
2024-04-30Revert "Create constructors for encoding and decoding a token."Munyoki Kilyungi
This reverts commit e7a3bf22da1b63a01343f2cd30cd13c234fe508c.
2024-04-30Make returning an json object from oauth2_get optional.Munyoki Kilyungi
* gn2/wqflask/oauth2/client.py (oauth2_get): Add a jsonify_p key word that defaults to False. Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
2024-04-30Create constructors for encoding and decoding a token.Munyoki Kilyungi
* gn2/tests/unit/wqflask/oauth2/(__init__.py, test_tokens.py): Test cases for jwt token creation. * gn2/wqflask/oauth2/tokens.py (JWTToken): New module for creating jwt tokens. Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
2024-04-24Bug: use dict object on Response object.Frederick Muriuki Muriithi
2024-04-24Fetch message for authlib errors.Frederick Muriuki Muriithi
2024-04-24Send assertion as a string, not bytes.Frederick Muriuki Muriithi
2024-04-24DEBUG: log out request detailsFrederick Muriuki Muriithi
There is a failure on CI/CD that is not obvious - the logs should help with debugging the issue.
2024-04-23Separate the auth server's public key from app's private keyFrederick Muriuki Muriithi
* Use the app's private key to sign the initial assertions used for retrieving an authorisation token from the auth server. * Use auth server's public key to validate the authorisation tokens got from the auth server.
2024-04-23Generate assertions to be used to get the token from the auth serverFrederick Muriuki Muriithi
2024-04-23Use the JWT Bearer grant typeFrederick Muriuki Muriithi