auth: Implement "Authorization Code Flow" auth/implement-authorization-code-flow

Implement the "Authorization Code Flow" for the authentication of users. * gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and save the authorisation code. * gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the `AuthorisationCode` model * gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo * gn3/auth/authentication/oauth2/server.py: Register the `AuthorisationCodeGrant` grant with the server. * gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint * gn3/templates/base.html: New HTML Templates of authorisation UI * gn3/templates/common-macros.html: New HTML Templates of authorisation UI * gn3/templates/oauth2/authorise-user.html: New HTML Templates of authorisation UI * main.py: Allow both "code" and "token" response types.
author: Frederick Muriuki Muriithi 2023-05-08 16:31:38 +0300
committer: Frederick Muriuki Muriithi 2023-05-09 13:15:47 +0300
commit: 5526f0316c2714d30e47a90f81e0ff686a29042f (patch)
tree: 64b6422984a6e3ce8bee3850b47a16c822677073 /gn3/auth/authentication/oauth2/grants
parent: f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 (diff)
download: genenetwork3-5526f0316c2714d30e47a90f81e0ff686a29042f.tar.gz
1 files changed, 44 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py
index d398192..f80d02e 100644
--- a/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py
+++ b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py
@@ -1,24 +1,45 @@
 """Classes and function for Authorisation Code flow."""
 import uuid
+import string
+import random
 from typing import Optional
+from datetime import datetime
 
 from flask import current_app as app
 from authlib.oauth2.rfc6749 import grants
+from authlib.oauth2.rfc7636 import create_s256_code_challenge
 
 from gn3.auth import db
+from gn3.auth.db_utils import with_db_connection
 from gn3.auth.authentication.users import User
 
+from ..models.oauth2client import OAuth2Client
+from ..models.authorization_code import (
+    AuthorisationCode, authorisation_code, save_authorisation_code)
+
 class AuthorisationCodeGrant(grants.AuthorizationCodeGrant):
     """Implement the 'Authorisation Code' grant."""
-    TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"]
+    TOKEN_ENDPOINT_AUTH_METHODS: list[str] = [
+        "client_secret_basic", "client_secret_post"]
+    AUTHORIZATION_CODE_LENGTH: int = 48
+    TOKEN_ENDPOINT_HTTP_METHODS = ['POST']
+    GRANT_TYPE = "authorization_code"
+    RESPONSE_TYPES = {'code'}
 
     def save_authorization_code(self, code, request):
         """Persist the authorisation code to database."""
-        raise Exception("NOT IMPLEMENTED!", self, code, request)
+        client = request.client
+        nonce = "".join(random.sample(string.ascii_letters + string.digits,
+                                      k=self.AUTHORIZATION_CODE_LENGTH))
+        return __save_authorization_code__(AuthorisationCode(
+            uuid.uuid4(), code, client, request.redirect_uri, request.scope,
+            nonce, int(datetime.now().timestamp()),
+            create_s256_code_challenge(app.config["SECRET_KEY"]),
+            "S256", request.user))
 
     def query_authorization_code(self, code, client):
         """Retrieve the code from the database."""
-        raise Exception("NOT IMPLEMENTED!", self, code, client)
+        return __query_authorization_code__(code, client)
 
     def delete_authorization_code(self, authorization_code):# pylint: disable=[no-self-use]
         """Delete the authorisation code."""
@@ -36,10 +57,29 @@ class AuthorisationCodeGrant(grants.AuthorizationCodeGrant):
             "WHERE authorisation_code.code=?")
         with db.connection(app.config["AUTH_DB"]) as conn:
             with db.cursor(conn) as cursor:
-                cursor.execute(query, (str(authorization_code.user_id),))
+                cursor.execute(query, (str(authorization_code.code),))
                 res = cursor.fetchone()
                 if res:
                     return User(
                         uuid.UUID(res["user_id"]), res["email"], res["name"])
 
         return None
+
+def __query_authorization_code__(
+        code: str, client: OAuth2Client) -> AuthorisationCode:
+    """A helper function that creates a new database connection.
+
+    This is found to be necessary since the `AuthorizationCodeGrant` class(es)
+    do not have a way to pass the database connection."""
+    def __auth_code__(conn) -> str:
+        the_code = authorisation_code(conn, code, client)
+        return the_code.maybe(None, lambda cde: cde) # type: ignore[misc, arg-type, return-value]
+
+    return with_db_connection(__auth_code__)
+
+def __save_authorization_code__(code: AuthorisationCode) -> AuthorisationCode:
+    """A helper function that creates a new database connection.
+
+    This is found to be necessary since the `AuthorizationCodeGrant` class(es)
+    do not have a way to pass the database connection."""
+    return with_db_connection(lambda conn: save_authorisation_code(conn, code))
author	Frederick Muriuki Muriithi	2023-05-08 16:31:38 +0300
committer	Frederick Muriuki Muriithi	2023-05-09 13:15:47 +0300
commit	5526f0316c2714d30e47a90f81e0ff686a29042f (patch)
tree	64b6422984a6e3ce8bee3850b47a16c822677073 /gn3/auth/authentication/oauth2/grants
parent	f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 (diff)
download	genenetwork3-5526f0316c2714d30e47a90f81e0ff686a29042f.tar.gz