aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authentication/oauth2/grants
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2022-12-19 16:02:19 +0300
committerFrederick Muriuki Muriithi2022-12-22 09:05:53 +0300
commitb0641272491eb51d321b1b8a7d062e395e70800f (patch)
treec9b2065ea60399579c4c4d84c648b61ed67402ba /gn3/auth/authentication/oauth2/grants
parente9031e28594fcd21371adb2b9b26e17a1df95599 (diff)
downloadgenenetwork3-b0641272491eb51d321b1b8a7d062e395e70800f.tar.gz
auth: implement OAuth2 flow.oauth2_auth_flow
Add code to implement the OAuth2 flow. * Add test fixtures for setting up users and OAuth2 clients * Add tests for token generation with the "Password Grant" flow * Fix some issues with test due to changes in the database connection's row_factory
Diffstat (limited to 'gn3/auth/authentication/oauth2/grants')
-rw-r--r--gn3/auth/authentication/oauth2/grants/__init__.py0
-rw-r--r--gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py45
-rw-r--r--gn3/auth/authentication/oauth2/grants/password_grant.py18
3 files changed, 63 insertions, 0 deletions
diff --git a/gn3/auth/authentication/oauth2/grants/__init__.py b/gn3/auth/authentication/oauth2/grants/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/gn3/auth/authentication/oauth2/grants/__init__.py
diff --git a/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py
new file mode 100644
index 0000000..d398192
--- /dev/null
+++ b/gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py
@@ -0,0 +1,45 @@
+"""Classes and function for Authorisation Code flow."""
+import uuid
+from typing import Optional
+
+from flask import current_app as app
+from authlib.oauth2.rfc6749 import grants
+
+from gn3.auth import db
+from gn3.auth.authentication.users import User
+
+class AuthorisationCodeGrant(grants.AuthorizationCodeGrant):
+ """Implement the 'Authorisation Code' grant."""
+ TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"]
+
+ def save_authorization_code(self, code, request):
+ """Persist the authorisation code to database."""
+ raise Exception("NOT IMPLEMENTED!", self, code, request)
+
+ def query_authorization_code(self, code, client):
+ """Retrieve the code from the database."""
+ raise Exception("NOT IMPLEMENTED!", self, code, client)
+
+ def delete_authorization_code(self, authorization_code):# pylint: disable=[no-self-use]
+ """Delete the authorisation code."""
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ with db.cursor(conn) as cursor:
+ cursor.execute(
+ "DELETE FROM authorisation_code WHERE code_id=?",
+ (str(authorization_code.code_id),))
+
+ def authenticate_user(self, authorization_code) -> Optional[User]:
+ """Authenticate the user who own the authorisation code."""
+ query = (
+ "SELECT users.* FROM authorisation_code LEFT JOIN users "
+ "ON authorisation_code.user_id=users.user_id "
+ "WHERE authorisation_code.code=?")
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ with db.cursor(conn) as cursor:
+ cursor.execute(query, (str(authorization_code.user_id),))
+ res = cursor.fetchone()
+ if res:
+ return User(
+ uuid.UUID(res["user_id"]), res["email"], res["name"])
+
+ return None
diff --git a/gn3/auth/authentication/oauth2/grants/password_grant.py b/gn3/auth/authentication/oauth2/grants/password_grant.py
new file mode 100644
index 0000000..91fdb7c
--- /dev/null
+++ b/gn3/auth/authentication/oauth2/grants/password_grant.py
@@ -0,0 +1,18 @@
+"""Allows users to authenticate directly."""
+
+from flask import current_app as app
+from authlib.oauth2.rfc6749 import grants
+
+from gn3.auth import db
+from gn3.auth.authentication.users import valid_login, user_by_email
+
+class PasswordGrant(grants.ResourceOwnerPasswordCredentialsGrant):
+ """Implement the 'Password' grant."""
+ TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"]
+
+ def authenticate_user(self, username, password):
+ "Authenticate the user with their username and password."
+ with db.connection(app.config["AUTH_DB"]) as conn:
+ return user_by_email(conn, username).maybe(
+ None,
+ lambda user: valid_login(conn, user, password))