aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authentication
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2023-03-09 04:39:37 +0300
committerFrederick Muriuki Muriithi2023-03-09 04:39:37 +0300
commitdee42dd14dc7786b1ccf9465bb28dfe74024166c (patch)
tree31af463e825d03776ac46cd859e65610dfcc5457 /gn3/auth/authentication
parenta35d16f9a191afbb31e2c185e87e5eec5e23122f (diff)
downloadgenenetwork3-dee42dd14dc7786b1ccf9465bb28dfe74024166c.tar.gz
auth: introspection: Protect introspection endpoint
The introspection endpoint could contain privileged information, thus requires that the endpoint be protected. This commit ensures that a user has authenticated to the system and that the client they are using be one of the allowed clients.
Diffstat (limited to 'gn3/auth/authentication')
-rw-r--r--gn3/auth/authentication/oauth2/views.py19
1 files changed, 15 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py
index e440c6e..3a14a48 100644
--- a/gn3/auth/authentication/oauth2/views.py
+++ b/gn3/auth/authentication/oauth2/views.py
@@ -1,8 +1,11 @@
"""Endpoints for the oauth2 server"""
import uuid
-from flask import Blueprint, current_app as app
+from flask import Response, Blueprint, current_app as app
+from gn3.auth.authorisation.errors import ForbiddenAccess
+
+from .resource_server import require_oauth
from .endpoints.revocation import RevocationEndpoint
from .endpoints.introspection import IntrospectionEndpoint
@@ -36,7 +39,15 @@ def revoke_token():
RevocationEndpoint.ENDPOINT_NAME)
@auth.route("/introspect", methods=["POST"])
-def introspect_token():
+@require_oauth("introspect")
+def introspect_token() -> Response:
"""Provide introspection information for the token."""
- return app.config["OAUTH2_SERVER"].create_endpoint_response(
- IntrospectionEndpoint.ENDPOINT_NAME)
+ # This is dangerous to provide publicly
+ authorised_clients = app.config.get(
+ "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", [])
+ with require_oauth.acquire("introspect") as the_token:
+ if the_token.client.client_id in authorised_clients:
+ return app.config["OAUTH2_SERVER"].create_endpoint_response(
+ IntrospectionEndpoint.ENDPOINT_NAME)
+
+ raise ForbiddenAccess("You cannot access this endpoint")