author | Frederick Muriuki Muriithi | 2023-03-09 04:39:37 +0300 |
committer | Frederick Muriuki Muriithi | 2023-03-09 04:39:37 +0300 |
commit | dee42dd14dc7786b1ccf9465bb28dfe74024166c (patch) | |
tree | 31af463e825d03776ac46cd859e65610dfcc5457 /gn3/auth/authentication | |
parent | a35d16f9a191afbb31e2c185e87e5eec5e23122f (diff) | |
auth: introspection: Protect introspection endpoint
The introspection endpoint could expose privileged information, so the endpoint must be protected. This commit ensures that a user has authenticated to the system and that the client they are using is one of the allowed clients.
Diffstat (limited to 'gn3/auth/authentication')
-rw-r--r-- | gn3/auth/authentication/oauth2/views.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/gn3/auth/authentication/oauth2/views.py b/gn3/auth/authentication/oauth2/views.py
index e440c6e..3a14a48 100644
--- a/gn3/auth/authentication/oauth2/views.py
+++ b/gn3/auth/authentication/oauth2/views.py
@@ -1,8 +1,11 @@
 """Endpoints for the oauth2 server"""
 import uuid
-from flask import Blueprint, current_app as app
+from flask import Response, Blueprint, current_app as app
+from gn3.auth.authorisation.errors import ForbiddenAccess
+
+from .resource_server import require_oauth
 from .endpoints.revocation import RevocationEndpoint
 from .endpoints.introspection import IntrospectionEndpoint
@@ -36,7 +39,15 @@ def revoke_token():
         RevocationEndpoint.ENDPOINT_NAME)
 @auth.route("/introspect", methods=["POST"])
-def introspect_token():
+@require_oauth("introspect")
+def introspect_token() -> Response:
     """Provide introspection information for the token."""
-    return app.config["OAUTH2_SERVER"].create_endpoint_response(
-        IntrospectionEndpoint.ENDPOINT_NAME)
+    # This is dangerous to provide publicly
+    authorised_clients = app.config.get(
+        "OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE", [])
+    with require_oauth.acquire("introspect") as the_token:
+        if the_token.client.client_id in authorised_clients:
+            return app.config["OAUTH2_SERVER"].create_endpoint_response(
+                IntrospectionEndpoint.ENDPOINT_NAME)
+
+    raise ForbiddenAccess("You cannot access this endpoint") |
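Review bot: The caller's token is validated twice in the new `introspect_token`: the added `@require_oauth("introspect")` decorator already rejects requests without a valid token carrying that scope, and `require_oauth.acquire("introspect")` inside the body repeats the same validation only to reach the token object. If `require_oauth` is authlib's `ResourceProtector`, the decorator already exposes the validated token through `current_token` and the `with` block can be dropped; otherwise keep just one of the two so a future scope change is made in one place. The comment `# This is dangerous to provide publicly` says less than the code does; suggest `# RFC 7662 §2.1: introspection exposes token metadata, so only clients listed in OAUTH2_CLIENTS_WITH_INTROSPECTION_PRIVILEGE may call it; an unset list denies everyone.` The membership test also presumes the configured ids have the same type as `the_token.client.client_id` (str vs uuid.UUID, given the module's `import uuid`); a mismatch fails closed but silently, which is worth either a comment or normalising both sides to `str` before comparing.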