Age | Commit message (Collapse) | Author |
|
We are saving the client secret in an encrypted form, meaning we have to
verify that the CLIENT_SECRET that is provided is the same one as was
generated at registration in a different way.
Initially, I was doing a direct comparison, having saved the CLIENT_SECRET
value as unencrypted plain-text.
|
|
Add UI and code to enable the administrative user to register new OAuth2
clients that can access the API server.
|
|
* gn3/auth/authentication/oauth2/views.py: Remove endpoint
* gn3/auth/authorisation/users/admin/__init__.py: New admin module
* gn3/auth/authorisation/users/admin/ui.py: New admin module
* gn3/auth/authorisation/users/admin/views.py: New admin module
* gn3/auth/views.py: Use new admin module
* gn3/errors.py: Fix linting errors
* gn3/templates/login.html: New html template
* main.py: Fix linting errors
|
|
* docs/authentication_and_authorisation/oauth2_clients.md: New documentation
* gn3/auth/authentication/oauth2/server.py: Raise appropriate error if no
client is found.
* gn3/auth/authentication/oauth2/views.py: Handle exception in the case where
a UI should be presented to the user, rather than presenting the raw JSON
response to the user.
* gn3/errors.py: Handle any authlib OAuth2Error at the application's top-level
* gn3/templates/oauth2/oauth2_error.html: Handle any authlib OAuth2Error at
the application's top-level
|
|
Check only that the email format is correct, but don't bother with the
deliverability check during authentication. The deliverability check is done
at registration.
|
|
Implement the "Authorization Code Flow" for the authentication of users.
* gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and
save the authorisation code.
* gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the
`AuthorisationCode` model
* gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo
* gn3/auth/authentication/oauth2/server.py: Register the
`AuthorisationCodeGrant` grant with the server.
* gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint
* gn3/templates/base.html: New HTML Templates of authorisation UI
* gn3/templates/common-macros.html: New HTML Templates of authorisation UI
* gn3/templates/oauth2/authorise-user.html: New HTML Templates of
authorisation UI
* main.py: Allow both "code" and "token" response types.
|
|
Fix the bug where the system was trying to load a user from a non-existing
OAuth2 client, leading to an exception.
|
|
Due to the fact that the data migration requires higher privileges than the
user details, separate the user details migration endpoint from the data
migrations endpoint.
|
|
The introspection endpoint could contain privileged information, thus requires
that the endpoint be protected. This commit ensures that a user has
authenticated to the system and that the client they are using be one of the
allowed clients.
|
|
Fetching the user by id should return the user, or raise an exception. We get
rid of the Maybe monad here since it is leading to some weird code flows -
probably the wrong monad to use here.
|
|
|
|
Split the views/routes into separate modules each dealing with a narrower
scope of the application to aid in maintenance, and help with making the
development easier.
|
|
Setting the scope as a list of strings was leading to errors when attempting
to logout. This commit leaves the scope as a string to avoid the errors.
|
|
|
|
|
|
|
|
If the token already exists, then update the details rather than trying to
insert.
|
|
* gn3/auth/authentication/oauth2/grants/password_grant.py: Return user rather
than boolean
* gn3/auth/authentication/oauth2/models/oauth2client.py: provide optional
`user` argument to allow flexibility in setting up the client's user
* gn3/auth/authentication/oauth2/models/oauth2token.py: Set token and client
user correctly
* gn3/auth/authentication/oauth2/server.py: Set token user from the request
|
|
To avoid having to manually rebuild some default data for exploration of
concepts while developing the system, add a way to build up the test users and
oauth2 clients to use for testing.
|
|
* gn3/app.py: register top-level error handlers. reorganise oauth2 blueprint.
* gn3/auth/__init__.py: reorganise oaut2 blueprint.
* gn3/auth/authentication/oauth2/views.py: reorganise oauth2 blueprint.
* gn3/auth/authorisation/exceptions.py -> gn3/auth/authorisation/errors.py
* gn3/auth/authorisation/groups.py: rename file/module
* gn3/auth/authorisation/resources.py: rename file/module
* gn3/auth/authorisation/views.py: Add `/register-user` endpoint
* gn3/auth/blueprint.py: reorganise oauth2 blueprint.
* gn3/errors.py: register top-level error handlers.
|
|
* gn3/app.py: import blueprint from authorisation views inorder to get all
endpoints
* gn3/auth/authentication/oauth2/views.py: remove the `/user` endpoint
* gn3/auth/authorisation/views.py: add the `/user` endpoint and add the group
information to the user details.
|
|
* gn3/auth/authorisation/roles.py: Fetch roles from DB
* gn3/auth/authorisation/views.py: Provide API endpoint for user roles
* tests/unit/auth/test_roles.py: Tests to check fetching roles works correctly
Fix linting and typing issues in the following files:
* gn3/auth/authentication/oauth2/resource_server.py
* gn3/auth/authentication/oauth2/views.py
* tests/unit/auth/fixtures/oauth2_client_fixtures.py
|
|
Add a resource server with the validator for the bearer token to protect the
resources endpoints.
Add a protected `/user` endpoint that returns the user details for valid
tokens.
* gn3/auth/authentication/oauth2/resource_server.py: new file
* gn3/auth/authentication/oauth2/views.py: add /user endpoint
|
|
Add code to implement the OAuth2 flow.
* Add test fixtures for setting up users and OAuth2 clients
* Add tests for token generation with the "Password Grant" flow
* Fix some issues with test due to changes in the database connection's
row_factory
|