Age | Commit message (Collapse) | Author |
|
|
|
We are saving the client secret in an encrypted form, meaning we have to
verify that the CLIENT_SECRET that is provided is the same one as was
generated at registration in a different way.
Initially, I was doing a direct comparison, having saved the CLIENT_SECRET
value as unencrypted plain-text.
|
|
Add UI and code to enable the administrative user to register new OAuth2
clients that can access the API server.
|
|
* gn3/auth/authentication/oauth2/views.py: Remove endpoint
* gn3/auth/authorisation/users/admin/__init__.py: New admin module
* gn3/auth/authorisation/users/admin/ui.py: New admin module
* gn3/auth/authorisation/users/admin/views.py: New admin module
* gn3/auth/views.py: Use new admin module
* gn3/errors.py: Fix linting errors
* gn3/templates/login.html: New html template
* main.py: Fix linting errors
|
|
* docs/authentication_and_authorisation/oauth2_clients.md: New documentation
* gn3/auth/authentication/oauth2/server.py: Raise appropriate error if no
client is found.
* gn3/auth/authentication/oauth2/views.py: Handle exception in the case where
a UI should be presented to the user, rather than presenting the raw JSON
response to the user.
* gn3/errors.py: Handle any authlib OAuth2Error at the application's top-level
* gn3/templates/oauth2/oauth2_error.html: Handle any authlib OAuth2Error at
the application's top-level
|
|
Check only that the email format is correct, but don't bother with the
deliverability check during authentication. The deliverability check is done
at registration.
|
|
Implement the "Authorization Code Flow" for the authentication of users.
* gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and
save the authorisation code.
* gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the
`AuthorisationCode` model
* gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo
* gn3/auth/authentication/oauth2/server.py: Register the
`AuthorisationCodeGrant` grant with the server.
* gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint
* gn3/templates/base.html: New HTML Templates of authorisation UI
* gn3/templates/common-macros.html: New HTML Templates of authorisation UI
* gn3/templates/oauth2/authorise-user.html: New HTML Templates of
authorisation UI
* main.py: Allow both "code" and "token" response types.
|
|
Fix the bug where the system was trying to load a user from a non-existing
OAuth2 client, leading to an exception.
|
|
Due to the fact that the data migration requires higher privileges than the
user details, separate the user details migration endpoint from the data
migrations endpoint.
|
|
The introspection endpoint could contain privileged information, thus requires
that the endpoint be protected. This commit ensures that a user has
authenticated to the system and that the client they are using be one of the
allowed clients.
|
|
To avoid repeating the same thing in multiple places, leading to errors and
breakages, reuse the same basic functions for password hashing.
|
|
Bcrypt is now somewhat vulnerable to offline cracking, so we move our password
hashing over to Argon2.
|
|
Fetching the user by id should return the user, or raise an exception. We get
rid of the Maybe monad here since it is leading to some weird code flows -
probably the wrong monad to use here.
|
|
|
|
|
|
Split the views/routes into separate modules each dealing with a narrower
scope of the application to aid in maintenance, and help with making the
development easier.
|
|
The @authenticated_p decorator (and function), is an artifact of the original
development ideas and should be removed from use.
|
|
Setting the scope as a list of strings was leading to errors when attempting
to logout. This commit leaves the scope as a string to avoid the errors.
|
|
Define a Protocol type to use with the `dictify` function and implement the
`dictify` methods for the various classes.
|
|
|
|
|
|
|
|
If the token already exists, then update the details rather than trying to
insert.
|
|
* gn3/auth/authentication/oauth2/grants/password_grant.py: Return user rather
than boolean
* gn3/auth/authentication/oauth2/models/oauth2client.py: provide optional
`user` argument to allow flexibility in setting up the client's user
* gn3/auth/authentication/oauth2/models/oauth2token.py: Set token and client
user correctly
* gn3/auth/authentication/oauth2/server.py: Set token user from the request
|
|
To avoid having to manually rebuild some default data for exploration of
concepts while developing the system, add a way to build up the test users and
oauth2 clients to use for testing.
|
|
|
|
If the registration details pass the validations steps, then persist the
details in the database and respond with details about the newly created user.
* gn3/auth/authentication/users.py: new functions
* `save_user`: create and persist a new user
* `set_user_password`: hash and persist the new password for the given user
* gn3/auth/authorisation/views.py: Persist the user details and respond with
the newly persisted user details.
|
|
* gn3/app.py: register top-level error handlers. reorganise oauth2 blueprint.
* gn3/auth/__init__.py: reorganise oaut2 blueprint.
* gn3/auth/authentication/oauth2/views.py: reorganise oauth2 blueprint.
* gn3/auth/authorisation/exceptions.py -> gn3/auth/authorisation/errors.py
* gn3/auth/authorisation/groups.py: rename file/module
* gn3/auth/authorisation/resources.py: rename file/module
* gn3/auth/authorisation/views.py: Add `/register-user` endpoint
* gn3/auth/blueprint.py: reorganise oauth2 blueprint.
* gn3/errors.py: register top-level error handlers.
|
|
* gn3/app.py: import blueprint from authorisation views inorder to get all
endpoints
* gn3/auth/authentication/oauth2/views.py: remove the `/user` endpoint
* gn3/auth/authorisation/views.py: add the `/user` endpoint and add the group
information to the user details.
|
|
* gn3/auth/authorisation/roles.py: Fetch roles from DB
* gn3/auth/authorisation/views.py: Provide API endpoint for user roles
* tests/unit/auth/test_roles.py: Tests to check fetching roles works correctly
Fix linting and typing issues in the following files:
* gn3/auth/authentication/oauth2/resource_server.py
* gn3/auth/authentication/oauth2/views.py
* tests/unit/auth/fixtures/oauth2_client_fixtures.py
|
|
Add a resource server with the validator for the bearer token to protect the
resources endpoints.
Add a protected `/user` endpoint that returns the user details for valid
tokens.
* gn3/auth/authentication/oauth2/resource_server.py: new file
* gn3/auth/authentication/oauth2/views.py: add /user endpoint
|
|
Add code to implement the OAuth2 flow.
* Add test fixtures for setting up users and OAuth2 clients
* Add tests for token generation with the "Password Grant" flow
* Fix some issues with test due to changes in the database connection's
row_factory
|
|
* gn3/auth/authentication/users.py: authlib expects the user object to have a
`get_user_id` method.
|
|
* gn3/auth/authentication/routes.py: Add `/login` endpoint and a function to
validate the login credentials.
* gn3/auth/authentication/users.py: add function to fetch user details by
email
|
|
* gn3/auth/authentication/checks.py: new `authenticated_p` decorator to apply
on any function that requires the user to be authenticated before it runs.
* gn3/auth/authorisation/checks.py: use a `auth.authentication.users.User`
object rather than a UUID object in the global `g`.
* gn3/auth/authorisation/groups.py: Implement the `authenticated_user_group`
function to get the group(s) in which the currently authenticated user
belongs.
* gn3/auth/authorisation/resources.py: Implement the `create_resource`
function correctly.
* tests/unit/auth/conftest.py: extract the User objects into a global variable
for reusability with the tests.
* tests/unit/auth/test_resources.py: Use global user objects from conftest in
the tests. Set a User object (rather than UUID) in the global `g` variable.
|
|
* gn3/auth/authentication/exceptions.py: define `AuthenticationError`
* gn3/auth/authorisation/exceptions.py: define `AuthorisationError`
|
|
* gn3/auth/authentication.py -> gn3/auth/authentication/__init__.py: Convert
module to package
* gn3/auth/authentication/users.py: Define the `User` type
|
|
* gn3/auth/authentication.py: new function `credentials_in_database`
* gn3/auth/authentication/__init__.py: replace package with module
* gn3/settings.py: new `AUTH_MIGRATIONS` configuration variable
* migrations/auth/20221103_02_sGrIs-create-user-credentials-table.py: new
migration
* tests/unit/auth/test_credentials.py: test the `credentials_in_database`
function
* tests/unit/conftest.py: more test fixtures
|
|
Initialise the authentication/authorisation system packages and set up the
initial database migrations to set up the system.
* README.md: Add documentation on migrations
* gn3/auth/__init__.py: init package
* gn3/auth/authentication/__init__.py: init package
* gn3/auth/authorisation/__init__.py: init package
* gn3/migrations.py: provide migration utilities
* migrations/auth/20221103_01_js9ub-initialise-the-auth-entic-oris-ation-database.py:
new migration
* tests/unit/auth/test_init_database.py: test new migration applies and rolls
back as expected
* tests/unit/conftest.py: fixtures for unit tests
* yoyo.auth.ini: basic configuration for yoyo-migration for auth system
migrations
|