Age | Commit message (Collapse) | Author | |
---|---|---|---|
10 days | Revert "Debug: Add debug logging to trace JWK fetching." | Frederick Muriuki Muriithi | |
This reverts commit 5a6dc1fb81bf223750f42f4697f3cd7d86b39e71. Remove debugging statements and restore original code. | |||
13 days | Debug: Add debug logging to trace JWK fetching. | Frederick Muriuki Muriithi | |
13 days | Output KeySet retrieved from the client. | Frederick Muriuki Muriithi | |
2024-10-09 | Linting: Fix minor linting errors | Frederick Muriuki Muriithi | |
2024-10-09 | Add a client to the JWTBearerToken objects. | Frederick Muriuki Muriithi | |
2024-10-03 | Provide a way to change OAuth2 client secrets. | Frederick Muriuki Muriithi | |
2024-08-19 | Show "Forgot Password" link. | Frederick Muriuki Muriithi | |
Provide the user with the "Forgot Password" link, if the backend supports it. | |||
2024-08-15 | Fix a bunch of linting errors. | Frederick Muriuki Muriithi | |
2024-08-14 | refactor: move newest_jwk_with_rotation function to jwks.py | John Nduli | |
We have a similar jwk module in gn2 that does similar functionality. Moving the newest_jwk_with_rotation function to the module ensures that there's some consistency between both modules so that when we ever want to remove the duplication (e.g. by creating some python pip package) it's easier. | |||
2024-08-08 | Forward email to email verification page. | Frederick Muriuki Muriithi | |
2024-08-05 | Fix linting errors. | Frederick Muriuki Muriithi | |
2024-08-02 | fix: use json to support parsing oauth2 requests | John Nduli | |
The local sign in request used by gn2 uses json. However, the default parsing assumes form data, see: - https://github.com/lepture/authlib/blob/v1.2.0/authlib/integrations/flask_oauth2/authorization_server.py#L72 - https://github.com/lepture/authlib/blob/v1.2.0/authlib/integrations/flask_helpers.py#L5 We create a custom Authorization server that defaults to `use_json=True` when creating the oauth request object | |||
2024-07-31 | Update all endpoints to use the `client_secret_post` auth method. | Frederick Muriuki Muriithi | |
2024-07-31 | Use customised JWTBearerToken class | Frederick Muriuki Muriithi | |
2024-07-31 | Extend default JWTBearerToken to include a user member. | Frederick Muriuki Muriithi | |
2024-07-31 | Authenticate JWTs using all available keys. | Frederick Muriuki Muriithi | |
2024-07-31 | Bug: Pass in app rather than path. | Frederick Muriuki Muriithi | |
2024-07-31 | Fetch a client's JWKs from a URI | Frederick Muriuki Muriithi | |
2024-07-31 | Validate JWTs against all existing JWKs. | Frederick Muriuki Muriithi | |
2024-07-31 | Remove obsoleted SSL_PRIVATE_KEY configuration | Frederick Muriuki Muriithi | |
With the key rotation in place, eliminate the use of the SSL_PRIVATE_KEY configuration which pointed to a specific non-changing JWK. | |||
2024-07-31 | Update datetime references on changed import. | Frederick Muriuki Muriithi | |
2024-07-31 | Retrieve newest JWK, creating a new JWK where necessary. | Frederick Muriuki Muriithi | |
To help with key rotation, we fetch the latest key, creating a new JWK in any of the following 2 conditions: * There is no JWK in the first place * The "newest" key is older than a specified number of days | |||
2024-07-30 | JWT refresh: Deactivate the checks and revocation | Frederick Muriuki Muriithi | |
The checks for whether a token is already linked, and then revoking it and raising an error were causing issues in multi-threaded environments, where there'd be multiple requests to the auth server all using an expired token. This just links the refresh token and avoids the check and revocation for the time being. | |||
2024-07-18 | List any/all existing JWKs | Frederick Muriuki Muriithi | |
List any/all existing JWKs that the server currently supports. | |||
2024-06-17 | Bug: use or's short-circuiting to prevent evaluation of statements | Frederick Muriuki Muriithi | |
Without the `or` later statements were being evaluated, before the final value was computed. This commit short-circuits that behaviour. | |||
2024-06-04 | Approximate the GN2 look-and-feel. | Frederick Muriuki Muriithi | |
2024-06-04 | Redirect appropriately when verifying emails. | Frederick Muriuki Muriithi | |
2024-06-03 | Raise explicit error messages for more graceful handling.enable-sending-emails | Frederick Muriuki Muriithi | |
2024-06-03 | Handle unverified emails | Frederick Muriuki Muriithi | |
If a user provides the correct credentials to login, but they are unverified, redirect them to the email verification page, where they are provided with a chance to verify their email, or send a new verification code. | |||
2024-06-03 | Move user creation from db resultset into static method | Frederick Muriuki Muriithi | |
Creation of a User object from the database resultset will mostly be the same. This commit moves the repetitive code into a static method that can be called wherever we need it. This improves maintainability, since we only ever need to do an update in one place now. | |||
2024-05-29 | Remove unused import. | Frederick Muriuki Muriithi | |
2024-05-29 | Revert "jwt: add user roles to the jwt token." | Frederick Muriuki Muriithi | |
This reverts commit 0582565fa7db4b95e86fb0dde8d83e3170e566a7. Adding the user roles to the token makes the token ridiculously large. Rather than doing that, we'll use an endpoint on the auth server to get the user roles and privileges instead. | |||
2024-05-24 | Revoke refresh token, and all its children. | Frederick Muriuki Muriithi | |
2024-05-24 | Check whether a refresh token has been used before | Frederick Muriuki Muriithi | |
Check whether a refresh token has been used before using it to generate a new JWT token. If the refresh token has been used previously, it should be revoked, and an error raised. As of this commit the actual revocation process hasn't been implemented. | |||
2024-05-24 | Linting: reorganise imports. | Frederick Muriuki Muriithi | |
2024-05-24 | Use monads consistently to reduce chances of errors. | Frederick Muriuki Muriithi | |
2024-05-23 | jwt: add user roles to the jwt token. | Frederick Muriuki Muriithi | |
2024-05-13 | Fix myriad of linting error | Frederick Muriuki Muriithi | |
These linting errors can't be rebased into the newer commits. | |||
2024-05-13 | Link old refresh token to newly issued refresh token | Frederick Muriuki Muriithi | |
We need to track the "lineage" of refresh tokens in order to detect possible stolen tokens and mitigate damage. | |||
2024-05-13 | Register the RefreshTokenGrant with the server | Frederick Muriuki Muriithi | |
Register the RefreshTokenGrant with the server to enable refreshing of the tokens. | |||
2024-05-13 | Use None as default for expires_in | Frederick Muriuki Muriithi | |
2024-05-13 | Save refresh token when it is generated. | Frederick Muriuki Muriithi | |
2024-05-13 | Save token with same ID as JWT's "jti" value. | Frederick Muriuki Muriithi | |
2024-05-13 | Initialise JWTRefreshToken model | Frederick Muriuki Muriithi | |
Add a model for the JWT refresh tokens. | |||
2024-05-06 | Add `jti` claim | Frederick Muriuki Muriithi | |
Have each JWT token have a `jti` claim (JWT ID) to help with tracking refreshes, and therefore validity of the JWTs. If a refresh token is used more than once, then that refresh token, and all its progeny/descendants are considered invalid, since that token could have been stolen. | |||
2024-05-02 | Include refresh tokens with generated JWT | Frederick Muriuki Muriithi | |
This shim enables us to have a refresh token with the JWT. This might not be the way to refresh JWTs - this is because the `authlib.oauth2.rfc7523.token.JWTBearerTokenGenerator.__call__(…)` method has a comment that states: # there is absolutely no refresh token in JWT format Searching on the internet, however, seems to indicate that JWTs can be used in conjunction with refresh tokens... We need to verify this and fix this if necessary. | |||
2024-05-02 | Compute and cache the client's KeySet. | Frederick Muriuki Muriithi | |
2024-04-26 | UX: use correct class for flash messages. | Frederick Muriuki Muriithi | |
2024-04-26 | Pass redirect_uri fields in POST. Use full URL | Frederick Muriuki Muriithi | |
Pass in the missing redirect_uri value along with login data. Use the full URI (complete with request args) as the form's action. This resolves the error raised when wrong credentials are provided. | |||
2024-04-24 | Move the errors module up one level to break circular dependencies. | Frederick Muriuki Muriithi | |