path: root/uploader/oauth2/views.py
Diffstat (limited to 'uploader/oauth2/views.py')
-rw-r--r--uploader/oauth2/views.py56
1 files changed, 15 insertions, 41 deletions
diff --git a/uploader/oauth2/views.py b/uploader/oauth2/views.py
index db4ef61..b1b740f 100644
--- a/uploader/oauth2/views.py
+++ b/uploader/oauth2/views.py
@@ -1,26 +1,22 @@
 """Views for OAuth2 related functionality."""
-import uuid
-from datetime import datetime, timedelta
 from urllib.parse import urljoin, urlparse, urlunparse
 
-from authlib.jose import jwt
 from flask import (
     flash,
     jsonify,
-    url_for,
     request,
     redirect,
     Blueprint,
     current_app as app)
 
 from uploader import session
+from uploader.flask_extensions import url_for
 from uploader import monadic_requests as mrequests
 from uploader.monadic_requests import make_error_handler
 
 from . import jwks
+from .tokens import request_token
 from .client import (
-    SCOPE,
-    oauth2_get,
     user_logged_in,
     authserver_uri,
     oauth2_clientid,
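Review bot: Swapping Flask's `url_for` for `uploader.flask_extensions.url_for` also changes the `url_for("oauth2.authorisation_code")` that builds the `redirect_uri` sent with the token request further down in this file, not only the `base.index` redirects this commit targets. If the wrapper behaves differently from Flask's (for instance by returning an absolute URL or a different scheme), `urljoin(urlunparse(baseurl), ...)` will hand back the wrapper's URL and `redirect_uri` may no longer match the value used in the authorization request, which a token endpoint is expected to reject. A one-line comment at the import would make the dependency visible: `# project url_for: also feeds the OAuth2 redirect_uri, keep it path-relative here`.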
@@ -33,20 +29,20 @@ oauth2 = Blueprint("oauth2", __name__)
 @oauth2.route("/code")
 def authorisation_code():
     """Receive authorisation code from auth server and use it to get token."""
-    def __process_error__(resp_or_exception):
-        app.logger.debug("ERROR: (%s)", resp_or_exception)
+    def __process_error__(error_response):
+        app.logger.debug("ERROR: (%s)", error_response.content)
         flash("There was an error retrieving the authorisation token.",
               "alert alert-danger")
-        return redirect("/")
+        return redirect(url_for("base.index"))
 
     def __fail_set_user_details__(_failure):
         app.logger.debug("Fetching user details fails: %s", _failure)
         flash("Could not retrieve the user details", "alert alert-danger")
-        return redirect("/")
+        return redirect(url_for("base.index"))
 
     def __success_set_user_details__(_success):
         app.logger.debug("Session info: %s", _success)
-        return redirect("/")
+        return redirect(url_for("base.index"))
 
     def __success__(token):
         session.set_user_token(token)
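Review bot: `__process_error__` now dereferences `error_response.content`, whereas the handler previously accepted `resp_or_exception`; if the `.either` it serves (later in `authorisation_code`) can carry an exception instead of a response object on the failure side, the debug log itself would raise AttributeError and turn a handled failure into a 500. Unless `request_token` guarantees a response object for every Left, keep the log tolerant: `app.logger.debug("ERROR: (%s)", getattr(error_response, "content", error_response))`. This also logs the token endpoint's raw error body, which is fine at debug level but should not be promoted to a higher level. The enclosing function continues outside the hunk.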
@@ -57,39 +53,17 @@ def authorisation_code():
     code = request.args.get("code", "").strip()
     if not bool(code):
         flash("AuthorisationError: No code was provided.", "alert alert-danger")
-        return redirect("/")
+        return redirect(url_for("base.index"))
 
     baseurl = urlparse(request.base_url, scheme=request.scheme)
-    issued = datetime.now()
-    jwtkey = jwks.newest_jwk_with_rotation(
-        jwks.jwks_directory(app, "UPLOADER_SECRETS"),
-        int(app.config["JWKS_ROTATION_AGE_DAYS"]))
-    return mrequests.post(
-        urljoin(authserver_uri(), "auth/token"),
-        json={
-            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
+    return request_token(
+        token_uri=urljoin(authserver_uri(), "auth/token"),
+        user_id=request.args["user_id"],
+        extra_params={
             "code": code,
-            "scope": SCOPE,
             "redirect_uri": urljoin(
                 urlunparse(baseurl),
                 url_for("oauth2.authorisation_code")),
-            "assertion": jwt.encode(
-                header={
-                    "alg": "RS256",
-                    "typ": "JWT",
-                    "kid": jwtkey.as_dict()["kid"]
-                },
-                payload={
-                    "iss": str(oauth2_clientid()),
-                    "sub": request.args["user_id"],
-                    "aud": urljoin(authserver_uri(),"auth/token"),
-                    "exp": (issued + timedelta(minutes=5)).timestamp(),
-                    "nbf": int(issued.timestamp()),
-                    "iat": int(issued.timestamp()),
-                    "jti": str(uuid.uuid4())
-                },
-                key=jwtkey).decode("utf8"),
-            "client_id": oauth2_clientid()
         }).either(__process_error__, __success__)
 
 @oauth2.route("/public-jwks")
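Review bot: `user_id=request.args["user_id"]` in the `request_token` call is a hard subscript on the query string, while `code` a few lines above is read with `.get` and validated; a callback that omits `user_id` therefore surfaces as werkzeug's `BadRequestKeyError` (a bare 400) instead of the flash-and-redirect the rest of the view uses. The value is caller-supplied and, judging by the removed assertion payload, becomes the `sub` presented to the token endpoint, so the binding between the authorisation code and that user has to be enforced by the auth server — a comment stating that assumption would help the next reader. Validate it the same way as `code` before building the request:
```python
    # … unchanged: code check and baseurl …
    user_id = request.args.get("user_id", "").strip()
    if not user_id:
        flash("AuthorisationError: No user_id was provided.", "alert alert-danger")
        return redirect(url_for("base.index"))
    return request_token(
        token_uri=urljoin(authserver_uri(), "auth/token"),
        user_id=user_id,
        # … unchanged: extra_params and .either(...) …
```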
@@ -113,7 +87,7 @@ def logout():
         _user_str = f"{_user['name']} ({_user['email']})"
         session.clear_session_info()
         flash("Successfully signed out.", "alert alert-success")
-        return redirect("/")
+        return redirect(url_for("base.index"))
 
     if user_logged_in():
         return session.user_token().then(
@@ -126,9 +100,9 @@ def logout():
                     "client_secret": oauth2_clientsecret()
                 })).either(
                     make_error_handler(
-                        redirect_to=redirect("/"),
+                        redirect_to=redirect(url_for("base.index")),
                         cleanup_thunk=lambda: __unset_session__(
                             session.session_info())),
                     lambda res: __unset_session__(session.session_info()))
     flash("There is no user that is currently logged in.", "alert alert-info")
-    return redirect("/")
+    return redirect(url_for("base.index"))