Ejemplo n.º 1
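def validate_token(email, oauth_token):
    """Verify a Google OAuth2 ID token and confirm it belongs to ``email``.

    The token is checked by ``id_token.verify_oauth2_token`` with
    ``settings.GOOGLE_OAUTH2_CLIENT_ID`` as the expected audience, then the
    issuer, the e-mail claim and the e-mail domain are validated in turn.

    Args:
        email: The address the caller claims to own.
        oauth_token: The Google ID token presented by the caller.

    Returns:
        The e-mail address taken from the verified token.

    Raises:
        EventFactory.Conflict: The token fails verification, comes from an
            unexpected issuer, or lacks the ``iss``/``email`` claims.
        EventFactory.BrokenRequest: The token's e-mail differs from ``email``.
        EventFactory.AuthError: The e-mail domain is not in
            ``settings.GOOGLE_OAUTH2_ALLOWED_DOMAINS``.
    """
    try:
        idinfo = id_token.verify_oauth2_token(oauth_token, requests.Request(),
                                              settings.GOOGLE_OAUTH2_CLIENT_ID)

        issuers = ['accounts.google.com', 'https://accounts.google.com']
        if idinfo['iss'] not in issuers:
            raise EventFactory.Conflict(
                'GOOGLE_OAUTH2_USER_INFO_ERROR_DETECTED')

        gmail_email = idinfo['email']

    # KeyError: a valid token issued without the email scope has no 'email'
    # claim; report it as a token problem instead of an unhandled error.
    except (ValueError, KeyError):
        raise EventFactory.Conflict('GOOGLE_OAUTH2_USER_INFO_ERROR_DETECTED')

    # NOTE(review): the domain allow-list below trusts the 'email' claim
    # alone. Consider also requiring the 'email_verified' claim and, for
    # Google Workspace tenants, checking the 'hd' claim -- confirm against
    # the deployment's account types.

    # -- validate email
    if gmail_email != email:
        raise EventFactory.BrokenRequest('EMAIL_MISMATCH_DETECTED')

    # -- validate domain
    # The domain is whatever follows the LAST '@': a quoted local part may
    # itself contain '@', and split('@')[1] would then compare the wrong
    # fragment against the allow-list (or raise IndexError with no '@').
    domain = email.rsplit('@', 1)[-1]
    if domain not in settings.GOOGLE_OAUTH2_ALLOWED_DOMAINS:
        raise EventFactory.AuthError('WRONG_EMAIL_DOMAIN')

    return gmail_email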
Ejemplo n.º 2
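    def decode(token):
        """Decode an auth JWT and return the account it identifies.

        The signature and expiry are verified with
        ``settings.AUTH_TOKEN_SECRET_KEY``, and only the algorithm named in
        ``settings.AUTH_TOKEN_ALGORITHM`` is accepted. The ``id``, ``email``
        and ``type`` claims must then match one existing ``Account``.

        Args:
            token: The encoded JWT presented by the client.

        Returns:
            The ``Account`` whose id, email and type match the token payload.

        Raises:
            EventFactory.AuthError: The token is expired or otherwise invalid,
                lacks a required claim, or matches no account.
        """

        # -- token decode
        try:
            # PyJWT's keyword is ``algorithms`` (a list). The singular
            # ``algorithm`` is not a decode() parameter: older PyJWT releases
            # appear to swallow it silently, so no algorithm allow-list was
            # enforced, and newer ones refuse to decode without ``algorithms``.
            payload = jwt.decode(jwt=token,
                                 key=settings.AUTH_TOKEN_SECRET_KEY,
                                 verify=True,
                                 algorithms=[settings.AUTH_TOKEN_ALGORITHM],
                                 options={'verify_exp': True})

        except jwt.ExpiredSignature:
            raise EventFactory.AuthError('AUTH_TOKEN_EXPIRED')

        # InvalidTokenError is the base class of DecodeError and of the other
        # validation failures (e.g. a disallowed algorithm), so none of them
        # escapes as an unhandled exception.
        except jwt.InvalidTokenError:
            raise EventFactory.AuthError('AUTH_TOKEN_WAS_BROKEN')

        # -- payload decode
        try:
            account_id = payload['id']
            account_email = payload['email']
            account_type = payload['type']

        except KeyError:
            raise EventFactory.AuthError('AUTH_TOKEN_MISSING_FIELDS_DETECTED')

        # -- payload to account
        from account.models import Account  # -- avoid cyclic imports

        # -- make sure that account exists
        # Matching on all three claims means a token minted before the
        # account's email or type changed no longer resolves to an account.
        try:
            return Account.objects.get(id=account_id,
                                       email=account_email,
                                       type=account_type)

        except Account.DoesNotExist:
            raise EventFactory.AuthError('AUTH_TOKEN_MISSING_ACCOUNT')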