def configure_app(app, production=True, debug=True):
app.debug = debug
app.use_evalex = False
if production:
config = frontend_config()
if config.get('session-secret') is None:
raise Exception("Configure a sesssion-secret in the configuration for production usage")
app.secret_key = config.get('session-secret')
else:
app.secret_key = "ThisIsOnlyForDevelopmentMode"
return app
def configure_app(app, production=True, debug=True):
app.debug = debug
app.use_evalex = False
if production:
config = frontend_config()
if config.get('session-secret') is None:
raise Exception("Configure a sesssion-secret in the configuration for production usage")
app.secret_key = config.get('session-secret')
else:
app.secret_key = "ThisIsOnlyForDevelopmentMode"
return app
def get_api_login_oauth_providers():
providers = frontend_config().get('login', {}).get('oauth', {}).get('providers', {})
# The list of providers with a client_secret set
result = {
'success': True,
'data': {
'providers': [provider for provider in providers.keys() if providers.get(provider, {}).get('client_secret', '')]
}
}
# Put the reason in the API response, if a previous oauth login had failed
if 'reason' in session:
result['reason'] = session.pop('reason')
return jsonify(result)
import datetime
import functools
import json
import pprint
import sys
from flask import render_template, redirect, url_for, session, jsonify, request, session, Response, g
from minion.frontend import app
from minion.frontend.persona import verify_assertion
from minion.frontend.utils import frontend_config
import requests
config = frontend_config()
#
# Simple wrappers around common backend functionality
#
def login_user(email):
r = requests.put(config['backend-api']['url'] + "/login",
headers={'Content-Type': 'application/json'},
data=json.dumps({'email': email}))
r.raise_for_status()
j = r.json()
if not j.get('success'):
return None
return j.get('user')
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import functools
import json
import ldap
import uuid
from flask import jsonify, request, session, Response, g
from minion.frontend import app
from minion.frontend.persona import verify_assertion
from minion.frontend.utils import frontend_config
import requests
config = frontend_config()
#
# Simple wrappers around common backend functionality
#
def login_user(email):
r = requests.put(config['backend-api']['url'] + "/login",
headers={'Content-Type': 'application/json'},
data=json.dumps({'email': email}))
r.raise_for_status()
j = r.json()
if not j.get('success'):
return None
return j.get('user')
def get_api_login_oauth_facebook():
ACCESS_TOKEN_URL = 'https://graph.facebook.com/v2.3/oauth/access_token'
AUTHORIZATION_URL = 'https://www.facebook.com/dialog/oauth'
API_URL = 'https://graph.facebook.com/me/'
config = frontend_config()['login']['oauth']['providers']['facebook']
# Called when we need to send them to Facebook
if not request.args:
# Facebook requires a client_id, redirect_uri, and scope
parameters = {
'client_id': config['client_id'],
'redirect_uri': request.base_url,
'scope': 'email'
}
# It also requires a nonce (state) as an anti-CSRF token
parameters['state'] = session['state'] = str(uuid.uuid4())
# Redirect to Facebook for authorization
url = AUTHORIZATION_URL + '?' + urlencode(parameters)
return redirect(url)
# Called when Facebook redirects back to us
else:
# Get the code and state from Facebook
code = request.args.get('code')
state = request.args.get('state')
# Facebook auth fails
if code == None or state == None:
return __oauth_failed_login_redirect()
# Validate the nonce
if not session.get('state') or session.get('state') != state:
return __oauth_failed_login_redirect('error')
# Get the session information from Facebook
try:
r = requests.post(url=ACCESS_TOKEN_URL,
data={
'client_id': config['client_id'],
'client_secret': config['client_secret'],
'code': code,
'redirect_uri': request.base_url,
'state': state
})
r = loads(r.text)
except:
return __oauth_failed_login_redirect()
# Check for error's in Facebook's response
if 'error' in r or 'access_token' not in r:
return __oauth_failed_login_redirect()
# Get the user's email address from Facebook
parameters = {
'access_token': r['access_token'],
'fields': 'email'
}
r = requests.get(API_URL + '?' + urlencode(parameters))
r = loads(r.text)
if 'email' not in r:
return __oauth_failed_login_redirect()
return __oauth_create_api_session(r['email'])
def get_api_login_oauth_google():
ACCESS_TOKEN_URL = 'https://www.googleapis.com/oauth2/v3/token'
AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/auth'
API_URL = 'https://www.googleapis.com/oauth2/v2/userinfo'
config = frontend_config()['login']['oauth']['providers']['google']
# Called when we need to send them to Google
if not request.args:
# Google requires a client_id, redirect_url, response_type, and scope
parameters = {
'client_id': config['client_id'],
'response_type': 'code',
'redirect_uri': request.base_url,
'scope': 'email'
}
# It also requires a nonce (state) as an anti-CSRF token
parameters['state'] = session['state'] = str(uuid.uuid4())
# Redirect to Google for authorization
url = AUTHORIZATION_URL + '?' + urlencode(parameters)
return redirect(url)
# Called when Google redirects back to us
else:
# Get the code and state from Google
code = request.args.get('code')
state = request.args.get('state')
# Google auth fails
if code == None or state == None:
return __oauth_failed_login_redirect()
# Validate the nonce
if not session.get('state') or session.get('state') != state:
return __oauth_failed_login_redirect('error')
# Get the session information from Google
try:
r = requests.post(url=ACCESS_TOKEN_URL,
data={
'client_id': config['client_id'],
'client_secret': config['client_secret'],
'code': code,
'grant_type': 'authorization_code',
'redirect_uri': request.base_url,
'state': state
})
r = loads(r.text)
except:
return __oauth_failed_login_redirect()
# Check for error's in Google's response
if 'error' in r or 'access_token' not in r:
return __oauth_failed_login_redirect()
# Get the user's email address from Google
r = requests.get(API_URL, headers={'Authorization': 'Bearer ' + r.get('access_token')})
r = loads(r.text)
# Make sure it's a verified email address
if 'email' not in r or not r.get('verified_email', False):
return __oauth_failed_login_redirect()
return __oauth_create_api_session(r['email'])
def get_api_login_oauth_github():
ACCESS_TOKEN_URL = 'https://github.com/login/oauth/access_token'
AUTHORIZATION_URL = 'https://github.com/login/oauth/authorize'
API_URL = 'https://api.github.com/user/emails'
config = frontend_config()['login']['oauth']['providers']['github']
# Called when we need to send them to GitHub
if not request.args:
# GitHub requires a client_id, redirect_url, and scope
parameters = {
'client_id': config['client_id'],
'redirect_url': request.base_url,
'scope': 'user:email'
}
# It also requires a nonce (state) as an anti-CSRF token
parameters['state'] = session['state'] = str(uuid.uuid4())
# Redirect to GitHub for authorization
url = AUTHORIZATION_URL + '?' + urlencode(parameters)
return redirect(url)
# Called when GitHub redirects back to us
else:
# Get the code and state from GitHub
code = request.args.get('code')
state = request.args.get('state')
# GitHub auth fails
if code == None or state == None:
return __oauth_failed_login_redirect()
# Validate the nonce
if not session.get('state') or session.get('state') != state:
return __oauth_failed_login_redirect('error')
# Get the session information from GitHub
try:
r = requests.post(url=ACCESS_TOKEN_URL,
headers={
'Accept': 'application/json'
},
data={
'client_id': config['client_id'],
'client_secret': config['client_secret'],
'code': code,
'state': state
})
r = loads(r.text)
except:
return __oauth_failed_login_redirect()
# Check for error's in GitHub's response
if 'error' in r or 'access_token' not in r or 'user:email' not in r.get('scope'):
return __oauth_failed_login_redirect()
# Get the user's email address from GitHub
r = requests.get(API_URL, headers={'Authorization': 'token ' + r.get('access_token')})
r = loads(r.text)
email = None
for address in r:
if 'email' not in address:
return __oauth_failed_login_redirect()
if address.get('primary', False) and address.get('verified', False):
email = address.get('email')
return __oauth_create_api_session(email)
def get_api_login_oauth_firefoxaccounts():
# Development OAuth
# ACCESS_TOKEN_URL = 'https://oauth-latest.dev.lcip.org/v1/token'
# AUTHORIZATION_URL = 'https://oauth-latest.dev.lcip.org/v1/authorization'
# API_URL = 'https://latest.dev.lcip.org/profile/v1/email'
# OAUTH_URL = 'https://oauth-latest.dev.lcip.org/v1'
# Production OAuth
ACCESS_TOKEN_URL = 'https://oauth.accounts.firefox.com/v1/token'
AUTHORIZATION_URL = 'https://oauth.accounts.firefox.com/v1/authorization'
API_URL = 'https://profile.accounts.firefox.com/v1/email'
OAUTH_URL = 'https://oauth.accounts.firefox.com/v1'
config = frontend_config()['login']['oauth']['providers']['firefoxaccounts']
# Called when we need to send them to FxA
if not request.args:
# GitHub requires a client_id, oauth_uri, redirect_uri, and scope
parameters = {
'client_id': config['client_id'],
'oauth_uri': OAUTH_URL,
'redirect_uri': request.base_url,
'scope': 'profile:email'
}
# It also requires a nonce (state) as an anti-CSRF token
parameters['state'] = session['state'] = str(uuid.uuid4())
# Redirect to FxA for authorization
url = AUTHORIZATION_URL + '?' + urlencode(parameters)
return redirect(url)
# Called when FxA redirects back to us
else:
# Get the code and state from FxA
code = request.args.get('code')
state = request.args.get('state')
# FxA auth fails
if code == None or state == None:
return __oauth_failed_login_redirect()
# Validate the nonce
if not session.get('state') or session.get('state') != state:
return __oauth_failed_login_redirect('error')
# Get the session information from FxA
try:
r = requests.post(url=ACCESS_TOKEN_URL,
data={
'client_id': config['client_id'],
'client_secret': config['client_secret'],
'code': code,
'state': state,
'ttl': 3600 # one hour
})
r = loads(r.text)
except:
return __oauth_failed_login_redirect()
# Check for error's in FxA's response
if 'error' in r or 'access_token' not in r or 'profile:email' not in r.get('scope'):
return __oauth_failed_login_redirect()
# Get the user's email address from FxA
r = requests.get(API_URL,
headers = {'Authorization': 'Bearer ' + r.get('access_token')})
r = loads(r.text)
if 'email' not in r:
return __oauth_failed_login_redirect()
return __oauth_create_api_session(r['email'])