def _authorize(handler, *args, **kwargs):
redirect_uri = handler.get_argument('redirect_uri', None)
try:
if handler.request.method == 'POST':
rv = _post(handler, *args, **kwargs)
else:
rv = _get(handler, *args, **kwargs)
except FatalClientError as e:
log.debug('Fatal client error %r', e)
return handler.redirect(e.in_uri(self.error_uri))
except OAuth2Error as e:
log.debug('OAuth2Error: %r', e)
return handler.redirect(
e.in_uri(redirect_uri or self.error_uri))
except Exception as e:
log.warn('Exception: %r', e)
return handler.redirect(
add_params_to_uri(self.error_uri, {'error': 'unknown'}))
if not isinstance(rv, bool):
# if is a response or redirect
return rv
if not rv:
# denied by user
e = AccessDeniedError()
return handler.redirect(e.in_uri(redirect_uri))
return self.confirm_authorization_request(handler)
def _authorize(handler, *args, **kwargs):
redirect_uri = handler.get_argument('redirect_uri', None)
try:
if handler.request.method == 'POST':
rv = _post(handler, *args, **kwargs)
else:
rv = _get(handler, *args, **kwargs)
except FatalClientError as e:
log.debug('Fatal client error %r', e)
return handler.redirect(e.in_uri(self.error_uri))
except OAuth2Error as e:
log.debug('OAuth2Error: %r', e)
return handler.redirect(e.in_uri(redirect_uri or
self.error_uri))
except Exception as e:
log.warn('Exception: %r', e)
return handler.redirect(add_params_to_uri(
self.error_uri, {'error': 'unknown'}
))
if not isinstance(rv, bool):
# if is a response or redirect
return rv
if not rv:
# denied by user
e = AccessDeniedError()
return handler.redirect(e.in_uri(redirect_uri))
return self.confirm_authorization_request(handler)
def post(self):
uri, http_method, body, headers = extract_params(self.request)
redirect_uri = self.request.POST.get('redirect_uri')
if 'submit' in self.request.POST:
scope = self.request.POST.get('scope', '')
scopes = scope.split()
credentials = {
'client_id': self.request.POST.get('client_id'),
'redirect_uri': redirect_uri,
'response_type': self.request.POST.get('response_type'),
'state': self.request.POST.get('state'),
'user': self.request.user,
}
try:
server_response = self.server.create_authorization_response(
uri,
http_method,
body,
headers,
scopes,
credentials,
)
app = Session.query(Application).filter(
Application.id == credentials['client_id'], ).one()
try:
auth_app = Session.query(AuthorizedApplication).filter(
AuthorizedApplication.user == self.request.user,
AuthorizedApplication.application == app,
).one()
except NoResultFound:
auth_app = AuthorizedApplication(
user=self.request.user,
application=app,
)
auth_app.redirect_uri = credentials['redirect_uri']
auth_app.response_type = credentials['response_type']
auth_app.scope = scopes
Session.add(auth_app)
return create_response(*server_response)
except FatalClientError as e:
return response_from_error(e)
elif 'cancel' in self.request.POST:
e = AccessDeniedError()
return HTTPFound(e.in_uri(redirect_uri))
def post(self):
uri, http_method, body, headers = extract_params(self.request)
redirect_uri = self.request.POST.get('redirect_uri')
if 'submit' in self.request.POST:
scope = self.request.POST.get('scope', '')
scopes = scope.split()
credentials = {
'client_id': self.request.POST.get('client_id'),
'redirect_uri': redirect_uri,
'response_type': self.request.POST.get('response_type'),
'state': self.request.POST.get('state'),
'user': self.request.user,
}
try:
server_response = self.server.create_authorization_response(
uri, http_method, body, headers, scopes, credentials,
)
app = Session.query(Application).filter(
Application.id == credentials['client_id'],
).one()
try:
auth_app = Session.query(AuthorizedApplication).filter(
AuthorizedApplication.user == self.request.user,
AuthorizedApplication.application == app,
).one()
except NoResultFound:
auth_app = AuthorizedApplication(
user=self.request.user,
application=app,
)
auth_app.redirect_uri = credentials['redirect_uri']
auth_app.response_type = credentials['response_type']
auth_app.scope = scopes
Session.add(auth_app)
return create_response(*server_response)
except FatalClientError as e:
return response_from_error(e)
elif 'cancel' in self.request.POST:
e = AccessDeniedError()
return HTTPFound(e.in_uri(redirect_uri))
def validate_code(self, client_id, code, client, request, *args, **kwargs):
try:
grant = Grant.objects.get(code=code, application=client)
if not grant.is_expired():
# Additionally check that this user has 2FA enabled
if len(grant.user.totpdevice_set.all()) > 0:
request.scopes = grant.scope.split(" ")
request.user = grant.user
return True
else:
raise AccessDeniedError(
description="The requesting user has not enabled 2FA",
request=request)
return False
except Grant.DoesNotExist:
return False