def save_token(token_data, request):
    """Persist a freshly issued OAuth token for ``request.user`` and ``request.client``.

    Looks up (or creates) the application/user link, records any scopes the
    user has not previously granted to this application, appends the new
    token to the link and prunes older tokens that carry the identical scope
    set beyond ``MAX_TOKENS_PER_SCOPE``.

    Args:
        token_data: dict from the token endpoint; ``'scope'`` and
            ``'access_token'`` are read, and ``'scope'`` may be rewritten.
        request: the OAuth request; ``request.client.client_id`` and
            ``request.user`` are read.
    """
    requested_scopes = set(scope_to_list(token_data.get('scope', '')))
    application = OAuthApplication.query.filter_by(
        client_id=request.client.client_id).one()
    link = OAuthApplicationUserLink.query.with_parent(application).with_parent(
        request.user).first()
    if link is None:
        # First authorization of this app by this user: the link starts out with
        # exactly the requested scopes.  NOTE(review): token_data['scope'] is left
        # as the client sent it on this path; it is only normalized on the
        # existing-link path below.
        link = OAuthApplicationUserLink(application=application, user=request.user,
                                        scopes=requested_scopes)
    else:
        if not requested_scopes:
            # for already-authorized apps not specifying a scope uses all scopes the
            # user previously granted to the app
            requested_scopes = set(link.scopes)
        token_data['scope'] = list_to_scope(requested_scopes)
        new_scopes = requested_scopes - set(link.scopes)
        if new_scopes:
            # A widening of the grant is logged before the link is updated, which
            # leaves a trace of when an app/user pair gained additional scopes.
            logger.info('New scopes for %r: %s', link, new_scopes)
            link.update_scopes(new_scopes)
    # The token stores the scope set it was issued with; any narrowing against
    # the link or the application's allowed scopes is presumably done when the
    # token's scope is read back — verify against the token model.
    link.tokens.append(
        OAuthToken(access_token=token_data['access_token'], scopes=requested_scopes))
    # get rid of old tokens if there are too many: keep the newest
    # MAX_TOKENS_PER_SCOPE tokens of this link whose stored scope array equals the
    # (sorted) requested scopes, and delete every older one
    q = (db.session.query(OAuthToken.id).with_parent(link).filter_by(
        _scopes=db.cast(sorted(requested_scopes), ARRAY(db.String))).order_by(
        OAuthToken.created_dt.desc()).offset(
        MAX_TOKENS_PER_SCOPE).scalar_subquery())
    OAuthToken.query.filter(
        OAuthToken.id.in_(q)).delete(synchronize_session='fetch')
def get_scope(self):
    """Return the scopes stored on this object as a space-separated string.

    The scopes are emitted in sorted order so the result is deterministic.
    No intersection with the user's grant or the application's allowed
    scopes happens here — this method reports ``self.scopes`` as stored, so
    any such restriction has to be enforced elsewhere.
    """
    ordered = sorted(self.scopes)
    return list_to_scope(ordered)
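def get_allowed_scope(self, scope):
    """Return the subset of *scope* that this object permits.

    Args:
        scope: space-separated scope string requested by the client; a
            falsy value means nothing was requested.

    Returns:
        Space-separated string of the requested scopes that also occur in
        ``self.allowed_scopes``, sorted so the result is deterministic;
        ``''`` when nothing is requested.
    """
    if not scope:
        return ''
    allowed = set(self.allowed_scopes)
    requested = set(scope_to_list(scope))
    # sorted(): the iteration order of a set of strings differs between
    # processes (hash randomization), so emitting the raw intersection would
    # make the scope string unstable across workers and restarts.
    return list_to_scope(sorted(allowed & requested))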
def get_scope(self):
    """Return the effective scopes of this object as a space-separated string.

    ``self.scopes`` is narrowed to what the user granted the application
    (``self.app_user_link.scopes``) and to what the application is allowed to
    hold at all (``self.application.allowed_scopes``); a scope missing from
    either set is dropped from the output.  The result is sorted so it is
    deterministic.
    """
    granted_by_user = set(self.app_user_link.scopes)
    permitted_for_app = set(self.application.allowed_scopes)
    effective = self.scopes & granted_by_user & permitted_for_app
    return list_to_scope(sorted(effective))
def get_allowed_scope(self, scope):
    """Return the requested scopes that this object permits, in request order.

    Args:
        scope: space-separated scope string from the client; a falsy value
            means nothing was requested.

    Returns:
        Space-separated string of every requested scope (order and
        repetition as requested) that also occurs in ``self.scope``; ``''``
        for an empty request.
    """
    if not scope:
        return ''
    permitted = set(self.scope.split())
    kept = list(filter(permitted.__contains__, scope_to_list(scope)))
    return list_to_scope(kept)