def receive_messages_handler():
# Verify that the request originates from the application.
if (request.args.get('token', '') !=
current_app.config['PUBSUB_VERIFICATION_TOKEN']):
return 'Invalid request', 400
# Verify that the push request originates from Cloud Pub/Sub.
try:
# Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
bearer_token = request.headers.get('Authorization')
token = bearer_token.split(' ')[1]
TOKENS.append(token)
# Verify and decode the JWT. `verify_oauth2_token` verifies
# the JWT signature, the `aud` claim, and the `exp` claim.
claim = id_token.verify_oauth2_token(token, requests.Request(),
audience='example.com')
# Must also verify the `iss` claim.
if claim['iss'] not in [
'accounts.google.com',
'https://accounts.google.com'
]:
raise ValueError('Wrong issuer.')
CLAIMS.append(claim)
except Exception as e:
return 'Invalid token: {}\n'.format(e), 400
envelope = json.loads(request.data.decode('utf-8'))
payload = base64.b64decode(envelope['message']['data'])
MESSAGES.append(payload)
# Returning any 2xx status indicates successful receipt of the message.
return 'OK', 200
def call():
'''
Main API route.
'''
message = flask.request.get_json(force=True)
# Extract and verify the ID token
username = None
if '_token' in message:
request = google.auth.transport.requests.Request(session=SESSION)
idinfo = verify_oauth2_token(message.pop('_token'), request, CLIENT_ID)
if idinfo['iss'] not in ('accounts.google.com', 'https://accounts.google.com'):
raise RuntimeError('Bad issuer in ID token')
username = idinfo['email']
# Process the message inside an appropriate transaction
client = datastore.Client()
with client.transaction():
key = client.key('Party', '.')
entity = client.get(key) or datastore.Entity(key=key, exclude_from_indexes=('state',))
if 'state' in entity:
state = json.loads(entity['state'])
else:
state = {}
result, new_state = process(state, username, message)
if new_state != state:
entity['state'] = json.dumps(new_state, ensure_ascii=False)
client.put(entity)
return flask.jsonify(result)
def tokensignin(request):
if request.method == 'POST':
try:
idinfo = id_token.verify_oauth2_token(request.POST['id_token'], requests.Request(),
'408025391021-l8s6ddt0rv3ejaqdqmktgg5vsumb8nh5.apps.googleusercontent.com')
if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
raise ValueError('Wrong issuer.')
# ID token is valid. Get the user's Google Account ID from the decoded token.
try:
authorized_user = User.objects.get(username=idinfo['email'])
except User.DoesNotExist:
authorized_user = User.objects.create_user(username=idinfo['email'], picture=idinfo['picture'],
last_name=idinfo['family_name'],
first_name=idinfo['given_name'])
login(request, authorized_user)
return JsonResponse({
'id': authorized_user.id,
'first_name': authorized_user.first_name,
'last_name': authorized_user.last_name
})
except ValueError:
# Invalid token
pass
return JsonResponse({})
def validate_token(token, client_id):
# Specify the CLIENT_ID of the app that accesses the backend:
idinfo = id_token.verify_oauth2_token(token, requests.Request(), client_id)
# Or, if multiple clients access the backend server:
# idinfo = id_token.verify_oauth2_token(token, requests.Request())
# if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
# raise ValueError('Could not verify audience.')
if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
raise ValueError('Wrong issuer.')
# If auth request is from a G Suite domain:
# if idinfo['hd'] != GSUITE_DOMAIN_NAME:
# raise ValueError('Wrong hosted domain.')
# ID token is valid. Get the user's Google Account ID from the decoded token.
return idinfo
def login_callback():
if not flow:
return redirect(url_for('.info'))
flow.fetch_token(authorization_response=request.url)
credentials = flow.credentials
request_session = requests.session()
cached_session = cachecontrol.CacheControl(request_session)
token_request = google.auth.transport.requests.Request(
session=cached_session)
id_info = id_token.verify_oauth2_token(id_token=credentials._id_token,
request=token_request)
session['google_id'] = id_info.get('sub')
session['name'] = id_info.get('name')
return redirect('/')
def get_user_id_info(request):
auth_header = request.headers.get('Authorization')
if not auth_header:
raise Exception('No auth header provided')
auth_type, token = auth_header.split(' ')
if auth_type != 'Bearer':
raise Exception('Incorrect auth type. Should be Bearer')
try:
id_info = id_token.verify_oauth2_token(token, requests.Request(),
CLIENT_ID)
if id_info['iss'] not in [
'accounts.google.com', 'https://accounts.google.com'
]:
raise Exception('Wrong issuer')
return id_info
except:
raise Exception('User token invalid')
def validate_token(token, platform):
GOOGLE_CLIENT_ID = GOOGLE_ANDROID_ID if platform == 'android' else GOOGLE_IOS_ID
request = requests.Request()
try:
id_info = id_token.verify_oauth2_token(
token,
request,
GOOGLE_CLIENT_ID
)
if id_info['iss'] != 'https://accounts.google.com':
raise ValueError('Wrong issuer.')
return id_info
except Exception as e:
raise e
def post(self, request, **kwargs):
"""
POST: /api/v1/ouath/google/login/
Register or login user if exists
Returns: user token and/or user data
"""
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
access_token = serializer.data.get('access_token')
try:
user_info = id_token.verify_oauth2_token(
access_token, requests.Request())
user_info = get_user_info(user_info)
except:
return custom_reponse('error', 400, message='Invalid token.')
google_auth = SocialAuth()
return google_auth.social_login_signup(user_info, **kwargs)
def to_internal_value(self, data):
token: str = super().to_internal_value(data)
try:
id_info: tp.Mapping[str, tp.Any] = id_token.verify_oauth2_token(
token, requests.Request(), settings.GOOGLE_OAUTH_CLIENT_ID)
except ValueError as e:
raise serializers.ValidationError(str(e))
if id_info['iss'] not in [
'accounts.google.com', 'https://accounts.google.com'
]:
raise serializers.ValidationError('Wrong issuer')
return {
"id_token": token,
"id_info": id_info,
}
def gconnect():
# Validate state token
if request.args.get('state') != login_session['state']:
response = make_response(json.dumps('Invalid state parameter.'), 401)
response.headers['Content-Type'] = 'application/json'
return response
# Obtain authorization code
token = request.data
try:
# Specify the CLIENT_ID of the app that accesses the backend:
idinfo = id_token.verify_oauth2_token(token, requests.Request(),
CLIENT_ID)
# Or, if multiple clients access the backend server:
# idinfo = id_token.verify_oauth2_token(token, requests.Request())
# if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
# raise ValueError('Could not verify audience.')
google_api = 'https://accounts.google.com'
if idinfo['iss'] not in ['accounts.google.com', google_api]:
raise ValueError('Wrong issuer.')
# If auth request is from a G Suite domain:
# if idinfo['hd'] != GSUITE_DOMAIN_NAME:
# raise ValueError('Wrong hosted domain.')
# ID token is valid. Get the user's Google Account ID from the decoded
# token.
# userid = idinfo['sub']
except ValueError:
# Invalid token
raise ValueError('Invalid token.')
login_session['username'] = idinfo['name']
login_session['email'] = idinfo['email']
login_session['picture'] = idinfo['picture']
user_id = get_user_id(login_session['email'])
if not user_id:
user_id = create_user(login_session)
login_session['user_id'] = user_id
flash("you are now logged in as %s" % login_session['username'])
return login_session['username']
def Google_Callback():
"""
Callback for login request.
"""
user_data = None
try:
# Check if the POST request is trying to log in
if 'idtoken' in request.form:
# Get the token from the POST form
token = request.form['idtoken']
# Specify the CLIENT_ID of the app that accesses the backend:
idinfo = id_token.verify_oauth2_token(token, requests.Request(),
CLIENT_ID)
verified_providers = [
'accounts.google.com', 'https://accounts.google.com'
]
if idinfo['iss'] not in verified_providers:
raise ValueError('Wrong issuer.')
# ID token is valid.
# Get the user's Google Account ID from the decoded token.
userid = idinfo['sub']
# Add the token to the flask session variable
user_data = {
'name': idinfo['name'],
'email': idinfo['email'],
'picture': idinfo['picture']
}
except ValueError as e:
print('error ->', e)
# Invalid token
print('Error: Unable to verify the token id')
if user_data:
user_data_json = json.dumps(user_data)
else:
user_data_json = None
return user_data_json
def verifyUserToken(self, token):
try:
# attempt to validate token on the client-side
logging.debug("Using the google auth library to verify id token of length %d from android phones" % len(token))
tokenFields = goi.verify_oauth2_token(token, gatr.Request())
logging.debug("tokenFields from library = %s" % tokenFields)
verifiedEmail = self.__verifyTokenFields(tokenFields, "aud", "iss")
logging.debug("Found user email %s" % tokenFields['email'])
return verifiedEmail
except:
logging.debug("OAuth failed to verify id token, falling back to constructedURL")
#fallback to verifying using Google API
constructedURL = ("https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=%s" % token)
r = requests.get(constructedURL)
tokenFields = json.loads(r.content)
logging.debug("tokenFields from constructedURL= %s" % tokenFields)
verifiedEmail = self.__verifyTokenFields(tokenFields, "audience", "issuer")
logging.debug("Found user email %s" % tokenFields['email'])
return verifiedEmail
def token_signin_view(request):
if request.method == 'GET':
return HttpResponse('hello')
else:
token = request.POST.get('idtoken', None)
if token == None:
raise APIException('idtoken is required')
idinfo = id_token.verify_oauth2_token(token, requests.Request(), settings.CLIENT_ID)
if idinfo['iss'] not in ['accounts.google.com', 'https://accouts.google.com']:
raise APIException('Wrong issuer.')
pattern = r"[bcemdh]\d{7}[a-z0-9]{2}@edu.teu.ac.jp"
if not re.match(pattern, idinfo['email']):
raise APIException("invalid email. use [email protected]")
user, created = User.objects.get_or_create(
email=idinfo['email'],
defaults={'username': idinfo['name']}
)
user.save()
login(request, user)
request.session['user_id'] = idinfo['sub']
request.session.set_expiry(60 * 60 * 24 * 365)
request.session.set_test_cookie()
response = HttpResponse()
message = 'yes\r\n' if request.user.is_authenticated else 'no\r\n'
message2 = 'yes\r\n' if request.session.test_cookie_worked() else 'no\r\n'
response.write(message)
response.write(message2)
response.write(request.user.username + "\r\n")
return response
def GetAuthEnvironment(token):
if settings.TMC_DISABLE_AUTH:
return {
'email': '*****@*****.**',
'name': 'Test User',
'image_url': '',
'is_logged_in': True,
'is_admin': True,
}
try:
idinfo = id_token.verify_oauth2_token(
token, requests.Request(), GetGapiClientId())
email = idinfo.get('email', '')
return {
'email': email,
'name': idinfo.get('name', ''),
'image_url': idinfo.get('picture', ''),
'is_admin': (email == _GetAdminEmail()),
'is_logged_in': True,
}
except Exception as e:
return {'is_logged_in': False, 'reason': str(e)}
def authenticate_request(user_token):
CLIENT_ID = os.environ.get('CLIENT_ID')
idinfo = id_token.verify_oauth2_token(user_token, requests.Request(), CLIENT_ID)
if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
raise ValueError('Wrong issuer.')
return idinfo
