async def validate_internal_auth_token(
internal_auth_token: str) -> InternalUser:
""" Checks the validity of an internal authentication token.
If the token is valid it also checks whether there is an
associated user in the cache, and returns it.
Args:
internal_auth_token: Internal authentication token
Returns:
internal_user: A user object as defined in this application
"""
try:
jwt_decode(internal_auth_token,
config.JWT_SECRET_KEY,
algorithms=[config.ALGORITHM])
except PyJWTError as exc:
raise UnauthorizedUser(f"Failed to validate auth token: {exc}")
internal_sub_id = await cache.get(internal_auth_token)
if not internal_sub_id:
raise UnauthorizedUser(f"User {internal_sub_id} not cached")
# Invalidate cache. Authentication token can only be used once
await cache.delete(internal_auth_token)
internal_user = await db_client.get_user_by_internal_sub_id(internal_sub_id
)
return internal_user
async def user_cred(request):
print("!!!")
print(jwt_decode(request.headers['authorization'][7:], "secret"))
return json({
"userid":
jwt_decode(request.headers['authorization'][7:], "secret"),
"username":
"******"
})
async def jwt_authorization(request: Request, handler):
origins = await _check_origins(request)
socket = True if request.headers.get("Upgrade") == "websocket" else False
token = request.headers.get("token")
try:
jwt_decode(token, **jwe_settings)
request["token_dict"] = await _jwt_access_token_decode(token)
if not all(request["token_dict"].values()) or not origins:
return await _socket_unauth(request) if socket else HTTPForbidden()
except Exception as e:
log.error(f"Can't decode the token:\n{e}")
return await _socket_unauth(request) if socket else HTTPForbidden()
resp = await handler(request)
return resp
def verify_token(self, token):
try:
data = jwt_decode(token, self.secret, algorithms='HS512')
except Exception:
data = None
return data
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
id_token = response.get('id_token')
# decode the JWT header as JSON dict
jwt_header = json.loads(
base64.b64decode(id_token.split('.', 1)[0]).decode()
)
# get key id and algorithm
key_id = jwt_header['kid']
algorithm = jwt_header['alg']
try:
# retrieve certificate for key_id
certificate = self.get_certificate(key_id)
return jwt_decode(
id_token,
key=certificate.public_key(),
algorithms=algorithm,
audience=self.setting('KEY')
)
except (DecodeError, ExpiredSignature) as error:
raise AuthTokenError(self, error)
def validate_and_return_id_token(self, id_token):
"""
Validates the id_token according to the steps at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
"""
client_id, _client_secret = self.get_key_and_secret()
decryption_key = self.setting('ID_TOKEN_DECRYPTION_KEY')
try:
# Decode the JWT and raise an error if the secret is invalid or
# the response has expired.
id_token = jwt_decode(id_token, decryption_key, audience=client_id,
issuer=self.ID_TOKEN_ISSUER)
except InvalidTokenError as err:
raise AuthTokenError(self, err)
# Verify the token was issued in the last 10 minutes
utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())
if id_token['iat'] < (utc_timestamp - 600):
raise AuthTokenError(self, 'Incorrect id_token: iat')
# Validate the nonce to ensure the request was not modified
nonce = id_token.get('nonce')
if not nonce:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
nonce_obj = self.get_nonce(nonce)
if nonce_obj:
self.remove_nonce(nonce_obj.id)
else:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
return id_token
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
id_token = response.get('id_token')
if six.PY2:
# str() to fix a bug in Python's base64
# https://stackoverflow.com/a/2230623/161278
id_token = str(id_token)
jwt_header_json = base64url_decode(id_token.split('.')[0])
jwt_header = json.loads(jwt_header_json.decode('ascii'))
# `kid` is short for key id
key = self.get_public_key(jwt_header['kid'])
try:
return jwt_decode(
id_token,
key=key,
algorithms=jwt_header['alg'],
audience=self.setting('KEY'),
leeway=self.setting('JWT_LEEWAY', default=0),
)
except (DecodeError, ExpiredSignature) as error:
raise AuthTokenError(self, error)
def get_access_token(social_auth):
'''Return the access token for the given user, after ensuring that it
has not expired, or refreshing it if so.'''
access_token = social_auth.extra_data['access_token']
decoded_token = jwt_decode(access_token,
options={
'verify_signature': False,
'verify_nbf': False,
'verify_exp': False,
'verify_aud': False
})
expires_on = decoded_token['exp']
if expires_on - 60 <= int(time.time()):
if 'refresh_token' in social_auth.extra_data:
refresh_token = social_auth.extra_data['refresh_token']
backend = social_auth.get_backend_instance()
new_token_response = backend.refresh_token(token=refresh_token)
access_token = new_token_response['access_token']
social_auth.extra_data['access_token'] = access_token
social_auth.save()
else:
return
return access_token
def decode(token,
options=DEFAULT_DECODE_OPTIONS,
check_claims=MANDATORY_CLAIMS):
"""Decode JWT payload and check for 'jti', 'sub' claims."""
decoded = jwt_decode(token, settings.SECRET_KEY, options=options)
check_mandatory_claims(decoded, claims=check_claims)
return decoded
async def _jwt_access_token_decode(token):
try:
decoded = jwt_decode(token.encode(), **jwe_settings)
return {"expires": decoded.get("expires"), "session_id": decoded.get("session_id")}
except DecodeError as e:
log.error(e)
raise InvalidTokenError("Invalid token")
def __call__(self, scope):
# Get the token
token = ''
try:
token = dict(scope['headers'])[b'authorization'].decode(
'utf8').split(' ')[1]
except KeyError as e:
return self.inner(dict(scope, user='******'))
# Try to authenticate the user
try:
# This will automatically validate the token and raise an error if token is invalid
UntypedToken(token, 34)
except (InvalidToken, TokenError) as e:
# Token is invalid
return self.inner(dict(scope, user='******'))
else:
# Then token is valid, decode it
decoded_data = jwt_decode(token,
settings.SECRET_KEY,
algorithms=["HS256"])
# Will return a dictionary like -
# {
# "token_type": "access",
# "exp": 1568770772,
# "jti": "5c15e80d65b04c20ad34d77b6703251b",
# "user_id": 6
# }
# Get the user using ID
# Return the inner application directly and let it run everything else
user = Member.objects.get(auth=decoded_data['user_id'])
print(user, 3324)
return self.inner(dict(scope, user=decoded_data['user_id']))
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
id_token = response.get('id_token')
if six.PY2:
# str() to fix a bug in Python's base64
# https://stackoverflow.com/a/2230623/161278
id_token = str(id_token)
jwt_header_json = base64url_decode(id_token.split('.')[0])
jwt_header = json.loads(jwt_header_json.decode('ascii'))
# `kid` is short for key id
key = self.get_public_key(jwt_header['kid'])
try:
return jwt_decode(
id_token,
key=key,
algorithms=jwt_header['alg'],
audience=self.setting('KEY'),
leeway=self.setting('JWT_LEEWAY', default=0),
)
except (DecodeError, ExpiredSignature) as error:
raise AuthTokenError(self, error)
def __call__(self, scope):
# Close old database connections to prevent usage of timed out connections
close_old_connections()
headers = dict(scope['headers'])
if b'Token' in headers:
# try:
# token_name, token_key = headers[b'token'].decode().split()
# if token_name == 'Token':
# token = Token.objects.get(key=token_key)
# scope['user'] = token.user
# # close_old_connections()
# except Token.DoesNotExist:
# scope['user'] = AnonymousUser()
token = headers[b'Token'].decode()
else:
# Get the token
token = parse_qs(scope["query_string"].decode("utf8"))["token"][0]
# Try to authenticate the user
try:
# This will automatically validate the token and raise an error if token is invalid
UntypedToken(token)
except (InvalidToken, TokenError) as e:
# Token is invalid
# print(e)
user = AnonymousUser()
else:
# Then token is valid, decode it
decoded_data = jwt_decode(token, settings.SECRET_KEY, algorithms=["HS256"])
# print(decoded_data)
# Get the user using ID
user = get_user_model().objects.get(id=decoded_data["user_id"])
# Return the inner application directly and let it run everything else
return self.inner(dict(scope, user=user))
async def validate_internal_access_token(
internal_access_token: str) -> InternalUser:
""" Checks the validity of an internal access token. If the token
is valid it also checks whether there is an associated user
in the database, and returns it.
Args:
internal_access_token: Internal access token
Returns:
internal_user: A user object as defined in this application
"""
try:
payload = jwt_decode(internal_access_token,
config.JWT_SECRET_KEY,
algorithms=[config.ALGORITHM])
internal_sub_id: str = payload.get("sub")
if internal_sub_id is None:
raise UnauthorizedUser("Missing 'sub' id from access token")
except PyJWTError as exc:
raise UnauthorizedUser(f"Failed to validate access token: {exc}")
internal_user = await db_client.get_user_by_internal_sub_id(internal_sub_id
)
if internal_user is None:
raise UnauthorizedUser(f"User {internal_sub_id} does not exist")
return internal_user
def is_valid_token(self):
'''
check if the given token is still valid
TODO check whether token was revoked
'''
try:
jwt_decode(self.token,
options={
'verify_signature': False,
'verify_nbf': False,
'verify_exp': True,
'verify_aud': False
})
return True
except ExpiredSignatureError as ex:
return False
def decodeRequest(
self, recquiredFields: Sequence[str] = tuple()) -> Dict[str, Any]:
request = self.get_body_argument(
'request',
None) if self.request.method != 'GET' else self.get_argument(
'request', None)
if not request:
raise tornado.web.HTTPError(400, "Bad request")
try:
decoded_request = jwt_decode(
request,
key=self.settings['api_key'],
audience=
f'{self.settings["options"].base_uri}{self.request.path}',
options={
'require_exp': True,
'require_nbf': True
})
if 'jti' not in decoded_request:
raise MissingRequiredClaimError('jti')
self.jti = decoded_request['jti']
except InvalidTokenError as e:
logging.warning(f"Invalid token: {e}")
raise tornado.web.HTTPError(403, "Invalid request")
logging.debug(f"Request: {decoded_request}")
if not all(param in decoded_request for param in recquiredFields):
raise tornado.web.HTTPError(400, "Too few request parameters")
return decoded_request
def __call__(self, scope):
# Close old database connections to prevent usage of timed out connections
close_old_connections()
# Get the token
token = parse_qs(scope["query_string"].decode("utf8"))["token"][0]
# Try to authenticate the user
try:
# This will automatically validate the token and raise an error if token is invalid
UntypedToken(token)
except (InvalidToken, TokenError) as e:
# Token is invalid
print(e)
return None
else:
# Then token is valid, decode it
decoded_data = jwt_decode(token,
settings.SECRET_KEY,
algorithms=["HS256"])
print(decoded_data)
# Will return a dictionary like -
# {
# "token_type": "access",
# "exp": 1568770772,
# "jti": "5c15e80d65b04c20ad34d77b6703251b",
# "user_id": 6
# }
# Get the user using ID
user = get_user_model().objects.get(id=decoded_data["user_id"])
# Return the inner application directly and let it run everything else
return self.inner(dict(scope, user=user))
def _authenticate_credentials(self, request, token):
"""
Try to authenticate the given credentials. If authentication is
successful, return the user and token. If not, throw an error.
"""
try:
payload = jwt_decode(token, settings.SECRET_KEY)
except DecodeError:
msg = 'Invalid authentication. Could not decode token.'
raise AuthenticationFailed(msg)
User = get_user_model()
try:
id_ = payload.get('id', None)
user = User.objects.get(pk=id_)
except User.DoesNotExist:
msg = 'No user matching this token was found.'
raise AuthenticationFailed(msg)
if not user.is_active:
msg = 'This user has been deactivated.'
raise AuthenticationFailed(msg)
return (user, token)
async def __call__(self, scope, receive, send):
# close_old_connections()
token = ''
for name, value in scope.get("headers", []):
if name == b"authorization":
try:
token = value.decode("latin1").split()[1]
except IndexError:
token = ''
break
# token = parse_qs(scope["query_string"].decode("utf8"))["token"][0]
try:
UntypedToken(token)
except (InvalidToken, TokenError) as e:
print(e)
scope['user'] = AnonymousUser()
else:
decoded_data = jwt_decode(token,
settings.SECRET_KEY,
algorithms=["HS256"])
scope['user'] = await self.get_user(decoded_data)
# print('middl', scope['user'])
return await super().__call__(scope, receive, send)
def validate_and_return_id_token(self, id_token):
"""
Validates the id_token according to the steps at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
"""
client_id, _client_secret = self.get_key_and_secret()
decryption_key = self.setting('ID_TOKEN_DECRYPTION_KEY')
try:
# Decode the JWT and raise an error if the secret is invalid or
# the response has expired.
id_token = jwt_decode(id_token,
decryption_key,
audience=client_id,
issuer=self.ID_TOKEN_ISSUER,
algorithms=['HS256'])
except InvalidTokenError as err:
raise AuthTokenError(self, err)
# Verify the token was issued in the last 10 minutes
utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())
if id_token['iat'] < (utc_timestamp - 600):
raise AuthTokenError(self, 'Incorrect id_token: iat')
# Validate the nonce to ensure the request was not modified
nonce = id_token.get('nonce')
if not nonce:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
nonce_obj = self.get_nonce(nonce)
if nonce_obj:
self.remove_nonce(nonce_obj.id)
else:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
return id_token
async def verify_jwt_token(request: Request, handler):
if any([
request.path.startswith(path) and request.method == method
for path, method in WITHOUT_VERIFY
]):
resp = await handler(request)
return resp
else: # 对jwt token检验
try:
if match('/ws/.*', request.path):
token = request.query['token']
else:
token = request.headers.get('Authorization').split(' ')[-1]
app = request.app
except (AttributeError, KeyError, IndexError):
return code_response(InvalidTokenResponse)
try:
content = jwt_decode(token,
app['config']['jwt-secret'],
algorithms=['HS256'])
# 检查功能模块的权限
for pattern in MODULE_PERMISSION.keys():
if match(pattern, request.path):
if content.get('rol') & MODULE_PERMISSION[pattern]:
break
else:
return code_response(RepetitionLoginResponse)
# 检测重复登录
try:
_key = '{}:{}:jwt'.format(content.get('name'),
content.get('dep'))
_value = await request.app['redis'].get(_key)
if _value:
assert token == _value
except AssertionError:
return code_response(InvalidTokenResponse)
request['jwt_content'] = content
if await app['black_bf'].is_contain(token):
# 是否在缓冲表中
if await app['redis'].exists('it:tmp-list:{}'.format(token)):
resp = await handler(request)
resp.headers['jwt_new_token'] = await app['redis'].get(
'it:tmp-list:{}'.format(token))
return resp
else:
return code_response(InvalidTokenResponse)
else:
resp = await handler(request)
# 离过期不足5分钟,更新token
if content.get('exp') <= (datetime.now() +
timedelta(minutes=5)).timestamp():
# 在header加上新token,通过前端axios拦截下来,然后更新
resp.headers['jwt_new_token'] = await update_token(
content, token, app)
return resp
except (InvalidSignatureError, ExpiredSignatureError, DecodeError):
return code_response(InvalidTokenResponse)
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
id_token = response.get('id_token')
# decode the JWT header as JSON dict
jwt_header = json.loads(
base64.b64decode(id_token.split('.', 1)[0]).decode()
)
# get key id and algorithm
key_id = jwt_header['kid']
algorithm = jwt_header['alg']
try:
# retrieve certificate for key_id
certificate = self.get_certificate(key_id)
return jwt_decode(
id_token,
key=certificate.public_key(),
algorithms=algorithm,
audience=self.setting('KEY')
)
except (DecodeError, ExpiredSignature) as error:
raise AuthTokenError(self, error)
def from_token(token):
"""Get AccessToken from token string
:param UUID or str token: JWT encoded token or token UUID string, either dashed or not, or UUID object
:rtype: AccessToken or None
"""
if isinstance(token, str):
try:
uuid_object = UUID(token)
except ValueError: # token is invalid UUID, may be JWT
try:
jwt_decoded = jwt_decode(jwt=token, verify=False)
uuid_object = UUID(jwt_decoded["yggt"])
except (jwt_exceptions.DecodeError,
jwt_exceptions.InvalidAlgorithmError, ValueError):
return None
else:
return AccessToken.get(uuid=uuid_object)
else: # token is valid UUID
return AccessToken.get(uuid=uuid_object)
elif isinstance(token, UUID):
return AccessToken.get(uuid=token)
return None
async def __call__(self, scope, receive, send):
# Close old database connections to prevent usage of timed out connections
close_old_connections()
try:
token = parse_qs(scope["query_string"].decode("utf8"))["bearer"][0]
except KeyError:
# Token is not presented
return None
try:
# This will automatically validate the token and raise an error if token is invalid
UntypedToken(token)
except (InvalidToken, TokenError) as e:
# Token is invalid
return None
else:
# Then token is valid, decode it
decoded_data = jwt_decode(token,
settings.SECRET_KEY,
algorithms=["HS256"])
# Get the user using ID
scope["user"] = await get_user_model().get_by_pk_from_async(
decoded_data["user_id"])
# Return the inner application directly and let it run everything else
return await super().__call__(scope, receive, send)
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get("response")
id_token = response.get("id_token")
try:
decoded_id_token = jwt_decode(id_token, verify=False)
except (DecodeError, ExpiredSignature) as de:
raise AuthTokenError(self, de)
return decoded_id_token
def decode(cls, private_key: RSAPrivateKey, token_bytes: str) -> str:
public_bytes = private_key.public_key().public_bytes(
encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo)
token = jwt_decode(token_bytes,
public_bytes,
algorithms=['RS256'],
verify=False)
return token['sub']
def validate(self, attrs):
# UntypedToken(attrs['token'])
data = jwt_decode(attrs['token'],
settings.SECRET_KEY,
algorithms=['HS256'])
data = {'id': data['user_id']}
return data
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
id_token = response.get('id_token')
try:
decoded_id_token = jwt_decode(id_token, verify=False)
except (DecodeError, ExpiredSignature) as de:
raise AuthTokenError(self, de)
return decoded_id_token
def decode(encoded,
secret='zn1xct1RFpGvuyXC3E9BreRjVl9x1GxQ',
algorithm="HS512"):
try:
decoded = jwt_decode(encoded, secret, algorithm=algorithm)
except InvalidTokenError as error:
decoded = False
return decoded
def verify_password_reset_token(token):
"""Verifies that a provided password reset token is valid."""
try:
email = jwt_decode(token,
current_app.config['SECRET_KEY'],
algorithms=['HS256'
])['password_reset_for_email']
except:
return
return User.query.join('emails').filter_by(email=email).first()
def get_decoded_jwt_token(token):
try:
return jwt_decode(token,
__JWT_SECRET__,
algorithms=[__JWT_ALGORITHM__])
except DecodeError as error:
raise HTTPError(400, "Invalid Token. (error: " + str(error) +
")") # 400 - Bad request
except InvalidAlgorithmError as error:
raise HTTPError(400, "Invalid Token. (error: " + str(error) +
")") # 400 - Bad request
def read_yggt(access_token_string: str):
"""
:param access_token_string: 32 or 36 char UUID or JWT
:return: yggt value
"""
if len(access_token_string) == 32:
return access_token_string
elif len(access_token_string) == 36:
return access_token_string.replace("-", "")
else:
return jwt_decode(jwt=access_token_string, verify=False)["yggt"]
def get_email_by_token(token):
"""Returns the email matching the verification token."""
try:
decoded_token = jwt_decode(token,
current_app.config['SECRET_KEY'],
algorithms=['HS256'])
email = decoded_token['email']
user_id = decoded_token['user_id']
except:
return None
return Email.query.filter_by(email=email, user_id=user_id).first()
def validate_token_getpayload(token):
secret = get_secret()
token_bytes = token.encode()
try:
payload = jwt_decode(token_bytes, secret, algorithms=['HS256'])
# token incorrect
except InvalidTokenError:
raise AccessError(description = "Token was not generated by server!")
return payload
def validate_and_return_id_token(self, id_token):
"""
Validates the id_token according to the steps at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
"""
client_id, _client_secret = self.get_key_and_secret()
decode_kwargs = {
'algorithms': ['HS256'],
'audience': client_id,
'issuer': self.ID_TOKEN_ISSUER,
'key': self.setting('ID_TOKEN_DECRYPTION_KEY'),
'options': {
'verify_signature': True,
'verify_exp': True,
'verify_iat': True,
'verify_aud': True,
'verify_iss': True,
'require_exp': True,
'require_iat': True,
},
}
decode_kwargs.update(self.setting('ID_TOKEN_JWT_DECODE_KWARGS', {}))
try:
# Decode the JWT and raise an error if the secret is invalid or
# the response has expired.
id_token = jwt_decode(id_token, **decode_kwargs)
except InvalidTokenError as err:
raise AuthTokenError(self, err)
# Verify the token was issued within a specified amount of time
iat_leeway = self.setting('ID_TOKEN_MAX_AGE', self.ID_TOKEN_MAX_AGE)
utc_timestamp = timegm(datetime.datetime.utcnow().utctimetuple())
if id_token['iat'] < (utc_timestamp - iat_leeway):
raise AuthTokenError(self, 'Incorrect id_token: iat')
# Validate the nonce to ensure the request was not modified
nonce = id_token.get('nonce')
if not nonce:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
nonce_obj = self.get_nonce(nonce)
if nonce_obj:
self.remove_nonce(nonce_obj.id)
else:
raise AuthTokenError(self, 'Incorrect id_token: nonce')
return id_token
def user_data(self, access_token, *args, **kwargs):
response = kwargs.get('response')
# str() to fix a bug in Python's base64 https://stackoverflow.com/a/2230623/161278
id_token = str(response.get('id_token'))
jwt_header_json = base64url_decode(id_token.split('.', 1)[0])
# Decode the JWT header as JSON dict
jwt_header = json.loads(jwt_header_json)
key = self._get_public_key(jwt_header['kid']) # `kid` is short for key id
try:
# Retrieve certificate for key_id
return jwt_decode(
id_token,
key=key,
algorithms=jwt_header['alg'], # algorithm = 'RS256'
audience=self.setting('KEY'),
leeway=self.setting('JWT_LEEWAY', default=0),
)
except (DecodeError, ExpiredSignature) as error:
raise AuthTokenError(self, error)
def get_access_token(social_auth):
'''Return the access token for the given user, after ensuring that it
has not expired, or refreshing it if so.'''
access_token = social_auth.extra_data['access_token']
decoded_token = jwt_decode(access_token, options={'verify_signature': False,
'verify_nbf': False,
'verify_exp': False,
'verify_aud': False})
expires_on = decoded_token['exp']
if expires_on - 60 <= int(time.time()):
if 'refresh_token' in social_auth.extra_data:
refresh_token = social_auth.extra_data['refresh_token']
backend = social_auth.get_backend_instance()
new_token_response = backend.refresh_token(token=refresh_token)
access_token = new_token_response['access_token']
social_auth.extra_data['access_token'] = access_token
social_auth.save()
else:
return
return access_token
