def authenticate(self, token=None): try: idinfo = client.verify_id_token(token, settings.CLIENT_ID) # If multiple clients access the backend server: if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") return None ''' if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['hd'] != APPS_DOMAIN_NAME: raise crypt.AppIdentityError("Wrong hosted domain.") ''' except crypt.AppIdentityError: # Invalid token raise crypt.AppIdentityError("Invalid token.") return None userid = idinfo['sub'] print(idinfo.items()) try: user = User.objects.get(username=userid) except User.DoesNotExist: user = User(username=userid, email=idinfo['email'], first_name=idinfo['given_name'], last_name=idinfo['family_name']) user.set_unusable_password() user.save() student = Student(user=user) student.save() return user
def sign_in(): """Authenticate a user with Google sign in""" try: token = request.form['idtoken'] except KeyError: return 'No idtoken provided', 401 try: idinfo = client.verify_id_token(token, KEYS['OAUTH_CLIENT_ID']) if idinfo['aud'] != KEYS['OAUTH_CLIENT_ID']: raise crypt.AppIdentityError('Unrecognized client.') if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError('Wrong issuer.') except ValueError: url = "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={}".format( token) req = urllib2.Request(url) response = urllib2.urlopen(url=req, timeout=30) res = response.read() idinfo = json.loads(res) except crypt.AppIdentityError, e: return 'Did not successfully authenticate'
def remove(): if request.method == 'GET': return redirect(url_for('index')) elif request.method == 'POST': token = request.json['idtoken'] row = request.json['id'] try: idinfo = client.verify_id_token(token, CLIENT_ID) if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") if idinfo['aud'] != CLIENT_ID: raise crypt.AppIdentityError("Wrong Client.") admin_email = idinfo['email'] if admin_email not in ADMIN: return "Not Admin", 200 query = CheckIn.query.filter(CheckIn.id == row).first() db.session.delete(query) db.session.commit() return "Removed: " + str(id), 200 except crypt.AppIdentityError: # Invalid token return "OAuth Identity Error", 200 return redirect(url_for('index'))
def verify_token(token_string): """Verify the given Google auth token string & return the 'sub' portion as stated in the docs. See: https://goo.gl/MIKN9X Returns None upon failure. """ token = None valid_accounts = ['accounts.google.com', 'https://accounts.google.com'] try: idinfo = client.verify_id_token(token_string, settings.GOOGLE_OAUTH_CLIENT_ID) # If multiple clients access the backend server: if idinfo['aud'] not in CLIENT_IDS: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in valid_accounts: raise crypt.AppIdentityError("Wrong issuer.") # Save the portion we want to keep. token = idinfo['sub'] except crypt.AppIdentityError: # Invalid token token = None return token
def checkin(): if request.method == 'GET': return redirect(url_for('index')) elif request.method == 'POST': location = request.json['location'] token = request.json['idtoken'] try: idinfo = client.verify_id_token(token, CLIENT_ID) if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") if idinfo['aud'] != CLIENT_ID: raise crypt.AppIdentityError("Wrong Client.") name = idinfo['name'] email = idinfo['email'] u = CheckIn(name, email, location) db.session.add(u) db.session.commit() return "Name: " + name + ", Email: " + email, 200 except crypt.AppIdentityError: # Invalid token return "OAuth Identity Error", 200 return redirect(url_for('index'))
def SecurityCheck(self, func, request, *args, **kwargs): """Check if access should be allowed for the request.""" try: auth_header = request.headers.get("Authorization", "") if not auth_header.startswith(self.BEARER_PREFIX): raise crypt.AppIdentityError("JWT token is missing.") token = auth_header[len(self.BEARER_PREFIX):] auth_domain = config.CONFIG["AdminUI.firebase_auth_domain"] project_id = auth_domain.split(".")[0] idinfo = client.verify_id_token(token, project_id, cert_uri=self.CERT_URI) if idinfo["iss"] != self.SECURE_TOKEN_PREFIX + project_id: raise crypt.AppIdentityError("Wrong issuer.") request.user = idinfo["email"] except crypt.AppIdentityError as e: # For a homepage, just do a pass-through, otherwise JS code responsible # for the Firebase auth won't ever get executed. This approach is safe, # because wsgiapp.HttpRequest object will raise on any attempt to # access uninitialized HttpRequest.user attribute. if request.path != "/": return self.AuthError("JWT token validation failed: %s" % e) return func(request, *args, **kwargs)
def _validate_gapi_token(token): import api_helper idinfo = client.verify_id_token(token, api_helper.API_CLIENT_ID) now = anticsrf.microtime() for key in ["exp", "iat"]: idinfo[key] *= (10**6) # to microseconds from seconds # print("idinfo:", idinfo) if idinfo["iss"] not in [ "accounts.google.com", "https://accounts.google.com" ]: raise crypt.AppIdentityError("Token has wrong issuer: {}".format( idinfo["iss"])) elif ((not DEV_VARS["no_check_timestamp"]) and (idinfo["iat"] >= now) or (idinfo["exp"] <= now)): raise client.AccessTokenCredentialsError( "Token has expired or invalid timestamps: issued-at {} expires {}". format(idinfo["iat"], idinfo["exp"])) elif idinfo["aud"] != api_helper.API_CLIENT_ID: # or idinfo["azd"] != API_CLIENT_ID: raise crypt.AppIdentityError("Token has wrong API token id") hd = None if "hd" in idinfo: hd = idinfo["hd"] idinfo["is_elevated"] = \ api_helper.is_elevated_id(idinfo["email"], hd=hd) # print(idinfo) return idinfo
def google_info_from_token(token): idinfo = client.verify_id_token(token, settings.GOOGLE_CLIENT_ID) if idinfo['aud'] != settings.GOOGLE_CLIENT_ID: raise crypt.AppIdentityError('aud dont match') if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") return idinfo
def markhere(): if request.method == 'GET': return redirect(url_for('index')) elif request.method == 'POST': email = request.json['email'] token = request.json['idtoken'] week = request.json['week'] try: idinfo = client.verify_id_token(token, CLIENT_ID) if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") if idinfo['aud'] != CLIENT_ID: raise crypt.AppIdentityError("Wrong Client.") admin_email = idinfo['email'] if admin_email not in ADMIN: return "Not Admin", 200 name = PEOPLE[email] location = HALL date_arr = WEEKS[week].split("-") date = datetime(int(date_arr[0]), int(date_arr[1]), int(date_arr[2]), tzinfo=pst) delta = timedelta(days=1) dayQs = CheckIn.query.filter(CheckIn.time > date).filter(CheckIn.time < date + delta).all() admin_checks = [] for q in dayQs: if q.email in ADMIN: admin_checks.append(q) if q.email == email: db.session.delete(q) if len(admin_checks) <= 0: return "Needs Admin Check Ins", 200 for check in admin_checks: time = check.time u = CheckIn(name, email, location, time) db.session.add(u) db.session.commit() return "Name: " + name + ", Email: " + email, 200 except crypt.AppIdentityError: # Invalid token return "OAuth Identity Error", 200 return redirect(url_for('index'))
def _verify_google_id_token(request): if "google_id_token" not in request.POST: raise crypt.AppIdentityError("google_id_token missing.") token = request.POST.get("google_id_token", None) idinfo = client.verify_id_token(token, django_settings.GOOGLE_CLIENT_ID) if idinfo["iss"] not in ["accounts.google.com", "https://accounts.google.com"]: raise crypt.AppIdentityError("Invalid issuer.") return token, idinfo
def tokenGoogle(): id_token = request.form['idtoken'] try: idinfo = client.verify_id_token(id_token, CLIENT_ID) if idinfo['aud'] not in [CLIENT_ID]: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") '''if idinfo['hd'] != APPS_DOMAIN_NAME: raise crypt.AppIdentityError("Wrong hosted domain.")''' except crypt.AppIdentityError: print "Invalid Token" picture = "/static/assets/img/user.png" url = '/dashboard' connection = r.connect(host='localhost', port=28015) count = r.db('taggem').table('user').filter({ 'user_id': idinfo['email'] }).count().run(connection) try: picture = idinfo['picture'] except: picture = "/static/assets/img/user.png" if count > 0: print id_token print "User exist" else: print dir(idinfo) new_user = user_save(user_id=idinfo['email'], connection=connection, full_name=idinfo['name'], profile_url=picture) new_user.save_to_db() print("New user created in database") session['logged_user_ID'] = idinfo['email'] session['profile'] = picture session['email'] = idinfo['email'] t = list( r.db('taggem').table('user').filter({ 'user_id': session['email'] }).run(connection)) session['id'] = t session['name'] = idinfo['name'] return url
def verifyToken(): payload = request.get_json() if payload is None: abort(400) try: idinfo = client.verify_id_token(payload['token'], creds.CLIENT_ID) if idinfo['aud'] != creds.ANDROID_CLIENT_ID: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: abort(500) accId = idinfo['sub'] res, status = cntrl.getUser(ent.User, ent.Account, accId) #if new user if status == 204: payload = { 'account': idinfo['sub'], 'email': idinfo['email'], 'fname': idinfo['given_name'], 'lname': idinfo['family_name'] } res, status = cntrl.addUser(payload) #if returning user elif status == 200: res, status = { 'message': 'Signed in as ' + idinfo['given_name'] + ' ' + idinfo['family_name'], 'email': idinfo['email'], 'fname': idinfo['given_name'], 'lname': idinfo['family_name'], 'account': idinfo['sub'], 'user': res['user'] }, 200 res = jsonify(res) res.headers['Status'] = status return res
def gconnect(): # Validate state token if request.args.get('state') != session['state']: response = make_response(json.dumps('Invalid state parameter.'), 401) response.headers['Content-Type'] = 'application/json' return response code = request.data try: idinfo = client.verify_id_token(code, WEB_CLIENT_ID) # If multiple clients access the backend server: if idinfo['aud'] not in [WEB_CLIENT_ID]: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError as e: response = make_response(json.dumps(e.message), 401) response.headers['Content-Type'] = 'application/json' return response gplus_id = idinfo['sub'] stored_gplus_id = session.get('gplus_id') if gplus_id == stored_gplus_id: response = make_response( json.dumps('Current user is already connected.'), 200) response.headers['Content-Type'] = 'application/json' return response # set session variables session['auth_type'] = 'gplus' session['username'] = idinfo['name'] session['picture'] = idinfo['picture'] session['email'] = idinfo['email'] # see if user exists, if it doesn't make a new one user_id = get_user_id(idinfo["email"]) print user_id if not user_id: user_id = create_user(session) session['user_id'] = user_id # response to be shown output = '<h3>Welcome, {}!</h3><img src="{}" class="google-img">'.format( session['username'], session['picture']) flash("You are now logged in as {}".format(session['username'])) return output
def validate_g_token(self, id_token): # validate on sign in and submit try: idinfo = client.verify_id_token(id_token, CLIENT_ID) if idinfo["aud"] not in [CLIENT_ID]: raise crypt.AppIdentityError("Unrecognized client.") if idinfo["iss"] not in [ "accounts.google.com", "https://accounts.google.com" ]: raise crypt.AppIdentityError("Wrong issuer.") # if idinfo['hd'] != #APPS_DOMAIN_NAME: # raise crypt.AppIdentityError("Wrong hosted domain.") return idinfo except crypt.AppIdentityError: pass # Invalid token
def verify_user(self, token, user_id): try: idinfo = client.verify_id_token(token, user_id) # If multiple clients access the backend server: if idinfo['aud'] is not ANDROID_CLIENT_ID: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") if idinfo['hd'] != "com.attender": raise crypt.AppIdentityError("Wrong hosted domain.") except crypt.AppIdentityError: userid = idinfo['sub']
def request_google_auth_service(client_id, token): idinfo = client.verify_id_token(token, client_id) if idinfo['aud'] not in GOOGLE_ACCEPT_CLIENT_IDS: raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") idinfo['uid'] = idinfo['sub'] for (x, y) in (('name', 'username'), ('given_name', 'first_name'), ('family_name', 'last_name')): idinfo[y] = idinfo[x] if x in idinfo else '' idinfo['provider'] = 'google-oauth2' # logger.debug('idinfo = {}'.format(idinfo)) return idinfo
def verify_token(): """Verifies the identify of the user through their oauth token Returns a 200 HTTP response if the token is valid Returns a 401 HTTP response on error. """ token = request.form.get('token') csrftoken = request.form.get('csrftoken') provider = request.form.get('provider') if csrftoken != session['csrf']: response = make_response(json.dumps('Invalid CSRF token.'), 401) response.headers['Content-Type'] = 'application/json' return response session['csrf'] = '' try: token_info = client.verify_id_token( token, config.oauth['google']['client_id']) if token_info['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") session['provider'] = 'google' session['name'] = token_info['name'] session['email'] = token_info['email'] user = User.by_email(token_info['email']) or User.create_user(session) session['user_id'] = user.id response = make_response(json.dumps('You have logged in.'), 200) response.headers['Content-Type'] = 'application/json' return response except crypt.AppIdentityError: response = make_response(json.dumps('Invalid token.'), 401) response.headers['Content-Type'] = 'application/json' return response
def verify_google_id_token(id_token): """ Verifies if id_token is a valid google account token :param id_token: :return: None or sub """ try: # id_info = client.verify_id_token(id_token, CLIENT_ID) # Or, if multiple clients access the backend server: id_info = client.verify_id_token(id_token, None) # if id_info['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]: # raise crypt.AppIdentityError("Unrecognized client.") if id_info['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") # If auth request is from a G Suite domain: # if idinfo['hd'] != GSUITE_DOMAIN_NAME: # raise crypt.AppIdentityError("Wrong hosted domain.") except crypt.AppIdentityError: # Invalid token return None user_id = id_info['sub'] return user_id
def authenticate(self, token=None): try: idinfo = client.verify_id_token(token, settings.GOOGLE_CLIENT_ID) if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: return None user = User.objects.filter(email=idinfo['email']).first() if not user: user = User.objects.create(username=idinfo['sub'], email=idinfo['email']) user.is_active = idinfo['email_verified'] user.set_unusable_password() user.username_set = False user.save() user.profile.first_name = idinfo['given_name'] user.profile.last_name = idinfo['family_name'] user.profile.email_confirmed = idinfo['email_verified'] user.profile.save() return user
def login(): # To verify using ID Token and send access, refresh tokens content=request.get_json(force=True) token=content['idToken'] print(token) try: idinfo = client.verify_id_token(token, CLIENT_ID) if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: #Invalid ID token return 'fail' print(idinfo['sub']) #Create refresh and access token refreshKey=random.getrandbits(32); secs=int(time.time()) refreshToken = jwt.encode({'refreshSecret': refreshKey}, SIGNING_SECRET_KEY, algorithm='HS256') accessToken = jwt.encode( {'userID': idinfo['sub'],'iat':secs,'exp':secs+3000}, SIGNING_SECRET_KEY, algorithm='HS256') print('refreshtoken') print(refreshToken) #New User if not user_datastore.find_user(userID=idinfo['sub']): user_datastore.create_user(email=idinfo['email'], picture=idinfo['picture'], userID=idinfo['sub'], name=idinfo['name'], refreshSecret=refreshKey) print('new user created') return refreshToken #Existing User else : user=user_datastore.find_user(userID=idinfo['sub']) refreshKey=user.refreshSecret print(refreshKey) return jwt.encode({'refreshSecret': refreshKey}, SIGNING_SECRET_KEY, algorithm='HS256')
def login(request): template = loader.get_template('search/afterlogin.html') if request.method=='POST': token=request.POST.get('idtoken','deftok77') CLIENT_ID='535075582690-pianvlpvq9lm07lbv71dh5fdgklvoe8n.apps.googleusercontent.com' try: idinfo = client.verify_id_token(token, CLIENT_ID) # Or, if multiple clients access the backend server: #idinfo = client.verify_id_token(token, None) #if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]: # raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") user = User.objects.create_user('luis') user.save() # If auth request is from a G Suite domain: #if idinfo['hd'] != GSUITE_DOMAIN_NAME: # raise crypt.AppIdentityError("Wrong hosted domain.") except crypt.AppIdentityError: print("ivalid token") #nothing here # Invalid token user2 = User.objects.create_user('mike12') user2.save() userid=idinfo['sub'] user3 = User.objectes.create_user(userid) user3.save() context={'userid':userid} return HttpResponse(template.render(context,request))
def authenticate_credentials(self, token): User = get_user_model() _token = self.request.session.get('token') email = self.request.session.get('email') if token != _token: try: idinfo = client.verify_id_token(token, settings.GOOGLE_CLIENT_ID) auth_domains = [ 'accounts.google.com', 'https://accounts.google.com' ] if idinfo['iss'] not in auth_domains: raise crypt.AppIdentityError("Wrong issuer.") email = idinfo['email'] except crypt.AppIdentityError: raise AuthenticationFailed('Invalid token.') try: user = User.objects.get(username=email) self.request.session['token'] = token self.request.session['email'] = email return (user, token) except User.DoesNotExist: raise AuthenticationFailed('User does not exist.')
def signin(): """ This function handles the signin process """ if request.method == 'POST': token = request.form['id_token'] try: idinfo = client.verify_id_token( token, '1072405718300-7kdr08dkvn4hkg' + 'ceimh4c7p679rbsmol.apps.goog' + 'leusercontent.com') if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: return 'Error AppIdentityError' userid = idinfo['sub'] username = idinfo['name'] user_exists = db_get('SELECT id, name FROM users WHERE' + ' id = ? ', [userid]) if not user_exists: db_insert('INSERT INTO users VALUES (?, ?)', [(username, userid)]) user_exists = db_get( 'SELECT id, name FROM users WHERE' + ' id = ? ', [userid]) user = User(user_exists[0][0], user_exists[0][1]) login_user(user) return redirect(url_for('landing_page'))
def google_auth(): try: data = json.loads(request.data.decode()) idinfo = client.verify_id_token( data['data'], '192085420693-gnet8a4sjhn89ll6ejjho1tudv3l2oaa.apps.googleusercontent.com' ) if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") else: userid = idinfo['sub'] registered_user = User.query.filter_by( email=idinfo['email']).first() if not registered_user: user = User(email=idinfo['email']) db.session.add(user) db.session.commit() registered_user = User.query.filter_by( email=idinfo['email']).first() return login_registered_user(registered_user) except crypt.AppIdentityError: return json.dumps({'message': 'Invalid token'}), 400
def validate_user_id(userId): # (Receive token by HTTPS POST) if userId == -1: print('USER ID ENTERED AS -1') return -1 try: idinfo = client.verify_id_token(userId, CLIENT_ID) # Or, if multiple clients access the backend server: # idinfo = client.verify_id_token(token, None) # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]: # raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: raise crypt.AppIdentityError("Wrong issuer.") # If auth request is from a G Suite domain: # if idinfo['hd'] != GSUITE_DOMAIN_NAME: # raise crypt.AppIdentityError("Wrong hosted domain.") except crypt.AppIdentityError: print('USER ID PARSED TO -1') return -1 return idinfo['sub']
def gconnect(): """Endpoint that authenticates user.""" try: idinfo = client.verify_id_token( request.data, '1014623565180-lm2sl4gftjv5r8jhgikg0ti9lcldol8c' '.apps.googleusercontent.com') if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: return (jsonify({ 'data': 'Invalid authentication issuer', 'error': '401' }), 401) user = get_user(idinfo['email']) if user is None: user = add_user(idinfo['email'], idinfo['name']) if user is None: return (jsonify({'data': 'Internal Error', 'error': '500'}), 500) login_session['userid'] = user.id return Response({ 'user_id': user.id, 'user_name': idinfo['name'], 'user_picture': idinfo['picture'] })
def do_auth(better_data): pprint(better_data) CLIENT_ID = "711592045166-4o6ndv014o7l0jfq6dce74n3bh4l6o59.apps.googleusercontent.com" token = str(better_data['token']) try: idinfo = client.verify_id_token(token, CLIENT_ID) if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") print("Wrong Issuer.") else: print("Beginning query for authen") # do we add a user ? i don't know. we could try usr = User.query.filter_by(uid=int(idinfo['sub'])) pprint(usr) if usr is None or usr.count() < 0: print("User is not in count! Attemping to add") # add user u = User(int(idinfo['sub']), idinfo['family_name'], idinfo['given_name'], idinfo['picture']) db.session.add(u) db.session.commit() return json.dumps({'type': 'auth', 'success': 1}) else: print("User exists... now what?") return json.dumps({'type': 'auth', 'success': 1}) return json.dumps({'type': 'auth', 'success': 0}) except crypt.AppIdentityError: return json.dumps({'type': 'auth', 'success': 0})
def post(self): """Post method for GoogleLogin resource""" args = self.reqparse.parse_args() token = args['id_token'] try: idinfo = client.verify_id_token(token, CLIENT_ID) # Or, if multiple clients access the backend server: # idinfo = client.verify_id_token(token, None) # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]: # raise crypt.AppIdentityError("Unrecognized client.") if idinfo['iss'] not in [ 'accounts.google.com', 'https://accounts.google.com' ]: raise crypt.AppIdentityError("Wrong issuer.") # If auth request is from a G Suite domain: # if idinfo['hd'] != GSUITE_DOMAIN_NAME: # raise crypt.AppIdentityError("Wrong hosted domain.") except crypt.AppIdentityError: # Invalid token pass else: userid = idinfo['sub'] user, created = User.get_or_create(user_id=userid, user_type='google') return make_response( jsonify({ "message": "Login successful!", "token": user.generate_auth_token().decode('ascii') }), 200)
def inner(requestHandler): headers = requestHandler.request.headers if "Authorization" in headers and headers["Authorization"].split( )[0] == "Bearer:": id_token = headers["Authorization"].split()[1] else: oauth_failed(requestHandler) return try: idinfo = client.verify_id_token(id_token, credentials.client_id) if idinfo["iss"] not in [ "accounts.google.com", "https://accounts.google.com" ]: raise crypt.AppIdentityError("Wrong issuer.") except crypt.AppIdentityError: oauth_failed(requestHandler) return current_time = int(time.time()) if not (int(idinfo["iat"]) < current_time and current_time < int(idinfo["exp"])): oauth_failed(requestHandler) return userid = idinfo["sub"] logging.debug("Request authentication success") return http_handler_function(requestHandler)
def decode(token): """Decodes the provided JWT into dictionaries. Parses the provided token and extracts its header values and claims. Note that this function does not perform any verification on the token content. Nor does it attempt to verify the token signature. Th only validation it performs is for the proper formatting/encoding of the JWT token, which is necessary to parse it. Simply use this function to unpack, and inspect the contents of a JWT. Args: token: A signed JWT token as a string. Returns: tuple: A 2-tuple where the first element is a dictionary of JWT headers, and the second element is a dictionary of payload claims. Raises: AppIdentityError: If the token is malformed or badly formatted """ if token.count(b'.') != 2: raise crypt.AppIdentityError(('Wrong number of segments' ' in token: {0}').format(token)) header, payload, _ = token.split(b'.') header_dict = json.loads(_urlsafe_b64decode(header).decode('utf-8')) payload_dict = json.loads(_urlsafe_b64decode(payload).decode('utf-8')) return (header_dict, payload_dict)