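def _authorize(handler, *args, **kwargs):
    """Run the authorization endpoint for *handler* and turn the outcome into
    a redirect.

    ``self`` (``error_uri`` / ``confirm_authorization_request``), ``_post``,
    ``_get`` and ``log`` are free names here; the enclosing scope that binds
    them is not part of this listing.

    Args:
        handler: request handler exposing ``get_argument``,
            ``request.method`` and ``redirect``.
        *args, **kwargs: forwarded unchanged to ``_post`` / ``_get``.

    Returns:
        The value of ``handler.redirect`` or ``confirm_authorization_request``,
        or, when ``_post``/``_get`` produced something other than a bool,
        that value itself (a response or redirect built by the view).
    """
    # Raw request argument; nothing in this block validates it.
    redirect_uri = handler.get_argument('redirect_uri', None)
    # Where client-facing errors go when no redirect_uri was supplied.
    fallback_uri = redirect_uri or self.error_uri
    try:
        dispatch = _post if handler.request.method == 'POST' else _get
        rv = dispatch(handler, *args, **kwargs)
    except FatalClientError as e:
        # A fatal client error (bad client_id / redirect_uri) must never be
        # sent to the client's redirect_uri (RFC 6749 §4.1.2.1); always land
        # on our own error page.
        log.debug('Fatal client error %r', e)
        return handler.redirect(e.in_uri(self.error_uri))
    except OAuth2Error as e:
        log.debug('OAuth2Error: %r', e)
        return handler.redirect(e.in_uri(fallback_uri))
    except Exception as e:
        # ``Logger.warn`` was removed in Python 3.13; keep the traceback so an
        # unexpected failure is not reduced to a bare ``error=unknown``.
        log.warning('Exception: %r', e, exc_info=True)
        return handler.redirect(
            add_params_to_uri(self.error_uri, {'error': 'unknown'}))
    if not isinstance(rv, bool):
        # The view produced its own response or redirect.
        return rv
    if not rv:
        # Denied by the user. NOTE(review): ``redirect_uri`` is the raw
        # request argument; unless ``_post``/``_get`` checked it against the
        # client's registered URIs, this denial redirect follows an
        # unvalidated URI — confirm. With no argument present we now fall
        # back to ``error_uri`` (as the OAuth2Error branch does) instead of
        # calling ``in_uri(None)``.
        return handler.redirect(AccessDeniedError().in_uri(fallback_uri))
    return self.confirm_authorization_request(handler)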
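def _authorize(handler, *args, **kwargs):
    """Dispatch the authorization request and map every outcome to a redirect.

    Free names: ``self`` (provides ``error_uri`` and
    ``confirm_authorization_request``), ``_post``, ``_get`` and ``log`` are
    bound by an enclosing scope that is not visible in this listing.

    Args:
        handler: object with ``get_argument``, ``request.method`` and
            ``redirect``.
        *args, **kwargs: passed through to ``_post`` / ``_get``.

    Returns:
        A redirect, the result of ``confirm_authorization_request``, or a
        non-bool value returned by ``_post``/``_get`` (the view's own
        response).
    """
    # Unvalidated request argument.
    redirect_uri = handler.get_argument('redirect_uri', None)
    # Error destination when the request carried no redirect_uri.
    error_target = redirect_uri or self.error_uri
    try:
        if handler.request.method == 'POST':
            rv = _post(handler, *args, **kwargs)
        else:
            rv = _get(handler, *args, **kwargs)
    except FatalClientError as e:
        # Never redirect to the client's URI on a fatal client error
        # (RFC 6749 §4.1.2.1).
        log.debug('Fatal client error %r', e)
        return handler.redirect(e.in_uri(self.error_uri))
    except OAuth2Error as e:
        log.debug('OAuth2Error: %r', e)
        return handler.redirect(e.in_uri(error_target))
    except Exception as e:
        # ``warn`` is gone in Python 3.13; ``exc_info`` preserves the stack
        # of an otherwise-swallowed unexpected exception.
        log.warning('Exception: %r', e, exc_info=True)
        return handler.redirect(add_params_to_uri(
            self.error_uri, {'error': 'unknown'}
        ))
    if not isinstance(rv, bool):
        # Response or redirect built by the view itself.
        return rv
    if not rv:
        # The user declined. NOTE(review): ``redirect_uri`` has not been
        # checked against the client's registered URIs in this block; if
        # ``_post``/``_get`` do not do so either, this is an unvalidated
        # redirect — confirm. Falling back to ``error_uri`` avoids
        # ``in_uri(None)`` when the argument is missing.
        return handler.redirect(AccessDeniedError().in_uri(error_target))
    return self.confirm_authorization_request(handler)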
def post(self):
    """Handle the consent-form submission of the authorization endpoint.

    ``submit`` asks the OAuth2 server for the authorization response and
    records (or updates) the user's ``AuthorizedApplication`` row; ``cancel``
    redirects back to the client with ``access_denied``. A post with neither
    button falls off the end and returns ``None``.
    """
    uri, http_method, body, headers = extract_params(self.request)
    form = self.request.POST
    redirect_uri = form.get('redirect_uri')

    if 'submit' in form:
        # Space-separated scope string as submitted by the form.
        scopes = form.get('scope', '').split()
        credentials = {
            'client_id': form.get('client_id'),
            'redirect_uri': redirect_uri,
            'response_type': form.get('response_type'),
            'state': form.get('state'),
            'user': self.request.user,
        }
        try:
            server_response = self.server.create_authorization_response(
                uri, http_method, body, headers, scopes, credentials,
            )
            # NOTE(review): ``.one()`` raises NoResultFound for an unknown
            # client id; presumably create_authorization_response has
            # already rejected such requests — confirm.
            app = (
                Session.query(Application)
                .filter(Application.id == credentials['client_id'])
                .one()
            )
            try:
                auth_app = (
                    Session.query(AuthorizedApplication)
                    .filter(
                        AuthorizedApplication.user == self.request.user,
                        AuthorizedApplication.application == app,
                    )
                    .one()
                )
            except NoResultFound:
                auth_app = AuthorizedApplication(
                    user=self.request.user,
                    application=app,
                )
            auth_app.redirect_uri = credentials['redirect_uri']
            auth_app.response_type = credentials['response_type']
            auth_app.scope = scopes
            Session.add(auth_app)
            return create_response(*server_response)
        except FatalClientError as e:
            # Only fatal client errors become a response here; any other
            # exception from the block above propagates to the caller.
            return response_from_error(e)
    elif 'cancel' in form:
        # NOTE(review): ``redirect_uri`` is taken straight from the form and
        # is not checked against the application's registered URI on this
        # path; when absent, ``in_uri(None)`` is called — confirm the
        # intended behaviour.
        return HTTPFound(AccessDeniedError().in_uri(redirect_uri))
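def validate_code(self, client_id, code, client, request, *args, **kwargs):
    """Check an authorization code and require that its user has 2FA.

    On success the grant's scopes and user are attached to *request* and
    ``True`` is returned. Unknown or expired codes yield ``False``. A valid
    code whose user has no TOTP device raises ``AccessDeniedError`` instead
    of returning ``False`` so the client receives a descriptive error.

    Args:
        client_id: unused here; the lookup is keyed on *client* directly.
        code: authorization code presented by the client.
        client: the authenticated client application.
        request: oauthlib request object; ``scopes`` and ``user`` are set
            on it when the code is accepted.

    Returns:
        bool: ``True`` if the code is valid, unexpired and the user has at
        least one TOTP device.

    Raises:
        AccessDeniedError: the code is valid but the user has no TOTP device.
    """
    # Keep the try body to the single lookup that raises DoesNotExist so the
    # AccessDeniedError below cannot be confused with a lookup failure.
    try:
        grant = Grant.objects.get(code=code, application=client)
    except Grant.DoesNotExist:
        return False
    if grant.is_expired():
        return False
    # exists() issues an EXISTS query instead of loading every device row.
    # NOTE(review): if this is django-otp's TOTPDevice, devices with
    # ``confirmed=False`` are counted too — confirm whether enrolment must be
    # completed to satisfy this check.
    if not grant.user.totpdevice_set.exists():
        raise AccessDeniedError(
            description="The requesting user has not enabled 2FA",
            request=request,
        )
    request.scopes = grant.scope.split(" ")
    request.user = grant.user
    return True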