def signin(email, password) -> Tuple[str, str]:
user = None
user = authenticate(username=email, password=password)
if user is None:
raise UnAuthorizedException()
claim = Claim(user_id=user.id)
refresh_token = claim.to_token(
exp_seconds=TokenUtils.REFRESH_TOKEN_EXPIRY_SEC)
access_token = claim.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return (refresh_token, access_token)
def signup(email, first_name, last_name, password) -> Tuple[str, str]:
if User.objects.filter(username=email).exists():
raise UnAuthorizedException()
user = User.objects.create(first_name=first_name,
last_name=last_name,
email=email,
username=email,
password=make_password(password))
claim = Claim(user_id=user.id)
refresh_token = claim.to_token(
exp_seconds=TokenUtils.REFRESH_TOKEN_EXPIRY_SEC)
access_token = claim.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return (refresh_token, access_token)
def __call__(self, request):
# Code to be executed for each request before
# the view (and later middleware) are called.
if 'HTTP_AUTHORIZATION' in request.META and len(
request.META['HTTP_AUTHORIZATION']) > 7:
access_token = request.META['HTTP_AUTHORIZATION'][7:]
claim = Claim.from_token(token=access_token)
request.claim = claim
else:
request.claim = Claim.empty()
response = self.get_response(request)
# Code to be executed for each request/response after
# the view is called.
return response
def access_token(refresh_token) -> str:
claim = Claim.from_token(token=refresh_token)
if not claim.user_id:
raise UnAuthorizedException()
# TODO: should check if role is disabled
access_token = claim.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return access_token
def switch_workspace(user_id, workspace_id) -> Tuple[str, str]:
if not user_id or not workspace_id:
raise UnAuthorizedException()
user = None
workspace = None
role = None
try:
user = User.objects.get(id=user_id)
workspace = Workspace.objects.get(id=workspace_id)
role = Role.objects.get(workspace=workspace, user=user)
except ObjectDoesNotExist:
raise UnAuthorizedException()
claim = Claim(user_id=user.id,
workspace_id=workspace.id,
scope=role.scope)
refresh_token = claim.to_token(
exp_seconds=TokenUtils.REFRESH_TOKEN_EXPIRY_SEC)
access_token = claim.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return (refresh_token, access_token)
def oauth2_refresh_token(client_id, code, client_secret,
code_verifier) -> Tuple[str, str]:
if not client_secret and not code_verifier:
raise UnAuthorizedException(
"Must specify client_secret or code_verifier")
if client_secret and code_verifier:
raise ParseError(
'Cannot specify both client_secret and code_verifier')
claim = Claim.from_token(token=code)
tpa = ThirdPartyApp.objects.get(id=client_id)
if client_secret:
if not check_password(client_secret, tpa.secret):
raise UnAuthorizedException()
else:
if not TokenUtils.check_code_verifier(
code_challenge=claim.code_challenge,
code_verifier=code_verifier):
raise UnAuthorizedException("Invalid code_verifier")
tpa = ThirdPartyApp.objects.get(id=claim.tpa_id)
workspace = Workspace.objects.get(id=claim.workspace_id)
user = User.objects.get(id=claim.user_id)
try:
atpa = ThirdPartyAppInstall.objects.get(workspace=workspace,
user=user,
tpa=tpa)
except ObjectDoesNotExist:
raise PermissionDenied()
claim1 = Claim(user_id=user.id,
workspace_id=workspace.id,
tpa_id=tpa.id,
scope=claim.scope,
code_challenge=claim.code_challenge)
refresh_token = claim1.to_token(
exp_seconds=TokenUtils.REFRESH_TOKEN_EXPIRY_SEC
) # consider 10 years
access_token = claim1.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return (refresh_token, access_token)
def oauth2_code(claim, client_id, scope, code_challenge) -> str:
if not claim.user_id:
raise UnAuthorizedException()
if not claim.workspace_id:
raise UnAuthorizedException('Workspace to link is not specified')
workspace = Workspace.objects.get(id=claim.workspace_id)
user = User.objects.get(id=claim.user_id)
role = Role.objects.get(workspace=workspace, user=user)
tpa = ThirdPartyApp.objects.get(id=client_id)
extra_scope = set(scope.split(',')) - set(role.scope.split(','))
if len(extra_scope) > 0:
raise PermissionDenied(
f'Requested scopes {extra_scope} cannot be granted by user')
atpa = ThirdPartyAppInstall.objects.create(workspace=workspace,
user=user,
tpa=tpa)
claim1 = Claim(user_id=user.id,
tpa_id=tpa.id,
workspace_id=workspace.id,
scope=scope,
code_challenge=code_challenge)
code = claim1.to_token(exp_seconds=300)
return code
def oauth2_access_token(client_id, client_secret, refresh_token,
code_verifier) -> Tuple[str, str]:
if not client_secret and not code_verifier:
raise UnAuthorizedException(
"Must specify client_secret or code_verifier")
if client_secret and code_verifier:
raise ParseError(
'Cannot specify both client_secret and code_verifier')
tpa = ThirdPartyApp.objects.get(id=client_id)
claim = Claim.from_token(token=refresh_token)
if client_secret:
if not check_password(client_secret, tpa.secret):
raise UnAuthorizedException()
else:
if not TokenUtils.check_code_verifier(
code_challenge=claim.code_challenge,
code_verifier=code_verifier):
raise UnAuthorizedException("Invalid code_verifier")
access_token = claim.to_token(
exp_seconds=TokenUtils.ACCESS_TOKEN_EXPIRY_SEC)
return (refresh_token, access_token)
def post(self, request):
jwt = request.data['jwt']
claim = Claim.from_token(token=jwt)
return Response({'claim': claim.__dict__})