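def user_loader(session_token):
    """Rebuild a ``User`` for *session_token* from the session, or return ``None``.

    Args:
        session_token: presumably the ``user.id`` value stored at login time;
            it is copied verbatim onto the returned ``User``.

    Returns:
        A ``User`` with ``id`` and ``nickname`` set, or ``None`` when the
        session has no ``expires`` entry or the stored expiry (a POSIX
        timestamp) is already in the past.
    """
    from datetime import timezone  # local import: file-level imports are not in view

    if "expires" not in session:
        return None
    # Compare timezone-aware instants.  ``utcnow()`` / ``utcfromtimestamp()``
    # are deprecated since Python 3.12 and yield naive datetimes.
    expires = datetime.fromtimestamp(session["expires"], tz=timezone.utc)
    if expires < datetime.now(timezone.utc):
        return None
    user = User()
    user.id = session_token
    # ``.get`` so a session that carries ``expires`` but no ``nickname``
    # yields a user without a nickname instead of a KeyError on every request.
    user.nickname = session.get("nickname")
    return user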
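def callback():
    """Exchange the OAuth2 ``code`` for Cognito tokens and log the user in.

    Reads ``state`` and ``code`` from the query string, checks ``state``
    against the value stored in the session, posts the code to the Cognito
    token endpoint, verifies the returned tokens with ``verify_token`` and
    stores nickname / expiry / refresh token in the session before calling
    ``login_user``.

    Returns:
        A redirect to the ``home`` view on success.

    Raises:
        Via ``abort(401)`` when ``state`` is missing or does not match the
        session, when ``code`` is absent, or when the token endpoint does
        not answer 200.
    """
    import hmac  # local import: only needed for the constant-time state comparison

    # http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
    # NOTE(review): this dumps the whole request object (headers incl. cookies,
    # and the query string with the authorization code) at DEBUG level; keep
    # DEBUG logging off anywhere but local development.
    app.logger.debug(pprint.pformat(request.__dict__, depth=5))

    csrf_state = request.args.get("state")
    code = request.args.get("code")
    # The state is single-use: pop it so a replayed callback cannot match again.
    expected_state = session.pop("csrf_state", None)

    # Validate the state BEFORE spending the authorization code at the token
    # endpoint: a missing or mismatched state means this request did not come
    # from our own login redirect.  ``compare_digest`` on bytes avoids both a
    # timing side channel and the TypeError str-compare raises on non-ASCII.
    if (
        not csrf_state
        or expected_state is None
        or not hmac.compare_digest(
            csrf_state.encode("utf-8"), str(expected_state).encode("utf-8")
        )
    ):
        abort(401)
    if not code:
        abort(401)

    request_parameters = {
        "grant_type": "authorization_code",
        "client_id": app.config["COGNITO_APP_CLIENT_ID"],
        "code": code,
        # Built from the incoming Host header; this relies on Cognito checking
        # redirect_uri against the app client's registered callback URLs, so a
        # spoofed Host makes the exchange fail rather than redirect elsewhere.
        "redirect_uri": f"https://{request.headers['Host']}/callback",
    }
    response = requests.post(
        f"https://{app.config['COGNITO_DOMAIN']}/oauth2/token",
        data=request_parameters,
        auth=HTTPBasicAuth(
            app.config["COGNITO_APP_CLIENT_ID"],
            app.config["COGNITO_APP_CLIENT_SECRET"],
        ),
        timeout=10,  # never block a request worker indefinitely on the IdP
    )
    # the response:
    # http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
    if response.status_code != 200:
        abort(401)

    response_json = response.json()
    # Both tokens are verified; the access token's claims are not needed here.
    verify_token(response_json["access_token"])
    id_token = verify_token(response_json["id_token"], response_json["access_token"])
    user = User()
    user.id = id_token["cognito:username"]
    session["nickname"] = id_token["email"]
    session["expires"] = id_token["exp"]
    session["refresh_token"] = response_json["refresh_token"]
    login_user(user, remember=True)
    return redirect(url_for("home"))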