def test_verify_wrong_app_fails(fake_email, fake_client_app, create_fake_client_app): fake_client_app2 = create_fake_client_app() token = security_token.generate(fake_email, fake_client_app) with pytest.raises(security_token.TokenVerificationError): security_token.verify(token, fake_client_app2)
def test_verify(fake_email, fake_client_app): token = security_token.generate(fake_email, fake_client_app) headers, claims = security_token.verify(token, fake_client_app) assert headers["alg"] == "ES256" assert claims["sub"] == fake_email assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}" assert claims.get("iat") is not None assert claims.get("exp") is not None
def test_exported_key_verifies_token(fake_client_app, fake_email): token = security_token.generate(fake_email, fake_client_app) exported_key_dict = security_client_app.export_public_key(fake_client_app) key = jwk.JWK(**exported_key_dict) headers, claims = jwt.verify_jwt(token, key, allowed_algs=["ES256"]) assert headers["alg"] == "ES256" assert claims["sub"] == fake_email assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
def test_exported_key_doesnt_verify_invalid_token( fake_client_app, fake_email, create_fake_client_app ): fake_client_app2 = create_fake_client_app() token = security_token.generate(fake_email, fake_client_app) exported_key_dict = security_client_app.export_public_key(fake_client_app2) key = jwk.JWK(**exported_key_dict) assert fake_client_app.get_key() != fake_client_app2.get_key() with pytest.raises(InvalidJWSSignature): jwt.verify_jwt(token, key, allowed_algs=["ES256"])
def test_generate(fake_email, fake_client_app): token = security_token.generate(fake_email, fake_client_app) assert token is not None headers, claims = jwt.verify_jwt(token, fake_client_app.get_key(), allowed_algs=["ES256"]) assert headers["alg"] == "ES256" assert claims["sub"] == fake_email assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
async def confirm_otp( confirm_code: ConfirmCode, client_app: ClientApp = Depends(check_client_app), ): """Confirm authentication by one time code""" if not security_otp.verify(confirm_code.email, confirm_code.code, client_app.app_id): raise HTTPException(status_code=401, detail="Invalid Code.") id_token = security_token.generate(confirm_code.email, client_app) refresh_token = None if client_app.get_refresh_key(): refresh_token = await security_token.generate_refresh_token( confirm_code.email, client_app) return IssueToken(idToken=id_token, refreshToken=refresh_token)
async def confirm_magic( secret: str = Query(...), id_: str = Query(..., alias="id"), client_app: ClientApp = Depends(check_client_app), ): """This endpoint confirms magic links. Do not use directly.""" if email := security_magic.verify(id_, secret, client_app.app_id): id_token = security_token.generate(email, client_app) redirect_url = f"{client_app.redirect_url}?idToken={quote_plus(id_token)}" if client_app.get_refresh_key(): refresh_token = await security_token.generate_refresh_token( email, client_app ) redirect_url = f"{redirect_url}&refreshToken={quote_plus(refresh_token)}" return RedirectResponse(redirect_url)