async def refresh(self, scopes):
client = utils.get_client(self._validated_jwt['client'],
**self._validated_jwt['client_args'])
refresh_token = self._validated_jwt['client_args']['refresh_token']
otoken, otoken_data = await client.get_access_token(
refresh_token, grant_type='refresh_token')
client_args = dict(access_token=otoken, refresh_token=refresh_token)
if 'expires_in' in otoken_data:
timeout = otoken_data['expires_in']
else:
timeout = 60 * 60 * 1
user, user_data = await client.user_info()
jwt_token, data = authenticate_user(
user.id, {
'first_name': user.first_name,
'last_name': user.last_name,
'email': user.email,
'username': user.username,
'client': self._validated_jwt['client'],
'client_args': client_args,
'allowed_scopes': user_data.get('allowed_scopes'),
'scope': scopes,
'identifier': 'oauth'
},
timeout=timeout)
result = {'exp': data['exp'], 'token': jwt_token}
return result
async def run(token_data, payload):
# Payload : {
# 'new_password': '******',
# }
container = get_current_container()
user_folders = await container.async_get("users")
data = {}
valid_data = ["username", "email", "name", "password", "properties"]
for key in valid_data:
if key in token_data:
data[key] = token_data[key]
user = await create_content_in_container(
user_folders,
"User",
token_data.get("username", token_data.get("id")),
creators=(token_data.get("username", token_data.get("id")),),
check_security=False,
**data,
)
user.user_roles = ["guillotina.Member"]
await notify(ObjectAddedEvent(user))
jwt_token, data = authenticate_user(user.id, timeout=app_settings["jwt"]["token_expiration"])
await notify(UserLogin(user, jwt_token))
return {"exp": data["exp"], "token": jwt_token}
async def __call__(self):
data = await self.request.json()
creds = {
'type': 'basic',
'token': data['password'],
'id': data.get('username', data.get('login'))
}
for validator in app_settings['auth_token_validators']:
if (validator.for_validators is not None and
'basic' not in validator.for_validators):
continue
user = await validator(self.request).validate(creds)
if user is not None:
break
if user is None:
raise HTTPUnauthorized(content={
'text': 'login failed'
})
jwt_token, data = authenticate_user(user.id)
await notify(UserLogin(user, jwt_token))
return {
'exp': data['exp'],
'token': jwt_token
}
async def __call__(self):
data = await self.request.json()
creds = {"type": "basic", "token": data["password"], "id": data.get("username", data.get("login"))}
for validator in app_settings["auth_token_validators"]:
if validator.for_validators is not None and "basic" not in validator.for_validators:
continue
user = await validator().validate(creds)
if user is not None:
break
if user is None:
raise HTTPUnauthorized(content={"text": "login failed"})
session_manager = query_utility(ISessionManagerUtility)
if session_manager is not None:
data = json.dumps(dict(self.request.headers))
session = await session_manager.new_session(user.id, data=data)
data = {"session": session}
else:
data = {}
jwt_token, data = authenticate_user(
user.id, timeout=app_settings["jwt"]["token_expiration"], data=data
)
await notify(UserLogin(user, jwt_token))
return {"exp": data["exp"], "token": jwt_token}
async def run(token_data, payload):
user_to_change_password = token_data["v_user"]
user = await find_user({"id": user_to_change_password})
await user.set_password(payload.get("password", None))
jwt_token, data = authenticate_user(
user.id, timeout=app_settings["jwt"]["token_expiration"])
await notify(UserLogin(user, jwt_token))
return {"exp": data["exp"], "token": jwt_token}
async def __call__(self):
data = await self.request.json()
creds = {"type": "basic", "token": data["password"], "id": data.get("username", data.get("login"))}
for validator in app_settings["auth_token_validators"]:
if validator.for_validators is not None and "basic" not in validator.for_validators:
continue
user = await validator().validate(creds)
if user is not None:
break
if user is None:
raise HTTPUnauthorized(content={"text": "login failed"})
jwt_token, data = authenticate_user(user.id)
await notify(UserLogin(user, jwt_token))
return {"exp": data["exp"], "token": jwt_token}
async def run(token_data, payload):
util = get_utility(ILDAPUsers)
try:
await util.add_user(token_data["id"], token_data.get("fullname", ""))
except bonsai.AlreadyExists:
pass
if "password" in token_data:
await util.set_password(token_data["id"], token_data['password'])
elif "password" in payload:
await util.set_password(token_data["id"], payload['password'])
user = util.create_g_user(token_data['id'], token_data.get("fullname", ""))
jwt_token, data = authenticate_user(
user.id, timeout=app_settings["jwt"]["token_expiration"])
await notify(UserLogin(user, jwt_token))
return {"exp": data["exp"], "token": jwt_token}
async def auth_callback(context, request):
provider = request.matchdict['provider']
if provider in utils.oauth1_providers:
oauth_verifier = request.url.query.get('oauth_verifier')
oauth_token = request.url.query.get('oauth_token')
client = utils.get_client(provider, oauth_token=oauth_token)
cache_utility = get_utility(ICacheUtility)
request_token = await cache_utility.get(CACHE_PREFIX + oauth_token)
if request_token is None:
raise web.HTTPBadRequest(
reason='Failed to obtain proper request token.')
oauth_token, oauth_token_secret, otoken_data = await client.get_access_token( # noqa
oauth_verifier, oauth_token)
client_args = dict(oauth_token=oauth_token,
oauth_token_secret=oauth_token_secret)
else:
client = utils.get_client(provider)
if 'error' in request.url.query:
raise HTTPBadRequest(content=dict(request.url.query))
if 'code' not in request.url.query:
raise HTTPBadRequest(content=dict(request.url.query))
code = request.url.query['code']
if 'callback' not in request.url.query:
callback = str(request.url.with_path('@callback/' + provider))
else:
callback = request.url.query['callback']
forwarded_proto = request.headers.get('X-Forwarded-Proto', None)
if forwarded_proto and forwarded_proto != request.scheme:
callback = callback.replace(request.scheme + '://',
forwarded_proto + '://')
otoken, otoken_data = await client.get_access_token(
code, redirect_uri=callback)
client_args = dict(access_token=otoken,
refresh_token=otoken_data['refresh_token'])
if 'expires_in' in otoken_data:
timeout = otoken_data['expires_in']
else:
timeout = 60 * 60 * 1
client = utils.get_client(provider, **client_args)
user, user_data = await client.user_info()
jwt_token, data = authenticate_user(
user.id, {
'first_name': user.first_name,
'last_name': user.last_name,
'email': user.email,
'username': user.username,
'client': provider,
'client_args': client_args,
'allowed_scopes': user_data.get('allowed_scopes'),
'scope': request.url.query.get('scope').split(' '),
'identifier': 'oauth'
},
timeout=timeout)
await notify(UserLogin(user, jwt_token))
result = {'exp': data['exp'], 'token': jwt_token}
if app_settings.get('auth_callback_url'):
url = yarl.URL(app_settings['auth_callback_url']).with_query(result)
return HTTPFound(str(url))
return result
async def _login_user(request, accept_data, user):
# log user in directly now
async with aiohttp.ClientSession() as session:
csrf = await utils.get_csrf_cookie_str(request)
async with session.get(
accept_data['redirect_to'], headers={
'Cookie': csrf
}, allow_redirects=False) as resp:
assert resp.status == 302
url = URL(resp.headers['Location'])
challenge = url.query['consent_challenge']
consent = await _get_consent(challenge)
accept_request = await hydra_admin_request(
'put', os.path.join('consent', challenge, 'accept'),
json={
'grant_scope': consent['requested_scope'],
# The session allows us to set session data for id
# and access tokens
'session': {
'access_token': {
'username': user['username'],
},
'id_token': {
'username': user['username'],
'email': user['email'],
'phone': user['phone'],
'data': user['data'],
'allowed_scopes': user['allowed_scopes'],
}
},
'remember': False,
'remember_for': 3600
}
)
auth_url = URL(accept_request['redirect_to'])
async with session.get(
auth_url, headers={
'Cookie': csrf
}, allow_redirects=False) as resp:
url = URL(resp.headers['Location'])
assert 'code' in url.query
code = url.query['code']
client = auth_utils.get_client('hydra')
callback = auth_url.query['redirect_uri']
otoken, _ = await client.get_access_token(
code, redirect_uri=callback)
client_args = dict(access_token=otoken)
user, user_data = await client.user_info()
jwt_token, data = authenticate_user(user.id, {
'first_name': user.first_name,
'last_name': user.last_name,
'email': user.email,
'username': user.username,
'client': 'hydra',
'client_args': client_args,
'allowed_scopes': user_data.get('allowed_scopes'),
'scope': consent['requested_scope'],
})
await notify(UserLogin(user, jwt_token))
return {
'exp': data['exp'],
'token': jwt_token
}
