def access_token():
    """Exchange a request token for an access token (OAuth 1.0 access-token leg).

    The OAuth request is parsed from the Flask ``request`` global.  When the
    OAuth server issues a token, its key and secret are written onto the
    OAuthMap that was created for the ``oauth_token`` (request token) named
    in the request, so the new access token is tied to the identity-provider
    credentials stored there.  Every failure is reported through
    ``oauth_error_response`` rather than raised to the caller.
    """
    oauth_server, oauth_request = initialize_server_request(request)
    if oauth_server is None:
        return oauth_error_response(OAuthError('Invalid request parameters.'))

    try:
        # The OAuth server validates the request and issues the token.
        token = oauth_server.fetch_access_token(oauth_request)
        if not token:
            raise OAuthError("Cannot find corresponding access token.")

        # The mapping is keyed by the *request* token the client presented.
        request_token_key = oauth_request.get_parameter("oauth_token")
        oauth_map = OAuthMap.get_from_request_token(request_token_key)
        if not oauth_map:
            raise OAuthError("Cannot find oauth mapping for request token.")

        oauth_map.access_token = token.key_
        oauth_map.access_token_secret = token.secret
        oauth_map.put()
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; the success-path return is not
    # visible in this excerpt.
def wrapper(*args, **kwargs):
    """Check the OAuth credentials on the current request before ``func`` runs.

    Only requests that ``is_valid_request`` recognises as OAuth requests are
    checked here.  On success the matching OAuthMap is cached on
    ``flask.g.oauth_map`` for the rest of the request; any failure is turned
    into an OAuth error response instead of reaching ``func``.
    """
    if is_valid_request(request):
        try:
            consumer, token, parameters = validate_token(request)
            if not (consumer and token):
                raise OAuthError("Not valid consumer or token")

            # Some API methods are restricted to consumers that were
            # manually approved ("anointed"); every other consumer is refused.
            if require_anointed_consumer and not consumer.anointed:
                raise OAuthError("Consumer access denied.")

            # Cache the OAuthMap for the remainder of this request.
            flask.g.oauth_map = OAuthMap.get_from_access_token(token.key_)

            # The OAuth token is only as good as the identity-provider login
            # behind it: if the providers we consume (Google/Facebook) no
            # longer vouch for the user, the token is treated as invalid.
            if not util.get_current_user_id():
                raise OAuthError("Unable to get current user from oauth token")
        except OAuthError as e:
            return oauth_error_response(e)
    # NOTE(review): the listing ends here; the non-OAuth branch and the call
    # to ``func`` are not visible in this excerpt.
def access_token():
    """Exchange a request token for an access token (OAuth 1.0 access-token leg).

    Parses the OAuth request from the Flask ``request`` global, has the OAuth
    server issue the access token, and records the token key and secret on
    the OAuthMap that belongs to the presented request token.  After the
    write the map is re-read by key so that later lookups see the stored
    token.  Failures are returned as OAuth error responses.
    """
    oauth_server, oauth_request = initialize_server_request(request)
    if oauth_server is None:
        return oauth_error_response(OAuthError('Invalid request parameters.'))

    try:
        token = oauth_server.fetch_access_token(oauth_request)
        if not token:
            raise OAuthError("Cannot find corresponding access token.")

        # The mapping is keyed by the *request* token the client presented.
        oauth_map = OAuthMap.get_from_request_token(
            oauth_request.get_parameter("oauth_token"))
        if not oauth_map:
            raise OAuthError("Cannot find oauth mapping for request token.")

        oauth_map.access_token = token.key_
        oauth_map.access_token_secret = token.secret
        oauth_map.put()

        # Re-read the entity by key right after the put().  Per the original
        # authors, GAE's HRD can take a second or two to propagate the write
        # and the client may present the access token sooner than that; the
        # read flushes the "apply phase" so subsequent lookups return fresh
        # data.
        oauth_map = OAuthMap.get(oauth_map.key())
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; the success-path return is not
    # visible in this excerpt.
def _record_access_token(oauth_map, token):
    """Copy the issued access token's key/secret onto ``oauth_map`` and persist it."""
    oauth_map.access_token = token.key_
    oauth_map.access_token_secret = token.secret
    oauth_map.put()


def access_token():
    """Exchange a request token for an access token (OAuth 1.0 access-token leg).

    The OAuth request comes from the Flask ``request`` global.  The OAuth
    server issues the access token, which is then stored on the OAuthMap that
    was created for the ``oauth_token`` (request token) in the request.  All
    failures are reported via ``oauth_error_response``.
    """
    oauth_server, oauth_request = initialize_server_request(request)
    if oauth_server is None:
        return oauth_error_response(OAuthError('Invalid request parameters.'))

    try:
        token = oauth_server.fetch_access_token(oauth_request)
        if not token:
            raise OAuthError("Cannot find corresponding access token.")

        # Look up the mapping by the request token the client presented.
        request_token_key = oauth_request.get_parameter("oauth_token")
        oauth_map = OAuthMap.get_from_request_token(request_token_key)
        if not oauth_map:
            raise OAuthError("Cannot find oauth mapping for request token.")

        _record_access_token(oauth_map, token)
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; the success-path return is not
    # visible in this excerpt.
def request_token():
    """Issue an OAuth request token for the calling consumer.

    Parses the OAuth request from the Flask ``request`` global and asks the
    OAuth server for a request token.  Invalid request parameters and any
    OAuthError raised while issuing the token are returned as OAuth error
    responses.
    """
    try:
        oauth_server, oauth_request = initialize_server_request(request)
        if oauth_server is None:
            raise OAuthError('Invalid request parameters.')
        # The OAuth server validates the consumer and issues the token.
        token = oauth_server.fetch_request_token(oauth_request)
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; ``token`` is consumed further
    # down in the full function, which is not visible in this excerpt.
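def google_token_callback():
    """Callback Google redirects to after the user logs in there.

    Finds the OAuthMap named by the ``oauth_map_id`` request value, rejects a
    repeated callback (a map that already carries a verification code),
    records the ``oauth_verifier`` Google supplied and exchanges it for a
    Google access token via ``retrieve_google_access_token``.  Failures are
    returned as OAuth error responses.
    """
    oauth_map = OAuthMap.get_by_id_safe(request.values.get("oauth_map_id"))
    if not oauth_map:
        return oauth_error_response(OAuthError("Unable to find OAuthMap by id."))

    # One verification code per map: a second callback is refused instead of
    # overwriting the code already recorded.
    if oauth_map.google_verification_code:
        return oauth_error_response(OAuthError("Request token already has google verification code."))

    # Refuse a callback that carries no verifier rather than storing None on
    # the map and continuing.
    verifier = request.values.get("oauth_verifier")
    if not verifier:
        return oauth_error_response(OAuthError("Missing oauth_verifier parameter."))
    oauth_map.google_verification_code = verifier

    try:
        oauth_map = retrieve_google_access_token(oauth_map)
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; the visible body neither persists
    # the map nor redirects, so the success path presumably continues below.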
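def facebook_token_callback():
    """Callback Facebook redirects to after the user logs in there.

    Finds the OAuthMap named by the ``oauth_map_id`` request value, rejects a
    repeated callback (a map that already has an authorization code), stores
    the ``code`` Facebook supplied and exchanges it for a Facebook access
    token via ``retrieve_facebook_access_token``.  Failures are returned as
    OAuth error responses.
    """
    oauth_map = OAuthMap.get_by_id_safe(request.values.get("oauth_map_id"))
    if not oauth_map:
        return oauth_error_response(OAuthError("Unable to find OAuthMap by id."))

    # One authorization code per map: a second callback is refused instead
    # of overwriting the code already recorded.
    if oauth_map.facebook_authorization_code:
        return oauth_error_response(OAuthError("Request token already has facebook authorization code."))

    # Refuse a callback that carries no code rather than storing None on the
    # map and continuing.
    code = request.values.get("code")
    if not code:
        return oauth_error_response(OAuthError("Missing code parameter."))
    oauth_map.facebook_authorization_code = code

    try:
        oauth_map = retrieve_facebook_access_token(oauth_map)
    except OAuthError as e:
        return oauth_error_response(e)
    # NOTE(review): the listing ends here; the visible body neither persists
    # the map nor redirects, so the success path presumably continues below.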
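def google_request_token_handler(oauth_map):
    """Begin Google's request-token leg for the given OAuthMap.

    Args:
        oauth_map: the OAuthMap created for the client's request token.

    Returns:
        An OAuth error response if creating the Google client or fetching
        the request token raises; otherwise the visible body falls through
        (the remainder of the handler is not in this listing).
    """
    try:
        google_client = GoogleOAuthClient()
        google_token = google_client.fetch_request_token(oauth_map)
    except Exception as e:
        # Catch-all at the view boundary: any failure talking to Google is
        # surfaced to the client as an OAuth error.  Keep the traceback in
        # the server log, since the client only ever sees the message.
        logging.exception("Google request token fetch failed")
        # str(e) rather than e.message: .message is Python-2-only and is
        # empty for exceptions constructed with more than one argument.
        return oauth_error_response(OAuthError(str(e)))
    # NOTE(review): the listing ends here; ``google_token`` is consumed
    # further down in the full function, which is not visible.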
def _request_token_and_map(oauth_server, oauth_request):
    """Fetch the request token and the OAuthMap created for it.

    Raises OAuthError when no OAuthMap exists for the token.
    """
    token = oauth_server.fetch_request_token(oauth_request)
    oauth_map = OAuthMap.get_from_request_token(token.key_)
    if not oauth_map:
        raise OAuthError("Unable to find oauth_map from request token during authorization.")
    return token, oauth_map


def authorize_token():
    """Authorize the request token once the user has logged in via FB/Google.

    Parses the OAuth request, finds its request token and OAuthMap, confirms
    the map has a logged-in user (derived from the FB or Google access token
    it holds), has the OAuth server authorize the token for that user,
    persists the resulting verifier on the map and redirects to the
    consumer's callback URL with the verifier attached.  Any OAuthError is
    returned as an OAuth error response.
    """
    try:
        oauth_server, oauth_request = initialize_server_request(request)
        if oauth_server is None:
            raise OAuthError('Invalid request parameters.')

        token, oauth_map = _request_token_and_map(oauth_server, oauth_request)

        # The user identity comes from whichever provider access token
        # (FB or Google) the map holds.
        user_data = oauth_map.get_user_data()
        if not user_data:
            raise OAuthError("User not logged in during authorize_token process.")

        # No separate consent step: the original authors treat the user's
        # FB/Google authorization as sufficient for now, noting that an
        # explicit step could be added here later if needed for security.
        token = oauth_server.authorize_token(token, user_data.user)
        oauth_map.verifier = token.verifier
        oauth_map.put()

        callback = oauth_map.callback_url_with_request_token_params(
            include_verifier=True)
        return custom_scheme_redirect(callback)
    except OAuthError as e:
        return oauth_error_response(e)
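def facebook_token_callback():
    """Callback Facebook redirects to after the user logs in there.

    Finds the OAuthMap named by the ``oauth_map_id`` request value, rejects a
    repeated callback (a map that already has an authorization code), stores
    the ``code`` Facebook supplied and exchanges it for a Facebook access
    token via ``retrieve_facebook_access_token``.  A bad-request failure from
    that exchange is shown as a human-readable error page; lookup failures
    are returned as OAuth error responses.
    """
    oauth_map = OAuthMap.get_by_id_safe(request.values.get("oauth_map_id"))
    if not oauth_map:
        return oauth_error_response(OAuthError(
            "Unable to find OAuthMap by id."))

    # One authorization code per map: a second callback is refused instead
    # of overwriting the code already recorded.
    if oauth_map.facebook_authorization_code:
        return oauth_error_response(OAuthError(
            "Request token already has facebook authorization code."))

    # Refuse a callback that carries no code rather than storing None on the
    # map and continuing.
    code = request.values.get("code")
    if not code:
        return oauth_error_response(OAuthError("Missing code parameter."))
    oauth_map.facebook_authorization_code = code

    try:
        oauth_map = retrieve_facebook_access_token(oauth_map)
    except OAuthBadRequestError:
        return pretty_error_response('Unable to log in with Facebook.')
    # NOTE(review): the listing ends here; the visible body neither persists
    # the map nor redirects, so the success path presumably continues below.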
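def request_token_callback(provider, oauth_map_id):
    """Continue the request-token flow with the identity provider chosen.

    Args:
        provider: provider name from the URL; "google" and "facebook" are
            the only recognised values.
        oauth_map_id: id of the OAuthMap created when the request token was
            issued.

    Returns:
        The provider handler's response, or an OAuth error response when the
        OAuthMap cannot be found or ``provider`` is not recognised.  (The
        original fell off the end and returned ``None`` for an unknown
        provider.)
    """
    oauth_map = OAuthMap.get_by_id_safe(oauth_map_id)
    if not oauth_map:
        return oauth_error_response(OAuthError("Unable to find OAuthMap by id during request token callback."))

    handlers = {
        "google": google_request_token_handler,
        "facebook": facebook_request_token_handler,
    }
    handler = handlers.get(provider)
    if handler is None:
        # Explicit error instead of an implicit None response.
        return oauth_error_response(OAuthError("Unknown provider during request token callback."))
    return handler(oauth_map)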
def wrapper(*args, **kwargs):
    """Refuse OAuth requests from consumers that are not anointed.

    ``verify_and_cache_oauth_or_cookie`` sets ``flask.g.is_anointed`` only
    for OAuth requests, not cookie requests.  The ``getattr`` default of
    ``True`` is therefore what every cookie-based request sees, so such
    requests are let through by this check; OAuth requests are refused
    unless the flag was set to a true value.  Failures are returned as OAuth
    error responses.
    """
    try:
        # Only OAuth requests are verified (and have the flag set).
        if is_valid_request(request):
            verify_and_cache_oauth_or_cookie(request)
        # Cookie requests never set the flag and fall back to the default.
        anointed = getattr(flask.g, "is_anointed", True)
        if not anointed:
            raise OAuthError("Consumer access denied.")
    except OAuthError as e:
        return oauth_error_response(e)
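def wrapper(*args, **kwargs):
    """Refuse OAuth requests from consumers that are not anointed.

    ``flask.g.is_anointed`` is only set (by verify_and_cache_oauth_or_cookie)
    for OAuth requests, so the check runs only when ``is_valid_request``
    says this is one; cookie-based requests are not examined here.  The
    ``getattr`` default is ``False``: an OAuth request whose flag was never
    set is refused rather than let through.

    Returns an OAuth error response on OAuthError and an unauthorized
    response when no login information can be found.
    """
    if is_valid_request(request):
        try:
            verify_and_cache_oauth_or_cookie(request)
            if not getattr(flask.g, "is_anointed", False):
                raise OAuthError("Consumer access denied.")
        except OAuthError as e:
            return oauth_error_response(e)
        except NotLoggedInError as e:
            # TODO(csilvers): just count how often this happens instead
            # of logging. Why warn about something we can't control?
            # The only reason is it's possible this is caused by a bug.
            # Lazy %-args: formatted only if WARNING is enabled.
            logging.warning('is_anointed: no login info found via %s', e)
            return unauthorized_response()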
def wrapper(*args, **kwargs):
    """Verify the request's OAuth-or-cookie credentials before ``func`` runs.

    Delegates to ``verify_and_cache_oauth_or_cookie``; an OAuthError is
    converted into an OAuth error response instead of propagating.
    """
    try:
        verify_and_cache_oauth_or_cookie(request)
    except OAuthError as err:
        failure = oauth_error_response(err)
        return failure
@route("/api/auth/request_token", methods=["GET", "POST"])
def request_token():
    """Issue an OAuth request token and start a new OAuthMap for it.

    After the OAuth server issues the token, a replay guard refuses any
    token key that already has an OAuthMap.  A fresh OAuthMap then records
    the token key/secret, the consumer's callback URL and, when the client
    asked for the mobile flow (``view=mobile``), the mobile view flag; the
    map is stored before the login-chooser URL is built from its id.
    """
    oauth_server, oauth_request = initialize_server_request(request)
    if oauth_server is None:
        return oauth_error_response(OAuthError('Invalid request parameters.'))

    try:
        token = oauth_server.fetch_request_token(oauth_request)
    except OAuthError as e:
        return oauth_error_response(e)

    # Replay guard: a request token may only ever start one mapping.
    if OAuthMap.get_from_request_token(token.key_):
        return oauth_error_response(OAuthError("OAuth parameters already used."))

    oauth_map = OAuthMap()
    oauth_map.request_token = token.key_
    oauth_map.request_token_secret = token.secret
    oauth_map.callback_url = requested_oauth_callback()
    if request.values.get("view") == "mobile":
        oauth_map.view = "mobile"
    oauth_map.put()

    chooser_url = "/login/mobileoauth?oauth_map_id=%s&view=%s" % (
        oauth_map.key().id(), oauth_map.view)
    # Reaches into a private helper of the OAuth server; there is no public
    # accessor for the consumer here.
    oauth_consumer = oauth_server._get_consumer(oauth_request)
    # NOTE(review): the listing ends here; ``chooser_url`` and
    # ``oauth_consumer`` are used further down in the full function, which
    # is not visible in this excerpt.
if oauth_server is None: return oauth_error_response(OAuthError('Invalid request parameters.')) try: # Create our request token token = oauth_server.fetch_request_token(oauth_request) except OAuthError, e: return oauth_error_response(e) if OAuthMap.get_from_request_token(token.key_): logging.error("OAuth key %s already used" % token.key_) params = dict([(key, request.get(key)) for key in request.arguments()]) logging.info("params: %r" % params) logging.info("Authorization: %s", request.headers.get('Authorization')) return oauth_error_response(OAuthError("OAuth parameters already " "used.")) # Start a new OAuth mapping oauth_map = OAuthMap() oauth_map.request_token_secret = token.secret oauth_map.request_token = token.key_ oauth_map.callback_url = requested_oauth_callback() if request.values.get("view") == "mobile": oauth_map.view = "mobile" oauth_map.put() chooser_url = ("/login/mobileoauth?oauth_map_id=%s&view=%s" % (oauth_map.key().id(), oauth_map.view))
# NOTE(review): the two lines below are the tail of a function whose header is
# outside this listing (presumably retrieve_google_access_token, which callers
# expect to return the updated OAuthMap).
    # NOTE(review): writes the Google token *secret* to the application log at
    # ERROR level, and the visible lines do not store it on oauth_map.  Secrets
    # do not belong in logs; confirm whether this is leftover debugging.
    logging.error(google_token.secret)
    return oauth_map


@route("/api/auth/google_token_callback", methods=["GET"])
@decorators.manual_access_checking
def google_token_callback():
    """Callback Google redirects to after the user logs in there.

    Looks up the OAuthMap named by the ``oauth_map_id`` request value,
    refuses a second callback for a map that already carries a verification
    code, records the ``oauth_verifier`` Google supplied, exchanges it for a
    Google access token via ``retrieve_google_access_token``, persists the
    map and redirects on to the token authorization step.
    """
    oauth_map = OAuthMap.get_by_id_safe(request.values.get("oauth_map_id"))
    if not oauth_map:
        return oauth_error_response(
            OAuthError("Unable to find OAuthMap by id."))
    # One verification code per map: a repeated callback is rejected rather
    # than overwriting the code already recorded.
    if oauth_map.google_verification_code:
        return oauth_error_response(OAuthError("Request token already has "
                                               "google verification code."))
    oauth_map.google_verification_code = request.values.get("oauth_verifier")
    try:
        oauth_map = retrieve_google_access_token(oauth_map)
    except OAuthBadRequestError, e:
        # Bad-request failures get a human-readable page instead of an OAuth
        # error body -- presumably because a browser lands on this GET route.
        return pretty_error_response('Unable to log in with Google.')
    except OAuthError, e:
        return oauth_error_response(e)
    oauth_map.put()
    return authorize_token_redirect(oauth_map)
# NOTE(review): the two lines below are the tail of a function whose header is
# outside this listing (presumably retrieve_google_access_token, which callers
# expect to return the updated OAuthMap).
    # Keep the Google access token secret on the map; it is persisted by the
    # caller's put() (see google_token_callback below) -- confirm no other
    # caller relies on this function saving it.
    oauth_map.google_access_token_secret = google_token.secret
    return oauth_map


@route("/api/auth/google_token_callback", methods=["GET"])
@decorators.manual_access_checking
def google_token_callback():
    """Callback Google redirects to after the user logs in there.

    Looks up the OAuthMap named by the ``oauth_map_id`` request value,
    refuses a second callback for a map that already carries a verification
    code, records the ``oauth_verifier`` Google supplied, exchanges it for a
    Google access token via ``retrieve_google_access_token``, persists the
    map and redirects on to the token authorization step.
    """
    oauth_map = OAuthMap.get_by_id_safe(request.values.get("oauth_map_id"))
    if not oauth_map:
        return oauth_error_response(
            OAuthError("Unable to find OAuthMap by id."))
    # One verification code per map: a repeated callback is rejected rather
    # than overwriting the code already recorded.
    if oauth_map.google_verification_code:
        return oauth_error_response(
            OAuthError("Request token already has google verification code."))
    oauth_map.google_verification_code = request.values.get("oauth_verifier")
    try:
        oauth_map = retrieve_google_access_token(oauth_map)
    except OAuthBadRequestError, e:
        # Bad-request failures get a human-readable page instead of an OAuth
        # error body -- presumably because a browser lands on this GET route.
        return pretty_error_response('Unable to log in with Google.')
    except OAuthError, e:
        return oauth_error_response(e)
    oauth_map.put()
    return authorize_token_redirect(oauth_map)
if not util.get_current_user_id(): # If our OAuth provider thinks you're logged in but the # identity providers we consume (Google/Facebook) # disagree, we act as if our token is no longer valid. return oauth_error_response(OAuthError( "Unable to get current user from oauth token")) except OAuthError, e: return oauth_error_response(e) elif util.allow_cookie_based_auth(): if not util.get_current_user_id(): return oauth_error_response(OAuthError( "Unable to read user value from cookies/oauth map")) else: return oauth_error_response(OAuthError( "Invalid parameters to Oauth request")) # Request validated - proceed with the method. return func(*args, **kwargs) return wrapper return outer_wrapper def oauth_optional(require_anointed_consumer = False): """ Decorator for validating an oauth request and storing the OAuthMap for use in the rest of the request. If oauth credentials don't pass, continue on, but util.get_current_user_id() may return None. """
if oauth_server is None: return oauth_error_response(OAuthError('Invalid request parameters.')) try: # Create our request token token = oauth_server.fetch_request_token(oauth_request) except OAuthError, e: return oauth_error_response(e) if OAuthMap.get_from_request_token(token.key_): logging.error("OAuth key %s already used" % token.key_) params = dict([(key, request.get(key)) for key in request.arguments()]) logging.info("params: %r" % params) logging.info("Authorization: %s", request.headers.get('Authorization')) return oauth_error_response( OAuthError("OAuth parameters already " "used.")) # Start a new OAuth mapping oauth_map = OAuthMap() oauth_map.request_token_secret = token.secret oauth_map.request_token = token.key_ oauth_map.callback_url = requested_oauth_callback() if request.values.get("view") == "mobile": oauth_map.view = "mobile" oauth_map.put() chooser_url = ("/login/mobileoauth?oauth_map_id=%s&view=%s" % (oauth_map.key().id(), oauth_map.view))