def get_auth_type_and_token_from_header(raw_auth_header_val):
"""
Return an Auth Header's Type and Token
Input should be in the form of 'Barer token data' or 'Basic token data'
"""
if not raw_auth_header_val:
raise AuthenticationError("No Header Value Given")
return raw_auth_header_val.split(' ', 1)
def get_user_by_token(token):
"""
Given a raw token, attempt to validate it
TODO: Rename this credential_token?
"""
try:
decoded_token = base64.b64decode(token)
except TypeError, e:
raise AuthenticationError(e)
def get_user_and_login_from_access_token(access_token):
"""
Resolve an internal AuthUser and AuthLogin for a given JWT access_token
"""
user_data = read_access_token(access_token)
if not user_data:
raise AuthenticationError('Unable to get data off valid token. Version error?')
# Get version stamp
version = user_data.get(TOKEN_KEYS_V1.VERSION, None)
if (version != 1):
raise AuthenticationError('Unsupported token version: %s ' % version)
# Get critical bits off user token
user_id = user_data.get(TOKEN_KEYS_V1.USER_ID, None) # i.e. resource id
login_auth_type = user_data.get(TOKEN_KEYS_V1.LOGIN_TYPE, None) # i.e "google"
login_auth_key = user_data.get(TOKEN_KEYS_V1.LOGIN_KEY, None) # i.e. google uid or user id
# Resolve User Model
user = users_api.get_user_by_id(user_id)
if not user:
raise AuthenticationError('Could not resolve user. Have they been deleted?')
user_key = get_key_from_resource_id(user.id)
# Resolve the active login used originally regardless of type
if not login_auth_type:
# How did you originally login?
raise AuthenticationError("Could not determine login auth type from key")
if not login_auth_key:
# How did you originally login?
raise AuthenticationError("Could not determine login auth key from key")
l_key = users_api.AuthUserMethodEntity.generate_key(user_key, login_auth_type, login_auth_key)
login = l_key.get()
return user, login
def authenticate(auth_scheme, auth_credentials):
"""
Given a auth_type and auth_token, attempt to authenticate
:returns: A 2-tuple of AuthUser, AuthLogin
"""
if (auth_scheme.lower() == 'basic'):
# Using Basic Auth - dip into service
return basic.get_user_by_token(auth_credentials)
elif (auth_scheme.lower() == 'bearer'):
# This is our internal access token
return access_tokens_api.get_user_and_login_from_access_token(auth_credentials)
else:
raise AuthenticationError("Unsupported authentication type: %s" % auth_scheme)
def read_access_token(access_token):
"""
Attempt to decode the JWT Access Token
:param access_token: A string access token
:returns: A dict data payload encoded into the token
"""
try:
jwt_payload = jwt.decode(access_token,
auth_settings.JWT_SECRET,
algorithm=JWT_ALGORITHM,
audience=auth_settings.JWT_AUDIENCE,
issuer=auth_settings.JWT_ISSUER)
return jwt_payload.get('data', {})
except jwt.ExpiredSignatureError, e:
# Token has expired
logging.error("JWT Expired: " + str(e))
raise AuthenticationError("JWT Token Expired")
jwt_payload = jwt.decode(access_token,
auth_settings.JWT_SECRET,
algorithm=JWT_ALGORITHM,
audience=auth_settings.JWT_AUDIENCE,
issuer=auth_settings.JWT_ISSUER)
return jwt_payload.get('data', {})
except jwt.ExpiredSignatureError, e:
# Token has expired
logging.error("JWT Expired: " + str(e))
raise AuthenticationError("JWT Token Expired")
except jwt.InvalidTokenError, e:
# Log the JWT exception for debugging
logging.error("JWT Decode Error" + str(e))
raise AuthenticationError("Unable to decode JWT token")
def get_user_and_login_from_access_token(access_token):
"""
Resolve an internal AuthUser and AuthLogin for a given JWT access_token
"""
user_data = read_access_token(access_token)
if not user_data:
raise AuthenticationError('Unable to get data off valid token. Version error?')
# Get version stamp
version = user_data.get(TOKEN_KEYS_V1.VERSION, None)
if (version != 1):
raise AuthenticationError('Unsupported token version: %s ' % version)
def get_user_by_token(token):
"""
Given a raw token, attempt to validate it
TODO: Rename this credential_token?
"""
try:
decoded_token = base64.b64decode(token)
except TypeError, e:
raise AuthenticationError(e)
try:
un, pw = decoded_token.split(':')
except ValueError, e:
raise AuthenticationError(e)
# TODO: Replace with internal.api.users.get_by_username
user = AuthUserEntity.query(AuthUserEntity.username == un).get()
if not user:
raise AuthenticationError('Username is invalid')
# TODO: Reduce this to an api method
l_key = AuthUserMethodEntity.generate_key(
user.key, 'basic', get_resource_id_from_key(user.key))
login = l_key.get()
if not login:
raise AuthenticationError("Could not find login for user")
pwhash, pwsalt = login.auth_data.split(":")