def AuthPage(svc, rduri, cid, name, pw, state, resptype, scope):
clients = clientdb.ClientDB()
try:
# check client_id valid
client = clients.find_client(cid)
if client is None:
raise AuthClientError()
# check redirect_uri match client_id
if not client.check_redirect_uri(rduri):
raise AuthClientError()
# check client_id may use response_type
if not client.check_response_type(resptype):
raise AuthError(rduri, 'invalid_client')
user = UserManager.LoadUser(name)
if (user == None):
raise AuthError(rduri, 'access_denied')
if not scope:
scopes = client.get_scopes()
else:
scopes = scope.split(' ')
for one_scope in scopes:
if not client.check_scope(one_scope):
raise AuthError(rduri, 'invalid_scope')
if (user.Authorize(pw)):
session = Session(user, svc.client_address[0], scopes=scopes)
session.RecordLogin(True)
if resptype == "code":
# give session, so other info may be recorded
code = Auth.RecordSession(session, cid)
target_uri = "%s?code=%s" % (rduri, code)
if state:
target_uri += "&state=%s" % state
elif resptype == "token":
token = session.GetID()
target_uri = "%s?access_token=%s&token_type=session&expires_in=%d&scope=%s" % (
rduri, token, Config.SESSION_TIMEOUT_SECONDS,
' '.join(scopes))
if state:
target_uri += "&state=%s" % state
else:
raise AuthError(rduri, 'unsupported_response_type')
svc.send_response(302)
svc.send_header('Location', target_uri)
svc.send_header('Content-Length', 0)
svc.end_headers()
svc.wfile.flush()
else:
raise AuthError(rduri, 'access_denied')
finally:
clients.close()
def HandleLogin(svc, username, passwd):
user = UserManager.LoadUser(username)
if (user == None):
raise Unauthorized('Login failed')
if (user.Authorize(passwd)):
session = Session(user, svc.client_address[0])
ret = {}
ret['session'] = session.GetID()
svc.writedata(json.dumps(ret))
else:
raise Unauthorized('Login failed')
def GetToken(svc, params, rduri, type, cid, csec):
clients = clientdb.ClientDB()
try:
# check client_id valid // invalid_client
client = clients.find_client(cid)
if client is None:
raise AuthClientError()
# check client_secret match client_id // invalid_client
if not client.check_secret(csec):
raise AuthClientError()
if not rduri:
rduri = client.get_default_redirect_uri()
else:
# check redirect_uri match client_id // invalid_client
if not client.check_redirect_uri(rduri):
raise AuthClientError()
if not type:
raise AuthError(rduri, 'invalid_request')
# check client_id may use grant_type // unauthorized_client
if not client.check_grant_type(type):
raise AuthError(rduri, 'unauthorized_client')
if type == 'authorization_code':
if (not params.has_key('code')):
raise AuthError(rduri, 'invalid_request')
code = params['code']
(sessid, uid, scopes) = Auth.SessionInfoFromCode(code, cid)
if (sessid == None):
raise AuthError(rduri, 'invalid_grant')
Auth.RemoveCode(code)
elif type == "refresh_token":
if not params.has_key('refresh_token'):
raise AuthError(rduri, 'invalid_grant')
old_refresh_token = svc.get_str(params, "refresh_token")
refreshments = RefreshTokens()
try:
old_token = refreshments.find(old_refresh_token)
if old_token is None:
raise AuthError(rduri, 'invalid_grant')
if old_token['client_id'] != cid:
raise AuthError(rduri, 'invalid_grant')
uid = old_token['uid']
scopes = old_token['scopes']
user = UserManager.LoadUserByUid(uid)
session = Session(user,
svc.client_address[0],
scopes=scopes.split(','))
session.RecordLogin(True)
sessid = session.GetID()
refreshments.remove(old_refresh_token)
finally:
refreshments.close()
else:
raise AuthError(rduri, 'unsupported_grant_type')
resp = {}
resp['access_token'] = sessid
resp['token_type'] = 'session'
resp['expires_in'] = Config.SESSION_TIMEOUT_SECONDS
resp['scope'] = ' '.join(scopes)
if client.check_grant_type('refresh_token'):
refreshments = RefreshTokens()
try:
refresh_token = refreshments.new(uid, cid,
svc.client_address[0],
scopes)
finally:
refreshments.close()
resp['refresh_token'] = refresh_token
svc.writedata(json.dumps(resp))
finally:
clients.close()
