def _decode_header(auth_header, client_id, client_secret):
"""
Takes the header and tries to return an active token and decoded
payload.
:param auth_header:
:param client_id:
:param client_secret:
:return: (token, profile)
"""
try:
token = auth_header.split()[1]
payload = jwt.decode(
token,
client_secret,
audience=client_id)
except jwt.ExpiredSignature:
raise exceptions.NotAuthorizedException(
'Token has expired, please log in again.')
# is valid client
except jwt.InvalidAudienceError:
message = 'Incorrect audience, expected: {}'.format(
client_id)
raise exceptions.NotAuthorizedException(message)
# is valid token
except jwt.DecodeError:
raise exceptions.NotAuthorizedException(
'Token signature could not be validated.')
except Exception as e:
raise exceptions.NotAuthorizedException(
'Token signature was malformed. {}'.format(e.message))
return token, payload
def callback_handling():
code = flask.request.args.get('code')
if code is None:
raise exceptions.NotAuthorizedException(
'The callback expects a well '
'formatted code, {} was provided'.format(code))
json_header = {'content-type': 'application/json'}
# Get auth token
token_url = "https://{domain}/oauth/token".format(domain=domain)
token_payload = {
'client_id': client_id,
'client_secret': client_secret,
'redirect_uri': redirect_uri,
'code': code,
'grant_type': 'authorization_code'}
try:
token_info = requests.post(
token_url,
data=json.dumps(token_payload),
headers=json_header).json()
id_token = token_info['id_token']
access_token = token_info['access_token']
except Exception as e:
raise exceptions.NotAuthorizedException(
'The callback from Auth0 did not'
'include the expected tokens: \n'
'{}'.format(e.message))
# Get profile information
try:
user_url = \
"https://{domain}/userinfo?access_token={access_token}".format(
domain=domain, access_token=access_token)
user_info = requests.get(user_url).json()
email = user_info['email']
except Exception as e:
raise exceptions.NotAuthorizedException(
'The user profile from Auth0 did '
'not contain the expected data: \n {}'.format(e.message))
# Log token in
user = cache.get(email)
if user and user['authorized']:
cache.set(id_token, user_info)
return flask.redirect('/login?code={}'.format(id_token))
else:
return flask.redirect('/login')
def index():
response = flask.render_template('index.html', info=app.serverStatus)
if app.config.get('AUTH0_ENABLED'):
key = (flask.request.args.get('key'))
try:
print(key)
profile = app.cache.get(key)
except:
raise exceptions.NotAuthorizedException()
if (profile):
return response
else:
exceptions.NotAuthenticatedException()
else:
return response
def decorated(*args, **kwargs):
# This decorator will only apply with AUTH0_ENABLED set to True.
if app.config.get('AUTH0_ENABLED', False):
client_id = app.config.get("AUTH0_CLIENT_ID")
client_secret = app.config.get("AUTH0_CLIENT_SECRET")
auth_header = flask.request.headers.get('Authorization', None)
# Each of these functions will throw a 401 is there is a
# problem decoding the token with some helpful error message.
if auth_header:
token, profile = decode_header(
auth_header, client_id, client_secret)
else:
raise exceptions.NotAuthorizedException()
# We store the token in the session so that later
# stages can use it to connect identity and authorization.
flask.session['auth0_key'] = token
# Now we need to make sure that on top of having a good token
# They are authorized, and if not provide an error message
is_authorized(app.cache, profile['email'])
is_active(app.cache, token)
return f(*args, **kwargs)
def _well_formed(auth_header):
parts = auth_header.split()
if len(parts) > 2:
raise exceptions.NotAuthorizedException(
'Authorization header must be Bearer + \s + token.')
return auth_header
def _has_token(auth_header):
parts = auth_header.split()
if len(parts) == 1:
raise exceptions.NotAuthorizedException(
'Token not found in header.')
return auth_header
def _has_bearer(auth_header):
parts = auth_header.split()
if parts[0].lower() != 'bearer':
raise exceptions.NotAuthorizedException(
'Authorization header must start with "Bearer".')
return auth_header
def _has_header(auth_header):
if not auth_header:
raise exceptions.NotAuthorizedException(
'Authorization header is expected.')
return auth_header