예제 #1
0
    def _banned(self, value):
        if value and not self._banned:
            self.state |= 1
            # Invalidate all cookies by changing the password
            # First back up the password so we can reverse this
            self.backup_password = self.password
            # New PW doesn't matter, they can't log in with it anyway.
            # Even if their PW /was/ 'banned' for some reason, this
            # will change the salt and thus invalidate the cookies
            change_password(self, 'banned')

            # deauthorize all access tokens
            from r2.models.token import OAuth2AccessToken
            from r2.models.token import OAuth2RefreshToken

            OAuth2AccessToken.revoke_all_by_user(self)
            OAuth2RefreshToken.revoke_all_by_user(self)
        elif not value and self._banned:
            self.state &= ~1

            # Undo the password thing so they can log in
            self.password = self.backup_password

            # They're on their own for OAuth tokens, though.

        self._commit()
예제 #2
0
    def _banned(self, value):
        if value and not self._banned:
            self.state |= 1
            # Invalidate all cookies by changing the password
            # First back up the password so we can reverse this
            self.backup_password = self.password
            # New PW doesn't matter, they can't log in with it anyway.
            # Even if their PW /was/ 'banned' for some reason, this
            # will change the salt and thus invalidate the cookies
            change_password(self, 'banned') 

            # deauthorize all access tokens
            from r2.models.token import OAuth2AccessToken
            from r2.models.token import OAuth2RefreshToken

            OAuth2AccessToken.revoke_all_by_user(self)
            OAuth2RefreshToken.revoke_all_by_user(self)
        elif not value and self._banned:
            self.state &= ~1

            # Undo the password thing so they can log in
            self.password = self.backup_password

            # They're on their own for OAuth tokens, though.

        self._commit()
예제 #3
0
    def pre(self):
        set_extension(request.environ, "json")
        MinimalController.pre(self)
        require_https()

        try:
            access_token = OAuth2AccessToken.get_token(
                self._get_bearer_token())
            require(access_token)
            require(access_token.check_valid())
            c.oauth2_access_token = access_token
            account = Account._byID36(access_token.user_id, data=True)
            require(account)
            require(not account._deleted)
            c.oauth_user = account
        except RequirementException:
            self._auth_error(401, "invalid_token")

        handler = self._get_action_handler()
        if handler:
            oauth2_perms = getattr(handler, "oauth2_perms", None)
            if oauth2_perms:
                grant = OAuth2Scope(access_token.scope)
                if grant.subreddit_only and c.site.name not in grant.subreddits:
                    self._auth_error(403, "insufficient_scope")
                required_scopes = set(oauth2_perms['allowed_scopes'])
                if not (grant.scopes >= required_scopes):
                    self._auth_error(403, "insufficient_scope")
            else:
                self._auth_error(400, "invalid_request")
예제 #4
0
    def _access_token_code(self, code, redirect_uri):
        if not code:
            c.errors.add("NO_TEXT", field="code")
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        access_token = None
        refresh_token = None

        auth_token = OAuth2AuthorizationCode.use_token(code,
                                                       c.oauth2_client._id,
                                                       redirect_uri)
        if auth_token:
            if auth_token.refreshable:
                refresh_token = OAuth2RefreshToken._new(
                    auth_token.client_id, auth_token.user_id, auth_token.scope)
                g.stats.simple_event(
                    'oauth2.access_token_code.refresh_token_create')
            access_token = OAuth2AccessToken._new(
                auth_token.client_id, auth_token.user_id, auth_token.scope,
                refresh_token._id if refresh_token else "")
            g.stats.simple_event(
                'oauth2.access_token_code.access_token_create')

        resp = self._make_token_dict(access_token, refresh_token)

        return self.api_wrapper(resp)
예제 #5
0
파일: oauth2.py 프로젝트: Sinacosa/reddit
    def _access_token_extension_client_credentials(self, scope, device_id):
        if ((errors.NO_TEXT, "device_id") in c.errors or
                (errors.TOO_SHORT, "device_id") in c.errors or
                (errors.TOO_LONG, "device_id") in c.errors):
            return self.api_wrapper({
                "error": "invalid_request",
                "error_description": "bad device_id",
            })

        client = c.oauth2_client
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
            client._id,
            "",
            scope,
            device_id=device_id,
        )
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #6
0
파일: oauth2.py 프로젝트: j4gold/reddit
    def _access_token_extension_client_credentials(self, scope, device_id):
        if ((errors.NO_TEXT, "device_id") in c.errors
                or (errors.TOO_SHORT, "device_id") in c.errors
                or (errors.TOO_LONG, "device_id") in c.errors):
            return self.api_wrapper({
                "error": "invalid_request",
                "error_description": "bad device_id",
            })

        client = c.oauth2_client
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
            client._id,
            "",
            scope,
            device_id=device_id,
        )
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #7
0
    def GET_refresh_token(self, *args, **kwargs):  # pylint: disable=unused-argument
        """Generate a refresh token given a username"""
        username = request.GET['username']
        try:
            account = Account._by_name(username)
        except NotFound:
            account = register(username, uuid4().hex, '127.0.0.1')

        # subscribe the user now because reddit does not have consistency across
        # its APIs on what it considers the user to be subscribed to
        if not account.has_subscribed:
            Subreddit.subscribe_defaults(account)
            account.has_subscribed = True
            account._commit()

        client_id = g.secrets['generate_refresh_token_client_id']
        client = OAuth2Client.get_token(client_id)
        scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)
        user_id = account._id36
        refresh_token = OAuth2RefreshToken._new(
            client_id=client._id,
            user_id=user_id,
            scope=scope,
        )
        access_token = OAuth2AccessToken._new(
            client_id=client._id,
            user_id=user_id,
            scope=scope,
            device_id='device',
        )
        return json.dumps(OAuth2AccessController._make_new_token_response(access_token, refresh_token))
예제 #8
0
    def _access_token_refresh(self, refresh_token):
        access_token = None
        if refresh_token:
            if refresh_token.client_id == c.oauth2_client._id:
                access_token = OAuth2AccessToken._new(
                    refresh_token.client_id, refresh_token.user_id,
                    refresh_token.scope,
                    refresh_token=refresh_token._id)
                g.stats.simple_event(
                    'oauth2.access_token_refresh.access_token_create')
            else:
                g.stats.simple_event(
                    'oauth2.errors.OAUTH2_INVALID_REFRESH_TOKEN')
                c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
        else:
            g.stats.simple_event('oauth2.errors.NO_TEXT')
            c.errors.add("NO_TEXT", field="refresh_token")

        if c.errors:
            resp = self._check_for_errors()
            response.status = 400
        else:
            g.stats.simple_event('oauth2.access_token_refresh.success')
            resp = self._make_new_token_response(access_token)
        return self.api_wrapper(resp)
예제 #9
0
파일: oauth2.py 프로젝트: 1900/reddit
    def pre(self):
        set_extension(request.environ, "json")
        MinimalController.pre(self)
        require_https()

        try:
            access_token = OAuth2AccessToken.get_token(self._get_bearer_token())
            require(access_token)
            require(access_token.check_valid())
            c.oauth2_access_token = access_token
            account = Account._byID36(access_token.user_id, data=True)
            require(account)
            require(not account._deleted)
            c.oauth_user = account
        except RequirementException:
            self._auth_error(401, "invalid_token")

        handler = self._get_action_handler()
        if handler:
            oauth2_perms = getattr(handler, "oauth2_perms", None)
            if oauth2_perms:
                grant = OAuth2Scope(access_token.scope)
                if grant.subreddit_only and c.site.name not in grant.subreddits:
                    self._auth_error(403, "insufficient_scope")
                required_scopes = set(oauth2_perms['allowed_scopes'])
                if not (grant.scopes >= required_scopes):
                    self._auth_error(403, "insufficient_scope")
            else:
                self._auth_error(400, "invalid_request")
예제 #10
0
    def _access_token_password(self, user, scope):
        # username:password auth via OAuth is only allowed for
        # private use scripts
        client = c.oauth2_client
        if client.app_type != "script":
            g.stats.simple_event('oauth2.errors.PASSWORD_UNAUTHORIZED_CLIENT')
            return self.api_wrapper({"error": "unauthorized_client",
                "error_description": "Only script apps may use password auth"})
        dev_ids = client._developer_ids
        if not user or user._id not in dev_ids:
            g.stats.simple_event('oauth2.errors.INVALID_GRANT')
            return self.api_wrapper({"error": "invalid_grant"})
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                g.stats.simple_event('oauth2.errors.PASSWORD_INVALID_SCOPE')
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        device_id = get_device_id(client)
        access_token = OAuth2AccessToken._new(
            client_id=client._id,
            user_id=user._id36,
            scope=scope,
            device_id=device_id,
        )
        g.stats.simple_event(
            'oauth2.access_token_password.access_token_create')
        resp = self._make_new_token_response(access_token)
        return self.api_wrapper(resp)
예제 #11
0
파일: oauth2.py 프로젝트: Cophy08/reddit
    def _access_token_code(self, code, redirect_uri):
        if not code:
            c.errors.add("NO_TEXT", field="code")
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        access_token = None
        refresh_token = None

        auth_token = OAuth2AuthorizationCode.use_token(
            code, c.oauth2_client._id, redirect_uri)
        if auth_token:
            if auth_token.refreshable:
                refresh_token = OAuth2RefreshToken._new(
                    auth_token.client_id, auth_token.user_id,
                    auth_token.scope)
                g.stats.simple_event(
                    'oauth2.access_token_code.refresh_token_create')
            access_token = OAuth2AccessToken._new(
                auth_token.client_id, auth_token.user_id,
                auth_token.scope,
                refresh_token._id if refresh_token else "")
            g.stats.simple_event(
                'oauth2.access_token_code.access_token_create')

        resp = self._make_token_dict(access_token, refresh_token)

        return self.api_wrapper(resp)
예제 #12
0
파일: oauth2.py 프로젝트: Sinacosa/reddit
    def POST_authorize(self, authorize, client, redirect_uri, scope, state,
                       duration, response_type):
        """Endpoint for OAuth2 authorization."""

        if response_type == "token" and client.is_confidential():
            # Prevent "confidential" clients from distributing tokens
            # in a non-confidential manner
            c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
        if response_type == "token" and duration != "temporary":
            # implicit grant -> No refresh tokens allowed
            c.errors.add((errors.INVALID_OPTION, "duration"))
        self._check_redirect_uri(client, redirect_uri)

        if c.errors:
            return self._error_response(state, redirect_uri,
                                        as_fragment=(response_type == "token"))

        if response_type == "code":
            code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
                                            c.user._id36, scope,
                                            duration == "permanent")
            resp = {"code": code._id, "state": state}
            final_redirect = _update_redirect_uri(redirect_uri, resp)
        elif response_type == "token":
            token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
            token_data = OAuth2AccessController._make_token_dict(token)
            token_data["state"] = state
            final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)

        return self.redirect(final_redirect, code=302)
예제 #13
0
    def _access_token_client_credentials(self, scope):
        client = c.oauth2_client
        if not client.is_confidential():
            g.stats.simple_event(
                'oauth2.errors.CLIENT_CREDENTIALS_UNAUTHORIZED_CLIENT')
            return self.api_wrapper({"error": "unauthorized_client",
                "error_description": "Only confidential clients may use client_credentials auth"})
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                g.stats.simple_event(
                    'oauth2.errors.CLIENT_CREDENTIALS_INVALID_SCOPE')
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        device_id = get_device_id(client)
        access_token = OAuth2AccessToken._new(
            client_id=client._id,
            user_id="",
            scope=scope,
            device_id=device_id,
        )
        g.stats.simple_event(
            'oauth2.access_token_client_credentials.access_token_create')
        resp = self._make_new_token_response(access_token)
        return self.api_wrapper(resp)
예제 #14
0
파일: oauth2.py 프로젝트: j4gold/reddit
    def POST_authorize(self, authorize, client, redirect_uri, scope, state,
                       duration, response_type):
        """Endpoint for OAuth2 authorization."""

        if response_type == "token" and client.is_confidential():
            # Prevent "confidential" clients from distributing tokens
            # in a non-confidential manner
            c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
        if response_type == "token" and duration != "temporary":
            # implicit grant -> No refresh tokens allowed
            c.errors.add((errors.INVALID_OPTION, "duration"))
        self._check_redirect_uri(client, redirect_uri)

        if c.errors:
            return self._error_response(state,
                                        redirect_uri,
                                        as_fragment=(response_type == "token"))

        if response_type == "code":
            code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
                                                c.user._id36, scope,
                                                duration == "permanent")
            resp = {"code": code._id, "state": state}
            final_redirect = _update_redirect_uri(redirect_uri, resp)
        elif response_type == "token":
            token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
            token_data = OAuth2AccessController._make_token_dict(token)
            token_data["state"] = state
            final_redirect = _update_redirect_uri(redirect_uri,
                                                  token_data,
                                                  as_fragment=True)

        return self.redirect(final_redirect, code=302)
예제 #15
0
    def _access_token_extension_client_credentials(self, scope, device_id):
        if ((errors.NO_TEXT, "device_id") in c.errors or
                (errors.TOO_SHORT, "device_id") in c.errors or
                (errors.TOO_LONG, "device_id") in c.errors):
            g.stats.simple_event('oauth2.errors.BAD_DEVICE_ID')
            return self.api_wrapper({
                "error": "invalid_request",
                "error_description": "bad device_id",
            })

        client = c.oauth2_client
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                g.stats.simple_event(
                    'oauth2.errors.EXTENSION_CLIENT_CREDENTIALS_INVALID_SCOPE')
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
            client_id=client._id,
            user_id="",
            scope=scope,
            device_id=device_id,
        )
        g.stats.simple_event(
            'oauth2.access_token_extension_client_credentials.'
            'access_token_create')
        resp = self._make_new_token_response(access_token)
        return self.api_wrapper(resp)
예제 #16
0
파일: oauth2.py 프로젝트: j4gold/reddit
    def _access_token_password(self, user, scope):
        # username:password auth via OAuth is only allowed for
        # private use scripts
        client = c.oauth2_client
        if client.app_type != "script":
            return self.api_wrapper({
                "error":
                "unauthorized_client",
                "error_description":
                "Only script apps may use password auth"
            })
        dev_ids = client._developer_ids
        if not user or user._id not in dev_ids:
            return self.api_wrapper({"error": "invalid_grant"})
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(client._id, user._id36, scope)
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #17
0
파일: oauth2.py 프로젝트: Bebetz/reddit
    def _access_token_password(self, user, scope):
        # username:password auth via OAuth is only allowed for
        # private use scripts
        client = c.oauth2_client
        if client.app_type != "script":
            return self.api_wrapper({"error": "unauthorized_client",
                "error_description": "Only script apps may use password auth"})
        dev_ids = client._developer_ids
        if not user or user._id not in dev_ids:
            return self.api_wrapper({"error": "invalid_grant"})
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
                client._id,
                user._id36,
                scope
        )
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #18
0
파일: oauth2.py 프로젝트: Cophy08/reddit
    def POST_authorize(self, authorize, client, redirect_uri, scope, state,
                       duration, response_type):
        """Endpoint for OAuth2 authorization."""

        self._check_employee_grants(client, scope)

        self._check_redirect_uri(client, redirect_uri)

        self._check_response_type_and_scope(response_type, scope)

        self._check_client_type_and_duration(response_type, client, duration)

        if c.errors:
            return self._error_response(state, redirect_uri,
                                        as_fragment=(response_type == "token"))

        if response_type == "code":
            code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
                                            c.user._id36, scope,
                                            duration == "permanent")
            resp = {"code": code._id, "state": state}
            final_redirect = _update_redirect_uri(redirect_uri, resp)
            g.stats.simple_event('oauth2.POST_authorize.authorization_code_create')
        elif response_type == "token":
            token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
            token_data = OAuth2AccessController._make_token_dict(token)
            token_data["state"] = state
            final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)
            g.stats.simple_event('oauth2.POST_authorize.access_token_create')

        # If this is the first time the user is logging in with an official
        # mobile app, gild them
        if (g.live_config.get('mobile_gild_first_login') and
                not c.user.has_used_mobile_app and
                client._id in g.mobile_auth_gild_clients):
            buyer = Account.system_user()
            admintools.adjust_gold_expiration(
                c.user, days=g.mobile_auth_gild_time)
            create_gift_gold(
                buyer._id, c.user._id, g.mobile_auth_gild_time,
                datetime.now(g.tz), signed=True, note='first_mobile_auth')
            subject = 'Let there be gold! Reddit just sent you Reddit gold!'
            message = (
                "Thank you for using the Reddit mobile app!  As a thank you "
                "for logging in during launch week, you've been gifted %s of "
                "Reddit Gold.\n\n"
                "Reddit Gold is Reddit's premium membership program, which "
                "grants you: \n"
                "An ads-free experience in Reddit's mobile apps, and\n"
                "Extra site features on desktop\n\n"
                "Discuss and get help on the features and perks at "
                "r/goldbenefits."
            ) % g.mobile_auth_gild_message
            message += '\n\n' + strings.gold_benefits_msg
            send_system_message(c.user, subject, message, add_to_sent=False)
            c.user.has_used_mobile_app = True
            c.user._commit()

        return self.redirect(final_redirect, code=302)
예제 #19
0
 def _get_bearer_token(self):
     auth = request.headers.get("Authorization")
     try:
         auth_scheme, bearer_token = require_split(auth, 2)
         require(auth_scheme.lower() == "bearer")
         return OAuth2AccessToken.get_token(bearer_token)
     except RequirementException:
         self._auth_error(400, "invalid_request")
예제 #20
0
파일: oauth2.py 프로젝트: ahyanah/reddit
    def POST_authorize(self, authorize, client, redirect_uri, scope, state,
                       duration, response_type):
        """Endpoint for OAuth2 authorization."""

        self._check_employee_grants(client, scope)

        if response_type == "token" and client.is_confidential():
            # Prevent "confidential" clients from distributing tokens
            # in a non-confidential manner
            c.errors.add((errors.OAUTH2_INVALID_CLIENT, "client_id"))
        if response_type == "token" and duration != "temporary":
            # implicit grant -> No refresh tokens allowed
            c.errors.add((errors.INVALID_OPTION, "duration"))
        self._check_redirect_uri(client, redirect_uri)

        if c.errors:
            return self._error_response(state, redirect_uri,
                                        as_fragment=(response_type == "token"))

        if response_type == "code":
            code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
                                            c.user._id36, scope,
                                            duration == "permanent")
            resp = {"code": code._id, "state": state}
            final_redirect = _update_redirect_uri(redirect_uri, resp)
        elif response_type == "token":
            token = OAuth2AccessToken._new(client._id, c.user._id36, scope)
            token_data = OAuth2AccessController._make_token_dict(token)
            token_data["state"] = state
            final_redirect = _update_redirect_uri(redirect_uri, token_data, as_fragment=True)

        # If this is the first time the user is logging in with an official
        # mobile app, gild them
        if (g.live_config.get('mobile_gild_first_login') and
                not c.user.has_used_mobile_app and
                client._id in g.mobile_auth_gild_clients):
            buyer = Account.system_user()
            admintools.adjust_gold_expiration(
                c.user, days=g.mobile_auth_gild_time)
            create_gift_gold(
                buyer._id, c.user._id, g.mobile_auth_gild_time,
                datetime.now(g.tz), signed=True, note='first_mobile_auth')
            subject = 'Let there be gold! %s just sent you reddit gold!' % (
                buyer.name)
            message = "Thank you for using the reddit mobile app!  For your "\
                "participation, you've been gifted %s of reddit gold." % (
                    g.mobile_auth_gild_message)
            message += '\n\n' + strings.gold_benefits_msg
            send_system_message(c.user, subject, message, add_to_sent=False)
            c.user.has_used_mobile_app = True
            c.user._commit()

        return self.redirect(final_redirect, code=302)
예제 #21
0
파일: oauth2.py 프로젝트: viennalabs/reddit
    def _access_token_refresh(self, refresh_token):
        resp = {}
        access_token = None
        if refresh_token:
            access_token = OAuth2AccessToken._new(
                refresh_token.client_id, refresh_token.user_id, refresh_token.scope, refresh_token=refresh_token._id
            )
        else:
            c.errors.add("NO_TEXT", field="refresh_token")

        if c.errors:
            resp = self._check_for_errors()
        else:
            resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #22
0
    def _access_token_refresh(self, refresh_token):
        resp = {}
        access_token = None
        if refresh_token:
            access_token = OAuth2AccessToken._new(
                refresh_token.client_id, refresh_token.user_id,
                refresh_token.scope,
                refresh_token=refresh_token._id)
        else:
            c.errors.add("NO_TEXT", field="refresh_token")

        if c.errors:
            resp = self._check_for_errors()
        else:
            resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #23
0
    def _access_token_refresh(self, refresh_token):
        access_token = None
        if refresh_token:
            if refresh_token.client_id == c.oauth2_client._id:
                access_token = OAuth2AccessToken._new(
                    refresh_token.client_id, refresh_token.user_id,
                    refresh_token.scope,
                    refresh_token=refresh_token._id)
            else:
                c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
        else:
            c.errors.add("NO_TEXT", field="refresh_token")

        if c.errors:
            resp = self._check_for_errors()
            response.status = 400
        else:
            resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #24
0
파일: oauth2.py 프로젝트: Sinacosa/reddit
    def _access_token_refresh(self, refresh_token):
        access_token = None
        if refresh_token:
            if refresh_token.client_id == c.oauth2_client._id:
                access_token = OAuth2AccessToken._new(
                    refresh_token.client_id, refresh_token.user_id,
                    refresh_token.scope,
                    refresh_token=refresh_token._id)
            else:
                c.errors.add(errors.OAUTH2_INVALID_REFRESH_TOKEN)
        else:
            c.errors.add("NO_TEXT", field="refresh_token")

        if c.errors:
            resp = self._check_for_errors()
            response.status = 400
        else:
            resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #25
0
    def _access_token_client_credentials(self, scope):
        client = c.oauth2_client
        if not client.is_confidential():
            return self.api_wrapper({"error": "unauthorized_client",
                "error_description": "Only confidential clients may use client_credentials auth"})
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
            client._id,
            "",
            scope,
        )
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #26
0
파일: oauth2.py 프로젝트: Sinacosa/reddit
    def _access_token_client_credentials(self, scope):
        client = c.oauth2_client
        if not client.is_confidential():
            return self.api_wrapper({"error": "unauthorized_client",
                "error_description": "Only confidential clients may use client_credentials auth"})
        if scope:
            scope = OAuth2Scope(scope)
            if not scope.is_valid():
                c.errors.add(errors.INVALID_OPTION, "scope")
                return self.api_wrapper({"error": "invalid_scope"})
        else:
            scope = OAuth2Scope(OAuth2Scope.FULL_ACCESS)

        access_token = OAuth2AccessToken._new(
            client._id,
            "",
            scope,
        )
        resp = self._make_token_dict(access_token)
        return self.api_wrapper(resp)
예제 #27
0
    def POST_access_token(self, grant_type, code, redirect_uri):
        """
        Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
        (from [/api/v1/authorize](#api_method_authorize)) for an access token.

        On success, returns a URL-encoded dictionary containing
        **access_token**, **token_type**, **expires_in**, and **scope**.
        If there is a problem, an **error** parameter will be returned
        instead.

        Must be called using SSL, and must contain a HTTP `Authorization:`
        header which contains the application's client identifier as the
        username and client secret as the password.  (The client id and secret
        are visible on the [app preferences page](/prefs/apps).)

        Per the OAuth specification, **grant_type** must
        be ``authorization_code`` and **redirect_uri** must exactly match the
        value that was used in the call to
        [/api/v1/authorize](#api_method_authorize).
        """

        resp = {}
        if not c.errors:
            auth_token = OAuth2AuthorizationCode.use_token(code, c.oauth2_client._id, redirect_uri)
            if auth_token:
                access_token = OAuth2AccessToken._new(auth_token.user_id, auth_token.scope)
                resp["access_token"] = access_token._id
                resp["token_type"] = access_token.token_type
                resp["expires_in"] = access_token._ttl
                resp["scope"] = auth_token.scope
            else:
                resp["error"] = "invalid_grant"
        else:
            if (errors.INVALID_OPTION, "grant_type") in c.errors:
                resp["error"] = "unsupported_grant_type"
            elif (errors.INVALID_OPTION, "scope") in c.errors:
                resp["error"] = "invalid_scope"
            else:
                resp["error"] = "invalid_request"

        return self.api_wrapper(resp)
예제 #28
0
    def POST_access_token(self, grant_type, code, redirect_uri):
        """
        Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
        (from [/api/v1/authorize](#api_method_authorize)) for an access token.

        On success, returns a URL-encoded dictionary containing
        **access_token**, **token_type**, **expires_in**, and **scope**.
        If there is a problem, an **error** parameter will be returned
        instead.

        Must be called using SSL, and must contain a HTTP `Authorization:`
        header which contains the application's client identifier as the
        username and client secret as the password.  (The client id and secret
        are visible on the [app preferences page](/prefs/apps).)

        Per the OAuth specification, **grant_type** must
        be ``authorization_code`` and **redirect_uri** must exactly match the
        value that was used in the call to
        [/api/v1/authorize](#api_method_authorize).
        """

        resp = {}
        if not c.errors:
            auth_token = OAuth2AuthorizationCode.use_token(code, c.oauth2_client._id, redirect_uri)
            if auth_token:
                access_token = OAuth2AccessToken._new(auth_token.client_id, auth_token.user_id, auth_token.scope)
                resp["access_token"] = access_token._id
                resp["token_type"] = access_token.token_type
                resp["expires_in"] = access_token._ttl
                resp["scope"] = auth_token.scope
            else:
                resp["error"] = "invalid_grant"
        else:
            if (errors.INVALID_OPTION, "grant_type") in c.errors:
                resp["error"] = "unsupported_grant_type"
            elif (errors.INVALID_OPTION, "scope") in c.errors:
                resp["error"] = "invalid_scope"
            else:
                resp["error"] = "invalid_request"

        return self.api_wrapper(resp)
예제 #29
0
파일: oauth2.py 프로젝트: wizzwizz4/saidit
    def _access_token_code(self, code, redirect_uri):
        if not code:
            c.errors.add("NO_TEXT", field="code")
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        access_token = None
        refresh_token = None

        client = c.oauth2_client
        auth_token = OAuth2AuthorizationCode.use_token(code, client._id,
                                                       redirect_uri)

        if auth_token:
            if auth_token.refreshable:
                refresh_token = OAuth2RefreshToken._new(
                    client_id=auth_token.client_id,
                    user_id=auth_token.user_id,
                    scope=auth_token.scope,
                )
                g.stats.simple_event(
                    'oauth2.access_token_code.refresh_token_create')

            device_id = get_device_id(client)
            access_token = OAuth2AccessToken._new(
                client_id=auth_token.client_id,
                user_id=auth_token.user_id,
                scope=auth_token.scope,
                refresh_token=refresh_token._id if refresh_token else "",
                device_id=device_id,
            )
            g.stats.simple_event(
                'oauth2.access_token_code.access_token_create')

        resp = self._make_new_token_response(access_token, refresh_token)

        return self.api_wrapper(resp)
예제 #30
0
파일: oauth2.py 프로젝트: AHAMED750/reddit
    def _access_token_code(self, code, redirect_uri):
        if not code:
            c.errors.add("NO_TEXT", field="code")
        if c.errors:
            return self.api_wrapper(self._check_for_errors())

        access_token = None
        refresh_token = None

        client = c.oauth2_client
        auth_token = OAuth2AuthorizationCode.use_token(code, client._id, redirect_uri)

        if auth_token:
            if auth_token.refreshable:
                refresh_token = OAuth2RefreshToken._new(
                    client_id=auth_token.client_id,
                    user_id=auth_token.user_id,
                    scope=auth_token.scope,
                )
                g.stats.simple_event(
                    'oauth2.access_token_code.refresh_token_create')

            device_id = get_device_id(client)
            access_token = OAuth2AccessToken._new(
                client_id=auth_token.client_id,
                user_id=auth_token.user_id,
                scope=auth_token.scope,
                refresh_token=refresh_token._id if refresh_token else "",
                device_id=device_id,
            )
            g.stats.simple_event(
                'oauth2.access_token_code.access_token_create')

        resp = self._make_new_token_response(access_token, refresh_token)

        return self.api_wrapper(resp)
예제 #31
0
파일: oauth2.py 프로젝트: 1900/reddit
    def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
        """
        Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
        or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
        an access token.

        On success, returns a URL-encoded dictionary containing
        **access_token**, **token_type**, **expires_in**, and **scope**.
        If an authorization code for a permanent grant was given, a
        **refresh_token** will be included. If there is a problem, an **error**
        parameter will be returned instead.

        Must be called using SSL, and must contain a HTTP `Authorization:`
        header which contains the application's client identifier as the
        username and client secret as the password.  (The client id and secret
        are visible on the [app preferences page](/prefs/apps).)

        Per the OAuth specification, **grant_type** must
        be ``authorization_code`` for the initial access token or
        ``refresh_token`` for renewing the access token. In either case,
        **redirect_uri** must exactly match the value that was used in the call
        to [/api/v1/authorize](#api_method_authorize) that created this grant.
        """

        resp = {}
        if not (code or refresh_token):
            c.errors.add("NO_TEXT", field=("code", "refresh_token"))
        if not c.errors:
            access_token = None

            if grant_type == "authorization_code":
                auth_token = OAuth2AuthorizationCode.use_token(
                    code, c.oauth2_client._id, redirect_uri)
                if auth_token:
                    if auth_token.refreshable:
                        refresh_token = OAuth2RefreshToken._new(
                            auth_token.client_id, auth_token.user_id,
                            auth_token.scope)
                    access_token = OAuth2AccessToken._new(
                        auth_token.client_id, auth_token.user_id,
                        auth_token.scope,
                        refresh_token._id if refresh_token else None)
            elif grant_type == "refresh_token" and refresh_token:
                access_token = OAuth2AccessToken._new(
                    refresh_token.client_id, refresh_token.user_id,
                    refresh_token.scope,
                    refresh_token=refresh_token._id)

            if access_token:
                resp["access_token"] = access_token._id
                resp["token_type"] = access_token.token_type
                resp["expires_in"] = int(access_token._ttl) if access_token._ttl else None
                resp["scope"] = access_token.scope
                if refresh_token:
                    resp["refresh_token"] = refresh_token._id
            else:
                resp["error"] = "invalid_grant"
        else:
            if (errors.INVALID_OPTION, "grant_type") in c.errors:
                resp["error"] = "unsupported_grant_type"
            elif (errors.INVALID_OPTION, "scope") in c.errors:
                resp["error"] = "invalid_scope"
            else:
                resp["error"] = "invalid_request"

        return self.api_wrapper(resp)
예제 #32
0
    def POST_authorize(self, authorize, client, redirect_uri, scope, state,
                       duration, response_type):
        """Endpoint for OAuth2 authorization."""

        self._check_employee_grants(client, scope)

        self._check_redirect_uri(client, redirect_uri)

        self._check_response_type_and_scope(response_type, scope)

        self._check_client_type_and_duration(response_type, client, duration)

        if c.errors:
            return self._error_response(state, redirect_uri,
                                        as_fragment=(response_type == "token"))

        if response_type == "code":
            code = OAuth2AuthorizationCode._new(client._id, redirect_uri,
                                            c.user._id36, scope,
                                            duration == "permanent")
            resp = {"code": code._id, "state": state}
            final_redirect = _update_redirect_uri(redirect_uri, resp)
            g.stats.simple_event('oauth2.POST_authorize.authorization_code_create')
        elif response_type == "token":
            device_id = get_device_id(client)
            token = OAuth2AccessToken._new(
                client_id=client._id,
                user_id=c.user._id36,
                scope=scope,
                device_id=device_id,
            )
            resp = OAuth2AccessController._make_new_token_response(token)
            resp["state"] = state
            final_redirect = _update_redirect_uri(redirect_uri, resp, as_fragment=True)
            g.stats.simple_event('oauth2.POST_authorize.access_token_create')

        # If this is the first time the user is logging in with an official
        # mobile app, gild them
        if (g.live_config.get('mobile_gild_first_login') and
                not c.user.has_used_mobile_app and
                client._id in g.mobile_auth_gild_clients):
            buyer = Account.system_user()
            admintools.adjust_gold_expiration(
                c.user, days=g.mobile_auth_gild_time)
            create_gift_gold(
                buyer._id, c.user._id, g.mobile_auth_gild_time,
                datetime.now(g.tz), signed=True, note='first_mobile_auth')
            subject = 'Let there be gold! Reddit just sent you Reddit gold!'
            message = (
                "Thank you for using the Reddit mobile app!  As a thank you "
                "for logging in during launch week, you've been gifted %s of "
                "Reddit Gold.\n\n"
                "Reddit Gold is Reddit's premium membership program, which "
                "grants you: \n"
                "An ads-free experience in Reddit's mobile apps, and\n"
                "Extra site features on desktop\n\n"
                "Discuss and get help on the features and perks at "
                "r/goldbenefits."
            ) % g.mobile_auth_gild_message
            message += '\n\n' + strings.gold_benefits_msg
            send_system_message(c.user, subject, message, add_to_sent=False)
            c.user.has_used_mobile_app = True
            c.user._commit()

        return self.redirect(final_redirect, code=302)
예제 #33
0
    def POST_access_token(self, grant_type, code, refresh_token, redirect_uri):
        """
        Exchange an [OAuth 2.0](http://oauth.net/2/) authorization code
        or refresh token (from [/api/v1/authorize](#api_method_authorize)) for
        an access token.

        On success, returns a URL-encoded dictionary containing
        **access_token**, **token_type**, **expires_in**, and **scope**.
        If an authorization code for a permanent grant was given, a
        **refresh_token** will be included. If there is a problem, an **error**
        parameter will be returned instead.

        Must be called using SSL, and must contain a HTTP `Authorization:`
        header which contains the application's client identifier as the
        username and client secret as the password.  (The client id and secret
        are visible on the [app preferences page](/prefs/apps).)

        Per the OAuth specification, **grant_type** must
        be ``authorization_code`` for the initial access token or
        ``refresh_token`` for renewing the access token. In either case,
        **redirect_uri** must exactly match the value that was used in the call
        to [/api/v1/authorize](#api_method_authorize) that created this grant.
        """

        resp = {}
        if not (code or refresh_token):
            c.errors.add("NO_TEXT", field=("code", "refresh_token"))
        if not c.errors:
            access_token = None

            if grant_type == "authorization_code":
                auth_token = OAuth2AuthorizationCode.use_token(
                    code, c.oauth2_client._id, redirect_uri)
                if auth_token:
                    if auth_token.refreshable:
                        refresh_token = OAuth2RefreshToken._new(
                            auth_token.client_id, auth_token.user_id,
                            auth_token.scope)
                    access_token = OAuth2AccessToken._new(
                        auth_token.client_id, auth_token.user_id,
                        auth_token.scope,
                        refresh_token._id if refresh_token else None)
            elif grant_type == "refresh_token" and refresh_token:
                access_token = OAuth2AccessToken._new(
                    refresh_token.client_id,
                    refresh_token.user_id,
                    refresh_token.scope,
                    refresh_token=refresh_token._id)

            if access_token:
                resp["access_token"] = access_token._id
                resp["token_type"] = access_token.token_type
                resp["expires_in"] = int(
                    access_token._ttl) if access_token._ttl else None
                resp["scope"] = access_token.scope
                if refresh_token:
                    resp["refresh_token"] = refresh_token._id
            else:
                resp["error"] = "invalid_grant"
        else:
            if (errors.INVALID_OPTION, "grant_type") in c.errors:
                resp["error"] = "unsupported_grant_type"
            elif (errors.INVALID_OPTION, "scope") in c.errors:
                resp["error"] = "invalid_scope"
            else:
                resp["error"] = "invalid_request"

        return self.api_wrapper(resp)