def authorize(simulation_type, oauth_type):
    """Redirects to an OAUTH request for the specified oauth_type ('github').

    If oauth_type is 'anonymous', the current session is cleared.
    """
    # `next` is caller-supplied (query string) but lands after '#', so the
    # redirect target itself stays on /<simulation_type>; only the fragment
    # is caller-chosen.
    oauth_next = '/{}#{}'.format(
        simulation_type,
        flask.request.args.get('next', ''),
    )
    if oauth_type == _ANONYMOUS_OAUTH_TYPE:
        _update_session(_ANONYMOUS)
        cookie.clear_user()
        return server.javascript_redirect(oauth_next)
    # The random state is stored in the cookie and sent as the OAuth `state`
    # parameter; presumably the authorized callback compares the two (not
    # visible here).
    nonce = util.random_base62()
    for key, value in ((_COOKIE_NONCE, nonce), (_COOKIE_NEXT, oauth_next)):
        cookie.set_value(key, value)
    callback = cfg.github_callback_uri
    if not callback:
        # Deferred import; presumably avoids an import cycle -- unverified.
        from sirepo import uri_router
        callback = uri_router.uri_for_api(
            'oauthAuthorized',
            dict(oauth_type=oauth_type),
        )
    client = _oauth_client(oauth_type)
    return client.authorize(callback=callback, state=nonce)
def api_authGithubLogin(simulation_type):
    """Redirects to Github"""
    sim_type = sirepo.template.assert_sim_type(simulation_type)
    # Random nonce: stored in the cookie and sent as the OAuth `state`
    # parameter; the authorized callback (not in this block) presumably
    # checks that they match.
    nonce = util.random_base62()
    for key, value in ((_COOKIE_NONCE, nonce), (_COOKIE_SIM_TYPE, sim_type)):
        cookie.set_value(key, value)
    if not cfg.callback_uri:
        # must be executed in an app and request context so can't
        # initialize earlier.
        cfg.callback_uri = uri_router.uri_for_api('authGithubAuthorized')
    callback = cfg.callback_uri
    client = _oauth_client()
    return client.authorize(callback=callback, state=nonce)
def api_authGithubLogin(simulation_type):
    """Redirects to Github"""
    req = http_request.parse_params(type=simulation_type)
    # Random nonce: stored in the cookie and sent as the OAuth `state`
    # parameter; the authorized callback (not in this block) presumably
    # checks that they match.
    nonce = util.random_base62()
    for key, value in ((_COOKIE_NONCE, nonce), (_COOKIE_SIM_TYPE, req.type)):
        cookie.set_value(key, value)
    if not cfg.callback_uri:
        # must be executed in an app and request context so can't
        # initialize earlier.
        cfg.callback_uri = uri_router.uri_for_api('authGithubAuthorized')
    callback = cfg.callback_uri
    client = _client(nonce)
    return client.authorize_redirect(redirect_uri=callback, state=nonce)
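def _auth_hash_matches(expected, supplied):
    """Compare the computed auth hash with the request-supplied one in constant time.

    hmac.compare_digest refuses mixed text/bytes operands, so both sides are
    normalized to bytes first; a value that cannot be normalized (None, a
    number, undecodable text) is reported as a mismatch rather than surfacing
    a different exception type to the caller.
    """
    import hmac
    try:
        a = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        b = supplied if isinstance(supplied, bytes) else supplied.encode('utf-8')
        return hmac.compare_digest(a, b)
    except (AttributeError, TypeError, UnicodeError):
        return False


def auth_hash(req, verify=False):
    """Compute or verify the request authentication hash.

    The hash is ``'v1:'`` followed by the urlsafe-base64 SHA-256 of
    ``req.authNonce``, ``req.simulationType``, ``req.simulationId`` and
    ``cfg.secret`` joined with ``_AUTH_HASH_SEPARATOR``.

    Args:
        req: request object supporting ``'authNonce' in req`` and attribute
            access (``req.authNonce`` ...); presumably a dict-like with
            attribute syntax -- TODO confirm
        verify (bool): when False, mint ``req.authNonce`` if absent, store
            the hash in ``req.authHash`` and return; when True, check the
            request's nonce and hash instead.

    Returns:
        None

    Raises:
        whatever ``util.raise_unauthorized`` raises: missing nonce, hash
        mismatch, nonce time prefix not an int, or nonce timestamp more than
        ``_AUTH_NONCE_REPLAY_SECS`` away from now.
    """
    now = int(time.time())
    if 'authNonce' not in req:
        if verify:
            util.raise_unauthorized('authNonce: missing field in request')
        # nonce = "<unix seconds><sep><random>"; the prefix drives the
        # replay-window check below.
        req.authNonce = str(now) + _AUTH_NONCE_SEPARATOR + util.random_base62()
    h = hashlib.sha256()
    # NOTE(review): the secret is hashed as plain concatenated input; an HMAC
    # (hmac.new(key, msg, hashlib.sha256)) is the standard construction, but
    # the 'v1:' format is shared with whoever computes the hash on the other
    # side, so it is left unchanged here.
    h.update(
        _AUTH_HASH_SEPARATOR.join([
            req.authNonce,
            req.simulationType,
            req.simulationId,
            cfg.secret,
        ]),
    )
    res = 'v1:' + base64.urlsafe_b64encode(h.digest())
    if not verify:
        req.authHash = res
        return
    # Constant-time comparison: a plain `!=` stops at the first differing
    # byte, so its timing depends on the supplied value.
    if not _auth_hash_matches(res, req.authHash):
        util.raise_unauthorized(
            '{}: hash mismatch expected={} nonce={}',
            req.authHash,
            res,
            req.authNonce,
        )
    t = req.authNonce.split(_AUTH_NONCE_SEPARATOR)[0]
    try:
        t = int(t)
    except ValueError:
        util.raise_unauthorized(
            '{}: auth_nonce prefix not an int: nonce={}',
            t,
            req.authNonce,
        )
    delta = now - t
    # abs(): nonces timestamped in the future are rejected as well as stale
    # ones. NOTE(review): nothing in this block records seen nonces, so a
    # captured request stays valid for the whole window.
    if abs(delta) > _AUTH_NONCE_REPLAY_SECS:
        util.raise_unauthorized(
            '{}: auth_nonce time outside replay window={} now={} nonce={}',
            t,
            _AUTH_NONCE_REPLAY_SECS,
            now,
            req.authNonce,
        )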
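def _auth_hash_matches(expected, supplied):
    """Compare the computed auth hash with the request-supplied one in constant time.

    hmac.compare_digest refuses mixed text/bytes operands, so both sides are
    normalized to bytes first; a value that cannot be normalized (None, a
    number, undecodable text) is reported as a mismatch rather than surfacing
    a different exception type to the caller.
    """
    import hmac
    try:
        a = expected if isinstance(expected, bytes) else expected.encode('utf-8')
        b = supplied if isinstance(supplied, bytes) else supplied.encode('utf-8')
        return hmac.compare_digest(a, b)
    except (AttributeError, TypeError, UnicodeError):
        return False


def auth_hash(req, verify=False):
    """Compute or verify the request authentication hash.

    The hash is ``'v1:'`` followed by the urlsafe-base64 SHA-256 of
    ``req.authNonce``, ``req.simulationType``, ``req.simulationId`` and
    ``cfg.auth_secret`` joined with ``_AUTH_HASH_SEPARATOR``.

    Args:
        req: request object supporting ``'authNonce' in req`` and attribute
            access (``req.authNonce`` ...); presumably a dict-like with
            attribute syntax -- TODO confirm
        verify (bool): when False, mint ``req.authNonce`` if absent, store
            the hash in ``req.authHash`` and return; when True, check the
            request's nonce and hash instead.

    Returns:
        None

    Raises:
        whatever ``util.raise_not_found`` raises: missing nonce, hash
        mismatch, nonce time prefix not an int, or nonce timestamp more than
        ``_AUTH_NONCE_REPLAY_SECS`` away from now. (Every failure maps to
        not-found rather than unauthorized, so the response does not reveal
        which check failed.)
    """
    now = int(time.time())
    if 'authNonce' not in req:
        if verify:
            util.raise_not_found('authNonce: missing field in request')
        # nonce = "<unix seconds><sep><random>"; the prefix drives the
        # replay-window check below.
        req.authNonce = str(now) + _AUTH_NONCE_SEPARATOR + util.random_base62()
    h = hashlib.sha256()
    # NOTE(review): the secret is hashed as plain concatenated input; an HMAC
    # (hmac.new(key, msg, hashlib.sha256)) is the standard construction, but
    # the 'v1:' format is shared with whoever computes the hash on the other
    # side, so it is left unchanged here.
    h.update(
        _AUTH_HASH_SEPARATOR.join([
            req.authNonce,
            req.simulationType,
            req.simulationId,
            cfg.auth_secret,
        ]),
    )
    res = 'v1:' + base64.urlsafe_b64encode(h.digest())
    if not verify:
        req.authHash = res
        return
    # Constant-time comparison: a plain `!=` stops at the first differing
    # byte, so its timing depends on the supplied value.
    if not _auth_hash_matches(res, req.authHash):
        util.raise_not_found(
            '{}: hash mismatch expected={} nonce={}',
            req.authHash,
            res,
            req.authNonce,
        )
    t = req.authNonce.split(_AUTH_NONCE_SEPARATOR)[0]
    try:
        t = int(t)
    except ValueError:
        util.raise_not_found(
            '{}: auth_nonce prefix not an int: nonce={}',
            t,
            req.authNonce,
        )
    delta = now - t
    # abs(): nonces timestamped in the future are rejected as well as stale
    # ones. NOTE(review): nothing in this block records seen nonces, so a
    # captured request stays valid for the whole window.
    if abs(delta) > _AUTH_NONCE_REPLAY_SECS:
        util.raise_not_found(
            '{}: auth_nonce time outside replay window={} now={} nonce={}',
            t,
            _AUTH_NONCE_REPLAY_SECS,
            now,
            req.authNonce,
        )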
def create_token(self):
    """Mint a fresh random token of ``self.TOKEN_SIZE`` characters.

    Side effects: ``self.expires`` is set to now (naive UTC, from
    ``datetime.datetime.utcnow()``) plus ``_EXPIRES_DELTA``, and
    ``self.token`` is replaced by the new value.

    Returns:
        str: the newly generated token
    """
    fresh = util.random_base62(self.TOKEN_SIZE)
    # Expiry is computed before the token is published on self, as before.
    self.expires = datetime.datetime.utcnow() + _EXPIRES_DELTA
    self.token = fresh
    return fresh