def test_prompt(self):
self.prepare_data()
params = [('response_type', 'code'), ('client_id', 'code-client'),
('state', 'bar'), ('nonce', 'abc'),
('scope', 'openid profile'), ('redirect_uri', 'https://a.b')]
query = url_encode(params)
rv = self.client.get('/oauth/authorize?' + query)
self.assertEqual(rv.data, b'login')
query = url_encode(params + [('user_id', '1')])
rv = self.client.get('/oauth/authorize?' + query)
self.assertEqual(rv.data, b'ok')
query = url_encode(params + [('prompt', 'login')])
rv = self.client.get('/oauth/authorize?' + query)
self.assertEqual(rv.data, b'login')
def prepare_form_encoded_body(oauth_params, body):
"""Prepare the Form-Encoded Body.
Per `section 3.5.2`_ of the spec.
.. _`section 3.5.2`: https://tools.ietf.org/html/rfc5849#section-3.5.2
"""
# append OAuth params to the existing body
return url_encode(_append_params(oauth_params, body))
def _create_oauth1_request():
if _req.method == 'POST':
body = _req.form.to_dict(flat=True)
else:
body = None
try:
return OAuth1Request(_req.method, _req.url, body, _req.headers)
except OAuth1Error as error:
body = url_encode(error.get_body())
raise_http_exception(error.status_code, body, error.get_headers())
def prepare_request_uri_query(oauth_params, uri):
"""Prepare the Request URI Query.
Per `section 3.5.3`_ of the spec.
.. _`section 3.5.3`: http://tools.ietf.org/html/rfc5849#section-3.5.3
"""
# append OAuth params to the existing set of query components
sch, net, path, par, query, fra = urlparse.urlparse(uri)
query = url_encode(
_append_params(oauth_params, extract_params(query) or []))
return urlparse.urlunparse((sch, net, path, par, query, fra))
def authorize_get(request: Request):
user_id = request.query_params.get("user_id")
request.body = {}
if user_id:
end_user = db.query(User).filter(User.id == int(user_id)).first()
else:
end_user = None
try:
grant = server.validate_consent_request(request=request,
end_user=end_user)
return grant.prompt or "ok"
except OAuth2Error as error:
return url_encode(error.get_body())
def authorize():
if request.method == 'GET':
try:
server.check_authorization_request()
return 'ok'
except OAuth1Error:
return 'error'
user_id = request.form.get('user_id')
if user_id:
grant_user = User.query.get(int(user_id))
else:
grant_user = None
try:
return server.create_authorization_response(grant_user=grant_user)
except OAuth1Error as error:
return url_encode(error.get_body())
def authorize():
if request.method == 'GET':
user_id = request.args.get('user_id')
if user_id:
end_user = User.query.get(int(user_id))
else:
end_user = None
try:
grant = server.get_consent_grant(end_user=end_user)
return grant.prompt or 'ok'
except OAuth2Error as error:
return url_encode(error.get_body())
user_id = request.form.get('user_id')
if user_id:
grant_user = User.query.get(int(user_id))
else:
grant_user = None
return server.create_authorization_response(grant_user=grant_user)
def handle_response(self, status_code, payload, headers):
return Response(url_encode(payload),
status=status_code,
headers=headers)
def test_token_from_fragment(self):
sess = OAuth2Session(self.client_id)
response_url = 'https://i.b/callback#' + url_encode(self.token.items())
self.assertEqual(sess.token_from_fragment(response_url), self.token)
token = sess.fetch_access_token(authorization_response=response_url)
self.assertEqual(token, self.token)
def test_token_from_fragment():
sess = OAuth2Client('foo')
response_url = 'https://i.b/callback#' + url_encode(default_token.items())
assert sess.token_from_fragment(response_url) == default_token
token = sess.fetch_token(authorization_response=response_url)
assert token == default_token
def post(self, url, *, data, headers, auth):
if isinstance(data, dict):
data = url_encode(data.items())
return self.request('POST', url, data=data, headers=headers, auth=auth)
def handle_response(self, status_code, payload, headers):
resp = HttpResponse(url_encode(payload), status=status_code)
for k, v in headers:
resp[k] = v
return resp
def create_token_response(self):
req = _create_oauth1_request()
status, body, headers = self.create_valid_token_response(req)
return Response(url_encode(body), status=status, headers=headers)
def create_authorization_response(self, grant_user=None):
req = _create_oauth1_request()
status, body, headers = self.create_valid_authorization_response(
req, grant_user)
return Response(url_encode(body), status=status, headers=headers)
def create_temporary_credential_response(self):
req = _create_oauth1_request()
status, body, headers = self.create_valid_temporary_credentials_response(
req)
return Response(url_encode(body), status=status, headers=headers)
async def authorize(
request: Request,
_query_params: OAuthAuthorizeRequestQueryParams = Depends(
OAuthAuthorizeRequestQueryParams),
auth_credentials: AuthCredentials = Body(...),
):
"""Perform authorization from given credentials and returns the result."""
retry_delay, retry_after = await async_throttle(request)
if retry_delay is not None and retry_after is not None:
raise HTTPException(403,
"Wait",
headers={
'X-Retry-After': retry_after,
'X-Retry-Wait': retry_delay
})
potential_users = async_user_collection.find(
{'email': auth_credentials.email})
async for potential_user in potential_users:
if potential_user.get('password') is not None:
password_valid, new_hash = verify_and_update(
auth_credentials.password, potential_user['password'])
if password_valid:
user_data = potential_user
break
else:
retry_after, retry_delay = await async_throttle_failure_request(request
)
raise HTTPException(403,
"Invalid E-Mail or Password",
headers={
'X-Retry-After': retry_after,
'X-Retry-Wait': retry_delay
})
user = User.validate(user_data)
if new_hash is not None:
await async_user_collection.update_one(
{'_id': user.id}, {'$set': {
'password': new_hash
}})
user.password = new_hash
if user.registration_token:
# If the user password is correct, but a registration token is pending, redirect to registration page
from ...manager.api.user_helpers import check_token, create_token
import urllib.parse
registration_token = user.registration_token
try:
check_token(user.registration_token)
except HTTPException:
token_valid_until = int(time.time() +
config.manager.token_valid.registration)
registration_token = create_token(user_data['_id'],
token_valid_until)
await async_user_collection.update_one(
{'_id': user.id},
{'$set': {
'registration_token': registration_token
}},
)
args = dict(url_decode(request.url.query))
args.update((await request.form()) or {})
#: dict of query and body params
return_url = urllib.parse.quote_plus(config.oauth2.base_url +
'/authorize?' +
url_encode(args.items()))
return JSONResponse(
content={
'redirect_uri':
f"{config.manager.frontend_base_url}/register/{registration_token}"
f"?return_url={return_url}"
},
status_code=200,
headers=dict(default_json_headers),
)
user_group_data = await UserWithRoles.async_load_groups(
user, _query_params.client_id)
oauth_request = await oauth2_request(request)
resp = await run_in_threadpool(
authorization.create_authorization_response,
request=oauth_request,
grant_user=user_group_data,
)
if isinstance(resp, ErrorJSONResponse):
return resp
elif isinstance(resp, ErrorRedirectResponse):
return resp.to_json_response()
elif isinstance(resp, RedirectResponse):
expires_in = config.oauth2.token_expiration.session
add_session_state(resp, oauth_request.user)
resp = resp.to_json_response()
if auth_credentials.remember:
now = int(time.time())
sess = Session(
id=generate_token(config.oauth2.token_length),
user_id=user.id,
issued_at=now,
expires_in=expires_in,
expiration_time=datetime.utcnow() +
timedelta(seconds=expires_in),
)
await async_session_collection.insert_one(
sess.dict(exclude_none=True, by_alias=True))
update_session_sid(resp, sess.id)
update_session_state(resp, oauth_request.user)
return resp
assert False
