def save_token(token_data, request):
requested_scopes = set(scope_to_list(token_data.get('scope', '')))
application = OAuthApplication.query.filter_by(
client_id=request.client.client_id).one()
link = OAuthApplicationUserLink.query.with_parent(application).with_parent(
request.user).first()
if link is None:
link = OAuthApplicationUserLink(application=application,
user=request.user,
scopes=requested_scopes)
else:
if not requested_scopes:
# for already-authorized apps not specifying a scope uses all scopes the
# user previously granted to the app
requested_scopes = set(link.scopes)
token_data['scope'] = list_to_scope(requested_scopes)
new_scopes = requested_scopes - set(link.scopes)
if new_scopes:
logger.info('New scopes for %r: %s', link, new_scopes)
link.update_scopes(new_scopes)
link.tokens.append(
OAuthToken(access_token=token_data['access_token'],
scopes=requested_scopes))
# get rid of old tokens if there are too many
q = (db.session.query(OAuthToken.id).with_parent(link).filter_by(
_scopes=db.cast(sorted(requested_scopes), ARRAY(db.String))).order_by(
OAuthToken.created_dt.desc()).offset(
MAX_TOKENS_PER_SCOPE).scalar_subquery())
OAuthToken.query.filter(
OAuthToken.id.in_(q)).delete(synchronize_session='fetch')
def get_scope(self):
# scopes are restricted by what's authorized for the particular user and what's whitelisted for the app
return list_to_scope(sorted(self.scopes))
def get_allowed_scope(self, scope):
if not scope:
return ''
allowed = set(self.allowed_scopes)
scopes = set(scope_to_list(scope))
return list_to_scope(allowed & scopes)
def get_scope(self):
# scopes are restricted by what's authorized for the particular user and what's whitelisted for the app
scopes = self.scopes & set(self.app_user_link.scopes) & set(
self.application.allowed_scopes)
return list_to_scope(sorted(scopes))
def get_allowed_scope(self, scope):
if not scope:
return ''
allowed = set(self.scope.split())
scopes = scope_to_list(scope)
return list_to_scope([s for s in scopes if s in allowed])
