	def post(self):
		"""Handle the end-user's answer to an authorization request.

		Rejects the request when the parameters do not validate, turns an
		``authorize=no`` answer into an ``access_denied`` error, and otherwise
		issues an authorization code and/or an access token depending on
		``response_type`` (``code``, ``token`` or ``code_and_token``), finishing
		with a redirect back to the client.
		"""
		if not self.validate_params():
			return

		# TODO: check for some sort of cross site request forgery? sign the request?
		# The consent decision below is taken straight from the POST body, so until
		# that TODO is done nothing ties this form post to the page the user saw.

		if self.request.get('authorize').lower() == 'no':
			self.authz_error('access_denied', "The user did not allow authorization.")
			return

		response_type = self.request.get('response_type')
		wants_code = response_type in ('code', 'code_and_token')
		wants_token = response_type in ('token', 'code_and_token')

		code = None
		if wants_code:
			authorization = OAuth_Authorization(
				## TODO update getting the user_id
				# NOTE(review): this uses self.user_id while the token below uses
				# self.user.user_id() -- confirm both resolve to the same user.
				user_id=self.user_id,
				client_id=self.client.client_id,
				redirect_uri=self.redirect_uri)
			authorization.put()
			code = authorization.serialize(state=self.request.get('state'))

		token = None
		if wants_token:
			requested_scope = self.request.get('scope')
			issued = OAuth_Token(
				user_id=self.user.user_id(),
				client_id=self.client.client_id,
				scope=requested_scope)
			# Tokens handed out directly from the authorization endpoint are not
			# refreshable.
			issued.put(can_refresh=False)
			token = issued.serialize(requested_scope=requested_scope)

		self.authz_redirect(code, token)
	def handle_client_credentials(self, client, scope=None):
		"""Issue a token for the client_credentials grant and render it.

		The token is bound to *client* only (no user is attached), carries the
		given *scope* unchanged and is stored as non-refreshable in realm
		``'portal'``. NOTE(review): *scope* is used as passed in -- confirm the
		caller has already bounded it for this client.
		"""
		issued = OAuth_Token(client_id=client.client_id, scope=scope, realm='portal')
		issued.put(can_refresh=False)
		self.render_response(issued)
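	def wrap(handler):
		"""Wrap *handler* so it only runs with a valid OAuth access token.

		The token is read from an ``Authorization: OAuth <token>`` header, falling
		back to the ``oauth_token`` request parameter. On success the wrapped
		handler is called with the resolved OAuth_Token as the ``token`` keyword
		argument; every failure renders a 400 error and returns None. ``scope`` is
		a free variable from the enclosing decorator factory, not defined here.
		"""
		def check_token(self, *args, **kwargs):
			try:
				auth_header = self.request.headers.get('Authorization', '')
				if auth_header.startswith('OAuth'):
					token = auth_header.split(' ')[1]
				else:
					token = self.request.get('oauth_token', None)
				# Access tokens are bearer credentials: record only whether one was
				# supplied, never its value.
				logging.debug("token present = %s", bool(token))
				if not token:
					self.render_error(400, 'invalid_request(1)', 'Not a valid request for an OAuth protected resource, missing TOKEN')
					return
			except Exception as e:
				# A malformed header such as a bare "OAuth" lands here (IndexError from
				# the split); report it as a bad request rather than a server error.
				self.render_error(400, 'invalid_request(2)', 'Not a valid request for an OAuth protected resource, missing TOKEN - %s' % str(e))
				return

			token = OAuth_Token.get_by_access_token(token)
			if not token:
				self.render_error(400, 'invalid_token', "This token sent is not a valid token")
				return

			if token.is_expired():
				if token.refresh_token:
					self.render_error(400, 'expired_token', 'This token has expired, use refresh token to renew.')
				else:
					self.render_error(400, 'invalid_token', 'This token is no longer valid')
				return

			# Exact match only: a token whose scope differs in any way from the scope
			# this resource was declared with is rejected.
			if scope != token.scope:
				self.render_error(400, 'insufficient_scope', "This resource requires higher priveleges")
				return

			return handler(self, token=token, *args, **kwargs)

		# The decorator must hand the wrapper back, otherwise the decorated
		# handler would be replaced by None.
		return check_token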
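	def handle_authorization_code(self, client, scope=None):
		"""Exchange an authorization code for an access token (authorization_code grant).

		Looks up the stored authorization for the presented ``code``, checks it
		against the presented ``redirect_uri`` and *client*, mints a token for the
		authorizing user in realm ``'user'``, deletes the now-used code and renders
		the token. An unknown or non-validating code renders ``invalid_grant``.
		"""
		code = self.request.get('code')
		authorization = OAuth_Authorization.get_by_code(code)
		# Authorization codes are short-lived credentials: log that an exchange was
		# attempted for this client, never the code value itself.
		logging.info("authorization_code exchange attempted by client %s", client.client_id)
		redirect_uri = self.request.get('redirect_uri')

		if not authorization or not authorization.validate(code, redirect_uri, client.client_id):
			self.render_error('invalid_grant', "Authorization code expired or invalid.")
			return

		# NOTE(review): the token's scope is whatever this request supplied, not a
		# scope recorded with the authorization -- confirm the caller bounds it to
		# what the user actually authorized.
		token = OAuth_Token(
			user_id=authorization.user_id,
			client_id=authorization.client_id,
			scope=scope,
			realm='user',
		)
		token.put()
		# Codes are single-use: discard the authorization once a token exists.
		authorization.delete()

		self.render_response(token)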
	def handle_refresh_token(self, client, scope=None):
		"""Renew an access token from a refresh token (refresh_token grant).

		The presented refresh token must resolve to a stored token that belongs to
		*client*; otherwise ``invalid_grant`` is rendered. NOTE(review): *scope* is
		accepted but not used, so the refreshed token keeps the original's scope
		-- confirm a narrower requested scope need not be honoured.
		"""
		presented = self.request.get('refresh_token')
		token = OAuth_Token.get_by_refresh_token(presented)

		# Reject unknown tokens and tokens presented by a client other than the one
		# they were issued to.
		if not token or token.client_id != client.client_id:
			self.render_error('invalid_grant', "Invalid refresh token.")
			return

		# TODO: refresh token should expire along with grant according to spec
		refreshed = token.refresh()
		self.render_response(refreshed)
	def handle_password(self, client, scope=None):
		"""Issue a token for the resource-owner password grant.

		Reads ``username`` and ``password`` from the request and, when both are
		non-empty, mints a token for ``username`` on behalf of *client* with the
		given *scope*. Empty credentials render ``invalid_grant``.
		"""
		# Since App Engine doesn't let you programmatically auth,
		# and the local SDK environment doesn't need a password,
		# we just always grant this w/out auth
		# TODO: something better?
		#
		# Consequence: the password value is read but never verified against
		# anything, so any non-empty username/password pair yields a token for
		# that username. Resolve the TODO before relying on this grant.
		username = self.request.get('username')
		password = self.request.get('password')

		if not (username and password):
			self.render_error('invalid_grant', "Invalid end-user credentials.")
			return

		# NOTE(review): unlike the authorization_code grant this token is created
		# without a realm -- confirm that is intended.
		issued = OAuth_Token(client_id=client.client_id, user_id=username, scope=scope)
		issued.put()
		self.render_response(issued)