Exemplo n.º 1
0
def callback():
    """
    Callback method required by Google's OAuth 2.0
    """
    if current_user is not None and current_user.is_authenticated:
        return redirect(url_for('index'))
    if 'error' in request.args:
        if request.args.get('error') == 'access_denied':
            return 'You denied access.'
        return 'Error encountered.'
    if 'code' not in request.args and 'state' not in request.args:
        return redirect(url_for('login'))
    else:
        google = get_google_auth(state=session['oauth_state'])
        try:
            token = google.fetch_token(Auth.TOKEN_URI,
                                       client_secret=Auth.CLIENT_SECRET,
                                       authorization_response=request.url)
        except HTTPError:
            return 'HTTPError occurred.'
        # Testing the token verification step.
        try:
            # jwt = verify_id_token(token['id_token'], Auth.CLIENT_ID)
            verify_id_token(token['id_token'], Auth.CLIENT_ID)
        except AppIdentityError:
            return 'Could not verify token.'
        # Check if you have the appropriate domain
        # Commenting this section out to let anyone with
        # a google account log in.
        # if 'hd' not in jwt or jwt['hd'] != 'ucsc.edu':
        #     flash('You must login with a ucsc.edu account. \
        #            Please try again.', 'error')
        #     return redirect(url_for('index'))

        google = get_google_auth(token=token)
        resp = google.get(Auth.USER_INFO)
        if resp.status_code == 200:
            user_data = resp.json()
            email = user_data['email']
            user = User.query.filter_by(email=email).first()
            if user is None:
                user = User()
                user.email = email
            user.name = user_data['name']
            print(token)
            user.tokens = json.dumps(token)
            user.access_token = token['access_token']
            user.avatar = user_data['picture']
            user.redwood_token = get_redwood_token(user)
            db.session.add(user)
            db.session.commit()
            login_user(user)
            # Empty flashed messages
            get_flashed_messages()
            # Set a new success flash message
            flash('You are now logged in!', 'success')
            return redirect(url_for('index'))
        return 'Could not fetch your information.'
    def test_verify_id_token_with_certs_uri_fails(self):
        jwt = self._create_signed_jwt()
        test_email = '*****@*****.**'

        http = HttpMockSequence([
            ({'status': '404'}, datafile('certs.json')),
        ])

        with self.assertRaises(VerifyJwtTokenError):
            verify_id_token(jwt, test_email, http=http)
Exemplo n.º 3
0
    def test_verify_id_token_with_certs_uri_fails(self):
        jwt = self._create_signed_jwt()
        test_email = '*****@*****.**'

        http = http_mock.HttpMock(headers={'status': http_client.NOT_FOUND},
                                  data=datafile('certs.json'))

        with self.assertRaises(client.VerifyJwtTokenError):
            client.verify_id_token(jwt, test_email, http=http)

        # Verify mocks.
        self._verify_http_mock(http)
Exemplo n.º 4
0
    def test_verify_id_token_with_certs_uri_fails(self):
        jwt = self._create_signed_jwt()
        test_email = '*****@*****.**'

        http = HttpMockSequence([
            ({
                'status': '404'
            }, datafile('certs.json')),
        ])

        with self.assertRaises(client.VerifyJwtTokenError):
            client.verify_id_token(jwt, test_email, http=http)
Exemplo n.º 5
0
    def test_verify_id_token_with_certs_uri_fails(self):
        jwt = self._create_signed_jwt()
        test_email = '*****@*****.**'

        http = http_mock.HttpMock(
            headers={'status': http_client.NOT_FOUND},
            data=datafile('certs.json'))

        with self.assertRaises(client.VerifyJwtTokenError):
            client.verify_id_token(jwt, test_email, http=http)

        # Verify mocks.
        self._verify_http_mock(http)
Exemplo n.º 6
0
def login(request, access_token):
    """
    Validate a google access token and retrieve user's email.

    Returns
    -------
    user : str
        User email.
    permissions : list
        List of permissions that the user has.

    """
    try:
        idinfo = client.verify_id_token(access_token,
                                        request.registry.GOOGLE_WEB_CLIENT_ID)
        if idinfo['aud'] not in [request.registry.GOOGLE_WEB_CLIENT_ID]:
            raise crypt.AppIdentityError("Unrecognized client.")
        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise crypt.AppIdentityError("Wrong issuer.")
    except crypt.AppIdentityError as e:
        return request.error('token', e.message, 400)

    email = idinfo.get('email')
    if email is None:
        return request.error('google_data', "Could not find Google email")

    request.response.headers.extend(remember(request, email))
    return {
        'user': email,
        'permissions': request.user_principals(email),
    }
Exemplo n.º 7
0
def google_info_from_token(token):
    idinfo = client.verify_id_token(token, settings.GOOGLE_CLIENT_ID)
    if idinfo['aud'] != settings.GOOGLE_CLIENT_ID:
        raise crypt.AppIdentityError('aud dont match')
    if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
        raise crypt.AppIdentityError("Wrong issuer.")
    return idinfo
Exemplo n.º 8
0
def getUserEmail(token):
	jwt = getJwt(token)
	user_info = verify_id_token(\
		id_token=jwt, \
		audience=AUD)
	
	return user_info['email']
def resolve_google_oauth(request):
    # token should be passed as an object {'ID_Token' : id_token }
    # to this view
    token = request.data.get('ID_Token')
    CLIENT_ID = os.environ.get('CLIENT_ID')

    token.replace(" ", "")


    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)

        if 'hd' not in idinfo:
            raise AuthenticationFailed('Sorry, only Andelans can sign in')

        if idinfo['hd'] != 'andela.com':
            raise AuthenticationFailed('Sorry, only Andelans can sign in')

        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise PermissionDenied('Wrong Issuer')

        if idinfo['email_verified'] == 'True' and idinfo['aud'] == CLIENT_ID:
            return idinfo

    except crypt.AppIdentityError:
        raise PermissionDenied('Invalid Token')


    return idinfo
Exemplo n.º 10
0
def verify_admin():
    if DEBUG:
        return
    token = request.cookies.get('starbook-token') or (request.json and request.json.pop('starbook-token'))
    google_email = client.verify_id_token(token, CLIENT_ID)['email']
    if google_email not in ADMINS:
        return jsonify({'error': 'You are not allowed to do that'}), 403
Exemplo n.º 11
0
    def authenticate(self, token=None):
        try:
            idinfo = client.verify_id_token(token, settings.CLIENT_ID)
            # If multiple clients access the backend server:
            if idinfo['iss'] not in [
                    'accounts.google.com', 'https://accounts.google.com'
            ]:
                raise crypt.AppIdentityError("Wrong issuer.")
                return None
            '''
            if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]:
                raise crypt.AppIdentityError("Unrecognized client.")
            if idinfo['hd'] != APPS_DOMAIN_NAME:
                raise crypt.AppIdentityError("Wrong hosted domain.")
            '''
        except crypt.AppIdentityError:
            # Invalid token
            raise crypt.AppIdentityError("Invalid token.")
            return None
        userid = idinfo['sub']
        print(idinfo.items())

        try:
            user = User.objects.get(username=userid)
        except User.DoesNotExist:
            user = User(username=userid,
                        email=idinfo['email'],
                        first_name=idinfo['given_name'],
                        last_name=idinfo['family_name'])
            user.set_unusable_password()
            user.save()
            student = Student(user=user)
            student.save()
        return user
def verify_google_token():

    token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjgwNDhmNDQ3YzVjNmRiZGI4ODIwOTYyOTJmYTFiNzk2ZWUzZGMyMTUifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhdWQiOiI4OTIzMTQ4NjIzMzQtcDA4OHVzNnNmY2NvNjhtdWQ1dmJsMnRnODY2dDRxZDAuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDA2NDQzODQzNTIzNTk4MzMyNDIiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoiODkyMzE0ODYyMzM0LW1uazBqZm9ydnFzMGhyYXVsOWE0bTJtdXBhNDdvZGZqLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJhbGV4YnVpY2VzY3VAZ21haWwuY29tIiwiaWF0IjoxNDQ3MjU0NzE0LCJleHAiOjE0NDcyNTgzMTQsInBpY3R1cmUiOiJodHRwczovL2xoNC5nb29nbGV1c2VyY29udGVudC5jb20vLUItUGptaXlDZWs0L0FBQUFBQUFBQUFJL0FBQUFBQUFBRjRjL21nYk1ndlJfbFhFL3M5Ni1jL3Bob3RvLmpwZyIsImxvY2FsZSI6ImVuIiwibmFtZSI6IkFsZXhhbmRydSBCdWljZXNjdSIsImdpdmVuX25hbWUiOiJBbGV4YW5kcnUiLCJmYW1pbHlfbmFtZSI6IkJ1aWNlc2N1In0.hVMhMMvLcmMRVrVaG0-zuqJhq_bm6VZ-YVe8ygK1p0Z4Wb46yzhSKu7HFDuGJ6dIbS5yM88LH9yaK-3AUCGdElVSjV3bochZR302xYSNjtT2UC70F_tRLaY5KJiA-6e7bPHfEdljgBhrwaspXxV-sVeCUj6nBW5j2UoJZD2tMWHZzfUlXs8_42UEQ_yqzNQ5BEiGZ2LzW61-6gHIOVuazNAh6Pyly4A6-jycHoMthk2d-wwOdJ6ITMcTdPTDiR52SsQbDMJIDz330yYAp_ct5dFYZsvrwqimy1uibysQw7iQuO7MVEt6p1IY2IYkNtJd1N5J9oQx42-9wBJMGXmtQw'

    CLIENT_ID = 'insert_client_id_here.apps.googleusercontent.com'
    ANDROID_CLIENT_ID = 'insert_android_client_id_here.apps.googleusercontent.com'
    WEB_CLIENT_ID = 'insert_web_client_id_here.apps.googleusercontent.com'

    if cache.get(token) != None:
        print 'From cache:', cache.get(token)
        # print 'time:', cache.get(token)['exp'], current_milli_time()
        return 'From cache:\n ' + ', '.join("%s=%r" % (key,val) for (key,val) in cache.get(token).iteritems())
    else:
        # (Receive token by HTTPS POST)
        try:
            idinfo = client.verify_id_token(token, CLIENT_ID)
            # If multiple clients access the backend server:
            if idinfo['aud'] not in [ANDROID_CLIENT_ID, WEB_CLIENT_ID]:
                raise crypt.AppIdentityError("Unrecognized client.")
            if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
                raise crypt.AppIdentityError("Wrong issuer.")
            userid = idinfo['sub']
            cache.set(token, idinfo, idinfo['exp'] - current_milli_time())
            print 'Not from cache', idinfo
            return 'Not from cache:\n ' + ', '.join("%s=%r" % (key,val) for (key,val) in idinfo.iteritems())
        except crypt.AppIdentityError:
            # Invalid token
            print 'Invalid Token'
            return 'Invalid Token'
Exemplo n.º 13
0
Arquivo: views.py Projeto: aeud/sing
def login_google_callback(request):
    url = 'https://www.googleapis.com/oauth2/v3/token?code='
    url += request.GET.get('code')
    url += '&client_id='
    url += settings.GA_CLIENT_ID
    url += '&client_secret='
    url += settings.GA_CLIENT_SECRET
    url += '&redirect_uri='
    url += request.build_absolute_uri(reverse('login_google_callback'))
    url += '&grant_type=authorization_code'
    r = requests.post(url)
    jwt = verify_id_token(r.json().get('id_token'), settings.GA_CLIENT_ID)
    email = jwt.get('email').lower()
    try:
        user = User.objects.get(email=email)
    except User.DoesNotExist:
        user = User(email=email)
        user.save()
    user.backend = 'django.contrib.auth.backends.ModelBackend'
    try:
        connection = UserConnection.objects.get(token=request.GET.get('state'),
                                                user__isnull=True)
    except UserConnection.DoesNotExist:
        return redirect('home')
    manual_login(request, user)
    connection.user = user
    connection.save()
    if connection.referrer_path:
        return redirect(connection.referrer_path)
    return redirect('home')
Exemplo n.º 14
0
def tokensignin(request):
    token = request.POST['idtoken']
    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            return HttpResponse("Wrong issuer")
    except (crypt.AppIdentityError):
        # Invalid token
        return HttpResponse("Invalid token")

    m = User.objects.filter(username=idinfo['email'])
    if not m.exists():
        new_user = User.objects.create_user(idinfo['email'], idinfo['email'],
                                            'opinawefoinawlkn')
        new_user.last_name = idinfo['family_name']
        new_user.first_name = idinfo['given_name']
        new_user.save()
        user_balance = UserBalance(email=idinfo['email'])
        user_balance.save()
    request.session['member_name'] = idinfo['given_name']
    request.session['member_email'] = idinfo['email']
    request.session['google_account'] = True
    return HttpResponse("ok")
Exemplo n.º 15
0
    def verify_id_token(self, token):
        idinfo = client.verify_id_token(token, self.client_id)

        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise AuthenticationError("Wrong issuer.")

        return idinfo['email']
Exemplo n.º 16
0
def validate_token():
    """
    Validate token from google
    """
    id_token = request.form['idtoken']
    idinfo = client.verify_id_token(id_token,
                                    current_app.config['GOOGLE_APP_ID'])
    user_id = idinfo['sub']
    email = idinfo['email']
    username = email
    validuser = False
    user = User(username)
    print email
    if user.is_anonymous() == True:
        error = 'Unregistered User'
        redirect = url_for('user_control.login')
    else:
        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            error = 'Wrong client'
            redirect = url_for('user_control.login')
        else:
            login_user(user)
            identity_changed.send(current_app._get_current_object(),
                                  identity=Identity(user.get_userid()))
            redirect = url_for('home.homepage')
            validuser = True
            error = 'No error'
    print error
    return json.dumps({'redirect_url': redirect, 'validuser': validuser})
Exemplo n.º 17
0
def gconnect():
    """Endpoint that authenticates user."""
    try:
        idinfo = client.verify_id_token(
            request.data, '1014623565180-lm2sl4gftjv5r8jhgikg0ti9lcldol8c'
            '.apps.googleusercontent.com')

        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise crypt.AppIdentityError("Wrong issuer.")
    except crypt.AppIdentityError:
        return (jsonify({
            'data': 'Invalid authentication issuer',
            'error': '401'
        }), 401)

    user = get_user(idinfo['email'])

    if user is None:
        user = add_user(idinfo['email'], idinfo['name'])

        if user is None:
            return (jsonify({'data': 'Internal Error', 'error': '500'}), 500)

    login_session['userid'] = user.id

    return Response({
        'user_id': user.id,
        'user_name': idinfo['name'],
        'user_picture': idinfo['picture']
    })
Exemplo n.º 18
0
def login(request):
	template = loader.get_template('search/afterlogin.html')
	if request.method=='POST':
		
		token=request.POST.get('idtoken','deftok77')
		CLIENT_ID='535075582690-pianvlpvq9lm07lbv71dh5fdgklvoe8n.apps.googleusercontent.com'
		try:
			idinfo = client.verify_id_token(token, CLIENT_ID)

    # Or, if multiple clients access the backend server:
    #idinfo = client.verify_id_token(token, None)
    #if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
    #    raise crypt.AppIdentityError("Unrecognized client.")
			if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
				raise crypt.AppIdentityError("Wrong issuer.")
			user = User.objects.create_user('luis')
			user.save()
    # If auth request is from a G Suite domain:
    #if idinfo['hd'] != GSUITE_DOMAIN_NAME:
    #    raise crypt.AppIdentityError("Wrong hosted domain.")
		except crypt.AppIdentityError:
			print("ivalid token")
		#nothing here
		# Invalid token
		user2 = User.objects.create_user('mike12')
		user2.save()
		userid=idinfo['sub']
		user3 = User.objectes.create_user(userid)
		user3.save()		
		context={'userid':userid}
		return HttpResponse(template.render(context,request))
Exemplo n.º 19
0
def resolve_google_oauth(request):
    # token should be passed as an object {'ID_Token' : id_token }
    # to this view
    token = request.GET['ID_Token']
    CLIENT_ID = os.environ.get('CLIENT_ID')  # though we need to configure this

    token.replace(" ", "")

    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)

        if 'hd' not in idinfo:
            return not_allowed()

        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            return unauthorized('Wrong Issuer')

        if idinfo['hd'] == 'andela.com' and \
            idinfo['email_verified'] == 'True' and \
            idinfo['aud'] == CLIENT_ID:
            return idinfo

    except crypt.AppIdentityError:
        return unauthorized('Invalid Token')

    return idinfo
Exemplo n.º 20
0
def oauth2callback(request):
    if request.GET.get('state') != unicode(csrf(request)['csrf_token']):
        payload = {
            'error': 'CSRF token verification failed. Your CSRF token is not valid'
        }
        return redirect('results?' + urllib.urlencode(payload))

    endpoints = requests.get('https://accounts.google.com/.well-known/openid-configuration').json()
    payload = {
        'code': request.GET.get('code'),
        'client_id': config.GOOGLE.get('clientID'),
        'client_secret': config.GOOGLE.get('clientSecret'),
        'response_type': 'code',
        'scope': 'openid email',
        'redirect_uri': config.HOST + '/google_login/oauth2callback',
        'grant_type': 'authorization_code'
    }

    r = requests.post(endpoints.get('token_endpoint'), data=payload)
    id_token = r.json().get('id_token')
    user_data = verify_id_token(id_token, config.GOOGLE.get('clientID'))
    user = get_or_create_user(user_data)
    if user is None:
        payload = {
            'error': 'Error creating user'
        }
        return redirect('results?' + urllib.urlencode(payload))
    else:
        login(request, user)
        return redirect(results)
Exemplo n.º 21
0
def verify_token():
    """Verifies the identify of the user through their oauth token

    Returns a 200 HTTP response if the token is valid
    Returns a 401 HTTP response on error.
    """
    token = request.form.get('token')
    csrftoken = request.form.get('csrftoken')
    provider = request.form.get('provider')

    if csrftoken != session['csrf']:
        response = make_response(json.dumps('Invalid CSRF token.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response
    session['csrf'] = ''
    try:
        token_info = client.verify_id_token(
            token, config.oauth['google']['client_id'])
        if token_info['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise crypt.AppIdentityError("Wrong issuer.")
        session['provider'] = 'google'
        session['name'] = token_info['name']
        session['email'] = token_info['email']
        user = User.by_email(token_info['email']) or User.create_user(session)
        session['user_id'] = user.id
        response = make_response(json.dumps('You have logged in.'), 200)
        response.headers['Content-Type'] = 'application/json'
        return response
    except crypt.AppIdentityError:
        response = make_response(json.dumps('Invalid token.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response
Exemplo n.º 22
0
def check_user(token):
    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        return True
    except crypt.AppIdentityError as e:
        print e
        return False
Exemplo n.º 23
0
def do_auth(better_data):
    pprint(better_data)
    CLIENT_ID = "711592045166-4o6ndv014o7l0jfq6dce74n3bh4l6o59.apps.googleusercontent.com"
    token = str(better_data['token'])
    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise crypt.AppIdentityError("Wrong issuer.")
            print("Wrong Issuer.")
        else:
            print("Beginning query for authen")
            # do we add a user ? i don't know. we could try
            usr = User.query.filter_by(uid=int(idinfo['sub']))
            pprint(usr)
            if usr is None or usr.count() < 0:
                print("User is not in count! Attemping to add")
                # add user
                u = User(int(idinfo['sub']), idinfo['family_name'],
                         idinfo['given_name'], idinfo['picture'])
                db.session.add(u)
                db.session.commit()
                return json.dumps({'type': 'auth', 'success': 1})
            else:
                print("User exists... now what?")
                return json.dumps({'type': 'auth', 'success': 1})
        return json.dumps({'type': 'auth', 'success': 0})
    except crypt.AppIdentityError:
        return json.dumps({'type': 'auth', 'success': 0})
Exemplo n.º 24
0
def googleOAuthTokenVerify():				# authenticate with Google for Icahn accounts
	'''from https://developers.google.com/identity/sign-in/web/backend-auth'''
	token = request.values.get('idtoken', None)
	try:
		idinfo = gauthclient.verify_id_token(token, vm_client_id)
		# If multiple clients access the backend server:
		if idinfo['aud'] not in [vm_client_id]:
			raise crypt.AppIdentityError("Unrecognized client.")
		if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
			raise crypt.AppIdentityError("Wrong issuer.")
	except crypt.AppIdentityError:
		# Invalid token
		sys.stderr.write("Bad token from client.\n")
		return None
							# okay, now we're logged in. yay!
	userid = idinfo['sub']
	useremail = idinfo['email']
	sys.stderr.write("Token sign in user: "******", ".join([useremail, userid]) + "\n")
	user = User.query.get(useremail)
	if user:					# if user has been here before
		user.authenticated=True			# log them in in DB
		db_session.add(user)
		db_session.commit()
		flask_login.login_user(user, remember=True)	# log them in in their browser
	else:
		if ('@icahn.mssm.edu' not in useremail) & ('@mssm.edu' not in useremail):	# not ISMMS account
			return 'Unauthorized e-mail address. You must be a MSSM affiliate with an @icahn.mssm.edu or @mssm.edu address!'
		else:
			user = User(email = useremail, google_token=userid)	# create new user in DB
			user.authenticated=True		# log them in in DB
			db_session.add(user)
			db_session.commit()
			flask_login.login_user(user, remember=False)	# log them in in their browser
	return useremail				# return logged in email to user
Exemplo n.º 25
0
    def post(self):
        data = json.loads(self.request.body)
        user_type = self.get_argument('user_type')
        if 'access_token' in data:
            try:
                details = client.verify_id_token(
                    data['access_token'],
                    config.GOOGLE_OAUTH2_CLIENT_ID
                )
                user = handle_user_authentication(
                    self.dbsession, details, user_type
                )

                self.session['user_type'] = user_type
                if user_type == 'admin':
                    self.session['buid'] = user.id
                    self.session['admin'] = "true"
                elif user_type in ('service_provider', 'service_user'):
                    self.session['buid'] = user.user_id
                    self.session['uid'] = user.id

                self.send_model_response(user)
            except crypt.AppIdentityError:
                self.set_status(403)
        else:
            self.set_status(400)
Exemplo n.º 26
0
    def post(self):
        """Post method for GoogleLogin resource"""
        args = self.reqparse.parse_args()
        token = args['id_token']
        try:
            idinfo = client.verify_id_token(token, CLIENT_ID)

            # Or, if multiple clients access the backend server:
            # idinfo = client.verify_id_token(token, None)
            # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
            #    raise crypt.AppIdentityError("Unrecognized client.")

            if idinfo['iss'] not in [
                    'accounts.google.com', 'https://accounts.google.com'
            ]:
                raise crypt.AppIdentityError("Wrong issuer.")

                # If auth request is from a G Suite domain:
                # if idinfo['hd'] != GSUITE_DOMAIN_NAME:
                #    raise crypt.AppIdentityError("Wrong hosted domain.")
        except crypt.AppIdentityError:
            # Invalid token
            pass
        else:
            userid = idinfo['sub']
            user, created = User.get_or_create(user_id=userid,
                                               user_type='google')
            return make_response(
                jsonify({
                    "message": "Login successful!",
                    "token": user.generate_auth_token().decode('ascii')
                }), 200)
Exemplo n.º 27
0
def validate_user_id(userId):
    # (Receive token by HTTPS POST)
    if userId == -1:
        print('USER ID ENTERED AS -1')
        return -1

    try:
        idinfo = client.verify_id_token(userId, CLIENT_ID)

        # Or, if multiple clients access the backend server:
        # idinfo = client.verify_id_token(token, None)
        # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
        #    raise crypt.AppIdentityError("Unrecognized client.")

        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise crypt.AppIdentityError("Wrong issuer.")

            # If auth request is from a G Suite domain:
            # if idinfo['hd'] != GSUITE_DOMAIN_NAME:
            #    raise crypt.AppIdentityError("Wrong hosted domain.")
    except crypt.AppIdentityError:
        print('USER ID PARSED TO -1')
        return -1

    return idinfo['sub']
Exemplo n.º 28
0
def validate(request):

    if str(Config.get('CLIENT_AUTH_ENABLED')) == 'True':

        token = request.headers.get('google_id_token')
        client_id = Config.get('ALLOWED_CLIENT_ID')

        if token is None:
            if 'google_id_token' not in request.cookies:
                raise ForbiddenException()

            token = request.cookies.get("google_id_token")

        try:
            logging.info("token: %s, client_id: %s" % (token, client_id))
            id_info = client.verify_id_token(token, client_id)
            logging.info(id_info)

            if Config.get('DOMAIN_CHECK') is True:
                if id_info.get('hd') not in Config.get('ALLOWED_DOMAIN').split(
                        ','):
                    raise ForbiddenException()

            if id_info['iss'] not in [
                    'accounts.google.com', 'https://accounts.google.com'
            ]:
                raise ForbiddenException()

        except crypt.AppIdentityError:
            # Invalid token
            raise ForbiddenException()
Exemplo n.º 29
0
    def inner(requestHandler):
        headers = requestHandler.request.headers
        if "Authorization" in headers and headers["Authorization"].split(
        )[0] == "Bearer:":
            id_token = headers["Authorization"].split()[1]
        else:
            oauth_failed(requestHandler)
            return
        try:
            idinfo = client.verify_id_token(id_token, credentials.client_id)
            if idinfo["iss"] not in [
                    "accounts.google.com", "https://accounts.google.com"
            ]:
                raise crypt.AppIdentityError("Wrong issuer.")
        except crypt.AppIdentityError:
            oauth_failed(requestHandler)
            return

        current_time = int(time.time())
        if not (int(idinfo["iat"]) < current_time
                and current_time < int(idinfo["exp"])):
            oauth_failed(requestHandler)
            return

        userid = idinfo["sub"]

        logging.debug("Request authentication success")
        return http_handler_function(requestHandler)
Exemplo n.º 30
0
  def SecurityCheck(self, func, request, *args, **kwargs):
    """Check if access should be allowed for the request."""

    try:
      auth_header = request.headers.get("Authorization", "")
      if not auth_header.startswith(self.BEARER_PREFIX):
        raise crypt.AppIdentityError("JWT token is missing.")

      token = auth_header[len(self.BEARER_PREFIX):]

      auth_domain = config.CONFIG["AdminUI.firebase_auth_domain"]
      project_id = auth_domain.split(".")[0]

      idinfo = client.verify_id_token(token, project_id, cert_uri=self.CERT_URI)

      if idinfo["iss"] != self.SECURE_TOKEN_PREFIX + project_id:
        raise crypt.AppIdentityError("Wrong issuer.")

      request.user = idinfo["email"]
    except crypt.AppIdentityError as e:
      # For a homepage, just do a pass-through, otherwise JS code responsible
      # for the Firebase auth won't ever get executed. This approach is safe,
      # because wsgiapp.HttpRequest object will raise on any attempt to
      # access uninitialized HttpRequest.user attribute.
      if request.path != "/":
        return self.AuthError("JWT token validation failed: %s" % e)

    return func(request, *args, **kwargs)
Exemplo n.º 31
0
    def google_auth(self, request):
        data = request.data

        if 'auth_token' not in data:
            return Response(status=status.HTTP_400_BAD_REQUEST)

        try:
            idinfo = client.verify_id_token(data['auth_token'], '92340928633-a2lv6k929j34994pjcfmpdm9a8kc9lme.apps.googleusercontent.com')
            # If multiple clients access the backend server:
            # if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]:
            #     raise crypt.AppIdentityError("Unrecognized client.")
            if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
                raise crypt.AppIdentityError("Wrong issuer.")
            # if idinfo['hd'] != APPS_DOMAIN_NAME:
            #     raise crypt.AppIdentityError("Wrong hosted domain.")
        except crypt.AppIdentityError as e:
            print e
            # Invalid token
        userid = idinfo['sub']

        if User.objects.filter(google_auth_id=userid).exists():
            user = User.objects.filter(google_auth_id=userid).get()
            user.save()
        else:
            serializer = self.get_serializer(data={'google_auth_id': userid, 'email': idinfo['email']})
            # try:
            serializer.is_valid(raise_exception=True)
            # except ValidationError as e:
            #     print e

            user = serializer.save()

        serializer = UserSerializer(user)
        return Response(serializer.data,status=200)
Exemplo n.º 32
0
Arquivo: views.py Projeto: aeud/sing
def login_google_callback(request):
    url = "https://www.googleapis.com/oauth2/v3/token?code="
    url += request.GET.get("code")
    url += "&client_id="
    url += settings.GA_CLIENT_ID
    url += "&client_secret="
    url += settings.GA_CLIENT_SECRET
    url += "&redirect_uri="
    url += request.build_absolute_uri(reverse("login_google_callback"))
    url += "&grant_type=authorization_code"
    r = requests.post(url)
    jwt = verify_id_token(r.json().get("id_token"), settings.GA_CLIENT_ID)
    email = jwt.get("email").lower()
    try:
        user = User.objects.get(email=email)
    except User.DoesNotExist:
        user = User(email=email)
        user.save()
    user.backend = "django.contrib.auth.backends.ModelBackend"
    try:
        connection = UserConnection.objects.get(token=request.GET.get("state"), user__isnull=True)
    except UserConnection.DoesNotExist:
        return redirect("home")
    manual_login(request, user)
    connection.user = user
    connection.save()
    if connection.referrer_path:
        return redirect(connection.referrer_path)
    return redirect("home")
Exemplo n.º 33
0
  def SecurityCheck(self, func, request, *args, **kwargs):
    """Check if access should be allowed for the request."""

    try:
      auth_header = request.headers.get("Authorization", "")
      if not auth_header.startswith(self.BEARER_PREFIX):
        raise crypt.AppIdentityError("JWT token is missing.")

      token = auth_header[len(self.BEARER_PREFIX):]

      auth_domain = config_lib.CONFIG["AdminUI.firebase_auth_domain"]
      project_id = auth_domain.split(".")[0]

      idinfo = client.verify_id_token(token, project_id, cert_uri=self.CERT_URI)

      if idinfo["iss"] != self.SECURE_TOKEN_PREFIX + project_id:
        raise crypt.AppIdentityError("Wrong issuer.")

      request.user = idinfo["email"]
    except crypt.AppIdentityError as e:
      # For a homepage, just do a pass-through, otherwise JS code responsible
      # for the Firebase auth won't ever get executed. This approach is safe,
      # because wsgiapp.HttpRequest object will raise on any attempt to
      # access uninitialized HttpRequest.user attribute.
      if request.path != "/":
        return self.AuthError("JWT token validation failed: %s" % e)

    return func(request, *args, **kwargs)
Exemplo n.º 34
0
def resolve_google_oauth(request):
    # token should be passed as an object {'ID_Token' : id_token }
    # to this view
    token = request.data.get('ID_Token')
    CLIENT_ID = os.environ.get('CLIENT_ID')

    token.replace(" ", "")

    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)

        if 'hd' not in idinfo:
            raise AuthenticationFailed('Sorry, only Andelans can sign in')

        if idinfo['hd'] != 'andela.com':
            raise AuthenticationFailed('Sorry, only Andelans can sign in')

        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise PermissionDenied('Wrong Issuer')

        if idinfo['email_verified'] == 'True' and idinfo['aud'] == CLIENT_ID:
            return idinfo

    except crypt.AppIdentityError:
        raise PermissionDenied('Invalid Token')

    return idinfo
Exemplo n.º 35
0
    def authenticate_credentials(self, token):
        User = get_user_model()

        _token = self.request.session.get('token')
        email = self.request.session.get('email')

        if token != _token:
            try:
                idinfo = client.verify_id_token(token,
                                                settings.GOOGLE_CLIENT_ID)
                auth_domains = [
                    'accounts.google.com', 'https://accounts.google.com'
                ]
                if idinfo['iss'] not in auth_domains:
                    raise crypt.AppIdentityError("Wrong issuer.")

                email = idinfo['email']
            except crypt.AppIdentityError:
                raise AuthenticationFailed('Invalid token.')

        try:
            user = User.objects.get(username=email)
            self.request.session['token'] = token
            self.request.session['email'] = email
            return (user, token)
        except User.DoesNotExist:
            raise AuthenticationFailed('User does not exist.')
Exemplo n.º 36
0
 def google_validate(self, token):
     """
     Validates if the request actually comes from Google.
     :param token:
     :return: payload in the format
         azp:GOOGLE_USER_ID, (Unused, for android app)
         aud:GOOGLE_USER_ID, (Used)
         sub: Unused (and not sure what it does)
         email: User email,
         email_verified:bool,
         at_hash: string
         iss: Always accounts.google.com
         iat: timestamp
         exp: timestamp
         name: name family name
         picture: URL,
         given_name: Name,
         family_name: Family name,
         locale: en
     """
     try:
         payload = client.verify_id_token(token, GOOGLE_USER_ID)
         if payload['iss'] not in [
                 'accounts.google.com', 'https://accounts.google.com'
         ] or payload['aud'] != GOOGLE_USER_ID:
             return False
         else:
             return payload
     except crypt.AppIdentityError:
         return False
Exemplo n.º 37
0
def gauth():
    # The POST should include `id_token`
    id_token = request.form.get('id_token', '')[:3072]

    # Verify the `id_token` using API Client Library
    idinfo = client.verify_id_token(id_token, CLIENT_ID)

    # Additional verification: See if `iss` matches Google issuer string
    if idinfo['iss'] not in ['accounts.google.com',
                             'https://accounts.google.com']:
        return make_response('Authentication failed', 401)

    id = idinfo['sub']

    # For now, we'll always store profile data after successfully
    # verifying the token and consider the user authenticated.
    store = CredentialStore.get_by_id(id)

    if store is None:
        store = CredentialStore(id=id)

    # Construct a profile object
    store.profile = {
        'id':        id,
        'imageUrl':  idinfo.get('picture', None),
        'name':      idinfo.get('name', None),
        'email':     idinfo.get('email', None)
    }
    store.put()

    session['id'] = id

    # Not making a session for demo purpose/simplicity
    return make_response('Authenticated', 200)
Exemplo n.º 38
0
def signin():
    """ This function handles the signin process """
    if request.method == 'POST':
        token = request.form['id_token']

        try:
            idinfo = client.verify_id_token(
                token, '1072405718300-7kdr08dkvn4hkg' +
                'ceimh4c7p679rbsmol.apps.goog' + 'leusercontent.com')

            if idinfo['iss'] not in [
                    'accounts.google.com', 'https://accounts.google.com'
            ]:
                raise crypt.AppIdentityError("Wrong issuer.")

        except crypt.AppIdentityError:
            return 'Error AppIdentityError'

        userid = idinfo['sub']
        username = idinfo['name']
        user_exists = db_get('SELECT id, name FROM users WHERE' + ' id = ? ',
                             [userid])

        if not user_exists:
            db_insert('INSERT INTO users VALUES (?, ?)', [(username, userid)])
            user_exists = db_get(
                'SELECT id, name FROM users WHERE' + ' id = ? ', [userid])

        user = User(user_exists[0][0], user_exists[0][1])
        login_user(user)

    return redirect(url_for('landing_page'))
Exemplo n.º 39
0
    def _google_authenticate(self, token_id):
        try:
            id_info = client.verify_id_token(token_id, GOOGLE_SSO_CLIENT_ID)
        except crypt.AppIdentityError as error:
            flask.abort(401, "Mauvais jeton d'authentification : %s" % error)
        if id_info.get('iss') not in _GOOGLE_SSO_ISSUERS:
            flask.abort(
                401, "Fournisseur d'authentification invalide : %s." %
                id_info.get('iss', '<none>'))

        response = user_pb2.AuthResponse()
        user_dict = self._db.user.find_one({'googleId': id_info['sub']})
        user_id = str(user_dict['_id']) if user_dict else ''
        if proto.parse_from_mongo(user_dict, response.authenticated_user):
            response.authenticated_user.user_id = user_id
        else:
            self._assert_user_not_existing(id_info['email'])
            response.authenticated_user.profile.email = id_info['email']
            response.authenticated_user.profile.picture_url = id_info.get(
                'picture', '')
            response.authenticated_user.google_id = id_info['sub']
            self._save_new_user(response.authenticated_user)
            response.is_new_user = True

        return response
Exemplo n.º 40
0
def login():
    # To verify using ID Token and send access, refresh tokens

    content=request.get_json(force=True)
    token=content['idToken']
    print(token)

    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise crypt.AppIdentityError("Wrong issuer.")
    except crypt.AppIdentityError:
        #Invalid ID token
        return 'fail'

    print(idinfo['sub'])

    #Create refresh and access token
    refreshKey=random.getrandbits(32);
    secs=int(time.time())
    refreshToken = jwt.encode({'refreshSecret': refreshKey}, SIGNING_SECRET_KEY, algorithm='HS256')
    accessToken = jwt.encode( {'userID': idinfo['sub'],'iat':secs,'exp':secs+3000}, SIGNING_SECRET_KEY, algorithm='HS256')
    print('refreshtoken')
    print(refreshToken)
    #New User
    if not user_datastore.find_user(userID=idinfo['sub']):
        user_datastore.create_user(email=idinfo['email'], picture=idinfo['picture'], userID=idinfo['sub'], name=idinfo['name'], refreshSecret=refreshKey)
        print('new user created')
        return refreshToken
    #Existing User
    else :
        user=user_datastore.find_user(userID=idinfo['sub'])
        refreshKey=user.refreshSecret
        print(refreshKey)
        return jwt.encode({'refreshSecret': refreshKey}, SIGNING_SECRET_KEY, algorithm='HS256')
Exemplo n.º 41
0
def get_info_from_google(token = None):
  try:
    if session['signin_party'] != 'google':
      print 'login_required: Do not verified by Google.'
      return False, {}
  except KeyError:
    print 'login_required: signin_party is missed.'
    return False, {}
  
  if token == None:
    try:
      token = session['token']
    except KeyError:
      print 'login_required: token is missed.'
      return False, {}
  
  try:
    idinfo = client.verify_id_token(token, config.CLIENT_ID)
    # If multiple clients access the backend server:
    #if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]:
    #    raise crypt.AppIdentityError("Unrecognized client.")
    if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
        raise crypt.AppIdentityError("Wrong issuer.")
    #if idinfo['hd'] != APPS_DOMAIN_NAME:
    #    raise crypt.AppIdentityError("Wrong hosted domain.")
  except crypt.AppIdentityError as e:
      # Invalid token
      print e
      return False, {}
  
  return True, idinfo
    def process_request(self, request):

        # do not affect the admin api requests
        if request.get_full_path().startswith('/admin'):
            return None

        try:
            google_sign_in_token = request.META['HTTP_' + GOOGLE_SIGN_IN_TOKEN_HEADER]

            # verify the google id token
            user_info = client.verify_id_token(google_sign_in_token, GOOGLE_OAUTH_WEB_CLIENT_ID)
            if user_info['aud'] != GOOGLE_OAUTH_WEB_CLIENT_ID:
                raise crypt.AppIdentityError("unrecognized client")
            if user_info['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
                raise crypt.AppIdentityError("wrong issuer")

            email = user_info['email']
            if not email:
                return self.unauthorize()

            request.META['jrn-email'] = email

            # for all apis, except user creation, verify the requested user exists in db
            if not request.get_full_path().startswith('/users') or request.method != 'POST':
                user = User.objects.filter(email=email)
                if user:
                    request.META['jrn-user-id'] = user[0].user_id
                else:
                    return self.unauthorize()

            return None  # return None to continue with middleware and handling the request

        except Exception as e:
            return self.unauthorize()
Exemplo n.º 43
0
def gSignin():
	token = request.data
	try:
	    idinfo = client.verify_id_token(token, CLIENT_ID)
	    if idinfo['aud'] not in [WEB_CLIENT_ID]:
	        raise crypt.AppIdentityError("Unrecognized client.")
	    if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
	        raise crypt.AppIdentityError("Wrong issuer.")
	except crypt.AppIdentityError:
		return json.dumps('No se pudo ingresar al sistema')

	userid = idinfo['sub']
	user = sess.query(User).filter(User.guid == userid).first()
	if user != None:

		session['user_id'] = user.id
		session['guid'] = user.guid
		session['gfolder'] = user.gfolder

		flash('Bienvenido %s' % user.name)

		return json.dumps("%s" % user.name)
	else:
		session['error'] = "eroor"
		return redirect(url_for('auth.signin'))
Exemplo n.º 44
0
def authenticating(request):
    #connect to our local mongodb
    print "About to Authenticate user"
    if request.method == 'GET':
        #get our collection
        print "Inside GET"
        return HttpResponse("OK")
    elif request.method == 'POST':
        #get data from the request and insert the record
        print "Inside POST"
        print request.body
        print "PRINTED PAYLOAD"
        received_json_data=json.loads(request.body)
        token = received_json_data.get("token",False)
        print token
        CLIENT_ID = "979314773329-m6j6e9la8u2o9rt15q8655uqnuuolko5.apps.googleusercontent.com"
        ANDROID_CLIENT_ID = "979314773329-e7kl7cavu9e85hclbbfscruhmtb4t685.apps.googleusercontent.com"
        IOS_CLIENT_ID = ' '
        WEB_CLIENT_ID = ' '
        try:
            idinfo = client.verify_id_token(token, CLIENT_ID)
            if idinfo['aud'] not in [ANDROID_CLIENT_ID, IOS_CLIENT_ID, WEB_CLIENT_ID]:
                raise crypt.AppIdentityError("Unrecognized client.")
            if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
                raise crypt.AppIdentityError("Wrong issuer.")
            if idinfo['hd'] != APPS_DOMAIN_NAME:
                raise crypt.AppIdentityError("Wrong hosted domain.")
        except crypt.AppIdentityError:
            traceback.print_exc()
            # Invalid token
            print "Returning Failure of user auth"
            return HttpResponse("ERROR")
        userid = idinfo['sub']
        print "Returning Success of user auth"    
        return HttpResponse(userid)
Exemplo n.º 45
0
def verify_google_id_token(id_token):
    """
    Verifies if id_token is a valid google account token
    :param id_token: 
    :return: None or sub
    """

    try:
        # id_info = client.verify_id_token(id_token, CLIENT_ID)

        # Or, if multiple clients access the backend server:
        id_info = client.verify_id_token(id_token, None)
        # if id_info['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
        #    raise crypt.AppIdentityError("Unrecognized client.")

        if id_info['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise crypt.AppIdentityError("Wrong issuer.")

            # If auth request is from a G Suite domain:
            # if idinfo['hd'] != GSUITE_DOMAIN_NAME:
            #    raise crypt.AppIdentityError("Wrong hosted domain.")
    except crypt.AppIdentityError:
        # Invalid token
        return None
    user_id = id_info['sub']
    return user_id
Exemplo n.º 46
0
def _validate_gapi_token(token):
    import api_helper
    idinfo = client.verify_id_token(token, api_helper.API_CLIENT_ID)
    now = anticsrf.microtime()

    for key in ["exp", "iat"]:
        idinfo[key] *= (10**6)  # to microseconds from seconds

    # print("idinfo:", idinfo)
    if idinfo["iss"] not in [
            "accounts.google.com", "https://accounts.google.com"
    ]:
        raise crypt.AppIdentityError("Token has wrong issuer: {}".format(
            idinfo["iss"]))

    elif ((not DEV_VARS["no_check_timestamp"]) and (idinfo["iat"] >= now)
          or (idinfo["exp"] <= now)):
        raise client.AccessTokenCredentialsError(
            "Token has expired or invalid timestamps: issued-at {} expires {}".
            format(idinfo["iat"], idinfo["exp"]))

    elif idinfo["aud"] != api_helper.API_CLIENT_ID:
        # or idinfo["azd"] != API_CLIENT_ID:
        raise crypt.AppIdentityError("Token has wrong API token id")

    hd = None
    if "hd" in idinfo:
        hd = idinfo["hd"]

    idinfo["is_elevated"] = \
        api_helper.is_elevated_id(idinfo["email"], hd=hd)
    # print(idinfo)

    return idinfo
Exemplo n.º 47
0
    def authenticate(self, token=None):
        try:
            idinfo = client.verify_id_token(token, settings.GOOGLE_CLIENT_ID)

            if idinfo['iss'] not in [
                    'accounts.google.com', 'https://accounts.google.com'
            ]:
                raise crypt.AppIdentityError("Wrong issuer.")
        except crypt.AppIdentityError:
            return None

        user = User.objects.filter(email=idinfo['email']).first()
        if not user:
            user = User.objects.create(username=idinfo['sub'],
                                       email=idinfo['email'])
            user.is_active = idinfo['email_verified']
            user.set_unusable_password()
            user.username_set = False
            user.save()
            user.profile.first_name = idinfo['given_name']
            user.profile.last_name = idinfo['family_name']
            user.profile.email_confirmed = idinfo['email_verified']
            user.profile.save()

        return user
Exemplo n.º 48
0
def google_auth():
    try:
        data = json.loads(request.data.decode())
        idinfo = client.verify_id_token(
            data['data'],
            '192085420693-gnet8a4sjhn89ll6ejjho1tudv3l2oaa.apps.googleusercontent.com'
        )
        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            raise crypt.AppIdentityError("Wrong issuer.")
        else:
            userid = idinfo['sub']
            registered_user = User.query.filter_by(
                email=idinfo['email']).first()
            if not registered_user:
                user = User(email=idinfo['email'])
                db.session.add(user)
                db.session.commit()
                registered_user = User.query.filter_by(
                    email=idinfo['email']).first()

            return login_registered_user(registered_user)

    except crypt.AppIdentityError:
        return json.dumps({'message': 'Invalid token'}), 400
Exemplo n.º 49
0
def validate_oauth_token(token):
    """Validate the token code from a mobile client SSO login, then return the user's DRF token
    for use in authenticating future requests to this API.

    https://developers.google.com/identity/sign-in/android/backend-auth#using-a-google-api-client-library
    """
    try:
        idinfo = client.verify_id_token(token, settings.GOOGLE_OAUTH_CLIENT_ID)
        if idinfo['aud'] not in [settings.GOOGLE_OAUTH_CLIENT_ID]:
            return JsonResponse({'error': 'Unrecognized client.'},
                                status=status.HTTP_403_FORBIDDEN)
        if idinfo['iss'] not in [
                'accounts.google.com', 'https://accounts.google.com'
        ]:
            return JsonResponse({'error': 'Wrong issuer.'},
                                status=status.HTTP_403_FORBIDDEN)
        # have a good token; get API token now
        user = authenticate(**idinfo)
        if user:
            logger.debug('validated SSO token code for user: {email}'.format(
                email=user.email))
            token, created = Token.objects.get_or_create(user=user)
            return Response({'token': token.key, 'user': token.user_id})
        else:
            return JsonResponse(
                {'error': 'This login is not valid in this application'},
                status=status.HTTP_403_FORBIDDEN)
    except crypt.AppIdentityError:
        return JsonResponse({'error': 'Invalid token'},
                            status=status.HTTP_403_FORBIDDEN)
    def test_verify_id_token_with_certs_uri(self):
        jwt = self._create_signed_jwt()

        http = HttpMockSequence([({"status": "200"}, datafile("certs.json"))])

        contents = verify_id_token(jwt, "*****@*****.**", http)
        self.assertEqual("billy bob", contents["user"])
        self.assertEqual("data", contents["metadata"]["meta"])
Exemplo n.º 51
0
def fetch_info_from_login_token(token):
    google_api_shmidusic_project_id = "521166378127-6hmr4e9rspkj2amipftmkt4qukb1ljr4.apps.googleusercontent.com"
    try:
        user_info = client.verify_id_token(token, google_api_shmidusic_project_id)
        return user_info
    except crypt.AppIdentityError as exc:
        # log maybe?
        return None
Exemplo n.º 52
0
def signIn():
	data = request.get_json()
	provider_user = {}
	if(data["provider"] == "google"):
		provider_user = client.verify_id_token(data['id'], '1058234090303-derenhna8oi3h32bf47j77rqtrfalrcd.apps.googleusercontent.com')
		user = User(name="<name>", provider="google", provider_id=provider_user['sub'])

	create_user_if_needed(user)
	
	return jsonify(provider_user)
Exemplo n.º 53
0
def verify():
    id_token = request.headers.get('Authorization')
    if not id_token:
        abort(400)
    try:
        jwt = verify_id_token(id_token, app.config.get('GOOGLE_ID'))
        return jsonify(jwt)
    except AppIdentityError as e:
        print "error", e
        abort(403)
Exemplo n.º 54
0
def verify_email_from_request():
    if DEBUG:
        return
    token = request.cookies.get('starbook-token') or (request.json and request.json.pop('starbook-token'))
    google_email = client.verify_id_token(token, CLIENT_ID)['email']
    request_email = request.json.get(PERSON_UNIQUE_KEY, None)
    if request_email is None:
        return
    if request_email != google_email and google_email not in ADMINS:
        return jsonify({'error': 'You are not allowed to do that'}), 403
Exemplo n.º 55
0
    def get(self):
        user_type = self.get_argument('user_type', None)
        next_url = self.get_argument('next', None)

        if next_url:
            self.session['next'] = next_url
            #self.set_secure_cookie('next', next_url)

        if user_type:
            self.session['user_type'] = user_type
            #self.set_secure_cookie('user_type', user_type)

        if self.get_argument('code', False):
            user = yield self.get_authenticated_user(
                redirect_uri=self.REDIRECT_URL,
                code=self.get_argument('code'))

            try:
                details = client.verify_id_token(
                    user['id_token'],
                    config.GOOGLE_OAUTH2_CLIENT_ID
                )
                user_type = self.session['user_type']
                user = handle_user_authentication(
                    self.dbsession, details, user_type
                )

                #self.session['user_type'] = user_type
                if user_type == 'admin':
                    self.session['buid'] = user.id
                    self.session['uid'] = user.id
                    self.session['admin'] = "true"
                elif user_type in ('service_provider', 'service_user'):
                    self.session['buid'] = user.user_id
                    self.session['uid'] = user.id

                next_url = self.session['next']
                if next_url:
                    self.redirect(next_url)
                else:
                    self.send_model_response(user)

            except crypt.AppIdentityError:
                self.set_status(403)
            except AppException:
                self.set_status(400)
                self.write('User is not admin')
        else:
            yield self.authorize_redirect(
                redirect_uri=self.REDIRECT_URL,
                client_id=self.settings['google_oauth']['key'],
                scope=['email', 'profile'],
                response_type='code',
                extra_params={'approval_prompt': 'auto'})
  def test_verify_id_token_with_certs_uri(self):
    jwt = self._create_signed_jwt()

    http = HttpMockSequence([
      ({'status': '200'}, datafile('certs.json')),
      ])

    contents = verify_id_token(jwt,
        '*****@*****.**', http=http)
    self.assertEqual('billy bob', contents['user'])
    self.assertEqual('data', contents['metadata']['meta'])
 def verify(self, id_token):
     try:
         idinfo = client.verify_id_token(id_token, self._client_id)
         # If multiple clients access the backend server:
         if idinfo['aud'] not in self._client_ids:
             raise crypt.AppIdentityError("Unrecognized client.")
         if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
             raise crypt.AppIdentityError("Wrong issuer.")
     except crypt.AppIdentityError:
         return (False, None)
     return (True, idinfo)
Exemplo n.º 58
0
def getIdInfo(token):
    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        if idinfo['aud'] not in [CLIENT_ID]:
            # raise crypt.AppIdentityError("Unrecognized client.")
            return None
        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            # raise crypt.AppIdentityError("Wrong issuer.")
            return None
    except crypt.AppIdentityError:
        return None
    return idinfo
Exemplo n.º 59
0
def request_google_auth_service(client_id, token):
    idinfo = client.verify_id_token(token, client_id)
    if idinfo['aud'] not in GOOGLE_ACCEPT_CLIENT_IDS:
        raise crypt.AppIdentityError("Unrecognized client.")
    if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
        raise crypt.AppIdentityError("Wrong issuer.")
    idinfo['uid'] = idinfo['sub']
    for (x, y) in (('name', 'username'), ('given_name', 'first_name'), ('family_name', 'last_name')):
        idinfo[y] = idinfo[x] if x in idinfo else ''
    idinfo['provider'] = 'google-oauth2'
    logger.debug('idinfo = {}'.format(idinfo))
    return idinfo