def check_oauth_token():
global_context.url = request.url
exclude_paths = [
"/v1/device/code",
"/v1/device/activate",
"/api/account",
"/v1/auth/token",
"/v1/auth/callback",
"/v1/user/stripe/webhook",
]
exclude = any(request.path.startswith(path) for path in exclude_paths)
if not exclude:
headers = request.headers
if "Authorization" not in headers:
raise AuthenticationError("Oauth token not found")
token_header = headers["Authorization"]
device_authenticated = False
if token_header.startswith("Bearer "):
token = token_header[len("Bearer "):]
session = current_app.config["SELENE_CACHE"].get(
"device.token.access:{access}".format(access=token))
if session:
device_authenticated = True
if not device_authenticated:
raise AuthenticationError("device not authorized")
def _decode_refresh_token(self):
"""Decode the JWT to get the account ID and check for errors."""
self.refresh_token.validate()
if not self.refresh_token.is_valid:
raise AuthenticationError('invalid refresh token')
if self.refresh_token.is_expired:
raise AuthenticationError('authentication tokens expired')
def _get_account_by_email(self):
"""Use email returned by the authentication platform for validation"""
if self.email_address is None:
raise AuthenticationError('could not retrieve email from provider')
acct_repository = AccountRepository(self.db)
self.account = acct_repository.get_account_by_email(self.email_address)
if self.account is None:
raise AuthenticationError('no account found for provided email')
def get(self):
headers = self.request.headers
if 'Authorization' not in headers:
raise AuthenticationError('Oauth token not found')
token_header = self.request.headers['Authorization']
if token_header.startswith('Bearer '):
refresh = token_header[len('Bearer '):]
session = self._refresh_session_token(refresh)
# Trying to fetch a session using the refresh token
if session:
response = session, HTTPStatus.OK
else:
device = self.request.headers.get('Device')
if device:
# trying to fetch a session using the device uuid
session = self._refresh_session_token_device(device)
if session:
response = session, HTTPStatus.OK
else:
response = '', HTTPStatus.UNAUTHORIZED
else:
response = '', HTTPStatus.UNAUTHORIZED
else:
response = '', HTTPStatus.UNAUTHORIZED
return response
def _get_auth_tokens(self):
self.access_token.jwt = self.request.cookies.get(
ACCESS_TOKEN_COOKIE_NAME
)
self.refresh_token.jwt = self.request.cookies.get(
REFRESH_TOKEN_COOKIE_NAME
)
if self.access_token.jwt is None and self.refresh_token.jwt is None:
raise AuthenticationError('no authentication tokens found')
def _validate_account(self, account_id: str):
"""Account must exist and contain have a refresh token matching request.
:raises: AuthenticationError
"""
if self.account is None:
_log.error('account ID {} not on database'.format(account_id))
raise AuthenticationError('account not found')
else:
global_context.account_id = self.account.id
def _authenticate(self, device_id: str = None):
headers = self.request.headers
if "Authorization" not in headers:
raise AuthenticationError("Oauth token not found")
token_header = self.request.headers["Authorization"]
device_authenticated = False
if token_header.startswith("Bearer "):
token = token_header[len("Bearer "):]
session = self.cache.get(
"device.token.access:{access}".format(access=token))
if session is not None:
session = json.loads(session)
device_uuid = session["uuid"]
global_context.device_id = device_uuid
self.device_id = device_uuid
if device_id is not None:
device_authenticated = device_id == device_uuid
else:
device_authenticated = True
if not device_authenticated:
raise AuthenticationError("device not authorized")
def check_oauth_token():
global_context.url = request.url
exclude_paths = [
'/v1/device/code', '/v1/device/activate', '/api/account',
'/v1/auth/token', '/v1/auth/callback', '/v1/user/stripe/webhook'
]
exclude = any(request.path.startswith(path) for path in exclude_paths)
if not exclude:
headers = request.headers
if 'Authorization' not in headers:
raise AuthenticationError('Oauth token not found')
token_header = headers['Authorization']
device_authenticated = False
if token_header.startswith('Bearer '):
token = token_header[len('Bearer '):]
session = current_app.config['SELENE_CACHE'].get(
'device.token.access:{access}'.format(access=token))
if session:
device_authenticated = True
if not device_authenticated:
raise AuthenticationError('device not authorized')
def _authenticate(self, device_id: str = None):
headers = self.request.headers
if 'Authorization' not in headers:
raise AuthenticationError('Oauth token not found')
token_header = self.request.headers['Authorization']
device_authenticated = False
if token_header.startswith('Bearer '):
token = token_header[len('Bearer '):]
session = self.cache.get(
'device.token.access:{access}'.format(access=token))
if session is not None:
session = json.loads(session)
device_uuid = session['uuid']
global_context.device_id = device_uuid
self.device_id = device_uuid
if device_id is not None:
device_authenticated = (device_id == device_uuid)
else:
device_authenticated = True
if not device_authenticated:
raise AuthenticationError('device not authorized')
def _validate_auth_tokens(self):
"""Ensure the tokens are passed in request and are well formed."""
self._get_auth_tokens()
self._decode_access_token()
if self.access_token.is_expired:
self._decode_refresh_token()
account_not_found = (
self.access_token.account_id is None and
self.refresh_token.account_id is None
)
if account_not_found:
raise AuthenticationError(
'failed to retrieve account ID from authentication tokens'
)
return self.access_token.account_id or self.refresh_token.account_id
def _decode_access_token(self):
"""Decode the JWT to get the account ID and check for errors."""
self.access_token.validate()
if not self.access_token.is_valid:
raise AuthenticationError('invalid access token')