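def get_current_user():
    """Get the current logged in user, or None.

    Identity sources are tried in a fixed order and the first hit wins:
      1. local development: a fixed placeholder User (no authentication);
      2. the LOAS peer-username header, only when `enable_loas` is configured;
      3. an IAP-asserted email taken from the request (get_iap_email);
      4. an OAuth email already stored on the request cache (`_oauth_email`);
      5. an email cached by an earlier call during this same request;
      6. the Firebase session cookie, whose decoded claims are validated below.

    Returns:
      A User for the authenticated principal, or None when no source yields a
      trusted identity (no cookie, undecodable cookie, disallowed provider,
      unverified email, or missing email claim).
    """
    if environment.is_local_development():
        return User('user@localhost')

    current_request = request_cache.get_current_request()
    if local_config.AuthConfig().get('enable_loas'):
        # The header value is trusted verbatim. That is only safe when the
        # serving front end strips client-supplied X-AppEngine-* headers;
        # NOTE(review): confirm this holds wherever `enable_loas` is turned on.
        loas_user = current_request.headers.get(
            'X-AppEngine-LOAS-Peer-Username')
        if loas_user:
            return User(loas_user + '@google.com')

    iap_email = get_iap_email(current_request)
    if iap_email:
        return User(iap_email)

    # Both attributes are read with getattr so a backing object that never had
    # them set simply yields None. They are presumably populated only after the
    # corresponding credential was verified elsewhere — TODO confirm.
    cache_backing = request_cache.get_cache_backing()
    oauth_email = getattr(cache_backing, '_oauth_email', None)
    if oauth_email:
        return User(oauth_email)

    cached_email = getattr(cache_backing, '_cached_email', None)
    if cached_email:
        return User(cached_email)

    session_cookie = get_session_cookie()
    if not session_cookie:
        return None

    # Decode the cookie value read above (no second read from the request).
    # Everything below trusts decode_claims to have rejected tampered or
    # expired cookies by raising AuthError — TODO confirm that contract.
    try:
        decoded_claims = decode_claims(session_cookie)
    except AuthError:
        logs.log_warn('Invalid session cookie.')
        return None

    # Only identities from explicitly allowed Firebase providers are accepted.
    # A missing `sign_in_provider` claim (None) is never in the list and is
    # therefore rejected too.
    allowed_firebase_providers = local_config.ProjectConfig().get(
        'firebase.auth_providers', ['google.com'])
    firebase_info = decoded_claims.get('firebase', {})
    sign_in_provider = firebase_info.get('sign_in_provider')

    if sign_in_provider not in allowed_firebase_providers:
        logs.log_error(f'Firebase provider {sign_in_provider} is not enabled.')
        return None

    # Per https://docs.github.com/en/authentication/
    #       keeping-your-account-and-data-secure/authorizing-oauth-apps
    # GitHub requires emails to be verified before an OAuth app can be
    # authorized, so we make an exception. This widens trust: a claim without
    # `email_verified` is accepted purely on the strength of GitHub's policy,
    # and only when 'github.com' has already passed the allowlist check above.
    if (not decoded_claims.get('email_verified')
            and sign_in_provider != 'github.com'):
        return None

    email = decoded_claims.get('email')
    if not email:
        return None

    # Cache the validated email for the remainder of this request so repeated
    # get_current_user() calls skip the cookie work above.
    setattr(cache_backing, '_cached_email', email)
    return User(email)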
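def get_current_user():
    """Get the current logged in user, or None.

    Identity sources are tried in a fixed order and the first hit wins:
      1. local development: a fixed placeholder User (no authentication);
      2. the LOAS peer-username header, only when `enable_loas` is configured;
      3. an IAP-asserted email taken from the request (get_iap_email);
      4. an OAuth email already stored on the request cache (`_oauth_email`);
      5. an email cached by an earlier call during this same request;
      6. the Firebase session cookie, whose decoded claims are checked below.

    Returns:
      A User for the authenticated principal, or None when no source yields a
      trusted identity (no cookie, undecodable cookie, unverified email, or
      missing email claim).
    """
    if environment.is_local_development():
        return User('user@localhost')

    current_request = request_cache.get_current_request()
    if local_config.AuthConfig().get('enable_loas'):
        # The header value is trusted verbatim. That is only safe when the
        # serving front end strips client-supplied X-AppEngine-* headers;
        # NOTE(review): confirm this holds wherever `enable_loas` is turned on.
        loas_user = current_request.headers.get(
            'X-AppEngine-LOAS-Peer-Username')
        if loas_user:
            return User(loas_user + '@google.com')

    iap_email = get_iap_email(current_request)
    if iap_email:
        return User(iap_email)

    # Both attributes are read with getattr so a backing object that never had
    # them set simply yields None. They are presumably populated only after the
    # corresponding credential was verified elsewhere — TODO confirm.
    cache_backing = request_cache.get_cache_backing()
    oauth_email = getattr(cache_backing, '_oauth_email', None)
    if oauth_email:
        return User(oauth_email)

    cached_email = getattr(cache_backing, '_cached_email', None)
    if cached_email:
        return User(cached_email)

    session_cookie = get_session_cookie()
    if not session_cookie:
        return None

    # Decode the cookie value read above (no second read from the request).
    # Everything below trusts decode_claims to have rejected tampered or
    # expired cookies by raising AuthError — TODO confirm that contract.
    try:
        decoded_claims = decode_claims(session_cookie)
    except AuthError:
        logs.log_warn('Invalid session cookie.')
        return None

    # NOTE(review): there is no check on the Firebase `sign_in_provider` here,
    # so a verified email from any provider enabled on the Firebase project is
    # accepted. Restrict providers via an allowlist if that is not intended.
    if not decoded_claims.get('email_verified'):
        return None

    email = decoded_claims.get('email')
    if not email:
        return None

    # Cache the validated email for the remainder of this request so repeated
    # get_current_user() calls skip the cookie work above.
    setattr(cache_backing, '_cached_email', email)
    return User(email)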
def get_session_cookie():
    """Return the raw 'session' cookie of the current request, or None.

    The value is returned as sent by the client; it is not decoded or
    verified here, callers must validate it before trusting it.
    """
    cookies = request_cache.get_current_request().cookies
    return cookies.get('session')