def verify_data(self, response):
bot_token = self.setting('BOT_TOKEN')
if bot_token is None:
raise AuthMissingParameter('telegram',
'SOCIAL_AUTH_TELEGRAM_BOT_TOKEN')
received_hash_string = response.get('hash')
auth_date = response.get('auth_date')
if received_hash_string is None or auth_date is None:
raise AuthMissingParameter('telegram', 'hash or auth_date')
data_check_string = [
'{}={}'.format(k, v) for k, v in response.items() if k != 'hash'
]
data_check_string = '\n'.join(sorted(data_check_string))
secret_key = hashlib.sha256(bot_token.encode()).digest()
built_hash = hmac.new(secret_key,
msg=data_check_string.encode(),
digestmod=hashlib.sha256).hexdigest()
current_timestamp = int(time.time())
auth_timestamp = int(auth_date)
if current_timestamp - auth_timestamp > 86400:
raise AuthFailed('telegram', 'Auth date is outdated')
if built_hash != received_hash_string:
raise AuthFailed('telegram', 'Invalid hash supplied')
def auth_complete(self, *args, **kwargs):
self.verify_auth_sig()
response = self.get_response()
fields = ('uid', 'first_name', 'last_name', 'name') + \
self.setting('EXTRA_USER_DATA_LIST', ())
data = {
'method': 'users.getInfo',
'uids': '{0}'.format(response['logged_user_id']),
'fields': ','.join(fields),
}
client_key, client_secret = self.get_key_and_secret()
public_key = self.setting('PUBLIC_NAME')
details = odnoklassniki_api(self, data, response['api_server'],
public_key, client_secret,
'iframe_nosession')
if len(details) == 1 and 'uid' in details[0]:
details = details[0]
auth_data_fields = self.setting('EXTRA_AUTH_DATA_LIST',
('api_server', 'apiconnection',
'session_key', 'authorized',
'session_secret_key'))
for field in auth_data_fields:
details[field] = response[field]
details['extra_data_list'] = fields + auth_data_fields
kwargs.update({'backend': self, 'response': details})
else:
raise AuthFailed(self, 'Cannot get user details: API error')
return self.strategy.authenticate(*args, **kwargs)
def auth_complete(self, *args, **kwargs):
"""
The user has been redirected back from the IdP and we should
now log them in, if everything checks out.
"""
idp_name = self.strategy.request_data()['RelayState']
idp = self.get_idp(idp_name)
auth = self._create_saml_auth(idp)
auth.process_response()
errors = auth.get_errors()
if errors or not auth.is_authenticated():
reason = auth.get_last_error_reason()
raise AuthFailed(
self, 'SAML login failed: {0} ({1})'.format(errors, reason))
attributes = auth.get_attributes()
attributes['name_id'] = auth.get_nameid()
self._check_entitlements(idp, attributes)
response = {
'idp_name': idp_name,
'attributes': attributes,
'session_index': auth.get_session_index(),
}
kwargs.update({'response': response, 'backend': self})
return self.strategy.authenticate(*args, **kwargs)
def process_error(self, data):
if data.get('error'):
if data['error'] == 'denied' or data['error'] == 'access_denied':
raise AuthCanceled(self, data.get('error_description', ''))
raise AuthFailed(self,
data.get('error_description') or data['error'])
elif 'denied' in data:
raise AuthCanceled(self, data['denied'])
def process_error(self, data):
"""
All errors from Untappd are contained in the 'meta' key of the
response.
"""
response_code = data.get('meta', {}).get('http_code')
if response_code is not None and response_code != requests.codes.ok:
raise AuthFailed(self, data['meta']['error_detail'])
def process_error(self, data):
error_code = data.get('errorCode') or \
data.get('statusCode') or \
data.get('error')
error_message = data.get('errorMessage') or \
data.get('statusMessage') or \
data.get('error_description')
if error_code is not None or error_message is not None:
raise AuthFailed(self, error_message or error_code)
def process_error(self, data):
if not data:
raise AuthException(self, 'OpenID relying party endpoint')
elif data.status == FAILURE:
raise AuthFailed(self, data.message)
elif data.status == CANCEL:
raise AuthCanceled(self)
elif data.status != SUCCESS:
raise AuthUnknownError(self, data.status)
def auth_complete(self, *args, **kwargs):
"""Completes loging process, must return user instance"""
if 'assertion' not in self.data:
raise AuthMissingParameter(self, 'assertion')
response = self.get_json('https://browserid.org/verify', data={
'assertion': self.data['assertion'],
'audience': self.strategy.request_host()
}, method='POST')
if response.get('status') == 'failure':
raise AuthFailed(self)
kwargs.update({'response': response, 'backend': self})
return self.strategy.authenticate(*args, **kwargs)
def user_data(self, access_token, *args, **kwargs):
"""Loads user data from service"""
user_data = super(GithubMemberOAuth2,
self).user_data(access_token, *args, **kwargs)
try:
self.request(self.member_url(user_data),
params={'access_token': access_token})
except HTTPError as err:
# if the user is a member of the organization, response code
# will be 204, see http://bit.ly/ZS6vFl
if err.response.status_code != 204:
raise AuthFailed(self,
'User doesn\'t belong to the organization')
return user_data
def auth_complete(self, *args, **kwargs):
"""Completes login process, must return user instance"""
self.process_error(self.data)
access_token = None
key, secret = self.get_key_and_secret()
try:
shop_url = self.data.get('shop')
self.shopifyAPI.Session.setup(api_key=key, secret=secret)
shopify_session = self.shopifyAPI.Session(shop_url, self.data)
access_token = shopify_session.token
except self.shopifyAPI.ValidationException:
raise AuthCanceled(self)
else:
if not access_token:
raise AuthFailed(self, 'Authentication Failed')
return self.do_auth(access_token, shop_url, shopify_session.url, *args,
**kwargs)
def odnoklassniki_api(backend, data, api_url, public_key, client_secret,
request_type='oauth'):
"""Calls Odnoklassniki REST API method
https://apiok.ru/wiki/display/ok/Odnoklassniki+Rest+API"""
data.update({
'application_key': public_key,
'format': 'JSON'
})
if request_type == 'oauth':
data['sig'] = odnoklassniki_oauth_sig(data, client_secret)
elif request_type == 'iframe_session':
data['sig'] = odnoklassniki_iframe_sig(data,
data['session_secret_key'])
elif request_type == 'iframe_nosession':
data['sig'] = odnoklassniki_iframe_sig(data, client_secret)
else:
msg = 'Unknown request type {0}. How should it be signed?'
raise AuthFailed(backend, msg.format(request_type))
return backend.get_json(api_url + 'fb.do', params=data)
def request(self, url, method='GET', *args, **kwargs):
kwargs.setdefault('headers', {})
if self.setting('VERIFY_SSL') is not None:
kwargs.setdefault('verify', self.setting('VERIFY_SSL'))
kwargs.setdefault(
'timeout',
self.setting('REQUESTS_TIMEOUT')
or self.setting('URLOPEN_TIMEOUT'))
if self.SEND_USER_AGENT and 'User-Agent' not in kwargs['headers']:
kwargs['headers']['User-Agent'] = self.setting('USER_AGENT') or \
user_agent()
try:
if self.SSL_PROTOCOL:
session = SSLHttpAdapter.ssl_adapter_session(self.SSL_PROTOCOL)
response = session.request(method, url, *args, **kwargs)
else:
response = request(method, url, *args, **kwargs)
except ConnectionError as err:
raise AuthFailed(self, str(err))
response.raise_for_status()
return response
def _user_id(self, response):
user_id = response.identity_url.rsplit('/', 1)[-1]
if not user_id.isdigit():
raise AuthFailed(self, 'Missing Steam Id')
return user_id
def verify_auth_sig(self):
correct_key = self.get_auth_sig()
key = self.data['auth_sig'].lower()
if correct_key != key:
raise AuthFailed(self, 'Wrong authorization key')
def auth_complete(self, *args, **kwargs):
"""Completes login process, must return user instance"""
token = self.data.get('jwt', {})
if not token:
raise AuthFailed(self, 'Authentication Failed')
return self.do_auth(token, *args, **kwargs)
def process_error(self, data):
if data.get('error'):
error = self.data.get('error_description') or self.data['error']
raise AuthFailed(self, error)