def requires_auth(): request_helper.check_proxy_header_before_request() auth_token = get_auth_token(request) client = __get_token_issuer(auth_token) try: service = dao_fetch_service_by_id_with_api_keys(client) except DataError: raise AuthError("Invalid token: service id is not the right data type", 403) except NoResultFound: raise AuthError("Invalid token: service not found", 403) if not service.api_keys: raise AuthError("Invalid token: service has no API keys", 403, service_id=service.id) if not service.active: raise AuthError("Invalid token: service is archived", 403, service_id=service.id) for api_key in service.api_keys: try: decode_jwt_token(auth_token, api_key.secret) except TokenDecodeError: continue except TokenExpiredError: err_msg = ( "Error: Your system clock must be accurate to within 30 seconds" ) raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) if api_key.expiry_date: raise AuthError("Invalid token: API key revoked", 403, service_id=service.id, api_key_id=api_key.id) g.service_id = api_key.service_id _request_ctx_stack.top.authenticated_service = service _request_ctx_stack.top.api_user = api_key current_app.logger.info( 'API authorised for service {} with api key {}, using client {}'. format(service.id, api_key.id, request.headers.get('User-Agent'))) return else: # service has API keys, but none matching the one the user provided raise AuthError("Invalid token: signature, api token not found", 403, service_id=service.id)
def requires_auth(): request_helper.check_proxy_header_before_request() auth_type, auth_token = get_auth_token(request) if auth_type == API_KEY_V1_AUTH_TYPE: _auth_by_api_key(auth_token) return client = __get_token_issuer(auth_token) try: service = dao_fetch_service_by_id_with_api_keys(client) except DataError: raise AuthError("Invalid token: service id is not the right data type", 403) except NoResultFound: raise AuthError("Invalid token: service not found", 403) if not service.api_keys: raise AuthError("Invalid token: service has no API keys", 403, service_id=service.id) if not service.active: raise AuthError("Invalid token: service is archived", 403, service_id=service.id) for api_key in service.api_keys: try: decode_jwt_token(auth_token, api_key.secret) except TokenDecodeError: continue except TokenExpiredError: err_msg = ( "Error: Your system clock must be accurate to within 30 seconds" ) raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) _auth_with_api_key(api_key, service) return else: # service has API keys, but none matching the one the user provided raise AuthError("Invalid token: signature, api token not found", 403, service_id=service.id)
def requires_auth(): request_helper.check_proxy_header_before_request() auth_token = get_auth_token(request) issuer = __get_token_issuer( auth_token) # ie the `iss` claim which should be a service ID try: service = dao_fetch_service_by_id_with_api_keys(issuer) except DataError: raise AuthError("Invalid token: service id is not the right data type", 403) except NoResultFound: raise AuthError("Invalid token: service not found", 403) if not service.api_keys: raise AuthError("Invalid token: service has no API keys", 403, service_id=service.id) if not service.active: raise AuthError("Invalid token: service is archived", 403, service_id=service.id) for api_key in service.api_keys: try: decode_jwt_token(auth_token, api_key.secret) except TokenExpiredError: err_msg = "Error: Your system clock must be accurate to within 30 seconds" raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) except TokenAlgorithmError: err_msg = "Invalid token: algorithm used is not HS256" raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) except TokenDecodeError: # we attempted to validate the token but it failed meaning it was not signed using this api key. # Let's try the next one # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions (which # are children of `TokenDecodeError`) as these should cause an auth error immediately rather than # continue on to check the next API key continue except TokenError: # General error when trying to decode and validate the token raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403, service_id=service.id, api_key_id=api_key.id) if api_key.expiry_date: raise AuthError("Invalid token: API key revoked", 403, service_id=service.id, api_key_id=api_key.id) g.service_id = api_key.service_id _request_ctx_stack.top.authenticated_service = service _request_ctx_stack.top.api_user = api_key current_app.logger.info( 'API authorised for service {} with api key {}, using issuer {} for URL: {}' .format(service.id, api_key.id, request.headers.get('User-Agent'), request.base_url)) return else: # service has API keys, but none matching the one the user provided raise AuthError("Invalid token: API key not found", 403, service_id=service.id)