async def authenticate( self, conn: HTTPConnection) -> Tuple[bool, Optional[User]]: """ Main function that AuthenticationMiddleware uses from this backend. Should return whether request is authenticated based on credentials and if it was, return also user instance. :param conn: HTTPConnection of the current request-response cycle :return: 2-tuple: is authenticated & user instance if exists """ authorization: str = conn.headers.get("Authorization") if not authorization: return False, None scheme, credentials = get_authorization_scheme_param(authorization) if not (authorization and scheme and credentials): raise AuthenticationError("Not authenticated") if scheme.lower() != "token": raise AuthenticationError("Invalid authentication credentials") token = await Token.get( key=credentials, is_active=True, expires={"$not": { "$lt": get_now() }}, ) if token is None: return False, None conn.scope["token"] = token user = await User.get(id=token.user_id) if user is None: return False, None return True, user
async def authenticate(self, request): if "Authorization" not in request.headers: return self.users_repository.with_session(request.state.session) auth = request.headers["Authorization"] try: scheme, token = auth.split() if scheme.lower() != "bearer": return jwt_token = decode_token(token) except ( ValueError, UnicodeDecodeError, jwt.ExpiredSignatureError, jwt.DecodeError, jwt.InvalidAudienceError, ): raise AuthenticationError("Invalid auth credentials") user = await self.users_repository.get_by_id(jwt_token.id) if not user or not user.is_active: raise AuthenticationError("Invalid auth credentials") user._authenticated_user = True return user.credentials, user
async def authenticate( self, request: HTTPConnection ) -> Optional[Tuple[AuthCredentials, BaseUser]]: """Authenticate the user.""" if "Authorization" not in request.headers: return authorization_header = request.headers["Authorization"] if not authorization_header.startswith("Bearer "): logger.info(msg=f"Invalid Authorization header sent by user") raise AuthenticationError( "Invalid Authorization header value. The header " "value must have the format Bearer <token>.") user_token = request.headers["Authorization"][ 7:] # length of "Bearer " is 7 try: payload = parse_token(user_token) except Exception: logger.exception(msg=f"Invalid or expired authentication token.") raise AuthenticationError( "Invalid or expired authentication token.") user = await user_repository.find_user_by_id(int(payload.user_id)) if not user: logger.error(msg=f"No user found for id {payload.user_id}.") raise AuthenticationError("No user found for user id.") return AuthCredentials(["authenticated"]), AuthenticatedUser(user)
async def authenticate(self, request): """ Hàm dùng cho việc xác thực Http Request từ client :param request: HTTP request từ client :return: authenticated và JWTUser """ if 'Authorization' not in request.headers: return None auth = request.headers['Authorization'] token = self.get_token_from_header(authorization=auth, prefix=self.prefix) try: payload = self.decode_token(token) except jwt.InvalidTokenError: raise AuthenticationError('error: Token không hợp lệ!') else: # Kiểm tra xem Token có nằm trong danh sách blacklist Token hay không # ** blacklist Token là file chứa danh sách các token đã logout hoặc đã bị vô hiệu hóa with open('security.txt', 'r') as reader: modify_token_for_check = token + '\n' if modify_token_for_check in reader.readlines(): raise AuthenticationError( 'error: Token đã bị vô hiệu hoá!') else: return AuthCredentials( ['authenticated']), JWTUser(user_id=payload['userId'])
async def authenticate( self, request: HTTPConnection ) -> tuple[AuthCredentials, SimpleUser] | None: """Authenticate a Starlette request with HTTP Basic auth.""" if "Authorization" not in request.headers: return None try: auth = request.headers["Authorization"] basic_auth_username = os.getenv("BASIC_AUTH_USERNAME") basic_auth_password = os.getenv("BASIC_AUTH_PASSWORD") if not (basic_auth_username and basic_auth_password): raise AuthenticationError( "Server HTTP Basic auth credentials not set") scheme, credentials = auth.split() decoded = base64.b64decode(credentials).decode("ascii") username, _, password = decoded.partition(":") correct_username = secrets.compare_digest(username, basic_auth_username) correct_password = secrets.compare_digest(password, basic_auth_password) if not (correct_username and correct_password): raise AuthenticationError( "HTTP Basic auth credentials not correct") return AuthCredentials(["authenticated"]), SimpleUser(username) except Exception: raise
async def authenticate(self, request): if 'Authorization' not in request.headers: return auth = request.headers['Authorization'] try: scheme, credentials = auth.split() if scheme.lower() != 'basic': return decoded = base64.b64decode(credentials).decode("ascii") except (ValueError, UnicodeDecodeError, binascii.Error): raise AuthenticationError('Invalid basic auth credentials') pseudo, _, password = decoded.partition(':') db = get_session(DATABASE_URL) user = db.query(User).filter(User.pseudo == pseudo).one_or_none() if user is None or not user.check_password(password): db.close() raise AuthenticationError(f'pseudo or password incorrect') user.is_authenticated = True scopes = ['authenticated'] for group in user.groups: scopes.extend([permission.name for permission in group.permissions]) db.close() return AuthCredentials(scopes), user
async def authenticate(self, request): if "Authorization" not in request.headers: return None authorization = request.headers["Authorization"] token = self.get_token_from_header(authorization=authorization, prefix=self.prefix) try: jwt_payload = jwt.decode(token, key=str(self.secret_key), algorithms=self.algorithm) except jwt.InvalidTokenError: if DEBUG: sprint_f(f"Invalid JWT token", "red") raise AuthenticationError("Invalid JWT token") except jwt.ExpiredSignatureError: if DEBUG: sprint_f(f"Expired JWT token", "red") raise AuthenticationError("Expired JWT token") if DEBUG: sprint_f(f"Decoded JWT payload: {jwt_payload}", "green") # debug part, do not forget to remove it return ( AuthCredentials(["authenticated"]), JWTUser(username=jwt_payload["username"], user_id=jwt_payload["user_id"], email=jwt_payload["email"], token=token), )
async def authenticate(self, request): if request.url.path != "/pretix-webhook": raise ValueError("PretixAuthBackend used outside pretix-webhook") if "Authorization" not in request.headers: return auth = request.headers["Authorization"] try: scheme, credentials = auth.split() if scheme.lower() != "basic": return decoded = base64.b64decode(credentials).decode("ascii") except (ValueError, UnicodeDecodeError, binascii.Error) as exc: raise AuthenticationError( "Invalid basic auth credentials") from exc username, _, password = decoded.partition(":") if username != "pretix": raise AuthenticationError("Invalid auth") if password != str(PRETIX_WEBHOOK_SECRET): raise AuthenticationError("Invalid auth") return AuthCredentials(["authenticated", "pretix"]), SimpleUser("pretix")
async def authenticate(self, conn: HTTPConnection): if "Authorization" not in conn.headers: return AuthCredentials(), None auth_header = conn.headers["Authorization"] try: scheme, token = auth_header.split() if scheme.lower() != "bearer": return AuthCredentials(), None except Exception as error: raise AuthenticationError( "Invalid authentication credentials") from error try: payload: JWTPayloadSchema = TokensHandler.read_code( code=token, convert_to=JWTPayloadSchema) user_model: UserModel = await UsersHandler( request=conn).retrieve_user(request=conn, query={ "_id": payload.object_id, "is_active": True }) except HandlerException as error: raise AuthenticationError(str(error)) from error # request.auth, request.user return AuthCredentials(), user_model
async def authenticate( self, request: Request ) -> Optional[Tuple["AuthCredentials", "BaseUser"]]: token = self._get_token(request.headers) if not token: return # Consider that user is not authenticated try: json_header, json_body = validate( token, self.identity_provider_url, **self.validation_options ) except ( jwt.exceptions.InvalidTokenError or jwt.exceptions.InvalidKeyError ) as e: raise AuthenticationError(str(e)) from e try: username = get(json_body, self.username_field) except jwt.exceptions.InvalidTokenError as e: raise AuthenticationError(str(e)) from e return ( AuthCredentials(scopes=self.scopes_retrieval(json_body)), SimpleUser(username=username), )
def get_token_from_header(cls, authorization: str, prefix: str): """Get token from header.""" try: scheme, token = authorization.split() except ValueError: raise AuthenticationError( 'Could not separate Authorization scheme and token') if scheme.lower() != prefix.lower(): raise AuthenticationError( f'Authorization scheme {scheme} is not supported') return token
async def authenticate(self, request): path = request.url.path if not path.startswith('/api'): return if path == '/api/login': return if request.scope.get('method') == 'OPTIONS': return data = None if request.url.scheme != 'ws': auth = request.headers.get('X-Auth-Pacs') if not auth: auth = request.query_params.get('token') if not auth: raise AuthenticationError('Invalid auth') credentials = auth try: data = jwt.decode(credentials, config['secret'], algorithms=['HS256']) async with get_conn() as conn: active = await Users(conn).is_active(data['id']) if not active: raise AuthenticationError('Deactivated user') except Exception as e: # try share file key async with get_conn() as conn: file_id = await SharedFiles(conn).check(credentials) if file_id and (path.startswith(f'/api/files/{file_id}') or path.startswith(f'/api/ws_token')): data = {'id': credentials, 'admin': False} else: raise AuthenticationError('Invalid auth') else: token = request.query_params.get('token') try: data = jwt.decode(token, config['secret'], algorithms=['HS256']) except Exception as e: raise AuthenticationError('Invalid auth') data = {'id': data['id'], 'admin': data['admin']} if not data: raise AuthenticationError('Invalid auth') return AuthCredentials(["authenticated"]), User(data)
async def get_user(self, token: str) -> User: user_id = await self.token_table.get_user_id(token) if not user_id: raise AuthenticationError() user = (await self.auth_table.select( self.auth_table.username ).where(self.auth_table._meta.primary_key == user_id).first().run()) if not user: raise AuthenticationError() user = User(user=user) return user
def __init__(self): """Virtually private constructor.""" if JWTWrapper.__instance is not None: raise AuthenticationError( 'Attempt made to create multiple JWTWrappers') JWTWrapper.__instance = JWTAuthenticationBackend()
async def __call__(self, request: Request) -> Optional[str]: for url, op in settings.NO_VERIFY_URL.items(): if op == 'eq' and url == request.url.path.lower(): return None elif op == 'in' and url in request.url.path.lower(): return None authorization: str = request.headers.get("Authorization") scheme, param = get_authorization_scheme_param(authorization) if not authorization or scheme.lower() != "bearer": if self.auto_error: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not authenticated") else: return None try: playload = jwt.decode(param, settings.SECRET_KEY, algorithms=[settings.ALGORITHM]) except jwt.ExpiredSignatureError: raise custom_exc.TokenExpired() except (jwt.JWTError, ValidationError, AttributeError): raise custom_exc.TokenAuthError() username = playload.get('username') user = await get_user_by_name(username=username) if not user: raise AuthenticationError("认证失败") """在 Request 对象中设置用户对象,这样在其他地方就能通过 request.state.user 获取到当前用户了""" request.state.user = user
async def authenticate(self, request): if "Authorization" not in request.headers: raise AuthenticationError('You have to authenticate.') auth = request.headers["Authorization"] try: scheme, credentials = auth.split() if scheme.lower() != 'basic': return decoded = base64.b64decode(credentials).decode("ascii") except (ValueError, UnicodeDecodeError, binascii.Error): raise AuthenticationError('Invalid basic auth credentials') username, _, password = decoded.partition(":") if username == config('username') and password == config('password'): return AuthCredentials(["authenticated"]), SimpleUser(username)
def extract_token(self, header: str) -> str: try: token = header.split("Bearer ")[1] except IndexError: raise AuthenticationError("The header is in the wrong format.") return token
def get_user_from_header( auth_header: str ) -> Optional[Tuple[AuthCredentials, AuthenticatedUser]]: try: scheme, token = auth_header.split() if scheme.lower() == 'bearer': payload = decode_token(token) return AuthCredentials( payload['scopes']), AuthenticatedUser(**payload) return except ExpiredSignatureError: raise AuthenticationError('Token expired') except JWTError: raise AuthenticationError("Auth failed") except (ValueError, UnicodeDecodeError, KeyError, ValidationError, AttributeError): return
def get_token_from_header(cls, authorization: str, prefix: str): """ Parses the Authorization header and returns only the token :param authorization: :return: """ if len(authorization.split()) != 2: return None try: scheme, token = authorization.split() except ValueError: raise AuthenticationError( 'Could not separate Authorization scheme and token') if scheme.lower() != prefix.lower(): raise AuthenticationError( f'Authorization scheme {scheme} is not supported') return token
def verify_token(self, token): try: payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[security.ALGORITHM]) token_data = self.token_payload(**payload).dict(exclude_unset=True) except jose.ExpiredSignatureError: raise AuthenticationError({'detail': 'Signature has expired.'}, 401) except (jose.JWTError, ValidationError): raise AuthenticationError( {'detail': 'Invalid bearer auth credentials.'}, 400) scopes = token_data.get(self.user_group_flag) if self.user_group_flag not in token_data: msg = f"AuthenticationMiddleware lacks a required property '{self.user_group_flag}' in jwt" warnings.warn(msg) return AuthCredentials(scopes), AuthUser( str(token_data.get(self.user_id_flag)))
async def authenticate(email: str, password: str) -> User: error = AuthenticationError("Invalid email or password.") user = await _get_user_by_email(email) if not user: raise error if not _verify_password(user.hashed_password, password): raise error return user
def get_token_from_header(authorization: str, prefix: str): """ Hàm dùng cho việc lấy ra Token từ một chuỗi Authorization có trong request headers :param authorization: chuỗi Authorization có trong request headers :param prefix: tiếp đầu ngữ của chuỗi Authorization, mặc định là "lioToken" :return: chuỗi Token """ try: scheme, token = authorization.split() except ValueError: raise AuthenticationError( 'Could not separate Authorization scheme and token') if scheme != prefix: raise AuthenticationError( f'Authorization scheme {scheme} is not supported') return token
def get_token_from_header(cls, authorization: str, prefix: str) -> str: """ Parses the Authorization header and returns only the token :param authorization str: Value of the authorization header :param prefix str: Token prefix in the header :return: The token value :rtype str: :raises AuthenticationError: If prefix in header doesn't match `prefix` or if header value doesn't follow the `<prefix> <token>` pattern """ try: scheme, token = authorization.split() except ValueError: raise AuthenticationError("incorrect authorization header format") if scheme.lower() != prefix.lower(): raise AuthenticationError( f"authorization scheme {scheme} is not supported") return token
async def authenticate(self, request: Request): if request['method'] == 'GET' and \ any((x.match(request.url.path) for x in self.allowed_patterns)): return AuthCredentials(['unauthenticated']), UnauthenticatedUser() host = request.headers.get('host') if 'local' in host or 'internal' in host or \ '.' not in host: return AuthCredentials(['unauthenticated']), UnauthenticatedUser() elif self.id is None: # local dev username = '******' return AuthCredentials(['authenticated' ]), SimpleUser(username=username) elif request.url.path == '/oauth_callback/google': # handle redirect # print('sess', request.session) query = request.query_params state = query.get('state') code = query.get('code') gc = GoogleClient(client_id=self.id, client_secret=self.secret) host = get_hostname(request) if request.url.port: host += f':{request.url.port}' otoken, other = await gc.get_access_token( code, redirect_uri=f'{host}/oauth_callback/google') idt = other['id_token'] id_token = jwt.decode(idt, verify=False) email = id_token.get('email') if not (id_token.get('hd') == self.org == email.split('@')[1]): return AuthenticationError('Bad user') timestamp = time.time() request.session['ts'] = timestamp request.session['user'] = email request.state.redirect_url = state raise RedirectAuthError('need to redirect') elif request.session and request.session.get('user'): # make sure cookie is still valid timestamp = request.session.get('ts') now = time.time() if now - timestamp > 86520: raise StartAuthError user = request.session.get('user') return AuthCredentials(['authenticated' ]), SimpleUser(username=user) else: raise StartAuthError('Not logged in')
def get_token_from_header(cls, authorization: str, prefix: str): if DEBUG: sprint_f(f"JWT token from headers: {authorization}", "cyan") # debug part, do not forget to remove it try: scheme, token = authorization.split() except ValueError: if DEBUG: sprint_f(f"Could not separate Authorization scheme and token", "red") raise AuthenticationError( "Could not separate Authorization scheme and token") if scheme.lower() != prefix.lower(): if DEBUG: sprint_f(f"Authorization scheme {scheme} is not supported", "red") raise AuthenticationError( f"Authorization scheme {scheme} is not supported") return token
def get_identity(self, request: Request, type="access"): name = f"{type}_token_cookie" try: cookie = request.cookies.get(name) if cookie is None: if "Authorization" not in request.headers: raise AuthenticationError(f"Could not find {name} on request") else: value = self._decode(request.headers["Authorization"]) else: value = self._decode(cookie) identity = value.get("identity") if identity is None: raise AuthenticationError(f"{name} has no key identity") if type != value.get("type"): raise AuthenticationError(f"{name} did not have a matching type") return identity except jwt.PyJWTError as e: raise AuthenticationError(*e.args) from None
async def authenticate(self, conn: HTTPConnection): session_token = conn.cookies.get(settings.SESSION_COOKIE_NAME) if not session_token: return token = await Token.get_or_none(value=session_token) if token: await token.user.fetch() return AuthCredentials(), token.user elif conn.url.path == '/auth/login': return raise AuthenticationError('invalid token')
async def authenticate( self, request: Request ) -> typing.Optional[typing.Tuple["AuthCredentials", "BaseUser"]]: header_token = AppAuthenticationBackend.get_token_from_headers(request) cookie_token = AppAuthenticationBackend.get_token_from_cookies(request) if header_token is None and cookie_token is None: return token = header_token if header_token is not None else cookie_token try: user_id = self.auth_service.get_user_id_from_token(token) user = await self.users_service.get_by_id(user_id) return AuthCredentials(["user"]), user except (jwt.ExpiredSignatureError, jwt.DecodeError): raise AuthenticationError("Invalid authorization token") except (KeyError, EntityDoesNotExistError): raise AuthenticationError("Bad credentials")
async def authenticate(self, request: HTTPConnection): if "Authorization" not in request.headers: return auth = request.headers["Authorization"] bearer_token = auth.replace("Bearer", "").strip() try: verified_user = await verified_user_callback(bearer_token) except (jwt.exceptions.DecodeError, ValueError, KeyError) as e: raise AuthenticationError("Invalid token") else: return AuthCredentials(verified_user.auth_roles), verified_user
async def authenticate(self, request): if "Authorization" not in request.headers: return auth = request.headers["Authorization"] try: scheme, username = auth.split() if scheme.lower() != 'custom': return except Exception as exc: logger.debug(f'get exception: {exc}') raise AuthenticationError("Bad auth header") return AuthCredentials(["authenticated"]), SimpleUser(username)