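def user_loader(session_token):
    """Rebuild the logged-in ``User`` from the session, or return ``None``.

    Presumably registered as the login layer's user loader (the decorator
    is not visible here). Nothing is looked up: the token handed in simply
    becomes ``user.id`` and the nickname is read back from the session.

    Args:
        session_token: identity value supplied by the login layer; stored
            unchanged as ``user.id``.

    Returns:
        A ``User`` with ``id`` and ``nickname`` set, or ``None`` when the
        session carries no expiry, the expiry is malformed or has passed,
        or the nickname is missing. Each of these is treated as
        "not logged in" rather than raised, so a tampered or stale cookie
        yields an anonymous request instead of a server error.
    """
    from datetime import timezone  # local import: the file's import block is outside this view

    raw_expires = session.get("expires")
    if raw_expires is None:
        return None

    try:
        # Timezone-aware UTC arithmetic; utcfromtimestamp()/utcnow() are
        # deprecated since Python 3.12 and mixing naive values is error-prone.
        expires = datetime.fromtimestamp(raw_expires, tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        # Corrupt or tampered value: fail closed.
        return None

    if (expires - datetime.now(timezone.utc)).total_seconds() < 0:
        return None

    nickname = session.get("nickname")
    if nickname is None:
        # Session is incomplete (login stores expiry and nickname together).
        return None

    user = User()
    user.id = session_token
    user.nickname = nickname
    return user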
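def callback():
    """Exchange the OAuth2 ``code`` for Cognito tokens and log the user in.

    Cognito redirects here with ``code`` and ``state`` query parameters.
    The ``state`` must match the value stored in the session when the
    login was started; it is consumed here so it cannot be replayed.
    See http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

    Returns:
        A redirect to the ``home`` view on success.

    Aborts:
        401 when ``state`` or ``code`` is missing, ``state`` does not
        match the session, or the token endpoint does not answer 200.
    """
    import hmac  # local import: the file's import block is outside this view

    # Do not dump request.__dict__: it holds headers, cookies and the
    # one-time authorization code, none of which belong in logs.
    app.logger.debug("callback: method=%s path=%s", request.method, request.path)

    csrf_state = request.args.get("state")
    code = request.args.get("code")

    # Consume the expected state (pop, not get) so a replayed callback
    # cannot reuse it, and validate it BEFORE contacting the token endpoint.
    expected_state = session.pop("csrf_state", None)
    if not (csrf_state and expected_state and code):
        abort(401)
    # Constant-time comparison; bytes form avoids the ASCII-only restriction
    # compare_digest places on str arguments.
    if not hmac.compare_digest(csrf_state.encode("utf-8"),
                               expected_state.encode("utf-8")):
        abort(401)

    request_parameters = {
        "grant_type": "authorization_code",
        "client_id": app.config["COGNITO_APP_CLIENT_ID"],
        "code": code,
        # NOTE(review): the Host header is client-controlled. Cognito only
        # accepts redirect URIs registered for the app client, which bounds
        # the impact, but a configured canonical host would be safer — confirm.
        "redirect_uri": f"https://{request.headers['Host']}/callback",
    }

    response = requests.post(
        f"https://{app.config['COGNITO_DOMAIN']}/oauth2/token",
        data=request_parameters,
        auth=HTTPBasicAuth(app.config["COGNITO_APP_CLIENT_ID"],
                           app.config["COGNITO_APP_CLIENT_SECRET"]),
        timeout=10,  # never block a request worker indefinitely on the IdP
    )

    # the response:
    # http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
    if response.status_code != 200:
        abort(401)

    response_json = response.json()
    # Both tokens are verified; the id token is additionally bound to the
    # access token (signature of verify_token as used on this page).
    verify_token(response_json["access_token"])
    id_token = verify_token(response_json["id_token"],
                            response_json["access_token"])

    user = User()
    user.id = id_token["cognito:username"]
    session["nickname"] = id_token["email"]
    session["expires"] = id_token["exp"]
    # NOTE(review): with Flask's default cookie session this places the
    # refresh token in the client-side cookie — confirm the session backend.
    session["refresh_token"] = response_json["refresh_token"]
    login_user(user, remember=True)
    return redirect(url_for("home"))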