def _expired_token_callback():
    """Build the 401 response sent when a protected endpoint is reached with
    an expired JWT.

    The response carries a fixed message (no detail about the token itself is
    echoed back) and a ``WWW-Authenticate`` challenge of the form
    ``<JWT_HEADER_TYPE> realm="<AUTH_JWT_REALM>"``, both values read from the
    app config. The ``Unauthorized`` exception is then handed to
    ``rest_api.handle_http_exception`` and its result returned.
    """
    exc = Unauthorized()
    scheme = current_app.config.get('JWT_HEADER_TYPE')
    realm = current_app.config.get('AUTH_JWT_REALM')
    challenge = '{scheme} realm="{realm}"'.format(scheme=scheme, realm=realm)
    exc.data = {
        'message': 'Access denied, token has expired!',
        'headers': {'WWW-Authenticate': challenge},
    }
    return rest_api.handle_http_exception(exc)
def decorate(*args, **kwargs):
    """Authorize one request, then run the wrapped view ``f``.

    Closure of the enclosing decorator (not visible here): it reads
    ``self.admin`` (whether this is an administration API), ``app.config`` and
    the wrapped view ``f``. On success the accepted identity is stored in
    ``g.identity`` and ``f`` is called with the original arguments. Every
    rejection raises the same ``Unauthorized`` ("Invalid token"), so a caller
    cannot tell which check failed; the only extra detail ever added is a
    ``reauth_endpoint`` for an expired token.
    """
    resp = Unauthorized()
    resp.data = {"message": "Invalid token"}
    # Work out which audit the route targets from its URL kwargs.
    target_audit_uuid = ""
    if "audit_uuid" in kwargs:
        target_audit_uuid = kwargs["audit_uuid"]
    elif "scan_uuid" in kwargs:
        # First 24 characters of the scan uuid padded with eight "0" —
        # presumably the scan uuid embeds its parent audit uuid; confirm
        # against the id scheme. There is no length check: a shorter
        # scan_uuid just yields a target that a token scope is unlikely to
        # equal, which fails closed below.
        target_audit_uuid = kwargs["scan_uuid"][0:24] + "0" * 8
    # Anonymous access configuration is allowed for non administration APIs only.
    # ``is True`` means only a literal boolean enables it; a truthy string in
    # the config still takes the JWT path (fails closed).
    if app.config["ALLOW_ANONYMOUS_AUDIT_ACCESS"] is True and self.admin is False:
        # NOTE(review): this identity has an empty name and no "scope" key, so
        # it must bypass the name/scope checks kept under the else branch.
        identity = {"name": ""}
    else:
        try:
            # Check if given JWT is valid
            verify_jwt_in_request()
            identity = get_jwt_identity()
        # If the token is valid but already expired
        except ExpiredSignatureError:
            # Re-decode the expired token to read its claims.
            # NOTE(review): assumes decode_token(..., allow_expired=True) still
            # verifies the signature — confirm, since "auth_endpoint" taken
            # from the claims is reflected into the 401 body below. Anything
            # raised inside this handler is NOT caught by the sibling
            # ``except Exception`` and surfaces as a 500.
            encoded_token, _ = _decode_jwt_from_headers()
            expired_token = decode_token(encoded_token, allow_expired=True)
            # assumes "sub" is a dict of claims — TODO confirm
            identity = expired_token["sub"]
            if "auth_endpoint" in identity:
                # Offer re-authorization endpoint for the target audit: the
                # claim's URL with ``audit=<target_audit_uuid>`` set, replacing
                # any ``audit`` query parameter already present.
                url = urlparse(identity["auth_endpoint"])
                audit_qs = {"audit": target_audit_uuid}
                new_qs = {**parse_qs(url.query), **audit_qs}
                auth_endpoint = url._replace(query=urlencode(new_qs, doseq=True)).geturl()
                resp.data["reauth_endpoint"] = auth_endpoint
            # NOTE(review): this raise must stay at handler level — an expired
            # token is never accepted, whether or not it carries auth_endpoint.
            raise resp
        except Exception:
            # Missing/malformed token, bad signature, or any other failure in
            # verification all collapse to the generic 401.
            raise resp
        # Anonymous token is not allowed when anonymous access configuration is disabled
        if "name" not in identity or len(identity["name"]) == 0:
            raise resp
        # Check if the token's scope is valid for the specified API's target:
        # "*" always matches; a non-admin route additionally accepts its own
        # audit uuid.
        target_scopes = ["*"]
        if self.admin is False and len(target_audit_uuid) > 0:
            target_scopes.append(target_audit_uuid)
        # NOTE(review): a token without a "scope" claim raises KeyError here
        # (a 500 rather than a 401); identity.get("scope") would keep it a 401.
        if identity["scope"] not in target_scopes:
            raise resp
    g.identity = identity
    return f(*args, **kwargs)
def raise_auth_error(errors):
    """Abort the request with a 401 carrying the given error list.

    Args:
        errors (list): errors to report; placed verbatim under the ``"errors"``
            key of the response payload next to ``"status": "error"``.

    Raises:
        Unauthorized: always. Its ``data`` attribute holds the payload
            described above.
    """
    payload = {
        'status': 'error',
        'errors': errors,
    }
    exc = Unauthorized()
    exc.data = payload
    raise exc
def _unauthorized_callback(error_string):
    """Build the 401 response for a protected endpoint reached without a
    usable JWT.

    :param error_string: Reason the request is unauthorized. It is
        interpolated verbatim into the response message, so callers should
        pass a diagnostic reason rather than token contents.
    :return: The result of ``rest_api.handle_http_exception`` for an
        ``Unauthorized`` whose ``data`` holds the message and a
        ``WWW-Authenticate`` challenge of the form
        ``<JWT_HEADER_TYPE> realm="<AUTH_JWT_REALM>"`` (values from the app
        config).
    """
    exc = Unauthorized()
    scheme = current_app.config.get('JWT_HEADER_TYPE')
    realm = current_app.config.get('AUTH_JWT_REALM')
    challenge = '{scheme} realm="{realm}"'.format(scheme=scheme, realm=realm)
    message = 'Access denied, authentication required: {reason}'.format(reason=error_string)
    exc.data = {
        'message': message,
        'headers': {'WWW-Authenticate': challenge},
    }
    return rest_api.handle_http_exception(exc)