# MIT License
#
# Copyright (c) 2020-2024 Send A Hug
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# The provided Software is separate from the idea behind its website. The Send A Hug
# website and its underlying design and ideas are owned by Send A Hug group and
# may not be sold, sub-licensed or distributed in any way. The Software itself may
# be adapted for any purpose and used freely under the given conditions.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import asyncio
import json
import os
from datetime import datetime
from functools import wraps
from typing import Any, cast, TypedDict
from urllib.request import urlopen

from jose import jwt, exceptions
from quart import request
from sqlalchemy import select

from models import User, SendADatabase
# Auth0 Configuration
AUTH0_DOMAIN = os.environ.get("AUTH0_DOMAIN", "")
API_AUDIENCE = os.environ.get("API_AUDIENCE", "")
CLIENT_ID = os.environ.get("CLIENT_ID", "")
ALGORITHMS = ["RS256"]
class RoleData(TypedDict):
    """Shape of a user's role entry.

    NOTE(review): only the key set is declared here; the values are produced
    by the database layer (User.format(), see get_current_user) — confirm the
    keys stay in sync with that method.
    """

    id: int
    name: str
    # Permission strings that check_user_permissions compares against a
    # resource's required permission(s).
    permissions: list[str]
class UserData(TypedDict):
    """Fields of the current user handed to a view decorated with requires_auth.

    requires_auth builds a dict with exactly these keys from the database user
    and passes it as the view's first positional argument.
    """

    id: int
    # Matched against the verified token's 'sub' claim (see get_current_user).
    auth0Id: str
    displayName: str
    role: RoleData
    blocked: bool
    releaseDate: datetime | None
    pushEnabled: bool
    last_notifications_read: datetime | None
# Authentication Error
class AuthError(Exception):
    """Raised when a request fails authentication or authorisation.

    Attributes:
        error: A dict describing the failure (a 'code' and a 'description').
        status_code: The HTTP status the caller should respond with.
    """

    def __init__(self, error, status_code):
        # Forward both values so `args` carries the same tuple as a plain
        # Exception constructed with them would.
        super().__init__(error, status_code)
        self.error = error
        self.status_code = status_code
def get_auth_header() -> str:
    """
    Extracts the bearer token from the request's 'Authorization' header.
    The header must be present and consist of exactly two space-separated
    parts, the first of which is 'bearer' (case-insensitive). This is only a
    shape check; the token itself is verified afterwards by verify_jwt.
    returns: The JSON web token (the second part of the header value).
    raises AuthError (401): when the header is missing or malformed.
    """
    headers = request.headers
    if "Authorization" not in headers:
        raise AuthError(
            {"code": 401, "description": "Unauthorised. No Authorization header."}, 401
        )

    raw_value = cast(str, headers.get("Authorization"))
    parts = raw_value.split(" ")
    # Accept only "<scheme> <token>" where the scheme is 'bearer'.
    well_formed = len(parts) == 2 and parts[0].lower() == "bearer"
    if not well_formed:
        raise AuthError(
            {
                "code": 401,
                "description": "Unauthorised. Malformed Authorization header.",
            },
            401,
        )

    return parts[1]
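def get_rsa_key(token: str, *, timeout: float = 10.0) -> dict[str, Any]:
    """
    Fetches the Auth0 JWKS and selects the key whose 'kid' matches the one
    named in the token's header.
    Only the 'kid' is taken from the (still unverified) header; the signing
    algorithm is not read from it, because verify_jwt pins the accepted
    algorithms itself.
    param token: The JWT.
    param timeout: Seconds to wait for the JWKS endpoint before giving up.
    returns: The matching RSA key as a JWK dict, or an empty dict when no key
             in the JWKS carries the token's 'kid'.
    raises AuthError (401): if the token header cannot be parsed or has no 'kid'.
    """
    # Fetch the JWKS from Auth0. The context manager closes the response and
    # the timeout keeps a slow JWKS endpoint from hanging the request.
    # Network failures propagate as-is: they are a server-side problem, not
    # something the client's token can be blamed for.
    with urlopen(
        f"https://{AUTH0_DOMAIN}/.well-known/jwks.json", timeout=timeout
    ) as jwks_response:
        jwks = json.loads(jwks_response.read())

    malformed = AuthError(
        {
            "code": 401,
            "description": "Unauthorised. Malformed Authorization header.",
        },
        401,
    )

    # The header is parsed without signature verification; nothing from it is
    # trusted beyond using 'kid' to pick a candidate key.
    try:
        token_header = jwt.get_unverified_header(token)
    except Exception:
        raise malformed

    token_kid = token_header.get("kid")
    if not token_kid:
        # Without a 'kid' no key can be selected; previously this surfaced as
        # an unhandled KeyError instead of a 401.
        raise malformed

    # 'kid' values are expected to be unique within a JWKS, so the first
    # match is the key.
    for key in jwks.get("keys", []):
        if key.get("kid") == token_kid:
            return {
                "kty": key["kty"],
                "kid": key["kid"],
                "use": key["use"],
                "n": key["n"],
                "e": key["e"],
            }

    return {}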
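def verify_jwt(token: str) -> dict[str, Any]:
    """
    Verifies the token using the Auth0 JWKS (JSON Web Key Set) JSON.
    Ensures that the JWT is authentic, still valid and hasn't been tampered
    with: the signature must validate against the published key selected by
    the token's 'kid', the algorithm must be one of ALGORITHMS, and the
    audience and issuer claims must match this API's configuration.
    param token: a JSON Web Token.
    returns: The verified claims of the token.
    raises AuthError (401): when no published key matches the token, or the
           token is expired, carries invalid claims or fails verification.
    """
    rsa_key = get_rsa_key(token=token)

    # A token whose 'kid' matches no published key cannot be verified. Reject
    # it here rather than returning an empty payload, which callers would
    # otherwise index into as though it were a set of verified claims.
    if not rsa_key:
        raise AuthError(
            {"code": 401, "description": "Unauthorised. Your token is invalid."},
            401,
        )

    # Decode and validate the token. The more specific jose exceptions are
    # caught first so the client gets a precise reason.
    try:
        payload = jwt.decode(
            token,
            rsa_key,
            algorithms=ALGORITHMS,
            audience=API_AUDIENCE,
            issuer=f"https://{AUTH0_DOMAIN}/",
        )
    except exceptions.ExpiredSignatureError:
        raise AuthError(
            {"code": 401, "description": "Unauthorised. Your token has expired."},
            401,
        )
    except exceptions.JWTClaimsError:
        raise AuthError(
            {
                "code": 401,
                "description": "Unauthorised. Your token contains invalid claims.",
            },
            401,
        )
    except exceptions.JWTError:
        raise AuthError(
            {"code": 401, "description": "Unauthorised. Your token is invalid."},
            401,
        )
    except Exception:
        # Anything else (e.g. a malformed key or token structure) is still an
        # authentication failure from the client's point of view.
        raise AuthError(
            {"code": 401, "description": "Unauthorised. Invalid token."}, 401
        )

    return payload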
def check_permissions_legacy(permission: list[str], payload: dict[str, Any]) -> bool:
"""
Checks the payload from of the decoded, verified JWT for
permissions. Then compares the user's permissions to the
required permission to check whether the user is allowed to
access the given resource.
Currently only used for the 'create user' endpoint.
param permission: The resource's required permissions. Can contain either one
or two allowed types of permissions.
param payload: The payload from the decoded, verified JWT.
returns True - Boolean confirming the user has the required permission.
"""
# Check whether permissions are included in the token payload
if "permissions" not in payload:
raise AuthError(
{
"code": 403,
"description": "Unauthorised. You do not have permission "
"to perform this action.",
},
403,
)
# If there are two possibilities for permissions
if len(permission) == 2:
# Check whether the user has that permission
if (
permission[0] not in payload["permissions"]
and permission[1] not in payload["permissions"]
):
raise AuthError(
{
"code": 403,
"description": "Unauthorised. You do not have permission "
"to perform this action.",
},
403,
)
# If there's only one possibility
else:
# Check whether the user has that permission
if permission[0] not in payload["permissions"]:
raise AuthError(
{
"code": 403,
"description": "Unauthorised. You do not have permission "
"to perform this action.",
},
403,
)
return True
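def get_current_user(payload: dict[str, Any], db: SendADatabase) -> dict[str, Any]:
    """
    Fetches the details of the currently logged in user from the database,
    looked up by the verified token's 'sub' claim.
    param payload: The payload from the decoded, verified JWT.
    param db: The database wrapper whose session is used for the query.
    returns: The user's details as produced by User.format().
    raises AuthError (401): if the token has no 'sub' claim or no user with
           that Auth0 ID exists.
    """
    not_found = AuthError(
        {
            "code": 401,
            "description": "Unauthorised. User not found.",
        },
        401,
    )

    # A verified token without a subject cannot identify a user; treat it the
    # same as an unknown user instead of letting a KeyError escape.
    auth0_id = payload.get("sub")
    if not auth0_id:
        raise not_found

    current_user: User | None = db.session.scalar(
        select(User).filter(User.auth0_id == auth0_id)
    )
    if current_user is None:
        raise not_found

    return current_user.format()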
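def check_user_permissions(permission: list[str], current_user: dict[str, Any]) -> bool:
    """
    Checks the user's permissions against the required permissions for a given
    resource. Access is granted when the user's role holds at least one of the
    listed permissions; otherwise an AuthError is raised.
    The check covers the whole list: previously only lists of length one or
    two were inspected and any other length passed unchecked, and an empty
    list is now rejected (fail closed) rather than granting access.
    param permission: The resource's required permissions (any one suffices).
    param current_user: The details of the currently logged in user from the
                        database; its role's 'permissions' list is consulted.
    returns True - Boolean confirming the user has a required permission.
    raises AuthError (403): when none of the required permissions is held.
    """
    granted = current_user["role"]["permissions"]

    if not any(required in granted for required in permission):
        raise AuthError(
            {
                "code": 403,
                "description": "Unauthorised. You do not have permission "
                "to perform this action.",
            },
            403,
        )

    return True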
# TODO: Ideally we shouldn't pass the DB in, but right now because the
# whole app initialisation happens within a function, we kind of have to...
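def requires_auth(db: SendADatabase, permission=[""]):
    """
    @requires_auth() Decorator Definition
    Gets the Authorization header, verifies the JWT and checks the user has
    the required permissions using the functions above. The decorated view
    receives the user's details (a UserData-shaped dict, or the raw token
    payload on the legacy 'post:user' path) as its first positional argument,
    followed by its own arguments.
    param db: The database wrapper used to look up the current user.
    param permission: The resource's required permission(s). The list is only
                      read, never mutated, so the shared default is safe.
    """

    def requires_auth_decorator(f):
        @wraps(f)
        async def wrapper(*args, **kwargs):
            token = get_auth_header()
            # verify_jwt fetches the JWKS with a blocking urlopen; run it in a
            # worker thread so the event loop keeps serving other requests
            # while the key set is retrieved.
            payload = await asyncio.to_thread(verify_jwt, token)

            # Legacy path for creating a user: there is no database user to
            # load (presumably because the record does not exist yet), so the
            # verified token payload is handed through instead.
            if permission and permission[0] == "post:user":
                check_permissions_legacy(permission, payload)
                returned_payload = payload
            else:
                current_user = get_current_user(payload, db)
                check_user_permissions(permission, current_user)
                # Project the database user onto the UserData keys only
                returned_payload = {
                    "id": current_user["id"],
                    "auth0Id": current_user["auth0Id"],
                    "displayName": current_user["displayName"],
                    "role": current_user["role"],
                    "blocked": current_user["blocked"],
                    "releaseDate": current_user["releaseDate"],
                    "pushEnabled": current_user["pushEnabled"],
                    "last_notifications_read": current_user["last_notifications_read"],
                }

            return await f(returned_payload, *args, **kwargs)

        return wrapper

    return requires_auth_decorator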