authorBryan Newbold <bnewbold@robocracy.org>2019-01-03 22:10:41 -0800
committerBryan Newbold <bnewbold@robocracy.org>2019-01-03 22:10:41 -0800
commit00c0859a7df360380a479eb9dbc79057c0245969 (patch)
tree19f7da0d9ac3b4ffab71ffc78817dcbb0445bb82 /python/fatcat_web/auth.py
parent94a6c7f58ba23b2c37b0a997fc4a5e2e16692599 (diff)
basic OIDC auth working
Diffstat (limited to 'python/fatcat_web/auth.py')
-rw-r--r--python/fatcat_web/auth.py57
1 files changed, 32 insertions, 25 deletions
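diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py
index c6e6f04c..0bdb564f 100644
--- a/python/fatcat_web/auth.py
+++ b/python/fatcat_web/auth.py
@@ -1,18 +1,11 @@
 from flask import Flask, render_template, send_from_directory, request, \
 url_for, abort, g, redirect, jsonify, session, flash
-from fatcat_web import login_manager, api, Config
+from fatcat_web import login_manager, api, priv_api, Config
 from flask_login import logout_user, login_user, UserMixin
 import pymacaroons
 import fatcat_client
-def auth_api(token):
- conf = fatcat_client.Configuration()
- conf.api_key["Authorization"] = token
- conf.api_key_prefix["Authorization"] = "Bearer"
- conf.host = Config.FATCAT_API_HOST
- return fatcat_client.DefaultApi(fatcat_client.ApiClient(conf))
-
 def handle_logout():
 logout_user()
 for k in ('editor', 'token'):
@@ -34,35 +27,49 @@ def handle_token_login(token):
 if not editor_id:
 abort(400)
 # fetch editor info
- editor = api.get_editor(editor_id).to_dict()
+ editor = api.get_editor(editor_id)
 session['api_token'] = token
- session['editor'] = editor
- login_user(load_user(editor_id))
+ session['editor'] = editor.to_dict()
+ login_user(load_user(editor.editor_id))
 return redirect("/auth/account")
 # This will need to login/signup via fatcatd API, then set token in session
 def handle_oauth(remote, token, user_info):
- print(remote)
- if token:
- print(remote.name, token)
 if user_info:
- print(user_info)
- print(user_info.iss)
- print(user_info.prefered_username)
-
 # fetch api login/signup using user_info
- params = AuthOidc(remote.name, user_info.sub, user_info.iss)
- resp = api.auth_oidc(params)
- editor = resp['editor']
- api_token = resp['token']
+ # ISS is basically the API url (though more formal in OIDC)
+ # SUB is the stable internal identifier for the user (not usually the username itself)
+ # TODO: should have the real sub here
+ # TODO: would be nicer to pass preferred_username for account creation
+ iss = remote.OAUTH_CONFIG['api_base_url']
+
+ # we reuse 'preferred_username' for account name auto-creation (but
+ # don't store it otherwise in the backend, at least currently). But i'm
+ # not sure all loginpass backends will set it
+ if user_info.get('preferred_username'):
+ preferred_username = user_info['preferred_username']
+ else:
+ preferred_username = user_info['sub']
+
+ params = fatcat_client.AuthOidc(remote.name, user_info['sub'], iss, user_info['preferred_username'])
+ # this call requires admin privs
+ (resp, http_status, http_headers) = priv_api.auth_oidc_with_http_info(params)
+ editor = resp.editor
+ api_token = resp.token
+
+ if http_status == 201:
+ flash("Welcome to Fatcat! An account has been created for you with a temporary username; you may wish to change it under account settings")
+ flash("You must use the same mechanism ({}) to login in the future".format(remote.name))
+ else:
+ flash("Welcome back!")
 # write token and username to session
 session['api_token'] = api_token
- session['editor'] = editor.editor_id
+ session['editor'] = editor.to_dict()
 # call login_user(load_user(editor_id))
- login_user(load_user(editor_id))
- return redirect("/")
+ login_user(load_user(editor.editor_id))
+ return redirect("/auth/account")
 raise some_error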
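Review bot: The `preferred_username` fallback computed just above the AuthOidc call is never used: the call passes `user_info['preferred_username']` directly, so a provider that omits that claim raises KeyError at that line instead of falling back to `sub`; the line should read `params = fatcat_client.AuthOidc(remote.name, user_info['sub'], iss, preferred_username)`. Taking `iss` from `remote.OAUTH_CONFIG['api_base_url']` rather than from a provider-supplied claim binds the `sub` to the remote this app was configured to trust, which is the safer choice for account linking, and the comment block could say so rather than leaving only the TODO. The non-`user_info` path ends in `raise some_error`, an unchanged line that names something not defined anywhere visible, so that branch would fail with a NameError instead of a clear 4xx; `abort(400)` would match how handle_token_login rejects bad input earlier in this hunk. handle_token_login's start lies outside the hunk.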