From 10ddca2c2fd6b14bbd94fe57aed66a6de03e1777 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 2 Jan 2019 17:58:15 -0800 Subject: start on webface oauth2/oidc web auth --- python/fatcat_web/__init__.py | 12 +++++++++++- python/fatcat_web/auth.py | 27 +++++++++++++++++++++++++++ python/fatcat_web/routes.py | 13 +++++++++++++ 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 python/fatcat_web/auth.py (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index 3c790e7a..f8b72fd0 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -2,6 +2,9 @@ from flask import Flask from flask_uuid import FlaskUUID from flask_debugtoolbar import DebugToolbarExtension +from flask_login import LoginManager +from authlib.flask.client import OAuth +from loginpass import create_flask_blueprint, Gitlab from raven.contrib.flask import Sentry from web_config import Config import fatcat_client @@ -12,6 +15,10 @@ app.config.from_object(Config) toolbar = DebugToolbarExtension(app) FlaskUUID(app) +login_manager = LoginManager() +login_manager.init_app(app) +oauth = OAuth(app) + # Grabs sentry config from SENTRY_DSN environment variable sentry = Sentry(app) @@ -19,4 +26,7 @@ conf = fatcat_client.Configuration() conf.host = "http://localhost:9411/v0" api = fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) -from fatcat_web import routes +from fatcat_web import routes, auth + +gitlab_bp = create_flask_blueprint(Gitlab, oauth, auth.handle_oauth) +app.register_blueprint(gitlab_bp, url_prefix='/auth/gitlab') diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py new file mode 100644 index 00000000..f6672e87 --- /dev/null +++ b/python/fatcat_web/auth.py @@ -0,0 +1,27 @@ + +from flask import Flask, render_template, send_from_directory, request, \ + url_for, abort, g, redirect, jsonify, session +from fatcat_web import login_manager + + +# This will need to login/signup via fatcatd API, then set token in session +def handle_oauth(remote, token, user_info): + print(remote) + if token: + print(remote.name, token) + if user_info: + # TODO: fetch api login/signup using user_info + print(user_info) + # TODO: write token and username to session + # TODO: call login_user(load_user(editor_id)) + return redirect("/") + raise some_error + + +@login_manager.user_loader +def load_user(editor_id): + # NOTE: this should look for extra info in session, and update the user + # object with that. If session isn't loaded/valid, should return None + user = UserMixin() + user.id = editor_id + return user diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index 998697bc..51533a2f 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -367,6 +367,19 @@ def search(): return render_template('release_search.html', query=query, fulltext_only=fulltext_only) +### Auth #################################################################### + +@app.route('/login') +def login(): + # show the user a list of login options + return render_template('release_search.html', query=query, fulltext_only=fulltext_only) + +@app.route('/login') +def logout(): + # TODO: clear extra session info + logout_user() + return render_template('logout.html') + ### Static Routes ########################################################### @app.errorhandler(404) -- cgit v1.2.3 From 422a8cc47489aa44b852ff0add1ef6ea63cfc1ff Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Thu, 3 Jan 2019 20:45:29 -0800 Subject: several auth improvements --- python/fatcat_web/__init__.py | 11 +++++ python/fatcat_web/auth.py | 60 ++++++++++++++++++++--- python/fatcat_web/routes.py | 45 ++++++++++++----- python/fatcat_web/templates/auth_login.html | 17 +++++++ python/fatcat_web/templates/auth_logout.html | 8 +++ python/fatcat_web/templates/auth_token_login.html | 29 +++++++++++ python/fatcat_web/templates/base.html | 15 ++++-- python/web_config.py | 9 +++- 8 files changed, 170 insertions(+), 24 deletions(-) create mode 100644 python/fatcat_web/templates/auth_login.html create mode 100644 python/fatcat_web/templates/auth_logout.html create mode 100644 python/fatcat_web/templates/auth_token_login.html (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index f8b72fd0..9cd5f812 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -26,6 +26,17 @@ conf = fatcat_client.Configuration() conf.host = "http://localhost:9411/v0" api = fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) +if Config.FATCAT_API_AUTH_TOKEN: + print("Found and using privileged token (eg, for account signup)") + priv_conf = fatcat_client.Configuration() + priv_conf.api_key["Authorization"] = Config.FATCAT_API_AUTH_TOKEN + priv_conf.api_key_prefix["Authorization"] = "Bearer" + priv_conf.host = 'http://localhost:9411/v0' + priv_api = fatcat_client.DefaultApi(fatcat_client.ApiClient(local_conf)) +else: + print("No privileged token found") + priv_api = None + from fatcat_web import routes, auth gitlab_bp = create_flask_blueprint(Gitlab, oauth, auth.handle_oauth) diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index f6672e87..385f5c49 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -1,27 +1,75 @@ from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session -from fatcat_web import login_manager +from fatcat_web import login_manager, api +from flask_login import logout_user, login_user, UserMixin +import pymacaroons +def handle_logout(): + logout_user() + for k in ('editor', 'token'): + if k in session: + session.pop(k) + +def handle_token_login(token): + try: + m = pymacaroons.Macaroon.deserialize(token) + except pymacaroons.exceptions.MacaroonDeserializationException: + # TODO: what kind of Exceptions? + return abort(400) + # extract editor_id + editor_id = None + for caveat in m.first_party_caveats(): + caveat = caveat.caveat_id + if caveat.startswith(b"editor_id = "): + editor_id = caveat[12:].decode('utf-8') + if not editor_id: + abort(400) + # fetch editor info + editor = api.get_editor(editor_id).to_dict() + session['api_token'] = token + session['editor'] = editor + login_user(load_user(editor_id)) + return redirect("/") + # This will need to login/signup via fatcatd API, then set token in session def handle_oauth(remote, token, user_info): print(remote) if token: print(remote.name, token) if user_info: - # TODO: fetch api login/signup using user_info print(user_info) - # TODO: write token and username to session - # TODO: call login_user(load_user(editor_id)) + print(user_info.iss) + print(user_info.prefered_username) + + # fetch api login/signup using user_info + params = AuthOidc(remote.name, user_info.sub, user_info.iss) + resp = api.auth_oidc(params) + editor = resp['editor'] + api_token = resp['token'] + + # write token and username to session + session['api_token'] = api_token + session['editor'] = editor.editor_id + + # call login_user(load_user(editor_id)) + login_user(load_user(editor_id)) return redirect("/") + raise some_error @login_manager.user_loader def load_user(editor_id): - # NOTE: this should look for extra info in session, and update the user - # object with that. If session isn't loaded/valid, should return None + # looks for extra info in session, and updates the user object with that. + # If session isn't loaded/valid, should return None + if not 'editor' in session or not 'api_token' in session: + return None + editor = session['editor'] + token = session['api_token'] user = UserMixin() user.id = editor_id + user.username = editor['username'] + user.token = token return user diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index 51533a2f..5d46fe0b 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -4,6 +4,7 @@ import json from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session from fatcat_web import app, api +from fatcat_web.auth import handle_token_login, handle_logout from fatcat_client.rest import ApiException from fatcat_web.search import do_search @@ -295,12 +296,6 @@ def work_view(ident): return render_template('deleted_entity.html', entity=entity) return render_template('work_view.html', work=entity, releases=releases) -@app.route('/editgroup/current', methods=['GET']) -def editgroup_current(): - raise NotImplementedError - #eg = api.get_or_create_editgroup() - #return redirect('/editgroup/{}'.format(eg.id)) - @app.route('/editgroup/', methods=['GET']) def editgroup_view(ident): try: @@ -327,6 +322,17 @@ def editor_changelog(ident): return render_template('editor_changelog.html', editor=editor, changelog_entries=changelog_entries) +@app.route('/editor//wip', methods=['GET']) +def editor_wip(ident): + raise NotImplementedError + try: + editor = api.get_editor(ident) + entries = api.get_editor_wip(ident) + except ApiException as ae: + abort(ae.status) + return render_template('editor_changelog.html', editor=editor, + entries=entries) + @app.route('/changelog', methods=['GET']) def changelog_view(): try: @@ -369,16 +375,33 @@ def search(): ### Auth #################################################################### -@app.route('/login') +@app.route('/auth/login') def login(): # show the user a list of login options - return render_template('release_search.html', query=query, fulltext_only=fulltext_only) + return render_template('auth_login.html') + +@app.route('/auth/token_login', methods=['GET', 'POST']) +def token_login(): + # show the user a list of login options + if 'token' in request.args: + return handle_token_login(request.args.get('token')) + if 'token' in request.form: + return handle_token_login(request.form.get('token')) + return render_template('auth_token_login.html') -@app.route('/login') +@app.route('/auth/logout') def logout(): # TODO: clear extra session info - logout_user() - return render_template('logout.html') + handle_logout() + return render_template('auth_logout.html') + +@app.route('/auth/account') +@login_required +def logout(): + # TODO: clear extra session info + handle_logout() + return render_template('auth_logout.html') + ### Static Routes ########################################################### diff --git a/python/fatcat_web/templates/auth_login.html b/python/fatcat_web/templates/auth_login.html new file mode 100644 index 00000000..98b1c7c4 --- /dev/null +++ b/python/fatcat_web/templates/auth_login.html @@ -0,0 +1,17 @@ +{% extends "base.html" %} +{% block body %} +

Login

+ +

via OAuth / OpenID Connect: +

+ +

Other options... +

+ +{% endblock %} diff --git a/python/fatcat_web/templates/auth_logout.html b/python/fatcat_web/templates/auth_logout.html new file mode 100644 index 00000000..819d42fe --- /dev/null +++ b/python/fatcat_web/templates/auth_logout.html @@ -0,0 +1,8 @@ +{% extends "base.html" %} +{% block body %} +

Logout

+ +

If you are seeing this page, you are now logged out. + +

Use the links above to return to the home page or log back in. +{% endblock %} diff --git a/python/fatcat_web/templates/auth_token_login.html b/python/fatcat_web/templates/auth_token_login.html new file mode 100644 index 00000000..4c28f938 --- /dev/null +++ b/python/fatcat_web/templates/auth_token_login.html @@ -0,0 +1,29 @@ +{% extends "base.html" %} +{% block body %} +

Login with Token

+ +

This page is intended for operators and contingencies, not for general use. It +allows editors (users) to use an existing token (macaroon) for authentication; +a new web interface session and cookie are constructed using the token. + +
+
+
+ +{% if current_user.is_authenticated %} +

+
You are already logged in!
+

You should logout first. Re-authenticating would be undefined behavior. +

+{% else %} +
+
+
+ + +
+
+
+{% endif %} + +{% endblock %} diff --git a/python/fatcat_web/templates/base.html b/python/fatcat_web/templates/base.html index 4b3b7e0b..892ca788 100644 --- a/python/fatcat_web/templates/base.html +++ b/python/fatcat_web/templates/base.html @@ -29,17 +29,22 @@ +{% if current_user.is_authenticated %}
- demo-user + {{ current_user.username }}
Edits in Progress - History + History
- Account - Logout + Account + Logout
- +{% else %} +
+ Login/Signup +
+{% endif %} diff --git a/python/web_config.py b/python/web_config.py index 91e43e70..5713738c 100644 --- a/python/web_config.py +++ b/python/web_config.py @@ -17,14 +17,19 @@ basedir = os.path.abspath(os.path.dirname(__file__)) class Config(object): GIT_REVISION = subprocess.check_output(["git", "describe", "--always"]).strip() + # This is, effectively, the QA/PROD flag FATCAT_DOMAIN = os.environ.get("FATCAT_DOMAIN", default="qa.fatcat.wiki") + FATCAT_API_AUTH_TOKEN = os.environ.get("FATCAT_API_AUTH_TOKEN", default=None) + FATCAT_API_HOST = os.environ.get("FATCAT_API_HOST", default="https://{}/v0".format(FATCAT_DOMAIN)) + # can set this to https://search.fatcat.wiki for some experimentation ELASTICSEARCH_BACKEND = os.environ.get("ELASTICSEARCH_BACKEND", default="http://localhost:9200") ELASTICSEARCH_INDEX = os.environ.get("ELASTICSEARCH_INDEX", default="fatcat") - # bogus values for dev/testing - SECRET_KEY = os.environ.get("SECRET_KEY", default="mQLO6DpyR4t91G1tl/LPMvb/5QFV9vIUDZah5PapTUSmP8jVIrvCRw") + # for flask things, like session cookies + FLASK_SECRET_KEY = os.environ.get("FLASK_SECRET_KEY", default=None) + SECRET_KEY = FLASK_SECRET_KEY GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") -- cgit v1.2.3 From 03df0b8a6d1285fa4aa17e6c4216dd2716a9ac47 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Thu, 3 Jan 2019 21:18:10 -0800 Subject: account page and renaming --- python/fatcat_web/__init__.py | 12 +++------ python/fatcat_web/auth.py | 14 +++++++--- python/fatcat_web/routes.py | 31 ++++++++++++++++++----- python/fatcat_web/templates/auth_account.html | 27 ++++++++++++++++++++ python/fatcat_web/templates/base.html | 15 ++++++++++- python/fatcat_web/templates/editor_changelog.html | 4 +-- python/fatcat_web/templates/editor_view.html | 4 +-- 7 files changed, 85 insertions(+), 22 deletions(-) create mode 100644 python/fatcat_web/templates/auth_account.html (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index 9cd5f812..0afee70e 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -23,21 +23,17 @@ oauth = OAuth(app) sentry = Sentry(app) conf = fatcat_client.Configuration() -conf.host = "http://localhost:9411/v0" +conf.host = Config.FATCAT_API_HOST api = fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) +from fatcat_web import routes, auth + if Config.FATCAT_API_AUTH_TOKEN: print("Found and using privileged token (eg, for account signup)") - priv_conf = fatcat_client.Configuration() - priv_conf.api_key["Authorization"] = Config.FATCAT_API_AUTH_TOKEN - priv_conf.api_key_prefix["Authorization"] = "Bearer" - priv_conf.host = 'http://localhost:9411/v0' - priv_api = fatcat_client.DefaultApi(fatcat_client.ApiClient(local_conf)) + priv_api = auth.auth_api(Config.FATCAT_API_AUTH_TOKEN) else: print("No privileged token found") priv_api = None -from fatcat_web import routes, auth - gitlab_bp = create_flask_blueprint(Gitlab, oauth, auth.handle_oauth) app.register_blueprint(gitlab_bp, url_prefix='/auth/gitlab') diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index 385f5c49..c6e6f04c 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -1,10 +1,17 @@ from flask import Flask, render_template, send_from_directory, request, \ - url_for, abort, g, redirect, jsonify, session -from fatcat_web import login_manager, api + url_for, abort, g, redirect, jsonify, session, flash +from fatcat_web import login_manager, api, Config from flask_login import logout_user, login_user, UserMixin import pymacaroons +import fatcat_client +def auth_api(token): + conf = fatcat_client.Configuration() + conf.api_key["Authorization"] = token + conf.api_key_prefix["Authorization"] = "Bearer" + conf.host = Config.FATCAT_API_HOST + return fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) def handle_logout(): logout_user() @@ -31,7 +38,7 @@ def handle_token_login(token): session['api_token'] = token session['editor'] = editor login_user(load_user(editor_id)) - return redirect("/") + return redirect("/auth/account") # This will need to login/signup via fatcatd API, then set token in session def handle_oauth(remote, token, user_info): @@ -70,6 +77,7 @@ def load_user(editor_id): token = session['api_token'] user = UserMixin() user.id = editor_id + user.editor_id = editor_id user.username = editor['username'] user.token = token return user diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index 5d46fe0b..07947fd5 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -2,9 +2,10 @@ import os import json from flask import Flask, render_template, send_from_directory, request, \ - url_for, abort, g, redirect, jsonify, session + url_for, abort, g, redirect, jsonify, session, flash +from flask_login import login_required from fatcat_web import app, api -from fatcat_web.auth import handle_token_login, handle_logout +from fatcat_web.auth import handle_token_login, handle_logout, load_user, auth_api from fatcat_client.rest import ApiException from fatcat_web.search import do_search @@ -389,6 +390,23 @@ def token_login(): return handle_token_login(request.form.get('token')) return render_template('auth_token_login.html') +@app.route('/auth/change_username', methods=['POST']) +@login_required +def change_username(): + # show the user a list of login options + if not 'username' in request.form: + abort(400) + # on behalf of user... + user_api = auth_api(session['api_token']) + editor = user_api.get_editor(session['editor']['editor_id']) + editor.username = request.form['username'] + editor = user_api.update_editor(editor.editor_id, editor) + # update our session + session['editor'] = editor.to_dict() + load_user(editor.editor_id) + flash("Username updated successfully") + return redirect('/auth/account') + @app.route('/auth/logout') def logout(): # TODO: clear extra session info @@ -397,10 +415,11 @@ def logout(): @app.route('/auth/account') @login_required -def logout(): - # TODO: clear extra session info - handle_logout() - return render_template('auth_logout.html') +def auth_account(): + editor = api.get_editor(session['editor']['editor_id']) + session['editor'] = editor.to_dict() + load_user(editor.editor_id) + return render_template('auth_account.html') ### Static Routes ########################################################### diff --git a/python/fatcat_web/templates/auth_account.html b/python/fatcat_web/templates/auth_account.html new file mode 100644 index 00000000..57155722 --- /dev/null +++ b/python/fatcat_web/templates/auth_account.html @@ -0,0 +1,27 @@ +{% extends "base.html" %} +{% block body %} + +

Your Account

+ +

Username: {{ current_user.username }} +

Editor Id: {{ current_user.editor_id }} + +

+

Change username: +

+
+
+ + +
+
+
+
+ +

In the future, you might be able to... +

    +
  • Create a bot user +
  • Generate an API token +
+ +{% endblock %} diff --git a/python/fatcat_web/templates/base.html b/python/fatcat_web/templates/base.html index 892ca788..27b163d2 100644 --- a/python/fatcat_web/templates/base.html +++ b/python/fatcat_web/templates/base.html @@ -34,7 +34,7 @@ {{ current_user.username }}
Edits in Progress - History + History
Account Logout @@ -51,6 +51,19 @@
+{% with messages = get_flashed_messages() %} + {% if messages %} +
+ {# Needs more javascript: #} +
Now Hear This!
+
    + {% for message in messages %} +
  • {{ message }} + {% endfor %} +
+
+ {% endif %} +{% endwith %} {% block fullbody %}
{% block body %}Nothing to see here.{% endblock %} diff --git a/python/fatcat_web/templates/editor_changelog.html b/python/fatcat_web/templates/editor_changelog.html index 79127312..785c19bd 100644 --- a/python/fatcat_web/templates/editor_changelog.html +++ b/python/fatcat_web/templates/editor_changelog.html @@ -3,8 +3,8 @@

Editor Changelog: {{ editor.username }}
- - editor {{ editor.id }} + + editor {{ editor.editor_id }}

diff --git a/python/fatcat_web/templates/editor_view.html b/python/fatcat_web/templates/editor_view.html index c9b61f5d..eef4f040 100644 --- a/python/fatcat_web/templates/editor_view.html +++ b/python/fatcat_web/templates/editor_view.html @@ -3,10 +3,10 @@

{{ editor.username }}
- editor {{ editor.id }} + editor {{ editor.editor_id }}

-

View editor's changelog +

View editor's changelog {% endblock %} -- cgit v1.2.3 From 00c0859a7df360380a479eb9dbc79057c0245969 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Thu, 3 Jan 2019 22:10:41 -0800 Subject: basic OIDC auth working --- python/fatcat_web/__init__.py | 11 +++++-- python/fatcat_web/auth.py | 57 ++++++++++++++++++++--------------- python/fatcat_web/routes.py | 4 +-- python/fatcat_web/templates/base.html | 2 +- 4 files changed, 44 insertions(+), 30 deletions(-) (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index 0afee70e..34618076 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -26,14 +26,21 @@ conf = fatcat_client.Configuration() conf.host = Config.FATCAT_API_HOST api = fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) -from fatcat_web import routes, auth +def auth_api(token): + conf = fatcat_client.Configuration() + conf.api_key["Authorization"] = token + conf.api_key_prefix["Authorization"] = "Bearer" + conf.host = Config.FATCAT_API_HOST + return fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) if Config.FATCAT_API_AUTH_TOKEN: print("Found and using privileged token (eg, for account signup)") - priv_api = auth.auth_api(Config.FATCAT_API_AUTH_TOKEN) + priv_api = auth_api(Config.FATCAT_API_AUTH_TOKEN) else: print("No privileged token found") priv_api = None +from fatcat_web import routes, auth + gitlab_bp = create_flask_blueprint(Gitlab, oauth, auth.handle_oauth) app.register_blueprint(gitlab_bp, url_prefix='/auth/gitlab') diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index c6e6f04c..0bdb564f 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -1,18 +1,11 @@ from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session, flash -from fatcat_web import login_manager, api, Config +from fatcat_web import login_manager, api, priv_api, Config from flask_login import logout_user, login_user, UserMixin import pymacaroons import fatcat_client -def auth_api(token): - conf = fatcat_client.Configuration() - conf.api_key["Authorization"] = token - conf.api_key_prefix["Authorization"] = "Bearer" - conf.host = Config.FATCAT_API_HOST - return fatcat_client.DefaultApi(fatcat_client.ApiClient(conf)) - def handle_logout(): logout_user() for k in ('editor', 'token'): @@ -34,35 +27,49 @@ def handle_token_login(token): if not editor_id: abort(400) # fetch editor info - editor = api.get_editor(editor_id).to_dict() + editor = api.get_editor(editor_id) session['api_token'] = token - session['editor'] = editor - login_user(load_user(editor_id)) + session['editor'] = editor.to_dict() + login_user(load_user(editor.editor_id)) return redirect("/auth/account") # This will need to login/signup via fatcatd API, then set token in session def handle_oauth(remote, token, user_info): - print(remote) - if token: - print(remote.name, token) if user_info: - print(user_info) - print(user_info.iss) - print(user_info.prefered_username) - # fetch api login/signup using user_info - params = AuthOidc(remote.name, user_info.sub, user_info.iss) - resp = api.auth_oidc(params) - editor = resp['editor'] - api_token = resp['token'] + # ISS is basically the API url (though more formal in OIDC) + # SUB is the stable internal identifier for the user (not usually the username itself) + # TODO: should have the real sub here + # TODO: would be nicer to pass preferred_username for account creation + iss = remote.OAUTH_CONFIG['api_base_url'] + + # we reuse 'preferred_username' for account name auto-creation (but + # don't store it otherwise in the backend, at least currently). But i'm + # not sure all loginpass backends will set it + if user_info.get('preferred_username'): + preferred_username = user_info['preferred_username'] + else: + preferred_username = user_info['sub'] + + params = fatcat_client.AuthOidc(remote.name, user_info['sub'], iss, user_info['preferred_username']) + # this call requires admin privs + (resp, http_status, http_headers) = priv_api.auth_oidc_with_http_info(params) + editor = resp.editor + api_token = resp.token + + if http_status == 201: + flash("Welcome to Fatcat! An account has been created for you with a temporary username; you may wish to change it under account settings") + flash("You must use the same mechanism ({}) to login in the future".format(remote.name)) + else: + flash("Welcome back!") # write token and username to session session['api_token'] = api_token - session['editor'] = editor.editor_id + session['editor'] = editor.to_dict() # call login_user(load_user(editor_id)) - login_user(load_user(editor_id)) - return redirect("/") + login_user(load_user(editor.editor_id)) + return redirect("/auth/account") raise some_error diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index 07947fd5..ebf7e88a 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -4,8 +4,8 @@ import json from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session, flash from flask_login import login_required -from fatcat_web import app, api -from fatcat_web.auth import handle_token_login, handle_logout, load_user, auth_api +from fatcat_web import app, api, auth_api +from fatcat_web.auth import handle_token_login, handle_logout, load_user from fatcat_client.rest import ApiException from fatcat_web.search import do_search diff --git a/python/fatcat_web/templates/base.html b/python/fatcat_web/templates/base.html index 27b163d2..e3824213 100644 --- a/python/fatcat_web/templates/base.html +++ b/python/fatcat_web/templates/base.html @@ -33,7 +33,7 @@

{{ current_user.username }}
- Edits in Progress + Edits in Progress History
Account -- cgit v1.2.3 From bb6840ab32d39240442f32c89ac3c4d0722d8372 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Fri, 4 Jan 2019 13:00:38 -0800 Subject: use .env for all config (and document it) --- python/.gitignore | 1 + python/README.md | 4 +++ python/env.example | 8 ++++++ python/fatcat_web/__init__.py | 3 ++- python/fatcat_web/web_config.py | 54 +++++++++++++++++++++++++++++++++++++++++ python/web_config.py | 54 ----------------------------------------- 6 files changed, 69 insertions(+), 55 deletions(-) create mode 100644 python/env.example create mode 100644 python/fatcat_web/web_config.py delete mode 100644 python/web_config.py (limited to 'python/fatcat_web') diff --git a/python/.gitignore b/python/.gitignore index e2dae299..a0bc258b 100644 --- a/python/.gitignore +++ b/python/.gitignore @@ -1,3 +1,4 @@ +.env codegen-out/ build/ dist/ diff --git a/python/README.md b/python/README.md index d8812934..922499f3 100644 --- a/python/README.md +++ b/python/README.md @@ -34,6 +34,10 @@ server on the same machine by default), use: # will listen on http://localhost:9810 by default pipenv run fatcat_webface.py +Almost all configuration is done via environment variables; see `env.example` +for a list of settings. If you copy this file to `.env` it will be sourced by +`pipenv` automatically; you can also load it in your shell like `source .env`. + ## Running Tests Many (though not all) python tests depend on access to a local running API diff --git a/python/env.example b/python/env.example new file mode 100644 index 00000000..c139df07 --- /dev/null +++ b/python/env.example @@ -0,0 +1,8 @@ +FLASK_SECRET_KEY="" +FATCAT_API_AUTH_TOKEN="" +FATCAT_API_HOST="http://localhost:9411/v0" +ELASTICSEARCH_BACKEND="http://localhost:9200" +ELASTICSEARCH_INDEX="fatcat" +GITLAB_CLIENT_ID="" +GITLAB_CLIENT_SECRET="" +SENTRY_DSN="" diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index 34618076..53947143 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -6,9 +6,10 @@ from flask_login import LoginManager from authlib.flask.client import OAuth from loginpass import create_flask_blueprint, Gitlab from raven.contrib.flask import Sentry -from web_config import Config import fatcat_client +from fatcat_web.web_config import Config + toolbar = DebugToolbarExtension() app = Flask(__name__) app.config.from_object(Config) diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py new file mode 100644 index 00000000..5713738c --- /dev/null +++ b/python/fatcat_web/web_config.py @@ -0,0 +1,54 @@ + +""" +Default configuration for fatcat web interface (Flask application). + +In production, we currently reconfigure these values using environment +variables, not by (eg) deploying a variant copy of this file. + +This config is *only* for the web interface, *not* for any of the workers or +import scripts. +""" + +import os +import raven +import subprocess + +basedir = os.path.abspath(os.path.dirname(__file__)) + +class Config(object): + GIT_REVISION = subprocess.check_output(["git", "describe", "--always"]).strip() + + # This is, effectively, the QA/PROD flag + FATCAT_DOMAIN = os.environ.get("FATCAT_DOMAIN", default="qa.fatcat.wiki") + FATCAT_API_AUTH_TOKEN = os.environ.get("FATCAT_API_AUTH_TOKEN", default=None) + FATCAT_API_HOST = os.environ.get("FATCAT_API_HOST", default="https://{}/v0".format(FATCAT_DOMAIN)) + + # can set this to https://search.fatcat.wiki for some experimentation + ELASTICSEARCH_BACKEND = os.environ.get("ELASTICSEARCH_BACKEND", default="http://localhost:9200") + ELASTICSEARCH_INDEX = os.environ.get("ELASTICSEARCH_INDEX", default="fatcat") + + # for flask things, like session cookies + FLASK_SECRET_KEY = os.environ.get("FLASK_SECRET_KEY", default=None) + SECRET_KEY = FLASK_SECRET_KEY + + GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") + GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") + + try: + GIT_RELEASE = raven.fetch_git_sha('..') + except Exception as e: + print("WARNING: couldn't set sentry git release automatically: " + str(e)) + GIT_RELEASE = None + + SENTRY_CONFIG = { + #'include_paths': ['fatcat_web', 'fatcat_client', 'fatcat_tools'], + 'enable-threads': True, # for uWSGI + 'release': GIT_RELEASE, + 'tags': { + 'fatcat_domain': FATCAT_DOMAIN, + }, + } + + # "Even more verbose" debug options + #SQLALCHEMY_ECHO = True + #DEBUG = True diff --git a/python/web_config.py b/python/web_config.py deleted file mode 100644 index 5713738c..00000000 --- a/python/web_config.py +++ /dev/null @@ -1,54 +0,0 @@ - -""" -Default configuration for fatcat web interface (Flask application). - -In production, we currently reconfigure these values using environment -variables, not by (eg) deploying a variant copy of this file. - -This config is *only* for the web interface, *not* for any of the workers or -import scripts. -""" - -import os -import raven -import subprocess - -basedir = os.path.abspath(os.path.dirname(__file__)) - -class Config(object): - GIT_REVISION = subprocess.check_output(["git", "describe", "--always"]).strip() - - # This is, effectively, the QA/PROD flag - FATCAT_DOMAIN = os.environ.get("FATCAT_DOMAIN", default="qa.fatcat.wiki") - FATCAT_API_AUTH_TOKEN = os.environ.get("FATCAT_API_AUTH_TOKEN", default=None) - FATCAT_API_HOST = os.environ.get("FATCAT_API_HOST", default="https://{}/v0".format(FATCAT_DOMAIN)) - - # can set this to https://search.fatcat.wiki for some experimentation - ELASTICSEARCH_BACKEND = os.environ.get("ELASTICSEARCH_BACKEND", default="http://localhost:9200") - ELASTICSEARCH_INDEX = os.environ.get("ELASTICSEARCH_INDEX", default="fatcat") - - # for flask things, like session cookies - FLASK_SECRET_KEY = os.environ.get("FLASK_SECRET_KEY", default=None) - SECRET_KEY = FLASK_SECRET_KEY - - GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") - GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") - - try: - GIT_RELEASE = raven.fetch_git_sha('..') - except Exception as e: - print("WARNING: couldn't set sentry git release automatically: " + str(e)) - GIT_RELEASE = None - - SENTRY_CONFIG = { - #'include_paths': ['fatcat_web', 'fatcat_client', 'fatcat_tools'], - 'enable-threads': True, # for uWSGI - 'release': GIT_RELEASE, - 'tags': { - 'fatcat_domain': FATCAT_DOMAIN, - }, - } - - # "Even more verbose" debug options - #SQLALCHEMY_ECHO = True - #DEBUG = True -- cgit v1.2.3 From 6eeead67f1d9af4ff2fc3c6c1188bc372e7d05a0 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Fri, 4 Jan 2019 17:59:59 -0800 Subject: one-month default session; lock down cookies --- python/fatcat_web/auth.py | 2 ++ python/fatcat_web/web_config.py | 6 ++++++ 2 files changed, 8 insertions(+) (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index 0bdb564f..8b57a8c0 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -28,6 +28,7 @@ def handle_token_login(token): abort(400) # fetch editor info editor = api.get_editor(editor_id) + session.permanent = True session['api_token'] = token session['editor'] = editor.to_dict() login_user(load_user(editor.editor_id)) @@ -64,6 +65,7 @@ def handle_oauth(remote, token, user_info): flash("Welcome back!") # write token and username to session + session.permanent = True session['api_token'] = api_token session['editor'] = editor.to_dict() diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py index 5713738c..85134762 100644 --- a/python/fatcat_web/web_config.py +++ b/python/fatcat_web/web_config.py @@ -34,6 +34,12 @@ class Config(object): GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") + # protect cookies (which include API tokens) + SESSION_COOKIE_HTTPONLY = True + SESSION_COOKIE_SECURE = True + SESSION_COOKIE_SAMESITE = 'Lax' + PERMANENT_SESSION_LIFETIME = 2678400 # 31 days, in seconds + try: GIT_RELEASE = raven.fetch_git_sha('..') except Exception as e: -- cgit v1.2.3 From 5d5a5648cb480e05c4253c954c71094c7251b65a Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Mon, 7 Jan 2019 17:43:34 -0800 Subject: basic/crude IA login --- python/env.example | 2 + python/fatcat_web/auth.py | 57 ++++++++++++++++++++++++-- python/fatcat_web/routes.py | 11 ++++- python/fatcat_web/templates/auth_ia_login.html | 31 ++++++++++++++ python/fatcat_web/templates/auth_login.html | 1 + python/fatcat_web/templates/base.html | 2 +- python/fatcat_web/web_config.py | 8 +++- 7 files changed, 103 insertions(+), 9 deletions(-) create mode 100644 python/fatcat_web/templates/auth_ia_login.html (limited to 'python/fatcat_web') diff --git a/python/env.example b/python/env.example index c139df07..c13c6246 100644 --- a/python/env.example +++ b/python/env.example @@ -5,4 +5,6 @@ ELASTICSEARCH_BACKEND="http://localhost:9200" ELASTICSEARCH_INDEX="fatcat" GITLAB_CLIENT_ID="" GITLAB_CLIENT_SECRET="" +IA_XAUTH_CLIENT_ID="" +IA_XAUTH_CLIENT_SECRET="" SENTRY_DSN="" diff --git a/python/fatcat_web/auth.py b/python/fatcat_web/auth.py index 8b57a8c0..8035cbe5 100644 --- a/python/fatcat_web/auth.py +++ b/python/fatcat_web/auth.py @@ -1,16 +1,19 @@ +from collections import namedtuple +import requests +import pymacaroons from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session, flash from fatcat_web import login_manager, api, priv_api, Config from flask_login import logout_user, login_user, UserMixin -import pymacaroons import fatcat_client def handle_logout(): logout_user() - for k in ('editor', 'token'): + for k in ('editor', 'api_token'): if k in session: session.pop(k) + session.clear() def handle_token_login(token): try: @@ -73,14 +76,59 @@ def handle_oauth(remote, token, user_info): login_user(load_user(editor.editor_id)) return redirect("/auth/account") - raise some_error + # XXX: what should this actually be? + raise Exception("didn't receive OAuth user_info") + +def handle_ia_xauth(email, password): + resp = requests.post(Config.IA_XAUTH_URI, + params={'op': 'authenticate'}, + json={ + 'version': '1', + 'email': email, + 'password': password, + 'access': Config.IA_XAUTH_CLIENT_ID, + 'secret': Config.IA_XAUTH_CLIENT_SECRET, + }) + if resp.status_code == 401 or (not resp.json().get('success')): + flash("Internet Archive email/password didn't match: {}".format(resp.json()['values']['reason'])) + return render_template('auth_ia_login.html', email=email), resp.status_code + elif resp.status_code != 200: + flash("Internet Archive login failed (internal error?)") + # TODO: log.warn + print("IA XAuth fail: {}".format(resp.content)) + return render_template('auth_ia_login.html', email=email), resp.status_code + # Successful login; now fetch info... + resp = requests.post(Config.IA_XAUTH_URI, + params={'op': 'info'}, + json={ + 'version': '1', + 'email': email, + 'access': Config.IA_XAUTH_CLIENT_ID, + 'secret': Config.IA_XAUTH_CLIENT_SECRET, + }) + if resp.status_code != 200: + flash("Internet Archive login failed (internal error?)") + # TODO: log.warn + print("IA XAuth fail: {}".format(resp.content)) + return render_template('auth_ia_login.html', email=email), resp.status_code + ia_info = resp.json()['values'] + + # and pass off "as if" we did OAuth successfully + FakeOAuthRemote = namedtuple('FakeOAuthRemote', ['name', 'OAUTH_CONFIG']) + remote = FakeOAuthRemote(name='archive', OAUTH_CONFIG={'api_base_url': Config.IA_XAUTH_URI}) + oauth_info = { + 'preferred_username': ia_info['screenname'], + 'iss': Config.IA_XAUTH_URI, + 'sub': ia_info['itemname'], + } + return handle_oauth(remote, None, oauth_info) @login_manager.user_loader def load_user(editor_id): # looks for extra info in session, and updates the user object with that. # If session isn't loaded/valid, should return None - if not 'editor' in session or not 'api_token' in session: + if (not session.get('editor')) or (not session.get('api_token')): return None editor = session['editor'] token = session['api_token'] @@ -90,3 +138,4 @@ def load_user(editor_id): user.username = editor['username'] user.token = token return user + diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py index ebf7e88a..789d7bed 100644 --- a/python/fatcat_web/routes.py +++ b/python/fatcat_web/routes.py @@ -5,7 +5,7 @@ from flask import Flask, render_template, send_from_directory, request, \ url_for, abort, g, redirect, jsonify, session, flash from flask_login import login_required from fatcat_web import app, api, auth_api -from fatcat_web.auth import handle_token_login, handle_logout, load_user +from fatcat_web.auth import handle_token_login, handle_logout, load_user, handle_ia_xauth from fatcat_client.rest import ApiException from fatcat_web.search import do_search @@ -381,6 +381,14 @@ def login(): # show the user a list of login options return render_template('auth_login.html') +@app.route('/auth/ia/login', methods=['GET', 'POST']) +def ia_xauth_login(): + if 'email' in request.form: + # if a login attempt... + return handle_ia_xauth(request.form.get('email'), request.form.get('password')) + # else show form + return render_template('auth_ia_login.html') + @app.route('/auth/token_login', methods=['GET', 'POST']) def token_login(): # show the user a list of login options @@ -409,7 +417,6 @@ def change_username(): @app.route('/auth/logout') def logout(): - # TODO: clear extra session info handle_logout() return render_template('auth_logout.html') diff --git a/python/fatcat_web/templates/auth_ia_login.html b/python/fatcat_web/templates/auth_ia_login.html new file mode 100644 index 00000000..ebf08021 --- /dev/null +++ b/python/fatcat_web/templates/auth_ia_login.html @@ -0,0 +1,31 @@ +{% extends "base.html" %} +{% block body %} +

Login with Internet Archive account

+ +

Warning: still experimental! + +
+
+
+ +{% if current_user.is_authenticated %} +

+
You are already logged in!
+

You should logout first. Re-authenticating would be undefined behavior. +

+{% else %} +
+
+
+ +
+
+ + +
+
+
+ +{% endif %} + +{% endblock %} diff --git a/python/fatcat_web/templates/auth_login.html b/python/fatcat_web/templates/auth_login.html index 98b1c7c4..9ccae816 100644 --- a/python/fatcat_web/templates/auth_login.html +++ b/python/fatcat_web/templates/auth_login.html @@ -12,6 +12,7 @@

Other options...

{% endblock %} diff --git a/python/fatcat_web/templates/base.html b/python/fatcat_web/templates/base.html index e3824213..3b324cba 100644 --- a/python/fatcat_web/templates/base.html +++ b/python/fatcat_web/templates/base.html @@ -55,7 +55,7 @@ {% if messages %}
{# Needs more javascript: #} -
Now Hear This!
+
Now Hear This...
    {% for message in messages %}
  • {{ message }} diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py index 85134762..0ae43a3a 100644 --- a/python/fatcat_web/web_config.py +++ b/python/fatcat_web/web_config.py @@ -31,8 +31,12 @@ class Config(object): FLASK_SECRET_KEY = os.environ.get("FLASK_SECRET_KEY", default=None) SECRET_KEY = FLASK_SECRET_KEY - GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default="bogus") - GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default="bogus") + GITLAB_CLIENT_ID = os.environ.get("GITLAB_CLIENT_ID", default=None) + GITLAB_CLIENT_SECRET = os.environ.get("GITLAB_CLIENT_SECRET", default=None) + + IA_XAUTH_URI = "https://archive.org/services/xauthn/" + IA_XAUTH_CLIENT_ID = os.environ.get("IA_XAUTH_CLIENT_ID", default=None) + IA_XAUTH_CLIENT_SECRET = os.environ.get("IA_XAUTH_CLIENT_SECRET", default=None) # protect cookies (which include API tokens) SESSION_COOKIE_HTTPONLY = True -- cgit v1.2.3 From 0e344762101e9cb1f57a139c726fd50f2364ad51 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Tue, 8 Jan 2019 13:57:09 -0800 Subject: decode GIT_REVISION earlier --- python/fatcat_web/templates/base.html | 2 +- python/fatcat_web/web_config.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/templates/base.html b/python/fatcat_web/templates/base.html index 3b324cba..cce841e5 100644 --- a/python/fatcat_web/templates/base.html +++ b/python/fatcat_web/templates/base.html @@ -80,7 +80,7 @@ Sources Status Bulk Exports - Source Code ({{ config.GIT_REVISION.decode() }}) + Source Code ({{ config.GIT_REVISION }})
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py index 0ae43a3a..cbe519b0 100644 --- a/python/fatcat_web/web_config.py +++ b/python/fatcat_web/web_config.py @@ -16,7 +16,7 @@ import subprocess basedir = os.path.abspath(os.path.dirname(__file__)) class Config(object): - GIT_REVISION = subprocess.check_output(["git", "describe", "--always"]).strip() + GIT_REVISION = subprocess.check_output(["git", "describe", "--always"]).strip().decode('utf-8') # This is, effectively, the QA/PROD flag FATCAT_DOMAIN = os.environ.get("FATCAT_DOMAIN", default="qa.fatcat.wiki") -- cgit v1.2.3 From 7f50c87b58e089b17204da63a48a8747a0f9dd44 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Tue, 8 Jan 2019 15:47:38 -0800 Subject: send user to login page if they need to auth to continue --- python/fatcat_web/__init__.py | 1 + 1 file changed, 1 insertion(+) (limited to 'python/fatcat_web') diff --git a/python/fatcat_web/__init__.py b/python/fatcat_web/__init__.py index 53947143..cd7af195 100644 --- a/python/fatcat_web/__init__.py +++ b/python/fatcat_web/__init__.py @@ -18,6 +18,7 @@ FlaskUUID(app) login_manager = LoginManager() login_manager.init_app(app) +login_manager.login_view = "/auth/login" oauth = OAuth(app) # Grabs sentry config from SENTRY_DSN environment variable -- cgit v1.2.3