This repository has been archived by the owner on Mar 8, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
auth.py
227 lines (195 loc) · 7.48 KB
/
auth.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
import os
import json
from flask import request, _request_ctx_stack, abort
from jose import jwt
from functools import wraps
from urllib.request import urlopen
from dotenv import load_dotenv
# basedir = os.path.abspath(os.path.dirname(__file__))
load_dotenv()
# AUTH0_DOMAIN = 'gs-prod.auth0.com'
# AUTH0_ALGORITHMS = ['RS256']
# AUTH0_AUDIENCE = 'casting'
AUTH0_DOMAIN = os.environ['AUTH0_DOMAIN']
AUTH0_ALGORITHMS = os.environ['AUTH0_ALGORITHMS']
AUTH0_AUDIENCE = os.environ['AUTH0_AUDIENCE']
print('❌ os.environ', os.getenv('AUTH0_AUDIENCE'))
# AuthError Exception handler
class AuthError(Exception):
'''
AuthError Exception
A standardized way to communicate auth failure modes
'''
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
# Auth Header
'''
get_token_auth_header() method
it should attempt to get the header from the request
it should raise an AuthError if no header is present
it should attempt to split bearer and the token
it should raise an AuthError if the header is malformed
return the token part of the header
'''
def get_token_auth_header():
"""Grab Access Token from the Authorization Header in request"""
auth = request.headers.get('Authorization', None)
if auth:
print('🚩auth exists in headers:')
if not auth: # ensures auth has a truthy value
print('authorization_header_missing')
raise AuthError({
'code': 'authorization_header_missing',
'description': 'Authorization header is expected.'
}, 401)
parts = auth.split()
if parts[0].lower() != 'bearer':
print('invalid_header')
raise AuthError({
'code': 'invalid_header',
'description': 'Authorization header must start with "Bearer".'
}, 401)
elif len(parts) == 1:
print('Token not found.')
raise AuthError({
# assumes token is not in header
'code': 'invalid_header',
'description': 'Token not found.'
}, 401)
elif len(parts) > 2: # if header has more than two items
print('Authorization header must be bearer token.')
raise AuthError({
'code': 'invalid_header',
'description': 'Authorization header must be bearer token.'
}, 401)
token = parts[1] # return only the token from parts
if token:
print('✅ found token in header:')
return token
'''
verify_decode_jwt(token) method
@INPUTS
token: a json web token (string)
it should be an Auth0 token with key id (kid)
it should verify the token using Auth0 /.well-known/jwks.json
it should decode the payload from the token
it should validate the claims
return the decoded payload
!!NOTE urlopen has a common certificate error described here: https://stackoverflow.com/questions/50236117/scraping-ssl-certificate-verify-failed-error-for-http-en-wikipedia-org
'''
def verify_decode_jwt(token):
"""Uses the Auth0 secret to decode then verify the provided token"""
# print('verifying...')
jsonurl = urlopen("https://{}/.well-known/jwks.json".format(AUTH0_DOMAIN))
# print('jsonurl', jsonurl)
jwks = json.loads(jsonurl.read())
# print('jwks', jwks)
unverified_header = jwt.get_unverified_header(token)
# print('unverified_header', unverified_header)
rsa_key = {}
if 'kid' not in unverified_header:
print("'kid' not in unverified_header")
raise AuthError({
'code': 'invalid_header',
'description': 'Authorization malformed.'
}, 401)
for key in jwks['keys']:
if key['kid'] == unverified_header['kid']:
rsa_key = {
'kty': key['kty'],
'kid': key['kid'],
'use': key['use'],
'n': key['n'],
'e': key['e']
}
if rsa_key:
try:
# print('checking rsa key', rsa_key)
payload = jwt.decode(
token,
rsa_key,
algorithms=AUTH0_ALGORITHMS,
audience=AUTH0_AUDIENCE,
issuer='https://' + AUTH0_DOMAIN + '/'
)
# print('✅ rsa key found', payload)
return payload
except jwt.ExpiredSignatureError:
print('🚩 payload token_expired')
raise AuthError({
'code': 'token_expired',
'description': 'Token expired.'
}, 401)
except jwt.JWTClaimsError:
print('🚩 payload invalid_claims')
raise AuthError({
'code': 'invalid_claims',
'description': 'Incorrect claims. Please, check the audience and issuer.'
}, 401)
except Exception:
print('🚩 payload invalid_header')
raise AuthError({
'code': 'invalid_header',
'description': 'Unable to parse authentication token.'
}, 400)
print('🚩 payload unable to find key')
raise AuthError({
'code': 'invalid_header',
'description': 'Unable to find the appropriate key.'
}, 400)
'''
check_permissions(permission, payload) method
@INPUTS
permission: string permission (i.e. 'post:drink')
payload: decoded jwt payload
it should raise an AuthError if permissions are not included in the payload
!!NOTE check your RBAC settings in Auth0
it should raise an AuthError if the requested permission string is not in the payload permissions array
return true otherwise
'''
def check_permissions(permission, payload):
"""Checks for permission in JWT"""
if 'permissions' not in payload:
# look for permissions in payload
print("❌ 'permissions' not in payload for:", permission)
raise AuthError({
'code': 'invalid_claims',
'description': 'Permission not included in JWT.'
}, 400)
if permission not in payload['permissions']:
# look for permission in payload properties
print(
"❌ matching permission not found in payload['permissions'] for:", permission)
raise AuthError({
'code': 'unauthorized',
'description': 'Permission not found.'
}, 401)
return True
'''
@requires_auth(permission) decorator method
@INPUTS
permission: string permission (i.e. 'post:drink')
it should use the get_token_auth_header method to get the token
it should use the verify_decode_jwt method to decode the jwt
it should use the check_permissions method validate claims and check the requested permission
return the decorator which passes the decoded payload to the decorated method
'''
def requires_auth(permission=''): # defaults permission to empty string
"""Defines a decorator specifically used for Authentication"""
def requires_auth_decorator(f): # wraps auth decorator
@wraps(f)
def wrapper(*args, **kwargs):
# validate token
# print('🚧 validating token in header')
token = get_token_auth_header()
# print('verifying header payload')
payload = verify_decode_jwt(token)
# print('payload', payload)
# check permissions
print('🧐 checking permission for', permission)
check_permissions(permission, payload)
print('permitted')
return f(payload, *args, **kwargs)
return wrapper
return requires_auth_decorator