From 8a20d3f2d81895215ba0dd34e6f14384dc15d153 Mon Sep 17 00:00:00 2001 From: Chris Pritchard Date: Mon, 22 Oct 2018 02:33:46 +0100 Subject: [PATCH] migrated to authlib --- app/__init__.py | 2 - app/models.py | 8 +-- app/oauth.py | 55 ++++++++++--------- .../admin_setting_authentication.html | 10 ++-- app/views.py | 17 ++++-- requirements.txt | 1 - 6 files changed, 48 insertions(+), 45 deletions(-) diff --git a/app/__init__.py b/app/__init__.py index fe9004b..3747067 100644 --- a/app/__init__.py +++ b/app/__init__.py @@ -3,7 +3,6 @@ from flask import Flask, request, session, redirect, url_for from flask_login import LoginManager from flask_sqlalchemy import SQLAlchemy as SA from flask_migrate import Migrate -from flask_oauthlib.client import OAuth from authlib.flask.client import OAuth as AuthlibOAuth from sqlalchemy.exc import OperationalError @@ -30,7 +29,6 @@ login_manager = LoginManager() login_manager.init_app(app) db = SQLAlchemy(app) # database migrate = Migrate(app, db) # flask-migrate -oauth_client = OAuth(app) # oauth authlib_oauth_client = AuthlibOAuth(app) # authlib oauth if app.config.get('SAML_ENABLED') and app.config.get('SAML_ENCRYPT'): diff --git a/app/models.py b/app/models.py index c2306f8..538a83f 100644 --- a/app/models.py +++ b/app/models.py @@ -1836,10 +1836,10 @@ class Setting(db.Model): 'google_oauth_enabled': False, 'google_oauth_client_id':'', 'google_oauth_client_secret':'', - 'google_token_url': 'https://accounts.google.com/o/oauth2/token', - 'google_token_params': {'scope': 'email profile'}, - 'google_authorize_url':'https://accounts.google.com/o/oauth2/auth', - 'google_base_url':'https://www.googleapis.com/oauth2/v1/', + 'google_token_url': 'https://oauth2.googleapis.com/token', + 'google_oauth_scope': 'openid email profile', + 'google_authorize_url':'https://accounts.google.com/o/oauth2/v2/auth', + 'google_base_url':'https://www.googleapis.com/oauth2/v3/', 'oidc_oauth_enabled': False, 'oidc_oauth_key': '', 'oidc_oauth_secret': '', 
diff --git a/app/oauth.py b/app/oauth.py
index bb8e7a9..a578341 100644
--- a/app/oauth.py
+++ b/app/oauth.py
@@ -1,44 +1,44 @@ from ast import literal_eval from flask import request, session, redirect, url_for -from app import app, oauth_client, authlib_oauth_client +from app import app, authlib_oauth_client from app.models import Setting # TODO: -# - Replace Flask-OAuthlib by authlib # - Fix github/google enabling (Currently need to reload the flask app) def github_oauth(): if not Setting().get('github_oauth_enabled'): return None - github = oauth_client.remote_app( + def fetch_github_token(): + return session.get('github_token') + + github = authlib_oauth_client.register( 'github', - consumer_key = Setting().get('github_oauth_key'), - consumer_secret = Setting().get('github_oauth_secret'), + client_id = Setting().get('github_oauth_key'), + client_secret = Setting().get('github_oauth_secret'), request_token_params = {'scope': Setting().get('github_oauth_scope')}, - base_url = Setting().get('github_oauth_api_url'), + api_base_url = Setting().get('github_oauth_api_url'), request_token_url = None, - access_token_method = 'POST', access_token_url = Setting().get('github_oauth_token_url'), - authorize_url = Setting().get('github_oauth_authorize_url') + authorize_url = Setting().get('github_oauth_authorize_url'), + client_kwargs={'scope': Setting().get('github_oauth_scope')}, + fetch_token=fetch_github_token, ) @app.route('/github/authorized') def github_authorized(): session['github_oauthredir'] = url_for('.github_authorized', _external=True) - resp = github.authorized_response() - if resp is None: + token = github.authorize_access_token() + if token is None: return 'Access denied: reason=%s error=%s' % ( request.args['error'], request.args['error_description'] ) - session['github_token'] = (resp['access_token'], '') + session['github_token'] = (token) return redirect(url_for('.login')) - @github.tokengetter - def get_github_oauth_token(): - return session.get('github_token') return github 
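Review bot: The `if token is None:` check after `github.authorize_access_token()` almost certainly never fires: as far as I can tell authlib's client raises (a state-mismatch error when the CSRF `state` check fails, an OAuth error when the callback carries `error=` or lacks `code`) instead of returning None, so a user who declines at GitHub now gets an unhandled exception rather than the 'Access denied' message, and `request.args['error']` would itself raise KeyError when that parameter is absent. Wrap the exchange instead — `try: token = github.authorize_access_token()` / `except OAuthError as e: return 'Access denied: %s' % e, 403` — importing OAuthError from authlib at module level, and use `request.args.get(...)` in any remaining error path. The `request_token_params=...` argument is a Flask-OAuthlib leftover that authlib's OAuth2 client does not use (the scope is already passed through `client_kwargs`), and `from ast import literal_eval` looks unused now that google_oauth no longer calls it, unless the rest of the module does. `session['github_token'] = (token)` stores the whole token dict, not just the access token, in Flask's signed-but-unencrypted session cookie; that exposure existed before with the bare token, but the parentheses are redundant — `session['github_token'] = token`.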
@@ -47,33 +47,34 @@ def google_oauth(): if not Setting().get('google_oauth_enabled'): return None - google = oauth_client.remote_app( + def fetch_google_token(): + return session.get('google_token') + print("afkafna") + + google = authlib_oauth_client.register( 'google', - consumer_key=Setting().get('google_oauth_client_id'), - consumer_secret=Setting().get('google_oauth_client_secret'), - request_token_params=literal_eval(Setting().get('google_token_params')), - base_url=Setting().get('google_base_url'), + client_id=Setting().get('google_oauth_client_id'), + client_secret=Setting().get('google_oauth_client_secret'), + api_base_url=Setting().get('google_base_url'), request_token_url=None, - access_token_method='POST', access_token_url=Setting().get('google_token_url'), authorize_url=Setting().get('google_authorize_url'), + client_kwargs={'scope': Setting().get('google_oauth_scope')}, + fetch_token=fetch_google_token, ) @app.route('/google/authorized') def google_authorized(): - resp = google.authorized_response() - if resp is None: + session['google_oauthredir'] = url_for('.google_authorized', _external=True) + token = google.authorize_access_token() + if token is None: return 'Access denied: reason=%s error=%s' % ( request.args['error_reason'], request.args['error_description'] ) - session['google_token'] = (resp['access_token'], '') + session['google_token'] = (token) return redirect(url_for('.login')) - @google.tokengetter - def get_google_oauth_token(): - return session.get('google_token') - return google def oidc_oauth(): diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html index 605f3de..8566bb6 100644 --- a/app/templates/admin_setting_authentication.html +++ b/app/templates/admin_setting_authentication.html @@ -245,8 +245,8 @@
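Review bot: `print("afkafna")` inside google_oauth is a debugging leftover that writes to stdout every time the client is registered; delete it. The new `if token is None:` branch has the same problem as its GitHub counterpart: authlib's `authorize_access_token()` raises on a denied or forged callback rather than returning None, so the 'Access denied' path is unreachable and `request.args['error_reason']` would KeyError if it were reached, so catch authlib's OAuthError around the call instead. The added `session['google_oauthredir'] = url_for(...)` line is written but nothing in this diff reads it; if it only mirrors the GitHub handler, drop it rather than grow the session cookie. `session['google_token'] = (token)` can lose the redundant parentheses: `session['google_token'] = token`. google_oauth is complete within the hunk; oidc_oauth, whose `def` is the hunk's last line, continues outside it.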
- - + +
@@ -496,14 +496,14 @@ $('#google_oauth_client_id').prop('required', true); $('#google_oauth_client_secret').prop('required', true); $('#google_token_url').prop('required', true); - $('#google_token_params').prop('required', true); + $('#google_oauth_scope').prop('required', true); $('#google_authorize_url').prop('required', true); $('#google_base_url').prop('required', true); } else { $('#google_oauth_client_id').prop('required', false); $('#google_oauth_client_secret').prop('required', false); $('#google_token_url').prop('required', false); - $('#google_token_params').prop('required', false); + $('#google_oauth_scope').prop('required', false); $('#google_authorize_url').prop('required', false); $('#google_base_url').prop('required', false); } @@ -514,7 +514,7 @@ $('#google_oauth_client_id').prop('required', true); $('#google_oauth_client_secret').prop('required', true); $('#google_token_url').prop('required', true); - $('#google_token_params').prop('required', true); + $('#google_oauth_scope').prop('required', true); $('#google_authorize_url').prop('required', true); $('#google_base_url').prop('required', true); {% endif %} diff --git a/app/views.py b/app/views.py index d1fd98a..d86e64c 100644 --- a/app/views.py +++ b/app/views.py @@ -163,7 +163,8 @@ def google_login(): logging.error('Google OAuth is disabled or you have not yet reloaded the pda application after enabling.') return abort(400) else: - return google.authorize(callback=url_for('google_authorized', _external=True)) + redirect_uri = url_for('google_authorized', _external=True) + return google.authorize_redirect(redirect_uri) @app.route('/github/login') 
@@ -172,7 +173,8 @@ def github_login(): logging.error('Github OAuth is disabled or you have not yet reloaded the pda application after enabling.') return abort(400) else: - return github.authorize(callback=url_for('github_authorized', _external=True)) + redirect_uri = url_for('github_authorized', _external=True) + return github.authorize_redirect(redirect_uri) @app.route('/oidc/login') def oidc_login(): @@ -306,11 +308,13 @@ def login(): return redirect(url_for('dashboard')) if 'google_token' in session: - user_data = google.get('userinfo').data + user_data = json.loads(google.get('userinfo').text) first_name = user_data['given_name'] surname = user_data['family_name'] email = user_data['email'] user = User.query.filter_by(username=email).first() + if user == None: + user = User.query.filter_by(email=email).first() if not user: user = User(username=email, firstname=first_name, @@ -329,13 +333,14 @@ def login(): return redirect(url_for('index')) if 'github_token' in session: - me = github.get('user').data - + me = json.loads(github.get('user').text) github_username = me['login'] github_name = me['name'] github_email = me['email'] user = User.query.filter_by(username=github_username).first() + if user == None: + user = User.query.filter_by(email=github_email).first() if not user: user = User(username=github_username, plain_text_password=None, 
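Review bot: The new fallback `user = User.query.filter_by(email=email).first()` in the Google branch links a Google identity to an existing local account purely on email match, but nothing checks that Google actually verified that address; Google's v3 userinfo response carries an `email_verified` flag and, for non-Gmail Google accounts, the address may be unverified, so someone who registers a Google account with an existing user's email could sign in as that user. Gate the lookup on it: `if not user_data.get('email_verified'): return abort(403)` before the query (what happens to the matched user after the hunk is outside my view, so confirm that path really signs them in). Use `user is None` rather than `user == None`, and `google.get('userinfo').json()` instead of `json.loads(google.get('userinfo').text)` — authlib returns a requests Response, which also avoids depending on a `json` import that isn't visible here. The enclosing `login()` starts and ends outside the hunk.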
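Review bot: `github_email = me['email']` is None for any GitHub user without a public profile email, and the new `User.query.filter_by(email=github_email).first()` then becomes `email IS NULL` in SQLAlchemy, so such a user is matched to the first local account that has no email set — an account takeover through a NULL match. Guard it: `if user is None and github_email: user = User.query.filter_by(email=github_email).first()`. Even with an address present, GitHub's public `email` field is whatever the user chose to display; if linking on email is intended, the `user/emails` endpoint (which needs the `user:email` scope) exposes `verified`/`primary` flags worth requiring before trusting it. Also prefer `user is None` and `github.get('user').json()` over `user == None` and `json.loads(github.get('user').text)`. The hunk cuts off at `plain_text_password=None,` inside the `User(...)` constructor, so the sign-in that follows the lookup is outside it.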
@@ -1532,7 +1537,7 @@ def admin_setting_authentication():
 Setting().set('google_oauth_client_id', request.form.get('google_oauth_client_id'))
 Setting().set('google_oauth_client_secret', request.form.get('google_oauth_client_secret'))
 Setting().set('google_token_url', request.form.get('google_token_url'))
- Setting().set('google_token_params', request.form.get('google_token_params'))
+ Setting().set('google_oauth_scope', request.form.get('google_oauth_scope'))
 Setting().set('google_authorize_url', request.form.get('google_authorize_url'))
 Setting().set('google_base_url', request.form.get('google_base_url'))
 result = {'status': True, 'msg': 'Saved successfully. Please reload PDA to take effect.'}
diff --git a/requirements.txt b/requirements.txt
index 04eaa3b..245d0d0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,6 @@
 Flask==1.0.2
 Flask-Assets==0.12
 Flask-Login==0.4.1
-Flask-OAuthlib==0.9.4
 Flask-SQLAlchemy==2.3.2
 Flask-Migrate==2.2.1
 SQLAlchemy==1.2.5