app/authentication/auth.py

from flask import request, jsonify, _request_ctx_stack, current_app
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError

from app.dao.api_key_dao import get_model_api_keys


def authentication_response(message, code):
    return jsonify(result='error',
                   message={"token": [message]}
                   ), code


def requires_auth():
    auth_header = request.headers.get('Authorization', None)
    if not auth_header:
        return authentication_response('Unauthorized, authentication token must be provided', 401)

    auth_scheme = auth_header[:7]

    if auth_scheme != 'Bearer ':
        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)

    auth_token = auth_header[7:]
    try:
        client = get_token_issuer(auth_token)
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)

    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        errors_resp = get_decode_errors(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'), expiry_date=None)
        return errors_resp

    secret_keys = get_model_api_keys(client)
    for api_key in secret_keys:
        errors_resp = get_decode_errors(auth_token, api_key.unsigned_secret, api_key.expiry_date)
        if not errors_resp:
            if api_key.expiry_date:
                return authentication_response("Invalid token: revoked", 403)
            else:
                _request_ctx_stack.top.api_user = api_key
                return

    if not secret_keys:
        errors_resp = authentication_response("Invalid token: no api keys for service", 403)
    current_app.logger.info(errors_resp)
    return errors_resp


def get_decode_errors(auth_token, unsigned_secret, expiry_date=None):
    try:
        decode_jwt_token(auth_token, unsigned_secret)
    except TokenExpiredError:
        return authentication_response("Invalid token: expired", 403)
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)
    else:
        return None
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00			`from flask import request, jsonify, _request_ctx_stack, current_app`
bumped client version 2016-02-09 18:48:02 +00:00			`from notifications_python_client.authentication import decode_jwt_token, get_token_issuer`
Use the new version of the notifications-python-client. This version no longer adds the req and pay to the claims of the jwt. The change is backward compatible so an older client that sends a jwt with the extra claims will pass authentication. Once all the clients have been updated to not include the extra claims some updates to exclude them from the method signatures will happen as well. 2016-04-14 18:12:33 +01:00			`from notifications_python_client.errors import TokenDecodeError, TokenExpiredError`
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used 2016-06-29 14:15:32 +01:00
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`from app.dao.api_key_dao import get_model_api_keys`
Added authorization headers for all requests 2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
			`def authentication_response(message, code):`
Format authentication error messages for the client. 2016-03-14 15:51:04 +00:00			`return jsonify(result='error',`
Update auth module to return consistently formed error messages. We are trying to get all the error messages to return in the following format: {result: error, message: ['what caused error': 'reason for error'] } 2016-06-17 14:22:58 +01:00			`message={"token": [message]}`
Format authentication error messages for the client. 2016-03-14 15:51:04 +00:00			`), code`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

			`def requires_auth():`
			`auth_header = request.headers.get('Authorization', None)`
			`if not auth_header:`
			`return authentication_response('Unauthorized, authentication token must be provided', 401)`

			`auth_scheme = auth_header[:7]`

			`if auth_scheme != 'Bearer ':`
			`return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)`

Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`auth_token = auth_header[7:]`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`try:`
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`client = get_token_issuer(auth_token)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`except TokenDecodeError:`
			`return authentication_response("Invalid token: signature", 403)`
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
			`errors_resp = get_decode_errors(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'), expiry_date=None)`
			`return errors_resp`

			`secret_keys = get_model_api_keys(client)`
			`for api_key in secret_keys:`
			`errors_resp = get_decode_errors(auth_token, api_key.unsigned_secret, api_key.expiry_date)`
			`if not errors_resp:`
			`if api_key.expiry_date:`
			`return authentication_response("Invalid token: revoked", 403)`
			`else:`
			`_request_ctx_stack.top.api_user = api_key`
			`return`

			`if not secret_keys:`
Update auth module to return consistently formed error messages. We are trying to get all the error messages to return in the following format: {result: error, message: ['what caused error': 'reason for error'] } 2016-06-17 14:22:58 +01:00			`errors_resp = authentication_response("Invalid token: no api keys for service", 403)`
Update python client to version 1.0.0. This version of the client removed the request method, path and body from the encode and decode methods. The biggest changes here is to the unit tests. 2016-05-04 16:08:23 +01:00			`current_app.logger.info(errors_resp)`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`return errors_resp`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`def get_decode_errors(auth_token, unsigned_secret, expiry_date=None):`
			`try:`
			`decode_jwt_token(auth_token, unsigned_secret)`
			`except TokenExpiredError:`
			`return authentication_response("Invalid token: expired", 403)`
			`except TokenDecodeError:`
			`return authentication_response("Invalid token: signature", 403)`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`else:`
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`return None`