app/authentication/auth.py

from flask import request, _request_ctx_stack, current_app
from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound

from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError

from app.dao.api_key_dao import get_model_api_keys
from app.dao.services_dao import dao_fetch_service_by_id


class AuthError(Exception):
    def __init__(self, message, code):
        self.message = {"token": [message]}
        self.short_message = message
        self.code = code

    def to_dict_v2(self):
        return {'code': self.code,
                'message': self.short_message,
                'fields': self.message,
                'link': 'link to docs'}


def get_auth_token(req):
    auth_header = req.headers.get('Authorization', None)
    if not auth_header:
        raise AuthError('Unauthorized, authentication token must be provided', 401)

    auth_scheme = auth_header[:7].title()

    if auth_scheme != 'Bearer ':
        raise AuthError('Unauthorized, authentication bearer scheme must be used', 401)

    return auth_header[7:]


def requires_auth():
    auth_token = get_auth_token(request)
    try:
        client = get_token_issuer(auth_token)
    except TokenDecodeError:
        raise AuthError("Invalid token: signature", 403)

    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))

    try:
        api_keys = get_model_api_keys(client)
    except DataError:
        raise AuthError("Invalid token: service id is not the right data type", 403)
    for api_key in api_keys:
        try:
            get_decode_errors(auth_token, api_key.unsigned_secret)
        except TokenDecodeError:
            continue

        if api_key.expiry_date:
            raise AuthError("Invalid token: API key revoked", 403)

        _request_ctx_stack.top.api_user = api_key
        return

    try:
        dao_fetch_service_by_id(client)
    except NoResultFound:
        raise AuthError("Invalid token: service not found", 403)

    if not api_keys:
        raise AuthError("Invalid token: service has no API keys", 403)
    else:
        raise AuthError("Invalid token: signature, api token is not valid", 403)


def handle_admin_key(auth_token, secret):
    try:
        get_decode_errors(auth_token, secret)
        return
    except TokenDecodeError:
        raise AuthError("Invalid token: signature", 403)


def get_decode_errors(auth_token, unsigned_secret):
    try:
        decode_jwt_token(auth_token, unsigned_secret)
    except TokenExpiredError:
        raise AuthError("Invalid token: expired", 403)
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`from flask import request, _request_ctx_stack, current_app`
			`from sqlalchemy.exc import DataError`
Give specifc error when service doesn’t exist If you sign a token with a service ID that doesn’t exist (say, for example, that you get service ID and API key mixed up) then you get an error saying that “no API keys exist for the service”. This is wrong because the service doesn’t even exist. This commit adds: - code to check if the service does exist - a specific error message for this case The check does mean an extra database call to look up the service. However this only happens _after_ looping through all the API keys. So it shouldn’t have a performance implication for anyone using a valid API key. 2016-09-16 08:44:08 +01:00			`from sqlalchemy.orm.exc import NoResultFound`

bumped client version 2016-02-09 18:48:02 +00:00			`from notifications_python_client.authentication import decode_jwt_token, get_token_issuer`
Use the new version of the notifications-python-client. This version no longer adds the req and pay to the claims of the jwt. The change is backward compatible so an older client that sends a jwt with the extra claims will pass authentication. Once all the clients have been updated to not include the extra claims some updates to exclude them from the method signatures will happen as well. 2016-04-14 18:12:33 +01:00			`from notifications_python_client.errors import TokenDecodeError, TokenExpiredError`
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used 2016-06-29 14:15:32 +01:00
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`from app.dao.api_key_dao import get_model_api_keys`
Give specifc error when service doesn’t exist If you sign a token with a service ID that doesn’t exist (say, for example, that you get service ID and API key mixed up) then you get an error saying that “no API keys exist for the service”. This is wrong because the service doesn’t even exist. This commit adds: - code to check if the service does exist - a specific error message for this case The check does mean an extra database call to look up the service. However this only happens _after_ looping through all the API keys. So it shouldn’t have a performance implication for anyone using a valid API key. 2016-09-16 08:44:08 +01:00			`from app.dao.services_dao import dao_fetch_service_by_id`
Added authorization headers for all requests 2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`class AuthError(Exception):`
			`def __init__(self, message, code):`
			`self.message = {"token": [message]}`
Improvements to the tests. Update AuthError with a to_dict_v2 method. 2016-11-01 10:33:34 +00:00			`self.short_message = message`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`self.code = code`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
Improvements to the tests. Update AuthError with a to_dict_v2 method. 2016-11-01 10:33:34 +00:00			`def to_dict_v2(self):`
			`return {'code': self.code,`
			`'message': self.short_message,`
			`'fields': self.message,`
			`'link': 'link to docs'}`

First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`def get_auth_token(req):`
			`auth_header = req.headers.get('Authorization', None)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`if not auth_header:`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError('Unauthorized, authentication token must be provided', 401)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
Make bearer prefix on auth header case insensitive From a support ticket: > the "Bearer" prefix on the auth header is case sensitive. Can this be > made case-insensitive? Sure can 🙃 2016-11-07 10:45:18 +00:00			`auth_scheme = auth_header[:7].title()`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
			`if auth_scheme != 'Bearer ':`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError('Unauthorized, authentication bearer scheme must be used', 401)`

			`return auth_header[7:]`

First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`def requires_auth():`
			`auth_token = get_auth_token(request)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`try:`
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`client = get_token_issuer(auth_token)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`except TokenDecodeError:`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError("Invalid token: signature", 403)`
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))`

Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`try:`
			`api_keys = get_model_api_keys(client)`
			`except DataError:`
			`raise AuthError("Invalid token: service id is not the right data type", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`for api_key in api_keys:`
			`try:`
			`get_decode_errors(auth_token, api_key.unsigned_secret)`
			`except TokenDecodeError:`
			`continue`

			`if api_key.expiry_date:`
Rewrite authentication error messages more English 2016-09-16 08:45:48 +01:00			`raise AuthError("Invalid token: API key revoked", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00
			`_request_ctx_stack.top.api_user = api_key`
			`return`

Give specifc error when service doesn’t exist If you sign a token with a service ID that doesn’t exist (say, for example, that you get service ID and API key mixed up) then you get an error saying that “no API keys exist for the service”. This is wrong because the service doesn’t even exist. This commit adds: - code to check if the service does exist - a specific error message for this case The check does mean an extra database call to look up the service. However this only happens _after_ looping through all the API keys. So it shouldn’t have a performance implication for anyone using a valid API key. 2016-09-16 08:44:08 +01:00			`try:`
			`dao_fetch_service_by_id(client)`
			`except NoResultFound:`
			`raise AuthError("Invalid token: service not found", 403)`

refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`if not api_keys:`
Rewrite authentication error messages more English 2016-09-16 08:45:48 +01:00			`raise AuthError("Invalid token: service has no API keys", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`else:`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`raise AuthError("Invalid token: signature, api token is not valid", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00

			`def handle_admin_key(auth_token, secret):`
			`try:`
			`get_decode_errors(auth_token, secret)`
			`return`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`except TokenDecodeError:`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError("Invalid token: signature", 403)`


			`def get_decode_errors(auth_token, unsigned_secret):`
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`try:`
			`decode_jwt_token(auth_token, unsigned_secret)`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`except TokenExpiredError:`
Fix bug with expired token error response 2016-07-22 15:10:37 +01:00			`raise AuthError("Invalid token: expired", 403)`