app/authentication/auth.py

from flask import request, _request_ctx_stack, current_app, g
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError, TokenIssuerError
from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound

from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys


class AuthError(Exception):
    def __init__(self, message, code):
        self.message = {"token": [message]}
        self.short_message = message
        self.code = code

    def to_dict_v2(self):
        return {
            'status_code': self.code,
            "errors": [
                {
                    "error": "AuthError",
                    "message": self.short_message
                }
            ]
        }


def get_auth_token(req):
    auth_header = req.headers.get('Authorization', None)
    if not auth_header:
        raise AuthError('Unauthorized, authentication token must be provided', 401)

    auth_scheme = auth_header[:7].title()

    if auth_scheme != 'Bearer ':
        raise AuthError('Unauthorized, authentication bearer scheme must be used', 401)

    return auth_header[7:]


def requires_no_auth():
    pass


def requires_admin_auth():
    auth_token = get_auth_token(request)
    client = __get_token_issuer(auth_token)

    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
        return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))
    else:
        raise AuthError('Unauthorized, admin authentication token required', 401)


def requires_auth():
    auth_token = get_auth_token(request)
    client = __get_token_issuer(auth_token)

    try:
        service = dao_fetch_service_by_id_with_api_keys(client)
    except DataError:
        raise AuthError("Invalid token: service id is not the right data type", 403)
    except NoResultFound:
        raise AuthError("Invalid token: service not found", 403)

    if not service.api_keys:
        raise AuthError("Invalid token: service has no API keys", 403)

    if not service.active:
        raise AuthError("Invalid token: service is archived", 403)

    for api_key in service.api_keys:
        try:
            get_decode_errors(auth_token, api_key.secret)
        except TokenDecodeError:
            continue

        if api_key.expiry_date:
            raise AuthError("Invalid token: API key revoked", 403)

        g.service_id = api_key.service_id
        _request_ctx_stack.top.authenticated_service = service
        _request_ctx_stack.top.api_user = api_key

        return
    else:
        # service has API keys, but none matching the one the user provided
        raise AuthError("Invalid token: signature, api token is not valid", 403)


def __get_token_issuer(auth_token):
    try:
        client = get_token_issuer(auth_token)
    except TokenIssuerError:
        raise AuthError("Invalid token: iss field not provided", 403)
    except TokenDecodeError as e:
        raise AuthError("Invalid token: signature, api token is not valid", 403)
    return client


def handle_admin_key(auth_token, secret):
    try:
        get_decode_errors(auth_token, secret)
        return
    except TokenDecodeError as e:
        raise AuthError("Invalid token: signature, api token is not valid", 403)


def get_decode_errors(auth_token, unsigned_secret):
    try:
        decode_jwt_token(auth_token, unsigned_secret)
    except TokenExpiredError:
        raise AuthError("Invalid token: expired, check that your system clock is accurate", 403)
Minor change in how we inteprete Incoming IP 2017-09-13 17:23:23 +01:00			`from flask import request, _request_ctx_stack, current_app, g`
bumped client version 2016-02-09 18:48:02 +00:00			`from notifications_python_client.authentication import decode_jwt_token, get_token_issuer`
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added 2016-11-03 17:05:25 +00:00			`from notifications_python_client.errors import TokenDecodeError, TokenExpiredError, TokenIssuerError`
Minor change in how we inteprete Incoming IP 2017-09-13 17:23:23 +01:00			`from sqlalchemy.exc import DataError`
			`from sqlalchemy.orm.exc import NoResultFound`
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used 2016-06-29 14:15:32 +01:00
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path. 2017-05-05 15:19:57 +01:00			`from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys`
Added authorization headers for all requests 2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`class AuthError(Exception):`
			`def __init__(self, message, code):`
			`self.message = {"token": [message]}`
Improvements to the tests. Update AuthError with a to_dict_v2 method. 2016-11-01 10:33:34 +00:00			`self.short_message = message`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`self.code = code`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
Improvements to the tests. Update AuthError with a to_dict_v2 method. 2016-11-01 10:33:34 +00:00			`def to_dict_v2(self):`
Use status_code in error response. Remove code. 2016-11-02 14:58:39 +00:00			`return {`
			`'status_code': self.code,`
update V2 error response to {status_code: 403, errors: [error: AuthError, message: token has expired}] } 2016-11-09 14:56:54 +00:00			`"errors": [`
			`{`
			`"error": "AuthError",`
			`"message": self.short_message`
			`}`
			`]`
Use status_code in error response. Remove code. 2016-11-02 14:58:39 +00:00			`}`
Improvements to the tests. Update AuthError with a to_dict_v2 method. 2016-11-01 10:33:34 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`def get_auth_token(req):`
			`auth_header = req.headers.get('Authorization', None)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`if not auth_header:`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError('Unauthorized, authentication token must be provided', 401)`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
Make bearer prefix on auth header case insensitive From a support ticket: > the "Bearer" prefix on the auth header is case sensitive. Can this be > made case-insensitive? Sure can 🙃 2016-11-07 10:45:18 +00:00			`auth_scheme = auth_header[:7].title()`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
			`if auth_scheme != 'Bearer ':`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`raise AuthError('Unauthorized, authentication bearer scheme must be used', 401)`

			`return auth_header[7:]`

First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user 2017-03-16 18:15:49 +00:00			`def requires_no_auth():`
			`pass`


Testing out adding a admin authentication requirement per blueprint. 2017-03-15 16:52:44 +00:00			`def requires_admin_auth():`
			`auth_token = get_auth_token(request)`
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user 2017-03-16 18:15:49 +00:00			`client = __get_token_issuer(auth_token)`
Testing out adding a admin authentication requirement per blueprint. 2017-03-15 16:52:44 +00:00
			`if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
			`g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')`
			`return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))`
			`else:`
			`raise AuthError('Unauthorized, admin authentication token required', 401)`


refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`def requires_auth():`
			`auth_token = get_auth_token(request)`
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user 2017-03-16 18:15:49 +00:00			`client = __get_token_issuer(auth_token)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`try:`
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path. 2017-05-05 15:19:57 +01:00			`service = dao_fetch_service_by_id_with_api_keys(client)`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`except DataError:`
			`raise AuthError("Invalid token: service id is not the right data type", 403)`
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests 2016-11-10 11:07:12 +00:00			`except NoResultFound:`
			`raise AuthError("Invalid token: service not found", 403)`

			`if not service.api_keys:`
			`raise AuthError("Invalid token: service has no API keys", 403)`

			`if not service.active:`
			`raise AuthError("Invalid token: service is archived", 403)`

			`for api_key in service.api_keys:`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`try:`
Refactor ApiKeys.secret and ServiceInboundApi.bearer_token to use the same encryption method and get rid of the duplicate code. 2017-06-19 14:32:22 +01:00			`get_decode_errors(auth_token, api_key.secret)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`except TokenDecodeError:`
			`continue`

			`if api_key.expiry_date:`
Rewrite authentication error messages more English 2016-09-16 08:45:48 +01:00			`raise AuthError("Invalid token: API key revoked", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00
Records the service ID if present, or if an ADMIN api call the string admin-api. this is used later in logging of requests. 2016-11-30 10:59:55 +00:00			`g.service_id = api_key.service_id`
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path. 2017-05-05 15:19:57 +01:00			`_request_ctx_stack.top.authenticated_service = service`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`_request_ctx_stack.top.api_user = api_key`
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path. 2017-05-05 15:19:57 +01:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`return`
			`else:`
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests 2016-11-10 11:07:12 +00:00			`# service has API keys, but none matching the one the user provided`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`raise AuthError("Invalid token: signature, api token is not valid", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00

Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user 2017-03-16 18:15:49 +00:00			`def __get_token_issuer(auth_token):`
			`try:`
			`client = get_token_issuer(auth_token)`
			`except TokenIssuerError:`
			`raise AuthError("Invalid token: iss field not provided", 403)`
			`except TokenDecodeError as e:`
			`raise AuthError("Invalid token: signature, api token is not valid", 403)`
			`return client`


refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00			`def handle_admin_key(auth_token, secret):`
			`try:`
			`get_decode_errors(auth_token, secret)`
			`return`
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added 2016-11-03 17:05:25 +00:00			`except TokenDecodeError as e:`
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user 2017-03-16 18:15:49 +00:00			`raise AuthError("Invalid token: signature, api token is not valid", 403)`
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function 2016-06-29 17:37:20 +01:00

			`def get_decode_errors(auth_token, unsigned_secret):`
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py 2016-06-29 16:33:02 +01:00			`try:`
			`decode_jwt_token(auth_token, unsigned_secret)`
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid. 2016-09-23 11:07:49 +01:00			`except TokenExpiredError:`
Give a more helpful error when token has expired We’ve seen quite a few developers encounter the `Invalid token: expired` error message when they’re getting started using the Notify API. When this happens they either raise a support ticket or ask for help on Slack. In every case this has been because the clock on their machine/environment/container isn’t accurate. The error message doesn’t help them figure this out. This commit adds extra detail to the error message so they can fix the problem without having to come to us for help. 2017-01-17 10:44:00 +00:00			`raise AuthError("Invalid token: expired, check that your system clock is accurate", 403)`