First pass at implementing API authentication using new JWT tokens

- NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2025-12-15 09:42:38 -05:00 · 2015-12-15 10:47:20 +00:00
parent 6a3bbbf890
commit dbf70ec1eb
6 changed files with 190 additions and 172 deletions
--- a/app/main/authentication/auth.py
+++ b/app/main/authentication/auth.py
@@ -0,0 +1,51 @@
+from flask import request, jsonify, _request_ctx_stack
+from client.jwt import decode_jwt_token, get_token_issuer
+from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
+
+
+def authentication_response(message, code):
+    return jsonify(
+        error=message
+    ), code
+
+
+def requires_auth():
+    auth_header = request.headers.get('Authorization', None)
+    if not auth_header:
+        return authentication_response('Unauthorized, authentication token must be provided', 401)
+
+    auth_scheme = auth_header[:7]
+
+    if auth_scheme != 'Bearer ':
+        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)
+
+    try:
+        auth_token = auth_header[7:]
+        api_client = fetch_client(get_token_issuer(auth_token))
+
+        if api_client is None:
+            authentication_response("Invalid credentials", 403)
+
+        decode_jwt_token(
+            auth_token,
+            api_client['secret'],
+            request.method,
+            request.path,
+            request.data.decode() if request.data else None
+        )
+        _request_ctx_stack.top.api_user = api_client
+    except TokenRequestError:
+        return authentication_response("Invalid token: request", 403)
+    except TokenExpiredError:
+        return authentication_response("Invalid token: expired", 403)
+    except TokenPayloadError:
+        return authentication_response("Invalid token: payload", 403)
+    except TokenDecodeError:
+        return authentication_response("Invalid token: signature", 403)
+
+
+def fetch_client(client):
+    return {
+        "client": client,
+        "secret": "secret"
+    }