mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-11 15:52:21 -05:00
61 lines
2.0 KiB
Python
61 lines
2.0 KiB
Python
from flask import request, jsonify, _request_ctx_stack
|
|
from client.authentication import decode_jwt_token, get_token_issuer
|
|
from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
|
|
|
|
from app.dao.api_key_dao import get_unsigned_secret
|
|
|
|
|
|
def authentication_response(message, code):
|
|
return jsonify(
|
|
error=message
|
|
), code
|
|
|
|
|
|
def requires_auth():
|
|
auth_header = request.headers.get('Authorization', None)
|
|
if not auth_header:
|
|
return authentication_response('Unauthorized, authentication token must be provided', 401)
|
|
|
|
auth_scheme = auth_header[:7]
|
|
|
|
if auth_scheme != 'Bearer ':
|
|
return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)
|
|
|
|
try:
|
|
auth_token = auth_header[7:]
|
|
api_client = fetch_client(get_token_issuer(auth_token))
|
|
|
|
if api_client is None:
|
|
authentication_response("Invalid credentials", 403)
|
|
|
|
decode_jwt_token(
|
|
auth_token,
|
|
api_client['secret'],
|
|
request.method,
|
|
request.path,
|
|
request.data.decode() if request.data else None
|
|
)
|
|
_request_ctx_stack.top.api_user = api_client
|
|
except TokenRequestError:
|
|
return authentication_response("Invalid token: request", 403)
|
|
except TokenExpiredError:
|
|
return authentication_response("Invalid token: expired", 403)
|
|
except TokenPayloadError:
|
|
return authentication_response("Invalid token: payload", 403)
|
|
except TokenDecodeError:
|
|
return authentication_response("Invalid token: signature", 403)
|
|
|
|
|
|
def fetch_client(client):
|
|
from flask import current_app
|
|
if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
|
|
return {
|
|
"client": client,
|
|
"secret": current_app.config.get('ADMIN_CLIENT_SECRET')
|
|
}
|
|
else:
|
|
return {
|
|
"client": client,
|
|
"secret": get_unsigned_secret(client)
|
|
}
|