darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-12 00:02:36 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
dbf70ec1ebf2458cfc93ed0cdec3f3cbca288e07
notifications-api/app/main/authentication/auth.py
Martyn Inglis dbf70ec1eb First pass at implementing API authentication using new JWT tokens 
- NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented
- prior to rolling out we need to store secrets properly

Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client)

- Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00

52 lines
1.6 KiB
Python
Raw Blame History

from flask import request, jsonify, _request_ctx_stack
from client.jwt import decode_jwt_token, get_token_issuer
from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
def authentication_response(message, code):
return jsonify(
error=message
), code
def requires_auth():
auth_header = request.headers.get('Authorization', None)
if not auth_header:
return authentication_response('Unauthorized, authentication token must be provided', 401)
auth_scheme = auth_header[:7]
if auth_scheme != 'Bearer ':
return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)
try:
auth_token = auth_header[7:]
api_client = fetch_client(get_token_issuer(auth_token))
if api_client is None:
authentication_response("Invalid credentials", 403)
decode_jwt_token(
auth_token,
api_client['secret'],
request.method,
request.path,
request.data.decode() if request.data else None
)
_request_ctx_stack.top.api_user = api_client
except TokenRequestError:
return authentication_response("Invalid token: request", 403)
except TokenExpiredError:
return authentication_response("Invalid token: expired", 403)
except TokenPayloadError:
return authentication_response("Invalid token: payload", 403)
except TokenDecodeError:
return authentication_response("Invalid token: signature", 403)
def fetch_client(client):
return {
"client": client,
"secret": "secret"
}
Reference in New Issue View Git Blame Copy Permalink