darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-17 10:42:25 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
ecd4b76080a24ddfdde7003efe14a62d5a50c49c
notifications-api/app/authentication/auth.py
Rebecca Law ecd4b76080 Fix bug with expired token error response
2016-07-22 15:10:37 +01:00

70 lines
2.1 KiB
Python
Raw Blame History

from flask import request, jsonify, _request_ctx_stack, current_app
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError
from app.dao.api_key_dao import get_model_api_keys
class AuthError(Exception):
def __init__(self, message, code):
self.message = {"token": [message]}
self.code = code
def get_auth_token(req):
auth_header = req.headers.get('Authorization', None)
if not auth_header:
raise AuthError('Unauthorized, authentication token must be provided', 401)
auth_scheme = auth_header[:7]
if auth_scheme != 'Bearer ':
raise AuthError('Unauthorized, authentication bearer scheme must be used', 401)
return auth_header[7:]
def requires_auth():
auth_token = get_auth_token(request)
try:
client = get_token_issuer(auth_token)
except TokenDecodeError:
raise AuthError("Invalid token: signature", 403)
if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))
api_keys = get_model_api_keys(client)
for api_key in api_keys:
try:
get_decode_errors(auth_token, api_key.unsigned_secret)
except TokenDecodeError:
continue
if api_key.expiry_date:
raise AuthError("Invalid token: revoked", 403)
_request_ctx_stack.top.api_user = api_key
return
if not api_keys:
raise AuthError("Invalid token: no api keys for service", 403)
else:
raise AuthError("Invalid token: signature", 403)
def handle_admin_key(auth_token, secret):
try:
get_decode_errors(auth_token, secret)
return
except TokenDecodeError as e:
raise AuthError("Invalid token: signature", 403)
def get_decode_errors(auth_token, unsigned_secret):
try:
decode_jwt_token(auth_token, unsigned_secret)
except TokenExpiredError as e:
raise AuthError("Invalid token: expired", 403)
Reference in New Issue View Git Blame Copy Permalink