271e6e1f26
* refactor(chalice): upgraded dependencies * refactor(chalice): upgraded dependencies feat(chalice): support heatmaps * fix(chalice): fixed Math-operators validation refactor(chalice): search for sessions that have events for heatmaps * refactor(chalice): search for sessions that have at least 1 location event for heatmaps * refactor(chalice): upgraded dependencies * refactor(chalice): upgraded dependencies feat(chalice): support heatmaps * fix(chalice): fixed Math-operators validation refactor(chalice): search for sessions that have events for heatmaps * refactor(chalice): search for sessions that have at least 1 location event for heatmaps * refactor(chalice): upgraded dependencies refactor(crons): upgraded dependencies refactor(alerts): upgraded dependencies * feat(chalice): get top 10 values for autocomplete CH * refactor(chalice): cleaned code refactor(chalice): upgraded dependencies refactor(alerts): upgraded dependencies refactor(crons): upgraded dependencies * feat(chalice): autocomplete return top 10 with stats * fix(chalice): fixed autocomplete top 10 meta-filters * feat(chalice): spot login/logout/refresh * feat(chalice): spot only allow authorized endpoints feat(chalice): spot get Slack channels * refactor(chalice): refactored JWT authorizer refactor(chalice): enhanced Spot endpoint access control
155 lines
8.3 KiB
Python
155 lines
8.3 KiB
Python
import datetime
|
|
import logging
|
|
from typing import Optional
|
|
|
|
from decouple import config
|
|
from fastapi import Request
|
|
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
|
|
from starlette import status
|
|
from starlette.exceptions import HTTPException
|
|
|
|
import schemas
|
|
from chalicelib.core import authorizers, users, spot
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def _get_current_auth_context(request: Request, jwt_payload: dict) -> schemas.CurrentContext:
|
|
user = users.get(user_id=jwt_payload.get("userId", -1), tenant_id=jwt_payload.get("tenantId", -1))
|
|
if user is None:
|
|
logger.warning("User not found.")
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User not found.")
|
|
request.state.authorizer_identity = "jwt"
|
|
request.state.currentContext = schemas.CurrentContext(tenantId=jwt_payload.get("tenantId", -1),
|
|
userId=jwt_payload.get("userId", -1),
|
|
email=user["email"],
|
|
role=user["role"])
|
|
return request.state.currentContext
|
|
|
|
|
|
async def _process_refresh_call(request: Request) -> schemas.CurrentContext:
|
|
if "refreshToken" not in request.cookies:
|
|
logger.warning("Missing refreshToken cookie.")
|
|
jwt_payload = None
|
|
else:
|
|
jwt_payload = authorizers.jwt_refresh_authorizer(scheme="Bearer", token=request.cookies["refreshToken"])
|
|
|
|
if jwt_payload is None or jwt_payload.get("jti") is None:
|
|
logger.warning("Null refreshToken's payload, or null JTI.")
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid refresh-token or expired refresh-token.")
|
|
auth_exists = users.refresh_auth_exists(user_id=jwt_payload.get("userId", -1),
|
|
jwt_jti=jwt_payload["jti"])
|
|
if not auth_exists:
|
|
logger.warning("refreshToken's user not found.")
|
|
logger.warning(jwt_payload)
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid refresh-token or expired refresh-token.")
|
|
|
|
credentials: HTTPAuthorizationCredentials = await super(JWTAuth, self).__call__(request)
|
|
if credentials:
|
|
if not credentials.scheme == "Bearer":
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
|
|
detail="Invalid authentication scheme.")
|
|
old_jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials,
|
|
leeway=datetime.timedelta(
|
|
days=config("JWT_LEEWAY_DAYS", cast=int, default=3)
|
|
))
|
|
if old_jwt_payload is None \
|
|
or old_jwt_payload.get("userId") is None \
|
|
or old_jwt_payload.get("userId") != jwt_payload.get("userId"):
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
|
|
|
|
return _get_current_auth_context(request=request, jwt_payload=jwt_payload)
|
|
|
|
logger.warning("Invalid authorization code (refresh logic).")
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid authorization code for refresh.")
|
|
|
|
|
|
async def _process_spot_refresh_call(request: Request) -> schemas.CurrentContext:
|
|
if "refreshToken" not in request.cookies:
|
|
logger.warning("Missing sopt-refreshToken cookie.")
|
|
jwt_payload = None
|
|
else:
|
|
jwt_payload = authorizers.jwt_refresh_authorizer(scheme="Bearer", token=request.cookies["refreshToken"])
|
|
|
|
if jwt_payload is None or jwt_payload.get("jti") is None:
|
|
logger.warning("Null spot-refreshToken's payload, or null JTI.")
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid spot-refresh-token or expired refresh-token.")
|
|
auth_exists = spot.refresh_auth_exists(user_id=jwt_payload.get("userId", -1),
|
|
jwt_jti=jwt_payload["jti"])
|
|
if not auth_exists:
|
|
logger.warning("spot-refreshToken's user not found.")
|
|
logger.warning(jwt_payload)
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid spot-refresh-token or expired refresh-token.")
|
|
|
|
credentials: HTTPAuthorizationCredentials = await super(JWTAuth, self).__call__(request)
|
|
if credentials:
|
|
if not credentials.scheme == "Bearer":
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
|
|
detail="Invalid spot-authentication scheme.")
|
|
old_jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials,
|
|
leeway=datetime.timedelta(
|
|
days=config("JWT_LEEWAY_DAYS", cast=int, default=3)
|
|
))
|
|
if old_jwt_payload is None \
|
|
or old_jwt_payload.get("userId") is None \
|
|
or old_jwt_payload.get("userId") != jwt_payload.get("userId"):
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Invalid spot-token or expired token.")
|
|
|
|
return _get_current_auth_context(request=request, jwt_payload=jwt_payload)
|
|
|
|
logger.warning("Invalid authorization code (spot-refresh logic).")
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid authorization code for spot-refresh.")
|
|
|
|
|
|
class JWTAuth(HTTPBearer):
|
|
def __init__(self, auto_error: bool = True):
|
|
super(JWTAuth, self).__init__(auto_error=auto_error)
|
|
|
|
async def __call__(self, request: Request) -> Optional[schemas.CurrentContext]:
|
|
if request.url.path in ["/refresh", "/api/refresh"]:
|
|
return await _process_refresh_call(request)
|
|
|
|
elif request.url.path in ["/spot/refresh", "/spot/api/refresh"]:
|
|
return await _process_refresh_call(request)
|
|
|
|
else:
|
|
credentials: HTTPAuthorizationCredentials = await super(JWTAuth, self).__call__(request)
|
|
if credentials:
|
|
if not credentials.scheme == "Bearer":
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
|
|
detail="Invalid authentication scheme.")
|
|
jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials)
|
|
auth_exists = jwt_payload is not None \
|
|
and users.auth_exists(user_id=jwt_payload.get("userId", -1),
|
|
jwt_iat=jwt_payload.get("iat", 100))
|
|
if jwt_payload is None \
|
|
or jwt_payload.get("iat") is None or jwt_payload.get("aud") is None \
|
|
or not auth_exists:
|
|
if jwt_payload is not None:
|
|
logger.debug(jwt_payload)
|
|
if jwt_payload.get("iat") is None:
|
|
logger.debug("iat is None")
|
|
if jwt_payload.get("aud") is None:
|
|
logger.debug("aud is None")
|
|
if not auth_exists:
|
|
logger.warning("not users.auth_exists")
|
|
|
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")
|
|
|
|
if jwt_payload.get("aud", "").startswith("spot") and not request.url.path.startswith("/spot"):
|
|
# Allow access to spot endpoints only
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Unauthorized access (spot).")
|
|
elif jwt_payload.get("aud", "").startswith("front") and request.url.path.startswith("/spot"):
|
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Unauthorized access endpoint reserved for Spot only.")
|
|
|
|
return _get_current_auth_context(request=request, jwt_payload=jwt_payload)
|
|
|
|
logger.warning("Invalid authorization code.")
|
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid authorization code.")
|