* refactor(chalice): upgraded dependencies refactor(crons): upgraded dependencies refactor(alerts): upgraded dependencies * fix(chalice): return error when updating inexistant webhook * feat(chalice): fixed delete webhook response * feat(chalice): limit webhooks name length * feat(chalice): upgraded dependencies feat(alerts): upgraded dependencies feat(crons): upgraded dependencies * fix(chalice): remove urllib3 dependency * feat(chalice): remove FOSS to pydantic v2 * fix(chalice): freeze urllib3 to not have conflicts between boto3 and requests * feat(chalice): refactoring schema in progress * feat(chalice): refactoring schema in progress * feat(chalice): refactoring schema in progress * feat(chalice): refactoring schema in progress feat(chalice): upgraded dependencies * feat(chalice): refactored schema * feat(DB): transfer size support * feat(chalice): support service account * feat(chalice): support service account * fix(chalice): fixed refactored PayloadSchema-name * feat(chalice): path analysis * feat(chalice): support service account 1/2 * feat(DB): timezone support * feat(chalice): upgraded dependencies feat(alerts): upgraded dependencies feat(crons): upgraded dependencies feat(assist): upgraded dependencies feat(sourcemaps): upgraded dependencies * feat(chalice): path analysis schema changes * feat(chalice): path analysis query change * feat(chalice): path analysis query change * feat(chalice): ios replay support * feat(chalice): ios replay support * feat(chalice): path analysis changes * feat(DB): ios events * feat(chalice): upgraded dependencies * feat(chalice): simple hide minor paths * feat(chalice): path analysis density * feat(chalice): session's replay ios events * feat(chalice): fixed typo * feat(chalice): support project's platform * feat(DB): support project's platform * feat(chalice): path analysis EE in progress * feat(chalice): project's platform API * feat(chalice): fixed create project * feat(chalice): EE path analysis in progress * 
feat(chalice): EE path analysis refactor(chalice): support specific database name for clickhouse-client * feat(chalice): upgraded dependencies feat(chalice): path analysis specific event type for startPoint feat(chalice): path analysis specific event type for endPoint feat(chalice): path analysis specific event type for exclude * refactoring(chalice): changed IOS click event type * refactoring(chalice): upgraded dependencies refactoring(alerts): upgraded dependencies refactoring(crons): upgraded dependencies refactoring(peers): upgraded dependencies refactoring(assist): upgraded dependencies refactoring(sourcemaps-reader): upgraded dependencies * refactoring(chalice): upgraded dependencies refactoring(alerts): upgraded dependencies refactoring(crons): upgraded dependencies refactoring(peers): upgraded dependencies refactoring(assist): upgraded dependencies refactoring(sourcemaps-reader): upgraded dependencies * feat(chalice): upgraded dependencies feat(alerts): upgraded dependencies feat(crons): upgraded dependencies * refactoring(chalice): refactored cards refactoring(chalice): upgraded dependencies * feat(chalice): get path-analysis issues list * feat(chalice): changed crash_ios feat(DB): changed crash_ios * fix(chalice): fix crashlooping * feat(chalice): support tap-rage feat(DB): support tap-rage * feat(chalice): Exp search support click-selector feat(DB): CH support click-selector * feat(chalice): refresh token feat(DB): refresh token * feat(chalice): refresh token changes * feat(chalice): fixed authorizer context attribute changes * feat(chalice): fixed refresh token path&age * feat(chalice): fixed refresh token RTR * feat(chalice): EE refresh token feat(DB): EE refresh token * feat(chalice): migrated EE refresh token * feat(chalice): fixed crashing changes * feat(chalice): fixed instant expiration * feat(chalice): fix * feat(chalice): fix * feat(chalice): fix * feat(chalice): refresh token debug * feat(chalice): refresh token debug * feat(chalice): refresh 
token debug * feat(chalice): fix refresh token path * feat(chalice): refresh token on signup * feat(DB): refresh token
import datetime
from typing import Optional
from fastapi import Request
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from starlette import status
from starlette.exceptions import HTTPException
from chalicelib.core import authorizers, users
import schemas
def _get_current_auth_context(request: Request, jwt_payload: dict) -> schemas.CurrentContext:
    """Resolve the user behind ``jwt_payload`` and attach a ``CurrentContext`` to ``request.state``.

    Args:
        request: The incoming request. ``state.authorizer_identity`` is set to ``"jwt"`` and
            ``state.currentContext`` receives the context that is also returned.
        jwt_payload: Decoded JWT claims; only ``userId`` and ``tenantId`` are read,
            each defaulting to ``-1`` when the claim is missing.

    Returns:
        The ``schemas.CurrentContext`` stored on ``request.state.currentContext``.

    Raises:
        HTTPException: 403 when ``users.get`` finds no user for the claims.
    """
    user_id = jwt_payload.get("userId", -1)
    tenant_id = jwt_payload.get("tenantId", -1)

    user = users.get(user_id=user_id, tenant_id=tenant_id)
    if user is None:
        print("JWTAuth: User not found.")
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User not found.")

    request.state.authorizer_identity = "jwt"

    is_service_account = user["serviceAccount"]
    if is_service_account:
        # Service accounts are granted the whole ServicePermissions set; the stored
        # permission list is overwritten in place, not merged.
        user["permissions"] = [permission.value for permission in schemas.ServicePermissions]

    context = schemas.CurrentContext(
        tenantId=tenant_id,
        userId=user_id,
        email=user["email"],
        permissions=user["permissions"],
        serviceAccount=is_service_account,
    )
    request.state.currentContext = context
    return context
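class JWTAuth(HTTPBearer):
    """Bearer-token dependency that authenticates a request and returns its ``CurrentContext``.

    ``__call__`` runs one of two flows:

    * ``/refresh`` and ``/api/refresh`` — the ``refreshToken`` cookie is validated first
      (signature, ``jti`` present, still known to ``users.refresh_auth_exists``), then the
      ``Authorization`` header must carry an access token that verifies with a 3-day
      expiry leeway and names the same ``userId`` as the refresh token.
    * every other path — the ``Authorization`` header must carry an access token that
      verifies, has ``iat`` and ``aud`` claims, and is still known to ``users.auth_exists``.

    A missing or malformed ``Authorization`` header is handled by ``HTTPBearer`` itself
    when ``auto_error`` is true; with ``auto_error=False`` it yields no credentials and
    this class answers 400 "Invalid authorization code.".
    """

    # Paths served by the refresh flow rather than the plain access-token flow.
    _REFRESH_PATHS = ("/refresh", "/api/refresh")

    def __init__(self, auto_error: bool = True):
        """Forward ``auto_error`` to ``HTTPBearer`` (see the class docstring for its effect)."""
        super().__init__(auto_error=auto_error)

    async def __call__(self, request: Request) -> Optional[schemas.CurrentContext]:
        """Authenticate ``request`` and return the resolved ``CurrentContext``.

        Raises:
            HTTPException: 403 when a token is missing, invalid, expired or no longer
                registered; 400 when the scheme is not ``Bearer`` or, with
                ``auto_error=False``, when no credentials were presented at all.
        """
        if request.url.path in self._REFRESH_PATHS:
            context = await self._authenticate_refresh(request)
        else:
            context = await self._authenticate_access(request)
        if context is not None:
            return context

        # Only reachable with auto_error=False: HTTPBearer returned no credentials.
        print("JWTAuth: Invalid authorization code.")
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid authorization code.")

    @staticmethod
    def _forbidden() -> HTTPException:
        """Build the uniform 403 used for every token rejection.

        The message is deliberately the same for "invalid", "expired" and "unknown" so a
        caller cannot tell which check failed.
        """
        return HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid token or expired token.")

    async def _bearer_credentials(self, request: Request) -> Optional[HTTPAuthorizationCredentials]:
        """Read the ``Authorization`` header through ``HTTPBearer``.

        Returns ``None`` when nothing was presented (only possible with ``auto_error=False``).

        Raises:
            HTTPException: 400 when the presented scheme is not exactly ``Bearer``.
        """
        credentials: HTTPAuthorizationCredentials = await super().__call__(request)
        if not credentials:
            return None
        if credentials.scheme != "Bearer":
            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
                                detail="Invalid authentication scheme.")
        return credentials

    async def _authenticate_refresh(self, request: Request) -> Optional[schemas.CurrentContext]:
        """Refresh flow: validate the ``refreshToken`` cookie, then the old access token.

        Returns ``None`` only when no ``Authorization`` credentials were presented.

        Raises:
            HTTPException: 403 when the refresh token is missing, invalid, lacks ``jti``
                or is unknown to the users store, or when the access token does not
                verify (3-day leeway) or belongs to a different ``userId``.
        """
        refresh_token = request.cookies.get("refreshToken")
        jwt_payload = authorizers.jwt_refresh_authorizer(scheme="Bearer", token=refresh_token)
        if jwt_payload is None or jwt_payload.get("jti") is None:
            raise self._forbidden()
        # A refresh token that verifies is still rejected unless its jti is known for
        # this user/tenant — this is the server-side revocation check.
        auth_exists = users.refresh_auth_exists(user_id=jwt_payload.get("userId", -1),
                                                tenant_id=jwt_payload.get("tenantId", -1),
                                                jwt_jti=jwt_payload["jti"])
        if not auth_exists:
            raise self._forbidden()

        credentials = await self._bearer_credentials(request)
        if credentials is None:
            return None
        # The access token may already be expired (up to 3 days), but it must still
        # verify and name the same user as the refresh token.
        old_jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme,
                                                     token=credentials.credentials,
                                                     leeway=datetime.timedelta(days=3))
        if old_jwt_payload is None \
                or old_jwt_payload.get("userId") is None \
                or old_jwt_payload.get("userId") != jwt_payload.get("userId"):
            raise self._forbidden()

        return _get_current_auth_context(request=request, jwt_payload=jwt_payload)

    async def _authenticate_access(self, request: Request) -> Optional[schemas.CurrentContext]:
        """Plain flow: validate the access token from the ``Authorization`` header.

        Returns ``None`` only when no ``Authorization`` credentials were presented.

        Raises:
            HTTPException: 403 when the token does not verify, lacks ``iat`` or ``aud``,
                or is no longer known to ``users.auth_exists``.
        """
        credentials = await self._bearer_credentials(request)
        if credentials is None:
            return None

        jwt_payload = authorizers.jwt_authorizer(scheme=credentials.scheme, token=credentials.credentials)
        # auth_exists is looked up before the iat/aud presence checks (with fallback
        # values) so the rejection report below can name every failing condition.
        auth_exists = jwt_payload is not None \
            and users.auth_exists(user_id=jwt_payload.get("userId", -1),
                                  tenant_id=jwt_payload.get("tenantId", -1),
                                  jwt_iat=jwt_payload.get("iat", 100),
                                  jwt_aud=jwt_payload.get("aud", ""))
        if jwt_payload is None \
                or jwt_payload.get("iat") is None or jwt_payload.get("aud") is None \
                or not auth_exists:
            self._report_rejected_access_token(jwt_payload, auth_exists)
            raise self._forbidden()

        return _get_current_auth_context(request=request, jwt_payload=jwt_payload)

    @staticmethod
    def _report_rejected_access_token(jwt_payload: Optional[dict], auth_exists: bool) -> None:
        """Print why a token that decoded fine was still rejected (debugging aid).

        Nothing is printed for a token that failed to decode at all.
        """
        if jwt_payload is None:
            return
        # Dumps every decoded claim to stdout; worth trimming once the refresh-token
        # rollout has settled, since logs then carry user/tenant identifiers.
        print(jwt_payload)
        if jwt_payload.get("iat") is None:
            print("JWTAuth: iat is None")
        if jwt_payload.get("aud") is None:
            print("JWTAuth: aud is None")
        if not auth_exists:
            print("JWTAuth: not users.auth_exists")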