core/auth/authenticate.py

from functools import wraps
from typing import Optional, Tuple
from datetime import datetime, timedelta
from graphql import GraphQLResolveInfo
from jwt import DecodeError, ExpiredSignatureError
from starlette.authentication import AuthenticationBackend
from starlette.requests import HTTPConnection
from auth.credentials import AuthCredentials, AuthUser
from auth.jwtcodec import JWTCodec
from auth.authorize import Authorize, TokenStorage
from base.exceptions import InvalidToken
from orm.user import User
from services.auth.users import UserStorage
from base.orm import local_session
from settings import JWT_AUTH_HEADER, EMAIL_TOKEN_LIFE_SPAN


class _Authenticate:
	@classmethod
	async def verify(cls, token: str):
		"""
		Rules for a token to be valid.
		1. token format is legal && 
			token exists in redis database && 
			token is not expired
		2. token format is legal &&
			token exists in redis database &&
			token is expired &&
			token is of specified type
		"""
		try:
			payload = JWTCodec.decode(token)
		except ExpiredSignatureError:
			payload = JWTCodec.decode(token, verify_exp=False)
			if not await cls.exists(payload.user_id, token):
				raise InvalidToken("Login expired, please login again")
			if payload.device == "mobile":  # noqa
				"we cat set mobile token to be valid forever"
				return payload
		except DecodeError as e:
			raise InvalidToken("token format error") from e
		else:
			if not await cls.exists(payload.user_id, token):
				raise InvalidToken("Login expired, please login again")
			return payload

	@classmethod
	async def exists(cls, user_id, token):
		return await TokenStorage.exist(f"{user_id}-{token}")


class JWTAuthenticate(AuthenticationBackend):
	async def authenticate(
			self, request: HTTPConnection
	) -> Optional[Tuple[AuthCredentials, AuthUser]]:
		if JWT_AUTH_HEADER not in request.headers:
			return AuthCredentials(scopes=[]), AuthUser(user_id=None)

		token = request.headers[JWT_AUTH_HEADER]
		try:
			payload = await _Authenticate.verify(token)
		except Exception as exc:
			return AuthCredentials(scopes=[], error_message=str(exc)), AuthUser(user_id=None)
		
		if payload is None:
			return AuthCredentials(scopes=[]), AuthUser(user_id=None)

		if not payload.device in ("pc", "mobile"):
			return AuthCredentials(scopes=[]), AuthUser(user_id=None)

		user = await UserStorage.get_user(payload.user_id)
		if not user:
			return AuthCredentials(scopes=[]), AuthUser(user_id=None)

		scopes = await user.get_permission()
		return AuthCredentials(user_id=payload.user_id, scopes=scopes, logged_in=True), user

class EmailAuthenticate:
	@staticmethod
	async def get_email_token(user):
		token = await Authorize.authorize(
			user,
			device="email",
			life_span=EMAIL_TOKEN_LIFE_SPAN
			)
		return token

	@staticmethod
	async def authenticate(token):
		payload = await _Authenticate.verify(token)
		if payload is None:
			raise InvalidToken("invalid token")
		if payload.device != "email":
			raise InvalidToken("invalid token")
		with local_session() as session:
			user = session.query(User).filter_by(id=payload.user_id).first()
			if not user:
				raise Exception("user not exist")
			if not user.emailConfirmed:
				user.emailConfirmed = True
				session.commit()
		auth_token = await Authorize.authorize(user)
		return (auth_token, user)

class ResetPassword:
	@staticmethod
	async def get_reset_token(user):
		exp = datetime.utcnow() + timedelta(seconds=EMAIL_TOKEN_LIFE_SPAN)
		token = JWTCodec.encode(user, exp=exp, device="pc")
		await TokenStorage.save(f"{user.id}-reset-{token}", EMAIL_TOKEN_LIFE_SPAN, True)
		return token

	@staticmethod
	async def verify(token):
		try:
			payload = JWTCodec.decode(token)
		except ExpiredSignatureError:
			raise InvalidToken("Login expired, please login again")
		except DecodeError as e:
			raise InvalidToken("token format error") from e
		else:
			if not await TokenStorage.exist(f"{payload.user_id}-reset-{token}"):
				raise InvalidToken("Login expired, please login again")

		return payload.user_id

def login_required(func):
	@wraps(func)
	async def wrap(parent, info: GraphQLResolveInfo, *args, **kwargs):
		auth: AuthCredentials = info.context["request"].auth
		if not auth.logged_in:
			return {"error" : auth.error_message or "Please login"}
		return await func(parent, info, *args, **kwargs)
	return wrap
fix after merge 2021-07-13 10:14:48 +00:00			`from functools import wraps`
			`from typing import Optional, Tuple`
add reset password api 2022-01-13 12:16:35 +00:00			`from datetime import datetime, timedelta`
fix after merge 2021-07-13 10:14:48 +00:00			`from graphql import GraphQLResolveInfo`
auth fixes 2021-07-14 14:45:31 +00:00			`from jwt import DecodeError, ExpiredSignatureError`
fix after merge 2021-07-13 10:14:48 +00:00			`from starlette.authentication import AuthenticationBackend`
			`from starlette.requests import HTTPConnection`
			`from auth.credentials import AuthCredentials, AuthUser`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`from auth.jwtcodec import JWTCodec`
add reset password api 2022-01-13 12:16:35 +00:00			`from auth.authorize import Authorize, TokenStorage`
refactored 2022-08-11 05:53:14 +00:00			`from base.exceptions import InvalidToken`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`from orm.user import User`
working-on 2022-08-11 09:09:57 +00:00			`from services.auth.users import UserStorage`
refactored 2022-08-11 05:53:14 +00:00			`from base.orm import local_session`
auth via email 2021-08-25 08:31:51 +00:00			`from settings import JWT_AUTH_HEADER, EMAIL_TOKEN_LIFE_SPAN`
fix after merge 2021-07-13 10:14:48 +00:00

			`class _Authenticate:`
updateShout 2021-08-18 16:53:55 +00:00			`@classmethod`
			`async def verify(cls, token: str):`
			`"""`
			`Rules for a token to be valid.`
			`1. token format is legal &&`
			`token exists in redis database &&`
			`token is not expired`
			`2. token format is legal &&`
			`token exists in redis database &&`
			`token is expired &&`
			`token is of specified type`
			`"""`
			`try:`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`payload = JWTCodec.decode(token)`
updateShout 2021-08-18 16:53:55 +00:00			`except ExpiredSignatureError:`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`payload = JWTCodec.decode(token, verify_exp=False)`
updateShout 2021-08-18 16:53:55 +00:00			`if not await cls.exists(payload.user_id, token):`
			`raise InvalidToken("Login expired, please login again")`
			`if payload.device == "mobile": # noqa`
			`"we cat set mobile token to be valid forever"`
			`return payload`
			`except DecodeError as e:`
			`raise InvalidToken("token format error") from e`
			`else:`
			`if not await cls.exists(payload.user_id, token):`
			`raise InvalidToken("Login expired, please login again")`
			`return payload`
fix after merge 2021-07-13 10:14:48 +00:00
updateShout 2021-08-18 16:53:55 +00:00			`@classmethod`
			`async def exists(cls, user_id, token):`
add reset password api 2022-01-13 12:16:35 +00:00			`return await TokenStorage.exist(f"{user_id}-{token}")`
fix after merge 2021-07-13 10:14:48 +00:00

			`class JWTAuthenticate(AuthenticationBackend):`
updateShout 2021-08-18 16:53:55 +00:00			`async def authenticate(`
			`self, request: HTTPConnection`
			`) -> Optional[Tuple[AuthCredentials, AuthUser]]:`
			`if JWT_AUTH_HEADER not in request.headers:`
			`return AuthCredentials(scopes=[]), AuthUser(user_id=None)`
fix after merge 2021-07-13 10:14:48 +00:00
updateShout 2021-08-18 16:53:55 +00:00			`token = request.headers[JWT_AUTH_HEADER]`
			`try:`
			`payload = await _Authenticate.verify(token)`
			`except Exception as exc:`
			`return AuthCredentials(scopes=[], error_message=str(exc)), AuthUser(user_id=None)`

			`if payload is None:`
			`return AuthCredentials(scopes=[]), AuthUser(user_id=None)`
fix after merge 2021-07-13 10:14:48 +00:00
confirm and auth email 2021-08-26 09:24:46 +00:00			`if not payload.device in ("pc", "mobile"):`
			`return AuthCredentials(scopes=[]), AuthUser(user_id=None)`

add UserStorage 2021-11-24 12:56:09 +00:00			`user = await UserStorage.get_user(payload.user_id)`
default user role; updateProfile method 2021-12-08 12:51:30 +00:00			`if not user:`
			`return AuthCredentials(scopes=[]), AuthUser(user_id=None)`

add RoleStorage; add mutations for community 2021-11-24 15:53:01 +00:00			`scopes = await user.get_permission()`
add UserStorage 2021-11-24 12:56:09 +00:00			`return AuthCredentials(user_id=payload.user_id, scopes=scopes, logged_in=True), user`
fix after merge 2021-07-13 10:14:48 +00:00
auth via email 2021-08-25 08:31:51 +00:00			`class EmailAuthenticate:`
			`@staticmethod`
			`async def get_email_token(user):`
			`token = await Authorize.authorize(`
			`user,`
			`device="email",`
			`life_span=EMAIL_TOKEN_LIFE_SPAN`
			`)`
			`return token`

			`@staticmethod`
			`async def authenticate(token):`
			`payload = await _Authenticate.verify(token)`
			`if payload is None:`
add email auth endpoint 2021-08-25 13:39:24 +00:00			`raise InvalidToken("invalid token")`
auth via email 2021-08-25 08:31:51 +00:00			`if payload.device != "email":`
add email auth endpoint 2021-08-25 13:39:24 +00:00			`raise InvalidToken("invalid token")`
			`with local_session() as session:`
			`user = session.query(User).filter_by(id=payload.user_id).first()`
confirm and auth email 2021-08-26 09:24:46 +00:00			`if not user:`
			`raise Exception("user not exist")`
			`if not user.emailConfirmed:`
			`user.emailConfirmed = True`
			`session.commit()`
add email auth endpoint 2021-08-25 13:39:24 +00:00			`auth_token = await Authorize.authorize(user)`
			`return (auth_token, user)`
fix after merge 2021-07-13 10:14:48 +00:00
add reset password api 2022-01-13 12:16:35 +00:00			`class ResetPassword:`
			`@staticmethod`
			`async def get_reset_token(user):`
			`exp = datetime.utcnow() + timedelta(seconds=EMAIL_TOKEN_LIFE_SPAN)`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`token = JWTCodec.encode(user, exp=exp, device="pc")`
add reset password api 2022-01-13 12:16:35 +00:00			`await TokenStorage.save(f"{user.id}-reset-{token}", EMAIL_TOKEN_LIFE_SPAN, True)`
			`return token`

			`@staticmethod`
			`async def verify(token):`
			`try:`
wip refactoring: reactions, storages isolated 2022-07-21 11:58:50 +00:00			`payload = JWTCodec.decode(token)`
add reset password api 2022-01-13 12:16:35 +00:00			`except ExpiredSignatureError:`
			`raise InvalidToken("Login expired, please login again")`
			`except DecodeError as e:`
			`raise InvalidToken("token format error") from e`
			`else:`
			`if not await TokenStorage.exist(f"{payload.user_id}-reset-{token}"):`
			`raise InvalidToken("Login expired, please login again")`

			`return payload.user_id`

fix after merge 2021-07-13 10:14:48 +00:00			`def login_required(func):`
updateShout 2021-08-18 16:53:55 +00:00			`@wraps(func)`
			`async def wrap(parent, info: GraphQLResolveInfo, args, *kwargs):`
			`auth: AuthCredentials = info.context["request"].auth`
			`if not auth.logged_in:`
			`return {"error" : auth.error_message or "Please login"}`
			`return await func(parent, info, args, *kwargs)`
			`return wrap`