merged-isolated-core

2023-10-23 17:47:11 +03:00
parent b675188013
commit bf241a8fbd
56 changed files with 1683 additions and 2784 deletions
--- a/auth/authenticate.py
+++ b/auth/authenticate.py
@@ -1,95 +0,0 @@
-from functools import wraps
-from typing import Optional, Tuple
-
-from graphql.type import GraphQLResolveInfo
-from sqlalchemy.orm import joinedload, exc
-from starlette.authentication import AuthenticationBackend
-from starlette.requests import HTTPConnection
-
-from auth.credentials import AuthCredentials, AuthUser
-from services.db import local_session
-from orm.user import User, Role
-
-from settings import SESSION_TOKEN_HEADER
-from auth.tokenstorage import SessionToken
-from services.exceptions import OperationNotAllowed
-
-
-class JWTAuthenticate(AuthenticationBackend):
-    async def authenticate(
-        self, request: HTTPConnection
-    ) -> Optional[Tuple[AuthCredentials, AuthUser]]:
-        if SESSION_TOKEN_HEADER not in request.headers:
-            return AuthCredentials(scopes={}), AuthUser(user_id=None, username="")
-
-        token = request.headers.get(SESSION_TOKEN_HEADER)
-        if not token:
-            print("[auth.authenticate] no token in header %s" % SESSION_TOKEN_HEADER)
-            return AuthCredentials(scopes={}, error_message=str("no token")), AuthUser(
-                user_id=None, username=""
-            )
-        
-        token = token.split(" ")[-1]
-
-        if len(token.split(".")) > 1:
-            payload = await SessionToken.verify(token)
-
-            with local_session() as session:
-                try:
-                    user = (
-                        session.query(User)
-                        .options(
-                            joinedload(User.roles).options(
-                                joinedload(Role.permissions)
-                            ),
-                            joinedload(User.ratings),
-                        )
-                        .filter(User.id == payload.user_id)
-                        .one()
-                    )
-
-                    scopes = {}  # TODO: integrate await user.get_permission()
-
-                    return (
-                        AuthCredentials(
-                            user_id=payload.user_id, scopes=scopes, logged_in=True
-                        ),
-                        AuthUser(user_id=user.id, username=""),
-                    )
-                except exc.NoResultFound:
-                    pass
-
-        return AuthCredentials(scopes={}, error_message=str("Invalid token")), AuthUser(
-            user_id=None, username=""
-        )
-
-
-def login_required(func):
-    @wraps(func)
-    async def wrap(parent, info: GraphQLResolveInfo, *args, **kwargs):
-        # print('[auth.authenticate] login required for %r with info %r' % (func, info))  # debug only
-        auth: AuthCredentials = info.context["request"].auth
-        # print(auth)
-        if not auth or not auth.logged_in:
-            # raise Unauthorized(auth.error_message or "Please login")
-            return {"error": "Please login first"}
-        return await func(parent, info, *args, **kwargs)
-
-    return wrap
-
-
-def permission_required(resource, operation, func):
-    @wraps(func)
-    async def wrap(parent, info: GraphQLResolveInfo, *args, **kwargs):
-        print(
-            "[auth.authenticate] permission_required for %r with info %r" % (func, info)
-        )  # debug only
-        auth: AuthCredentials = info.context["request"].auth
-        if not auth.logged_in:
-            raise OperationNotAllowed(auth.error_message or "Please login")
-
-        # TODO: add actual check permission logix here
-
-        return await func(parent, info, *args, **kwargs)
-
-    return wrap
--- a/auth/credentials.py
+++ b/auth/credentials.py
@@ -1,45 +0,0 @@
-from typing import List, Optional, Text
-
-from pydantic import BaseModel
-
-# from base.exceptions import Unauthorized
-
-
-class Permission(BaseModel):
-    name: Text
-
-
-class AuthCredentials(BaseModel):
-    user_id: Optional[int] = None
-    scopes: Optional[dict] = {}
-    logged_in: bool = False
-    error_message: str = ""
-
-    @property
-    def is_admin(self):
-        # TODO: check admin logix
-        return True
-
-    async def permissions(self) -> List[Permission]:
-        if self.user_id is None:
-            # raise Unauthorized("Please login first")
-            return {
-                "error": "Please login first"
-            }
-        else:
-            # TODO: implement permissions logix
-            print(self.user_id)
-        return NotImplemented()
-
-
-class AuthUser(BaseModel):
-    user_id: Optional[int]
-    username: Optional[str]
-
-    @property
-    def is_authenticated(self) -> bool:
-        return self.user_id is not None
-
-    @property
-    def display_id(self) -> int:
-        return self.user_id
--- a/auth/email.py
+++ b/auth/email.py
@@ -1,27 +0,0 @@
-import httpx
-from settings import MAILGUN_API_KEY, MAILGUN_DOMAIN
-
-api_url = f"https://api.mailgun.net/v3/{MAILGUN_DOMAIN or 'discours.io'}/messages"
-noreply = f"discours.io <noreply@{MAILGUN_DOMAIN or 'discours.io'}>"
-lang_subject = {"ru": "Подтверждение почты", "en": "Confirm email"}
-
-async def send_auth_email(user, token, lang="ru", template="email_confirmation"):
-    try:
-        to = f"{user.name} <{user.email}>"
-        if lang not in ["ru", "en"]:
-            lang = "ru"
-        subject = lang_subject.get(lang, lang_subject["en"])
-        template = template + "_" + lang
-        payload = {
-            "from": noreply,
-            "to": to,
-            "subject": subject,
-            "template": template,
-            "h:X-Mailgun-Variables": f'{{ "token": "{token}" }}',
-        }
-        print(f"[auth.email] payload: {payload}")
-        async with httpx.AsyncClient() as client:
-            response = await client.post(api_url, auth=("api", MAILGUN_API_KEY), data=payload)
-            response.raise_for_status()
-    except Exception as e:
-        print(e)
--- a/auth/identity.py
+++ b/auth/identity.py
@@ -1,108 +0,0 @@
-from binascii import hexlify
-from hashlib import sha256
-
-from jwt import DecodeError, ExpiredSignatureError
-from passlib.hash import bcrypt
-from sqlalchemy import or_
-
-from auth.jwtcodec import JWTCodec
-from auth.tokenstorage import TokenStorage
-
-# from base.exceptions import InvalidPassword, InvalidToken
-from services.db import local_session
-from orm import User
-from auth.validators import AuthInput
-
-
-class Password:
-    @staticmethod
-    def _to_bytes(data: str) -> bytes:
-        return bytes(data.encode())
-
-    @classmethod
-    def _get_sha256(cls, password: str) -> bytes:
-        bytes_password = cls._to_bytes(password)
-        return hexlify(sha256(bytes_password).digest())
-
-    @staticmethod
-    def encode(password: str) -> str:
-        password_sha256 = Password._get_sha256(password)
-        return bcrypt.using(rounds=10).hash(password_sha256)
-
-    @staticmethod
-    def verify(password: str, hashed: str) -> bool:
-        """
-        Verify that password hash is equal to specified hash. Hash format:
-
-        $2a$10$Ro0CUfOqk6cXEKf3dyaM7OhSCvnwM9s4wIX9JeLapehKK5YdLxKcm
-        \__/\/ \____________________/\_____________________________/
-        |   |        Salt                     Hash
-        |  Cost
-        Version
-
-        More info: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html
-
-        :param password: clear text password
-        :param hashed: hash of the password
-        :return: True if clear text password matches specified hash
-        """
-        hashed_bytes = Password._to_bytes(hashed)
-        password_sha256 = Password._get_sha256(password)
-
-        return bcrypt.verify(password_sha256, hashed_bytes)
-
-
-class Identity:
-    @staticmethod
-    def password(orm_user: User, password: str) -> User:
-        user = User(**orm_user.dict())
-        if not user.password:
-            # raise InvalidPassword("User password is empty")
-            return {"error": "User password is empty"}
-        if not Password.verify(password, user.password):
-            # raise InvalidPassword("Wrong user password")
-            return {"error": "Wrong user password"}
-        return user
-
-    @staticmethod
-    def oauth(inp: AuthInput) -> User:
-        with local_session() as session:
-            user = (
-                session.query(User)
-                .filter(or_(User.oauth == inp["oauth"], User.email == inp["email"]))
-                .first()
-            )
-            if not user:
-                user = User.create(**inp)
-            if not user.oauth:
-                user.oauth = inp["oauth"]
-                session.commit()
-
-        user = User(**user.dict())
-        return user
-
-    @staticmethod
-    async def onetime(token: str) -> User:
-        try:
-            print("[auth.identity] using one time token")
-            payload = JWTCodec.decode(token)
-            if not await TokenStorage.exist(
-                f"{payload.user_id}-{payload.username}-{token}"
-            ):
-                # raise InvalidToken("Login token has expired, please login again")
-                return {"error": "Token has expired"}
-        except ExpiredSignatureError:
-            # raise InvalidToken("Login token has expired, please try again")
-            return {"error": "Token has expired"}
-        except DecodeError:
-            # raise InvalidToken("token format error") from e
-            return {"error": "Token format error"}
-        with local_session() as session:
-            user = session.query(User).filter_by(id=payload.user_id).first()
-            if not user:
-                # raise Exception("user not exist")
-                return {"error": "User does not exist"}
-            if not user.emailConfirmed:
-                user.emailConfirmed = True
-                session.commit()
-            return user
--- a/auth/jwtcodec.py
+++ b/auth/jwtcodec.py
@@ -1,50 +0,0 @@
-from datetime import datetime, timezone
-import jwt
-from services.exceptions import ExpiredToken, InvalidToken
-from auth.validators import TokenPayload, AuthInput
-from settings import JWT_ALGORITHM, JWT_SECRET_KEY
-
-
-class JWTCodec:
-    @staticmethod
-    def encode(user: AuthInput, exp: datetime) -> str:
-        payload = {
-            "user_id": user.id,
-            "username": user.email or user.phone,
-            "exp": exp,
-            "iat": datetime.now(tz=timezone.utc),
-            "iss": "discours",
-        }
-        try:
-            return jwt.encode(payload, JWT_SECRET_KEY, JWT_ALGORITHM)
-        except Exception as e:
-            print("[auth.jwtcodec] JWT encode error %r" % e)
-
-    @staticmethod
-    def decode(token: str, verify_exp: bool = True) -> TokenPayload:
-        r = None
-        payload = None
-        try:
-            payload = jwt.decode(
-                token,
-                key=JWT_SECRET_KEY,
-                options={
-                    "verify_exp": verify_exp,
-                    # "verify_signature": False
-                },
-                algorithms=[JWT_ALGORITHM],
-                issuer="discours",
-            )
-            r = TokenPayload(**payload)
-            # print('[auth.jwtcodec] debug token %r' % r)
-            return r
-        except jwt.InvalidIssuedAtError:
-            print("[auth.jwtcodec] invalid issued at: %r" % payload)
-            raise ExpiredToken("check token issued time")
-        except jwt.ExpiredSignatureError:
-            print("[auth.jwtcodec] expired signature %r" % payload)
-            raise ExpiredToken("check token lifetime")
-        except jwt.InvalidTokenError:
-            raise InvalidToken("token is not valid")
-        except jwt.InvalidSignatureError:
-            raise InvalidToken("token is not valid")
--- a/auth/oauth.py
+++ b/auth/oauth.py
@@ -1,89 +0,0 @@
-from authlib.integrations.starlette_client import OAuth
-from starlette.responses import RedirectResponse
-from auth.identity import Identity
-from auth.tokenstorage import TokenStorage
-from settings import OAUTH_CLIENTS, FRONTEND_URL
-
-oauth = OAuth()
-
-oauth.register(
-    name="facebook",
-    client_id=OAUTH_CLIENTS["FACEBOOK"]["id"],
-    client_secret=OAUTH_CLIENTS["FACEBOOK"]["key"],
-    access_token_url="https://graph.facebook.com/v11.0/oauth/access_token",
-    access_token_params=None,
-    authorize_url="https://www.facebook.com/v11.0/dialog/oauth",
-    authorize_params=None,
-    api_base_url="https://graph.facebook.com/",
-    client_kwargs={"scope": "public_profile email"},
-)
-
-oauth.register(
-    name="github",
-    client_id=OAUTH_CLIENTS["GITHUB"]["id"],
-    client_secret=OAUTH_CLIENTS["GITHUB"]["key"],
-    access_token_url="https://github.com/login/oauth/access_token",
-    access_token_params=None,
-    authorize_url="https://github.com/login/oauth/authorize",
-    authorize_params=None,
-    api_base_url="https://api.github.com/",
-    client_kwargs={"scope": "user:email"},
-)
-
-oauth.register(
-    name="google",
-    client_id=OAUTH_CLIENTS["GOOGLE"]["id"],
-    client_secret=OAUTH_CLIENTS["GOOGLE"]["key"],
-    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
-    client_kwargs={"scope": "openid email profile"},
-)
-
-
-async def google_profile(client, request, token):
-    profile = await client.parse_id_token(request, token)
-    profile["id"] = profile["sub"]
-    return profile
-
-
-async def facebook_profile(client, request, token):
-    profile = await client.get("me?fields=name,id,email", token=token)
-    return profile.json()
-
-
-async def github_profile(client, request, token):
-    profile = await client.get("user", token=token)
-    return profile.json()
-
-
-profile_callbacks = {
-    "google": google_profile,
-    "facebook": facebook_profile,
-    "github": github_profile,
-}
-
-
-async def oauth_login(request):
-    provider = request.path_params["provider"]
-    request.session["provider"] = provider
-    client = oauth.create_client(provider)
-    redirect_uri = "https://v2.discours.io/oauth-authorize"
-    return await client.authorize_redirect(request, redirect_uri)
-
-
-async def oauth_authorize(request):
-    provider = request.session["provider"]
-    client = oauth.create_client(provider)
-    token = await client.authorize_access_token(request)
-    get_profile = profile_callbacks[provider]
-    profile = await get_profile(client, request, token)
-    user_oauth_info = "%s:%s" % (provider, profile["id"])
-    user_input = {
-        "oauth": user_oauth_info,
-        "email": profile["email"],
-        "username": profile["name"],
-    }
-    user = Identity.oauth(user_input)
-    session_token = await TokenStorage.create_session(user)
-    response = RedirectResponse(url=FRONTEND_URL + "/confirm")
-    response.set_cookie("token", session_token)
-    return response
--- a/auth/tokenstorage.py
+++ b/auth/tokenstorage.py
@@ -1,75 +0,0 @@
-from datetime import datetime, timedelta, timezone
-
-from auth.jwtcodec import JWTCodec
-from auth.validators import AuthInput
-from services.redis import redis
-from settings import SESSION_TOKEN_LIFE_SPAN, ONETIME_TOKEN_LIFE_SPAN
-
-
-async def save(token_key, life_span, auto_delete=True):
-    await redis.execute("SET", token_key, "True")
-    if auto_delete:
-        expire_at = (
-            datetime.now(tz=timezone.utc) + timedelta(seconds=life_span)
-        ).timestamp()
-        await redis.execute("EXPIREAT", token_key, int(expire_at))
-
-
-class SessionToken:
-    @classmethod
-    async def verify(cls, token: str):
-        """
-        Rules for a token to be valid.
-            - token format is legal
-            - token exists in redis database
-            - token is not expired
-        """
-        try:
-            return JWTCodec.decode(token)
-        except Exception as e:
-            raise e
-
-    @classmethod
-    async def get(cls, payload, token):
-        return await TokenStorage.get(f"{payload.user_id}-{payload.username}-{token}")
-
-
-class TokenStorage:
-    @staticmethod
-    async def get(token_key):
-        print("[tokenstorage.get] " + token_key)
-        # 2041-user@domain.zn-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyMDQxLCJ1c2VybmFtZSI6ImFudG9uLnJld2luK3Rlc3QtbG9hZGNoYXRAZ21haWwuY29tIiwiZXhwIjoxNjcxNzgwNjE2LCJpYXQiOjE2NjkxODg2MTYsImlzcyI6ImRpc2NvdXJzIn0.Nml4oV6iMjMmc6xwM7lTKEZJKBXvJFEIZ-Up1C1rITQ
-        return await redis.execute("GET", token_key)
-
-    @staticmethod
-    async def create_onetime(user: AuthInput) -> str:
-        life_span = ONETIME_TOKEN_LIFE_SPAN
-        exp = datetime.now(tz=timezone.utc) + timedelta(seconds=life_span)
-        one_time_token = JWTCodec.encode(user, exp)
-        await save(f"{user.id}-{user.username}-{one_time_token}", life_span)
-        return one_time_token
-
-    @staticmethod
-    async def create_session(user: AuthInput) -> str:
-        life_span = SESSION_TOKEN_LIFE_SPAN
-        exp = datetime.now(tz=timezone.utc) + timedelta(seconds=life_span)
-        session_token = JWTCodec.encode(user, exp)
-        await save(f"{user.id}-{user.username}-{session_token}", life_span)
-        return session_token
-
-    @staticmethod
-    async def revoke(token: str) -> bool:
-        payload = None
-        try:
-            print("[auth.tokenstorage] revoke token")
-            payload = JWTCodec.decode(token)
-        except:  # noqa
-            pass
-        else:
-            await redis.execute("DEL", f"{payload.user_id}-{payload.username}-{token}")
-        return True
-
-    @staticmethod
-    async def revoke_all(user: AuthInput):
-        tokens = await redis.execute("KEYS", f"{user.id}-*")
-        await redis.execute("DEL", *tokens)
--- a/auth/validators.py
+++ b/auth/validators.py
@@ -1,17 +0,0 @@
-from typing import Optional, Text
-from pydantic import BaseModel
-
-
-class AuthInput(BaseModel):
-    id: Optional[int]
-    email: Optional[Text]
-    phone: Optional[Text]
-    password: Optional[Text]
-
-
-class TokenPayload(BaseModel):
-    user_id: int
-    username: Optional[Text]
-    exp: int
-    iat: int
-    iss: Text