125 lines
4.1 KiB
Python
125 lines
4.1 KiB
Python
# -*- coding: UTF-8 -*
|
|
# Authentication code borrowed from Miguel Grinberg's Mega Tutorial
|
|
# (see https://github.com/miguelgrinberg/microblog)
|
|
# and modified for ScoDoc
|
|
|
|
# Under The MIT License (MIT)
|
|
|
|
# Copyright (c) 2017 Miguel Grinberg
|
|
|
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
# this software and associated documentation files (the "Software"), to deal in
|
|
# the Software without restriction, including without limitation the rights to
|
|
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
|
# the Software, and to permit persons to whom the Software is furnished to do so,
|
|
# subject to the following conditions:
|
|
|
|
# The above copyright notice and this permission notice shall be included in all
|
|
# copies or substantial portions of the Software.
|
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
|
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
|
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
|
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
from functools import wraps
|
|
|
|
from flask import g
|
|
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
|
|
from flask_login import current_user
|
|
|
|
from app import log
|
|
from app.auth.models import User
|
|
from app.api.errors import error_response
|
|
|
|
basic_auth = HTTPBasicAuth()
|
|
token_auth = HTTPTokenAuth()
|
|
|
|
|
|
@basic_auth.verify_password
|
|
def verify_password(username, password):
|
|
"Verify password for this user"
|
|
user = User.query.filter_by(user_name=username).first()
|
|
if user and user.check_password(password):
|
|
g.current_user = user
|
|
# note: est aussi basic_auth.current_user()
|
|
return user
|
|
|
|
|
|
@basic_auth.error_handler
|
|
def basic_auth_error(status):
|
|
"error response (401 for invalid auth.)"
|
|
return error_response(status)
|
|
|
|
|
|
@token_auth.verify_token
|
|
def verify_token(token) -> User:
|
|
"""Retrouve l'utilisateur à partir du jeton.
|
|
Si la requête n'a pas de jeton, token == "".
|
|
"""
|
|
|
|
user = User.check_token(token) if token else None
|
|
g.current_user = user
|
|
return user
|
|
|
|
|
|
@token_auth.error_handler
|
|
def token_auth_error(status):
|
|
"Réponse en cas d'erreur d'auth."
|
|
return error_response(status)
|
|
|
|
|
|
@token_auth.get_user_roles
|
|
def get_user_roles(user):
|
|
return user.roles
|
|
|
|
|
|
def token_permission_required(permission):
|
|
"Décorateur pour les fonctions de l'API ScoDoc"
|
|
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
# token_auth.login_required()
|
|
current_user = basic_auth.current_user()
|
|
if not current_user or not current_user.has_permission(permission, None):
|
|
if current_user:
|
|
message = f"API permission denied (user {current_user})"
|
|
else:
|
|
message = f"API permission denied (no user supplied)"
|
|
log(message)
|
|
# raise werkzeug.exceptions.Forbidden(description=message)
|
|
return error_response(403, message=None)
|
|
return f(*args, **kwargs)
|
|
|
|
# return decorated_function(token_auth.login_required())
|
|
return decorated_function
|
|
|
|
return decorator
|
|
|
|
|
|
def permission_required_api(permission_web, permission_api):
|
|
"""Décorateur pour les fonctions de l'API accessibles en mode jeton
|
|
ou en mode web.
|
|
Si cookie d'authentification web, utilise pour se logger et calculer les
|
|
permissions.
|
|
Sinon, tente le jeton jwt.
|
|
"""
|
|
|
|
def decorator(f):
|
|
@wraps(f)
|
|
def decorated_function(*args, **kwargs):
|
|
scodoc_dept = getattr(g, "scodoc_dept", None)
|
|
if not current_user.has_permission(permission_web, scodoc_dept):
|
|
# try API
|
|
return token_auth.login_required(
|
|
token_permission_required(permission_api)(f)
|
|
)(*args, **kwargs)
|
|
return f(*args, **kwargs)
|
|
|
|
return decorated_function
|
|
|
|
return decorator
|