ScoDoc/app/auth/logic.py

# -*- coding: UTF-8 -*

"""app.auth.logic.py
"""
import http

import flask
from flask import current_app, g, redirect, request, url_for
from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth
import flask_login

from app import db, login
from app.auth.models import User
from app.models.config import ScoDocSiteConfig
from app.scodoc.sco_utils import json_error

basic_auth = HTTPBasicAuth()
token_auth = HTTPTokenAuth()


@basic_auth.verify_password
def verify_password(username, password):
    """Verify password for this user
    Appelé lors d'une demande de jeton (normalement via la route /tokens)
    """
    user: User = User.query.filter_by(user_name=username).first()
    if user and user.check_password(password):
        g.current_user = user
        # note: est aussi basic_auth.current_user()
        return user


@basic_auth.error_handler
def basic_auth_error(status):
    "error response (401 for invalid auth.)"
    return json_error(status)


@login.user_loader
def load_user(uid: str) -> User:
    "flask-login: accès à un utilisateur"
    return db.session.get(User, int(uid))


@token_auth.verify_token
def verify_token(token) -> User:
    """Retrouve l'utilisateur à partir du jeton.
    Si la requête n'a pas de jeton, token == "".
    """
    user = User.check_token(token) if token else None
    if user is not None:
        flask_login.login_user(user)
    g.current_user = user
    return user


@token_auth.error_handler
def token_auth_error(status):
    "Réponse en cas d'erreur d'auth."
    return json_error(status)


@token_auth.get_user_roles
def get_user_roles(user):
    return user.roles


@login.request_loader
def load_user_from_request(req: flask.Request) -> User:
    """Custom Login using Request Loader"""
    # Try token
    try:
        auth_type, token = req.headers["Authorization"].split(None, 1)
    except (ValueError, KeyError):
        # The Authorization header is either empty or has no token
        return None
    if auth_type == "Bearer" and token:
        return verify_token(token)
    return None


@login.unauthorized_handler
def unauthorized():
    "flask-login: si pas autorisé, redirige vers page login, sauf si API"
    if request.blueprint == "api" or request.blueprint == "apiweb":
        return json_error(http.HTTPStatus.UNAUTHORIZED, "Non autorise (logic)")
    return redirect(url_for("auth.login"))


def logout() -> flask.Response:
    """Logout the current user: If CAS session, logout from CAS. Redirect."""
    if flask_login.current_user:
        user_name = getattr(flask_login.current_user, "user_name", "anonymous")
        current_app.logger.info(f"logout user {user_name}")
    flask_login.logout_user()
    if ScoDocSiteConfig.is_cas_enabled() and flask.session.get("scodoc_cas_login_date"):
        flask.session.pop("scodoc_cas_login_date", None)
        return redirect(url_for("cas.logout"))
    return redirect(url_for("scodoc.index"))
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00			`# -- coding: UTF-8 -`

			`"""app.auth.logic.py`
			`"""`
			`import http`

			`import flask`
Anciens formulaires: ajout csrf 2023-03-19 10:26:03 +01:00			`from flask import current_app, g, redirect, request, url_for`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00			`from flask_httpauth import HTTPBasicAuth, HTTPTokenAuth`
			`import flask_login`
Connexion au CAS (WIP) 2023-02-26 21:24:07 +01:00
Modifs pour SA 2.0 (à reporter en 9.5) 2023-07-11 06:57:38 +02:00			`from app import db, login`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00			`from app.auth.models import User`
Anciens formulaires: ajout csrf 2023-03-19 10:26:03 +01:00			`from app.models.config import ScoDocSiteConfig`
Connexion au CAS (WIP) 2023-02-26 21:24:07 +01:00			`from app.scodoc.sco_utils import json_error`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00
			`basic_auth = HTTPBasicAuth()`
			`token_auth = HTTPTokenAuth()`


			`@basic_auth.verify_password`
			`def verify_password(username, password):`
			`"""Verify password for this user`
			`Appelé lors d'une demande de jeton (normalement via la route /tokens)`
			`"""`
			`user: User = User.query.filter_by(user_name=username).first()`
			`if user and user.check_password(password):`
			`g.current_user = user`
			`# note: est aussi basic_auth.current_user()`
			`return user`


			`@basic_auth.error_handler`
			`def basic_auth_error(status):`
			`"error response (401 for invalid auth.)"`
Fix #470 2022-08-08 10:34:13 +02:00			`return json_error(status)`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00

			`@login.user_loader`
			`def load_user(uid: str) -> User:`
			`"flask-login: accès à un utilisateur"`
Modifs pour SA 2.0 (à reporter en 9.5) 2023-07-11 06:57:38 +02:00			`return db.session.get(User, int(uid))`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00

			`@token_auth.verify_token`
			`def verify_token(token) -> User:`
			`"""Retrouve l'utilisateur à partir du jeton.`
			`Si la requête n'a pas de jeton, token == "".`
			`"""`
			`user = User.check_token(token) if token else None`
			`if user is not None:`
			`flask_login.login_user(user)`
			`g.current_user = user`
			`return user`


			`@token_auth.error_handler`
			`def token_auth_error(status):`
			`"Réponse en cas d'erreur d'auth."`
Fix #470 2022-08-08 10:34:13 +02:00			`return json_error(status)`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00

			`@token_auth.get_user_roles`
			`def get_user_roles(user):`
			`return user.roles`


			`@login.request_loader`
			`def load_user_from_request(req: flask.Request) -> User:`
			`"""Custom Login using Request Loader"""`
			`# Try token`
			`try:`
			`auth_type, token = req.headers["Authorization"].split(None, 1)`
			`except (ValueError, KeyError):`
			`# The Authorization header is either empty or has no token`
			`return None`
			`if auth_type == "Bearer" and token:`
			`return verify_token(token)`
			`return None`


			`@login.unauthorized_handler`
			`def unauthorized():`
			`"flask-login: si pas autorisé, redirige vers page login, sauf si API"`
			`if request.blueprint == "api" or request.blueprint == "apiweb":`
API: unifie traitement errors, messages JSON. 2022-08-07 19:56:25 +02:00			`return json_error(http.HTTPStatus.UNAUTHORIZED, "Non autorise (logic)")`
Modification contrôle d'accès. Routes API basic+token. Revision routes API. 2022-07-27 16:03:14 +02:00			`return redirect(url_for("auth.login"))`
Anciens formulaires: ajout csrf 2023-03-19 10:26:03 +01:00

			`def logout() -> flask.Response:`
			`"""Logout the current user: If CAS session, logout from CAS. Redirect."""`
			`if flask_login.current_user:`
			`user_name = getattr(flask_login.current_user, "user_name", "anonymous")`
			`current_app.logger.info(f"logout user {user_name}")`
			`flask_login.logout_user()`
			`if ScoDocSiteConfig.is_cas_enabled() and flask.session.get("scodoc_cas_login_date"):`
			`flask.session.pop("scodoc_cas_login_date", None)`
			`return redirect(url_for("cas.logout"))`
			`return redirect(url_for("scodoc.index"))`