Add an oauth authorization page

2014-03-14 18:57:28 -04:00 · 2014-03-14 18:57:28 -04:00 · d469b41899
commit d469b41899
parent ab60a10a93
10 changed files with 287 additions and 41 deletions
--- a/data/model/oauth.py
+++ b/data/model/oauth.py
@ -11,11 +11,13 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
    raise NotImplementedError('Subclasses must fill in the ability to get the authorized_user.')

  def validate_client_id(self, client_id):
+    return self.get_application_for_client_id(client_id) is not None
+
+  def get_application_for_client_id(self, client_id):
    try:
-      OAuthApplication.get(client_id=client_id)
-      return True
+      return OAuthApplication.get(client_id=client_id)
    except OAuthApplication.DoesNotExist:
-      return False
+      return None

  def validate_client_secret(self, client_id, client_secret):
    try:
@ -33,12 +35,35 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
    except OAuthApplication.DoesNotExist:
      return False

-  def validate_scope(self, client_id, scope):
-    return scopes.validate_scope_string(scope)
+  def validate_scope(self, client_id, scopes_string):
+    return scopes.validate_scope_string(scopes_string)

  def validate_access(self):
    return self.get_authorized_user() is not None

+  def lookup_access_token(self, client_id):
+    try:
+      found = (OAuthAccessToken
+        .select()
+        .join(OAuthApplication)
+        .where(OAuthApplication.client_id == client_id)
+        .get())
+      return found
+    except OAuthAccessToken.DoesNotExist:
+      return None
+
+  def validate_has_scopes(self, client_id, scope):
+    access_token = self.lookup_access_token(client_id)
+    if not access_token:
+      return False
+
+    # Make sure the token is not expired.
+    if access_token.expires_at <= datetime.now():
+      return False
+
+    # Make sure the token contains the given scopes (at least).
+    return scopes.is_subset_string(access_token.scope, scope)
+
  def from_authorization_code(self, client_id, code, scope):
    try:
      found = (OAuthAuthorizationCode
@ -109,7 +134,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
    is_valid_client_id = self.validate_client_id(client_id)
    is_valid_access = self.validate_access()
    scope = params.get('scope', '')
-    is_valid_scope = self.validate_scope(client_id, scope)
+    are_valid_scopes = self.validate_scope(client_id, scope)

    # Return proper error responses on invalid conditions
    if not is_valid_client_id:
@ -120,7 +145,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
      err = 'access_denied'
      return self._make_redirect_error_response(redirect_uri, err)

-    if not is_valid_scope:
+    if not are_valid_scopes:
      err = 'invalid_scope'
      return self._make_redirect_error_response(redirect_uri, err)

@ -138,8 +163,8 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):

    return self._make_response(headers={'Location': url}, status_code=302)

-def create_application(org, redirect_uri, **kwargs):
-  return OAuthApplication.create(organization=org, redirect_uri=redirect_uri, **kwargs)
+def create_application(org, name, application_uri, redirect_uri, **kwargs):
+  return OAuthApplication.create(organization=org, name=name, application_uri=application_uri, redirect_uri=redirect_uri, **kwargs)

 def validate_access_token(access_token):
  try:
@ -150,4 +175,4 @@ def validate_access_token(access_token):
      .get())
    return found
  except OAuthAccessToken.DoesNotExist:
-    return None
+    return None