Store Blender ID OAuth scopes in MongoDB + request badge scope too

This also changes the way we treat Blender ID tokens. Before, the Blender ID token was discarded and a random token was generated & stored. Now the actual Blender ID token is stored. The Facebook and Google OAuth code still uses the old approach of generating a new token. Not sure what the added value is, though, because once the Django session is gone there is nothing left to authenticate the user and thus the random token is useless anyway.
2018-09-11 15:36:25 +02:00
parent 6bcce87bb9
commit 0983474e76
6 changed files with 46 additions and 11 deletions
--- a/pillar/api/eve_settings.py
+++ b/pillar/api/eve_settings.py
@@ -391,6 +391,13 @@ tokens_schema = {
            'type': 'string',
        },
    },
+
+    # OAuth scopes granted to this token.
+    'oauth_scopes': {
+        'type': 'list',
+        'default': [],
+        'schema': {'type': 'string'},
+    }
 }

 files_schema = {
--- a/pillar/api/utils/authentication.py
+++ b/pillar/api/utils/authentication.py
@@ -235,8 +235,14 @@ def hash_auth_token(token: str) -> str:
    return base64.b64encode(digest).decode('ascii')


-def store_token(user_id, token: str, token_expiry, oauth_subclient_id=False,
-                org_roles: typing.Set[str] = frozenset()):
+def store_token(user_id,
+                token: str,
+                token_expiry,
+                oauth_subclient_id=False,
+                *,
+                org_roles: typing.Set[str] = frozenset(),
+                oauth_scopes: typing.Optional[typing.List[str]] = None,
+                ):
    """Stores an authentication token.

    :returns: the token document from MongoDB
@@ -253,6 +259,8 @@ def store_token(user_id, token: str, token_expiry, oauth_subclient_id=False,
        token_data['is_subclient_token'] = True
    if org_roles:
        token_data['org_roles'] = sorted(org_roles)
+    if oauth_scopes:
+        token_data['oauth_scopes'] = oauth_scopes

    r, _, _, status = current_app.post_internal('tokens', token_data)

--- a/pillar/auth/oauth.py
+++ b/pillar/auth/oauth.py
@@ -1,8 +1,9 @@
 import abc
-import attr
 import json
 import logging
+import typing

+import attr
 from rauth import OAuth2Service
 from flask import current_app, url_for, request, redirect, session, Response

@@ -15,6 +16,8 @@ class OAuthUserResponse:

    id = attr.ib(validator=attr.validators.instance_of(str))
    email = attr.ib(validator=attr.validators.instance_of(str))
+    access_token = attr.ib(validator=attr.validators.instance_of(str))
+    scopes: typing.List[str] = attr.ib(validator=attr.validators.instance_of(list))


 class OAuthError(Exception):
@@ -127,6 +130,7 @@ class OAuthSignIn(metaclass=abc.ABCMeta):

 class BlenderIdSignIn(OAuthSignIn):
    provider_name = 'blender-id'
+    scopes = ['email', 'badge']

    def __init__(self):
        from urllib.parse import urljoin
@@ -145,7 +149,7 @@ class BlenderIdSignIn(OAuthSignIn):

    def authorize(self):
        return redirect(self.service.get_authorize_url(
-            scope='email',
+            scope=' '.join(self.scopes),
            response_type='code',
            redirect_uri=self.get_callback_url())
        )
@@ -159,7 +163,11 @@ class BlenderIdSignIn(OAuthSignIn):

        session['blender_id_oauth_token'] = access_token
        me = oauth_session.get('user').json()
-        return OAuthUserResponse(str(me['id']), me['email'])
+
+        # Blender ID doesn't tell us which scopes were granted by the user, so
+        # for now assume we got all the scopes we requested.
+        # (see https://github.com/jazzband/django-oauth-toolkit/issues/644)
+        return OAuthUserResponse(str(me['id']), me['email'], access_token, self.scopes)


 class FacebookSignIn(OAuthSignIn):
@@ -189,7 +197,7 @@ class FacebookSignIn(OAuthSignIn):
        me = oauth_session.get('me?fields=id,email').json()
        # TODO handle case when user chooses not to disclose en email
        # see https://developers.facebook.com/docs/graph-api/reference/user/
-        return OAuthUserResponse(me['id'], me.get('email'))
+        return OAuthUserResponse(me['id'], me.get('email'), '', [])


 class GoogleSignIn(OAuthSignIn):
@@ -217,4 +225,4 @@ class GoogleSignIn(OAuthSignIn):
        oauth_session = self.make_oauth_session()

        me = oauth_session.get('userinfo').json()
-        return OAuthUserResponse(str(me['id']), me['email'])
+        return OAuthUserResponse(str(me['id']), me['email'], '', [])
--- a/pillar/web/users/routes.py
+++ b/pillar/web/users/routes.py
@@ -48,6 +48,10 @@ def oauth_authorize(provider):

@blueprint.route('/oauth/<provider>/authorized')
 def oauth_callback(provider):
+    import datetime
+    from pillar.api.utils.authentication import store_token
+    from pillar.api.utils import utcnow
+
    if current_user.is_authenticated:
        return redirect(url_for('main.homepage'))

@@ -65,7 +69,14 @@ def oauth_callback(provider):
    user_info = {'id': oauth_user.id, 'email': oauth_user.email, 'full_name': ''}
    db_user = find_user_in_db(user_info, provider=provider)
    db_id, status = upsert_user(db_user)
-    token = generate_and_store_token(db_id)
+
+    if oauth_user.access_token:
+        # TODO(Sybren): make nr of days configurable, or get from OAuthSignIn subclass.
+        token_expiry = utcnow() + datetime.timedelta(days=15)
+        token = store_token(db_id, oauth_user.access_token, token_expiry,
+                            oauth_scopes=oauth_user.scopes)
+    else:
+        token = generate_and_store_token(db_id)

    # Login user
    pillar.auth.login_user(token['token'], load_from_db=True)