further refactoring, moving out auth into blueprints
This commit is contained in:
parent
336740319d
commit
4d9b37545d
|
@ -1,9 +1,7 @@
|
||||||
import uuid
|
|
||||||
import json
|
import json
|
||||||
import requests
|
from flask import Flask, request, session
|
||||||
from flask import Flask, request, redirect, url_for
|
from flask import render_template, flash
|
||||||
from flask import render_template, flash, session
|
from flask import make_response
|
||||||
from flask import send_from_directory, make_response
|
|
||||||
from flask import jsonify
|
from flask import jsonify
|
||||||
from flask_session import Session
|
from flask_session import Session
|
||||||
from suchwow.models import Post, Profile, Comment, Notification, db
|
from suchwow.models import Post, Profile, Comment, Notification, db
|
||||||
|
@ -16,13 +14,8 @@ app.config.from_envvar("FLASK_SECRETS")
|
||||||
app.secret_key = app.config["SECRET_KEY"]
|
app.secret_key = app.config["SECRET_KEY"]
|
||||||
Session(app)
|
Session(app)
|
||||||
|
|
||||||
OPENID_URL = app.config["OIDC_URL"]
|
|
||||||
OPENID_CLIENT_ID = app.config["OIDC_CLIENT_ID"]
|
|
||||||
OPENID_CLIENT_SECRET = app.config["OIDC_CLIENT_SECRET"]
|
|
||||||
OPENID_REDIRECT_URI = "http://localhost:5000/auth"
|
|
||||||
|
|
||||||
app.register_blueprint(post.bp)
|
app.register_blueprint(post.bp)
|
||||||
|
app.register_blueprint(auth.bp)
|
||||||
|
|
||||||
@app.route("/")
|
@app.route("/")
|
||||||
def index():
|
def index():
|
||||||
|
@ -34,76 +27,6 @@ def index():
|
||||||
posts = Post.select().order_by(Post.timestamp).paginate(int(page), 10)
|
posts = Post.select().order_by(Post.timestamp).paginate(int(page), 10)
|
||||||
return render_template("index.html", posts=posts, page=page)
|
return render_template("index.html", posts=posts, page=page)
|
||||||
|
|
||||||
@app.route("/uploads/<path:filename>")
|
|
||||||
def uploaded_file(filename):
|
|
||||||
return send_from_directory(app.config["UPLOAD_FOLDER"], filename)
|
|
||||||
|
|
||||||
@app.route("/login")
|
|
||||||
def login():
|
|
||||||
state = uuid.uuid4().hex
|
|
||||||
session["auth_state"] = state
|
|
||||||
url = f"{OPENID_URL}/auth?" \
|
|
||||||
f"client_id={OPENID_CLIENT_ID}&" \
|
|
||||||
f"redirect_uri={OPENID_REDIRECT_URI}&" \
|
|
||||||
f"response_type=code&" \
|
|
||||||
f"state={state}"
|
|
||||||
|
|
||||||
if app.debug:
|
|
||||||
debug_login()
|
|
||||||
return redirect(url_for("index"))
|
|
||||||
else:
|
|
||||||
return redirect(url)
|
|
||||||
|
|
||||||
|
|
||||||
@app.route("/auth/")
|
|
||||||
def auth():
|
|
||||||
# todo
|
|
||||||
assert "state" in request.args
|
|
||||||
assert "session_state" in request.args
|
|
||||||
assert "code" in request.args
|
|
||||||
|
|
||||||
# verify state
|
|
||||||
if not session.get("auth_state"):
|
|
||||||
return "session error", 500
|
|
||||||
if request.args["state"] != session["auth_state"]:
|
|
||||||
return "attack detected :)", 500
|
|
||||||
|
|
||||||
# with this authorization code we can fetch an access token
|
|
||||||
url = f"{OPENID_URL}/token"
|
|
||||||
data = {
|
|
||||||
"grant_type": "authorization_code",
|
|
||||||
"code": request.args["code"],
|
|
||||||
"redirect_uri": OPENID_REDIRECT_URI,
|
|
||||||
"client_id": OPENID_CLIENT_ID,
|
|
||||||
"client_secret": OPENID_CLIENT_SECRET,
|
|
||||||
"state": request.args["state"]
|
|
||||||
}
|
|
||||||
try:
|
|
||||||
resp = requests.post(url, data=data)
|
|
||||||
resp.raise_for_status()
|
|
||||||
except:
|
|
||||||
return resp.content, 500
|
|
||||||
|
|
||||||
data = resp.json()
|
|
||||||
assert "access_token" in data
|
|
||||||
assert data.get("token_type") == "bearer"
|
|
||||||
access_token = data["access_token"]
|
|
||||||
|
|
||||||
# fetch user information with the access token
|
|
||||||
url = f"{OPENID_URL}/userinfo"
|
|
||||||
|
|
||||||
try:
|
|
||||||
resp = requests.post(url, headers={"Authorization": f"Bearer {access_token}"})
|
|
||||||
resp.raise_for_status()
|
|
||||||
user_profile = resp.json()
|
|
||||||
except:
|
|
||||||
return resp.content, 500
|
|
||||||
|
|
||||||
# user can now visit /secret
|
|
||||||
session["auth"] = user_profile
|
|
||||||
return redirect(url_for("index"))
|
|
||||||
|
|
||||||
|
|
||||||
@app.route("/debug")
|
@app.route("/debug")
|
||||||
@login_required
|
@login_required
|
||||||
def debug():
|
def debug():
|
||||||
|
@ -113,11 +36,6 @@ def debug():
|
||||||
<a href="/logout">Logout</a>
|
<a href="/logout">Logout</a>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
@app.route("/logout")
|
|
||||||
def logout():
|
|
||||||
session["auth"] = None
|
|
||||||
return redirect(url_for("index"))
|
|
||||||
|
|
||||||
@app.errorhandler(404)
|
@app.errorhandler(404)
|
||||||
def not_found(error):
|
def not_found(error):
|
||||||
return make_response(jsonify({"error": "Page not found"}), 404)
|
return make_response(jsonify({"error": "Page not found"}), 404)
|
||||||
|
|
|
@ -2,7 +2,7 @@ OIDC_URL = 'https://login.wownero.com/auth/realms/master/protocol/openid-connect
|
||||||
OIDC_CLIENT_ID = 'suchwowxxx',
|
OIDC_CLIENT_ID = 'suchwowxxx',
|
||||||
OIDC_CLIENT_SECRET = 'xxxxxxxxxx',
|
OIDC_CLIENT_SECRET = 'xxxxxxxxxx',
|
||||||
OIDC_REDIRECT_URL = 'http://localhost:5000/auth'
|
OIDC_REDIRECT_URL = 'http://localhost:5000/auth'
|
||||||
SECRET = 'yyyyyyyyyyyyy',
|
SECRET_KEY = 'yyyyyyyyyyyyy',
|
||||||
SESSION_TYPE = 'filesystem'
|
SESSION_TYPE = 'filesystem'
|
||||||
UPLOAD_FOLDER = '/path/to/the/uploads'
|
UPLOAD_FOLDER = '/path/to/the/uploads'
|
||||||
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
|
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
import requests
|
||||||
|
from uuid import uuid4
|
||||||
|
from flask import session, redirect, url_for, request, Blueprint
|
||||||
|
from suchwow import config
|
||||||
|
|
||||||
|
|
||||||
|
bp = Blueprint("auth", "auth")
|
||||||
|
|
||||||
|
@bp.route("/login")
|
||||||
|
def login():
|
||||||
|
state = uuid4().hex
|
||||||
|
session["auth_state"] = state
|
||||||
|
url = f"{config.OIDC_URL}/auth?" \
|
||||||
|
f"client_id={config.OIDC_CLIENT_ID}&" \
|
||||||
|
f"redirect_uri={config.OIDC_REDIRECT_URL}&" \
|
||||||
|
f"response_type=code&" \
|
||||||
|
f"state={state}"
|
||||||
|
|
||||||
|
return redirect(url)
|
||||||
|
|
||||||
|
@bp.route("/logout")
|
||||||
|
def logout():
|
||||||
|
session["auth"] = None
|
||||||
|
return redirect(url_for("index"))
|
||||||
|
|
||||||
|
@bp.route("/auth/")
|
||||||
|
def auth():
|
||||||
|
# todo - clean up assertions
|
||||||
|
assert "state" in request.args
|
||||||
|
assert "session_state" in request.args
|
||||||
|
assert "code" in request.args
|
||||||
|
|
||||||
|
# verify state
|
||||||
|
if not session.get("auth_state"):
|
||||||
|
return "session error", 500
|
||||||
|
if request.args["state"] != session["auth_state"]:
|
||||||
|
return "attack detected :)", 500
|
||||||
|
|
||||||
|
# with this authorization code we can fetch an access token
|
||||||
|
url = f"{config.OIDC_URL}/token"
|
||||||
|
data = {
|
||||||
|
"grant_type": "authorization_code",
|
||||||
|
"code": request.args["code"],
|
||||||
|
"redirect_uri": config.OIDC_REDIRECT_URL,
|
||||||
|
"client_id": config.OIDC_CLIENT_ID,
|
||||||
|
"client_secret": config.OIDC_CLIENT_SECRET,
|
||||||
|
"state": request.args["state"]
|
||||||
|
}
|
||||||
|
resp = requests.post(url, data=data)
|
||||||
|
resp.raise_for_status()
|
||||||
|
|
||||||
|
data = resp.json()
|
||||||
|
assert "access_token" in data
|
||||||
|
assert data.get("token_type") == "bearer"
|
||||||
|
access_token = data["access_token"]
|
||||||
|
|
||||||
|
# fetch user information with the access token
|
||||||
|
url = f"{config.OIDC_URL}/userinfo"
|
||||||
|
|
||||||
|
try:
|
||||||
|
resp = requests.post(url, headers={"Authorization": f"Bearer {access_token}"})
|
||||||
|
resp.raise_for_status()
|
||||||
|
user_profile = resp.json()
|
||||||
|
except:
|
||||||
|
return resp.content, 500
|
||||||
|
|
||||||
|
# user can now visit /secret
|
||||||
|
session["auth"] = user_profile
|
||||||
|
return redirect(url_for("index"))
|
|
@ -1,8 +1,10 @@
|
||||||
from os import path
|
from os import path
|
||||||
from flask import render_template, Blueprint, request, session
|
from flask import render_template, Blueprint, request, session
|
||||||
|
from flask import send_from_directory, redirect, url_for, current_app
|
||||||
from werkzeug.utils import secure_filename
|
from werkzeug.utils import secure_filename
|
||||||
from suchwow.models import Post
|
from suchwow.models import Post
|
||||||
from suchwow.utils.decorators import login_required
|
from suchwow.utils.decorators import login_required
|
||||||
|
from suchwow.utils.helpers import allowed_file
|
||||||
|
|
||||||
|
|
||||||
bp = Blueprint("post", "post")
|
bp = Blueprint("post", "post")
|
||||||
|
@ -35,7 +37,7 @@ def create():
|
||||||
return redirect(request.url)
|
return redirect(request.url)
|
||||||
if file and allowed_file(file.filename):
|
if file and allowed_file(file.filename):
|
||||||
filename = secure_filename(file.filename)
|
filename = secure_filename(file.filename)
|
||||||
save_path = path.join(app.config["UPLOAD_FOLDER"], filename)
|
save_path = path.join(current_app.config["UPLOAD_FOLDER"], filename)
|
||||||
file.save(save_path)
|
file.save(save_path)
|
||||||
# gen wallet
|
# gen wallet
|
||||||
post = Post(
|
post = Post(
|
||||||
|
@ -48,4 +50,8 @@ def create():
|
||||||
)
|
)
|
||||||
post.save()
|
post.save()
|
||||||
return redirect(url_for("post.read", id=post.id))
|
return redirect(url_for("post.read", id=post.id))
|
||||||
return render_template("post/create.html")
|
return render_template("post/create.html")
|
||||||
|
|
||||||
|
@bp.route("/uploads/<path:filename>")
|
||||||
|
def uploaded_file(filename):
|
||||||
|
return send_from_directory(current_app.config["UPLOAD_FOLDER"], filename)
|
|
@ -11,9 +11,9 @@
|
||||||
<body>
|
<body>
|
||||||
<a href="/">Home</a><br>
|
<a href="/">Home</a><br>
|
||||||
{% if session.auth == None %}
|
{% if session.auth == None %}
|
||||||
<a href="{{ url_for('login') }}">Login</a><br>
|
<a href="{{ url_for('auth.login') }}">Login</a><br>
|
||||||
{% else %}
|
{% else %}
|
||||||
<a href="{{ url_for('logout') }}">Logout</a><br>
|
<a href="{{ url_for('auth.logout') }}">Logout</a><br>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<hr>
|
<hr>
|
||||||
{% with messages = get_flashed_messages() %}
|
{% with messages = get_flashed_messages() %}
|
||||||
|
|
|
@ -14,6 +14,6 @@ You cannot see this post
|
||||||
<p>Subtitle: {{ post.subtitle }}</p>
|
<p>Subtitle: {{ post.subtitle }}</p>
|
||||||
<p>Submitted: {{ post.timestamp }}</p>
|
<p>Submitted: {{ post.timestamp }}</p>
|
||||||
<p>Image Name: {{ post.image_name }}</p>
|
<p>Image Name: {{ post.image_name }}</p>
|
||||||
<img src="{{ url_for('uploaded_file', filename=post.image_name) }}" width=500/>
|
<img src="{{ url_for('post.uploaded_file', filename=post.image_name) }}" width=500/>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
|
@ -1,15 +1,11 @@
|
||||||
from flask import current_app, session, redirect, url_for
|
from flask import session, redirect, url_for
|
||||||
from functools import wraps
|
from functools import wraps
|
||||||
from suchwow.utils.helpers import debug_login
|
|
||||||
|
|
||||||
|
|
||||||
def login_required(f):
|
def login_required(f):
|
||||||
@wraps(f)
|
@wraps(f)
|
||||||
def decorated_function(*args, **kwargs):
|
def decorated_function(*args, **kwargs):
|
||||||
if current_app.debug:
|
|
||||||
debug_login()
|
|
||||||
return f(*args, **kwargs)
|
|
||||||
if "auth" not in session or not session["auth"]:
|
if "auth" not in session or not session["auth"]:
|
||||||
return redirect(url_for("login"))
|
return redirect(url_for("auth.login"))
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
return decorated_function
|
return decorated_function
|
|
@ -1,16 +1,6 @@
|
||||||
from flask import current_app, session
|
from flask import current_app
|
||||||
|
|
||||||
|
|
||||||
def allowed_file(filename):
|
def allowed_file(filename):
|
||||||
return "." in filename and \
|
return "." in filename and \
|
||||||
filename.rsplit(".", 1)[1].lower() in current_app.config["ALLOWED_EXTENSIONS"]
|
filename.rsplit(".", 1)[1].lower() in current_app.config["ALLOWED_EXTENSIONS"]
|
||||||
|
|
||||||
def debug_login():
|
|
||||||
session["auth"] = {
|
|
||||||
"state": "active",
|
|
||||||
"session_state": "debug",
|
|
||||||
"code": "abcdefg",
|
|
||||||
"preferred_username": "debuguser",
|
|
||||||
"debug": True
|
|
||||||
}
|
|
||||||
return
|
|
Loading…
Reference in New Issue