Skip to content
Snippets Groups Projects
Normal view Permalink
login.py 4.74 KiB
Newer Older
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 
"""Module for authentication.

Requires sessions to store user information (recommend ..db.SessionMiddleware)


Configuration:
    uses environment variables:

    OPENID_CLIENT_ID      - application id, assigned by OIDC provider
    OPENID_CLIENT_SECRET  - application secret, assigned by OIDC provider
    OPENID_METADATA_URL   - url for OIDC provider information


Usage:

    current_user() - get user information if logged in

        def login_optional(user: Optional[User] = Depends(current_user))

    require_user() - require user login and group membership
                     NOTE: this is a function generator that must be called.

        def any_logged_in_user(user: User = Depends(require_user()))

        def admin_users_only(user: User = Depends(require_user(allowed_groups=["admin"])))

    router - APIRouter to be registered with FastAPI application:
        app.include_router(login.router)

        creates routes:
            /authorize  - callback from OpenIDConnect provider after authentication
            /login      - redirect to OpenIDConnect provider to authenticate
            /logout     - logout current user
            /user       - access current user information as json
"""
import logging
import os
from typing import Callable, List, Optional

from authlib.integrations.starlette_client import OAuth
from fastapi import APIRouter, Depends, HTTPException
from pydantic import BaseModel
from starlette.requests import Request
from starlette.responses import RedirectResponse


class User(BaseModel):
Rivers, Travis (Contractor) Creighton's avatar
run black formatter  
Rivers, Travis (Contractor) Creighton committed
48 
    """Information about a logged in user."""
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 

    email: str
    sub: str  # unique outh id
    groups: List[str] = []
    name: str = None
    nickname: str = None
    picture: str = None


async def current_user(request: Request) -> Optional[User]:
    """Get logged in user, or None if not logged in.

    Usage example:
        user: Optional[User] = Depends(current_user)

    """
    if "user" in request.session:
        return User(**request.session["user"])
    return None


def require_user(allowed_groups: List[str] = None,) -> Callable[[Request, User], User]:
    """Create function to verifies user in allowed_groups

    Usage example:
        user: User = Depends(require_user(["admin"]))

    Parameters
    ----------
    allowed_groups: require user to be member of any group in list.
    """

    async def verify_groups(
        request: Request, user: Optional[User] = Depends(current_user)
    ) -> User:
        if not user:
Jeremy M Fee's avatar
Update login check to return 401 instead of redirect  
Jeremy M Fee committed
85 86 
            # not logged in
            raise HTTPException(status_code=401, detail=request.url_for("login"))
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
87 88 89 90 91 92 93 
        if allowed_groups is not None and not any(
            g in user.groups for g in allowed_groups
        ):
            logging.info(
                f"user ({user.email}, sub={user.sub})"
                f" not member of any allowed group ({allowed_groups})"
            )
Jeremy M Fee's avatar
Update login check to return 401 instead of redirect  
Jeremy M Fee committed
94 
            raise HTTPException(403, detail="Forbidden")
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 
        return user

    return verify_groups


oauth = OAuth()
# creates provider "oauth.openid"
oauth.register(
    name="openid",
    client_id=os.getenv("OPENID_CLIENT_ID"),
    client_secret=os.getenv("OPENID_CLIENT_SECRET"),
    server_metadata_url=os.getenv("OPENID_METADATA_URL"),
    client_kwargs={"scope": "openid email profile"},
)
# routes for login/logout
router = APIRouter()


@router.get("/authorize")
async def authorize(request: Request):
Rivers, Travis (Contractor) Creighton's avatar
run black formatter  
Rivers, Travis (Contractor) Creighton committed
115 
    """Authorize callback after authenticating using OpenID"""
Rivers, Travis (Contractor) Creighton's avatar
get docker container working, add gunicorn support  
Rivers, Travis (Contractor) Creighton committed
116
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
117 118 
    # finish login
    token = await oauth.openid.authorize_access_token(request)
Rivers, Travis (Contractor) Creighton's avatar
get docker container working, add gunicorn support  
Rivers, Travis (Contractor) Creighton committed
119
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
120 121 122 123 
    request.session["token"] = token
    # add user to session
    userinfo = await oauth.openid.userinfo(token=token)
    request.session["user"] = dict(userinfo)
Jeremy M Fee's avatar
Update login check to return 401 instead of redirect  
Jeremy M Fee committed
124 125 126 127 128 129 130 
    # redirect
    return RedirectResponse(
        url=request.session.pop(
            "after_authorize_redirect",
            # fall back to index
            request.url_for("index"),
        )
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
131 132 133 134 135 
    )


@router.get("/login")
async def login(request: Request):
Rivers, Travis (Contractor) Creighton's avatar
run black formatter  
Rivers, Travis (Contractor) Creighton committed
136 
    """Redirect to OpenID provider."""
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
137 138 139 140 141 142 143 144 145 146 
    redirect_uri = request.url_for("authorize")
    # save original location
    if "Referer" in request.headers:
        request.session["after_authorize_redirect"] = request.headers["Referer"]
    # redirect to openid login
    return await oauth.openid.authorize_redirect(request, redirect_uri)


@router.get("/logout")
async def logout(request: Request):
Rivers, Travis (Contractor) Creighton's avatar
run black formatter  
Rivers, Travis (Contractor) Creighton committed
147 
    """Clear session and redirect to index page."""
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
148 149 
    request.session.pop("token", None)
    request.session.pop("user", None)
Jeremy M Fee's avatar
Update login check to return 401 instead of redirect  
Jeremy M Fee committed
150 151 152 153 154 155 156 
    return RedirectResponse(
        # referrer when set
        "Referer" in request.headers
        and request.headers["Referer"]
        # otherwise index
        or request.url_for("index")
    )
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
157 158 159 160 


@router.get("/user")
async def user(request: Request, user: User = Depends(require_user())) -> User:
Rivers, Travis (Contractor) Creighton's avatar
run black formatter  
Rivers, Travis (Contractor) Creighton committed
161 
    """Get currently logged in user."""
Jeremy M Fee's avatar
Remove flask application, add fastapi version of login and database sessions
Jeremy M Fee committed
162 
    return user