add session route

id.saladeaula.digital/app/routes/authorize.py

@@ -1,49 +1,40 @@
-from http import HTTPStatus
 from http.cookies import SimpleCookie
-from urllib.parse import ParseResult, quote, urlencode, urlunparse
 
+import jwt
 from authlib.oauth2 import OAuth2Error
 from authlib.oauth2.rfc6749 import errors
 from aws_lambda_powertools import Logger
-from aws_lambda_powertools.event_handler import Response
 from aws_lambda_powertools.event_handler.api_gateway import Router
-from jose.exceptions import JWTError
+from aws_lambda_powertools.event_handler.exceptions import BadRequestError
+from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair
 
-from jose_ import verify_jwt
+from boto3clients import dynamodb_client
+from config import ISSUER, JWT_ALGORITHM, JWT_SECRET, OAUTH2_TABLE
 from oauth2 import server
 
 router = Router()
 logger = Logger(__name__)
+oauth2_layer = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
 
 
 @router.get('/authorize')
 def authorize():
     current_event = router.current_event
     cookies = _parse_cookies(current_event.get('cookies', []))
-    id_token = cookies.get('id_token')
-    continue_url = _build_continue_url(
-        current_event.path,
-        current_event.query_string_parameters,
-    )
+    session_id = cookies.get('session_id')
 
-    login_url = f'/login?continue={continue_url}'
-
-    try:
-        if not id_token:
-            raise ValueError('Missing id_token')
-
-        user = verify_jwt(id_token)
-    except (ValueError, JWTError):
-        return Response(
-            status_code=HTTPStatus.FOUND,
-            headers={'Location': login_url},
-        )
+    if not session_id:
+        raise BadRequestError('Missing session_id')
 
     try:
+        user_id = verify_session(session_id)
         grant = server.get_consent_grant(
             request=router.current_event,
-            end_user={'id': user['sub']},
+            end_user={'id': user_id},
         )
+    except jwt.exceptions.InvalidTokenError as err:
+        logger.exception(err)
+        raise BadRequestError(str(err))
     except OAuth2Error as err:
         logger.exception(err)
         return dict(err.get_body())
@@ -51,7 +42,7 @@ def authorize():
     try:
         return server.create_authorization_response(
             request=router.current_event,
-            grant_user={'id': user['sub']},
+            grant_user={'id': user_id},
             grant=grant,
         )
     except errors.OAuth2Error as err:
@@ -59,6 +50,29 @@ def authorize():
         return {}
 
 
+def verify_session(session_id: str) -> str:
+    payload = jwt.decode(
+        session_id,
+        JWT_SECRET,
+        algorithms=[JWT_ALGORITHM],
+        issuer=ISSUER,
+        options={
+            'require': ['exp', 'sub', 'iss', 'sid'],
+            'leeway': 60,
+        },
+    )
+
+    oauth2_layer.collection.get_item(
+        KeyPair(
+            pk='SESSION',
+            sk=payload['sid'],
+        ),
+        exc_cls=SessionRevokedError,
+    )
+
+    return payload['sub']
+
+
 def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
     parsed_cookies = {}
 
@@ -73,9 +87,6 @@ def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
     return parsed_cookies
 
 
-def _build_continue_url(
-    path: str,
-    query_string_parameters: dict,
-) -> str:
-    query = urlencode(query_string_parameters)
-    return quote(urlunparse(ParseResult('', '', path, '', query, '')), safe='')
+class SessionRevokedError(BadRequestError):
+    def __init__(self, *_):
+        super().__init__('Session revoked')