add revoke
This commit is contained in:
@@ -6,8 +6,12 @@ from authlib.oauth2.rfc6749 import errors
|
||||
from authlib.oauth2.rfc6749.util import scope_to_list
|
||||
from aws_lambda_powertools import Logger
|
||||
from aws_lambda_powertools.event_handler.api_gateway import Router
|
||||
from aws_lambda_powertools.event_handler.exceptions import BadRequestError, ServiceError
|
||||
from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair
|
||||
from aws_lambda_powertools.event_handler.exceptions import (
|
||||
BadRequestError,
|
||||
ServiceError,
|
||||
UnauthorizedError,
|
||||
)
|
||||
from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair, SortKey
|
||||
|
||||
from boto3clients import dynamodb_client
|
||||
from config import ISSUER, JWT_ALGORITHM, JWT_SECRET, OAUTH2_TABLE
|
||||
@@ -15,7 +19,7 @@ from oauth2 import server
|
||||
|
||||
router = Router()
|
||||
logger = Logger(__name__)
|
||||
oauth2_layer = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
|
||||
dyn = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
|
||||
|
||||
|
||||
@router.get('/authorize')
|
||||
@@ -36,9 +40,8 @@ def authorize():
|
||||
client_scopes = set(scope_to_list(grant.client.scope))
|
||||
user_scopes = set(scope_to_list(session_scope)) if session_scope else set()
|
||||
|
||||
if not client_scopes.issubset(
|
||||
user_scopes | {'openid', 'email', 'profile', 'offline_access'}
|
||||
):
|
||||
# Deny authorization if user has no scopes matching the client request
|
||||
if not user_scopes & client_scopes:
|
||||
raise errors.InvalidScopeError(status_code=HTTPStatus.UNAUTHORIZED)
|
||||
|
||||
return server.create_authorization_response(
|
||||
@@ -69,15 +72,27 @@ def verify_session(session_id: str) -> tuple[str, str | None]:
|
||||
},
|
||||
)
|
||||
|
||||
oauth2_layer.collection.get_item(
|
||||
user = dyn.collection.get_items(
|
||||
KeyPair(
|
||||
pk='SESSION',
|
||||
sk=payload['sid'],
|
||||
rename_key='session',
|
||||
)
|
||||
+ KeyPair(
|
||||
pk=payload['sub'],
|
||||
sk=SortKey(
|
||||
sk='SCOPE',
|
||||
path_spec='scope',
|
||||
rename_key='scope',
|
||||
),
|
||||
),
|
||||
exc_cls=SessionRevokedError,
|
||||
flatten_top=False,
|
||||
)
|
||||
|
||||
return payload['sub'], payload.get('scope')
|
||||
if 'session' not in user:
|
||||
raise SessionRevokedError('Session revoked')
|
||||
|
||||
return payload['sub'], user.get('scope')
|
||||
|
||||
|
||||
def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
|
||||
@@ -94,6 +109,4 @@ def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
|
||||
return parsed_cookies
|
||||
|
||||
|
||||
class SessionRevokedError(BadRequestError):
|
||||
def __init__(self, *_):
|
||||
super().__init__('Session revoked')
|
||||
class SessionRevokedError(UnauthorizedError): ...
|
||||
|
||||
Reference in New Issue
Block a user