add scope

2025-09-05 21:02:24 -03:00
parent 76477f6507
commit b327b6c177
10 changed files with 184 additions and 68 deletions
--- a/id.saladeaula.digital/app/routes/authorize.py
+++ b/id.saladeaula.digital/app/routes/authorize.py
@@ -1,10 +1,12 @@
+from http import HTTPStatus, client
 from http.cookies import SimpleCookie

 import jwt
 from authlib.oauth2.rfc6749 import errors
+from authlib.oauth2.rfc6749.util import scope_to_list
 from aws_lambda_powertools import Logger
 from aws_lambda_powertools.event_handler.api_gateway import Router
-from aws_lambda_powertools.event_handler.exceptions import BadRequestError
+from aws_lambda_powertools.event_handler.exceptions import BadRequestError, ServiceError
 from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair

 from boto3clients import dynamodb_client
@@ -26,15 +28,24 @@ def authorize():
        raise BadRequestError('Missing session_id')

    try:
-        user_id = verify_session(session_id)
+        sub, session_scope = verify_session(session_id)
        grant = server.get_consent_grant(
            request=router.current_event,
-            end_user={'id': user_id},
+            end_user=sub,
        )
+        req_scopes = set(scope_to_list(grant.request.payload.scope))
+        user_scopes = set(scope_to_list(session_scope)) if session_scope else set()
+        client_scopes = set(scope_to_list(grant.client.scope))
+
+        if not req_scopes.issubset(
+            client_scopes
+            & (user_scopes | {'openid', 'email', 'profile', 'offline_access'})
+        ):
+            raise errors.InvalidScopeError(status_code=HTTPStatus.UNAUTHORIZED)

        return server.create_authorization_response(
            request=router.current_event,
-            grant_user={'id': user_id},
+            grant_user=sub,
            grant=grant,
        )
    except jwt.exceptions.InvalidTokenError as err:
@@ -42,10 +53,13 @@ def authorize():
        raise BadRequestError(str(err))
    except errors.OAuth2Error as err:
        logger.exception(err)
-        return dict(err.get_body())
+        raise ServiceError(
+            status_code=err.status_code,
+            msg=dict(err.get_body()),  # type: ignore
+        )


-def verify_session(session_id: str) -> str:
+def verify_session(session_id: str) -> tuple[str, str | None]:
    payload = jwt.decode(
        session_id,
        JWT_SECRET,
@@ -65,7 +79,7 @@ def verify_session(session_id: str) -> str:
        exc_cls=SessionRevokedError,
    )

-    return payload['sub']
+    return payload['sub'], payload.get('scope')


 def _parse_cookies(cookies: list[str] | None) -> dict[str, str]: