add scope

2025-09-05 21:02:24 -03:00
parent 76477f6507
commit b327b6c177
10 changed files with 184 additions and 68 deletions
--- a/id.saladeaula.digital/app/routes/session.py
+++ b/id.saladeaula.digital/app/routes/session.py
@@ -26,7 +26,11 @@ def session(
    username: Annotated[str, Body()],
    password: Annotated[str, Body()],
 ):
-    user_id, password_hash = _get_user(username)
+    (
+        user_id,
+        password_hash,
+        scope,
+    ) = _get_user(username)

    if not pbkdf2_sha256.verify(password, password_hash):
        raise ForbiddenError('Invalid credentials')
@@ -36,7 +40,7 @@ def session(
        cookies=[
            Cookie(
                name='session_id',
-                value=new_session(user_id),
+                value=new_session(user_id, scope),
                http_only=True,
                secure=True,
                same_site=None,
@@ -46,7 +50,7 @@ def session(
    )


-def _get_user(username: str) -> tuple[str, str]:
+def _get_user(username: str) -> tuple[str, str, str | None]:
    sk = SortKey(username, path_spec='user_id')
    user = oauth2_layer.collection.get_items(
        KeyPair(pk='email', sk=sk, rename_key=sk.path_spec)
@@ -57,15 +61,33 @@ def _get_user(username: str) -> tuple[str, str]:
    if not user:
        raise UserNotFoundError()

-    password = oauth2_layer.collection.get_item(
-        KeyPair(user['user_id'], 'PASSWORD'),
-        exc_cls=UserNotFoundError,
+    userdata = oauth2_layer.collection.get_items(
+        KeyPair(
+            pk=user['user_id'],
+            sk=SortKey(
+                sk='PASSWORD',
+                path_spec='hash',
+                rename_key='password',
+            ),
+        )
+        + KeyPair(
+            pk=user['user_id'],
+            sk=SortKey(
+                sk='SCOPE',
+                path_spec='scope',
+                rename_key='scope',
+            ),
+        ),
+        flatten_top=False,
    )

-    return user['user_id'], password['hash']
+    if not userdata:
+        raise UserNotFoundError()
+
+    return user['user_id'], userdata['password'], userdata.get('scope')


-def new_session(sub: str) -> str:
+def new_session(sub: str, scope: str | None) -> str:
    now_ = now()
    sid = str(uuid4())
    exp = ttl(start_dt=now_, seconds=JWT_EXP_SECONDS)
@@ -76,6 +98,7 @@ def new_session(sub: str) -> str:
            'iss': ISSUER,
            'iat': int(now_.timestamp()),
            'exp': exp,
+            'scope': scope,
        },
        JWT_SECRET,
        algorithm=JWT_ALGORITHM,