add scope to id

2025-10-24 20:05:56 -03:00
parent c68aa98fc9
commit c4509f5072
18 changed files with 173 additions and 58 deletions
--- a/id.saladeaula.digital/app/oauth2.py
+++ b/id.saladeaula.digital/app/oauth2.py
@@ -1,3 +1,5 @@
+from os import rename
+
 from authlib.common.security import generate_token
 from authlib.common.urls import add_params_to_uri
 from authlib.jose import JsonWebKey
@@ -26,6 +28,7 @@ from config import ISSUER, OAUTH2_SCOPES_SUPPORTED, OAUTH2_TABLE
 from integrations.apigateway_oauth2.authorization_server import (
    AuthorizationServer,
 )
+from integrations.apigateway_oauth2.resource_protector import ResourceProtector
 from integrations.apigateway_oauth2.tokens import (
    OAuth2AuthorizationCode,
    OAuth2Token,
@@ -65,15 +68,18 @@ class OpenIDCode(OpenIDCode_):
        }

    def generate_user_info(self, user: User, scope: str) -> UserInfo:
-        print(scope)
-        print('--' * 100)
-        return UserInfo(
+        user_info = UserInfo(
            sub=user.id,
            name=user.name,
            email=user.email,
            email_verified=user.email_verified,
        ).filter(scope)

+        if user.scope:
+            user_info['scope'] = ' '.join(user.scope)
+
+        return user_info
+

 class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
    TOKEN_ENDPOINT_AUTH_METHODS = [
@@ -166,20 +172,22 @@ class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
        authorization_code: OAuth2AuthorizationCode,
    ) -> User:
        """Authenticate the user related to this authorization_code."""
-        user = dyn.get_item(
-            KeyPair(
-                pk=authorization_code.user_id,
-                sk='0',
-            ),
+        user = dyn.collection.get_items(
+            TransactKey(authorization_code.user_id)
+            + SortKey('0')
+            + SortKey('SCOPE', path_spec='scope', rename_key='scope'),
        )

-        return User(**pick(('id', 'name', 'email', 'email_verified'), user))
+        return User(**pick(('id', 'name', 'email', 'email_verified', 'scope'), user))


 class TokenExchangeGrant(grants.BaseGrant):
    GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange'

-    TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post']
+    TOKEN_ENDPOINT_AUTH_METHODS = [
+        'client_secret_basic',
+        'client_secret_post',
+    ]

    @hooked
    def validate_token_request(self):
@@ -288,6 +296,17 @@ class RevocationEndpoint(rfc7009.RevocationEndpoint):
        token: OAuth2Token,
        request: OAuth2Request,
    ):
+        """
+        Mark token as revoked. Since token MUST be unique, it would be dangerous
+        to delete it. Consider this situation:
+
+        - Jane obtained a token XYZ
+        - Jane revoked (deleted) token XYZ
+        - Bob generated a new token XYZ
+        - Jane can use XYZ to access Bob’s resource
+
+        - https://docs.authlib.org/en/latest/specs/rfc7009.html#authlib.oauth2.rfc7009.RevocationEndpoint.revoke_token
+        """
        user_id = token.user['id']
        r = dyn.collection.query(KeyPair(pk=user_id, sk='SESSION'))

@@ -377,3 +396,5 @@ server.register_grant(TokenExchangeGrant)
 server.register_grant(RefreshTokenGrant)
 server.register_endpoint(RevocationEndpoint)
 server.register_extension(IssuerParameter())
+
+require_oauth = ResourceProtector()