update session

2025-10-10 12:52:41 -03:00
parent 2de2d4dc0e
commit c9438d49fb
15 changed files with 116 additions and 112 deletions
--- a/id.saladeaula.digital/app/routes/authorize.py
+++ b/id.saladeaula.digital/app/routes/authorize.py
@@ -1,6 +1,5 @@
 from http.cookies import SimpleCookie

-import jwt
 from authlib.oauth2.rfc6749 import errors
 from authlib.oauth2.rfc6749.util import scope_to_list
 from aws_lambda_powertools import Logger
@@ -9,12 +8,12 @@ from aws_lambda_powertools.event_handler.exceptions import (
    BadRequestError,
    ForbiddenError,
    ServiceError,
-    UnauthorizedError,
 )
+from joserfc.errors import JoseError
 from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair, SortKey

 from boto3clients import dynamodb_client
-from config import ISSUER, OAUTH2_TABLE, SESSION_SECRET
+from config import OAUTH2_TABLE
 from oauth2 import server

 router = Router()
@@ -26,19 +25,24 @@ dyn = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)
 def authorize():
    current_event = router.current_event
    cookies = _parse_cookies(current_event.get('cookies', []))
-    session_id = cookies.get('session_id')
+    session = cookies.get('__session')

-    if not session_id:
-        raise BadRequestError('Missing session_id')
+    if not session:
+        raise BadRequestError('Missing session')

    try:
-        sub, session_scope = verify_session(session_id)
+        sid, sub = session.split(':')
+        # Raise if session is not found
+        dyn.collection.get_item(
+            KeyPair('SESSION', sid),
+            exc_cls=InvalidSession,
+        )
        grant = server.get_consent_grant(
            request=router.current_event,
            end_user=sub,
        )
+        user_scopes = _user_scopes(sub)
        client_scopes = set(scope_to_list(grant.client.scope))
-        user_scopes = set(scope_to_list(session_scope)) if session_scope else set()

        # Deny authorization if user lacks scopes requested by client
        if not client_scopes.issubset(user_scopes):
@@ -49,7 +53,7 @@ def authorize():
            grant_user=sub,
            grant=grant,
        )
-    except jwt.exceptions.InvalidTokenError as err:
+    except JoseError as err:
        logger.exception(err)
        raise BadRequestError(str(err))
    except errors.OAuth2Error as err:
@@ -60,39 +64,19 @@ def authorize():
        )


-def verify_session(session_id: str) -> tuple[str, str | None]:
-    payload = jwt.decode(
-        session_id,
-        SESSION_SECRET,
-        algorithms=['HS256'],
-        issuer=ISSUER,
-        options={
-            'require': ['exp', 'sub', 'iss', 'sid'],
-        },
-    )
-
-    user = dyn.collection.get_items(
-        KeyPair(
-            pk='SESSION',
-            sk=payload['sid'],
-            rename_key='session',
+def _user_scopes(sub: str) -> set:
+    return set(
+        scope_to_list(
+            dyn.collection.get_item(
+                KeyPair(
+                    pk=sub,
+                    sk=SortKey(sk='SCOPE', path_spec='scope'),
+                ),
+                exc_cls=BadRequestError,
+            )
        )
-        + KeyPair(
-            pk=payload['sub'],
-            sk=SortKey(
-                sk='SCOPE',
-                path_spec='scope',
-                rename_key='scope',
-            ),
-        ),
-        flatten_top=False,
    )

-    if 'session' not in user:
-        raise SessionRevokedError('Session revoked')
-
-    return payload['sub'], user.get('scope')
-

 def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
    parsed_cookies = {}
@@ -108,4 +92,4 @@ def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
    return parsed_cookies


-class SessionRevokedError(UnauthorizedError): ...
+class InvalidSession(BadRequestError): ...