MobileTeleSystems
diff --git a/‎.env.docker‎
Lines changed: 13 additions & 23 deletions b/‎.env.docker‎
Lines changed: 13 additions & 23 deletions
diff --git a/‎.env.local‎
Lines changed: 1 addition & 1 deletion b/‎.env.local‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pyproject.toml‎
Lines changed: 4 additions & 0 deletions b/‎pyproject.toml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎syncmaster/backend/api/v1/auth.py‎
Lines changed: 35 additions & 5 deletions b/‎syncmaster/backend/api/v1/auth.py‎
Lines changed: 35 additions & 5 deletions
diff --git a/‎syncmaster/backend/dependencies/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎syncmaster/backend/dependencies/__init__.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎syncmaster/backend/dependencies/get_access_token.py‎
Lines changed: 12 additions & 0 deletions b/‎syncmaster/backend/dependencies/get_access_token.py‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎syncmaster/backend/handler.py‎
Lines changed: 11 additions & 0 deletions b/‎syncmaster/backend/handler.py‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎syncmaster/backend/middlewares/cors.py‎
Lines changed: 8 additions & 1 deletion b/‎syncmaster/backend/middlewares/cors.py‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎syncmaster/backend/providers/auth/__init__.py‎
Lines changed: 3 additions & 1 deletion b/‎syncmaster/backend/providers/auth/__init__.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎syncmaster/backend/providers/auth/base.py‎ ‎…/backend/providers/auth/base_provider.py‎syncmaster/backend/providers/auth/base.py renamed to syncmaster/backend/providers/auth/base_provider.py
Lines changed: 14 additions & 1 deletion b/‎syncmaster/backend/providers/auth/base.py‎ ‎…/backend/providers/auth/base_provider.py‎syncmaster/backend/providers/auth/base.py renamed to syncmaster/backend/providers/auth/base_provider.py
Lines changed: 14 additions & 1 deletion
@@ -18,33 +18,23 @@ SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
 # Postgres
 SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@db:5432/syncmaster
 
-# Keycloack (MTS)
-SYNCMASTER__AUTH__KEYCLOAK_SERVER_URL=https://isso.mts.ru/auth/
-SYNCMASTER__AUTH__KEYCLOAK_REALM_NAME=mts
-SYNCMASTER__AUTH__KEYCLOAK_CLIENT_ID=syncmaster_dev
-SYNCMASTER__AUTH__KEYCLOAK_CLIENT_SECRET=secret
-SYNCMASTER__AUTH__KEYCLOAK_REDIRECT_URI=http://localhost:8000/callback
-SYNCMASTER__AUTH__KEYCLOAK_ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
-SYNCMASTER__AUTH__KEYCLOAK_SCOPE=email
+# Keycloack Auth
+SYNCMASTER__AUTH__SERVER_URL=http://keycloak:8080/
+SYNCMASTER__AUTH__REALM_NAME=fastapi-realm
+SYNCMASTER__AUTH__CLIENT_ID=fastapi-client
+SYNCMASTER__AUTH__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
+SYNCMASTER__AUTH__REDIRECT_URI=http://localhost:8000/v1/auth/callback
+SYNCMASTER__AUTH__ADMIN_REDIRECT_URI=http://localhost:8000/v1/auth/callback
+SYNCMASTER__AUTH__SCOPE=email
 SYNCMASTER__AUTH__KEYCLOAK_INTROSPECTION_DELAY=60
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
-SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=https://isso.mts.ru/auth/realms/mts/protocol/openid-connect/token
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak_provider.KeycloakAuthProvider
+SYNCMASTER__AUTH__KEYCLOAK_TOKEN_URL=http://keycloak:8080/realms/fastapi-realm/protocol/openid-connect/token
 
 
-SYNCMASTER__AUTH__KEYCLOAK__SERVER_URL=http://localhost:8080/auth/
-SYNCMASTER__AUTH__KEYCLOAK__REALM_NAME=fastapi-realm
-SYNCMASTER__AUTH__KEYCLOAK__CLIENT_ID=fastapi-client
-SYNCMASTER__AUTH__KEYCLOAK__CLIENT_SECRET=VoLrqGz1HGjp6MiwzRaGWIu7z7imKIHb
-SYNCMASTER__AUTH__KEYCLOAK__REDIRECT_URI=http://localhost:8000/callback
-SYNCMASTER__AUTH__KEYCLOAK__ADMIN_REDIRECT_URI=http://localhost:8000/admin/callback
-SYNCMASTER__AUTH__KEYCLOAK__SCOPE=email
-SYNCMASTER__AUTH__KEYCLOAK__INTROSPECTION_DELAY=60
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak.KeycloakAuthProvider
-SYNCMASTER__AUTH__KEYCLOAK__TOKEN_URL=http://localhost:8080/auth/realms/fastapi-realm/protocol/openid-connect/token
-
-
-SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+# Dummy Auth
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
+SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.keycloak_provider.KeycloakAuthProvider
 
 # RabbitMQ
 SYNCMASTER__BROKER__URL=amqp://guest:guest@rabbitmq:5672/
 
@@ -19,7 +19,7 @@ export SYNCMASTER__CRYPTO_KEY=UBgPTioFrtH2unlC4XFDiGf5sYfzbdSf_VgiUSaQc94=
 export SYNCMASTER__DATABASE__URL=postgresql+asyncpg://syncmaster:changeme@localhost:5432/syncmaster
 
 # Auth
-export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy.DummyAuthProvider
+export SYNCMASTER__AUTH__PROVIDER=syncmaster.backend.providers.auth.dummy_provider.DummyAuthProvider
 export SYNCMASTER__AUTH__ACCESS_TOKEN__SECRET_KEY=bae1thahr8Iyaisai0kohvoh1aeg5quu
 
 # RabbitMQ
 
@@ -185,6 +185,10 @@ ignore_missing_imports = true
 module = "pyarrow.*"
 ignore_missing_imports = true
 
+[[tool.mypy.overrides]]
+module = "keycloak.*"
+ignore_missing_imports = true
+
 [[tool.mypy.overrides]]
 module = "avro.*"
 ignore_missing_imports = true
 
@@ -1,17 +1,25 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from typing import Annotated
+from typing import TYPE_CHECKING, Annotated
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.responses import RedirectResponse
 from fastapi.security import OAuth2PasswordRequestForm
 
 from syncmaster.backend.dependencies import Stub
 from syncmaster.backend.providers.auth import AuthProvider
+from syncmaster.backend.utils.state import validate_state
 from syncmaster.errors.registration import get_error_responses
 from syncmaster.errors.schemas.invalid_request import InvalidRequestSchema
 from syncmaster.errors.schemas.not_authorized import NotAuthorizedSchema
 from syncmaster.schemas.v1.auth import AuthTokenSchema
 
+if TYPE_CHECKING:
+    from syncmaster.backend.providers.auth import (
+        DummyAuthProvider,
+        KeycloakAuthProvider,
+    )
+
 router = APIRouter(
     prefix="/auth",
     tags=["Auth"],
@@ -20,11 +28,11 @@
 
 
 @router.post("/token")
-async def login(
-    auth_provider: Annotated[AuthProvider, Depends(Stub(AuthProvider))],
+async def token(
+    auth_provider: Annotated["DummyAuthProvider", Depends(Stub(AuthProvider))],
     form_data: OAuth2PasswordRequestForm = Depends(),
 ) -> AuthTokenSchema:
-    token = await auth_provider.get_token(
+    token = await auth_provider.get_token_password_grant(
         grant_type=form_data.grant_type,
         login=form_data.username,
         password=form_data.password,
@@ -33,3 +41,25 @@ async def login(
         client_secret=form_data.client_secret,
     )
     return AuthTokenSchema.parse_obj(token)
+
+
+@router.get("/callback")
+async def auth_callback(
+    code: str,
+    state: str,
+    auth_provider: Annotated["KeycloakAuthProvider", Depends(Stub(AuthProvider))],
+):
+    if not validate_state(state):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid state parameter",
+        )
+    token = await auth_provider.get_token_authorization_code_grant(
+        code=code,
+        redirect_uri=auth_provider.settings.redirect_uri,
+    )
+    access_token = token["access_token"]
+    await auth_provider.get_current_user(access_token)
+    response = RedirectResponse(url="/")
+    response.set_cookie(key="access_token", value=access_token, httponly=True)
+    return AuthTokenSchema.parse_obj(token)
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
 
+from syncmaster.backend.dependencies.get_access_token import get_access_token
 from syncmaster.backend.dependencies.stub import Stub
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023-2024 MTS PJSC
+# SPDX-License-Identifier: Apache-2.0
+from fastapi import Request
+from fastapi.security.utils import get_authorization_scheme_param
+
+
+async def get_access_token(request: Request):
+    authorization = request.headers.get("Authorization")
+    scheme, token = get_authorization_scheme_param(authorization)
+    if not authorization or scheme.lower() != "bearer":
+        return None
+    return token
@@ -5,11 +5,13 @@
 
 from fastapi import HTTPException, Request, Response, status
 from fastapi.exceptions import RequestValidationError
+from fastapi.responses import RedirectResponse
 from pydantic import ValidationError
 
 from syncmaster.errors.base import APIErrorSchema, BaseErrorSchema
 from syncmaster.errors.registration import get_response_for_exception
 from syncmaster.exceptions import ActionNotAllowedError, SyncmasterError
+from syncmaster.exceptions.auth import AuthorizationError
 from syncmaster.exceptions.connection import (
     ConnectionDeleteError,
     ConnectionNotFoundError,
@@ -31,6 +33,7 @@
     QueueDeleteError,
     QueueNotFoundError,
 )
+from syncmaster.exceptions.redirect import RedirectException
 from syncmaster.exceptions.run import (
     CannotConnectToTaskQueueError,
     CannotStopRunError,
@@ -119,6 +122,14 @@ async def syncmsater_exception_handler(request: Request, exc: SyncmasterError):
             content=content,
         )
 
+    if isinstance(exc, RedirectException):
+        return RedirectResponse(url=exc.redirect_url)
+
+    if isinstance(exc, AuthorizationError):
+        content.code = "unauthorized"
+        content.message = "Not authenticated"
+        return exception_json_response(status=status.HTTP_401_UNAUTHORIZED, content=content)
+
     if isinstance(exc, ConnectionDeleteError):
         content.code = "conflict"
         return exception_json_response(status=status.HTTP_409_CONFLICT, content=content)
 
@@ -11,8 +11,15 @@ def apply_cors_middleware(app: FastAPI, settings: CORSSettings) -> FastAPI:
     if not settings:
         return app
 
+    origins = [
+        "http://localhost:3000",  # React app
+        "http://127.0.0.1:3000",  # Alternative localhost
+    ]
     app.add_middleware(
         CORSMiddleware,
-        **settings.dict(exclude={"enabled"}),
+        allow_origins=origins,  # Allow requests from the specified origins
+        allow_credentials=True,
+        allow_methods=["*"],  # Allow all HTTP methods (GET, POST, etc.)
+        allow_headers=["*"],  # Allow all headers
     )
     return app
@@ -1,3 +1,5 @@
 # SPDX-FileCopyrightText: 2023-2024 MTS PJSC
 # SPDX-License-Identifier: Apache-2.0
-from syncmaster.backend.providers.auth.base import AuthProvider
+from syncmaster.backend.providers.auth.base_provider import AuthProvider
+from syncmaster.backend.providers.auth.dummy_provider import DummyAuthProvider
+from syncmaster.backend.providers.auth.keycloak_provider import KeycloakAuthProvider
@@ -69,7 +69,7 @@ async def get_current_user(self, access_token: str) -> User:
         ...
 
     @abstractmethod
-    async def get_token(
+    async def get_token_password_grant(
         self,
         grant_type: str | None = None,
         login: str | None = None,
@@ -99,3 +99,16 @@ async def get_token(
                 }
         """
         ...
+
+    @abstractmethod
+    async def get_token_authorization_code_grant(
+        self,
+        code: str,
+        redirect_uri: str,
+        scopes: list[str] | None = None,
+        client_id: str | None = None,
+        client_secret: str | None = None,
+    ) -> dict[str, Any]:
+        """
+        Obtain a token using the Authorization Code grant.
+        """