oauth-login-demo/auth.py at master · niuchl/oauth-login-demo · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
from google.appengine.ext import webapp
from google.appengine.ext.webapp import util
from google.appengine.ext.webapp import template
from google.appengine.api import urlfetch
from django.utils import simplejson as json
from gaesessions import get_current_session

import logging
import endpoints
import os
import urllib

def get_params():
    return {
              'scope':endpoints.SCOPE,
              'state':'/profile',
              'redirect_uri': endpoints.REDIRECT_URI,
              'response_type': endpoints.RESPONSE_TYPE,
              'client_id':endpoints.CLIENT_ID
            }


def get_target_url():
    params = get_params()
    return endpoints.AUTH_ENDPOINT + '?' + urllib.urlencode(params)

def validate_access_token(access_token):
        # check the token audience using exact match (TOKENINFO)
        url = endpoints.TOKENINFO_ENDPOINT + '?access_token=' + access_token

        tokeninfo = json.loads(urlfetch.fetch(url).content)

        if('error' in tokeninfo) or (tokeninfo['audience'] != endpoints.CLIENT_ID):
            logging.warn('invalid access token = %s' % access_token)
            return False
        else:
            return True

class LogoutHandler(webapp.RequestHandler):
    def get(self):
        session = get_current_session()
        session.terminate()

        #need to clean this up...
        logouturl = 'https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&state=/profile&redirect_uri=http://localhost:8092/oauthcallback&response_type=token&client_id=812741506391.apps.googleusercontent.com'
        logoutparams = {'continue': logouturl}

        logging.info("encoded params == %s" % urllib.urlencode(logoutparams))

        self.redirect('https://accounts.google.com/logout?service=lso&%s' % urllib.urlencode(logoutparams))

class CallbackHandler(webapp.RequestHandler):
    def get(self):
        template_info = {
                          'catchtoken_uri' : endpoints.CATCHTOKEN_URI
                        }
        self.response.out.write(template.render('templates/scripthandler.html', template_info))

class CatchTokenHandler(webapp.RequestHandler):
    def get(self):
        session = get_current_session()
        a_t = self.request.get('access_token')

        if not validate_access_token(a_t):
            self.error(400)

        session.regenerate_id()
        session['access_token'] = a_t

class CodeHandler(webapp.RequestHandler):
    def get(self):
        a_c = self.request.get('code')
        logging.warn("Code: %s" % a_c)
        ac_payload = {
            'code':a_c,
            'client_id':endpoints.CLIENT_ID,
            'client_secret':endpoints.CLIENT_SECRET,
            'redirect_uri': endpoints.REDIRECT_URI,
            'grant_type':'authorization_code'
        }

        encoded_payload = urllib.urlencode(ac_payload)

        logging.info('encoded payload: %s' % encoded_payload)

        ac_result = json.loads(urlfetch.fetch(url=endpoints.CODE_ENDPOINT,
                                              payload=encoded_payload,
                                              method=urlfetch.POST,
                                              headers={'Content-Type':'application/x-www-form-urlencoded'}).content)

        logging.info('auth code exchange result: %s' % ac_result)

        a_t = ac_result['access_token']
        if not validate_access_token(a_t):
            self.error(400)

        session = get_current_session()
        session.regenerate_id()
        session['access_token'] = a_t

        self.redirect('/profile')


class ProfileHandler(webapp.RequestHandler):
    def get(self):
        session = get_current_session()
        template_info = {'target_url' : get_target_url()}

        if ('access_token' in session):
            # we need to validate the access_token (long-lived sessions, token might have timed out)
            if(validate_access_token(session['access_token'])):
                # get the user profile information (USERINFO)
                userinfo = json.loads(urlfetch.fetch(endpoints.USERINFO_ENDPOINT,
                                                    headers={'Authorization': 'Bearer ' + session['access_token']}).content)

                template_info = {
                                  'target_url' : get_target_url(),
                                  'userinfo' : userinfo
                                }

        self.response.out.write(template.render('templates/profileview.html', template_info))