WIP: OAuth: unbreak, get it to work

Author: intelfx

kvmd/apps/kvmd/api/auth.py

@@ -24,7 +24,7 @@
 
 from aiohttp.web import Request
 from aiohttp.web import Response
-from aiohttp.web_exceptions import HTTPNotFound, HTTPFound, HTTPUnauthorized
+from aiohttp.web_exceptions import HTTPNotFound, HTTPFound, HTTPUnauthorized, HTTPBadRequest
 
 from ....htserver import UnauthorizedError
 from ....htserver import ForbiddenError
@@ -41,6 +41,8 @@
 
 from ..auth import AuthManager
 
+from ....logging import get_logger
+
 
 # =====
 _COOKIE_AUTH_TOKEN = "auth_token"
@@ -139,7 +141,7 @@ async def __logout_handler(self, req: Request) -> Response:
     async def __check_handler(self, _: Request) -> Response:
         return make_json_response()
 
-    @exposed_http("GET", "/auth/oauth/providers", auth_required=False)
+    @exposed_http("GET", "/auth/oauth/providers", auth_required=False, allow_usc=False)
     async def __oauth_providers(self, request: Request) -> Response:
         """
         Return a json containing the available Providers with short_name and long_name and if oauth is enabled
@@ -153,7 +155,7 @@ async def __oauth_providers(self, request: Request) -> Response:
             response.update({'enabled': True, 'providers': self.__auth_manager.oauth_manager.get_providers()})
         return make_json_response(response)
 
-    @exposed_http("GET", "/auth/oauth/login/{provider}", auth_required=False)
+    @exposed_http("GET", "/auth/oauth/login/{provider}", auth_required=False, allow_usc=False)
     async def __oauth(self, request: Request) -> None:
         """
         Creates the redirect to the Provider specified in the URL. Checks if the provider is valid.
@@ -162,12 +164,13 @@ async def __oauth(self, request: Request) -> None:
         @return: redirect to provider
         """
         if self.__auth_manager.oauth_manager is None:
-            return
+            raise HTTPBadRequest(reason="Auth disabled")
+
         provider = format(request.match_info['provider'])
         if not self.__auth_manager.oauth_manager.valid_provider(provider):
             raise HTTPNotFound(reason="Unknown provider %s" % provider)
 
-        redirect_url = request.url.with_path(f"/api/auth/oauth/callback/{provider}/").with_scheme('https')
+        redirect_url = request.url.with_path(f"/api/auth/oauth/callback/{provider}").with_scheme("https")
         oauth_cookie = request.cookies.get(_COOKIE_OAUTH_SESSION, "")
 
         is_valid_session = await self.__auth_manager.oauth_manager.is_valid_session(provider, oauth_cookie)
@@ -186,7 +189,7 @@ async def __oauth(self, request: Request) -> None:
         # 302 redirect to provider:
         raise response
 
-    @exposed_http("GET", "/auth/oauth/callback/{provider}", auth_required=False)
+    @exposed_http("GET", "/auth/oauth/callback/{provider}", auth_required=False, allow_usc=False)
     async def __callback(self, request: Request) -> Response:
         """
         After successful login on the side of the provider, the user gets redirected here. If everything is correct,
@@ -195,7 +198,7 @@ async def __callback(self, request: Request) -> Response:
         @return:
         """
         if self.__auth_manager.oauth_manager is None:
-            return make_json_response()
+            raise HTTPBadRequest(reason="Auth disabled")
 
         if not request.match_info['provider']:
             raise HTTPUnauthorized(reason="Provider is missing")
@@ -210,19 +213,25 @@ async def __callback(self, request: Request) -> Response:
         if not self.__auth_manager.oauth_manager.is_redirect_from_provider(provider=provider, request_query=dict(request.query)):
             raise HTTPUnauthorized(reason="Authorization Code is missing")
 
-        redirect_url = request.url.with_query("").with_path(f"/api/auth/oauth/callback/{provider}").with_scheme('https')
+        redirect_url = request.url.with_path(f"/api/auth/oauth/callback/{provider}").with_scheme("https")
         user = await self.__auth_manager.oauth_manager.get_user_info(
             provider=provider,
             oauth_session=oauth_session,
             request_query=dict(request.query),
             redirect_url=redirect_url
         )
+        if not user:
+            raise ForbiddenError()
 
-        if self.__auth_manager.is_auth_enabled():
-            token = await self.__auth_manager.login_oauth(
-                user=valid_user(user)
-            )
-            if token:
-                return make_json_response(set_cookies={_COOKIE_AUTH_TOKEN: token})
+        token = await self.__auth_manager.login_oauth(
+            user=valid_user(user)
+        )
+        get_logger().info(f"OAUTH CALLBACK: {token=}")
+        if not token:
             raise ForbiddenError()
-        return make_json_response()
+
+        response = HTTPFound(
+            request.url.with_path("").with_scheme("https")
+        )
+        response.set_cookie(name=_COOKIE_AUTH_TOKEN, value=token, samesite="Lax", httponly=True)
+        return response

kvmd/apps/kvmd/auth.py

@@ -197,9 +197,15 @@ async def login_oauth(self, user: str) -> (str | None):
         assert self.__enabled
         assert self.oauth_manager
         token = self.__make_new_token()
-        self.__tokens[token] = user
-
-        get_logger().info("Logged in user with OAuth %r", user)
+        session = _Session(
+            user=user,
+            expire_ts=self.__make_expire_ts(0),
+        )
+        self.__sessions[token] = session
+        get_logger(0).info("Logged in via OAuth (user %r); expire=%s, sessions_now=%d",
+                           session.user,
+                           self.__format_expire_ts(session.expire_ts),
+                           self.__get_sessions_number(session.user))
         return token
 
     def __make_new_token(self) -> str:

kvmd/plugins/auth/oauth2.py

@@ -34,6 +34,8 @@
 from ...yamlconf import Option
 from . import OAuthService, OAuthException
 
+from ...logging import get_logger
+
 
 class Plugin(OAuthService):  # pylint: disable=too-many-instance-attributes
     def __init__(  # pylint: disable=too-many-arguments
@@ -156,7 +158,7 @@ async def get_user_info(
             try:
                 async with session.get(self.__user_info_url, headers=headers) as response:
                     user_info = await response.json()
-                    return user_info[self.__username_attribute]
+                    return user_info.get(self.__username_attribute, "_oauth_user_")
             except aiohttp.ClientConnectorError as error:
                 raise OAuthException(message="could not connect to provider! error message: %s" % str(error))