[Feature] add logout and session abilities

Author: pratapaprasanna

authenticator/adapters/db/api.py

@@ -14,7 +14,15 @@ def get_all_users(self):
             output.append({"name": user["name"], "email": user["email"]})
         return jsonify({"result": output})
 
-    def add_users(self, name, email, creation_time, provider=None, user_type="user"):
+    def add_users(
+        self,
+        name,
+        email,
+        creation_time,
+        user_type="user",
+        provider=None,
+        provider_id=None,
+    ):
         try:
             collection = self.client.db["users"]
             count = collection.count_documents({"email": email})
@@ -24,6 +32,7 @@ def add_users(self, name, email, creation_time, provider=None, user_type="user")
                         "name": name,
                         "email": email,
                         "provider": provider,
+                        "provider_id": provider_id,
                         "creation_time": creation_time,
                         "user_type": user_type,
                     }

authenticator/adapters/login/google_adapter.py

@@ -0,0 +1,34 @@
+import requests
+import google.auth.transport.requests
+
+from google.oauth2 import id_token
+from google_auth_oauthlib.flow import Flow
+from cachecontrol import CacheControl
+
+from authenticator.utils import utils
+
+
+class GoogleLoginAdapter(object):
+    def __init__(self):
+        self.google_obj = utils.read_config()["auth"]["google"]
+        self.flow = Flow.from_client_secrets_file(
+            client_secrets_file=self.google_obj["secrets_file"],
+            scopes=self.google_obj["scopes"],
+            redirect_uri="http://127.0.0.1:5000/callback",
+        )
+
+    def get_basic_info(self, request, session):
+        self.flow.fetch_token(authorization_response=request.url)
+        if not session["state"] == request.args["state"]:
+            abort(500)  # State does not match!
+
+        credentials = self.flow.credentials
+        request_session = requests.session()
+        cached_session = CacheControl(request_session)
+        token_request = google.auth.transport.requests.Request(session=cached_session)
+        id_info = id_token.verify_oauth2_token(
+            id_token=credentials._id_token,
+            request=token_request,
+            audience=self.google_obj["google_client_id"],
+        )
+        return id_info

authenticator/adapters/login/loginmanager.py

@@ -1,12 +1,10 @@
 import os
+import requests
 
-from flask import Flask
-from flask import jsonify
-from flask import request, url_for, redirect, session
-from flask_login import logout_user
+from flask import Flask, session, url_for, abort, redirect, request
 
 from authenticator.adapters.db import api as db_api
-from authenticator.adapters.login import loginmanager
+from authenticator.adapters.login import google_adapter
 from authenticator.utils import utils
 
 database = os.environ.get("db", "authenticator")
@@ -16,69 +14,81 @@
 app = Flask(__name__)
 app.config["MONGO_URI"] = f"mongodb://{host}:{port}/{database}"
 app.config["SECRET_KEY"] = "b9dd1b2f"
+os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
 app.config["GOOGLE_CLIENT_ID"] = os.environ.get("GOOGLE_CLIENT_ID", None)
 app.config["GOOGLE_CLIENT_SECRET"] = os.environ.get("GOOGLE_CLIENT_SECRET", None)
 
 
 db_obj = db_api.MongoAdapters(app)
-login_obj = loginmanager.loginManager(app)
+google_adapter_obj = google_adapter.GoogleLoginAdapter()
+
+
+def login_is_required(function):
+    def wrapper(*args, **kwargs):
+        if "google_id" not in session:
+            return abort(401)  # Authorization required
+        else:
+            return function()
+
+    return wrapper
 
 
 @app.route("/users", methods=["GET"])
 def get_users():
     return db_obj.get_all_users()
 
 
-@app.route("/", methods=["GET"])
+@app.route("/")
 def index():
-    return "Welcome to nomad Authenticator."
+    return "Hello World <a href='/googlelogin'><button>Sign Up with google</button></a>"
 
 
-def add_users(name, email, provider):
+def add_users(name, email, provider=None, provider_id=None):
     if email == "[email protected]":
-        print("HELOO")
         return db_obj.add_users(
-            name, email, utils.get_current_time(), provider, "admin"
+            name, email, utils.get_current_time(), "admin", provider, provider_id
         )
-    return db_obj.add_users(name, email, utils.get_current_time(), provider, "user")
-
-
-@app.route("/login/google")
-def google_login():
-    login_obj.auth.register(
-        name="google",
-        client_id=app.config["GOOGLE_CLIENT_ID"],
-        client_secret=app.config["GOOGLE_CLIENT_SECRET"],
-        access_token_url="https://accounts.google.com/o/oauth2/token",
-        access_token_params=None,
-        authorize_url="https://accounts.google.com/o/oauth2/auth",
-        authorize_params=None,
-        api_base_url="https://www.googleapis.com/oauth2/v1/",
-        userinfo_endpoint="https://openidconnect.googleapis.com/v1/userinfo",
-        client_kwargs={"scope": "openid email profile"},
+    return db_obj.add_users(
+        name, email, utils.get_current_time(), "user", provider=None, provider_id=None
     )
-    google = login_obj.auth.create_client("google")
-    redirect_uri = url_for("google_authorize", _external=True)
-    return google.authorize_redirect(redirect_uri)
 
 
-@app.route("/login/google/authorize")
-def google_authorize():
-    google = login_obj.auth.create_client("google")
-    try:
-        token = google.authorize_access_token()
-        resp = google.get("userinfo").json()
-        return add_users(resp["name"], resp["email"], "google")
-    except Exception:
-        return redirect("/login/google")
+@app.route("/googlelogin")
+def login():
+    authorization_url, state = google_adapter_obj.flow.authorization_url()
+    session["state"] = state
+    return redirect(authorization_url)
+
+
+@app.route("/callback")
+def callback():
+    id_info = google_adapter_obj.get_basic_info(request, session)
+    if not session["state"] == request.args["state"]:
+        abort(500)  # State does not match!
+
+    name = id_info.get("name")
+    email = id_info.get("email")
+    google_id = id_info.get("sub")
+    session["google_id"] = google_id
+    session["name"] = name
+    session["email"] = email
+    add_users(name, email, "google", google_id)
+    return redirect("/protected_area")
 
 
 @app.route("/logout")
-def user_logout():
-    for key in list(session.keys()):
-        session.pop(key)
+def logout():
+    session.clear()
     return redirect("/")
 
 
+@app.route("/protected_area")
+@login_is_required
+def protected_area():
+    return (
+        f"Hello {session['name']}! <br/> <a href='/logout'><button>Logout</button></a>"
+    )
+
+
 if __name__ == "__main__":
     app.run(debug=True, host="0.0.0.0", port=5000)

authenticator/app.py

@@ -1,5 +1,12 @@
+import json
 import time
 
 
 def get_current_time():
     return int(time.time()) * 1000
+
+
+def read_config():
+    with open("config.json") as fp:
+        data = json.load(fp)
+    return data

authenticator/utils/utils.py

@@ -0,0 +1 @@
+{"web":{"client_id":"1034883885605-gvj78f1cg3urngprb0jjfr3p0olqh8tr.apps.googleusercontent.com","project_id":"horizontal-cab-234208","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"jPbO8Hxm20DkefDqmD4EyhCs","redirect_uris":["http://127.0.0.1:5000/login/google/authorize","http://127.0.0.1:7000/token", "http://127.0.0.1:5000/callback"],"javascript_origins":["http://127.0.0.1:5000","http://127.0.0.1:7000"]}}

client_secret.json

@@ -0,0 +1,18 @@
+{
+    "auth":{
+        "google": {
+            "access_token_url": "https://accounts.google.com/o/oauth2/token",
+            "authorize_url": "https://accounts.google.com/o/oauth2/auth",
+            "api_base_url":"https://www.googleapis.com/oauth2/v1/",
+            "userinfo_endpoint":"https://openidconnect.googleapis.com/v1/userinfo",
+            "secrets_file": "client_secret.json",
+            "redirect_uri": "http://127.0.0.1:5000/callback",
+            "google_client_id": "1034883885605-gvj78f1cg3urngprb0jjfr3p0olqh8tr.apps.googleusercontent.com",
+            "scopes": [
+                "https://www.googleapis.com/auth/userinfo.profile",
+                "https://www.googleapis.com/auth/userinfo.email",
+                "openid"
+            ]
+        }
+    }
+}