Merge pull request #1 from uc-cdis/feat/update-oauth

feat(update-oauth): update final step in auth

Author: rudyardrichter

cdis_oauth2client/__init__.py

@@ -7,4 +7,4 @@
 from .blueprint import blueprint
 from .client import OAuth2Client
 from .exceptions import OAuth2Error
-from .oauth2 import authorize
+from .oauth2 import get_username

cdis_oauth2client/blueprint.py

@@ -18,8 +18,6 @@
 import flask
 from flask import current_app
 
-from .oauth2 import authorize
-
 
 blueprint = flask.Blueprint('oauth', 'oauth_v0')
 
@@ -33,22 +31,19 @@ def get_authorization_url():
 @blueprint.route('/authorize', methods=['GET'])
 def do_authorize():
     """
-    Call ``authorize`` to authorize the user (authorize returns the username)
-    and store the username in the Flask session.
+    Call ``authorize`` to authorize the user by storing the access_token cookie
+    received from the OAuth2Client.
     """
-    flask.session['username'] = authorize(
-        current_app.oauth2,
-        current_app.config['USER_API'],
-        flask.request.args.get('code')
-    )
+    code = flask.request.args.get('code')
+    flask.session['access_token'] = current_app.oauth2.get_access_token(code)
     return ''
 
 
 @blueprint.route('/logout', methods=['GET'])
 def logout_oauth():
     """
     Log out the user by clearing the Flask session (thus removing the
-    username from the session).
+    access_token from the session).
     """
     flask.session.clear()
     return ''

cdis_oauth2client/client.py

@@ -7,9 +7,10 @@
 import urllib
 import urlparse
 
+from cdispyutils.log import get_logger
 import requests
 
-from cdispyutils.log import get_logger
+from .exceptions import OAuth2Error
 
 
 _PDC = 'https://bionimbus-pdc.opensciencedatacloud.org/api/oauth2/'
@@ -68,14 +69,6 @@ def authorization_url(self):
         })
         return urlparse.urljoin(self.oauth_provider, 'authorize') + '?' + tail
 
-    def get_authorization_url(self):
-        """
-        Simply return the authorization URL.
-
-        Helper function useful for adding Flask URL rules, for example.
-        """
-        return self.authorization_url
-
     def _post_to_internal_oauth(self, data):
         """
         Post data to the URL at ``self.internal_oauth``.
@@ -105,15 +98,16 @@ def get_token(self, code):
 
         An example of the credentials returned:
 
-            {u'access_token': u'9ydWQi1SqGU82hAGf8M0JoNJbXhxQ1',
-             u'expires_in': 3600,
-             u'refresh_token': u'Ll6PfksjrCSJHtkEQV41mRRbR4tUxU',
-             u'scope': u'user',
-             u'token_type': u'Bearer'}
+            {
+                u'access_token': u'9ydWQi1SqGU82hAGf8M0JoNJbXhxQ1',
+                u'expires_in': 3600, u'refresh_token':
+                u'Ll6PfksjrCSJHtkEQV41mRRbR4tUxU', u'scope': u'user',
+                u'token_type': u'Bearer'
+            }
 
         :param code: usually flask.request.args.get('code')
         :type code: str
-        :return: dictionary of OAuth credentials
+        :return: dictionary of OAuth credentials (see above)
         :rtype: dict
         """
         # Formulate the data for posting to the OAuth provider.
@@ -126,6 +120,19 @@ def get_token(self, code):
         }
         return self._post_to_internal_oauth(data)
 
+    def get_access_token(self, code):
+        """
+        Get specifically the access_token from the OAuth token response.
+        """
+        token_response = self.get_token(code)
+        access_token = token_response.get('access_token')
+        if not access_token:
+            raise OAuth2Error(
+                message='did not receive access token',
+                json=token_response
+            )
+        return access_token
+
     def refresh_token(self, refresh_token):
         """
         Refresh the OAuth access token.

cdis_oauth2client/oauth2.py

@@ -1,53 +1,55 @@
 """
 cdis_oauth2client.oauth2
-
-Provides :py:func:``authorize`` to perform the OAuth2 authorization. Note that
-this module should be kept entirely Flask-agnostic, i.e. Flask should not be
-imported here and :py:func:``authorize`` should accept an ``OAuth2Client`` with
-a ``get_token`` method, in order to modularize the logic.
 """
 
+import flask
 import requests
 
 from .exceptions import OAuth2Error
 
 
-def authorize(oauth_client, user_api, code):
+def get_username(user_api=None):
     """
-    Authorize an OAuth client.
+    Given the URL for the user API, call user-api to get the username for the
+    current flask session using the current access_token cookie.
+
+    For this function to get the username, the user must already be
+    authenticated with an access_token cookie stored in the flask session:
+
+        flask.session['access_token']
+
+    If the `user_api` argument is not provided, get the user API URL from:
+
+        flask.current_app.config['USER_API']
 
-    :param oauth_client: the OAuth2 client to authorize
-    :type oauth_client: OAuth2Client
     :param user_api: URL for the user API
     :type user_api: str
-    :param code: will usually be flask.request.args.get('code')
-    :type code: str
-    :return: the username
+    :return: the username:
     :rtype: str
     """
-    if not code:
-        raise OAuth2Error('no authorization code provided')
-
-    token_response = oauth_client.get_token(code)
-    access_token = token_response.get('access_token')
-    if not access_token:
-        raise OAuth2Error(
-            message='did not receive access token in response from client',
-            json=token_response
-        )
+    if user_api is None:
+        try:
+            user_api = flask.current_app.config['USER_API']
+        except KeyError as e:
+            raise OAuth2Error("'USER_API' not set in flask.current_app.config")
 
     try:
-        headers = {'Authorization': 'Bearer ' + access_token}
-        request = requests.get(user_api + 'user/', headers=headers)
-        user_api_response = request.json()
+        access_token = flask.session['access_token']
+    except KeyError:
+        code = flask.request.args.get('code')
+        if code is None:
+            raise OAuth2Error('could not obtain access token')
+        access_token = flask.current_app.oauth2.get_access_token(code)
+
+    url = user_api + 'user/'
+    headers = {'Authorization': 'Bearer ' + access_token}
+    try:
+        response = requests.get(url, headers=headers).json()
     except requests.RequestException as e:
-        raise OAuth2Error(
-            'failed to get user info due to requests exception: {}'.format(e)
-        )
-    except Exception as e:
-        raise OAuth2Error('failed due to unexpected exception: {}'.format(e))
-
-    username = user_api_response.get('username')
-    if not username:
-        raise OAuth2Error(json=user_api_response)
+        msg = 'failed to get username due to requests exception: {}'
+        raise OAuth2Error(msg.format(e))
+    username = response.get('username')
+    if username is None:
+        msg = 'username missing from response: {}'
+        raise OAuth2Error(msg.format(response))
     return username