This commit serves two main purposes. First, it merges the code for the two authentication providers, Azure and generic OAuth. To do this, we no longer rely on the Azure-specific MSAL library, but use the more general library that we already use for the non-Azure providers. Second, we change our authentication scheme from a bearer token sent in the Authorization header and stored in a frontend service to secure cookies. This closes one XSS attack vector (token theft), since the tokens are no longer readable by client-side script.
1 parent
7b8e50e
commit 8ca343b
Showing
38 changed files
with
522 additions
and
857 deletions.
@@ -1,23 +1,2 @@ | ||
# SPDX-FileCopyrightText: Copyright DB InfraGO AG and contributors | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
|
||
from importlib import metadata | ||
|
||
from capellacollab.config import config | ||
|
||
|
||
def get_authentication_entrypoint(): | ||
try: | ||
ep = next( | ||
i | ||
for i in metadata.entry_points().select( | ||
group="capellacollab.authentication.providers" | ||
) | ||
if i.name == config.authentication.provider | ||
) | ||
return ep | ||
except StopIteration: | ||
raise ValueError( | ||
"Unknown authentication provider " + config.authentication.provider | ||
) from None |
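--- /dev/null
+++ b/backend/capellacollab/core/authentication/api_key_cookie.py
@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: Copyright DB InfraGO AG and contributors
+# SPDX-License-Identifier: Apache-2.0
+
+import logging
+import typing as t
+
+import fastapi
+from fastapi import security
+from jose import exceptions as jwt_exceptions
+from jose import jwt
+
+from capellacollab.config import config
+
+from . import exceptions, keystore
+
+log = logging.getLogger(__name__)
+
+
+class JWTAPIKeyCookie(security.APIKeyCookie):
+    def __init__(self):
+        super().__init__(name="id_token", auto_error=True)
+
+    async def __call__(self, request: fastapi.Request) -> str:
+        token: str | None = await super().__call__(request)
+
+        if not token:
+            raise exceptions.UnauthenticatedError()
+
+        token_decoded = self.validate_token(token)
+        return self.get_username(token_decoded)
+
+    def get_username(self, token_decoded: dict[str, str]) -> str:
+        return token_decoded[config.authentication.jwt.username_claim].strip()
+
+    def validate_token(self, token: str) -> dict[str, t.Any]:
+        try:
+            jwt_cfg = keystore.get_jwk_cfg(token)
+        except Exception:
+            log.exception(
+                "Couldn't determine JWK configuration", exc_info=True
+            )
+            raise exceptions.JWTInvalidToken()
+        try:
+            return jwt.decode(token, **jwt_cfg)
+        except jwt_exceptions.ExpiredSignatureError:
+            raise exceptions.TokenSignatureExpired()
+        except (jwt_exceptions.JWTError, jwt_exceptions.JWTClaimsError):
+            log.exception("JWT validation failed", exc_info=True)
+            raise exceptions.JWTValidationFailed()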
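Review bot: `get_username` indexes `token_decoded[config.authentication.jwt.username_claim]` directly, so a correctly signed token that lacks the configured claim (or carries a non-string value) raises `KeyError`/`AttributeError` and surfaces as an unhandled server error rather than an authentication failure; wrap the lookup as `try: return token_decoded[config.authentication.jwt.username_claim].strip()` / `except (KeyError, AttributeError): raise exceptions.JWTValidationFailed() from None` (or a dedicated exception) and change the parameter annotation to `dict[str, t.Any]` to match what `validate_token` returns. In `__init__`, `auto_error=True` makes `security.APIKeyCookie.__call__` raise FastAPI's own 403 `HTTPException` when the `id_token` cookie is absent, so the `if not token` branch in `__call__` is effectively unreachable and the missing-cookie path bypasses `exceptions.UnauthenticatedError`; passing `auto_error=False` would route that case through the project's exception. `validate_token` delegates every verification parameter to `keystore.get_jwk_cfg`, which is outside this file, so it is worth confirming there that `algorithms`, `audience` and `issuer` are pinned from configuration rather than taken from the token itself. Because the token now arrives in a cookie, a browser may attach it to cross-site requests depending on the cookie's `SameSite` attribute (set elsewhere, not in this file), so endpoints guarded by this dependency need CSRF protection that a header-borne bearer token did not. The `exc_info=True` arguments on both `log.exception` calls are redundant, since `log.exception` already records the traceback.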