api: implement logout endpoint
This commit is contained in:
parent
a1aa89132d
commit
07c72c752f
3 changed files with 200 additions and 64 deletions
|
|
@ -20,17 +20,25 @@ async def get_oidc_client(req: Request) -> OpenidClient:
|
|||
OpenidClient = Annotated[OpenidClient, Depends(get_oidc_client)]
|
||||
|
||||
|
||||
async def get_current_user(req: Request, resp: Response, oidc_client: OpenidClient) -> Optional[models.CurrentUser]:
|
||||
async def get_current_user(
|
||||
req: Request, resp: Response, oidc_client: OpenidClient
|
||||
) -> Optional[models.CurrentUser]:
|
||||
# easiest case: we still have an access token (which is the most fleeting component)
|
||||
# everything else should still be valid so we can just use it
|
||||
if all(i in req.cookies for i in ("access_token", "id_token", "auth_nonce")):
|
||||
logger.debug("user is fully authenticated, returning current user from existing id_token")
|
||||
id_token = oidc_client.decode_id_token(req.cookies["id_token"], nonce=req.cookies["auth_nonce"])
|
||||
return models.CurrentUser(id_token=id_token)
|
||||
logger.debug(
|
||||
"user is fully authenticated, returning current user from existing id_token"
|
||||
)
|
||||
id_token = oidc_client.decode_id_token(
|
||||
req.cookies["id_token"], nonce=req.cookies["auth_nonce"]
|
||||
)
|
||||
return models.CurrentUser(id_token=id_token, raw_id_token=req.cookies["id_token"])
|
||||
|
||||
# if we have a refresh token, try to get new tokens
|
||||
if all(i in req.cookies for i in ("refresh_token", "auth_nonce")):
|
||||
logger.debug("user has been previously authenticated, trying to recover with refresh_token")
|
||||
logger.debug(
|
||||
"user has been previously authenticated, trying to recover with refresh_token"
|
||||
)
|
||||
auth_start_time = datetime.now(UTC)
|
||||
token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"])
|
||||
if isinstance(token_resp, TokenSuccessResponse):
|
||||
|
|
@ -38,16 +46,24 @@ async def get_current_user(req: Request, resp: Response, oidc_client: OpenidClie
|
|||
|
||||
# return the newly gotten info
|
||||
id_token = oidc_client.decode_id_token(token_resp.id_token)
|
||||
return models.CurrentUser(id_token=id_token)
|
||||
|
||||
return models.CurrentUser(id_token=id_token, raw_id_token=token_resp.id_token)
|
||||
|
||||
# otherwise we can't meaningfully recover any user information or the user is simply not authenticated
|
||||
logger.debug("no currently authenticated user")
|
||||
raise exceptions.HttpProblemException(models.HttpProblemDetail.new_unauthorized(req.url))
|
||||
raise exceptions.HttpProblemException(
|
||||
models.HttpProblemDetail.new_unauthorized(req.url)
|
||||
)
|
||||
|
||||
|
||||
def persist_auth_state(oidc_client: OpenidClient, resp: Response, tokens: TokenSuccessResponse, auth_start_time: datetime, token_nonce: Optional[str] = None):
|
||||
def persist_auth_state(
|
||||
oidc_client: OpenidClient,
|
||||
resp: Response,
|
||||
tokens: TokenSuccessResponse,
|
||||
auth_start_time: datetime,
|
||||
token_nonce: Optional[str] = None,
|
||||
):
|
||||
now = datetime.now(UTC)
|
||||
|
||||
|
||||
# extract the ID token now to validate its authenticity and properly set the cookie lifetime
|
||||
id_token = oidc_client.decode_id_token(tokens.id_token, nonce=token_nonce)
|
||||
|
||||
|
|
@ -56,17 +72,53 @@ def persist_auth_state(oidc_client: OpenidClient, resp: Response, tokens: TokenS
|
|||
id_max_age = datetime.fromtimestamp(id_token.exp, UTC) - now
|
||||
nonce_max_age = max(at_max_age, id_max_age)
|
||||
if tokens.refresh_token is not None and tokens.refresh_expires_in is not None:
|
||||
rt_max_age = auth_start_time - now + timedelta(seconds=tokens.refresh_expires_in)
|
||||
rt_max_age = (
|
||||
auth_start_time - now + timedelta(seconds=tokens.refresh_expires_in)
|
||||
)
|
||||
nonce_max_age = max(at_max_age, rt_max_age, id_max_age)
|
||||
if token_nonce is None:
|
||||
nonce_max_age = timedelta(0)
|
||||
|
||||
# update cookies
|
||||
resp.set_cookie("access_token", tokens.access_token, max_age=int(at_max_age.total_seconds()), httponly=True, secure=True)
|
||||
resp.set_cookie(
|
||||
"access_token",
|
||||
tokens.access_token,
|
||||
max_age=int(at_max_age.total_seconds()),
|
||||
httponly=True,
|
||||
secure=True,
|
||||
)
|
||||
if tokens.refresh_token is not None and tokens.refresh_expires_in is not None:
|
||||
resp.set_cookie("refresh_token", tokens.refresh_token, max_age=int(rt_max_age.total_seconds()), httponly=True, secure=True)
|
||||
resp.set_cookie("id_token", tokens.id_token, max_age=int(id_max_age.total_seconds()), httponly=True, secure=True)
|
||||
resp.set_cookie("auth_nonce", token_nonce, max_age=int(nonce_max_age.total_seconds()), httponly=True, secure=True)
|
||||
resp.set_cookie(
|
||||
"refresh_token",
|
||||
tokens.refresh_token,
|
||||
max_age=int(rt_max_age.total_seconds()),
|
||||
httponly=True,
|
||||
secure=True,
|
||||
)
|
||||
resp.set_cookie(
|
||||
"id_token",
|
||||
tokens.id_token,
|
||||
max_age=int(id_max_age.total_seconds()),
|
||||
httponly=True,
|
||||
secure=True,
|
||||
)
|
||||
resp.set_cookie(
|
||||
"auth_nonce",
|
||||
token_nonce,
|
||||
max_age=int(nonce_max_age.total_seconds()),
|
||||
httponly=True,
|
||||
secure=True,
|
||||
)
|
||||
|
||||
|
||||
def clear_auth_state(resp: Response):
|
||||
resp.set_cookie("access_token", "", max_age=0)
|
||||
resp.set_cookie("refresh_token", "", max_age=0)
|
||||
resp.set_cookie("id_token", "", max_age=0)
|
||||
resp.set_cookie("auth_nonce", "", max_age=0)
|
||||
resp.set_cookie("auth_next", "", max_age=0)
|
||||
resp.set_cookie("auth_state", "", max_age=0)
|
||||
resp.set_cookie("auth_start_time", "", max_age=0)
|
||||
|
||||
|
||||
CurrentUser = Annotated[Optional[models.CurrentUser], Depends(get_current_user)]
|
||||
|
|
@ -84,4 +136,3 @@ def get_ccujack(req: Request) -> CCUJackClient:
|
|||
|
||||
|
||||
CCUJackClient = Annotated[CCUJackClient, Depends(get_ccujack)]
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue