api: tentatively make auth_nonce optional after token refresh
This commit is contained in:
parent
41fd939d30
commit
5bdf04cbb6
1 changed files with 5 additions and 4 deletions
|
|
@ -4,6 +4,7 @@ from datetime import datetime, UTC, timedelta
|
||||||
from fastapi import Request, Depends, Response
|
from fastapi import Request, Depends, Response
|
||||||
from simple_openid_connect.data import TokenSuccessResponse
|
from simple_openid_connect.data import TokenSuccessResponse
|
||||||
from simple_openid_connect.client import OpenidClient
|
from simple_openid_connect.client import OpenidClient
|
||||||
|
from simple_openid_connect.exceptions import ValidationError
|
||||||
|
|
||||||
from dooris_api import models, exceptions
|
from dooris_api import models, exceptions
|
||||||
from dooris_api.ccujack import CCUJackClient
|
from dooris_api.ccujack import CCUJackClient
|
||||||
|
|
@ -24,19 +25,19 @@ async def get_current_user(
|
||||||
) -> Optional[models.CurrentUser]:
|
) -> Optional[models.CurrentUser]:
|
||||||
# easiest case: we still have an access token (which is the most fleeting component)
|
# easiest case: we still have an access token (which is the most fleeting component)
|
||||||
# everything else should still be valid so we can just use it
|
# everything else should still be valid so we can just use it
|
||||||
if all(i in req.cookies for i in ("access_token", "id_token", "auth_nonce")):
|
if all(i in req.cookies for i in ("access_token", "id_token")):
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"user is fully authenticated, returning current user from existing id_token"
|
"user is fully authenticated, returning current user from existing id_token"
|
||||||
)
|
)
|
||||||
id_token = oidc_client.decode_id_token(
|
id_token = oidc_client.decode_id_token(
|
||||||
req.cookies["id_token"], nonce=req.cookies["auth_nonce"]
|
req.cookies["id_token"], nonce=req.cookies.get("auth_nonce", None),
|
||||||
)
|
)
|
||||||
return models.CurrentUser(
|
return models.CurrentUser(
|
||||||
id_token=id_token, raw_id_token=req.cookies["id_token"]
|
id_token=id_token, raw_id_token=req.cookies["id_token"]
|
||||||
)
|
)
|
||||||
|
|
||||||
# if we have a refresh token, try to get new tokens
|
# if we have a refresh token, try to get new tokens
|
||||||
elif all(i in req.cookies for i in ("refresh_token", "auth_nonce")):
|
elif all(i in req.cookies for i in ("refresh_token",)):
|
||||||
logger.debug(
|
logger.debug(
|
||||||
"user has been previously authenticated, trying to recover with refresh_token"
|
"user has been previously authenticated, trying to recover with refresh_token"
|
||||||
)
|
)
|
||||||
|
|
@ -44,7 +45,7 @@ async def get_current_user(
|
||||||
token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"])
|
token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"])
|
||||||
if isinstance(token_resp, TokenSuccessResponse):
|
if isinstance(token_resp, TokenSuccessResponse):
|
||||||
logger.debug("successfully got new tokens from refresh token")
|
logger.debug("successfully got new tokens from refresh token")
|
||||||
persist_auth_state(oidc_client, resp, token_resp, auth_start_time, req.cookies["auth_nonce"])
|
persist_auth_state(oidc_client, resp, token_resp, auth_start_time, None)
|
||||||
|
|
||||||
# return the newly gotten info
|
# return the newly gotten info
|
||||||
id_token = oidc_client.decode_id_token(token_resp.id_token)
|
id_token = oidc_client.decode_id_token(token_resp.id_token)
|
||||||
|
|
|
||||||
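Review bot: In the first branch of get_current_user (second hunk, `nonce=req.cookies.get("auth_nonce", None)`), the nonce comparison is now skipped whenever the `auth_nonce` cookie is absent, and since cookies are supplied by the client, any caller can drop that cookie and present an `id_token` that would previously have failed the nonce check; this holds if `decode_id_token` with `nonce=None` skips the comparison, which the hunk does not show but the change seems to rely on. The refresh path legitimately has no nonce (the refreshed ID token is decoded without one on the unchanged `decode_id_token(token_resp.id_token)` line), so the distinction worth making is "token obtained via refresh" rather than "cookie happens to be missing"; one option is to keep the cookie optional but, if the decoded `IdToken` exposes a `nonce` claim, reject the case where the token carries a nonce and no `auth_nonce` cookie was presented, e.g. `if getattr(id_token, "nonce", None) is not None and "auth_nonce" not in req.cookies: raise exceptions.AuthError(...)` (use whatever error type the module already raises here). A short comment on that line would also help the next reader, e.g. `# auth_nonce is absent after a refresh_token exchange; the refreshed id_token carries no nonce`. Minor style: `req.cookies.get("auth_nonce")` already defaults to `None`, so the explicit `, None` is redundant. get_current_user starts before the second hunk and continues past the third.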