Diffstat (limited to 'qvisqve/token_router.py')
-rw-r--r-- | qvisqve/token_router.py | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/qvisqve/token_router.py b/qvisqve/token_router.py
index 911e899..c510b8b 100644
--- a/qvisqve/token_router.py
+++ b/qvisqve/token_router.py
@@ -26,10 +26,10 @@ import qvisqve_secrets
 
 class TokenRouter(qvisqve.Router):
 
-    def __init__(self, token_generator, clients):
+    def __init__(self, token_generator, clients, authz_attempts):
         qvisqve.log.log('debug', msg_text='TokenRouter init starts')
         super().__init__()
-        args = (clients, token_generator)
+        args = (clients, token_generator, authz_attempts)
         self._grants = {
             'client_credentials': ClientCredentialsGrant(*args),
             'authorization_code': AuthorizationCodeGrant(*args),
@@ -75,9 +75,10 @@ class TokenRouter(qvisqve.Router):
 
 class Grant:
 
-    def __init__(self, clients, generator):
+    def __init__(self, clients, generator, authz_attempts):
         self._clients = clients
         self._generator = generator
+        self._attempts = authz_attempts
 
 
 class ClientCredentialsGrant(Grant):
@@ -123,11 +124,32 @@ class ClientCredentialsGrant(Grant):
 class AuthorizationCodeGrant(Grant):
 
     def get_token(self, request, params):
+        client_id, client_secret = request.auth
+        if not self._clients.is_valid_secret(client_id, client_secret):
+            qvisqve.log.log('error', msg_text='Invalid client creds given')
+            return qvisqve.unauthorized_response('Access denied')
+
         code = self._get_code(params)
-        # FIXME
-        if code is None or code != '123':
-            return qvisqve.unauthorized_response('Unauthorized')
-        empty_token = self._generator.new_token('', '')
+        if code is None:
+            qvisqve.log.log('error', msg_text='No code given')
+            return qvisqve.unauthorized_response('Access denied')
+
+        aa = self._attempts.find_by_code(code)
+        if aa is None:
+            qvisqve.log.log('error', msg_text='Unknown code given', code=code)
+            return qvisqve.unauthorized_response('Access denied')
+
+        subject_id = aa.get_subject_id()
+        scope = aa.get_scope()
+        allowed = self._clients.get_allowed_scopes(client_id)
+        scope = ' '.join(
+            s
+            for s in scope.split()
+            if s in allowed
+        )
+
+        empty_token = self._generator.new_token(
+            '', scope, subject_id=subject_id)
         return qvisqve.ok_response({
             'access_token': empty_token,
             'token_type': 'Bearer',
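Review bot: The authorization code looked up at `aa = self._attempts.find_by_code(code)` in AuthorizationCodeGrant.get_token is never tied to the client that authenticated a few lines above, so any client with a valid secret can redeem a code that was issued for a different client, and nothing in the hunk consumes the code or checks its age, so the same code can be exchanged repeatedly until the attempt is removed somewhere else. RFC 6749 §4.1.3 requires both the client match and single use; the minimal fix is a guard such as `if aa.get_client_id() != client_id: return qvisqve.unauthorized_response('Access denied')` right after the `aa is None` check, plus removing the attempt from the store once the token has been issued — the accessor and removal method names are guesses from the visible `get_subject_id`/`get_scope` pattern and must be confirmed against the authz_attempts implementation. A smaller point: `client_id, client_secret = request.auth` raises if the request carries no credentials and `request.auth` is `None`, which would surface as a 500 instead of the 401 the bad-secret branch returns, unless the framework guarantees the attribute is always a pair. The body of get_token continues past the end of the hunk.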