aiohttp-msal 1.0.4__py3-none-any.whl → 1.0.6__py3-none-any.whl

aiohttp_msal/__init__.py

@@ -15,7 +15,7 @@ from aiohttp_msal.msal_async import AsyncMSAL
 from aiohttp_msal.settings import ENV
 from aiohttp_msal.utils import retry
 
-_LOGGER = logging.getLogger(__name__)
+_LOG = logging.getLogger(__name__)
 
 _T = TypeVar("_T")
 Ts = TypeVarTuple("Ts")
@@ -107,7 +107,7 @@ async def app_init_redis_session(
     else:
         await check_proxy()
 
-    _LOGGER.info("Connect to Redis %s", ENV.REDIS)
+    _LOG.info("Connect to Redis %s", ENV.REDIS)
     try:
         ENV.database = from_url(ENV.REDIS)
         # , encoding="utf-8", decode_responses=True

aiohttp_msal/helpers.py

@@ -1,18 +1,19 @@
 """Graph User Info."""
 
 from collections.abc import Mapping, Sequence
-from typing import Any, Literal, TypeVar
+from typing import TYPE_CHECKING, Any
 
 from aiohttp import web
-from aiohttp_session import get_session
 
-from aiohttp_msal import ENV
-from aiohttp_msal.msal_async import AsyncMSAL
+from aiohttp_msal.settings import ENV
 from aiohttp_msal.utils import retry
 
+if TYPE_CHECKING:
+    from aiohttp_msal.msal_async import AsyncMSAL
+
 
 @retry
-async def get_user_info(aiomsal: AsyncMSAL) -> None:
+async def get_user_info(aiomsal: "AsyncMSAL") -> None:
     """Load user info from MS graph API. Requires User.Read permissions."""
     async with aiomsal.get("https://graph.microsoft.com/v1.0/me") as res:
         body = await res.json()
@@ -26,7 +27,7 @@ async def get_user_info(aiomsal: AsyncMSAL) -> None:
 
 
 @retry
-async def get_manager_info(aiomsal: AsyncMSAL) -> None:
+async def get_manager_info(aiomsal: "AsyncMSAL") -> None:
     """Load manager info from MS graph API. Requires User.Read.All permissions."""
     async with aiomsal.get("https://graph.microsoft.com/v1.0/me/manager") as res:
         body = await res.json()
@@ -69,68 +70,7 @@ def html_wrap(msgs: Sequence[str]) -> str:
     """
 
 
-TA = TypeVar("TA", bound=AsyncMSAL)
-
-
-async def check_auth_response(
-    request: web.Request,
-    asyncmsal_class: type[TA] = AsyncMSAL,  # type:ignore[assignment]
-    get_info: Literal["user", "manager", ""] = "manager",
-) -> tuple[TA | None, list[str]]:
-    """Parse the MS auth response."""
-    # Expecting response_mode="form_post"
-    auth_response = dict(await request.post())
-
-    msg = list[str]()
-
-    # Ensure all expected variables were returned...
-    if not all(auth_response.get(k) for k in ["code", "session_state", "state"]):
-        msg.append("Expected 'code', 'session_state', 'state' in auth_response")
-        msg.append(f"Received auth_response: {list(auth_response)}")
-        return None, msg
-
-    if not request.cookies.get(ENV.COOKIE_NAME):
-        cookies = dict(request.cookies.items())
-        msg.append(f"<b>Expected '{ENV.COOKIE_NAME}' in cookies</b>")
-        msg.append(html_table(cookies))
-        msg.append("Cookie should be set with Samesite:None")
-
-    session = await get_session(request)
-    if session.new:
-        msg.append(
-            "Warning: This is a new session and may not have all expected values."
-        )
-
-    if not session.get(asyncmsal_class.flow_cache_key):
-        msg.append(f"<b>Expected '{asyncmsal_class.flow_cache_key}' in session</b>")
-        msg.append(html_table(session))
-
-    aiomsal = asyncmsal_class(session)
-    aiomsal.redirect = "/" + aiomsal.redirect.lstrip("/")
-
-    if msg:
-        return aiomsal, msg
-
-    try:
-        await aiomsal.async_acquire_token_by_auth_code_flow(auth_response)
-    except Exception as err:
-        msg.append("<b>Could not get token</b> - async_acquire_token_by_auth_code_flow")
-        msg.append(str(err))
-
-    if not msg:
-        try:
-            if get_info in ("user", "manager"):
-                await get_user_info(aiomsal)
-            if get_info == "manager":
-                await get_manager_info(aiomsal)
-        except Exception as err:
-            msg.append("Could not get org info from MS graph")
-            msg.append(str(err))
-            aiomsal.mail = ""
-            aiomsal.name = ""
-
-        if session.get("mail"):
-            for lcb in ENV.login_callback:
-                await lcb(aiomsal)
-
-    return aiomsal, msg
+def get_url(request: web.Request, path: str = "", https_proxy: bool = True) -> str:
+    """Return the full outside URL."""
+    res = str(request.url.with_path(path))
+    return res.replace("http://", "https://") if https_proxy else res

aiohttp_msal/msal_async.py

@@ -7,9 +7,10 @@ Once you have the OAuth tokens store in the session, you are free to make reques
 
 import asyncio
 import json
+import logging
 from collections.abc import Callable
 from functools import cached_property, partialmethod
-from typing import Any, ClassVar, Literal, Unpack, cast
+from typing import Any, ClassVar, Literal, Self, TypeVar, Unpack, cast
 
 import attrs
 from aiohttp import web
@@ -20,12 +21,15 @@ from aiohttp.client import (
     _RequestOptions,
 )
 from aiohttp.typedefs import StrOrURL
-from aiohttp_session import Session
+from aiohttp_session import Session, get_session, new_session
 from msal import ConfidentialClientApplication, SerializableTokenCache
 
+from aiohttp_msal import helpers
 from aiohttp_msal.settings import ENV
 from aiohttp_msal.utils import dict_property
 
+_LOG = logging.getLogger(__name__)
+
 HttpMethods = Literal["get", "post", "put", "patch", "delete"]
 HTTP_GET = "get"
 HTTP_POST = "post"
@@ -34,6 +38,8 @@ HTTP_PATCH = "patch"
 HTTP_DELETE = "delete"
 HTTP_ALLOWED = [HTTP_GET, HTTP_POST, HTTP_PUT, HTTP_PATCH, HTTP_DELETE]
 
+T = TypeVar("T")
+
 
 @attrs.define(slots=False)
 class AsyncMSAL:
@@ -54,14 +60,46 @@ class AsyncMSAL:
     """
     app_kwargs: dict[str, Any] | None = None
     """ConfidentialClientApplication kwargs."""
-    client_session: ClassVar[ClientSession | None] = None
 
+    client_session: ClassVar[ClientSession | None] = None
     token_cache_key: ClassVar[str] = "token_cache"
     user_email_key: ClassVar[str] = "mail"
     flow_cache_key: ClassVar[str] = "flow_cache"
-    redirect_key = "redirect"
+    redirect_key: ClassVar[str] = "redirect"
     default_scopes: ClassVar[list[str]] = ["User.Read", "User.Read.All"]
 
+    @classmethod
+    async def from_request(
+        cls,
+        request: web.Request,
+        /,
+        allow_new: bool = False,
+        app_kwargs: dict[str, Any] | None = None,
+    ) -> Self:
+        """Get the session or raise an exception."""
+        try:
+            session = await get_session(request)
+            return cls(session, app_kwargs=app_kwargs)
+        except TypeError as err:
+            cookie = request.get(ENV.COOKIE_NAME)
+            _LOG.error(
+                "Invalid session, %s: %s [cookie: %s]",
+                "create new" if allow_new else "fail",
+                err,
+                request.get(ENV.COOKIE_NAME),
+                cookie,
+            )
+            if allow_new:
+                return cls(await new_session(request), app_kwargs=app_kwargs)
+
+            text = "Invalid session. Login for a new session: '/usr/login'"
+
+            if not cookie:
+                cookies = dict(request.cookies.items())
+                text = f"Cookie empty. Expected '{ENV.COOKIE_NAME}' in cookies: {list(cookies)}. Cookie should be set with Samesite:None"
+
+            raise web.HTTPException(text=text) from None
+
     @cached_property
     def app(self) -> ConfidentialClientApplication:
         """Get the app."""
@@ -118,7 +156,7 @@ class AsyncMSAL:
     ) -> None:
         """Second step - Acquire token."""
         # Assume we have it in the cache (added by /login)
-        # will raise keryerror if no cache
+        # will raise KeyError if not in cache
         auth_code_flow = self.session.pop(self.flow_cache_key)
         result = self.app.acquire_token_by_auth_code_flow(
             auth_code_flow, auth_response, scopes=scopes
@@ -208,3 +246,67 @@ class AsyncMSAL:
     manager_name = dict_property("session", "m_name")
     manager_mail = dict_property("session", "m_mail")
     redirect = dict_property("session", redirect_key)
+
+    async def async_acquire_token_by_auth_code_flow_plus(
+        self,
+        request: web.Request,
+        get_info: Literal["user", "manager", ""] = "manager",
+    ) -> tuple[bool, list[str]]:
+        """Enhanced version of async_acquire_token_by_auth_code_flow. Returns issues.
+
+        Parse the auth response from the request, checks for valid keys,
+        acquire the token and get_info.
+
+        response_mode for the auth_code flow should be "form_post"
+        """
+        auth_response = dict(await request.post())
+        assert isinstance(self.session, Session)
+
+        msg = list[str]()
+
+        # Ensure all expected variables were returned...
+        if not all(auth_response.get(k) for k in ["code", "session_state", "state"]):
+            msg.append("Expected 'code', 'session_state', 'state' in auth_response")
+            msg.append(f"Received auth_response: {list(auth_response)}")
+            return False, msg
+
+        if self.session.new:
+            msg.append(
+                "Warning: This is a new session and may not have all expected values."
+            )
+
+        if not self.session.get(self.flow_cache_key):
+            msg.append(f"<b>Expected '{self.flow_cache_key}' in session</b>")
+            msg.append(helpers.html_table(self.session))
+
+        self.redirect = "/" + self.redirect.lstrip("/")
+
+        if msg:
+            return False, msg
+
+        try:
+            await self.async_acquire_token_by_auth_code_flow(auth_response)
+        except Exception as err:
+            msg.append(
+                "<b>Could not get token</b> - async_acquire_token_by_auth_code_flow"
+            )
+            msg.append(str(err))
+            return False, msg
+
+        if not msg:
+            try:
+                if get_info in ("user", "manager"):
+                    await helpers.get_user_info(self)
+                if get_info == "manager":
+                    await helpers.get_manager_info(self)
+            except Exception as err:
+                msg.append("Could not get org info from MS graph")
+                msg.append(str(err))
+                self.mail = ""
+                self.name = ""
+
+            if self.session.get("mail"):
+                for lcb in ENV.login_callback:
+                    await lcb(self)
+
+        return True, msg

aiohttp_msal/redis_tools.py

@@ -6,14 +6,14 @@ import logging
 import time
 from collections.abc import AsyncGenerator
 from contextlib import AsyncExitStack, asynccontextmanager
-from typing import Any
+from typing import Any, TypeVar
 
 from redis.asyncio import Redis, from_url
 
 from aiohttp_msal.msal_async import AsyncMSAL
 from aiohttp_msal.settings import ENV as MENV
 
-_LOGGER = logging.getLogger(__name__)
+_LOG = logging.getLogger(__name__)
 
 SES_KEYS = ("mail", "name", "m_mail", "m_name")
 
@@ -22,10 +22,10 @@ SES_KEYS = ("mail", "name", "m_mail", "m_name")
 async def get_redis() -> AsyncGenerator[Redis, None]:
     """Get a Redis connection."""
     if MENV.database:
-        _LOGGER.debug("Using redis from environment")
+        _LOG.debug("Using redis from environment")
         yield MENV.database
         return
-    _LOGGER.info("Connect to Redis %s", MENV.REDIS)
+    _LOG.info("Connect to Redis %s", MENV.REDIS)
     redis = from_url(MENV.REDIS)  # decode_responses=True not allowed aiohttp_session
     MENV.database = redis
     try:
@@ -37,6 +37,7 @@ async def get_redis() -> AsyncGenerator[Redis, None]:
 
 async def session_iter(
     redis: Redis,
+    /,
     *,
     match: dict[str, str] | None = None,
     key_match: str | None = None,
@@ -74,7 +75,7 @@ async def session_iter(
 
 
 async def session_clean(
-    redis: Redis, *, max_age: int = 90, expected_keys: dict[str, Any] | None = None
+    redis: Redis, /, *, max_age: int = 90, expected_keys: dict[str, Any] | None = None
 ) -> None:
     """Clear session entries older than max_age days."""
     rem, keep = 0, 0
@@ -89,12 +90,12 @@ async def session_clean(
                 keep += 1
     finally:
         if rem:
-            _LOGGER.info("Sessions removed: %s (%s total)", rem, keep)
+            _LOG.info("Sessions removed: %s (%s total)", rem, keep)
         else:
-            _LOGGER.debug("No sessions removed (%s total)", keep)
+            _LOG.debug("No sessions removed (%s total)", keep)
 
 
-async def invalid_sessions(redis: Redis) -> None:
+async def invalid_sessions(redis: Redis, /) -> None:
     """Find & clean invalid sessions."""
     async for key in redis.scan_iter(count=100, match=f"{MENV.COOKIE_NAME}*"):
         if not isinstance(key, str):
@@ -107,12 +108,17 @@ async def invalid_sessions(redis: Redis) -> None:
             assert isinstance(val["created"], int)
             assert isinstance(val["session"], dict)
         except Exception as err:
-            _LOGGER.warning("Removing session %s: %s", key, err)
+            _LOG.warning("Removing session %s: %s", key, err)
             await redis.delete(key)
 
 
-def _session_factory(key: str, created: int, session: dict) -> AsyncMSAL:
-    """Create a AsyncMSAL session.
+T = TypeVar("T", bound=AsyncMSAL)
+
+
+def async_msal_factory(
+    cls: type[T], key: str, created: int, session: dict[str, Any], /
+) -> T:
+    """Create a AsyncMSAL session with a save_callback.
 
     When get_token refreshes the token retrieved from Redis, the save_cache callback
     will be responsible to update the cache in Redis.
@@ -130,12 +136,17 @@ def _session_factory(key: str, created: int, session: dict) -> AsyncMSAL:
         except RuntimeError:
             asyncio.run(async_save_cache(*args))
 
-    return AsyncMSAL(session, save_callback=save_cache)
+    return cls(session, save_callback=save_cache)
 
 
 async def get_session(
-    email: str, *, redis: Redis | None = None, scope: str = ""
-) -> AsyncMSAL:
+    cls: type[T],
+    email: str,
+    /,
+    *,
+    redis: Redis | None = None,
+    scope: str = "",
+) -> T:
     """Get a session from Redis."""
     cnt = 0
     async with AsyncExitStack() as stack:
@@ -143,22 +154,22 @@ async def get_session(
             redis = await stack.enter_async_context(get_redis())
         async for key, created, session in session_iter(redis, match={"mail": email}):
             cnt += 1
-            if scope and scope not in str(session.get("token_cache")).lower():
+            if scope and scope not in str(session.get(cls.token_cache_key)).lower():
                 continue
-            return _session_factory(key, created, session)
+            return async_msal_factory(cls, key, created, session)
     msg = f"Session for {email}"
     if not scope:
         raise ValueError(f"{msg} not found")
     raise ValueError(f"{msg} with scope {scope} not found ({cnt} checked)")
 
 
-async def redis_get_json(key: str) -> list | dict | None:
+async def redis_get_json(key: str) -> list[str] | dict[str, Any] | None:
     """Get a key from redis."""
     res = await MENV.database.get(key)
     if isinstance(res, str | bytes | bytearray):
         return json.loads(res)
     if res is not None:
-        _LOGGER.warning("Unexpected type for %s: %s", key, type(res))
+        _LOG.warning("Unexpected type for %s: %s", key, type(res))
     return None
 
 
@@ -170,7 +181,7 @@ async def redis_get(key: str) -> str | None:
     if isinstance(res, bytes | bytearray):
         return res.decode()
     if res is not None:
-        _LOGGER.warning("Unexpected type for %s: %s", key, type(res))
+        _LOG.warning("Unexpected type for %s: %s", key, type(res))
     return None
 
 
@@ -182,16 +193,16 @@ async def redis_set_set(key: str, new_set: set[str]) -> None:
     )
     dif = list(cur_set - new_set)
     if dif:
-        _LOGGER.warning("%s: removing %s", key, dif)
+        _LOG.warning("%s: removing %s", key, dif)
         await MENV.database.srem(key, *dif)
 
     dif = list(new_set - cur_set)
     if dif:
-        _LOGGER.info("%s: adding %s", key, dif)
+        _LOG.info("%s: adding %s", key, dif)
         await MENV.database.sadd(key, *dif)
 
 
-async def redis_scan(match_str: str) -> list[str]:
+async def redis_scan_keys(match_str: str) -> list[str]:
     """Return a list of matching keys."""
     return [
         s if isinstance(s, str) else s.decode()

aiohttp_msal/routes.py

@@ -9,12 +9,7 @@ from aiohttp import web
 from aiohttp_session import get_session, new_session
 
 from aiohttp_msal import ENV, auth_ok, msal_session
-from aiohttp_msal.helpers import (
-    check_auth_response,
-    get_manager_info,
-    get_user_info,
-    html_wrap,
-)
+from aiohttp_msal.helpers import get_manager_info, get_url, get_user_info, html_wrap
 from aiohttp_msal.msal_async import AsyncMSAL
 
 ROUTES = web.RouteTableDef()
@@ -24,17 +19,6 @@ URI_USER_AUTHORIZED = "/user/authorized"
 SESSION_REDIRECT = "redirect"
 
 
-def get_route(request: web.Request, url: str) -> str:
-    """Retrieve server route from request.
-
-    localhost and production on http:// with nginx proxy that adds TLS/SSL.
-    """
-    url = str(request.url.origin() / url)
-    if "localhost" not in url:
-        url = url.replace("http:", "https:", 1)
-    return url
-
-
 @ROUTES.get(URI_USER_LOGIN)
 @ROUTES.get(f"{URI_USER_LOGIN}/{{to:.+$}}")
 async def user_login(request: web.Request) -> web.Response:
@@ -47,7 +31,7 @@ async def user_login(request: web.Request) -> web.Response:
         _to = "/"
     session[SESSION_REDIRECT] = urljoin(_to, request.match_info.get("to", ""))
 
-    msredirect = get_route(request, URI_USER_AUTHORIZED.lstrip("/"))
+    msredirect = get_url(request, URI_USER_AUTHORIZED.lstrip("/"))
     redir = AsyncMSAL(session).initiate_auth_code_flow(redirect_uri=msredirect)
     raise web.HTTPFound(redir)
 
@@ -55,9 +39,10 @@ async def user_login(request: web.Request) -> web.Response:
 @ROUTES.post(URI_USER_AUTHORIZED)
 async def user_authorized(request: web.Request) -> web.Response:
     """Complete the auth code flow."""
-    aiomsal, msg = await check_auth_response(request, AsyncMSAL)
+    aiomsal = await AsyncMSAL.from_request(request)
+    ok, msg = await aiomsal.async_acquire_token_by_auth_code_flow_plus(request)
 
-    if aiomsal and not msg:
+    if ok and not msg:
         try:
             raise web.HTTPFound(aiomsal.redirect)
         finally:
@@ -149,7 +134,7 @@ async def user_logout(request: web.Request, ses: AsyncMSAL) -> web.Response:
     if ref:
         _to = urljoin(ref, _to)
     else:
-        _to = get_route(request, _to)
+        _to = get_url(request, _to)
 
     return web.HTTPFound(
         f"https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri={_to}"

{aiohttp_msal-1.0.4.dist-info → aiohttp_msal-1.0.6.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: aiohttp-msal
-Version: 1.0.4
+Version: 1.0.6
 Summary: Helper Library to use the Microsoft Authentication Library (MSAL) with aiohttp
 Keywords: aiohttp,asyncio,msal,oauth
 Author: Johann Kellerman
@@ -137,4 +137,6 @@ uv sync --all-extras
 uv tool install ruff
 uv tool install codespell
 uv tool install pyproject-fmt
+uv tool install prek
+prek install  # add pre-commit hooks
 ```

aiohttp_msal-1.0.6.dist-info/RECORD

@@ -0,0 +1,11 @@
+aiohttp_msal/__init__.py,sha256=bCBQhbjM5IHKnHKzSDkHQ8Lk_YgW3flO11dgaDn8-Yg,4369
+aiohttp_msal/helpers.py,sha256=L0DFIZD9OfCepckfk64ZtxrVX0-y0aAqRFowBYipepE,2474
+aiohttp_msal/msal_async.py,sha256=VG5L6PGBHzRBNg_XfIqvfU1V-Snznv_Srd_kXzBgTts,11702
+aiohttp_msal/redis_tools.py,sha256=vAA3pvMT8jXd1sDL7wUZ8Z1FWO0xfHTWzi3_pnA_f8E,6672
+aiohttp_msal/routes.py,sha256=Cc6FHqs8dyHSTCC6AaT-yPttSDyBlsngoiz7j9QCKRU,5143
+aiohttp_msal/settings.py,sha256=sArlq9vBDMsikLf9sTRw-UXE2_QRK_G-kzmtHvZcbwA,1559
+aiohttp_msal/settings_base.py,sha256=WBI7HS780i9zKWUy1ZnztDbRsfoDMVr3K-otHZOhNCc,3026
+aiohttp_msal/utils.py,sha256=ll303J58nwCEB9QCAm13urUOa6cPqsAE7z_iP9OlRJw,2390
+aiohttp_msal-1.0.6.dist-info/WHEEL,sha256=Jb20R3Ili4n9P1fcwuLup21eQ5r9WXhs4_qy7VTrgPI,79
+aiohttp_msal-1.0.6.dist-info/METADATA,sha256=YvbKSl1STeQhHmyb9n9vKpsoHfalctOKStQIA_NZHNk,4572
+aiohttp_msal-1.0.6.dist-info/RECORD,,

{aiohttp_msal-1.0.4.dist-info → aiohttp_msal-1.0.6.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: uv 0.8.13
+Generator: uv 0.8.15
 Root-Is-Purelib: true
 Tag: py3-none-any

aiohttp_msal-1.0.4.dist-info/RECORD

@@ -1,11 +0,0 @@
-aiohttp_msal/__init__.py,sha256=nrjPAIy0kNbBvHZsy9qUSKs5r_-Kiea-KJM17bsBIkw,4375
-aiohttp_msal/helpers.py,sha256=8sW-7FW4t1Ztazql11ng67SqdKBlbOWuOMjOBRfBc_c,4495
-aiohttp_msal/msal_async.py,sha256=RUV_XlhNNCOZslT1sEkEPyaYcHDOmsIyiGmRpZuA3I0,8097
-aiohttp_msal/redis_tools.py,sha256=6kCw0_zDQcvIcsJaPfG-zHUvT3vzkrNySNTV5y1tckE,6539
-aiohttp_msal/routes.py,sha256=3rAejWcHfL5czVA91TY3wZGT5EkRxmfyvc8vr6rhyxU,5438
-aiohttp_msal/settings.py,sha256=sArlq9vBDMsikLf9sTRw-UXE2_QRK_G-kzmtHvZcbwA,1559
-aiohttp_msal/settings_base.py,sha256=WBI7HS780i9zKWUy1ZnztDbRsfoDMVr3K-otHZOhNCc,3026
-aiohttp_msal/utils.py,sha256=ll303J58nwCEB9QCAm13urUOa6cPqsAE7z_iP9OlRJw,2390
-aiohttp_msal-1.0.4.dist-info/WHEEL,sha256=4n27za1eEkOnA7dNjN6C5-O2rUiw6iapszm14Uj-Qmk,79
-aiohttp_msal-1.0.4.dist-info/METADATA,sha256=OBl_U9OTy602OfSL9-d5myNJPUYuaGjtBF7voW5lu2Y,4514
-aiohttp_msal-1.0.4.dist-info/RECORD,,