PyPI - c2cgeoportal-geoportal - Versions diffs - 2.7.1.156__py2.py3-none-any.whl → 2.8.1.180__py2.py3-none-any.whl - Mend

c2cgeoportal-geoportal 2.7.1.156py2.py3-none-any.whl → 2.8.1.180py2.py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

c2cgeoportal_geoportal/lib/oauth2.py CHANGED Viewed

@@ -27,14 +27,15 @@
 import logging
 from datetime import datetime, timedelta
-from typing import Any, Dict, List, Union
+from typing import Any, Dict, List, Optional, Union
 import basicauth
 import oauthlib.common
 import oauthlib.oauth2
 import pyramid.threadlocal
+from pyramid.httpexceptions import HTTPBadRequest
-import c2cgeoportal_commons  # pylint: disable=unused-import
+import c2cgeoportal_commons
 from c2cgeoportal_geoportal.lib.caching import get_region
 LOG = logging.getLogger(__name__)
@@ -48,7 +49,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         # in minutes
         self.authorization_expires_in = authorization_expires_in
-    def authenticate_client(  # pylint: disable=no-self-use,useless-suppression
+    def authenticate_client(
         self,
         request: oauthlib.common.Request,
         *args: Any,
@@ -65,7 +66,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         both body and query can be obtained by direct attribute access, i.e.
         request.client_id for client_id in the URL query.
-        Arguments:
+        Keyword Arguments:
             request: oauthlib.common.Request
@@ -85,7 +86,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         raise NotImplementedError("Not implemented, the method `authenticate_client_id` should be used.")
-    def authenticate_client_id(  # pylint: disable=no-self-use,useless-suppression
+    def authenticate_client_id(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -133,7 +134,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         LOG.debug("authenticate_client_id => %s", request.client is not None)
         return request.client is not None
-    def client_authentication_required(  # pylint: disable=no-self-use,useless-suppression
+    def client_authentication_required(
         self,
         request: oauthlib.common.Request,
         *args: Any,
@@ -153,7 +154,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
               client credentials or whenever Client provided client authentication, see
               `Section 6`_
-        Arguments:
+        Keyword Arguments:
             request: oauthlib.common.Request
@@ -174,7 +175,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return False
-    def confirm_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def confirm_redirect_uri(
         self,
         client_id: str,
         code: str,
@@ -195,7 +196,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         the client's allowed redirect URIs, but against the URI used when the
         code was saved.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             code: Unicode authorization_code.
@@ -226,33 +227,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         LOG.debug("confirm_redirect_uri => %s", authorization_code is not None)
         return authorization_code is not None
-    def get_code_challenge_method(  # pylint: disable=no-self-use,useless-suppression
-        self, code: str, request: oauthlib.common.Request
-    ) -> None:
-        """
-        Is called during the "token" request processing.
-        When a ``code_verifier`` and a ``code_challenge`` has
-        been provided. See ``.get_code_challenge``. Must return ``plain`` or ``S256``. You can return a custom
-        value if you have implemented your own ``AuthorizationCodeGrant`` class.
-        Arguments:
-            code: Authorization code.
-            request: OAuthlib request.
-        Returns: code_challenge_method string
-        Method is used by:
-            - Authorization Code Grant - when PKCE is active
-        """
-        del code, request
-        LOG.debug("get_code_challenge_method")
-        raise NotImplementedError("Not implemented.")
-    def get_default_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def get_default_redirect_uri(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -262,7 +237,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Get the default redirect URI for the client.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             request: The HTTP Request
@@ -279,7 +254,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         raise NotImplementedError("Not implemented.")
-    def get_default_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def get_default_scopes(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -289,7 +264,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Get the default scopes for the client.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             request: The HTTP Request
@@ -308,7 +283,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return ["geomapfish"]
-    def get_original_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def get_original_scopes(
         self,
         refresh_token: str,
         request: oauthlib.common.Request,
@@ -318,7 +293,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Get the list of scopes associated with the refresh token.
-        Arguments:
+        Keyword Arguments:
             refresh_token: Unicode refresh token
             request: The HTTP Request
@@ -334,7 +309,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return []
-    def introspect_token(  # pylint: disable=no-self-use,useless-suppression
+    def introspect_token(
         self,
         token: str,
         token_type_hint: str,
@@ -366,7 +341,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         efficiency, but must fallback to other types to be compliant with RFC.
         The dict of claims is added to request.token after this method.
-        Arguments:
+        Keyword Arguments:
             token: The token string.
             token_type_hint: access_token or refresh_token.
@@ -384,7 +359,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         raise NotImplementedError("Not implemented.")
-    def invalidate_authorization_code(  # pylint: disable=no-self-use,useless-suppression
+    def invalidate_authorization_code(
         self,
         client_id: str,
         code: str,
@@ -395,7 +370,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Invalidate an authorization code after use.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             code: The authorization code grant (request.code).
@@ -419,7 +394,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
             .one()
         )
-    def is_within_original_scope(  # pylint: disable=no-self-use,useless-suppression
+    def is_within_original_scope(
         self,
         request_scopes: List[str],
         refresh_token: str,
@@ -438,7 +413,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         used in situations where returning all valid scopes from the
         get_original_scopes is not practical.
-        Arguments:
+        Keyword Arguments:
             request_scopes: A list of scopes that were requested by client
             refresh_token: Unicode refresh_token
@@ -453,7 +428,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return False
-    def revoke_token(  # pylint: disable=no-self-use,useless-suppression
+    def revoke_token(
         self,
         token: str,
         token_type_hint: str,
@@ -464,7 +439,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Revoke an access or refresh token.
-        Arguments:
+        Keyword Arguments:
             token: The token string.
             token_type_hint: access_token or refresh_token.
@@ -479,9 +454,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         raise NotImplementedError("Not implemented.")
-    def rotate_refresh_token(  # pylint: disable=no-self-use,useless-suppression
-        self, request: oauthlib.common.Request
-    ) -> bool:
+    def rotate_refresh_token(self, request: oauthlib.common.Request) -> bool:
         """
         Determine whether to rotate the refresh token. Default, yes.
@@ -489,7 +462,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         or replaced with a new one (rotated). Return True to rotate and
         and False for keeping original.
-        Arguments:
+        Keyword Arguments:
             request: oauthlib.common.Request
@@ -502,7 +475,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return True
-    def save_authorization_code(  # pylint: disable=no-self-use,useless-suppression
+    def save_authorization_code(
         self,
         client_id: str,
         code: Dict[str, str],
@@ -523,13 +496,13 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         The 'code' argument is actually a dictionary, containing at least a
         'code' key with the actual authorization code:
-            {'code': 'sdf345jsdf0934f'}
+            {'code': '<secret>'}
         It may also have a 'state' key containing a nonce for the client, if it
         chose to send one.  That value should be saved and used in
         'validate_code'.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             code: A dict of the authorization code grant and, optionally, state.
@@ -537,6 +510,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         Method is used by:
             - Authorization Code Grant
+        To support PKCE, you MUST associate the code with:
+            Code Challenge (request.code_challenge) and
+            Code Challenge Method (request.code_challenge_method)
         """
         del args, kwargs
@@ -544,7 +522,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
-        user = pyramid.threadlocal.get_current_request().user_
+        user = pyramid.threadlocal.get_current_request().user
         # Don't allows to have two authentications for the same user and the same client
         authorization_code = (
@@ -555,20 +533,32 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         )
         if authorization_code is not None:
-            authorization_code.code = code["code"]
             authorization_code.expire_at = datetime.now() + timedelta(minutes=self.authorization_expires_in)
-            authorization_code.redirect_uri = request.redirect_uri
         else:
             authorization_code = static.OAuth2AuthorizationCode()
             authorization_code.client_id = request.client.id
-            authorization_code.code = code["code"]
             authorization_code.user_id = user.id
             authorization_code.expire_at = datetime.now() + timedelta(minutes=self.authorization_expires_in)
-            authorization_code.redirect_uri = request.redirect_uri
+            authorization_code.state = code.get("state")
+        authorization_code.code = code["code"]
+        authorization_code.redirect_uri = request.redirect_uri
+        client = (
+            DBSession.query(static.OAuth2Client)
+            .filter(static.OAuth2Client.client_id == client_id)
+            .one_or_none()
+        )
+        if client and client.state_required and not code.get("state"):
+            raise HTTPBadRequest("Client is missing the state parameter.")
+        if client and client.pkce_required:
+            authorization_code.challenge = request.code_challenge
+            authorization_code.challenge_method = request.code_challenge_method
         DBSession.add(authorization_code)
-    def save_bearer_token(  # pylint: disable=no-self-use,useless-suppression
+    def save_bearer_token(
         self,
         token: Dict[str, Union[str, int]],
         request: oauthlib.common.Request,
@@ -589,17 +579,17 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
             {
                 'token_type': 'Bearer',
-                'access_token': 'askfjh234as9sd8',
+                'access_token': '<secret>',
                 'expires_in': 3600,
                 'scope': 'string of space separated authorized scopes',
-                'refresh_token': '23sdf876234',  # if issued
+                'refresh_token': '<secret>',  # if issued
                 'state': 'given_by_client',  # if supplied by client
             }
         Note that while "scope" is a string-separated list of authorized scopes,
         the original list is still available in request.scopes
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             token: A Bearer token dict
@@ -627,21 +617,18 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
             .one_or_none()
         )
-        if bearer_token is not None:
-            bearer_token.access_token = token["access_token"]
-            bearer_token.refresh_token = token["refresh_token"]
-            bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
-        else:
+        if bearer_token is None:
             bearer_token = static.OAuth2BearerToken()
             bearer_token.client_id = request.client.id
             bearer_token.user_id = request.user.id
-            bearer_token.access_token = token["access_token"]
-            bearer_token.refresh_token = token["refresh_token"]
-            bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
             DBSession.add(bearer_token)
-    def validate_bearer_token(  # pylint: disable=no-self-use,useless-suppression
+        bearer_token.access_token = token["access_token"]
+        bearer_token.refresh_token = token["refresh_token"]
+        bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
+        bearer_token.state = token.get("state")
+    def validate_bearer_token(
         self,
         token: str,
         scopes: List[str],
@@ -650,7 +637,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Ensure the Bearer token is valid and authorized access to scopes.
-        Arguments:
+        Keyword Arguments:
             token: A string of random characters.
             scopes: A list of scopes associated with the protected resource.
@@ -686,7 +673,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         one provided for django these attributes will be made available
         in all protected views as keyword arguments.
-        Arguments:
+        Keyword Arguments:
             token: Unicode Bearer token
             scopes: List of scopes (defined by you)
@@ -705,6 +692,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         bearer_token = (
             DBSession.query(static.OAuth2BearerToken)
+            .join(static.User)
             .filter(static.OAuth2BearerToken.access_token == token)
             .filter(static.OAuth2BearerToken.expire_at > datetime.now())
         ).one_or_none()
@@ -715,7 +703,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         LOG.debug("validate_bearer_token => %s", bearer_token is not None)
         return bearer_token is not None
-    def validate_client_id(  # pylint: disable=no-self-use,useless-suppression
+    def validate_client_id(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -729,7 +717,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         to set request.client to the client object associated with the
         given client_id.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             request: oauthlib.common.Request
@@ -753,7 +741,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
             request.client = client
         return client is not None
-    def validate_code(  # pylint: disable=no-self-use,useless-suppression
+    def validate_code(
         self,
         client_id: str,
         code: str,
@@ -775,7 +763,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         associated with this authorization code. Similarly request.scopes
         must also be set.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             code: Unicode authorization code
@@ -791,20 +779,32 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
-        authorization_code = (
+        authorization_code_query = (
             DBSession.query(static.OAuth2AuthorizationCode)
             .join(static.OAuth2AuthorizationCode.client)
             .filter(static.OAuth2AuthorizationCode.code == code)
-            .filter(static.OAuth2Client.client_id == client_id)
+            .filter(static.OAuth2AuthorizationCode.client_id == client.id)
             .filter(static.OAuth2AuthorizationCode.expire_at > datetime.now())
-            .one_or_none()
         )
-        if authorization_code is not None:
-            request.user = authorization_code.user
-        LOG.debug("validate_code => %s", authorization_code is not None)
-        return authorization_code is not None
+        if client.state_required:
+            authorization_code_query = authorization_code_query.filter(
+                static.OAuth2AuthorizationCode.state == request.state
+            )
+        authorization_code = authorization_code_query.one_or_none()
+        if authorization_code is None:
+            LOG.debug("validate_code => KO, no authorization_code found")
+            return False
-    def validate_grant_type(  # pylint: disable=no-self-use,useless-suppression
+        if authorization_code.client.pkce_required:
+            request.code_challenge = authorization_code.challenge
+            request.code_challenge_method = authorization_code.challenge_method
+        request.user = authorization_code.user
+        LOG.debug("validate_code => OK")
+        return True
+    def validate_grant_type(
         self,
         client_id: str,
         grant_type: str,
@@ -816,7 +816,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Ensure client is authorized to use the grant_type requested.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             grant_type: Unicode grant type, i.e. authorization_code, password.
@@ -840,7 +840,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return grant_type in ("authorization_code", "refresh_token")
-    def validate_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def validate_redirect_uri(
         self,
         client_id: str,
         redirect_uri: str,
@@ -854,7 +854,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         All clients should register the absolute URIs of all URIs they intend
         to redirect to. The registration is outside of the scope of oauthlib.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             redirect_uri: Unicode absolute URI
@@ -879,7 +879,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         LOG.debug("validate_redirect_uri %s", client is not None)
         return client is not None
-    def validate_refresh_token(  # pylint: disable=no-self-use,useless-suppression
+    def validate_refresh_token(
         self,
         refresh_token: str,
         client: "c2cgeoportal_commons.models.static.OAuth2Client",  # noqa: F821
@@ -893,7 +893,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         OBS! The request.user attribute should be set to the resource owner
         associated with this refresh token.
-        Arguments:
+        Keyword Arguments:
             refresh_token: Unicode refresh token
             client: Client object set by you, see authenticate_client.
@@ -922,7 +922,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return bearer_token is not None
-    def validate_response_type(  # pylint: disable=no-self-use,useless-suppression
+    def validate_response_type(
         self,
         client_id: str,
         response_type: str,
@@ -934,7 +934,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Ensure client is authorized to use the response_type requested.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             response_type: Unicode response type, i.e. code, token.
@@ -951,7 +951,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return response_type == "code"
-    def validate_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def validate_scopes(
         self,
         client_id: str,
         scopes: List[str],
@@ -963,7 +963,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         """
         Ensure the client is authorized access to requested scopes.
-        Arguments:
+        Keyword Arguments:
             client_id: Unicode client identifier
             scopes: List of scopes (defined by you)
@@ -982,7 +982,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         return True
-    def validate_user(  # pylint: disable=no-self-use,useless-suppression
+    def validate_user(
         self,
         username: str,
         password: str,
@@ -999,7 +999,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         not set you will be unable to associate a token with a user in the
         persistence method used (commonly, save_bearer_token).
-        Arguments:
+        Keyword Arguments:
             username: Unicode username
             password: Unicode password
@@ -1015,6 +1015,123 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
         raise NotImplementedError("Not implemented.")
+    def is_pkce_required(self, client_id: int, request: oauthlib.common.Request) -> bool:
+        """
+        Determine if current request requires PKCE.
+        Default, False. This is called for both “authorization” and “token” requests.
+        Override this method by return True to enable PKCE for everyone. You might want to enable it only
+        for public clients. Note that PKCE can also be used in addition of a client authentication.
+        OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to
+        the authorization code interception attack. This specification describes the attack as well as
+        a technique to mitigate against the threat through the use of Proof Key for Code Exchange
+        (PKCE, pronounced “pixy”). See RFC7636.
+        Keyword Arguments:
+            client_id: Client identifier.
+            request (oauthlib.common.Request): OAuthlib request.
+        Method is used by:
+                Authorization Code Grant
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+        client = (
+            DBSession.query(static.OAuth2Client)
+            .filter(static.OAuth2Client.client_id == client_id)
+            .one_or_none()
+        )
+        return client and client.pkce_required  # type: ignore
+    def get_code_challenge(self, code: str, request: oauthlib.common.Request) -> Optional[str]:
+        """
+        Is called for every “token” requests.
+        When the server issues the authorization code in the authorization response, it MUST associate the
+        code_challenge and code_challenge_method values with the authorization code so it can be
+        verified later.
+        Typically, the code_challenge and code_challenge_method values are stored in encrypted form in
+        the code itself but could alternatively be stored on the server associated with the code.
+        The server MUST NOT include the code_challenge value in client requests in a form that other
+        entities can extract.
+        Return the code_challenge associated to the code. If None is returned, code is considered to not
+        be associated to any challenges.
+        Keyword Arguments:
+            code: Authorization code.
+            request: OAuthlib request.
+        Return:
+            code_challenge string
+        Method is used by:
+                Authorization Code Grant - when PKCE is active
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+        LOG.debug("get_code_challenge")
+        authorization_code = (
+            DBSession.query(static.OAuth2AuthorizationCode)
+            .filter(static.OAuth2AuthorizationCode.code == code)
+            .one_or_none()
+        )
+        if authorization_code:
+            return authorization_code.challenge  # type: ignore
+        LOG.debug("get_code_challenge authorization_code not found")
+        return None
+    def get_code_challenge_method(self, code: str, request: oauthlib.common.Request) -> Optional[str]:
+        """
+        Is called during the “token” request processing.
+        When a code_verifier and a code_challenge has been provided.
+        See .get_code_challenge.
+        Must return plain or S256. You can return a custom value if you have implemented your own
+        AuthorizationCodeGrant class.
+        Keyword Arguments:
+            code: Authorization code.
+            request: OAuthlib request.
+        Return type:
+            code_challenge_method string
+        Method is used by:
+                Authorization Code Grant - when PKCE is active
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+        LOG.debug("get_code_challenge_method")
+        authorization_code = (
+            DBSession.query(static.OAuth2AuthorizationCode)
+            .filter(static.OAuth2AuthorizationCode.code == code)
+            .one_or_none()
+        )
+        if authorization_code:
+            return authorization_code.challenge_method  # type: ignore
+        LOG.debug("get_code_challenge_method authorization_code not found")
+        return None
 def get_oauth_client(settings: Dict[str, Any]) -> oauthlib.oauth2.WebApplicationServer:
     """Get the oauth2 client, with a cache."""

c2cgeoportal-geoportal 2.7.1.156__py2.py3-none-any.whl → 2.8.1.180__py2.py3-none-any.whl

c2cgeoportal-geoportal 2.7.1.156py2.py3-none-any.whl → 2.8.1.180py2.py3-none-any.whl