dara-core 1.13.1__py3-none-any.whl → 1.14.0a0__py3-none-any.whl

dara/core/auth/base.py

@@ -18,7 +18,7 @@ limitations under the License.
 import abc
 from typing import Any, ClassVar, Dict, Union
 
-from fastapi import Response
+from fastapi import HTTPException, Response
 from pydantic import BaseModel
 from typing_extensions import TypedDict
 
@@ -91,6 +91,15 @@ class BaseAuthConfig(BaseModel, abc.ABC):
         :param token: encoded token
         """
 
+    def refresh_token(self, refresh_token: str) -> tuple[str, str]:
+        """
+        Create a new session token and refresh token from a refresh token.
+
+        :param refresh_token: encoded refresh token
+        :return: new session token, new refresh token
+        """
+        raise HTTPException(400, f'Auth config {self.__class__.__name__} does not support token refresh')
+
     def revoke_token(self, token: str, response: Response) -> Union[SuccessResponse, RedirectResponse]:
         """
         Revoke a session token.

dara/core/auth/routes.py

@@ -16,9 +16,10 @@ limitations under the License.
 """
 
 from inspect import iscoroutinefunction
+from typing import Union, cast
 
 import jwt
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, Cookie, Depends, HTTPException, Request, Response
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 
 from dara.core.auth.base import BaseAuthConfig
@@ -103,6 +104,55 @@ async def _revoke_session(response: Response, credentials: HTTPAuthorizationCred
     raise HTTPException(status_code=400, detail=BAD_REQUEST_ERROR('No auth credentials passed'))
 
 
+@auth_router.post('/refresh-token')
+async def handle_refresh_token(
+    response: Response,
+    dara_refresh_token: Union[str, None] = Cookie(default=None),
+):
+    """
+    Given a refresh token, issues a new session token and refresh token cookie.
+
+    :param response: FastAPI response object
+    :param dara_refresh_token: refresh token cookie
+    :param settings: env settings object
+    """
+    if dara_refresh_token is None:
+        raise HTTPException(status_code=400, detail=BAD_REQUEST_ERROR('No refresh token provided'))
+
+    from dara.core.internal.registries import auth_registry
+
+    auth_config: BaseAuthConfig = auth_registry.get('auth_config')
+
+    try:
+        # Refresh logic up to implementation
+        session_token, refresh_token = auth_config.refresh_token(dara_refresh_token)
+
+        # Using 'Strict' as it is only used for the refresh-token endpoint so cross-site requests are not expected
+        response.set_cookie(
+            key='dara_refresh_token', value=refresh_token, secure=True, httponly=True, samesite='strict'
+        )
+        return {'token': session_token}
+    except BaseException as e:
+        # Regardless of exception type, clear the refresh token cookie
+        response.delete_cookie('dara_refresh_token')
+        headers = {'set-cookie': response.headers['set-cookie']}
+
+        # If an explicit HTTPException was raised, re-raise it with the cookie header
+        if isinstance(e, HTTPException):
+            dev_logger.error('Auth Error', error=e)
+            e.headers = headers
+            raise e
+
+        # Explicitly handle expired signature error
+        if isinstance(e, jwt.ExpiredSignatureError):
+            dev_logger.error('Expired Token Signature', error=e)
+            raise HTTPException(status_code=401, detail=EXPIRED_TOKEN_ERROR, headers=headers)
+
+        # Otherwise show a generic invalid token error
+        dev_logger.error('Invalid Token', error=cast(Exception, e))
+        raise HTTPException(status_code=401, detail=INVALID_TOKEN_ERROR, headers=headers)
+
+
 # Request to retrieve a session token from the backend. The app does this on startup.
 @auth_router.post('/session')
 async def _get_session(body: SessionRequestBody):