dara-core 1.13.1__py3-none-any.whl → 1.14.0a1__py3-none-any.whl

dara/core/auth/base.py

@@ -18,7 +18,7 @@ limitations under the License.
 import abc
 from typing import Any, ClassVar, Dict, Union
 
-from fastapi import Response
+from fastapi import HTTPException, Response
 from pydantic import BaseModel
 from typing_extensions import TypedDict
 
@@ -69,6 +69,14 @@ class BaseAuthConfig(BaseModel, abc.ABC):
     Defines components to use for auth routes
     """
 
+    supports_token_refresh: ClassVar[bool] = False
+    """
+    Whether this auth config supports token refresh.
+
+    If an auth config supports token refresh, it should override the refresh_token method
+    and set this to True.
+    """
+
     @abc.abstractmethod
     def get_token(self, body: SessionRequestBody) -> Union[TokenResponse, RedirectResponse]:
         """
@@ -91,6 +99,18 @@ class BaseAuthConfig(BaseModel, abc.ABC):
         :param token: encoded token
         """
 
+    def refresh_token(self, old_token: TokenData, refresh_token: str) -> tuple[str, str]:
+        """
+        Create a new session token and refresh token from a refresh token.
+
+        Note: the new issued session token should include the same session_id as the old token
+
+        :param old_token: old session token data
+        :param refresh_token: encoded refresh token
+        :return: new session token, new refresh token
+        """
+        raise HTTPException(400, f'Auth config {self.__class__.__name__} does not support token refresh')
+
     def revoke_token(self, token: str, response: Response) -> Union[SuccessResponse, RedirectResponse]:
         """
         Revoke a session token.

dara/core/auth/routes.py

@@ -16,9 +16,10 @@ limitations under the License.
 """
 
 from inspect import iscoroutinefunction
+from typing import Union, cast
 
 import jwt
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, Cookie, Depends, HTTPException, Request, Response
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 
 from dara.core.auth.base import BaseAuthConfig
@@ -31,6 +32,7 @@ from dara.core.auth.definitions import (
     AuthError,
     SessionRequestBody,
 )
+from dara.core.auth.utils import decode_token
 from dara.core.logging import dev_logger
 
 auth_router = APIRouter()
@@ -103,6 +105,68 @@ async def _revoke_session(response: Response, credentials: HTTPAuthorizationCred
     raise HTTPException(status_code=400, detail=BAD_REQUEST_ERROR('No auth credentials passed'))
 
 
+@auth_router.post('/refresh-token')
+async def handle_refresh_token(
+    response: Response,
+    dara_refresh_token: Union[str, None] = Cookie(default=None),
+    credentials: HTTPAuthorizationCredentials = Depends(HTTPBearer()),
+):
+    """
+    Given a refresh token, issues a new session token and refresh token cookie.
+
+    :param response: FastAPI response object
+    :param dara_refresh_token: refresh token cookie
+    :param settings: env settings object
+    """
+    if dara_refresh_token is None:
+        raise HTTPException(status_code=400, detail=BAD_REQUEST_ERROR('No refresh token provided'))
+
+    # Check scheme is correct
+    if credentials.scheme != 'Bearer':
+        raise HTTPException(
+            status_code=400,
+            detail=BAD_REQUEST_ERROR(
+                'Invalid authentication scheme, previous Bearer token must be included in the refresh request'
+            ),
+        )
+
+    from dara.core.internal.registries import auth_registry
+
+    auth_config: BaseAuthConfig = auth_registry.get('auth_config')
+
+    try:
+        # decode the old token ignoring expiry date
+        old_token_data = decode_token(credentials.credentials, options={'verify_exp': False})
+
+        # Refresh logic up to implementation - passing in old token data so session_id can be preserved
+        session_token, refresh_token = auth_config.refresh_token(old_token_data, dara_refresh_token)
+
+        # Using 'Strict' as it is only used for the refresh-token endpoint so cross-site requests are not expected
+        response.set_cookie(
+            key='dara_refresh_token', value=refresh_token, secure=True, httponly=True, samesite='strict'
+        )
+        return {'token': session_token}
+    except BaseException as e:
+        # Regardless of exception type, clear the refresh token cookie
+        response.delete_cookie('dara_refresh_token')
+        headers = {'set-cookie': response.headers['set-cookie']}
+
+        # If an explicit HTTPException was raised, re-raise it with the cookie header
+        if isinstance(e, HTTPException):
+            dev_logger.error('Auth Error', error=e)
+            e.headers = headers
+            raise e
+
+        # Explicitly handle expired signature error
+        if isinstance(e, jwt.ExpiredSignatureError):
+            dev_logger.error('Expired Token Signature', error=e)
+            raise HTTPException(status_code=401, detail=EXPIRED_TOKEN_ERROR, headers=headers)
+
+        # Otherwise show a generic invalid token error
+        dev_logger.error('Invalid Token', error=cast(Exception, e))
+        raise HTTPException(status_code=401, detail=INVALID_TOKEN_ERROR, headers=headers)
+
+
 # Request to retrieve a session token from the backend. The app does this on startup.
 @auth_router.post('/session')
 async def _get_session(body: SessionRequestBody):

dara/core/auth/utils.py

@@ -33,12 +33,15 @@ from dara.core.internal.settings import get_settings
 from dara.core.logging import dev_logger
 
 
-def decode_token(token: str) -> TokenData:
+def decode_token(token: str, **kwargs) -> TokenData:
     """
     Decode a JWT token
+
+    :param token: the JWT token to decode
+    :param kwargs: additional arguments to pass to the jwt.decode function
     """
     try:
-        return TokenData.parse_obj(jwt.decode(token, get_settings().jwt_secret, algorithms=[JWT_ALGO]))
+        return TokenData.parse_obj(jwt.decode(token, get_settings().jwt_secret, algorithms=[JWT_ALGO], **kwargs))
     except jwt.ExpiredSignatureError:
         raise AuthError(code=401, detail=EXPIRED_TOKEN_ERROR)
     except jwt.DecodeError:
@@ -52,11 +55,13 @@ def sign_jwt(
     groups: List[str],
     id_token: Optional[str] = None,
     exp: Optional[Union[datetime, int]] = None,
+    session_id: Optional[str] = None,
 ):
     """
     Create a new Dara JWT token
     """
-    session_id = str(uuid.uuid4())
+    if session_id is None:
+        session_id = str(uuid.uuid4())
 
     # Default expiry is 1 day unless specified
     if exp is None:

dara/core/internal/routing.py

@@ -208,9 +208,12 @@ def create_router(config: Configuration):
             'application_name': get_settings().project_name,
         }
 
-    @core_api_router.get('/auth-components')
-    async def get_auth_components():  # pylint: disable=unused-variable
-        return config.auth_config.component_config
+    @core_api_router.get('/auth-config')
+    async def get_auth_config():  # pylint: disable=unused-variable
+        return {
+            'auth_components': config.auth_config.component_config.dict(),
+            'supports_token_refresh': config.auth_config.supports_token_refresh,
+        }
 
     @core_api_router.get('/components', dependencies=[Depends(verify_session)])
     async def get_components(name: Optional[str] = None):  # pylint: disable=unused-variable