dara-core 1.22.3__py3-none-any.whl → 1.23.0__py3-none-any.whl

dara/core/_assets/auto_js/dara.core.umd.cjs

@@ -40389,11 +40389,6 @@ You must set sticky: 'left' | 'right' for the '${bugWithUnderColumnsSticky.Heade
     const mergedInits = React$1.useMemo(() => mergeRequestInits(parentOptions, options), [parentOptions, options]);
     return /* @__PURE__ */ React.createElement(requestExtrasCtx.Provider, { value: { options: mergedInits } }, children);
   }
-  var AuthType = /* @__PURE__ */ ((AuthType2) => {
-    AuthType2["BASIC"] = "BASIC";
-    AuthType2["SSO"] = "SSO";
-    return AuthType2;
-  })(AuthType || {});
   function $constructor(name, initializer2, params) {
     function init(inst, def) {
       var _a;
@@ -74361,6 +74356,178 @@ Inferred class string: "${iconClasses}."`
     }, []);
     return /* @__PURE__ */ React.createElement(Center, null, /* @__PURE__ */ React.createElement(DefaultFallback$1, null));
   }
+  function OIDCAuthLogin() {
+    const navigate = useNavigate();
+    const location2 = useLocation();
+    const token = useSessionToken();
+    const { defaultPath } = useRouterContext();
+    const previousLocation = React$1.useMemo(() => {
+      const queryParams = new URLSearchParams(location2.search);
+      return queryParams.get("referrer") ?? defaultPath;
+    }, [location2, defaultPath]);
+    const verifyToken = React$1.useCallback(async () => {
+      const verified = await verifySessionToken();
+      if (verified) {
+        navigate(decodeURIComponent(previousLocation), { replace: true });
+      } else {
+        navigate("/logout", { replace: true });
+      }
+    }, [previousLocation, navigate]);
+    const getNewToken = React$1.useCallback(async () => {
+      const res = await request("/api/auth/session", {
+        body: JSON.stringify({
+          redirect_to: previousLocation
+        }),
+        method: HTTP_METHOD.POST
+      });
+      const loggedOut = await handleAuthErrors(res, false);
+      if (loggedOut) {
+        return;
+      }
+      if (res.ok) {
+        const resContent = await res.json();
+        window.location.href = resContent.redirect_uri;
+      }
+    }, [previousLocation]);
+    React$1.useEffect(() => {
+      if (token) {
+        verifyToken();
+      } else {
+        getNewToken();
+      }
+    }, [getNewToken, verifyToken, token]);
+    return /* @__PURE__ */ React.createElement(Center, null, /* @__PURE__ */ React.createElement(DefaultFallback$1, null));
+  }
+  function OIDCAuthLogout() {
+    const navigate = useNavigate();
+    React$1.useEffect(() => {
+      revokeSession().then((responseData) => {
+        setSessionToken(null);
+        if (responseData && "redirect_uri" in responseData) {
+          const loginUrl = new URL("/login", window.location.origin);
+          const finalRedirectUrl = new URL(responseData.redirect_uri);
+          finalRedirectUrl.searchParams.append("post_logout_redirect_uri", loginUrl.toString());
+          window.location.href = finalRedirectUrl.toString();
+          return;
+        }
+        navigate("/login");
+      });
+    }, []);
+    return /* @__PURE__ */ React.createElement(Center, null, /* @__PURE__ */ React.createElement(DefaultFallback$1, null));
+  }
+  class InvalidTokenError extends Error {
+  }
+  InvalidTokenError.prototype.name = "InvalidTokenError";
+  function b64DecodeUnicode(str) {
+    return decodeURIComponent(atob(str).replace(/(.)/g, (m, p2) => {
+      let code = p2.charCodeAt(0).toString(16).toUpperCase();
+      if (code.length < 2) {
+        code = "0" + code;
+      }
+      return "%" + code;
+    }));
+  }
+  function base64UrlDecode(str) {
+    let output = str.replace(/-/g, "+").replace(/_/g, "/");
+    switch (output.length % 4) {
+      case 0:
+        break;
+      case 2:
+        output += "==";
+        break;
+      case 3:
+        output += "=";
+        break;
+      default:
+        throw new Error("base64 string is not of the correct length");
+    }
+    try {
+      return b64DecodeUnicode(output);
+    } catch (err2) {
+      return atob(output);
+    }
+  }
+  function jwtDecode(token, options) {
+    if (typeof token !== "string") {
+      throw new InvalidTokenError("Invalid token specified: must be a string");
+    }
+    options || (options = {});
+    const pos = options.header === true ? 0 : 1;
+    const part = token.split(".")[pos];
+    if (typeof part !== "string") {
+      throw new InvalidTokenError(`Invalid token specified: missing part #${pos + 1}`);
+    }
+    let decoded;
+    try {
+      decoded = base64UrlDecode(part);
+    } catch (e2) {
+      throw new InvalidTokenError(`Invalid token specified: invalid base64 for part #${pos + 1} (${e2.message})`);
+    }
+    try {
+      return JSON.parse(decoded);
+    } catch (e2) {
+      throw new InvalidTokenError(`Invalid token specified: invalid json for part #${pos + 1} (${e2.message})`);
+    }
+  }
+  function decodeStateRedirect(state) {
+    if (!state) {
+      return null;
+    }
+    try {
+      const payload = jwtDecode(state);
+      return payload.redirect_to ?? null;
+    } catch {
+      try {
+        return decodeURIComponent(state);
+      } catch {
+        return null;
+      }
+    }
+  }
+  async function getSSOCallbackToken(search, defaultPath) {
+    try {
+      const params = new URLSearchParams(search);
+      const state = params.get("state");
+      const res = await request("/api/auth/sso-callback", {
+        body: JSON.stringify({
+          auth_code: params.get("code"),
+          state
+        }),
+        method: HTTP_METHOD.POST
+      });
+      const shouldLogOut = await handleAuthErrors(res);
+      if (shouldLogOut) {
+        return null;
+      }
+      if (res.ok) {
+        const { token } = await res.json();
+        return {
+          token,
+          redirectTo: decodeStateRedirect(state) ?? defaultPath
+        };
+      }
+      throw new Error(`${res.status}: ${res.statusText}`);
+    } catch {
+      return null;
+    }
+  }
+  function OIDCAuthSSOCallback() {
+    const { search } = useLocation();
+    const navigate = useNavigate();
+    const routerContext = useRouterContext();
+    React$1.useEffect(() => {
+      getSSOCallbackToken(search, routerContext.defaultPath).then((result) => {
+        if (result) {
+          setSessionToken(result.token);
+          navigate(result.redirectTo);
+        }
+      }).catch((err2) => {
+        console.error("Failed to run SSO callback", err2);
+        navigate("/logout");
+      });
+    }, []);
+    return /* @__PURE__ */ React.createElement(Center, null, /* @__PURE__ */ React.createElement(DefaultFallback$1, null));
+  }
   const CenteredDivWithGap$1 = styled(Center)`
     gap: 1rem;
     margin: 10px;
@@ -98864,7 +99031,6 @@ body,
     return /* @__PURE__ */ React.createElement(DynamicComponent$1, { component });
   }
   exports.ActionImpl = ActionImpl;
-  exports.AuthType = AuthType;
   exports.AuthenticatedRoot = AuthenticatedRoot;
   exports.BasicAuthLogin = BasicAuthLogin;
   exports.BasicAuthLogout = BasicAuthLogout;
@@ -98897,6 +99063,9 @@ body,
   exports.NavigateTo = NavigateTo;
   exports.Notifications = index$1;
   exports.Notify = Notify;
+  exports.OIDCAuthLogin = OIDCAuthLogin;
+  exports.OIDCAuthLogout = OIDCAuthLogout;
+  exports.OIDCAuthSSOCallback = OIDCAuthSSOCallback;
   exports.Outlet = Outlet;
   exports.PartialRequestExtrasProvider = PartialRequestExtrasProvider;
   exports.PoweredByCausalens = PoweredByCausalens;

dara/core/auth/__init__.py

@@ -17,6 +17,7 @@ limitations under the License.
 
 from .base import BaseAuthConfig
 from .basic import BasicAuthConfig, DefaultAuthConfig, MultiBasicAuthConfig
+from .oidc import OIDCAuthConfig
 from .routes import auth_router
 
 __all__ = [
@@ -24,5 +25,6 @@ __all__ = [
     'MultiBasicAuthConfig',
     'BasicAuthConfig',
     'DefaultAuthConfig',
+    'OIDCAuthConfig',
     'auth_router',
 ]

dara/core/auth/base.py

@@ -16,7 +16,7 @@ limitations under the License.
 """
 
 import abc
-from typing import Any, ClassVar
+from typing import ClassVar
 
 from fastapi import HTTPException, Response
 from pydantic import model_serializer
@@ -30,6 +30,7 @@ from dara.core.auth.definitions import (
     TokenResponse,
 )
 from dara.core.base_definitions import DaraBaseModel as BaseModel
+from dara.core.definitions import ApiRoute
 
 
 class AuthComponent(TypedDict):
@@ -71,6 +72,17 @@ class BaseAuthConfig(BaseModel, abc.ABC):
     Defines components to use for auth routes
     """
 
+    required_routes: ClassVar[list[ApiRoute]] = []
+    """
+    List of routes the auth config depends on.
+    Will be added to the app if this auth config is used.
+    """
+
+    async def startup_hook(self) -> None:
+        """
+        Called when the server is starting up, can be used to set up e.g. JWKS clients for OIDC auth
+        """
+
     @abc.abstractmethod
     def get_token(self, body: SessionRequestBody) -> TokenResponse | RedirectResponse:
         """
@@ -82,7 +94,7 @@ class BaseAuthConfig(BaseModel, abc.ABC):
         """
 
     @abc.abstractmethod
-    def verify_token(self, token: str) -> Any | TokenData:
+    def verify_token(self, token: str) -> TokenData:
         """
         Verify a session token.
 
@@ -93,7 +105,7 @@ class BaseAuthConfig(BaseModel, abc.ABC):
         :param token: encoded token
         """
 
-    def refresh_token(self, old_token: TokenData, refresh_token: str) -> tuple[str, str]:
+    async def refresh_token(self, old_token: TokenData, refresh_token: str) -> tuple[str, str]:
         """
         Create a new session token and refresh token from a refresh token.
 

dara/core/auth/definitions.py

@@ -18,6 +18,7 @@ limitations under the License.
 from contextvars import ContextVar
 from datetime import datetime
 
+from pydantic import ConfigDict
 from typing_extensions import TypedDict
 
 from dara.core.base_definitions import DaraBaseModel as BaseModel
@@ -60,6 +61,18 @@ class UserData(BaseModel):
     identity_email: str | None = None
     groups: list[str] | None = []
 
+    # allow extra for more flexibility in custom oidc configs
+    model_config = ConfigDict(extra='allow')
+
+    @classmethod
+    def from_token_data(cls, token_data: TokenData):
+        return cls(
+            identity_id=token_data.identity_id,
+            identity_name=token_data.identity_name,
+            identity_email=token_data.identity_email,
+            groups=token_data.groups,
+        )
+
 
 class TokenResponse(TypedDict):
     token: str
@@ -76,6 +89,8 @@ class SuccessResponse(TypedDict):
 class SessionRequestBody(BaseModel):
     username: str | None = None
     password: str | None = None
+    redirect_to: str | None = None
+    """Optional URL to redirect to after successful authentication (used in OIDC flows)"""
 
 
 class AuthError(Exception):
@@ -116,4 +131,6 @@ JWT_ALGO = 'HS256'
 # Context
 SESSION_ID: ContextVar[str | None] = ContextVar('session_id', default=None)
 USER: ContextVar[UserData | None] = ContextVar('user', default=None)
+
 ID_TOKEN: ContextVar[str | None] = ContextVar('id_token', default=None)
+"""Current ID token, set when using OIDC auth"""

dara/core/auth/oidc/__init__.py

@@ -0,0 +1,3 @@
+from .config import OIDCAuthConfig
+
+__all__ = ['OIDCAuthConfig']