PyPI - plain.oauth - Versions diffs - 0.0.0__py3-none-any.whl - Mend

plain.oauth 0.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

plain/oauth/README.md +329 -0
plain/oauth/__init__.py +0 -0
plain/oauth/admin.py +47 -0
plain/oauth/config.py +6 -0
plain/oauth/exceptions.py +12 -0
plain/oauth/migrations/0001_initial.py +56 -0
plain/oauth/migrations/0002_alter_oauthconnection_options_and_more.py +24 -0
plain/oauth/migrations/0003_alter_oauthconnection_access_token_and_more.py +23 -0
plain/oauth/migrations/0004_alter_oauthconnection_access_token_and_more.py +23 -0
plain/oauth/migrations/__init__.py +0 -0
plain/oauth/models.py +191 -0
plain/oauth/providers.py +192 -0
plain/oauth/templates/oauth/error.html +6 -0
plain/oauth/urls.py +24 -0
plain/oauth/views.py +87 -0
plain_oauth-0.0.0.dist-info/LICENSE +28 -0
plain_oauth-0.0.0.dist-info/METADATA +352 -0
plain_oauth-0.0.0.dist-info/RECORD +19 -0
plain_oauth-0.0.0.dist-info/WHEEL +4 -0

plain/oauth/models.py ADDED Viewed

@@ -0,0 +1,191 @@
+from typing import TYPE_CHECKING
+from plain import models, transaction
+from plain.auth import get_user_model
+from plain.models.db import IntegrityError, OperationalError, ProgrammingError
+from plain.preflight import Error
+from plain.runtime import settings
+from plain.utils import timezone
+from .exceptions import OAuthUserAlreadyExistsError
+if TYPE_CHECKING:
+    from .providers import OAuthToken, OAuthUser
+# django check for deploy that ensures all provider keys in db are also in settings?
+class OAuthConnection(models.Model):
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="oauth_connections",
+    )
+    # The key used to refer to this provider type (in settings)
+    provider_key = models.CharField(max_length=100, db_index=True)
+    # The unique ID of the user on the provider's system
+    provider_user_id = models.CharField(max_length=100, db_index=True)
+    # Token data
+    access_token = models.CharField(max_length=2000)
+    refresh_token = models.CharField(max_length=2000, blank=True)
+    access_token_expires_at = models.DateTimeField(blank=True, null=True)
+    refresh_token_expires_at = models.DateTimeField(blank=True, null=True)
+    class Meta:
+        unique_together = ("provider_key", "provider_user_id")
+        ordering = ("provider_key",)
+    def __str__(self):
+        return f"{self.provider_key}[{self.user}:{self.provider_user_id}]"
+    def refresh_access_token(self) -> None:
+        from .providers import OAuthToken, get_oauth_provider_instance
+        provider_instance = get_oauth_provider_instance(provider_key=self.provider_key)
+        oauth_token = OAuthToken(
+            access_token=self.access_token,
+            refresh_token=self.refresh_token,
+            access_token_expires_at=self.access_token_expires_at,
+            refresh_token_expires_at=self.refresh_token_expires_at,
+        )
+        refreshed_oauth_token = provider_instance.refresh_oauth_token(
+            oauth_token=oauth_token
+        )
+        self.set_token_fields(refreshed_oauth_token)
+        self.save()
+    def set_token_fields(self, oauth_token: "OAuthToken"):
+        self.access_token = oauth_token.access_token
+        self.refresh_token = oauth_token.refresh_token
+        self.access_token_expires_at = oauth_token.access_token_expires_at
+        self.refresh_token_expires_at = oauth_token.refresh_token_expires_at
+    def set_user_fields(self, oauth_user: "OAuthUser"):
+        self.provider_user_id = oauth_user.id
+    def access_token_expired(self) -> bool:
+        return (
+            self.access_token_expires_at is not None
+            and self.access_token_expires_at < timezone.now()
+        )
+    def refresh_token_expired(self) -> bool:
+        return (
+            self.refresh_token_expires_at is not None
+            and self.refresh_token_expires_at < timezone.now()
+        )
+    @classmethod
+    def get_or_createuser(
+        cls, *, provider_key: str, oauth_token: "OAuthToken", oauth_user: "OAuthUser"
+    ) -> "OAuthConnection":
+        try:
+            connection = cls.objects.get(
+                provider_key=provider_key,
+                provider_user_id=oauth_user.id,
+            )
+            connection.set_token_fields(oauth_token)
+            connection.save()
+            return connection
+        except cls.DoesNotExist:
+            with transaction.atomic():
+                # If email needs to be unique, then we expect
+                # that to be taken care of on the user model itself
+                try:
+                    user = get_user_model()(
+                        username=oauth_user.username,
+                        email=oauth_user.email,
+                    )
+                    user.full_clean()
+                    user.save()
+                except IntegrityError:
+                    raise OAuthUserAlreadyExistsError()
+                return cls.connect(
+                    user=user,
+                    provider_key=provider_key,
+                    oauth_token=oauth_token,
+                    oauth_user=oauth_user,
+                )
+    @classmethod
+    def connect(
+        cls,
+        *,
+        user: settings.AUTH_USER_MODEL,
+        provider_key: str,
+        oauth_token: "OAuthToken",
+        oauth_user: "OAuthUser",
+    ) -> "OAuthConnection":
+        """
+        Connect will either create a new connection or update an existing connection
+        """
+        try:
+            connection = cls.objects.get(
+                user=user,
+                provider_key=provider_key,
+                provider_user_id=oauth_user.id,
+            )
+        except cls.DoesNotExist:
+            # Create our own instance (not using get_or_create)
+            # so that any created signals contain the token fields too
+            connection = cls(
+                user=user,
+                provider_key=provider_key,
+                provider_user_id=oauth_user.id,
+            )
+        connection.set_user_fields(oauth_user)
+        connection.set_token_fields(oauth_token)
+        connection.save()
+        return connection
+    @classmethod
+    def check(cls, **kwargs):
+        """
+        A system check for ensuring that provider_keys in the database are also present in settings.
+        Note that the --database flag is required for this to work:
+          python manage.py check --database default
+        """
+        errors = super().check(**kwargs)
+        databases = kwargs.get("databases", None)
+        if not databases:
+            return errors
+        from .providers import get_provider_keys
+        for database in databases:
+            try:
+                keys_in_db = set(
+                    cls.objects.using(database)
+                    .values_list("provider_key", flat=True)
+                    .distinct()
+                )
+            except (OperationalError, ProgrammingError):
+                # Check runs on manage.py migrate, and the table may not exist yet
+                # or it may not be installed on the particular database intentionally
+                continue
+            keys_in_settings = set(get_provider_keys())
+            if keys_in_db - keys_in_settings:
+                errors.append(
+                    Error(
+                        "The following OAuth providers are in the database but not in the settings: {}".format(
+                            ", ".join(keys_in_db - keys_in_settings)
+                        ),
+                        id="plain.oauth.E001",
+                    )
+                )
+        return errors

plain/oauth/providers.py ADDED Viewed

@@ -0,0 +1,192 @@
+import datetime
+import secrets
+from typing import Any
+from urllib.parse import urlencode
+from plain.auth import login as auth_login
+from plain.http import HttpRequest, Response, ResponseRedirect
+from plain.runtime import settings
+from plain.urls import reverse
+from plain.utils.crypto import get_random_string
+from plain.utils.module_loading import import_string
+from .exceptions import OAuthError, OAuthStateMismatchError
+from .models import OAuthConnection
+SESSION_STATE_KEY = "plainoauth_state"
+SESSION_NEXT_KEY = "plainoauth_next"
+class OAuthToken:
+    def __init__(
+        self,
+        *,
+        access_token: str,
+        refresh_token: str = "",
+        access_token_expires_at: datetime.datetime = None,
+        refresh_token_expires_at: datetime.datetime = None,
+    ):
+        self.access_token = access_token
+        self.refresh_token = refresh_token
+        self.access_token_expires_at = access_token_expires_at
+        self.refresh_token_expires_at = refresh_token_expires_at
+class OAuthUser:
+    def __init__(self, *, id: str, email: str, username: str = ""):
+        self.id = id
+        self.username = username
+        self.email = email
+    def __str__(self):
+        return self.email
+class OAuthProvider:
+    authorization_url = ""
+    def __init__(
+        self,
+        *,
+        # Provided automatically
+        provider_key: str,
+        # Required as kwargs in OAUTH_LOGIN_PROVIDERS setting
+        client_id: str,
+        client_secret: str,
+        # Not necessarily required, but commonly used
+        scope: str = "",
+    ):
+        self.provider_key = provider_key
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.scope = scope
+    def get_authorization_url_params(self, *, request: HttpRequest) -> dict:
+        return {
+            "redirect_uri": self.get_callback_url(request=request),
+            "client_id": self.get_client_id(),
+            "scope": self.get_scope(),
+            "state": self.generate_state(),
+            "response_type": "code",
+        }
+    def refresh_oauth_token(self, *, oauth_token: OAuthToken) -> OAuthToken:
+        raise NotImplementedError()
+    def get_oauth_token(self, *, code: str, request: HttpRequest) -> OAuthToken:
+        raise NotImplementedError()
+    def get_oauth_user(self, *, oauth_token: OAuthToken) -> OAuthUser:
+        raise NotImplementedError()
+    def get_authorization_url(self, *, request: HttpRequest) -> str:
+        return self.authorization_url
+    def get_client_id(self) -> str:
+        return self.client_id
+    def get_client_secret(self) -> str:
+        return self.client_secret
+    def get_scope(self) -> str:
+        return self.scope
+    def get_callback_url(self, *, request: HttpRequest) -> str:
+        url = reverse("oauth:callback", kwargs={"provider": self.provider_key})
+        return request.build_absolute_uri(url)
+    def generate_state(self) -> str:
+        return get_random_string(length=32)
+    def check_request_state(self, *, request: HttpRequest) -> None:
+        if error := request.GET.get("error"):
+            raise OAuthError(error)
+        state = request.GET["state"]
+        expected_state = request.session.pop(SESSION_STATE_KEY)
+        if not secrets.compare_digest(state, expected_state):
+            raise OAuthStateMismatchError()
+    def handle_login_request(
+        self, *, request: HttpRequest, redirect_to: str = ""
+    ) -> Response:
+        authorization_url = self.get_authorization_url(request=request)
+        authorization_params = self.get_authorization_url_params(request=request)
+        if "state" in authorization_params:
+            # Store the state in the session so we can check on callback
+            request.session[SESSION_STATE_KEY] = authorization_params["state"]
+        # Store next url in session so we can get it on the callback request
+        if redirect_to:
+            request.session[SESSION_NEXT_KEY] = redirect_to
+        elif "next" in request.POST:
+            request.session[SESSION_NEXT_KEY] = request.POST["next"]
+        # Sort authorization params for consistency
+        sorted_authorization_params = sorted(authorization_params.items())
+        redirect_url = authorization_url + "?" + urlencode(sorted_authorization_params)
+        return ResponseRedirect(redirect_url)
+    def handle_connect_request(
+        self, *, request: HttpRequest, redirect_to: str = ""
+    ) -> Response:
+        return self.handle_login_request(request=request, redirect_to=redirect_to)
+    def handle_disconnect_request(self, *, request: HttpRequest) -> Response:
+        provider_user_id = request.POST["provider_user_id"]
+        connection = OAuthConnection.objects.get(
+            provider_key=self.provider_key, provider_user_id=provider_user_id
+        )
+        connection.delete()
+        redirect_url = self.get_disconnect_redirect_url(request=request)
+        return ResponseRedirect(redirect_url)
+    def handle_callback_request(self, *, request: HttpRequest) -> Response:
+        self.check_request_state(request=request)
+        oauth_token = self.get_oauth_token(code=request.GET["code"], request=request)
+        oauth_user = self.get_oauth_user(oauth_token=oauth_token)
+        if request.user:
+            connection = OAuthConnection.connect(
+                user=request.user,
+                provider_key=self.provider_key,
+                oauth_token=oauth_token,
+                oauth_user=oauth_user,
+            )
+            user = connection.user
+        else:
+            connection = OAuthConnection.get_or_createuser(
+                provider_key=self.provider_key,
+                oauth_token=oauth_token,
+                oauth_user=oauth_user,
+            )
+            user = connection.user
+            self.login(request=request, user=user)
+        redirect_url = self.get_login_redirect_url(request=request)
+        return ResponseRedirect(redirect_url)
+    def login(self, *, request: HttpRequest, user: Any) -> Response:
+        auth_login(request=request, user=user)
+    def get_login_redirect_url(self, *, request: HttpRequest) -> str:
+        return request.session.pop(SESSION_NEXT_KEY, "/")
+    def get_disconnect_redirect_url(self, *, request: HttpRequest) -> str:
+        return request.POST.get("next", "/")
+def get_oauth_provider_instance(*, provider_key: str) -> OAuthProvider:
+    OAUTH_LOGIN_PROVIDERS = getattr(settings, "OAUTH_LOGIN_PROVIDERS", {})
+    provider_class_path = OAUTH_LOGIN_PROVIDERS[provider_key]["class"]
+    provider_class = import_string(provider_class_path)
+    provider_kwargs = OAUTH_LOGIN_PROVIDERS[provider_key].get("kwargs", {})
+    return provider_class(provider_key=provider_key, **provider_kwargs)
+def get_provider_keys() -> list[str]:
+    return list(getattr(settings, "OAUTH_LOGIN_PROVIDERS", {}).keys())

plain/oauth/templates/oauth/error.html ADDED Viewed

@@ -0,0 +1,6 @@
+{% extends "base.html" %}
+{% block content %}
+<h1>OAuth Error</h1>
+<p>{{ oauth_error }}</p>
+{% endblock %}

plain/oauth/urls.py ADDED Viewed

@@ -0,0 +1,24 @@
+from plain.urls import include, path
+from . import views
+default_namespace = "oauth"
+urlpatterns = [
+    path(
+        "<str:provider>/",
+        include(
+            [
+                # Login and Signup are both handled here, because the intent is the same
+                path("login/", views.OAuthLoginView, name="login"),
+                path("connect/", views.OAuthConnectView, name="connect"),
+                path(
+                    "disconnect/",
+                    views.OAuthDisconnectView,
+                    name="disconnect",
+                ),
+                path("callback/", views.OAuthCallbackView, name="callback"),
+            ]
+        ),
+    ),
+]

plain/oauth/views.py ADDED Viewed

@@ -0,0 +1,87 @@
+import logging
+from plain.auth.views import AuthViewMixin
+from plain.http import ResponseBadRequest, ResponseRedirect
+from plain.templates import jinja
+from plain.views import View
+from .exceptions import (
+    OAuthError,
+    OAuthStateMismatchError,
+    OAuthUserAlreadyExistsError,
+)
+from .providers import get_oauth_provider_instance
+logger = logging.getLogger(__name__)
+class OAuthLoginView(View):
+    def post(self):
+        request = self.request
+        provider = self.url_kwargs["provider"]
+        if request.user:
+            return ResponseRedirect("/")
+        provider_instance = get_oauth_provider_instance(provider_key=provider)
+        return provider_instance.handle_login_request(request=request)
+class OAuthCallbackView(View):
+    """
+    The callback view is used for signup, login, and connect.
+    """
+    def get(self):
+        request = self.request
+        provider = self.url_kwargs["provider"]
+        provider_instance = get_oauth_provider_instance(provider_key=provider)
+        try:
+            return provider_instance.handle_callback_request(request=request)
+        except OAuthUserAlreadyExistsError:
+            template = jinja.get_template("oauth/error.html")
+            return ResponseBadRequest(
+                template.render(
+                    {
+                        "oauth_error": "A user already exists with this email address. Please log in first and then connect this OAuth provider to the existing account."
+                    }
+                )
+            )
+        except OAuthStateMismatchError:
+            template = jinja.get_template("oauth/error.html")
+            return ResponseBadRequest(
+                template.render(
+                    {
+                        "oauth_error": "The state parameter did not match. Please try again."
+                    }
+                )
+            )
+        except OAuthError as e:
+            logger.exception("OAuth error")
+            template = jinja.get_template("oauth/error.html")
+            return ResponseBadRequest(template.render({"oauth_error": str(e)}))
+class OAuthConnectView(AuthViewMixin, View):
+    def post(self):
+        request = self.request
+        provider = self.url_kwargs["provider"]
+        provider_instance = get_oauth_provider_instance(provider_key=provider)
+        return provider_instance.handle_connect_request(request=request)
+class OAuthDisconnectView(AuthViewMixin, View):
+    def post(self):
+        request = self.request
+        provider = self.url_kwargs["provider"]
+        provider_instance = get_oauth_provider_instance(provider_key=provider)
+        # try:
+        return provider_instance.handle_disconnect_request(request=request)
+        # except OAuthCannotDisconnectError:
+        #     return render(
+        #         request,
+        #         "oauth/error.html",
+        #         {
+        #             "oauth_error": "This connection can't be removed. You must have a usable password or at least one active connection."
+        #         },
+        #         status=400,
+        #     )

plain_oauth-0.0.0.dist-info/LICENSE ADDED Viewed

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+Copyright (c) 2023, Dropseed, LLC
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.