plain.oauth 0.7.3__tar.gz → 0.7.5__tar.gz

plain_oauth-0.7.5/.gitignore

@@ -0,0 +1,7 @@
+node_modules
+/dist
+/.venv
+*.pyc
+__pycache__
+db.sqlite3
+.env

{plain_oauth-0.7.3 → plain_oauth-0.7.5}/PKG-INFO

@@ -1,23 +1,15 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: plain.oauth
-Version: 0.7.3
+Version: 0.7.5
 Summary: OAuth login and API access for Plain.
-Home-page: https://plainframework.com
-License: BSD-3-Clause
-Author: Dave Gaeddert
-Author-email: dave.gaeddert@dropseed.dev
-Requires-Python: >=3.11,<4.0
-Classifier: License :: OSI Approved :: BSD License
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Requires-Dist: plain (<1.0.0)
-Requires-Dist: plain.auth (<1.0.0)
-Requires-Dist: plain.models (<1.0.0)
-Requires-Dist: requests
-Project-URL: Documentation, https://plainframework.com/docs/
-Project-URL: Repository, https://github.com/dropseed/plain
+Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
+License-Expression: BSD-3-Clause
+License-File: LICENSE
+Requires-Python: >=3.11
+Requires-Dist: plain-auth<1.0.0
+Requires-Dist: plain-models<1.0.0
+Requires-Dist: plain<1.0.0
+Requires-Dist: requests>=2.0.0
 Description-Content-Type: text/markdown
 
 <!-- This file is compiled from plain-oauth/plain/oauth/README.md. Do not edit this file directly. -->
@@ -323,4 +315,3 @@ This is the Django setting you're probably looking for:
 ```python
 HTTPS_PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 ```
-

{plain_oauth-0.7.3 → plain_oauth-0.7.5}/plain/oauth/providers.py

@@ -107,6 +107,7 @@ class OAuthProvider:
 
         state = request.GET["state"]
         expected_state = request.session.pop(SESSION_STATE_KEY)
+        request.session.save()  # Make sure the pop is saved (won't save on an exception)
         if not secrets.compare_digest(state, expected_state):
             raise OAuthStateMismatchError()
 

plain_oauth-0.7.5/provider_examples/bitbucket.py

@@ -0,0 +1,75 @@
+import datetime
+
+import requests
+
+from plain.oauth.providers import OAuthProvider, OAuthToken, OAuthUser
+from plain.utils import timezone
+
+
+class BitbucketOAuthProvider(OAuthProvider):
+    authorization_url = "https://bitbucket.org/site/oauth2/authorize"
+
+    def _get_token(self, request_data):
+        response = requests.post(
+            "https://bitbucket.org/site/oauth2/access_token",
+            auth=(self.get_client_id(), self.get_client_secret()),
+            headers={
+                "Accept": "application/json",
+            },
+            data=request_data,
+        )
+        response.raise_for_status()
+        data = response.json()
+        return OAuthToken(
+            access_token=data["access_token"],
+            refresh_token=data["refresh_token"],
+            access_token_expires_at=timezone.now()
+            + datetime.timedelta(seconds=data["expires_in"]),
+        )
+
+    def get_oauth_token(self, *, code, request):
+        return self._get_token(
+            {
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": self.get_callback_url(request=request),
+            }
+        )
+
+    def refresh_oauth_token(self, *, oauth_token):
+        return self._get_token(
+            {
+                "grant_type": "refresh_token",
+                "refresh_token": oauth_token.refresh_token,
+            }
+        )
+
+    def get_oauth_user(self, *, oauth_token):
+        response = requests.get(
+            "https://api.bitbucket.org/2.0/user",
+            headers={
+                "Authorization": f"Bearer {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        user_id = response.json()["uuid"]
+        username = response.json()["username"]
+
+        response = requests.get(
+            "https://api.bitbucket.org/2.0/user/emails",
+            headers={
+                "Authorization": f"Bearer {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        confirmed_primary_email = [
+            x["email"]
+            for x in response.json()["values"]
+            if x["is_primary"] and x["is_confirmed"]
+        ][0]
+
+        return OAuthUser(
+            id=user_id,
+            email=confirmed_primary_email,
+            username=username,
+        )

plain_oauth-0.7.5/provider_examples/github.py

@@ -0,0 +1,101 @@
+import datetime
+
+import requests
+
+from plain.oauth.exceptions import OAuthError
+from plain.oauth.providers import OAuthProvider, OAuthToken, OAuthUser
+from plain.utils import timezone
+
+
+class GitHubOAuthProvider(OAuthProvider):
+    authorization_url = "https://github.com/login/oauth/authorize"
+
+    github_token_url = "https://github.com/login/oauth/access_token"
+    github_user_url = "https://api.github.com/user"
+    github_emails_url = "https://api.github.com/user/emails"
+
+    def _get_token(self, request_data):
+        response = requests.post(
+            self.github_token_url,
+            headers={
+                "Accept": "application/json",
+            },
+            data=request_data,
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        oauth_token = OAuthToken(
+            access_token=data["access_token"],
+        )
+
+        # Expiration and refresh tokens are optional in GitHub depending on the app
+        if "expires_in" in data:
+            oauth_token.access_token_expires_at = timezone.now() + datetime.timedelta(
+                seconds=data["expires_in"]
+            )
+
+        if "refresh_token" in data:
+            oauth_token.refresh_token = data["refresh_token"]
+
+        if "refresh_token_expires_in" in data:
+            oauth_token.refresh_token_expires_at = timezone.now() + datetime.timedelta(
+                seconds=data["refresh_token_expires_in"]
+            )
+
+        return oauth_token
+
+    def get_oauth_token(self, *, code, request):
+        return self._get_token(
+            {
+                "client_id": self.get_client_id(),
+                "client_secret": self.get_client_secret(),
+                "code": code,
+            }
+        )
+
+    def refresh_oauth_token(self, *, oauth_token):
+        return self._get_token(
+            {
+                "client_id": self.get_client_id(),
+                "client_secret": self.get_client_secret(),
+                "refresh_token": oauth_token.refresh_token,
+                "grant_type": "refresh_token",
+            }
+        )
+
+    def get_oauth_user(self, *, oauth_token):
+        response = requests.get(
+            self.github_user_url,
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"token {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        data = response.json()
+        user_id = data["id"]
+        username = data["login"]
+
+        # Use the verified, primary email address (not the public profile email, which is optional anyway)
+        response = requests.get(
+            self.github_emails_url,
+            headers={
+                "Accept": "application/json",
+                "Authorization": f"token {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+
+        try:
+            verified_primary_email = [
+                x["email"] for x in response.json() if x["primary"] and x["verified"]
+            ][0]
+        except IndexError:
+            raise OAuthError("A verified primary email address is required on GitHub")
+
+        return OAuthUser(
+            id=user_id,
+            email=verified_primary_email,
+            username=username,
+        )

plain_oauth-0.7.5/provider_examples/gitlab.py

@@ -0,0 +1,57 @@
+import requests
+
+from plain.oauth.providers import OAuthProvider, OAuthToken, OAuthUser
+
+
+class GitLabOAuthProvider(OAuthProvider):
+    authorization_url = "https://gitlab.com/oauth/authorize"
+
+    def _get_token(self, request_data):
+        request_data["client_id"] = self.get_client_id()
+        request_data["client_secret"] = self.get_client_secret()
+        response = requests.post(
+            "https://gitlab.com/oauth/token",
+            headers={
+                "Accept": "application/json",
+            },
+            data=request_data,
+        )
+        response.raise_for_status()
+        data = response.json()
+        return OAuthToken(
+            access_token=data["access_token"],
+            refresh_token=data["refresh_token"],
+            # expires_in is missing in response?
+        )
+
+    def get_oauth_token(self, *, code, request):
+        return self._get_token(
+            {
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": self.get_callback_url(request=request),
+            }
+        )
+
+    def refresh_oauth_token(self, *, oauth_token):
+        return self._get_token(
+            {
+                "grant_type": "refresh_token",
+                "refresh_token": oauth_token.refresh_token,
+            }
+        )
+
+    def get_oauth_user(self, *, oauth_token):
+        response = requests.get(
+            "https://gitlab.com/api/v4/user",
+            headers={
+                "Authorization": f"Bearer {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        data = response.json()
+        return OAuthUser(
+            id=data["id"],
+            email=data["email"],
+            username=data["username"],
+        )

plain_oauth-0.7.5/pyproject.toml

@@ -0,0 +1,34 @@
+[project]
+name = "plain.oauth"
+version = "0.7.5"
+description = "OAuth login and API access for Plain."
+authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
+license = "BSD-3-Clause"
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+    "plain<1.0.0",
+    "plain.auth<1.0.0",
+    "plain.models<1.0.0",
+    "requests>=2.0.0",
+]
+
+[tool.pytest.ini_options]
+python_files = "tests.py test_*.py *_tests.py"
+PLAIN_SETTINGS_MODULE = "tests.settings"
+FAIL_INVALID_TEMPLATE_VARS = true
+
+[tool.uv]
+dev-dependencies = [
+    "plain.pytest<1.0.0",
+]
+
+[tool.uv.sources]
+"plain.pytest" = {path = "../plain-pytest", editable = true}
+
+[tool.hatch.build.targets.wheel]
+packages = ["plain"]
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"

plain_oauth-0.7.5/tests/app/settings.py

@@ -0,0 +1,49 @@
+from os import environ
+
+SECRET_KEY = "test"
+INSTALLED_PACKAGES = [
+    "plain.auth",
+    "plain.sessions",
+    "plain.models",
+    "plain.oauth",
+    "app.users",
+]
+DATABASES = {
+    "default": {
+        "ENGINE": "plain.models.backends.sqlite3",
+        "NAME": ":memory:",
+    }
+}
+MIDDLEWARE = [
+    "plain.sessions.middleware.SessionMiddleware",
+    "plain.auth.middleware.AuthenticationMiddleware",
+]
+AUTH_LOGIN_URL = "login"
+AUTH_USER_MODEL = "users.User"
+
+# OAuth providers to use for a real, interactive test
+# (in a real config you'd probably do environ["key"] to raise a KeyError if an env var is forgotten)
+OAUTH_LOGIN_PROVIDERS = {
+    "github": {
+        "class": "providers.github.GitHubOAuthProvider",
+        "kwargs": {
+            "client_id": environ.get("GITHUB_CLIENT_ID"),
+            "client_secret": environ.get("GITHUB_CLIENT_SECRET"),
+        },
+    },
+    "bitbucket": {
+        "class": "providers.bitbucket.BitbucketOAuthProvider",
+        "kwargs": {
+            "client_id": environ.get("BITBUCKET_KEY"),
+            "client_secret": environ.get("BITBUCKET_SECRET"),
+        },
+    },
+    "gitlab": {
+        "class": "providers.gitlab.GitLabOAuthProvider",
+        "kwargs": {
+            "client_id": environ.get("GITLAB_APPLICATION_ID"),
+            "client_secret": environ.get("GITLAB_APPLICATION_SECRET"),
+            "scope": "read_user",
+        },
+    },
+}

plain_oauth-0.7.5/tests/app/templates/base.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Document</title>
+</head>
+<body>
+    {% block content %}
+    {% endblock %}
+</body>
+</html>

plain_oauth-0.7.5/tests/app/templates/index.html

@@ -0,0 +1,33 @@
+{% extends "base.html" %}
+
+{% block content %}
+Hello {{ request.user }}!
+
+<h2>Existing connections</h2>
+<ul>
+    {% for connection in request.user.oauth_connections.all() %}
+    <li>
+        {{ connection.provider_key }} [ID: {{ connection.provider_user_id }}]
+        <form action="{{ url('oauth:disconnect', connection.provider_key) }}" method="post">
+            {{ csrf_input }}
+            <input type="hidden" name="provider_user_id" value="{{ connection.provider_user_id }}">
+            <button type="submit">Disconnect</button>
+        </form>
+    </li>
+    {% endfor %}
+</ul>
+
+<h2>Add a connection</h2>
+<ul>
+    {% for provider_key in oauth_provider_keys %}
+    <li>
+        {{ provider_key}}
+        <form action="{{ url('oauth:connect', provider_key) }}" method="post">
+            {{ csrf_input }}
+            <button type="submit">Connect</button>
+        </form>
+    </li>
+    {% endfor %}
+</ul>
+
+{% endblock %}

plain_oauth-0.7.5/tests/app/templates/login.html

@@ -0,0 +1,17 @@
+{% extends "base.html" %}
+
+{% block content %}
+<h1>Login</h1>
+<form action="{% url 'oauth:login' 'github' %}" method="post">
+    {{ csrf_input }}
+    <button type="submit">Login with GitHub</button>
+</form>
+<form action="{% url 'oauth:login' 'gitlab' %}" method="post">
+    {{ csrf_input }}
+    <button type="submit">Login with GitLab</button>
+</form>
+<form action="{% url 'oauth:login' 'bitbucket' %}" method="post">
+    {{ csrf_input }}
+    <button type="submit">Login with Bitbucket</button>
+</form>
+{% endblock %}

plain_oauth-0.7.5/tests/app/urls.py

@@ -0,0 +1,26 @@
+import plain.oauth.urls
+from plain.auth.views import AuthViewMixin, LogoutView
+from plain.oauth.providers import get_provider_keys
+from plain.urls import include, path
+from plain.views import TemplateView
+
+
+class LoggedInView(AuthViewMixin, TemplateView):
+    template_name = "index.html"
+
+    def get_template_context(self):
+        context = super().get_template_context()
+        context["oauth_provider_keys"] = get_provider_keys()
+        return context
+
+
+class LoginView(TemplateView):
+    template_name = "login.html"
+
+
+urlpatterns = [
+    path("oauth/", include(plain.oauth.urls)),
+    path("login/", LoginView, name="login"),
+    path("logout/", LogoutView, name="logout"),
+    path("", LoggedInView),
+]

plain_oauth-0.7.5/tests/app/users/models.py

@@ -0,0 +1,9 @@
+from plain import models
+
+
+class User(models.Model):
+    email = models.EmailField(unique=True)
+    username = models.CharField(max_length=100, unique=True)
+
+    def __str__(self):
+        return self.username

plain_oauth-0.7.5/tests/provider_tests/test_github.py

@@ -0,0 +1,66 @@
+from tests.providers.github import GitHubOAuthProvider
+
+from plain.oauth.providers import OAuthToken, OAuthUser
+
+
+class DummyGitHubOAuthProvider(GitHubOAuthProvider):
+    def generate_state(self) -> str:
+        return "dummy_state"
+
+    def get_oauth_token(self, code, request):
+        return OAuthToken(access_token="gho_key")
+
+    def get_oauth_user(self, oauth_token):
+        return OAuthUser(
+            id="99",
+            username="userone",
+            email="user@example.com",
+        )
+
+
+def test_github_provider(db, client, settings):
+    settings.OAUTH_LOGIN_PROVIDERS = {
+        "github": {
+            "class": "provider_tests.test_github.DummyGitHubOAuthProvider",
+            "kwargs": {
+                "client_id": "test_id",
+                "client_secret": "test_secret",
+                "scope": "user",
+            },
+        }
+    }
+
+    # Login required for this view
+    response = client.get("/")
+    assert response.status_code == 302
+    assert response.url == "/login/?next=/"
+
+    # User clicks the login link (form submit)
+    response = client.post("/oauth/github/login/")
+    assert response.status_code == 302
+    assert (
+        response.url
+        == "https://github.com/login/oauth/authorize?client_id=test_id&redirect_uri=https%3A%2F%2Ftestserver%2Foauth%2Fgithub%2Fcallback%2F&response_type=code&scope=user&state=dummy_state"
+    )
+
+    # GitHub redirects to the callback url
+    response = client.get("/oauth/github/callback/?code=test_code&state=dummy_state")
+    assert response.status_code == 302
+    assert response.url == "/"
+
+    # Now logged in
+    response = client.get("/")
+    assert response.status_code == 200
+    assert b"Hello userone!\n" in response.content
+
+    # Check the user and connection that was created
+    user = response.user
+    assert user.username == "userone"
+    assert user.email == "user@example.com"
+    connections = user.oauth_connections.all()
+    assert len(connections) == 1
+    assert connections[0].provider_key == "github"
+    assert connections[0].provider_user_id == "99"
+    assert connections[0].access_token == "gho_key"
+    assert connections[0].refresh_token == ""
+    assert connections[0].access_token_expires_at is None

plain_oauth-0.7.5/tests/providers/bitbucket.py

@@ -0,0 +1,75 @@
+import datetime
+
+import requests
+
+from plain.oauth.providers import OAuthProvider, OAuthToken, OAuthUser
+from plain.utils import timezone
+
+
+class BitbucketOAuthProvider(OAuthProvider):
+    authorization_url = "https://bitbucket.org/site/oauth2/authorize"
+
+    def _get_token(self, request_data):
+        response = requests.post(
+            "https://bitbucket.org/site/oauth2/access_token",
+            auth=(self.get_client_id(), self.get_client_secret()),
+            headers={
+                "Accept": "application/json",
+            },
+            data=request_data,
+        )
+        response.raise_for_status()
+        data = response.json()
+        return OAuthToken(
+            access_token=data["access_token"],
+            refresh_token=data["refresh_token"],
+            access_token_expires_at=timezone.now()
+            + datetime.timedelta(seconds=data["expires_in"]),
+        )
+
+    def get_oauth_token(self, *, code, request):
+        return self._get_token(
+            {
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": self.get_callback_url(request=request),
+            }
+        )
+
+    def refresh_oauth_token(self, *, oauth_token):
+        return self._get_token(
+            {
+                "grant_type": "refresh_token",
+                "refresh_token": oauth_token.refresh_token,
+            }
+        )
+
+    def get_oauth_user(self, *, oauth_token):
+        response = requests.get(
+            "https://api.bitbucket.org/2.0/user",
+            headers={
+                "Authorization": f"Bearer {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        user_id = response.json()["uuid"]
+        username = response.json()["username"]
+
+        response = requests.get(
+            "https://api.bitbucket.org/2.0/user/emails",
+            headers={
+                "Authorization": f"Bearer {oauth_token.access_token}",
+            },
+        )
+        response.raise_for_status()
+        confirmed_primary_email = [
+            x["email"]
+            for x in response.json()["values"]
+            if x["is_primary"] and x["is_confirmed"]
+        ][0]
+
+        return OAuthUser(
+            id=user_id,
+            email=confirmed_primary_email,
+            username=username,
+        )