udata 9.1.5.dev31308__py2.py3-none-any.whl → 9.1.5.dev31332__py2.py3-none-any.whl

udata/api/oauth2.py

@@ -15,6 +15,7 @@ As well as a sample application:
 """
 
 import fnmatch
+import time
 from datetime import datetime, timedelta
 
 from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector
@@ -111,7 +112,7 @@ class OAuth2Client(ClientMixin, db.Datetimed, db.Document):
     def check_client_secret(self, client_secret):
         return self.secret == client_secret
 
-    def check_token_endpoint_auth_method(self, method):
+    def check_endpoint_auth_method(self, method, _endpoint):
         if not self.has_client_secret():
             return method == "none"
         return method in ("client_secret_post", "client_secret_basic")
@@ -149,6 +150,9 @@ class OAuth2Token(db.Document):
     def __str__(self):
         return "<OAuth2Token({0.client.name})>".format(self)
 
+    def check_client(self, client):
+        return self.client == client
+
     def get_scope(self):
         return self.scope
 
@@ -161,6 +165,13 @@ class OAuth2Token(db.Document):
     def get_client_id(self):
         return str(self.client.id)
 
+    def is_expired(self):
+        now = time.time()
+        return self.get_expires_at() < now
+
+    def is_revoked(self):
+        return self.revoked
+
     def is_refresh_token_valid(self):
         if self.revoked:
             return False
@@ -238,6 +249,8 @@ class PasswordGrant(grants.ResourceOwnerPasswordCredentialsGrant):
 
 
 class RefreshTokenGrant(grants.RefreshTokenGrant):
+    INCLUDE_NEW_REFRESH_TOKEN = True
+
     def authenticate_refresh_token(self, refresh_token):
         item = OAuth2Token.objects(refresh_token=refresh_token).first()
         if item and item.is_refresh_token_valid():
@@ -252,17 +265,17 @@ class RefreshTokenGrant(grants.RefreshTokenGrant):
 
 
 class RevokeToken(RevocationEndpoint):
-    def query_token(self, token, token_type_hint, client):
-        qs = OAuth2Token.objects(client=client)
+    def query_token(self, token_string, token_type_hint):
+        qs = OAuth2Token.objects()
         if token_type_hint == "access_token":
-            return qs.filter(access_token=token).first()
+            return qs.filter(access_token=token_string).first()
         elif token_type_hint == "refresh_token":
-            return qs.filter(refresh_token=token).first()
+            return qs.filter(refresh_token=token_string).first()
         else:
-            qs = qs(db.Q(access_token=token) | db.Q(refresh_token=token))
+            qs = qs(db.Q(access_token=token_string) | db.Q(refresh_token=token_string))
             return qs.first()
 
-    def revoke_token(self, token):
+    def revoke_token(self, token, _request):
         token.revoked = True
         token.save()
 
@@ -295,7 +308,7 @@ def revoke_token():
 def authorize(*args, **kwargs):
     if request.method == "GET":
         try:
-            grant = oauth.validate_consent_request(end_user=current_user)
+            grant = oauth.get_consent_grant(end_user=current_user)
         except OAuth2Error as error:
             return error.error
         # Bypass authorization screen for internal clients
@@ -324,13 +337,15 @@ def query_client(client_id):
 
 def save_token(token, request):
     scope = token.pop("scope", "")
+    client = request.client
+    user = request.user or client.owner
     if request.grant_type == "refresh_token":
-        credential = request.credential
-        credential.update(scope=scope, **token)
+        old_token = OAuth2Token.objects(
+            refresh_token=request.refresh_token.refresh_token, client=client, user=user, scope=scope
+        ).first()
+        old_token.update(**token)
     else:
-        client = request.client
-        user = request.user or client.owner
-        OAuth2Token.objects.create(client=client, user=user.id, scope=scope, **token)
+        OAuth2Token.objects.create(client=client, user=user, scope=scope, **token)
 
 
 def check_credentials():

udata/tests/api/test_auth_api.py

@@ -301,7 +301,7 @@ class APIAuthTest:
 
         assert_status(response, 400)
         assert "error" in response.json
-        assert "redirect_uri" in response.json["error_description"]
+        assert "Redirect URI" in response.json["error_description"]
 
     @pytest.mark.options(OAUTH2_ALLOW_WILDCARD_IN_REDIRECT_URI=True)
     @pytest.mark.oauth(redirect_uris=["https://*.test.org/callback"])
@@ -327,7 +327,7 @@ class APIAuthTest:
 
         assert_status(response, 400)
         assert "error" in response.json
-        assert "redirect_uri" in response.json["error_description"]
+        assert "Redirect URI" in response.json["error_description"]
 
     def test_authorization_grant_token(self, client, oauth):
         client.login()
@@ -360,6 +360,8 @@ class APIAuthTest:
         assert200(response)
         assert response.content_type == "application/json"
         assert "access_token" in response.json
+        tokens = OAuth2Token.objects(access_token=response.json["access_token"])
+        assert len(tokens) == 1  # A token has been created and saved.
 
     def test_s256_code_challenge_success_client_secret_basic(self, client, oauth):
         code_verifier = generate_token(48)
@@ -582,23 +584,36 @@ class APIAuthTest:
         )
 
         assert_status(response, 400)
-        assert response.json["error"] == "invalid_grant"
+        assert response.json["error"] == "unsupported_response_type"
 
     @pytest.mark.oauth(confidential=True)
     def test_refresh_token(self, client, oauth):
         user = UserFactory()
-        token = OAuth2Token.objects.create(
+        token_to_be_refreshed = OAuth2Token.objects.create(
             client=oauth,
             user=user,
             access_token="access-token",
             refresh_token="refresh-token",
         )
+        token_same_user_not_refreshed = OAuth2Token.objects.create(
+            client=oauth,
+            user=user,
+            access_token="same-user-access-token",
+            refresh_token="same-user-refresh-token",
+        )
+        other_token = OAuth2Token.objects.create(
+            client=oauth,
+            user=UserFactory(),
+            access_token="other-access-token",
+            refresh_token="other-refresh-token",
+        )
+        tokens_count = OAuth2Token.objects.count()
 
         response = client.post(
             url_for("oauth.token"),
             {
                 "grant_type": "refresh_token",
-                "refresh_token": token.refresh_token,
+                "refresh_token": token_to_be_refreshed.refresh_token,
             },
             headers=basic_header(oauth),
         )
@@ -607,6 +622,26 @@ class APIAuthTest:
         assert response.content_type == "application/json"
         assert "access_token" in response.json
 
+        # Reload from the DB.
+        token_to_be_refreshed.reload()
+        token_same_user_not_refreshed.reload()
+        other_token.reload()
+
+        assert tokens_count == OAuth2Token.objects.count()  # No new token created.
+
+        # The access token has been refreshed.
+        assert token_to_be_refreshed.access_token != "access-token"
+        # The refresh token is also updated.
+        assert token_to_be_refreshed.refresh_token != "refresh-token"
+
+        # No change to the user's other token.
+        assert token_same_user_not_refreshed.access_token == "same-user-access-token"
+        assert token_same_user_not_refreshed.refresh_token == "same-user-refresh-token"
+
+        # No change to other token.
+        assert other_token.access_token == "other-access-token"
+        assert other_token.refresh_token == "other-refresh-token"
+
     @pytest.mark.parametrize("token_type", ["access_token", "refresh_token"])
     def test_revoke_token(self, client, oauth, token_type):
         user = UserFactory()

{udata-9.1.5.dev31308.dist-info → udata-9.1.5.dev31332.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: udata
-Version: 9.1.5.dev31308
+Version: 9.1.5.dev31332
 Summary: Open data portal
 Home-page: https://github.com/opendatateam/udata
 Author: Opendata Team
@@ -25,7 +25,7 @@ Requires-Dist: amqp ==5.2.0
 Requires-Dist: aniso8601 ==9.0.1
 Requires-Dist: appdirs ==1.4.4
 Requires-Dist: attrs ==23.2.0
-Requires-Dist: authlib ==0.14.3
+Requires-Dist: authlib ==1.3.1
 Requires-Dist: awesome-slugify ==1.6.5
 Requires-Dist: babel ==2.12.1
 Requires-Dist: bcrypt ==3.1.7
@@ -156,6 +156,7 @@ It is collectively taken care of by members of the
 - Always add Vary even for non CORS requests [#3132](https://github.com/opendatateam/udata/pull/3132)
 - Add acronym in organization csv catalog [#3134](https://github.com/opendatateam/udata/pull/3134)
 - Limit the number of user suggestions [#3131](https://github.com/opendatateam/udata/pull/3131)
+- Update authlib dependency from 0.14.3 to 1.3.1 [#3135](https://github.com/opendatateam/udata/pull/3135)
 
 ## 9.1.3 (2024-08-01)
 

{udata-9.1.5.dev31308.dist-info → udata-9.1.5.dev31332.dist-info}/RECORD

@@ -29,7 +29,7 @@ udata/api/__init__.py,sha256=p2FcJ1I4k4HERFvYYQNitO23FnfBc-kXpMlWb7u__RM,10644
 udata/api/commands.py,sha256=SwZYuANyGoI-lplWg18d0Ej8e7znmIA5EUKIU0jBA6U,3227
 udata/api/errors.py,sha256=P_UigBf6HAL73LbXKULagmp5Cuw-H1Ms6LmXxOmFIeg,211
 udata/api/fields.py,sha256=BO2bHPWN6CT2bNpEkkosBGVUSV383nl8MUed_wlxLmw,4176
-udata/api/oauth2.py,sha256=80NtFfQpd-DAhRDN-4h0zi5gB2qHoBIrF8NXzbCnMS4,11621
+udata/api/oauth2.py,sha256=4emtZKqVoNrWBNQsg1AEW-K5BMcQabMp7GCY3sF6EO4,12013
 udata/api/parsers.py,sha256=iQEwgMwdVz_gXlVZYaRCGrUFWvcf7_8uCIxw7Iw-hpw,1405
 udata/api/signals.py,sha256=t8s7tF1KYeAygqbR4GdA76_UYvthAsyRbJaqsMmFsK4,162
 udata/auth/__init__.py,sha256=RRMYs8rYIwXncx3Z62NFtVhuQzxQrFQpC1lBhl68WJI,1992
@@ -598,7 +598,7 @@ udata/tests/test_uris.py,sha256=MxafZ0SyzSNRomVpZnH1ChzWaHOi1MQiXe1gmKnBc6o,8517
 udata/tests/test_utils.py,sha256=3BGnlvw-GOE6tLHQteo-uUeYuzq4rsjePOuytFGkpOg,7967
 udata/tests/api/__init__.py,sha256=y4sL7LD1-KwONHF0q_Rhk2W6BmGUlp7Uz2JnX3e27sk,1218
 udata/tests/api/test_activities_api.py,sha256=RjDDeNle3T-ydVnh6BRypqxAE_244-DXaKkuUCT0HVU,2823
-udata/tests/api/test_auth_api.py,sha256=0Y_JXQ4x8jvc_pp4g3H6gZ_X0QVGM6TaZ2IN9LeOWEg,21657
+udata/tests/api/test_auth_api.py,sha256=buWlvWOKLhEH-hS_bDyHePyyitRg8fX86hYy2Euo6AY,23200
 udata/tests/api/test_base_api.py,sha256=2w_vz0eEuq3P3aN-ByvxGc3VZAo7XtgatFfcrzf2uEU,2244
 udata/tests/api/test_contact_points.py,sha256=pyakkKnM4lH_asuEoXq9lQyJC9to6ZxSp4QQrHh1c1U,1041
 udata/tests/api/test_dataservices_api.py,sha256=dfPonOmHcx83KLeUa2uqVaa2DJ_Xx91fHBqmFOlOP10,14636
@@ -697,9 +697,9 @@ udata/translations/pt/LC_MESSAGES/udata.mo,sha256=WpPzAqVd2Onv_kz45ULUySKPLrpjcc
 udata/translations/pt/LC_MESSAGES/udata.po,sha256=18Op9RUITewoDRewlOdYzzq6gjsf1lsvepACV1d7zxs,44976
 udata/translations/sr/LC_MESSAGES/udata.mo,sha256=NIYRNhVoETZUvIvWm3cCW7DtMBAnS2vXzZjMF5ZzD_c,28500
 udata/translations/sr/LC_MESSAGES/udata.po,sha256=rQB-4V4WJ7bURj6g2j653vItr5TMHadcLQxec7_fDmg,51545
-udata-9.1.5.dev31308.dist-info/LICENSE,sha256=V8j_M8nAz8PvAOZQocyRDX7keai8UJ9skgmnwqETmdY,34520
-udata-9.1.5.dev31308.dist-info/METADATA,sha256=zM6nwCbri71NX69yALYHV8N6Yq4wcQTYeVIw0JR9W50,129834
-udata-9.1.5.dev31308.dist-info/WHEEL,sha256=DZajD4pwLWue70CAfc7YaxT1wLUciNBvN_TTcvXpltE,110
-udata-9.1.5.dev31308.dist-info/entry_points.txt,sha256=3SKiqVy4HUqxf6iWspgMqH8d88Htk6KoLbG1BU-UddQ,451
-udata-9.1.5.dev31308.dist-info/top_level.txt,sha256=39OCg-VWFWOq4gCKnjKNu-s3OwFlZIu_dVH8Gl6ndHw,12
-udata-9.1.5.dev31308.dist-info/RECORD,,
+udata-9.1.5.dev31332.dist-info/LICENSE,sha256=V8j_M8nAz8PvAOZQocyRDX7keai8UJ9skgmnwqETmdY,34520
+udata-9.1.5.dev31332.dist-info/METADATA,sha256=UFo6oo3kWJCPd8d-G6ZoEj4_0QyntfwPF4r881KPI7M,129939
+udata-9.1.5.dev31332.dist-info/WHEEL,sha256=DZajD4pwLWue70CAfc7YaxT1wLUciNBvN_TTcvXpltE,110
+udata-9.1.5.dev31332.dist-info/entry_points.txt,sha256=3SKiqVy4HUqxf6iWspgMqH8d88Htk6KoLbG1BU-UddQ,451
+udata-9.1.5.dev31332.dist-info/top_level.txt,sha256=39OCg-VWFWOq4gCKnjKNu-s3OwFlZIu_dVH8Gl6ndHw,12
+udata-9.1.5.dev31332.dist-info/RECORD,,