正在显示
5 个修改的文件
包含
68 行增加
和
14 行删除
... | ... | @@ -14,7 +14,6 @@ import configure |
14 | 14 | from app.decorators.auth_decorator import auth_decorator |
15 | 15 | import time |
16 | 16 | from app.models import SM3, AESHelper |
17 | -from PIL import Image | |
18 | 17 | |
19 | 18 | |
20 | 19 | def current_user(): |
... | ... | @@ -48,14 +47,15 @@ class DataManager(BlueprintApi): |
48 | 47 | except OAuth2Error as error: |
49 | 48 | return jsonify(dict(error.get_body())) |
50 | 49 | if not user: |
51 | - #生成验证码 | |
50 | + # 生成验证码 | |
52 | 51 | |
53 | - return render_template("auth/authorize.html", user=user, grant=grant) | |
52 | + return render_template("auth/authorize.html", | |
53 | + user=user, | |
54 | + grant=grant) | |
54 | 55 | error = "" |
55 | 56 | if not user: |
56 | 57 | # 验证码校验 |
57 | - | |
58 | - | |
58 | + | |
59 | 59 | if not "username" in request.form or not request.form.get("username"): |
60 | 60 | error = "用户名不可为空" |
61 | 61 | elif not "password" in request.form or not request.form.get("password"): |
... | ... | @@ -71,13 +71,14 @@ class DataManager(BlueprintApi): |
71 | 71 | if user: |
72 | 72 | session["id"] = user.id |
73 | 73 | grant_user = user |
74 | - return authorization.create_authorization_response(grant_user=grant_user) | |
74 | + return authorization.create_authorization_response(request=request, grant_user=grant_user) | |
75 | 75 | |
76 | 76 | try: |
77 | 77 | grant = authorization.validate_consent_request(end_user=user) |
78 | 78 | except OAuth2Error as error: |
79 | 79 | return jsonify(dict(error.get_body())) |
80 | - return render_template("auth/authorize.html", user=user, grant=grant, error=error) | |
80 | + # return render_template("auth/authorize.html", user=user, grant=grant, error=error) | |
81 | + return authorization.create_authorization_response(grant_user=None) | |
81 | 82 | |
82 | 83 | @staticmethod |
83 | 84 | @bp.route("/token", methods=["POST"]) | ... | ... |
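Review bot: On the new side (line 81) a failed login now falls through to `authorization.create_authorization_response(grant_user=None)`, which Authlib treats as the resource owner denying consent, so a wrong password or the `用户名不可为空` case is redirected back to the client as an `access_denied` error while the `error` string assembled just above is never shown to the user. The previous `render_template(..., error=error)` return is only commented out; either restore it for the validation-failure path, e.g. `if error: return render_template("auth/authorize.html", user=user, grant=grant, error=error)` placed before the deny response, and reserve `grant_user=None` for an explicit deny action, or delete the commented-out line rather than leaving dead code. The `# 验证码校验` comment in the earlier hunk still has no code under it, so the login form served from the authorize endpoint currently has no captcha or rate limit, which is worth tracking before this goes live. The enclosing handler begins before this hunk.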
... | ... | @@ -40,6 +40,13 @@ class OAuth2Client(db.Model, OAuth2ClientMixin): |
40 | 40 | Integer, ForeignKey('dmap_user.id', ondelete='CASCADE')) |
41 | 41 | user = relationship('User') |
42 | 42 | |
43 | + def get_default_redirect_uri(self): | |
44 | + if self.redirect_uris: | |
45 | + return self.redirect_uris[0] | |
46 | + | |
47 | + def check_redirect_uri(self, redirect_uri): | |
48 | + return redirect_uri in self.redirect_uris | |
49 | + | |
43 | 50 | |
44 | 51 | class OAuth2AuthorizationCode(db.Model, OAuth2AuthorizationCodeMixin): |
45 | 52 | __tablename__ = 'dmap_oauth2_code' |
... | ... | @@ -57,4 +64,4 @@ class OAuth2Token(db.Model, OAuth2TokenMixin): |
57 | 64 | user_id = Column( |
58 | 65 | Integer, ForeignKey('dmap_user.id', ondelete='CASCADE')) |
59 | 66 | # name = Column(Text) |
60 | - user = relationship('User') | |
\ No newline at end of file | ||
67 | + user = relationship('User') | ... | ... |
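Review bot: `check_redirect_uri` (new line 48) is only a safe exact-match check if `self.redirect_uris` is a list; if this model stores `redirect_uris` as a `Text` column (as in the older Authlib SQLAlchemy example) rather than relying on the `OAuth2ClientMixin` property, `redirect_uri in self.redirect_uris` becomes a substring test and any prefix of a registered URI, or a URI embedded inside a longer registered one, is accepted at the authorization endpoint, which is an open-redirect / code-leak risk. The column definition sits above this hunk so I cannot confirm the type; if it is text, use `return redirect_uri in self.redirect_uris.split()` (and `self.redirect_uris.split()[0]` for the default), and in either case keep exact string comparison rather than prefix or host matching. These two methods also shadow implementations the mixin already provides, so a one-line docstring stating why they are overridden would help the next reader.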
1 | +from authlib.oauth2.rfc6749 import grants | |
1 | 2 | from os import access, remove |
2 | 3 | from time import time |
3 | 4 | from authlib.integrations.flask_oauth2 import ( |
... | ... | @@ -29,10 +30,11 @@ DUMMY_JWT_CONFIG = { |
29 | 30 | 'exp': 7200, |
30 | 31 | } |
31 | 32 | |
33 | + | |
32 | 34 | class myCodeIDToken(CodeIDToken): |
33 | 35 | def validate(self, now, leeway): |
34 | 36 | return super().validate(now=now, leeway=leeway) |
35 | - | |
37 | + | |
36 | 38 | def validate_exp(self, now, leeway): |
37 | 39 | return super().validate_exp(now, leeway) |
38 | 40 | |
... | ... | @@ -68,7 +70,34 @@ def create_authorization_code(client, grant_user, request): |
68 | 70 | return code |
69 | 71 | |
70 | 72 | |
71 | -class AuthorizationCodeGrant(_AuthorizationCodeGrant): | |
73 | +class AuthorizationCodeGrant(grants.AuthorizationCodeGrant): | |
74 | + | |
75 | + def save_authorization_code(self, code, request): | |
76 | + client = request.client | |
77 | + auth_code = OAuth2AuthorizationCode( | |
78 | + code=code, | |
79 | + client_id=client.client_id, | |
80 | + redirect_uri=request.redirect_uri, | |
81 | + scope=request.scope, | |
82 | + user_id=request.user.id, | |
83 | + ) | |
84 | + db.session.add(auth_code) | |
85 | + db.session.commit() | |
86 | + return auth_code | |
87 | + | |
88 | + def query_authorization_code(self, code, client): | |
89 | + item = OAuth2AuthorizationCode.query.filter_by( | |
90 | + code=code, client_id=client.client_id).first() | |
91 | + if item and not item.is_expired(): | |
92 | + return item | |
93 | + | |
94 | + def delete_authorization_code(self, authorization_code): | |
95 | + db.session.delete(authorization_code) | |
96 | + db.session.commit() | |
97 | + | |
98 | + def authenticate_user(self, authorization_code): | |
99 | + return User.query.get(authorization_code.user_id) | |
100 | + | |
72 | 101 | def create_authorization_code(self, client, grant_user, request): |
73 | 102 | return create_authorization_code(client, grant_user, request) |
74 | 103 | |
... | ... | @@ -120,15 +149,14 @@ class HybridGrant(_OpenIDHybridGrant): |
120 | 149 | |
121 | 150 | def generate_user_info(self, user, scope): |
122 | 151 | return generate_user_info(user, scope) |
123 | - | |
124 | -from authlib.oauth2.rfc6749 import grants | |
152 | + | |
125 | 153 | |
126 | 154 | class PasswordGrant(grants.ResourceOwnerPasswordCredentialsGrant): |
127 | 155 | def authenticate_user(self, username, password): |
128 | 156 | user = User.query.filter_by(username=username).first() |
129 | 157 | if user.check_password(password): |
130 | 158 | return user |
131 | - | |
159 | + | |
132 | 160 | TOKEN_ENDPOINT_AUTH_METHODS = [ |
133 | 161 | 'client_secret_basic', 'client_secret_post' |
134 | 162 | ] | ... | ... |
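Review bot: `save_authorization_code` (new lines 75–86) persists code, client_id, redirect_uri, scope and user_id but drops the PKCE parameters and the OIDC nonce from the authorization request; if the `CodeChallenge` extension is registered on this grant, or `OpenIDCode` given that this server issues ID tokens via `CodeIDToken`, the stored row carries no challenge to verify at the token endpoint, so a public client's `code_challenge` is silently ignored and `nonce` never reaches the ID token. Add `code_challenge=request.data.get('code_challenge'), code_challenge_method=request.data.get('code_challenge_method'), nonce=request.data.get('nonce'),` to the `OAuth2AuthorizationCode(...)` call, assuming the mixin's columns exist on the model (the model body is not in this diff). The retained `create_authorization_code` method at new lines 101–102 looks like the pre-1.0 hook that `grants.AuthorizationCodeGrant` no longer calls; confirm against the pinned Authlib version and remove it if it is dead. Separately, the unchanged `PasswordGrant.authenticate_user` below calls `user.check_password` without a `None` check, so an unknown username raises `AttributeError` instead of returning `None`.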
... | ... | @@ -24,7 +24,7 @@ entry_data_thread = 3 |
24 | 24 | scan_module = ["app.modules"] # API所在的模块 |
25 | 25 | SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/' |
26 | 26 | # 权限 |
27 | -PermissionActive = True | |
27 | +PermissionActive = False | |
28 | 28 | UserPermission = ['admin'] |
29 | 29 | MonitorPermission = ['admin'] |
30 | 30 | DataPermission = ['admin', 'dataman'] | ... | ... |
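Review bot: `PermissionActive = False` (new line 27) switches off the permission checks gated by `UserPermission`, `MonitorPermission` and `DataPermission`, and it is committed in the shared config rather than a local override, so whatever this file deploys to now runs with authorization disabled. If this is for local testing, read it from the environment and keep the committed default on, e.g. `PermissionActive = os.environ.get("PERMISSION_ACTIVE", "1") != "0"` with `import os` added at the top of the file. The unchanged `SECRET_KEY` on line 25 is the example value from the Flask documentation, so it is public knowledge and anyone can forge signed session cookies such as the `session["id"]` set by the authorize handler; it should also come from the environment or a secrets store rather than source.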
1 | 1 | 101映射域名 |
2 | 2 | dmap.apps.chinadci.com |
3 | +# 鉴权 | |
4 | +Authlib | |
5 | +## 1 授权服务器 | |
6 | +为授权、颁发令牌、刷新令牌和撤销令牌提供多个端点。当资源拥有者(用户)获得授权时,授权服务器会向客户端颁发访问令牌。 | |
7 | +### 资源拥有者:用户 | |
8 | +### 客户端:客户端是一个代表资源拥有者并在授权情况下请求受保护资源的应用 | |
9 | + * client_id是唯一标识 | |
10 | + * client_secret是密码 | |
11 | + * 客户端令牌端点认证方法 | |
12 | +### 令牌 | |
13 | +使用令牌访问用户资源,令牌发布时带有有效期,有访问范围等等。它至少包括: | |
14 | +* access_token | |
15 | +* refresh_token | |
16 | +*... | |
17 | +### 服务器 | |
18 | +authlib使用工具AuthorizationServer管理请求和响应 | |
19 | + | |
20 | + | |
3 | 21 | |
4 | 22 | # Web安全 |
5 | 23 | ## 1 接口权限控制 | ... | ... |