Add support for setting and returning account_id (#828)
* Add support for setting and returning account_id

* fix get_user_session_from_login_token
hellais authored Mar 21, 2024
1 parent e486936 commit 6258173
Showing 5 changed files with 25 additions and 1 deletion.
1 change: 1 addition & 0 deletions ooniapi/common/src/common/config.py
Expand Up @@ -15,6 +15,7 @@ class Settings(BaseSettings):
statsd_prefix: str = "ooniapi"
jwt_encryption_key: str = "CHANGEME"
prometheus_metrics_password: str = "CHANGEME"
account_id_hashing_key: str = "CHANGEME"
session_expiry_days: int = 10
login_expiry_days: int = 10

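Review bot: `account_id_hashing_key` on the added line reuses the `"CHANGEME"` sentinel and nothing on the page rejects that value at startup; `hash_email_address` in utils.py keys BLAKE2b with it, so a deployment that leaves the default in place produces account_ids that anyone who knows an email address can recompute, and the pseudonymisation protects nothing. A comment would at least state the requirement to operators: `# Secret used to derive account_id from the email address; must be set per deployment and kept stable, since rotating it changes every user's account_id`. If the settings layer supports field validators, rejecting the sentinel at startup would be stronger — the Settings class continues outside the hunk, so I cannot tell whether the other "CHANGEME" fields are already checked that way.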
2 changes: 2 additions & 0 deletions ooniapi/services/ooniauth/src/ooniauth/routers/v1.py
Expand Up @@ -138,6 +138,7 @@ async def user_login(

token = create_session_token(
key=settings.jwt_encryption_key,
hashing_key=settings.account_id_hashing_key,
email_address=email_address,
role=role,
session_expiry_days=settings.session_expiry_days,
Expand Down Expand Up @@ -173,6 +174,7 @@ async def user_refresh_token(

newtoken = create_session_token(
key=settings.jwt_encryption_key,
hashing_key=settings.account_id_hashing_key,
email_address=tok["email_address"],
role=tok["role"],
session_expiry_days=settings.session_expiry_days,
13 changes: 12 additions & 1 deletion ooniapi/services/ooniauth/src/ooniauth/routers/v2.py
Expand Up @@ -15,6 +15,7 @@
from ..utils import (
create_session_token,
get_account_role,
hash_email_address,
send_login_email,
format_login_url,
VALID_REDIRECT_TO_FQDN,
Expand Down Expand Up @@ -105,6 +106,7 @@ class UserSession(BaseModel):
session_token: str
redirect_to: str
email_address: str
account_id: str
role: str
login_time: Optional[datetime]
is_logged_in: bool = False
Expand All @@ -120,6 +122,7 @@ def maybe_get_user_session_from_header(
return None

email_address = token["email_address"]
account_id = token["account_id"]
role = get_account_role(admin_emails=admin_emails, email_address=email_address)
login_time = datetime.fromtimestamp(token["login_time"])
redirect_to = ""
Expand All @@ -128,14 +131,15 @@ def maybe_get_user_session_from_header(
session_token="",
redirect_to=redirect_to,
email_address=email_address,
account_id=account_id,
role=role,
login_time=login_time,
is_logged_in=True,
)


def get_user_session_from_login_token(
login_token: str, jwt_encryption_key: str, admin_emails: List[str]
login_token: str, jwt_encryption_key: str, hashing_key: str, admin_emails: List[str]
) -> UserSession:
try:
d = decode_jwt(
Expand All @@ -144,9 +148,13 @@ def get_user_session_from_login_token(
audience="register",
)
email_address = d["email_address"]
account_id = hash_email_address(
email_address=d["email_address"], key=hashing_key
)
role = get_account_role(admin_emails=admin_emails, email_address=email_address)
return UserSession(
session_token="",
account_id=account_id,
redirect_to=d["redirect_to"],
email_address=d["email_address"],
role=role,
Expand Down Expand Up @@ -180,6 +188,7 @@ async def create_user_session(
login_token=req.login_token,
admin_emails=settings.admin_emails,
jwt_encryption_key=settings.jwt_encryption_key,
hashing_key=settings.account_id_hashing_key,
)
else:
user_session = maybe_get_user_session_from_header(
Expand All @@ -194,6 +203,7 @@ async def create_user_session(
assert user_session.login_time
user_session.session_token = create_session_token(
key=settings.jwt_encryption_key,
hashing_key=settings.account_id_hashing_key,
role=user_session.role,
session_expiry_days=settings.session_expiry_days,
login_expiry_days=settings.login_expiry_days,
Expand All @@ -219,6 +229,7 @@ async def get_user_session(
session_token="",
redirect_to="",
email_address="",
account_id="",
role="",
login_time=None,
is_logged_in=False,
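Review bot: `account_id = token["account_id"]` in maybe_get_user_session_from_header (hunk at -120) raises KeyError for any session token issued before this change, because those payloads carry no `account_id` claim; with `session_expiry_days` of 10 in config.py such tokens stay valid for days after deployment, and the exception presumably surfaces as a server error instead of the `return None` the function already uses two lines earlier for unusable tokens. Either treat the missing claim like an invalid token — `if "account_id" not in token:` / `    return None` — so the client simply re-authenticates, or pass `hashing_key` into this function and recompute with `hash_email_address(email_address=email_address, key=hashing_key)` as get_user_session_from_login_token does in the next hunk. maybe_get_user_session_from_header starts outside the hunk.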
8 changes: 8 additions & 0 deletions ooniapi/services/ooniauth/src/ooniauth/utils.py
@@ -1,3 +1,4 @@
import hashlib
import time
from typing import List, Optional
from textwrap import dedent
Expand All @@ -17,6 +18,11 @@
)


def hash_email_address(email_address: str, key: str) -> str:
em = email_address.encode()
return hashlib.blake2b(em, key=key.encode("utf-8"), digest_size=16).hexdigest()


def format_login_url(redirect_to: str, registration_token: str) -> str:
login_fqdm = urlparse(redirect_to).netloc
e = urlencode(dict(token=registration_token))
Expand All @@ -25,6 +31,7 @@ def format_login_url(redirect_to: str, registration_token: str) -> str:

def create_session_token(
key: str,
hashing_key: str,
email_address: str,
role: str,
session_expiry_days: int,
Expand All @@ -44,6 +51,7 @@ def create_session_token(
"aud": "user_auth",
"login_time": login_time,
"role": role,
"account_id": hash_email_address(email_address, hashing_key),
"email_address": email_address,
}
return create_jwt(payload=payload, key=key)
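Review bot: `hash_email_address` has no docstring, and its contract matters to every caller on this page: the result is a keyed BLAKE2b digest of the exact bytes of `email_address`, so two spellings of one address (case, surrounding whitespace) yield different account_ids unless the caller normalises first, and `hashlib.blake2b` raises ValueError for a key longer than 64 bytes. I would add a docstring stating that it returns a stable 32-character hex pseudonym for the address under `key`, that the value is only as confidential as `key`, that `key` must be at most 64 bytes, and that normalisation of the address is the caller's responsibility. Whether the login path already lower-cases addresses is not visible here, so the normalisation point is a question to confirm rather than a defect. `email_address.encode()` also relies on the default encoding while the key is encoded with an explicit `"utf-8"`; `email_address.encode("utf-8")` keeps the two symmetric.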
2 changes: 2 additions & 0 deletions ooniapi/services/ooniauth/tests/test_auth_v2.py
Expand Up @@ -187,6 +187,8 @@ def test_admin_register_and_get_metadata(
j = client.get("/api/v2/ooniauth/user-session", headers=h).json()
assert j["role"] == "admin"
assert j["is_logged_in"] == True
assert j["email_address"] == admin_email
assert len(j["account_id"]) > 1


def test_user_register_timetravel(
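Review bot: `assert len(j["account_id"]) > 1` pins almost nothing about the new field; since `hash_email_address` uses `digest_size=16` and `hexdigest()`, the value is always 32 lowercase hex characters, so `assert len(j["account_id"]) == 32` would catch an empty or wrongly derived id, and comparing it with `hash_email_address(admin_email, key)` using the key the test settings fixture supplies (if the fixture exposes it) would pin the derivation itself. The enclosing test starts outside the hunk, so how settings are wired into the client is not visible here.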
