zcash-grant-system/backend/grant/utils/auth.py

import ast
import json
from functools import wraps

import requests
from flask import request, g, jsonify
from itsdangerous import SignatureExpired, BadSignature
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
import sentry_sdk

from grant.settings import SECRET_KEY, AUTH_URL
from ..proposal.models import Proposal
from ..user.models import User

TWO_WEEKS = 1209600


def generate_token(user, expiration=TWO_WEEKS):
    s = Serializer(SECRET_KEY, expires_in=expiration)
    token = s.dumps({
        'id': user.id,
        'email': user.email,
    }).decode('utf-8')
    return token


def verify_token(token):
    s = Serializer(SECRET_KEY)
    try:
        data = s.loads(token)
    except (BadSignature, SignatureExpired):
        return None
    return data


# Custom exception for bad auth
class BadSignatureException(Exception):
    pass


def verify_signed_auth(signature, typed_data):
    loaded_typed_data = ast.literal_eval(typed_data)
    if loaded_typed_data['domain']['name'] != 'Grant.io':
        raise BadSignatureException("Signature is not for Grant.io")

    url = AUTH_URL + "/message/recover"
    payload = json.dumps({"sig": signature, "data": loaded_typed_data})
    headers = {'content-type': 'application/json'}
    response = requests.request("POST", url, data=payload, headers=headers)
    json_response = response.json()
    recovered_address = json_response.get('recoveredAddress')
    if not recovered_address:
        raise BadSignatureException("Authorization signature is invalid")

    return recovered_address


# Decorator that requires you to have EIP-712 message signature headers for auth
def requires_sm(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        signature = request.headers.get('MsgSignature', None)
        typed_data = request.headers.get('RawTypedData', None)

        if typed_data and signature:
            try:
                auth_address = verify_signed_auth(signature, typed_data)
            except BadSignatureException:
                return jsonify(message="Invalid auth message signature"), 401

            user = User.get_by_identifier(account_address=auth_address)
            if not user:
                return jsonify(message="No user exists with address: {}".format(auth_address)), 401

            g.current_user = user
            with sentry_sdk.configure_scope() as scope:
                scope.user = {
                    "id": user.id,
                }
            return f(*args, **kwargs)

        return jsonify(message="Authentication is required to access this resource"), 401

    return decorated

# Decorator that requires you to be the user you're interacting with
def requires_same_user_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        user_identity = kwargs["user_identity"]
        if not user_identity:
            return jsonify(message="Decorator requires_same_user_auth requires path variable <user_identity>"), 500

        user = User.get_by_identifier(account_address=user_identity, email_address=user_identity)
        if user.id != g.current_user.id:
            return jsonify(message="You are not authorized to modify this user"), 403

        return f(*args, **kwargs)

    return requires_sm(decorated)


# Decorator that requires you to be a team member of a proposal to access
def requires_team_member_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        proposal_id = kwargs["proposal_id"]
        if not proposal_id:
            return jsonify(message="Decorator requires_team_member_auth requires path variable <proposal_id>"), 500

        proposal = Proposal.query.filter_by(id=proposal_id).first()
        if not proposal:
            return jsonify(message="No proposal exists with id: {}".format(proposal_id)), 404

        if not g.current_user in proposal.team:
            return jsonify(message="You are not authorized to modify this proposal"), 403

        g.current_proposal = proposal
        return f(*args, **kwargs)

    return requires_sm(decorated)
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`import ast`
			`import json`
initial commit 2018-09-10 09:55:26 -07:00			`from functools import wraps`

EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`import requests`
initial commit 2018-09-10 09:55:26 -07:00			`from flask import request, g, jsonify`
			`from itsdangerous import SignatureExpired, BadSignature`
			`from itsdangerous import TimedJSONWebSignatureSerializer as Serializer`
Sentry Integration (#221) * BE sentry setup w/ user scope * FE sentry integration + user scope * FE env adjustments * FE: use NODE_ENV for Sentry * BE: use FLASK_ENV for Sentry * BE: remove email, acct & ip from Sentry user scope * comment .env.example SENTRY* for CI * fix merge artifact 2018-11-21 21:45:29 -08:00			`import sentry_sdk`
initial commit 2018-09-10 09:55:26 -07:00
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`from grant.settings import SECRET_KEY, AUTH_URL`
Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`from ..proposal.models import Proposal`
Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00			`from ..user.models import User`
initial commit 2018-09-10 09:55:26 -07:00
			`TWO_WEEKS = 1209600`


			`def generate_token(user, expiration=TWO_WEEKS):`
			`s = Serializer(SECRET_KEY, expires_in=expiration)`
			`token = s.dumps({`
			`'id': user.id,`
			`'email': user.email,`
			`}).decode('utf-8')`
			`return token`


			`def verify_token(token):`
			`s = Serializer(SECRET_KEY)`
			`try:`
			`data = s.loads(token)`
			`except (BadSignature, SignatureExpired):`
			`return None`
			`return data`


EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`# Custom exception for bad auth`
			`class BadSignatureException(Exception):`
			`pass`

Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00
EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`def verify_signed_auth(signature, typed_data):`
			`loaded_typed_data = ast.literal_eval(typed_data)`
Properly signing, creating, fetching comments. Fix incorrect types. Setup scaffolding for replies. 2018-11-08 10:29:29 -08:00			`if loaded_typed_data['domain']['name'] != 'Grant.io':`
			`raise BadSignatureException("Signature is not for Grant.io")`

EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`url = AUTH_URL + "/message/recover"`
			`payload = json.dumps({"sig": signature, "data": loaded_typed_data})`
			`headers = {'content-type': 'application/json'}`
			`response = requests.request("POST", url, data=payload, headers=headers)`
			`json_response = response.json()`
			`recovered_address = json_response.get('recoveredAddress')`
			`if not recovered_address:`
			`raise BadSignatureException("Authorization signature is invalid")`

			`return recovered_address`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00

Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`# Decorator that requires you to have EIP-712 message signature headers for auth`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`def requires_sm(f):`
			`@wraps(f)`
			`def decorated(args, *kwargs):`
			`signature = request.headers.get('MsgSignature', None)`
EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`typed_data = request.headers.get('RawTypedData', None)`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00
			`if typed_data and signature:`
EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`try:`
			`auth_address = verify_signed_auth(signature, typed_data)`
			`except BadSignatureException:`
			`return jsonify(message="Invalid auth message signature"), 401`

Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`user = User.get_by_identifier(account_address=auth_address)`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`if not user:`
EIP-712 signatures for login & signup (#189) * Signup requires valid EIP-712 signature. Refactor some auth reducer nomenclature for consistency. * Add auth endpoint for logging in that checks for valid signature, like create user. * Fix tests, move dummy data into test_data.py. * No strict slashes. 2018-11-07 11:08:42 -08:00			`return jsonify(message="No user exists with address: {}".format(auth_address)), 401`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00
			`g.current_user = user`
Sentry Integration (#221) * BE sentry setup w/ user scope * FE sentry integration + user scope * FE env adjustments * FE: use NODE_ENV for Sentry * BE: use FLASK_ENV for Sentry * BE: remove email, acct & ip from Sentry user scope * comment .env.example SENTRY* for CI * fix merge artifact 2018-11-21 21:45:29 -08:00			`with sentry_sdk.configure_scope() as scope:`
			`scope.user = {`
			`"id": user.id,`
			`}`
EIP-712 User Authorization (#138) * example auth service * prep for merge * MVP signed transaction based auth * update auth service endpoint and delete checked-in auth service * add readme explanation for AUTH_URL * rename eip-712 headers * fix test errors 2018-10-19 22:18:27 -07:00			`return f(args, *kwargs)`

			`return jsonify(message="Authentication is required to access this resource"), 401`

			`return decorated`
Add auth to endpoints. 2018-11-07 11:19:12 -08:00
			`# Decorator that requires you to be the user you're interacting with`
			`def requires_same_user_auth(f):`
			`@wraps(f)`
			`def decorated(args, *kwargs):`
			`user_identity = kwargs["user_identity"]`
			`if not user_identity:`
			`return jsonify(message="Decorator requires_same_user_auth requires path variable <user_identity>"), 500`

			`user = User.get_by_identifier(account_address=user_identity, email_address=user_identity)`
Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00			`if user.id != g.current_user.id:`
Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`return jsonify(message="You are not authorized to modify this user"), 403`
Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00
Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`return f(args, *kwargs)`
Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00
Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`return requires_sm(decorated)`

Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00
Add auth to endpoints. 2018-11-07 11:19:12 -08:00			`# Decorator that requires you to be a team member of a proposal to access`
			`def requires_team_member_auth(f):`
			`@wraps(f)`
			`def decorated(args, *kwargs):`
			`proposal_id = kwargs["proposal_id"]`
			`if not proposal_id:`
			`return jsonify(message="Decorator requires_team_member_auth requires path variable <proposal_id>"), 500`

			`proposal = Proposal.query.filter_by(id=proposal_id).first()`
			`if not proposal:`
			`return jsonify(message="No proposal exists with id: {}".format(proposal_id)), 404`

			`if not g.current_user in proposal.team:`
			`return jsonify(message="You are not authorized to modify this proposal"), 403`

			`g.current_proposal = proposal`
			`return f(args, *kwargs)`
Auth Endpoints Tests (#203) Auth Endpoints Tests 2018-11-13 05:58:02 -08:00
			`return requires_sm(decorated)`