MeB OAuth - latest iteration

Dockerfile

@@ -85,11 +85,19 @@ FROM metabrainz-base as metabrainz-prod
 
 RUN pip install --no-cache-dir uWSGI==2.0.23
 
-COPY ./docker/prod/consul-template-uwsgi.conf /etc/
-
-COPY ./docker/prod/uwsgi.service /etc/service/uwsgi/run
-RUN chmod 755 /etc/service/uwsgi/run
-COPY ./docker/prod/uwsgi.ini /etc/uwsgi/uwsgi.ini
+COPY ./docker/web/consul-template-web.conf /etc/
+COPY ./docker/web/web.service /etc/service/web/run
+COPY ./docker/web/web.ini /etc/uwsgi/web.ini
+RUN chmod 755 /etc/service/web/run
+RUN touch /etc/service/web/down
+
+COPY ./docker/oauth/consul-template-oauth.conf /etc/
+COPY ./docker/oauth/oauth.service /etc/service/oauth/run
+COPY ./docker/oauth/oauth.ini /etc/uwsgi/oauth.ini
+RUN chmod 755 /etc/service/oauth/run
+RUN touch /etc/service/oauth/down
+
+COPY ./docker/rc.local /etc/rc.local
 
 # copy the compiled js files and static assets from image to prod
 COPY --from=metabrainz-frontend-prod /code/frontend/robots.txt /static/

admin/sql/create_foreign_keys.sql

@@ -35,29 +35,4 @@ ALTER TABLE access_log
   REFERENCES token (value) MATCH SIMPLE
   ON UPDATE NO ACTION ON DELETE NO ACTION;
 
-ALTER TABLE oauth_client
-  ADD CONSTRAINT oauth_client_supporter_fkey FOREIGN KEY (user_id)
-  REFERENCES supporter (id) MATCH SIMPLE
-  ON UPDATE CASCADE ON DELETE CASCADE;
-
-ALTER TABLE oauth_grant
-  ADD CONSTRAINT oauth_grant_oauth_client_fkey FOREIGN KEY (client_id)
-  REFERENCES oauth_client (client_id) MATCH SIMPLE
-  ON UPDATE CASCADE ON DELETE CASCADE;
-
-ALTER TABLE oauth_grant
-  ADD CONSTRAINT oauth_grant_supporter_fkey FOREIGN KEY (user_id)
-  REFERENCES supporter (id) MATCH SIMPLE
-  ON UPDATE CASCADE ON DELETE CASCADE;
-
-ALTER TABLE oauth_token
-  ADD CONSTRAINT oauth_token_oauth_client_fkey FOREIGN KEY (client_id)
-  REFERENCES oauth_client (client_id) MATCH SIMPLE
-  ON UPDATE CASCADE ON DELETE CASCADE;
-
-ALTER TABLE oauth_token
-  ADD CONSTRAINT oauth_token_supporter_fkey FOREIGN KEY (user_id)
-  REFERENCES supporter (id) MATCH SIMPLE
-  ON UPDATE CASCADE ON DELETE CASCADE;
-
 COMMIT;

admin/sql/create_primary_keys.sql

@@ -6,9 +6,6 @@ ALTER TABLE token ADD CONSTRAINT token_pkey PRIMARY KEY (value);
 ALTER TABLE token_log ADD CONSTRAINT token_log_pkey PRIMARY KEY (token_value, "timestamp", action);
 ALTER TABLE access_log ADD CONSTRAINT access_log_pkey PRIMARY KEY (token, "timestamp");
 ALTER TABLE payment ADD CONSTRAINT payment_pkey PRIMARY KEY (id);
-ALTER TABLE oauth_client ADD CONSTRAINT oauth_client_pkey PRIMARY KEY (client_id);
-ALTER TABLE oauth_grant ADD CONSTRAINT oauth_grant_pkey PRIMARY KEY (id);
-ALTER TABLE oauth_token ADD CONSTRAINT oauth_token_pkey PRIMARY KEY (id);
 ALTER TABLE dataset ADD CONSTRAINT dataset_pkey PRIMARY KEY (id);
 ALTER TABLE dataset_supporter ADD CONSTRAINT dataset_supporter_pkey PRIMARY KEY (id);
 

admin/sql/create_tables.sql

@@ -20,7 +20,7 @@ CREATE TABLE dataset (
 CREATE TABLE supporter (
   id               SERIAL            NOT NULL, -- PK
   is_commercial    BOOLEAN           NOT NULL,
-  musicbrainz_id   CHARACTER VARYING UNIQUE,
+  musicbrainz_id CHARACTER VARYING UNIQUE,
   musicbrainz_row_id INTEGER UNIQUE,
   created          TIMESTAMP WITH TIME ZONE,
   state            state_types       NOT NULL,
@@ -96,34 +96,4 @@ CREATE TABLE payment (
   invoice_number   INTEGER
 );
 
-CREATE TABLE oauth_client (
-  client_id     CHARACTER VARYING, -- PK
-  client_secret CHARACTER VARYING NOT NULL,
-  redirect_uri  CHARACTER VARYING NOT NULL,
-  user_id       INTEGER           NOT NULL, -- FK, user
-  name          CHARACTER VARYING NOT NULL,
-  description   CHARACTER VARYING NOT NULL,
-  website       CHARACTER VARYING NOT NULL
-);
-
-CREATE TABLE oauth_grant (
-  id           SERIAL                   NOT NULL, -- PK
-  client_id    CHARACTER VARYING        NOT NULL, -- FK, oauth_client
-  user_id      INTEGER                  NOT NULL, -- FK, user
-  redirect_uri CHARACTER VARYING        NOT NULL,
-  code         CHARACTER VARYING        NOT NULL,
-  expires      TIMESTAMP WITH TIME ZONE NOT NULL,
-  scopes       CHARACTER VARYING
-);
-
-CREATE TABLE oauth_token (
-  id            SERIAL                   NOT NULL, -- PK
-  client_id     CHARACTER VARYING        NOT NULL, -- FK, oauth_client
-  access_token  CHARACTER VARYING        NOT NULL,
-  user_id       INT                      NOT NULL, -- FK, user
-  refresh_token CHARACTER VARYING        NOT NULL,
-  expires       TIMESTAMP WITH TIME ZONE NOT NULL,
-  scopes        CHARACTER VARYING
-);
-
 COMMIT;

admin/sql/oauth/create_tables.sql

@@ -0,0 +1,109 @@
+CREATE schema oauth;
+
+CREATE TABLE oauth.scope (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        name TEXT NOT NULL,
+        description TEXT NOT NULL,
+        UNIQUE (name),
+        PRIMARY KEY (id)
+);
+
+INSERT INTO oauth.scope (name, description)
+     VALUES ('profile', 'View your public account information')
+          , ('tag', 'View and modify your private tags')
+          , ('rating', 'View and modify your private ratings');
+
+CREATE TABLE oauth.client (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        client_id TEXT NOT NULL,
+        client_secret TEXT,
+        owner_id INTEGER NOT NULL,
+        name TEXT NOT NULL,
+        description TEXT NOT NULL,
+        website TEXT,
+        redirect_uris TEXT[] NOT NULL,
+        client_id_issued_at TIMESTAMP WITH TIME ZONE NOT NULL,
+        PRIMARY KEY (id)
+-- no FK for now as user data lives in MB db
+--         FOREIGN KEY(owner_id) REFERENCES "user" (id) ON DELETE CASCADE
+);
+
+CREATE TABLE oauth.code (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        user_id INTEGER NOT NULL,
+        client_id INTEGER NOT NULL,
+        code TEXT NOT NULL,
+        redirect_uri TEXT NOT NULL,
+        code_challenge TEXT,
+        code_challenge_method TEXT,
+        issued_at TIMESTAMP WITH TIME ZONE NOT NULL,
+        expires_in INTEGER,
+        revoked BOOLEAN,
+        PRIMARY KEY (id),
+-- no FK for now as user data lives in MB db
+--         FOREIGN KEY(user_id) REFERENCES "user" (id) ON DELETE CASCADE,
+        FOREIGN KEY(client_id) REFERENCES oauth.client (id) ON DELETE CASCADE,
+        UNIQUE (code)
+);
+
+CREATE TABLE oauth.access_token (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        user_id INTEGER NOT NULL,
+        client_id INTEGER NOT NULL,
+        authorization_code_id INTEGER,
+        access_token TEXT NOT NULL,
+        issued_at TIMESTAMP WITH TIME ZONE,
+        expires_in INTEGER,
+        revoked BOOLEAN,
+        PRIMARY KEY (id),
+-- no FK for now as user data lives in MB db
+--         FOREIGN KEY(user_id) REFERENCES "user" (id) ON DELETE CASCADE,
+        FOREIGN KEY (client_id) REFERENCES oauth.client (id) ON DELETE CASCADE,
+        FOREIGN KEY (authorization_code_id) REFERENCES oauth.code (id) ON DELETE CASCADE,
+        UNIQUE (access_token)
+);
+
+CREATE TABLE oauth.refresh_token (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        user_id INTEGER NOT NULL,
+        client_id INTEGER NOT NULL,
+        authorization_code_id INTEGER,
+        refresh_token TEXT NOT NULL,
+        issued_at TIMESTAMP WITH TIME ZONE,
+        expires_in INTEGER,
+        revoked BOOLEAN,
+        PRIMARY KEY (id),
+-- no FK for now as user data lives in MB db
+--         FOREIGN KEY(user_id) REFERENCES "user" (id) ON DELETE CASCADE,
+        FOREIGN KEY (client_id) REFERENCES oauth.client (id) ON DELETE CASCADE,
+        FOREIGN KEY (authorization_code_id) REFERENCES oauth.code (id) ON DELETE CASCADE,
+        UNIQUE (refresh_token)
+);
+
+CREATE TABLE oauth.l_access_token_scope (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        access_token_id INTEGER NOT NULL,
+        scope_id INTEGER NOT NULL,
+        PRIMARY KEY (id),
+        FOREIGN KEY(access_token_id) REFERENCES oauth.access_token (id) ON DELETE CASCADE,
+        FOREIGN KEY(scope_id) REFERENCES oauth.scope (id) ON DELETE CASCADE
+);
+
+CREATE TABLE oauth.l_refresh_token_scope (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        refresh_token_id INTEGER NOT NULL,
+        scope_id INTEGER NOT NULL,
+        PRIMARY KEY (id),
+        FOREIGN KEY(refresh_token_id) REFERENCES oauth.refresh_token (id) ON DELETE CASCADE,
+        FOREIGN KEY(scope_id) REFERENCES oauth.scope (id) ON DELETE CASCADE
+);
+
+
+CREATE TABLE oauth.l_code_scope (
+        id INTEGER GENERATED BY DEFAULT AS IDENTITY,
+        code_id INTEGER NOT NULL,
+        scope_id INTEGER NOT NULL,
+        PRIMARY KEY (id),
+        FOREIGN KEY(code_id) REFERENCES oauth.code (id) ON DELETE CASCADE,
+        FOREIGN KEY(scope_id) REFERENCES oauth.scope (id) ON DELETE CASCADE
+);

config.py.example

@@ -1,16 +1,15 @@
-# -*- coding: utf-8 -*-
 # CUSTOM CONFIGURATION
 
 DEBUG = True  # set to False in production mode
 
 SECRET_KEY = "CHANGE_THIS"
 
 # DATABASE
-SQLALCHEMY_DATABASE_URI = "postgresql://metabrainz:metabrainz@db:5432/metabrainz"
+SQLALCHEMY_DATABASE_URI = "postgresql://metabrainz:metabrainz@meb_db:5432/metabrainz"
 SQLALCHEMY_MUSICBRAINZ_URI = ""
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 
-POSTGRES_ADMIN_URI = "postgresql://postgres:postgres@db/postgres"
+POSTGRES_ADMIN_URI = "postgresql://postgres:postgres@meb_db/postgres"
 
 # DATABASES
 
@@ -48,8 +47,10 @@ STRIPE_KEYS = {
 }
 
 # if developing payment integration locally, change this to your localhost url
-SERVER_BASE_URL = "https://metabrainz.org"
+SERVER_BASE_URL = "http://localhost:8000"
+SERVER_NAME = "localhost:8000"
 
+MUSICBRAINZ_SERVER = "https://beta.musicbrainz.org"
 
 # REDIS
 REDIS = {
@@ -113,3 +114,12 @@ NOTIFICATION_RECIPIENTS = [
 #PREFERRED_URL_SCHEME = "https"
 #USE_COMPILED_STYLING = True
 USE_NGINX_X_ACCEL = False
+
+OAUTH2_BLUEPRINT_PREFIX = "/oauth2"
+OAUTH2_ACCESS_TOKEN_GENERATOR = "oauth.generator.create_access_token"
+OAUTH2_REFRESH_TOKEN_GENERATOR = "oauth.generator.create_refresh_token"
+OAUTH2_TOKEN_EXPIRES_IN = {
+    "authorization_code": 3600,
+    "implicit": 3600,
+}
+OAUTH2_AUTHORIZATION_CODE_EXPIRES_IN = 600

consul_config.py.ctmpl

@@ -87,6 +87,21 @@ MAIL_FROM_DOMAIN = '''{{template "KEY" "mail_from_domain"}}'''
 PREFERRED_URL_SCHEME = '''{{template "KEY" "preferred_url_scheme"}}'''
 
 SERVER_BASE_URL = f"{PREFERRED_URL_SCHEME}://{MAIL_FROM_DOMAIN}"
+SERVER_NAME = None
+
+{{if service "pgbouncer-slave"}}
+{{with index (service "pgbouncer-slave") 0}}
+MB_DATABASE_URI = "postgresql://musicbrainz_ro@{{.Address}}:{{.Port}}/musicbrainz_db"
+{{end}}
+{{else}}
+MB_DATABASE_URI = ""
+{{end}}
+
+SQLALCHEMY_BINDS = {
+   "musicbrainz": MB_DATABASE_URI
+}
+
+MUSICBRAINZ_SERVER = '''{{template "KEY" "musicbrainz/oauth_server_url"}}'''
 
 # List of email addresses
 NOTIFICATION_RECIPIENTS = [
@@ -108,3 +123,12 @@ JSON_DUMPS_DIR = "/data/json_dumps"
 USE_COMPILED_STYLING = True
 
 DEBUG_TB_INTERCEPT_REDIRECTS = False
+
+OAUTH2_BLUEPRINT_PREFIX = "/new-oauth2"
+OAUTH2_ACCESS_TOKEN_GENERATOR = "oauth.generator.create_access_token"
+OAUTH2_REFRESH_TOKEN_GENERATOR = "oauth.generator.create_refresh_token"
+OAUTH2_TOKEN_EXPIRES_IN = {
+    "authorization_code": 3600,
+    "implicit": 3600,
+}
+OAUTH2_AUTHORIZATION_CODE_EXPIRES_IN = 600

develop.sh

@@ -22,7 +22,7 @@ function invoke_docker_compose {
 }
 
 function invoke_manage {
-    invoke_docker_compose run --rm web \
+    invoke_docker_compose run --rm meb_web \
         python3 manage.py \
         "$@"
 }

docker/docker-compose.dev.yml

@@ -1,6 +1,4 @@
 # Docker Compose file for development
-version: "3.8"
-
 volumes:
   db:
 
@@ -11,26 +9,46 @@ services:
       context: ..
       dockerfile: Dockerfile
       target: metabrainz-dev
-    command: python manage.py runserver -h 0.0.0.0 -p 80
+    command: python manage.py runserver -h 0.0.0.0 -p 8000
     volumes:
       - ../data/replication_packets:/data/replication_packets
       - ../data/json_dumps:/data/json_dumps
       - ..:/code/metabrainz
       - ../frontend:/static
+    depends_on:
+      - meb_db
+      - redis
+    expose:
+      - "8000"
     ports:
-      - "8000:80"
+      - "8000:8000"
+
+  oauth:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+      target: metabrainz-dev
+    command: flask run --debug -h 0.0.0.0 -p 8150
+    environment:
+      FLASK_APP: "oauth:create_app()"
+      AUTHLIB_INSECURE_TRANSPORT: 1
+    volumes:
+      - ..:/code/metabrainz
+      - ../frontend:/static
     depends_on:
-      - db
+      - meb_db
       - redis
+    ports:
+      - "8150:8150"
+    expose:
+      - "8150"
 
-  db:
+  meb_db:
     image: postgres:12.3
     volumes:
       - db:/var/lib/postgresql/data:z
     environment:
       POSTGRES_PASSWORD: postgres
-    ports:
-      - "15432:5432"
 
   redis:
     image: redis:3.2.1

docker/docker-compose.test.yml

@@ -1,6 +1,3 @@
-# Docker Compose file for testing
-version: "3.8"
-
 services:
 
   web:
@@ -11,10 +8,12 @@ services:
     volumes:
       - ..:/code/metabrainz
     depends_on:
-      - db
+      - meb_db
       - redis
+    environment:
+      AUTHLIB_INSECURE_TRANSPORT: 1
 
-  db:
+  meb_db:
     image: postgres:12.3
     environment:
       POSTGRES_PASSWORD: postgres

docker/prod/consul-template-uwsgi.conf → docker/oauth/consul-template-oauth.conf

@@ -4,7 +4,7 @@ template {
 }
 
 exec {
-    command = ["uwsgi", "/etc/uwsgi/uwsgi.ini"]
+    command = ["uwsgi", "/etc/uwsgi/oauth.ini"]
     splay = "5s"
     reload_signal = "SIGHUP"
     kill_signal = "SIGTERM"