-
-
Notifications
You must be signed in to change notification settings - Fork 41
/
gotrue_client.py
981 lines (910 loc) · 34.7 KB
/
gotrue_client.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
from __future__ import annotations
from contextlib import suppress
from functools import partial
from json import loads
from time import time
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import parse_qs, urlencode, urlparse
from uuid import uuid4
from ..constants import (
DEFAULT_HEADERS,
EXPIRY_MARGIN,
GOTRUE_URL,
MAX_RETRIES,
RETRY_INTERVAL,
STORAGE_KEY,
)
from ..errors import (
AuthApiError,
AuthImplicitGrantRedirectError,
AuthInvalidCredentialsError,
AuthRetryableError,
AuthSessionMissingError,
)
from ..helpers import (
decode_jwt_payload,
generate_pkce_challenge,
generate_pkce_verifier,
model_dump,
model_dump_json,
model_validate,
parse_auth_otp_response,
parse_auth_response,
parse_sso_response,
parse_user_response,
)
from ..http_clients import SyncClient
from ..timer import Timer
from ..types import (
AuthChangeEvent,
AuthenticatorAssuranceLevels,
AuthFlowType,
AuthMFAChallengeResponse,
AuthMFAEnrollResponse,
AuthMFAGetAuthenticatorAssuranceLevelResponse,
AuthMFAListFactorsResponse,
AuthMFAUnenrollResponse,
AuthMFAVerifyResponse,
AuthOtpResponse,
AuthResponse,
CodeExchangeParams,
DecodedJWTDict,
IdentitiesResponse,
MFAChallengeAndVerifyParams,
MFAChallengeParams,
MFAEnrollParams,
MFAUnenrollParams,
MFAVerifyParams,
OAuthResponse,
Options,
Provider,
Session,
SignInWithOAuthCredentials,
SignInWithPasswordCredentials,
SignInWithPasswordlessCredentials,
SignOutOptions,
SignUpWithPasswordCredentials,
Subscription,
UserAttributes,
UserResponse,
VerifyOtpParams,
)
from .gotrue_admin_api import SyncGoTrueAdminAPI
from .gotrue_base_api import SyncGoTrueBaseAPI
from .gotrue_mfa_api import SyncGoTrueMFAAPI
from .storage import SyncMemoryStorage, SyncSupportedStorage
class SyncGoTrueClient(SyncGoTrueBaseAPI):
def __init__(
self,
*,
url: Union[str, None] = None,
headers: Union[Dict[str, str], None] = None,
storage_key: Union[str, None] = None,
auto_refresh_token: bool = True,
persist_session: bool = True,
storage: Union[SyncSupportedStorage, None] = None,
http_client: Union[SyncClient, None] = None,
flow_type: AuthFlowType = "implicit",
) -> None:
SyncGoTrueBaseAPI.__init__(
self,
url=url or GOTRUE_URL,
headers=headers or DEFAULT_HEADERS,
http_client=http_client,
)
self._storage_key = storage_key or STORAGE_KEY
self._auto_refresh_token = auto_refresh_token
self._persist_session = persist_session
self._storage = storage or SyncMemoryStorage()
self._in_memory_session: Union[Session, None] = None
self._refresh_token_timer: Union[Timer, None] = None
self._network_retries = 0
self._state_change_emitters: Dict[str, Subscription] = {}
self._flow_type = flow_type
self.admin = SyncGoTrueAdminAPI(
url=self._url,
headers=self._headers,
http_client=self._http_client,
)
self.mfa = SyncGoTrueMFAAPI()
self.mfa.challenge = self._challenge
self.mfa.challenge_and_verify = self._challenge_and_verify
self.mfa.enroll = self._enroll
self.mfa.get_authenticator_assurance_level = (
self._get_authenticator_assurance_level
)
self.mfa.list_factors = self._list_factors
self.mfa.unenroll = self._unenroll
self.mfa.verify = self._verify
# Initializations
def initialize(self, *, url: Union[str, None] = None) -> None:
if url and self._is_implicit_grant_flow(url):
self.initialize_from_url(url)
else:
self.initialize_from_storage()
def initialize_from_storage(self) -> None:
return self._recover_and_refresh()
def initialize_from_url(self, url: str) -> None:
try:
if self._is_implicit_grant_flow(url):
session, redirect_type = self._get_session_from_url(url)
self._save_session(session)
self._notify_all_subscribers("SIGNED_IN", session)
if redirect_type == "recovery":
self._notify_all_subscribers("PASSWORD_RECOVERY", session)
except Exception as e:
self._remove_session()
raise e
# Public methods
def sign_up(
self,
credentials: SignUpWithPasswordCredentials,
) -> AuthResponse:
"""
Creates a new user.
"""
self._remove_session()
email = credentials.get("email")
phone = credentials.get("phone")
password = credentials.get("password")
options = credentials.get("options", {})
redirect_to = options.get("redirect_to")
data = options.get("data") or {}
captcha_token = options.get("captcha_token")
if email:
response = self._request(
"POST",
"signup",
body={
"email": email,
"password": password,
"data": data,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
redirect_to=redirect_to,
xform=parse_auth_response,
)
elif phone:
response = self._request(
"POST",
"signup",
body={
"phone": phone,
"password": password,
"data": data,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
xform=parse_auth_response,
)
else:
raise AuthInvalidCredentialsError(
"You must provide either an email or phone number and a password"
)
if response.session:
self._save_session(response.session)
self._notify_all_subscribers("SIGNED_IN", response.session)
return response
def sign_in_with_password(
self,
credentials: SignInWithPasswordCredentials,
) -> AuthResponse:
"""
Log in an existing user with an email or phone and password.
"""
self._remove_session()
email = credentials.get("email")
phone = credentials.get("phone")
password = credentials.get("password")
options = credentials.get("options", {})
data = options.get("data") or {}
captcha_token = options.get("captcha_token")
if email:
response = self._request(
"POST",
"token",
body={
"email": email,
"password": password,
"data": data,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
query={
"grant_type": "password",
},
xform=parse_auth_response,
)
elif phone:
response = self._request(
"POST",
"token",
body={
"phone": phone,
"password": password,
"data": data,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
query={
"grant_type": "password",
},
xform=parse_auth_response,
)
else:
raise AuthInvalidCredentialsError(
"You must provide either an email or phone number and a password"
)
if response.session:
self._save_session(response.session)
self._notify_all_subscribers("SIGNED_IN", response.session)
return response
def sign_in_with_sso(self, credentials: SignInWithSSOCredentials):
"""
Attempts a single-sign on using an enterprise Identity Provider. A
successful SSO attempt will redirect the current page to the identity
provider authorization page. The redirect URL is implementation and SSO
protocol specific.
You can use it by providing a SSO domain. Typically you can extract this
domain by asking users for their email address. If this domain is
registered on the Auth instance the redirect will use that organization's
currently active SSO Identity Provider for the login.
If you have built an organization-specific login page, you can use the
organization's SSO Identity Provider UUID directly instead.
"""
self._remove_session()
provider_id = credentials.get("provider_id")
domain = credentials.get("domain")
options = credentials.get("options", {})
redirect_to = options.get("redirect_to")
captcha_token = options.get("captcha_token")
# HTTPX currently does not follow redirects: https://www.python-httpx.org/compatibility/
# Additionally, unlike the JS client, Python is a server side language and it's not possible
# to automatically redirect in browser for hte user
skip_http_redirect = options.get("skip_http_redirect", True)
if domain:
return self._request(
"POST",
"sso",
body={
"domain": domain,
"skip_http_redirect": skip_http_redirect,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
redirect_to=redirect_to,
xform=parse_sso_response,
)
if provider_id:
return self._request(
"POST",
"sso",
body={
"provider_id": provider_id,
"skip_http_redirect": skip_http_redirect,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
redirect_to=redirect_to,
xform=parse_sso_response,
)
raise AuthInvalidCredentialsError(
"You must provide either a domain or provider_id"
)
def sign_in_with_oauth(
self,
credentials: SignInWithOAuthCredentials,
) -> OAuthResponse:
"""
Log in an existing user via a third-party provider.
"""
self._remove_session()
provider = credentials.get("provider")
options = credentials.get("options", {})
redirect_to = options.get("redirect_to")
scopes = options.get("scopes")
params = options.get("query_params", {})
if redirect_to:
params["redirect_to"] = redirect_to
if scopes:
params["scopes"] = scopes
url = self._get_url_for_provider(provider, params)
return OAuthResponse(provider=provider, url=url)
def link_identity(self, credentials):
provider = credentials.get("provider")
options = credentials.get("options", {})
redirect_to = options.get("redirect_to")
scopes = options.get("scopes")
params = options.get("query_params", {})
if redirect_to:
params["redirect_to"] = redirect_to
if scopes:
params["scopes"] = scopes
params["skip_browser_redirect"] = True
url = self._get_url_for_provider(provider, params)
return OAuthResponse(provider=provider, url=url)
def get_user_identities(self):
response = self.get_user()
return (
IdentitiesResponse(identities=response.user.identities)
if response.user
else AuthSessionMissingError()
)
def unlink_identity(self, identity):
return self._request(
"POST",
f"/user/identities/{identity.id}",
)
def sign_in_with_otp(
self,
credentials: SignInWithPasswordlessCredentials,
) -> AuthOtpResponse:
"""
Log in a user using magiclink or a one-time password (OTP).
If the `{{ .ConfirmationURL }}` variable is specified in
the email template, a magiclink will be sent.
If the `{{ .Token }}` variable is specified in the email
template, an OTP will be sent.
If you're using phone sign-ins, only an OTP will be sent.
You won't be able to send a magiclink for phone sign-ins.
"""
self._remove_session()
email = credentials.get("email")
phone = credentials.get("phone")
options = credentials.get("options", {})
email_redirect_to = options.get("email_redirect_to")
should_create_user = options.get("create_user", True)
data = options.get("data")
captcha_token = options.get("captcha_token")
if email:
return self._request(
"POST",
"otp",
body={
"email": email,
"data": data,
"create_user": should_create_user,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
redirect_to=email_redirect_to,
xform=parse_auth_otp_response,
)
if phone:
return self._request(
"POST",
"otp",
body={
"phone": phone,
"data": data,
"create_user": should_create_user,
"gotrue_meta_security": {
"captcha_token": captcha_token,
},
},
xform=parse_auth_otp_response,
)
raise AuthInvalidCredentialsError(
"You must provide either an email or phone number"
)
def verify_otp(self, params: VerifyOtpParams) -> AuthResponse:
"""
Log in a user given a User supplied OTP received via mobile.
"""
self._remove_session()
response = self._request(
"POST",
"verify",
body={
"gotrue_meta_security": {
"captcha_token": params.get("options", {}).get("captcha_token"),
},
**params,
},
redirect_to=params.get("options", {}).get("redirect_to"),
xform=parse_auth_response,
)
if response.session:
self._save_session(response.session)
self._notify_all_subscribers("SIGNED_IN", response.session)
return response
def get_session(self) -> Union[Session, None]:
"""
Returns the session, refreshing it if necessary.
The session returned can be null if the session is not detected which
can happen in the event a user is not signed-in or has logged out.
"""
current_session: Union[Session, None] = None
if self._persist_session:
maybe_session = self._storage.get_item(self._storage_key)
current_session = self._get_valid_session(maybe_session)
if not current_session:
self._remove_session()
else:
current_session = self._in_memory_session
if not current_session:
return None
time_now = round(time())
has_expired = (
current_session.expires_at <= time_now + EXPIRY_MARGIN
if current_session.expires_at
else False
)
return (
self._call_refresh_token(current_session.refresh_token)
if has_expired
else current_session
)
def get_user(self, jwt: Union[str, None] = None) -> Union[UserResponse, None]:
"""
Gets the current user details if there is an existing session.
Takes in an optional access token `jwt`. If no `jwt` is provided,
`get_user()` will attempt to get the `jwt` from the current session.
"""
if not jwt:
session = self.get_session()
if session:
jwt = session.access_token
else:
return None
return self._request("GET", "user", jwt=jwt, xform=parse_user_response)
def update_user(self, attributes: UserAttributes) -> UserResponse:
"""
Updates user data, if there is a logged in user.
"""
session = self.get_session()
if not session:
raise AuthSessionMissingError()
response = self._request(
"PUT",
"user",
body=attributes,
jwt=session.access_token,
xform=parse_user_response,
)
session.user = response.user
self._save_session(session)
self._notify_all_subscribers("USER_UPDATED", session)
return response
def set_session(self, access_token: str, refresh_token: str) -> AuthResponse:
"""
Sets the session data from the current session. If the current session
is expired, `set_session` will take care of refreshing it to obtain a
new session.
If the refresh token in the current session is invalid and the current
session has expired, an error will be thrown.
If the current session does not contain at `expires_at` field,
`set_session` will use the exp claim defined in the access token.
The current session that minimally contains an access token,
refresh token and a user.
"""
time_now = round(time())
expires_at = time_now
has_expired = True
session: Union[Session, None] = None
if access_token and access_token.split(".")[1]:
payload = self._decode_jwt(access_token)
exp = payload.get("exp")
if exp:
expires_at = int(exp)
has_expired = expires_at <= time_now
if has_expired:
if not refresh_token:
raise AuthSessionMissingError()
response = self._refresh_access_token(refresh_token)
if not response.session:
return AuthResponse()
session = response.session
else:
response = self.get_user(access_token)
session = Session(
access_token=access_token,
refresh_token=refresh_token,
user=response.user,
token_type="bearer",
expires_in=expires_at - time_now,
expires_at=expires_at,
)
self._save_session(session)
self._notify_all_subscribers("TOKEN_REFRESHED", session)
return AuthResponse(session=session, user=response.user)
def refresh_session(self, refresh_token: Union[str, None] = None) -> AuthResponse:
"""
Returns a new session, regardless of expiry status.
Takes in an optional current session. If not passed in, then refreshSession()
will attempt to retrieve it from getSession(). If the current session's
refresh token is invalid, an error will be thrown.
"""
if not refresh_token:
session = self.get_session()
if session:
refresh_token = session.refresh_token
if not refresh_token:
raise AuthSessionMissingError()
session = self._call_refresh_token(refresh_token)
return AuthResponse(session=session, user=session.user)
def sign_out(self, options: SignOutOptions = {"scope": "global"}) -> None:
"""
Inside a browser context, `sign_out` will remove the logged in user from the
browser session and log them out - removing all items from localstorage and
then trigger a `"SIGNED_OUT"` event.
For server-side management, you can revoke all refresh tokens for a user by
passing a user's JWT through to `api.sign_out`.
There is no way to revoke a user's access token jwt until it expires.
It is recommended to set a shorter expiry on the jwt for this reason.
"""
with suppress(AuthApiError):
session = self.get_session()
access_token = session.access_token if session else None
if access_token:
self.admin.sign_out(access_token, options["scope"])
if options["scope"] != "others":
self._remove_session()
self._notify_all_subscribers("SIGNED_OUT", None)
def on_auth_state_change(
self,
callback: Callable[[AuthChangeEvent, Union[Session, None]], None],
) -> Subscription:
"""
Receive a notification every time an auth event happens.
"""
unique_id = str(uuid4())
def _unsubscribe() -> None:
self._state_change_emitters.pop(unique_id)
subscription = Subscription(
id=unique_id,
callback=callback,
unsubscribe=_unsubscribe,
)
self._state_change_emitters[unique_id] = subscription
return subscription
def reset_password_email(
self,
email: str,
options: Options = {},
) -> None:
"""
Sends a password reset request to an email address.
"""
self._request(
"POST",
"recover",
body={
"email": email,
"gotrue_meta_security": {
"captcha_token": options.get("captcha_token"),
},
},
redirect_to=options.get("redirect_to"),
)
# MFA methods
def _enroll(self, params: MFAEnrollParams) -> AuthMFAEnrollResponse:
session = self.get_session()
if not session:
raise AuthSessionMissingError()
response = self._request(
"POST",
"factors",
body=params,
jwt=session.access_token,
xform=partial(model_validate, AuthMFAEnrollResponse),
)
if response.totp.qr_code:
response.totp.qr_code = f"data:image/svg+xml;utf-8,{response.totp.qr_code}"
return response
def _challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeResponse:
session = self.get_session()
if not session:
raise AuthSessionMissingError()
return self._request(
"POST",
f"factors/{params.get('factor_id')}/challenge",
jwt=session.access_token,
xform=partial(model_validate, AuthMFAChallengeResponse),
)
def _challenge_and_verify(
self,
params: MFAChallengeAndVerifyParams,
) -> AuthMFAVerifyResponse:
response = self._challenge(
{
"factor_id": params.get("factor_id"),
}
)
return self._verify(
{
"factor_id": params.get("factor_id"),
"challenge_id": response.id,
"code": params.get("code"),
}
)
def _verify(self, params: MFAVerifyParams) -> AuthMFAVerifyResponse:
session = self.get_session()
if not session:
raise AuthSessionMissingError()
response = self._request(
"POST",
f"factors/{params.get('factor_id')}/verify",
body=params,
jwt=session.access_token,
xform=partial(model_validate, AuthMFAVerifyResponse),
)
session = model_validate(Session, model_dump(response))
self._save_session(session)
self._notify_all_subscribers("MFA_CHALLENGE_VERIFIED", session)
return response
def _unenroll(self, params: MFAUnenrollParams) -> AuthMFAUnenrollResponse:
session = self.get_session()
if not session:
raise AuthSessionMissingError()
return self._request(
"DELETE",
f"factors/{params.get('factor_id')}",
jwt=session.access_token,
xform=partial(AuthMFAUnenrollResponse, model_validate),
)
def _list_factors(self) -> AuthMFAListFactorsResponse:
response = self.get_user()
all = response.user.factors or []
totp = [f for f in all if f.factor_type == "totp" and f.status == "verified"]
return AuthMFAListFactorsResponse(all=all, totp=totp)
def _get_authenticator_assurance_level(
self,
) -> AuthMFAGetAuthenticatorAssuranceLevelResponse:
session = self.get_session()
if not session:
return AuthMFAGetAuthenticatorAssuranceLevelResponse(
current_level=None,
next_level=None,
current_authentication_methods=[],
)
payload = self._decode_jwt(session.access_token)
current_level: Union[AuthenticatorAssuranceLevels, None] = None
if payload.get("aal"):
current_level = payload.get("aal")
verified_factors = [
f for f in session.user.factors or [] if f.status == "verified"
]
next_level = "aal2" if verified_factors else current_level
current_authentication_methods = payload.get("amr") or []
return AuthMFAGetAuthenticatorAssuranceLevelResponse(
current_level=current_level,
next_level=next_level,
current_authentication_methods=current_authentication_methods,
)
# Private methods
def _remove_session(self) -> None:
if self._persist_session:
self._storage.remove_item(self._storage_key)
else:
self._in_memory_session = None
if self._refresh_token_timer:
self._refresh_token_timer.cancel()
self._refresh_token_timer = None
def _get_session_from_url(
self,
url: str,
) -> Tuple[Session, Union[str, None]]:
if not self._is_implicit_grant_flow(url):
raise AuthImplicitGrantRedirectError("Not a valid implicit grant flow url.")
result = urlparse(url)
params = parse_qs(result.query)
error_description = self._get_param(params, "error_description")
if error_description:
error_code = self._get_param(params, "error_code")
error = self._get_param(params, "error")
if not error_code:
raise AuthImplicitGrantRedirectError("No error_code detected.")
if not error:
raise AuthImplicitGrantRedirectError("No error detected.")
raise AuthImplicitGrantRedirectError(
error_description,
{"code": error_code, "error": error},
)
provider_token = self._get_param(params, "provider_token")
provider_refresh_token = self._get_param(params, "provider_refresh_token")
access_token = self._get_param(params, "access_token")
if not access_token:
raise AuthImplicitGrantRedirectError("No access_token detected.")
expires_in = self._get_param(params, "expires_in")
if not expires_in:
raise AuthImplicitGrantRedirectError("No expires_in detected.")
refresh_token = self._get_param(params, "refresh_token")
if not refresh_token:
raise AuthImplicitGrantRedirectError("No refresh_token detected.")
token_type = self._get_param(params, "token_type")
if not token_type:
raise AuthImplicitGrantRedirectError("No token_type detected.")
time_now = round(time())
expires_at = time_now + int(expires_in)
user = self.get_user(access_token)
session = Session(
provider_token=provider_token,
provider_refresh_token=provider_refresh_token,
access_token=access_token,
expires_in=int(expires_in),
expires_at=expires_at,
refresh_token=refresh_token,
token_type=token_type,
user=user.user,
)
redirect_type = self._get_param(params, "type")
return session, redirect_type
def _recover_and_refresh(self) -> None:
raw_session = self._storage.get_item(self._storage_key)
current_session = self._get_valid_session(raw_session)
if not current_session:
if raw_session:
self._remove_session()
return
time_now = round(time())
expires_at = current_session.expires_at
if expires_at and expires_at < time_now + EXPIRY_MARGIN:
refresh_token = current_session.refresh_token
if self._auto_refresh_token and refresh_token:
self._network_retries += 1
try:
self._call_refresh_token(refresh_token)
self._network_retries = 0
except Exception as e:
if (
isinstance(e, AuthRetryableError)
and self._network_retries < MAX_RETRIES
):
if self._refresh_token_timer:
self._refresh_token_timer.cancel()
self._refresh_token_timer = Timer(
(RETRY_INTERVAL ** (self._network_retries * 100)),
self._recover_and_refresh,
)
self._refresh_token_timer.start()
return
self._remove_session()
return
if self._persist_session:
self._save_session(current_session)
self._notify_all_subscribers("SIGNED_IN", current_session)
def _call_refresh_token(self, refresh_token: str) -> Session:
if not refresh_token:
raise AuthSessionMissingError()
response = self._refresh_access_token(refresh_token)
if not response.session:
raise AuthSessionMissingError()
self._save_session(response.session)
self._notify_all_subscribers("TOKEN_REFRESHED", response.session)
return response.session
def _refresh_access_token(self, refresh_token: str) -> AuthResponse:
return self._request(
"POST",
"token",
query={"grant_type": "refresh_token"},
body={"refresh_token": refresh_token},
xform=parse_auth_response,
)
def _save_session(self, session: Session) -> None:
if not self._persist_session:
self._in_memory_session = session
expire_at = session.expires_at
if expire_at:
time_now = round(time())
expire_in = expire_at - time_now
refresh_duration_before_expires = (
EXPIRY_MARGIN if expire_in > EXPIRY_MARGIN else 0.5
)
value = (expire_in - refresh_duration_before_expires) * 1000
self._start_auto_refresh_token(value)
if self._persist_session and session.expires_at:
self._storage.set_item(self._storage_key, model_dump_json(session))
def _start_auto_refresh_token(self, value: float) -> None:
if self._refresh_token_timer:
self._refresh_token_timer.cancel()
self._refresh_token_timer = None
if value <= 0 or not self._auto_refresh_token:
return
def refresh_token_function():
self._network_retries += 1
try:
session = self.get_session()
if session:
self._call_refresh_token(session.refresh_token)
self._network_retries = 0
except Exception as e:
if (
isinstance(e, AuthRetryableError)
and self._network_retries < MAX_RETRIES
):
self._start_auto_refresh_token(
RETRY_INTERVAL ** (self._network_retries * 100)
)
self._refresh_token_timer = Timer(value, refresh_token_function)
self._refresh_token_timer.start()
def _notify_all_subscribers(
self,
event: AuthChangeEvent,
session: Union[Session, None],
) -> None:
for subscription in self._state_change_emitters.values():
subscription.callback(event, session)
def _get_valid_session(
self,
raw_session: Union[str, None],
) -> Union[Session, None]:
if not raw_session:
return None
data = loads(raw_session)
if not data:
return None
if not data.get("access_token"):
return None
if not data.get("refresh_token"):
return None
if not data.get("expires_at"):
return None
try:
expires_at = int(data["expires_at"])
data["expires_at"] = expires_at
except ValueError:
return None
try:
return model_validate(Session, data)
except Exception:
return None
def _get_param(
self,
query_params: Dict[str, List[str]],
name: str,
) -> Union[str, None]:
return query_params[name][0] if name in query_params else None
def _is_implicit_grant_flow(self, url: str) -> bool:
result = urlparse(url)
params = parse_qs(result.query)
return "access_token" in params or "error_description" in params
def _get_url_for_provider(
self,
provider: Provider,
params: Dict[str, str],
) -> str:
if self._flow_type == "pkce":
code_verifier = generate_pkce_verifier()
code_challenge = generate_pkce_challenge(code_verifier)
self._storage.set_item(f"{self._storage_key}-code-verifier", code_verifier)
code_challenge_method = (
"plain" if code_verifier == code_challenge else "s256"
)
params["code_challenge"] = code_challenge
params["code_challenge_method"] = code_challenge_method
params["provider"] = provider
query = urlencode(params)
return f"{self._url}/authorize?{query}"
def _decode_jwt(self, jwt: str) -> DecodedJWTDict:
"""
Decodes a JWT (without performing any validation).
"""
return decode_jwt_payload(jwt)
def exchange_code_for_session(self, params: CodeExchangeParams):
code_verifier = params.get("code_verifier") or self._storage.get_item(
f"{self._storage_key}-code-verifier"
)
response = self._request(
"POST",
"token?grant_type=pkce",
body={
"auth_code": params.get("auth_code"),
"code_verifier": code_verifier,
},
redirect_to=params.get("redirect_to"),
xform=parse_auth_response,
)
self._storage.remove_item(f"{self._storage_key}-code-verifier")
if response.session:
self._save_session(response.session)
self._notify_all_subscribers("SIGNED_IN", response.session)
return response