Authorization & Authentication

  1. from flask import Flask, request, abort
  2. from functools import wraps
  3. from jose import jwt
  4. from urllib.request import urlopen
  5. import json
  6.  
# Auth0 tenant that issues the tokens. Its JWKS endpoint is fetched in
# verify_decode_jwt and 'https://<domain>/' is the expected 'iss' claim.
AUTH0_DOMAIN = 'dev-u8srfgkm.us.auth0.com'
# Accepted signing algorithms, passed to jwt.decode(algorithms=...). Pinning
# the list means the token's own header cannot select a different algorithm.
ALGORITHMS = ['RS256']
# Expected 'aud' claim, passed to jwt.decode(audience=...).
API_AUDIENCE = 'image'
  10.  
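class AuthError(Exception):
    """Raised when a bearer token cannot be validated.

    Args:
        error: dict with 'code' and 'description' keys describing the failure.
        status_code: HTTP status the caller should answer with (400/401).
    """

    def __init__(self, error, status_code):
        # Initialise the base class so the exception message (str(exc),
        # tracebacks) carries the error payload rather than the raw arg tuple.
        super().__init__(error)
        self.error = error
        self.status_code = status_code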
  15.  
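def verify_decode_jwt(token, *, timeout=10):
    """Verify an Auth0-issued JWT and return its decoded claims.

    Fetches the tenant's JWKS, selects the signing key whose 'kid' matches the
    token header, then lets jwt.decode check signature, expiry, audience and
    issuer in one step.

    Args:
        token: raw JWT string taken from the Authorization header.
        timeout: seconds to wait for the JWKS endpoint (keyword-only).

    Returns:
        The verified claims payload (dict) from jwt.decode.

    Raises:
        AuthError: 401 for a missing 'kid', an expired token or wrong
            audience/issuer; 400 when the token cannot be parsed or no
            matching signing key is published.
    """
    # Bounded, self-closing fetch: the original left the response open and
    # had no timeout, so a stalled JWKS endpoint could hang every request.
    with urlopen(f'https://{AUTH0_DOMAIN}/.well-known/jwks.json',
                 timeout=timeout) as response:
        jwks = json.loads(response.read())

    # The header is read *unverified* only to pick a key id; nothing in it is
    # trusted until jwt.decode has checked the signature below.
    try:
        unverified_header = jwt.get_unverified_header(token)
    except Exception as err:
        raise AuthError({
            'code': 'invalid_header',
            'description': 'Unable to parse authentication token.'
        }, 400) from err

    if 'kid' not in unverified_header:
        raise AuthError({
            'code': 'invalid_header',
            'description': ' Authorization malformed.'
        }, 401)

    rsa_key = {}
    for key in jwks['keys']:
        if key['kid'] == unverified_header['kid']:
            rsa_key = {
                'kty': key['kty'],
                'kid': key['kid'],
                'use': key['use'],
                'n': key['n'],
                'e': key['e']
            }
            break  # first matching kid wins; no need to scan the rest

    if not rsa_key:
        raise AuthError({
            'code': 'invalid_header',
            'description': 'Unable to find the appropriate key.'
        }, 400)

    try:
        # algorithms= is pinned from ALGORITHMS so the token header cannot
        # choose the algorithm; audience and issuer are verified here too.
        return jwt.decode(
            token,
            rsa_key,
            algorithms=ALGORITHMS,
            audience=API_AUDIENCE,
            issuer='https://' + AUTH0_DOMAIN + '/'
        )
    except jwt.ExpiredSignatureError as err:
        raise AuthError({
            'code': 'token_expired',
            'description': 'Token expired.'
        }, 401) from err
    except jwt.JWTClaimsError as err:
        raise AuthError({
            'code': 'invalid_claims',
            'description': 'Incorrect claims. Please, check the audience and issuer.'
        }, 401) from err
    except Exception as err:
        # Any other decode failure (bad signature, malformed segments, ...)
        # is reported as an unparseable token.
        raise AuthError({
            'code': 'invalid_header',
            'description': 'Unable to parse authentication token.'
        }, 400) from err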
  71.  
def get_token_auth_header():
    """Return the bearer token carried by the current request.

    Aborts with 401 when the Authorization header is missing, does not split
    into exactly two space-separated parts, or its scheme is not 'bearer'
    (compared case-insensitively).

    Returns:
        The token string following the scheme.
    """
    auth_header = request.headers.get('Authorization')
    if auth_header is None:
        abort(401)

    parts = auth_header.split(' ')
    if len(parts) != 2 or parts[0].lower() != 'bearer':
        abort(401)

    return parts[1]
  85.  
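def check_permissions(permission, payload):
    """Ensure the verified token payload grants *permission*.

    Args:
        permission: permission string required by the route, e.g. 'get:images'.
        payload: decoded JWT claims as returned by verify_decode_jwt.

    Returns:
        True when the permission is present.

    Aborts:
        400 when the payload has no 'permissions' claim or it is not a list;
        403 when the list does not contain *permission*.
    """
    permissions = payload.get('permissions')
    # Insist on a list: `in` on a str does substring matching, so a malformed
    # claim of "get:images" would otherwise also satisfy "get".
    if not isinstance(permissions, list):
        abort(400)

    if permission not in permissions:
        abort(403)

    return True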
  94.  
  95.  
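def requires_auth(permission=''):
    """Decorator factory: authenticate the request and enforce *permission*.

    The wrapped view is called with the verified token payload as its first
    positional argument, followed by the route's own arguments.

    Args:
        permission: permission string the token must carry ('' by default).

    Returns:
        A decorator that wraps a Flask view function.
    """
    def requires_auth_decorator(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            # Named 'token' rather than 'jwt' to avoid confusion with the
            # jose module imported under that name at file level.
            token = get_token_auth_header()
            try:
                payload = verify_decode_jwt(token)
            except Exception:
                # Every verification failure (AuthError, JWKS fetch error,
                # jose errors) becomes 401. Narrowed from a bare `except:` so
                # SystemExit/KeyboardInterrupt are no longer swallowed.
                abort(401)

            check_permissions(permission, payload)
            return f(payload, *args, **kwargs)
        return wrapper
    return requires_auth_decorator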
  111.  
# Application object; the decorated views below register their routes on it.
app = Flask(import_name=__name__)
  113.  
  114. # @app.route('/headers')
  115. # @requires_auth
  116. # def headers(jwt):
  117. #     #TODO unpack the request header
  118. #     print(jwt)
  119. #     return 'not implemented'
  120.  
@app.route('/image')
@requires_auth('get:images')
def images(jwt):
    """Placeholder view for /image; requires the 'get:images' permission.

    Args:
        jwt: verified token payload injected by requires_auth.
    """
    #TODO unpack the request header
    # NOTE(review): this echoes the whole claims payload to stdout. Acceptable
    # for a stub, but drop it before the route is implemented so token
    # contents do not end up in process logs.
    payload = jwt
    print(payload)
    response_body = 'not implemented'
    return response_body
  127.  