lemoncurry/lemonauth/tokens.py

from jose import jwt

from datetime import datetime, timedelta
from django.conf import settings


def encode(payload):
    return jwt.encode(payload, settings.SECRET_KEY, algorithm='HS256')


def decode(token):
    return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))


def gen_auth_code(req):
    code = {
        'uid': req.user.id,
        'cid': req.POST['client_id'],
        'uri': req.POST['redirect_uri'],
        'typ': req.POST.get('response_type', 'id'),
        'iat': datetime.utcnow(),
        'exp': datetime.utcnow() + timedelta(seconds=30),
    }
    if 'scope' in req.POST:
        code['sco'] = ' '.join(req.POST.getlist('scope'))

    return encode(code)


def gen_token(code):
    tok = {
        'uid': code['uid'],
        'cid': code['cid'],
        'sco': code['sco'],
        'iat': datetime.utcnow(),
    }
    return encode(tok)
Switch from PyJWT to python-jose, since it supports more features and has more documentation 2017-11-03 02:42:57 -04:00			`from jose import jwt`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00
			`from datetime import datetime, timedelta`
			`from django.conf import settings`


Refactor the actual JWT calls into separate functions since I'll be needing them for tokens as well as auth codes 2017-11-02 23:37:39 -04:00			`def encode(payload):`
			`return jwt.encode(payload, settings.SECRET_KEY, algorithm='HS256')`


			`def decode(token):`
			`return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))`


Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for 2017-11-03 00:51:27 -04:00			`def gen_auth_code(req):`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00			`code = {`
Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for 2017-11-03 00:51:27 -04:00			`'uid': req.user.id,`
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`'cid': req.POST['client_id'],`
			`'uri': req.POST['redirect_uri'],`
			`'typ': req.POST.get('response_type', 'id'),`
Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter 2017-11-02 23:33:27 -04:00			`'iat': datetime.utcnow(),`
			`'exp': datetime.utcnow() + timedelta(seconds=30),`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00			`}`
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`if 'scope' in req.POST:`
			`code['sco'] = ' '.join(req.POST.getlist('scope'))`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`return encode(code)`
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 02:18:00 -04:00

			`def gen_token(code):`
			`tok = {`
			`'uid': code['uid'],`
			`'cid': code['cid'],`
			`'sco': code['sco'],`
			`'iat': datetime.utcnow(),`
			`}`
Switch from PyJWT to python-jose, since it supports more features and has more documentation 2017-11-03 02:42:57 -04:00			`return encode(tok)`