a !fK@sdZddlmZddlZddlZddlZddlZz`ddlmZddlm Z ddlm Z ddlm Z ddlm Z dd lm Z dd lmZddlZWneyed Yn0ddlmmZdd lmZdd lmZddlmZddlmZdZdZdZdZddZGddde Z!dS)aUtilities for the Flask web framework Provides a Flask extension that makes using OAuth2 web server flow easier. The extension includes views that handle the entire auth flow and a ``@required`` decorator to automatically ensure that user credentials are available. Configuration ============= To configure, you'll need a set of OAuth2 web application credentials from the `Google Developer's Console `__. .. code-block:: python from oauth2client.contrib.flask_util import UserOAuth2 app = Flask(__name__) app.config['SECRET_KEY'] = 'your-secret-key' app.config['GOOGLE_OAUTH2_CLIENT_SECRETS_FILE'] = 'client_secrets.json' # or, specify the client id and secret separately app.config['GOOGLE_OAUTH2_CLIENT_ID'] = 'your-client-id' app.config['GOOGLE_OAUTH2_CLIENT_SECRET'] = 'your-client-secret' oauth2 = UserOAuth2(app) Usage ===== Once configured, you can use the :meth:`UserOAuth2.required` decorator to ensure that credentials are available within a view. .. code-block:: python :emphasize-lines: 3,7,10 # Note that app.route should be the outermost decorator. @app.route('/needs_credentials') @oauth2.required def example(): # http is authorized with the user's credentials and can be used # to make http calls. http = oauth2.http() # Or, you can access the credentials directly credentials = oauth2.credentials If you want credentials to be optional for a view, you can leave the decorator off and use :meth:`UserOAuth2.has_credentials` to check. .. code-block:: python :emphasize-lines: 3 @app.route('/optional') def optional(): if oauth2.has_credentials(): return 'Credentials found!' else: return 'No credentials!' When credentials are available, you can use :attr:`UserOAuth2.email` and :attr:`UserOAuth2.user_id` to access information from the `ID Token `__, if available. .. code-block:: python :emphasize-lines: 4 @app.route('/info') @oauth2.required def info(): return "Hello, {} ({})".format(oauth2.email, oauth2.user_id) URLs & Trigging Authorization ============================= The extension will add two new routes to your application: * ``"oauth2.authorize"`` -> ``/oauth2authorize`` * ``"oauth2.callback"`` -> ``/oauth2callback`` When configuring your OAuth2 credentials on the Google Developer's Console, be sure to add ``http[s]://[your-app-url]/oauth2callback`` as an authorized callback url. Typically you don't not need to use these routes directly, just be sure to decorate any views that require credentials with ``@oauth2.required``. If needed, you can trigger authorization at any time by redirecting the user to the URL returned by :meth:`UserOAuth2.authorize_url`. .. code-block:: python :emphasize-lines: 3 @app.route('/login') def login(): return oauth2.authorize_url("/") Incremental Auth ================ This extension also supports `Incremental Auth `__. To enable it, configure the extension with ``include_granted_scopes``. .. code-block:: python oauth2 = UserOAuth2(app, include_granted_scopes=True) Then specify any additional scopes needed on the decorator, for example: .. code-block:: python :emphasize-lines: 2,7 @app.route('/drive') @oauth2.required(scopes=["https://www.googleapis.com/auth/drive"]) def requires_drive(): ... @app.route('/calendar') @oauth2.required(scopes=["https://www.googleapis.com/auth/calendar"]) def requires_calendar(): ... The decorator will ensure that the the user has authorized all specified scopes before allowing them to access the view, and will also ensure that credentials do not lose any previously authorized scopes. Storage ======= By default, the extension uses a Flask session-based storage solution. This means that credentials are only available for the duration of a session. It also means that with Flask's default configuration, the credentials will be visible in the session cookie. It's highly recommended to use database-backed session and to use https whenever handling user credentials. If you need the credentials to be available longer than a user session or available outside of a request context, you will need to implement your own :class:`oauth2client.Storage`. wrapsN) Blueprint)_app_ctx_stack) current_app)redirect)request)sessionurl_forz/The flask utilities require flask 0.9 or newer.)client) clientsecrets) transport)dictionary_storage)emailgoogle_oauth2_credentialszgoogle_oauth2_flow_{0}Zgoogle_oauth2_csrf_tokencCs,tt|d}|durdSt|SdS)zZRetrieves the flow instance associated with a given CSRF token from the Flask session.N)r pop _FLOW_KEYformatpickleloads) csrf_tokenZ flow_pickler`/var/www/html/python-backend/venv/lib/python3.9/site-packages/oauth2client/contrib/flask_util.py_get_flow_for_tokens  rc@seZdZdZd!ddZd"ddZddZd d Zd#d d Zd dZ ddZ ddZ e ddZ ddZe ddZe ddZddZd$ddZdd ZdS)% UserOAuth2aFlask extension for making OAuth 2.0 easier. Configuration values: * ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` path to a client secrets json file, obtained from the credentials screen in the Google Developers console. * ``GOOGLE_OAUTH2_CLIENT_ID`` the oauth2 credentials' client ID. This is only needed if ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` is not specified. * ``GOOGLE_OAUTH2_CLIENT_SECRET`` the oauth2 credentials' client secret. This is only needed if ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` is not specified. If app is specified, all arguments will be passed along to init_app. If no app is specified, then you should call init_app in your application factory to finish initialization. NcOs*||_|dur&|j|g|Ri|dS)N)appinit_app)selfrargskwargsrrr__init__szUserOAuth2.__init__c Ksj||_||_||_|dur(tjttd}||_|durD|j dt }||_ | |||| |dS)aHInitialize this extension for the given app. Arguments: app: A Flask application. scopes: Optional list of scopes to authorize. client_secrets_file: Path to a file containing client secrets. You can also specify the GOOGLE_OAUTH2_CLIENT_SECRETS_FILE config value. client_id: If not specifying a client secrets file, specify the OAuth2 client id. You can also specify the GOOGLE_OAUTH2_CLIENT_ID config value. You must also provide a client secret. client_secret: The OAuth2 client secret. You can also specify the GOOGLE_OAUTH2_CLIENT_SECRET config value. authorize_callback: A function that is executed after successful user authorization. storage: A oauth2client.client.Storage subclass for storing the credentials. By default, this is a Flask session based storage. kwargs: Any additional args are passed along to the Flow constructor. N)keyZGOOGLE_OAUTH2_SCOPES)rauthorize_callback flow_kwargsrZDictionaryStorager _CREDENTIALS_KEYstorageconfigget_DEFAULT_SCOPESscopes _load_configZregister_blueprint_create_blueprint) rrr*client_secrets_file client_id client_secretr#r&r rrrrszUserOAuth2.init_appcCs|r|r|||_|_dS|r,||dSd|jjvrN||jjddSz"|jjd|jjd|_|_WntytdYn0dS)aLoads oauth2 configuration in order of priority. Priority: 1. Config passed to the constructor or init_app. 2. Config passed via the GOOGLE_OAUTH2_CLIENT_SECRETS_FILE app config. 3. Config passed via the GOOGLE_OAUTH2_CLIENT_ID and GOOGLE_OAUTH2_CLIENT_SECRET app config. Raises: ValueError if no config could be found. NZ!GOOGLE_OAUTH2_CLIENT_SECRETS_FILEZGOOGLE_OAUTH2_CLIENT_IDZGOOGLE_OAUTH2_CLIENT_SECRETzOAuth2 configuration could not be found. Either specify the client_secrets_file or client_id and client_secret or set the app configuration variables GOOGLE_OAUTH2_CLIENT_SECRETS_FILE or GOOGLE_OAUTH2_CLIENT_ID and GOOGLE_OAUTH2_CLIENT_SECRET.)r.r/_load_client_secretsrr'KeyError ValueError)rr-r.r/rrrr+s&       zUserOAuth2._load_configcCs>t|\}}|tjkr&td||d|_|d|_dS)z-Loads client secrets from the given filename.z+The flow specified in {0} is not supported.r.r/N)r ZloadfileZTYPE_WEBr2rr.r/)rfilenameZ client_typeZ client_inforrrr0:s  zUserOAuth2._load_client_secretsc Ksttd}|tt<t||d}|j }| || dg}t |jt |}tjf|j|j||tdddd|}t|} t|t| <|S)zCreates a Web Server Flowi)r return_urlr*zoauth2.callbackT)Z _external)r.r/scopestateZ redirect_uri)hashlibsha256osurandom hexdigestr _CSRF_KEYjsondumpsr$copyupdatersetr*unionr ZOAuth2WebServerFlowr.r/r rrr) rr4r rr6kwZ extra_scopesr*flowZflow_keyrrr _make_flowEs,     zUserOAuth2._make_flowcCs.tdt}|dd|j|dd|j|S)NZoauth2z/oauth2authorize authorizez/oauth2callbackcallback)r__name__Z add_url_ruleauthorize_view callback_view)rbprrrr,ds zUserOAuth2._create_blueprintcCs\tj}tjd|d<|dd}|dur8tjp6d}|jfd|i|}|}t|S)z|Flask view that starts the authorization flow. Starts flow by redirecting the user to the OAuth2 provider. r*r4N/) rrto_dictgetlistrZreferrerrEZstep1_get_authorize_urlr)rrr4rDauth_urlrrrrIks   zUserOAuth2.authorize_viewc Csddtjvr.curry_wrapper..required_wrapperr)rkrlrjr*r)rkr curry_wrappersz*UserOAuth2.required..curry_wrapperNr)rZdecorated_functionr*rjrnrrmrrequireds zUserOAuth2.requiredcOs&|jstd|jtj|i|S)aReturns an authorized http instance. Can only be called if there are valid credentials for the user, such as inside of a view that is decorated with @required. Args: *args: Positional arguments passed to httplib2.Http constructor. **kwargs: Positional arguments passed to httplib2.Http constructor. Raises: ValueError if no credentials are available. zNo credentials available.)r[r2rFrZget_http_object)rrr rrrhttps zUserOAuth2.http)N)NNNNNN)N)NN)rH __module__ __qualname____doc__r!rr+r0rEr,rIrJpropertyr[rarrergrorprrrrrs,  )& 3     +r)"rs functoolsrr7r=r9rZflaskrrrrrr r rS ImportErrorZsix.moves.http_clientmoves http_clientrUZ oauth2clientr r rZoauth2client.contribrr)r%rr<robjectrrrrrs8