Merge pull request #28 from IcyNet/oauth

Implement OAuth for IcyNet.eu

EpisodesCommunity/settings.py

@@ -14,10 +14,12 @@ import dj_database_url
 import os
 import configparser
 import warnings
+import base64
 
 config = configparser.ConfigParser()
 config.read('options.ini')
 options = config['General']
+oauth_options = config['OAuth']
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -128,3 +130,9 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/1.11/howto/static-files/
 
 STATIC_URL = '/static/'
+
+
+AUTH_TOKEN_ENDPOINT = oauth_options.get('token_endpoint','https://icynet.eu/oauth/')
+AUTH_CLIENT_ID = oauth_options.get('client_id')
+AUTH_B64 = base64.b64encode(bytearray('%s:%s'%(AUTH_CLIENT_ID,oauth_options.get('client_secret')),'utf-8')).decode("utf-8")
+AUTH_REDIRECT_URL = oauth_options.get('redirect_url')

EpisodesCommunity/urls.py

@@ -13,9 +13,10 @@ Including another URLconf
     1. Import the include() function: from django.conf.urls import url, include
     2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
 """
-from django.conf.urls import url
+from django.conf.urls import url, include
 from django.contrib import admin
 
 urlpatterns = [
     url(r'^admin/', admin.site.urls),
+    url(r'^', include('LandingPage.urls'))
 ]

LandingPage/models.py

@@ -70,8 +70,9 @@ class Show(TimestampedModel):
     ) 
 
 class User(TimestampedModel):
-    user_id = models.IntegerField(
-            help_text='The user id assigned to this user by IcyNet\'s auth servers'
+    user_id = models.CharField(
+            max_length=36,
+            help_text='The UUID assigned to this user by IcyNet\'s auth servers'
     )
     email = models.EmailField(
             help_text='This user\'s email address'

LandingPage/urls.py

@@ -0,0 +1,9 @@
+from django.conf.urls import url
+
+from . import views
+
+urlpatterns = [
+    url(r'^login/redirect$', views.LoginRedirect.as_view()),
+    url(r'^login$', views.Login.as_view()),
+]
+

LandingPage/views.py

@@ -1,3 +1,79 @@
 from django.shortcuts import render
+from django.views import View
+from django.conf import settings
+from django.http import HttpResponse
+from django.http import HttpResponseRedirect
+import requests
+import hashlib
+import json
+from .models import User
 
 # Create your views here.
+# Redirect url should point to this view
+class LoginRedirect(View):
+    def get(self, req):
+        
+        # Check request has correct arguments
+        request_valid = 'state' in req.GET and 'code' in req.GET
+        if not request_valid:
+            r = HttpResponse('<h1>Error</h1><p>There was an error in your request.  Please <a href=/login>try again</a></p>')
+            r.status = 400
+            return r
+
+        # Check state
+        userstate = generateState(req)
+        if userstate == req.GET['state']:
+            code = req.GET['code']
+            resp = requests.post(
+                    settings.AUTH_TOKEN_ENDPOINT+"token",
+                    data={
+                        'grant_type':'authorization_code',
+                        'code':code,
+                        'redirect_uri':settings.AUTH_REDIRECT_URL,
+                        'client_id':settings.AUTH_CLIENT_ID
+                    },
+                    headers = {
+                        'Authorization':'Basic %s'%settings.AUTH_B64
+                    }
+            )
+            resp_json = resp.json()
+            if 'error' in resp_json:
+                r = HttpResponse('<h1>OAuth Error</h1><pre>%s</pre>'%json.dumps(resp_json))
+                r.status = 500
+                return r
+            else:
+                user_info = requests.get(
+                        settings.AUTH_TOKEN_ENDPOINT+"user",
+                        headers = {
+                            'Authorization': 'Bearer ' + resp_json['access_token']
+                        }
+                ).json()
+                req.session['user_id'] = user_info['uuid']
+                matches = User.objects.filter(user_id=user_info['uuid'])
+                if not len(matches):
+                    user = User(
+                            user_id = user_info['uuid'],
+                            email = user_info['email'],
+                            display_name = user_info['display_name']
+                    )
+                    user.save()
+                req.session['token'] = resp_json['access_token']
+                return HttpResponseRedirect('/')
+        else:
+            return HttpResponse('<h1>Unmatching state tokens</h1><br><p>It looks like the request to login wasn\'t started by you.  Try going back to the home page and logging in again.</p>', status=400)
+
+class Login(View):
+    def get(self, req):
+        url = '%sauthorize?response_type=code&client_id=%s&redirect_uri=%s&scope=email&state=%s'%(settings.AUTH_TOKEN_ENDPOINT,settings.AUTH_CLIENT_ID,settings.AUTH_REDIRECT_URL, generateState(req))
+        response = HttpResponse("Redirecting you to the IcyNet auth page...")
+        response.status_code = 302
+        response['Location'] = url
+        return response
+
+def generateState(request):
+    request.session.save()
+
+    m = hashlib.sha256()
+    m.update(bytearray(request.session.session_key, 'utf-8'))
+    m.update(bytearray(settings.SECRET_KEY, 'utf-8'))
+    return m.hexdigest()

options_example.ini

@@ -9,3 +9,14 @@ secret_key=5up3r s3cr3t k3y
 #For configuration details
 database=sqlite:///database.sqlite3
 
+[OAuth]
+#The root of the oauth endpoint you are using for oauth settings
+token_endpoint=https://icynet.eu/oauth/
+
+#The client id, client secret, and redirect url used in the confguration
+#of your oauth client on the site that you plan to use for oauth.
+#The redirect url should probably point to the appropriate view, and 
+#needs to be fully qualified.
+client_id=CLIENT ID HERE
+client_secret=CLIENT SECRET HERE
+redirect_url=REDIRECT URL HERE