diff options
| author | Fabian Mastenbroek <mail.fabianm@gmail.com> | 2021-05-18 20:34:13 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-18 20:34:13 +0200 |
| commit | 56bd2ef6b0583fee1dd2da5dceaf57feb07649c9 (patch) | |
| tree | 6d4cfbc44c97cd3ec1e30aa977cd08f404b41b0d /opendc-web/opendc-web-api/main.py | |
| parent | 02776c958a3254735b2be7d9fb1627f75e7f80cd (diff) | |
| parent | ce95cfdf803043e66e2279d0f76c6bfc64e7864e (diff) | |
Migrate to Auth0 as Identity Provider
This pull request removes the hard dependency on Google for
authenticating users and migrates to Auth0 as Identity Provider for OpenDC.
This has as benefit that we can authenticate users without having to manage
user data ourselves and do not have a dependency on Google accounts anymore.
- Frontend cleanup:
- Use CSS modules everywhere to encapsulate the styling of React components.
- Perform all communication in the frontend via the REST API (as opposed to WebSockets).
The original approach was aimed at collaborative editing, but made normal operations
harder to implement and debug. If we want to implement collaborative editing in the
future, we can expose only a small WebSocket API specifically for collaborative editing.
- Move to FontAwesome 5 (using the official React libraries)
- Use Reactstrap where possible. Previously, we mixed raw Bootstrap classes with
Reactstrap, which is confusing.
- Reduce the scope of the Redux state. Some state in the frontend application can be
kept locally and does not need to be managed by Redux.
- Migrate from Create React App (CRA) to Next.js since it allows us to pre-render
multiple pages as well as opt-in to Server Side Rendering.
- Remove the Google login and use Auth0 for authentication now.
- Use Node 16
- Backend cleanup:
- Remove Socket.IO endpoint from backend, since it is not needed by the frontend
anymore. Removing it reduces the attack surface of OpenDC as well as the maintenance efforts.
- Use Auth0 JWT token for authorizing API accesses
- Refactor API endpoints to use Flask Restful as opposed to our custom in-house
routing logic. Previously, this was needed to support the Socket.IO endpoint,
but increases maintenance effort.
- Expose Swagger UI from API
- Use Python 3.9 and uwsgi to host Flask application
- Actualize OpenAPI schema and update to version 3.0.
**Breaking API Changes**
* This pull request removes the users collection from the database table. Instead, we now use the user identifier passed by Auth0 to identify the data that belongs to a user.
Diffstat (limited to 'opendc-web/opendc-web-api/main.py')
| -rwxr-xr-x | opendc-web/opendc-web-api/main.py | 188 |
1 files changed, 0 insertions, 188 deletions
diff --git a/opendc-web/opendc-web-api/main.py b/opendc-web/opendc-web-api/main.py deleted file mode 100755 index 5c6dac31..00000000 --- a/opendc-web/opendc-web-api/main.py +++ /dev/null @@ -1,188 +0,0 @@ -#!/usr/bin/env python3 -import json -import os -import sys -import traceback -import urllib.request - -import flask_socketio -from dotenv import load_dotenv -from flask import Flask, request, jsonify -from flask_compress import Compress -from flask_cors import CORS -from oauth2client import client, crypt - -from opendc.models.user import User -from opendc.util import rest, path_parser, database -from opendc.util.exceptions import AuthorizationTokenError, RequestInitializationError -from opendc.util.json import JSONEncoder - -load_dotenv() - -TEST_MODE = "OPENDC_FLASK_TESTING" in os.environ - -# Setup Sentry if DSN is specified -if 'SENTRY_DSN' in os.environ: - import sentry_sdk - from sentry_sdk.integrations.flask import FlaskIntegration - - sentry_sdk.init( - integrations=[FlaskIntegration()], - traces_sample_rate=0.1 - ) - -# Set up database if not testing -if not TEST_MODE: - database.DB.initialize_database( - user=os.environ['OPENDC_DB_USERNAME'], - password=os.environ['OPENDC_DB_PASSWORD'], - database=os.environ['OPENDC_DB'], - host=os.environ.get('OPENDC_DB_HOST', 'localhost')) - -# Set up the core app -FLASK_CORE_APP = Flask(__name__) -FLASK_CORE_APP.testing = TEST_MODE -FLASK_CORE_APP.config['SECRET_KEY'] = os.environ['OPENDC_FLASK_SECRET'] -FLASK_CORE_APP.json_encoder = JSONEncoder - -# Set up CORS support -CORS(FLASK_CORE_APP) - -compress = Compress() -compress.init_app(FLASK_CORE_APP) - -SOCKET_IO_CORE = flask_socketio.SocketIO(FLASK_CORE_APP, cors_allowed_origins="*") - -API_VERSIONS = {'v2'} - - -@FLASK_CORE_APP.route('/tokensignin', methods=['POST']) -def sign_in(): - """Authenticate a user with Google sign in""" - - try: - token = request.form['idtoken'] - except KeyError: - return 'No idtoken provided', 401 - - try: - idinfo = client.verify_id_token(token, os.environ['OPENDC_OAUTH_CLIENT_ID']) - - if idinfo['aud'] != os.environ['OPENDC_OAUTH_CLIENT_ID']: - raise crypt.AppIdentityError('Unrecognized client.') - - if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']: - raise crypt.AppIdentityError('Wrong issuer.') - except ValueError: - url = "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={}".format(token) - req = urllib.request.Request(url) - response = urllib.request.urlopen(url=req, timeout=30) - res = response.read() - idinfo = json.loads(res) - except crypt.AppIdentityError as e: - return 'Did not successfully authenticate' - - user = User.from_google_id(idinfo['sub']) - - data = {'isNewUser': user.obj is None} - - if user.obj is not None: - data['userId'] = user.get_id() - - return jsonify(**data) - - -@FLASK_CORE_APP.route('/<string:version>/<path:endpoint_path>', methods=['GET', 'POST', 'PUT', 'DELETE']) -def api_call(version, endpoint_path): - """Call an API endpoint directly over HTTP.""" - - # Check whether given version is valid - if version not in API_VERSIONS: - return jsonify(error='API version not found'), 404 - - # Get path and parameters - (path, path_parameters) = path_parser.parse(version, endpoint_path) - - query_parameters = request.args.to_dict() - for param in query_parameters: - try: - query_parameters[param] = int(query_parameters[param]) - except: - pass - - try: - body_parameters = json.loads(request.get_data()) - except: - body_parameters = {} - - # Create and call request - (req, response) = _process_message({ - 'id': 0, - 'method': request.method, - 'parameters': { - 'body': body_parameters, - 'path': path_parameters, - 'query': query_parameters - }, - 'path': path, - 'token': request.headers.get('auth-token') - }) - - print( - f'HTTP:\t{req.method} to `/{req.path}` resulted in {response.status["code"]}: {response.status["description"]}') - sys.stdout.flush() - - flask_response = jsonify(json.loads(response.to_JSON())) - flask_response.status_code = response.status['code'] - return flask_response - - -@SOCKET_IO_CORE.on('request') -def receive_message(message): - """"Receive a SocketIO request""" - (req, res) = _process_message(message) - - print(f'Socket: {req.method} to `/{req.path}` resulted in {res.status["code"]}: {res.status["description"]}') - sys.stdout.flush() - - flask_socketio.emit('response', res.to_JSON(), json=True) - - -def _process_message(message): - """Process a request message and return the response.""" - - try: - req = rest.Request(message) - res = req.process() - - return req, res - - except AuthorizationTokenError: - res = rest.Response(401, 'Authorization error') - res.id = message['id'] - - except RequestInitializationError as e: - res = rest.Response(400, str(e)) - res.id = message['id'] - - if not 'method' in message: - message['method'] = 'UNSPECIFIED' - if not 'path' in message: - message['path'] = 'UNSPECIFIED' - - except Exception: - res = rest.Response(500, 'Internal server error') - if 'id' in message: - res.id = message['id'] - traceback.print_exc() - - req = rest.Request() - req.method = message['method'] - req.path = message['path'] - - return req, res - - -if __name__ == '__main__': - print("Web server started on 8081") - SOCKET_IO_CORE.run(FLASK_CORE_APP, host='0.0.0.0', port=8081, use_reloader=False) |