config for oauth

2024-12-04 14:06:30 +00:00
parent ba2f5bb483
commit 9d0fd5b33c
7 changed files with 69 additions and 64 deletions
--- a/api/init.py
+++ b/api/init.py
@@ -1,22 +1,61 @@
 #api/__init__.py
 import os
 from functools import wraps
-from flask import jsonify, session, Blueprint
+from flask import jsonify, session, Blueprint, request, g
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
-
+from jwt import decode, ExpiredSignatureError, InvalidTokenError
 import importlib
+import requests
+from threading import Lock

+_public_key_cache = None
+_lock = Lock()
+
+def keycloak_public_key():
+    global _public_key_cache
+    if _public_key_cache:
+        return _public_key_cache
+    with _lock:
+        if _public_key_cache:
+            return _public_key_cache
+
+        url = "https://login.hangman-lab.top/realms/Hangman-Lab/protocol/openid-connect/certs"
+        response = requests.get(url)
+        jwks = response.json()
+        public_key = jwks["keys"][0]["x5c"][0]
+        _public_key_cache = f"-----BEGIN CERTIFICATE-----\n{public_key}\n-----END CERTIFICATE-----"
+        return _public_key_cache
+
+def verify_token(token):
+    try:
+        decoded = decode(
+            token,
+            keycloak_public_key(),
+            algorithms=["RS256"],
+            audience="labdev"
+        )
+        return decoded
+    except ExpiredSignatureError:
+        return None
+    except InvalidTokenError:
+        return None

 def require_auth(roles=[]):
    def decorator(func):
        @wraps(func)
        def wrapper(*args, **kwargs):
-            user = session.get('user')
-            if not user:
+            auth_header = request.headers.get('Authorization')
+            if not auth_header or not auth_header.startswith('Bearer'):
                return jsonify({"error": "Unauthorized"}), 401
-            if user.get('role') not in roles:
+            token = auth_header.split(" ")[1]
+            decoded = verify_token(token)
+            if not decoded:
+                return jsonify({"error": "Invalid or expired token"}), 401
+            user_roles = decoded.get("roles", [])
+            if roles and not set(roles).issubset(set(user_roles)):
                return jsonify({"error": "Forbidden, permission denied"}), 403
+            g.user = decoded
            return func(*args, **kwargs)
        return wrapper
    return decorator