o ©D®f½ã@s@dZddlmZddlmZmZGdd„dƒZGdd„dƒZdS) zè authlib.oauth2.rfc6749.resource_protector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Implementation of Accessing Protected Resources per `Section 7`_. .. _`Section 7`: https://tools.ietf.org/html/rfc6749#section-7 é)Ú scope_to_list)ÚMissingAuthorizationErrorÚUnsupportedTokenTypeErrorc@sBeZdZdZdZddd„Zedd„ƒZdd „Zd d „Z d d „Z dS)ÚTokenValidatorziBase token validator class. Subclass this validator to register into ResourceProtector instance. ÚbearerNcKs||_||_dS©N)ÚrealmÚextra_attributes)Úselfrr ©r úb/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc6749/resource_protector.pyÚ__init__s zTokenValidator.__init__cCsJ|sdSt|ƒ}|s dSt|ƒ}|D]}tt|ƒƒ}| |¡r"dSqdS)NFT)rÚsetÚ issuperset)Ú token_scopesÚrequired_scopesÚscopeÚresource_scopesr r r Úscope_insufficients  ÿz!TokenValidator.scope_insufficientcCótƒ‚)a_A method to query token from database with the given token string. Developers MUST re-implement this method. For instance:: def authenticate_token(self, token_string): return get_token_from_database(token_string) :param token_string: A string to represent the access_token. :return: token ©ÚNotImplementedError)r Ú token_stringr r r Úauthenticate_token(s z!TokenValidator.authenticate_tokencCsdS)a@A method to validate if the HTTP request is valid or not. Developers MUST re-implement this method. For instance, your server requires a "X-Device-Version" in the header:: def validate_request(self, request): if 'X-Device-Version' not in request.headers: raise InvalidRequestError() Usually, you don't have to detect if the request is valid or not. If you have to, you MUST re-implement this method. :param request: instance of HttpRequest :raise: InvalidRequestError Nr )r Úrequestr r r Úvalidate_request4szTokenValidator.validate_requestcCr)a4A method to validate if the authorized token is valid, if it has the permission on the given scopes. Developers MUST re-implement this method. e.g, check if token is expired, revoked:: def validate_token(self, token, scopes, request): if not token: raise InvalidTokenError() if token.is_expired() or token.is_revoked(): raise InvalidTokenError() if not match_token_scopes(token, scopes): raise InsufficientScopeError() r)r ÚtokenÚscopesrr r r Úvalidate_tokenDs zTokenValidator.validate_tokenr) Ú__name__Ú __module__Ú __qualname__Ú__doc__Ú TOKEN_TYPEr Ú staticmethodrrrrr r r r r s   rc@s:eZdZdd„Zdefdd„Zdd„Zdd „Zd d „Zd S) ÚResourceProtectorcCsi|_d|_d|_dSr)Ú_token_validatorsÚ_default_realmÚ_default_auth_type)r r r r r Us zResourceProtector.__init__Ú validatorcCs6|js |j|_|j|_|j|jvr||j|j<dSdS)z„Register a token validator for a given Authorization type. Authlib has a built-in BearerTokenValidator per rfc6750. N)r(rr'r#r&)r r)r r r Úregister_token_validatorZs  ÿz*ResourceProtector.register_token_validatorcCs&|j | ¡¡}|st|j|jƒ‚|S)z;Get token validator from registry for the given token type.)r&ÚgetÚlowerrr(r')r Ú token_typer)r r r Úget_token_validatoresz%ResourceProtector.get_token_validatorcCs^|j d¡}|st|j|jƒ‚| dd¡}t|ƒdkr"t|j|jƒ‚|\}}| |¡}||fS)aËParse the token and token validator from request Authorization header. Here is an example of Authorization header:: Authorization: Bearer a-token-string This method will parse this header, if it can find the validator for ``Bearer``, it will return the validator and ``a-token-string``. :return: validator, token_string :raise: MissingAuthorizationError :raise: UnsupportedTokenTypeError Ú AuthorizationNré) Úheadersr+rr(r'ÚsplitÚlenrr.)r rÚauthÚ token_partsr-rr)r r r Úparse_request_authorizationls    z-ResourceProtector.parse_request_authorizationcKs<| |¡\}}| |¡| |¡}|j|||fi|¤Ž|S)z(Validate the request and return a token.)r6rrr)r rrÚkwargsr)rrr r r r†s   z"ResourceProtector.validate_requestN) rr r!r rr*r.r6rr r r r r%Ts   r%N)r"ÚutilrÚerrorsrrrr%r r r r Ús  G