Initial upload from Colab

ef1ad9e verified 4 months ago

4.74 kB

	import jwt
	from fastapi import Depends, HTTPException, Request, Security, WebSocket, status
	from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, SecurityScopes

	from app.config.env import env

	# Define permission sets
	LOAN_OFFICER_PERMISSIONS = ["get:lead", "create:loan", "update:loan"]
	LOAN_OFFICER_ADMIN_PERMISSIONS = ["get:reports"]

	# Custom exception for unauthorized access


	class UnauthorizedException(HTTPException):
	def __init__(self, detail: str, **kwargs):
	super().__init__(status.HTTP_403_FORBIDDEN, detail=detail)


	# Custom exception for unauthenticated requests


	class UnauthenticatedException(HTTPException):
	def __init__(self):
	super().__init__(status_code=status.HTTP_401_UNAUTHORIZED, detail="Requires authentication")


	# Custom HTTPBearer for Auth0


	class Auth0HTTPBearer(HTTPBearer):
	async def __call__(self, request: Request) -> HTTPAuthorizationCredentials:
	credentials: HTTPAuthorizationCredentials = await super().__call__(request)
	if credentials and credentials.scheme == "Bearer":
	return credentials
	else:
	raise HTTPException(
	status_code=status.HTTP_403_FORBIDDEN, detail="Invalid or missing authentication credentials"
	)


	# Token verification class


	class VerifyToken:
	USER_PERMISSIONS = []

	def __init__(self):
	jwks_url = f"https://{env.AUTH0_DOMAIN}/.well-known/jwks.json"
	self.jwks_client = jwt.PyJWKClient(jwks_url)

	async def verify(
	self, security_scopes: SecurityScopes, token: HTTPAuthorizationCredentials = Depends(Auth0HTTPBearer())
	):
	if not token:
	raise UnauthenticatedException()

	# Extract and verify the JWT token from the credentials
	token_value = token.credentials

	try:
	signing_key = self.jwks_client.get_signing_key_from_jwt(token_value).key
	payload = jwt.decode(
	token_value,
	signing_key,
	algorithms=env.AUTH0_ALGORITHMS,
	audience=env.AUTH0_API_AUDIENCE,
	issuer=env.AUTH0_ISSUER,
	)
	except jwt.exceptions.PyJWKClientError as error:
	raise UnauthorizedException(str(error))
	except jwt.exceptions.DecodeError as error:
	raise UnauthorizedException(str(error))
	except Exception as error:
	raise UnauthorizedException(str(error))

	if security_scopes.scopes:
	self._check_claims(payload, "scope", security_scopes.scopes)

	self.USER_PERMISSIONS = payload.get("permissions", [])

	return payload

	async def verify_websocket(self, websocket: WebSocket, token: str):
	if not token:
	await websocket.close(code=1008)
	raise UnauthenticatedException()

	try:
	signing_key = self.jwks_client.get_signing_key_from_jwt(token).key
	payload = jwt.decode(
	token,
	signing_key,
	algorithms=env.AUTH0_ALGORITHMS,
	audience=env.AUTH0_API_AUDIENCE,
	issuer=env.AUTH0_ISSUER,
	)
	self.USER_PERMISSIONS = payload.get("permissions", [])
	except jwt.exceptions.PyJWKClientError as error:
	await websocket.close(code=1008)
	raise UnauthorizedException(str(error))
	except jwt.exceptions.DecodeError as error:
	await websocket.close(code=1008)
	raise UnauthorizedException(str(error))
	except Exception as error:
	await websocket.close(code=1008)
	raise UnauthorizedException(str(error))

	return payload

	def _check_claims(self, payload, claim_name, expected_value):
	if claim_name not in payload:
	raise UnauthorizedException(detail=f'No claim "{claim_name}" found in token')

	payload_claim = payload[claim_name].split(" ") if claim_name == "scope" else payload[claim_name]

	for value in expected_value:
	if value not in payload_claim:
	raise UnauthorizedException(detail=f'Missing required "{claim_name}" scope')

	def is_loan_officer(self):
	for permission in LOAN_OFFICER_PERMISSIONS:
	if permission not in self.USER_PERMISSIONS:
	raise UnauthorizedException(detail="Permission denied")

	def is_loan_officer_admin(self):
	for permission in LOAN_OFFICER_ADMIN_PERMISSIONS:
	if permission not in self.USER_PERMISSIONS:
	raise UnauthorizedException(detail="Permission denied")