Commit a41b58f1 authored by echel0n's avatar echel0n

Refactored: get the current user's info from the decoded token instead of the userinfo endpoint

parent 1615fa5e
......@@ -25,18 +25,17 @@ import threading
import time
import traceback
from abc import ABC
from json import JSONDecodeError
from urllib.parse import urlparse, urljoin
from jose import ExpiredSignatureError
from keycloak.exceptions import KeycloakClientError
from mako.exceptions import RichTraceback
from mako.lookup import TemplateLookup
from requests import HTTPError
from tornado import locale
from tornado.web import RequestHandler
import sickrage
from sickrage.core import helpers, API
from sickrage.core import helpers
class BaseHandler(RequestHandler, ABC):
......@@ -108,11 +107,11 @@ class BaseHandler(RequestHandler, ABC):
try:
token = json.loads(cookie.decode("utf-8"))
try:
return sickrage.app.oidc_client.userinfo(token['access_token'])
except KeycloakClientError:
return sickrage.app.oidc_client.decode_token(token['access_token'], sickrage.app.oidc_client.certs())
except (KeycloakClientError, ExpiredSignatureError):
token = sickrage.app.oidc_client.refresh_token(token['refresh_token'])
self.set_secure_cookie('_sr', json.dumps({'access_token': token['access_token'], 'refresh_token': token['refresh_token']}))
return sickrage.app.oidc_client.userinfo(token['access_token'])
return sickrage.app.oidc_client.decode_token(token['access_token'], sickrage.app.oidc_client.certs())
except Exception as e:
sickrage.app.log.debug('{!r}'.format(e))
pass
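Review bot: A token whose signature or claims fail to verify now surfaces from `decode_token` as a jose `JWTError`/`JWTClaimsError`, which the inner `except (KeycloakClientError, ExpiredSignatureError)` does not catch, so it falls to the outer `except Exception` at the end of the hunk and is logged only at debug level before the user is treated as anonymous; with the userinfo round-trip gone, this local decode is now the only validation the session cookie gets. Consider catching it explicitly so a tampered or foreign token is visible to operators, e.g. `except JWTError as e:` / `sickrage.app.log.warning('token rejected from {}: {!r}'.format(self.request.remote_ip, e))`, with `JWTError` added to the `from jose import ExpiredSignatureError` line in the import hunk above. Whether `decode_token` also pins the expected audience and algorithm depends on the keycloak client wrapper's defaults, which are not visible here; if it forwards keyword arguments to `jose.jwt.decode`, passing `audience=<client id placeholder>` would bind the token to this client. `sickrage.app.oidc_client.certs()` is also evaluated on every request, which presumably fetches the JWKS each time rather than caching it. The enclosing `get_current_user` definition starts outside the hunk.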
......
......@@ -36,22 +36,22 @@ class LoginHandler(BaseHandler, ABC):
if code:
try:
token = sickrage.app.oidc_client.authorization_code(code, redirect_uri)
userinfo = sickrage.app.oidc_client.userinfo(token['access_token'])
decoded_token = sickrage.app.oidc_client.decode_token(token['access_token'], sickrage.app.oidc_client.certs())
self.set_secure_cookie('_sr', json.dumps({'access_token': token['access_token'], 'refresh_token': token['refresh_token']}))
if not userinfo.get('sub'):
if not decoded_token.get('sub'):
return self.redirect('/logout')
if not sickrage.app.config.sub_id:
sickrage.app.config.sub_id = userinfo.get('sub')
sickrage.app.config.sub_id = decoded_token.get('sub')
sickrage.app.config.save()
if sickrage.app.config.sub_id != userinfo.get('sub'):
if sickrage.app.config.sub_id != decoded_token.get('sub'):
if API().token:
allowed_usernames = API().allowed_usernames()['data']
if not userinfo['preferred_username'] in allowed_usernames:
sickrage.app.log.debug("USERNAME:{} IP:{} - WEB-UI ACCESS DENIED".format(userinfo['preferred_username'], self.request.remote_ip))
if not decoded_token['preferred_username'] in allowed_usernames:
sickrage.app.log.debug("USERNAME:{} IP:{} - WEB-UI ACCESS DENIED".format(decoded_token['preferred_username'], self.request.remote_ip))
return self.redirect('/logout')
else:
return self.redirect('/logout')
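Review bot: `decoded_token['preferred_username']` on the allowlist line raises `KeyError` when the access token carries no such claim, and that error escapes to the `try` that opens at the top of the hunk, whose `except` lies outside it; the userinfo response the old code read may have included the claim while the raw access token does not, depending on the client's protocol mappers, so this is a behaviour change the commit does not address. The `sub` check a few lines earlier already uses `.get`, so making the username lookup consistent and failing closed turns a claimless token into a denial instead of an exception: `username = decoded_token.get('preferred_username')` / `if username not in allowed_usernames:` with the debug log line formatting `username`. Note also that the `_sr` session cookie is set before the allowlist check, so a denied user is issued a session and then redirected to `/logout`; whether that handler clears the cookie is not visible here.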
......