Add code login and logout api

01872a8f · Victor Löfgren · f174504b · 01872a8f
Commit 01872a8f authored 3 years ago by Victor Löfgren
--- a/server/app/apis/auth.py
+++ b/server/app/apis/auth.py
@@ -10,14 +10,15 @@ import marshmallow as ma
 from app.core.codes import verify_code
 from app.core.schemas import UserSchema
 from app.core.sockets import is_active_competition
+from app.database.controller.delete import whitelist_to_blacklist
 from app.database.models import User, Whitelist
 from flask import current_app, has_app_context
 from flask.views import MethodView
 from flask_jwt_extended import create_access_token, get_jti
-from flask_jwt_extended.utils import get_jti
-from flask_smorest import Blueprint, abort
+from flask_jwt_extended.utils import get_jti, get_jwt
+from flask_smorest import Blueprint, abort, arguments

-from . import http_codes
+from . import http_codes, protect_route

 blp = Blueprint("auth", "auth", url_prefix="/api/auth", description="Operations related to authorization")

@@ -32,13 +33,6 @@ class UserLoginResponseSchema(ma.Schema):
    access_token = ma.fields.String()


-# create_user_parser = login_parser.copy()
-# create_user_parser.add_argument("city_id", type=int, required=True, location="json")
-# create_user_parser.add_argument("role_id", type=int, required=True, location="json")
-
-# login_code_parser = reqparse.RequestParser()
-# login_code_parser.add_argument("code", type=str, required=True, location="json")
-
 if has_app_context():
    USER_LOGIN_LOCKED_ATTEMPTS = current_app.config["USER_LOGIN_LOCKED_ATTEMPTS"]
    USER_LOGIN_LOCKED_EXPIRES = current_app.config["USER_LOGIN_LOCKED_EXPIRES"]
@@ -124,69 +118,56 @@ class AuthLogin(MethodView):
        return {"id": item_user.id, "access_token": access_token}


-# @api.route("/login/code")
-# class AuthLoginCode(Resource):
-#     def post(self):
-#         """ Logs in using the provided competition code. """
-
-#         args = login_code_parser.parse_args()
-#         code = args["code"]
-
-#         # Check so the code string is valid
-#         if not verify_code(code):
-#             api.abort(codes.UNAUTHORIZED, "Invalid code")
-
-#         item_code = dbc.get.code_by_code(code)
+@blp.route("/logout")
+class AuthLogout(MethodView):
+    @protect_route(allowed_roles=["*"], allowed_views=["*"])
+    @blp.response(http_codes.NO_CONTENT, None)
+    def post(self):
+        """ Logs out. """
+        whitelist_to_blacklist(Whitelist.jti == get_jwt()["jti"])
+        return None

-#         if item_code.view_type_id != 4:
-#             if not is_active_competition(item_code.competition_id):
-#                 api.abort(codes.UNAUTHORIZED, "Competition not active")

-#         # Create jwt that is only valid for 8 hours
-#         access_token = create_access_token(
-#             item_code.id, user_claims=get_code_claims(item_code), expires_delta=timedelta(hours=8)
-#         )
+class CodeArgsSchema(ma.Schema):
+    code = ma.fields.String(required=True)

-#         # Whitelist the created jwt
-#         dbc.add.whitelist(get_jti(access_token), competition_id=item_code.competition_id)
-#         response = {
-#             "competition_id": item_code.competition_id,
-#             "view": item_code.view_type.name,
-#             "team_id": item_code.team_id,
-#             "access_token": access_token,
-#         }
-#         return response

+class CodeResponseSchema(ma.Schema):
+    competition_id = ma.fields.Int()
+    view = ma.fields.String()
+    team_id = ma.fields.Int()
+    access_token = ma.fields.String()

-# @api.route("/logout")
-# class AuthLogout(Resource):
-#     @protect_route(allowed_roles=["*"], allowed_views=["*"])
-#     def post(self):
-#         """ Logs out. """

-#         jti = get_raw_jwt()["jti"]
+@blp.route("/code")
+class AuthLoginCode(MethodView):
+    @blp.arguments(CodeArgsSchema)
+    @blp.response(http_codes.OK, CodeResponseSchema)
+    @blp.alt_response(http_codes.UNAUTHORIZED, None, description="Incorrect code or competition is not active")
+    @blp.alt_response(http_codes.NOT_FOUND, None, description="The code doesn't exist")
+    def post(self, args):
+        """ Logs in using the provided competition code. """

-#         # Blacklist the token so the user cannot access the api anymore
-#         dbc.add.blacklist(jti)
+        code = args["code"]

-#         # Remove the the token from the whitelist since it's blacklisted now
-#         Whitelist.query.filter(Whitelist.jti == jti).delete()
+        if not verify_code(code):  # Check that code string is valid
+            abort(http_codes.UNAUTHORIZED, message="Felaktigt kod")

-#         dbc.utils.commit()
-#         return text_response("Logout")
+        item_code = dbc.get.code_by_code(code)

+        # If joining client is not operator and competition is not active
+        if item_code.view_type_id != 4 and not is_active_competition(item_code.competition_id):
+            abort(http_codes.UNAUTHORIZED, message="Tävlingen är ej aktiv")

-"""
-@api.route("/refresh")
-class AuthRefresh(Resource):
-    @protect_route(allowed_roles=["*"])
-    @jwt_refresh_token_required
-    def post(self):
-        old_jti = get_raw_jwt()["jti"]
+        # Create jwt that is only valid for 8 hours
+        access_token = create_access_token(
+            item_code.id, additional_claims=get_code_claims(item_code), expires_delta=timedelta(hours=8)
+        )
+        dbc.add.whitelist(get_jti(access_token), competition_id=item_code.competition_id)  # Whitelist the created jwt

-        item_user = dbc.get.user(get_jwt_identity())
-        access_token = create_access_token(item_user.id, user_claims=get_user_claims(item_user))
-        dbc.add.blacklist(old_jti)
-        response = {"access_token": access_token}
-        return response
-"""
+        return {
+            "competition_id": item_code.competition_id,
+            "view": item_code.view_type.name,
+            "team_id": item_code.team_id,
+            "access_token": access_token,
+        }