"""OAuth components for gnexus-gauth."""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode
import httpx
from gnexus_gauth.config import GAuthConfig
from gnexus_gauth.contracts import TokenEndpointInterface
from gnexus_gauth.dto import TokenSet
from gnexus_gauth.exceptions import (
TokenExchangeException,
TokenRefreshException,
TokenRevokeException,
TransportException,
)
class PkceGenerator:
"""PKCE parameter generator."""
@staticmethod
def generate_verifier(length: int = 64) -> str:
"""Generate a PKCE code verifier."""
token = secrets.token_urlsafe(length)
return base64.urlsafe_b64encode(token.encode()).decode().rstrip("=")
@staticmethod
def generate_challenge(verifier: str) -> str:
"""Generate S256 challenge from verifier."""
digest = hashlib.sha256(verifier.encode()).digest()
return base64.urlsafe_b64encode(digest).decode().rstrip("=")
@staticmethod
def generate_state(length: int = 32) -> str:
"""Generate a random state parameter."""
return secrets.token_urlsafe(length)
class AuthorizationUrlBuilder:
"""Builds authorization URLs with PKCE."""
def __init__(self, config: GAuthConfig) -> None:
self._config = config
def build(
self,
state: str,
pkce_challenge: str,
return_to: str | None = None,
scopes: list[str] | None = None,
) -> str:
query = {
"response_type": "code",
"client_id": self._config.client_id,
"redirect_uri": self._config.redirect_uri,
"state": state,
"code_challenge": pkce_challenge,
"code_challenge_method": "S256",
}
if scopes:
query["scope"] = " ".join(scopes)
if return_to:
query["return_to"] = return_to
return f"{self._config.authorize_url}?{urlencode(query, safe='', quote_via=quote)}"
class HttpTokenEndpoint(TokenEndpointInterface):
"""HTTP token endpoint client."""
def __init__(
self,
config: GAuthConfig,
http_client: httpx.Client | None = None,
) -> None:
self._config = config
self._http = http_client or httpx.Client()
self._own_client = http_client is None
def __del__(self) -> None:
if getattr(self, "_own_client", False) and hasattr(self, "_http"):
self._http.close()
def exchange_authorization_code(self, code: str, pkce_verifier: str) -> TokenSet:
payload = {
"grant_type": "authorization_code",
"client_id": self._config.client_id,
"client_secret": self._config.client_secret,
"redirect_uri": self._config.redirect_uri,
"code": code,
"code_verifier": pkce_verifier,
}
data = self._send_form_request(self._config.token_url, payload, TokenExchangeException)
return self._map_token_set(data)
def refresh_token(self, refresh_token: str) -> TokenSet:
payload = {
"grant_type": "refresh_token",
"client_id": self._config.client_id,
"client_secret": self._config.client_secret,
"refresh_token": refresh_token,
}
data = self._send_form_request(self._config.refresh_url, payload, TokenRefreshException)
return self._map_token_set(data)
def revoke_token(self, token: str, token_type_hint: str | None = None) -> None:
payload = {
"client_id": self._config.client_id,
"client_secret": self._config.client_secret,
"token": token,
}
if token_type_hint:
payload["token_type_hint"] = token_type_hint
self._send_form_request(self._config.revoke_url, payload, TokenRevokeException, expect_json=False)
def _send_form_request(
self,
url: str,
payload: dict,
exception_class: type,
*,
expect_json: bool = True,
) -> dict:
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "application/json",
}
if self._config.user_agent:
headers["User-Agent"] = self._config.user_agent
try:
response = self._http.post(url, data=payload, headers=headers)
except httpx.TransportError as exc:
raise TransportException("Request to gnexus-auth failed.") from exc
if response.status_code >= 400:
message = self._extract_error_message(response.text) or "gnexus-auth returned an error response."
raise exception_class(message)
if not expect_json:
return {}
try:
data = response.json()
except ValueError:
raise exception_class("gnexus-auth returned malformed JSON.")
if not isinstance(data, dict):
raise exception_class("gnexus-auth returned malformed JSON.")
return data
@staticmethod
def _map_token_set(data: dict) -> TokenSet:
expires_in = int(data.get("expires_in", 0))
refresh_expires_in = data.get("refresh_expires_in")
if refresh_expires_in is not None:
refresh_expires_in = int(refresh_expires_in)
scope = data.get("scope")
scopes = []
if isinstance(scope, str) and scope:
scopes = [s for s in scope.split() if s]
from datetime import datetime, timedelta, timezone
expires_at = None
if expires_in > 0:
expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in)
return TokenSet(
access_token=str(data.get("access_token", "")),
refresh_token=str(data["refresh_token"]) if "refresh_token" in data else None,
token_type=str(data.get("token_type", "Bearer")),
expires_in=expires_in,
expires_at=expires_at,
refresh_expires_in=refresh_expires_in,
scopes=scopes,
raw_payload=data,
)
@staticmethod
def _extract_error_message(text: str) -> str | None:
import json
try:
decoded = json.loads(text)
except ValueError:
return None
if not isinstance(decoded, dict):
return None
if isinstance(decoded.get("error_description"), str):
return decoded["error_description"]
if isinstance(decoded.get("error"), str):
return decoded["error"]
return None
