"""Plain Python integration example for gnexus-gauth. This example shows: - redirect to gnexus-auth - callback exchange - userinfo fetch - webhook verification and parsing """ import json from datetime import datetime, timezone from gnexus_gauth.client import GAuthClient from gnexus_gauth.config import GAuthConfig from gnexus_gauth.contracts import PkceStoreInterface, StateStoreInterface from gnexus_gauth.exceptions import WebhookVerificationException from gnexus_gauth.oauth import AuthorizationUrlBuilder, HttpTokenEndpoint, PkceGenerator from gnexus_gauth.runtime import HttpRuntimeUserProvider from gnexus_gauth.support import SystemClock from gnexus_gauth.webhook import HmacWebhookVerifier, JsonWebhookParser class SimpleStateStore(StateStoreInterface): """Simple in-memory state store for demonstration.""" def __init__(self) -> None: self._items: dict[str, dict] = {} def put(self, state: str, expires_at: datetime, context: dict | None = None) -> None: self._items[state] = {"expires_at": expires_at, "context": context or {}} def has(self, state: str) -> bool: record = self._items.get(state) if record is None: return False if record["expires_at"] < datetime.now(timezone.utc): del self._items[state] return False return True def get_context(self, state: str) -> dict: if not self.has(state): return {} return self._items[state].get("context", {}) def forget(self, state: str) -> None: self._items.pop(state, None) class SimplePkceStore(PkceStoreInterface): """Simple in-memory PKCE store for demonstration.""" def __init__(self) -> None: self._items: dict[str, dict] = {} def put(self, state: str, verifier: str, expires_at: datetime) -> None: self._items[state] = {"verifier": verifier, "expires_at": expires_at} def get(self, state: str) -> str | None: record = self._items.get(state) if record is None: return None if record["expires_at"] < datetime.now(timezone.utc): del self._items[state] return None return record["verifier"] def forget(self, state: str) -> None: self._items.pop(state, None) def make_client() -> GAuthClient: config = GAuthConfig( base_url="https://gnexus-auth.local", client_id="my-service", client_secret="my-secret", redirect_uri="https://my-service.local/callback", ) token_endpoint = HttpTokenEndpoint(config) runtime_provider = HttpRuntimeUserProvider(config) webhook_verifier = HmacWebhookVerifier(config) webhook_parser = JsonWebhookParser() return GAuthClient( config=config, token_endpoint=token_endpoint, runtime_user_provider=runtime_provider, webhook_verifier=webhook_verifier, webhook_parser=webhook_parser, state_store=SimpleStateStore(), pkce_store=SimplePkceStore(), ) def redirect_example() -> None: client = make_client() auth_request = client.build_authorization_request( return_to="/dashboard", scopes=["openid", "email", "profile", "roles", "permissions"], ) print(f"Redirect user to: {auth_request.authorization_url}") def callback_example(code: str, state: str) -> None: client = make_client() try: token_set = client.exchange_authorization_code(code, state) user = client.fetch_user(token_set.access_token) except Exception as exc: print(f"Authorization failed: {exc}") return print(f"User ID: {user.user_id}") print(f"Email: {user.email}") print(f"Access token: {token_set.access_token[:10]}...") def webhook_example(raw_body: str, headers: dict, secret: str) -> None: client = make_client() try: event = client.verify_and_parse_webhook(raw_body, headers, secret) except WebhookVerificationException: print("Invalid webhook signature.") return print(f"Accepted event: {event.event_type} (id={event.event_id})") if __name__ == "__main__": # Demonstrate redirect URL generation redirect_example() # Demonstrate webhook handling with a dummy payload dummy_body = json.dumps({"type": "user.updated", "id": "evt_1"}) dummy_headers = { "X-Gnexus-Event-Id": "evt_1", "X-Gnexus-Event-Type": "user.updated", "X-Gnexus-Event-Timestamp": "2024-01-01T00:00:00Z", "X-Gnexus-Signature": "t=1704067200,v1=abc123", } webhook_example(dummy_body, dummy_headers, "webhook_secret")