ї
    (Й[f<  Ц                   С═   ≈ d dl Z d dlmZ d dlmZ ddlmZmZmZ ddl	m
Z
mZmZmZmZmZ  e j        eі  ╚        Z G d└ d	eeeі  ╚        Zd
└ ZdS )И    N)зadd_params_to_uri)зgenerate_tokenИ   )з	BaseGrantзAuthorizationEndpointMixinзTokenEndpointMixinИ   )зOAuth2ErrorзUnauthorizedClientErrorзInvalidClientErrorзInvalidGrantErrorзInvalidRequestErrorзAccessDeniedErrorc                   Сd   ≈ e Zd ZdZddgZdZdhZdZd└ Zde	fd	└Z
d
└ Zd└ Zd└ Zd└ Zd└ Zd└ Zd└ ZdS )зAuthorizationCodeGranta°  The authorization code grant type is used to obtain both access
    tokens and refresh tokens and is optimized for confidential clients.
    Since this is a redirection-based flow, the client must be capable of
    interacting with the resource owner's user-agent (typically a web
    browser) and capable of receiving incoming requests (via redirection)
    from the authorization server::

        +----------+
        | Resource |
        |   Owner  |
        |          |
        +----------+
             ^
             |
            (B)
        +----|-----+          Client Identifier      +---------------+
        |         -+----(A)-- & Redirection URI ---->|               |
        |  User-   |                                 | Authorization |
        |  Agent  -+----(B)-- User authenticates --->|     Server    |
        |          |                                 |               |
        |         -+----(C)-- Authorization Code ---<|               |
        +-|----|---+                                 +---------------+
          |    |                                         ^      v
         (A)  (C)                                        |      |
          |    |                                         |      |
          ^    v                                         |      |
        +---------+                                      |      |
        |         |>---(D)-- Authorization Code ---------'      |
        |  Client |          & Redirection URI                  |
        |         |                                             |
        |         |<---(E)----- Access Token -------------------'
        +---------+       (w/ Optional Refresh Token)
    зclient_secret_basicзclient_secret_postИ0   зcodeзauthorization_codec                 С    ≈ t          | і  ╚        S )aЁ  The client constructs the request URI by adding the following
        parameters to the query component of the authorization endpoint URI
        using the "application/x-www-form-urlencoded" format.
        Per `Section 4.1.1`_.

        response_type
             REQUIRED.  Value MUST be set to "code".

        client_id
            REQUIRED.  The client identifier as described in Section 2.2.

        redirect_uri
            OPTIONAL.  As described in Section 3.1.2.

        scope
            OPTIONAL.  The scope of the access request as described by
            Section 3.3.

        state
             RECOMMENDED.  An opaque value used by the client to maintain
             state between the request and callback.  The authorization
             server includes this value when redirecting the user-agent back
             to the client.  The parameter SHOULD be used for preventing
             cross-site request forgery as described in Section 10.12.

        The client directs the resource owner to the constructed URI using an
        HTTP redirection response, or by other means available to it via the
        user-agent.

        For example, the client directs the user-agent to make the following
        HTTP request using TLS (with extra line breaks for display purposes
        only):

        .. code-block:: http

            GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
            &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
            Host: server.example.com

        The authorization server validates the request to ensure that all
        required parameters are present and valid.  If the request is valid,
        the authorization server authenticates the resource owner and obtains
        an authorization decision (by asking the resource owner or by
        establishing approval via other means).

        .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1
        )з#validate_code_authorization_request╘зselfs    Зd/var/www/piapp/venv/lib/python3.11/site-packages/authlib/oauth2/rfc6749/grants/authorization_code.pyзvalidate_authorization_requestz5AuthorizationCodeGrant.validate_authorization_request<   s   ─ У` 3╟4я8т8п8С    зredirect_uric                 СJ  ≈ |st          | j        j        |╛і  ╚        ┌|| j        _        | ═                    і   ╚         }| ═                    || j        і  ╚         d|fg}| j        j        r!|═                    d| j        j        fі  ╚         t          ||і  ╚        }d|fg}dd|fS )a'  If the resource owner grants the access request, the authorization
        server issues an authorization code and delivers it to the client by
        adding the following parameters to the query component of the
        redirection URI using the "application/x-www-form-urlencoded" format.
        Per `Section 4.1.2`_.

        code
            REQUIRED.  The authorization code generated by the
            authorization server. The authorization code MUST expire
            shortly after it is issued to mitigate the risk of leaks. A
            maximum authorization code lifetime of 10 minutes is
            RECOMMENDED. The client MUST NOT use the authorization code
            more than once. If an authorization code is used more than
            once, the authorization server MUST deny the request and SHOULD
            revoke (when possible) all tokens previously issued based on
            that authorization code.  The authorization code is bound to
            the client identifier and redirection URI.
        state
            REQUIRED if the "state" parameter was present in the client
            authorization request.  The exact value received from the
            client.

        For example, the authorization server redirects the user-agent by
        sending the following HTTP response.

        .. code-block:: http

            HTTP/1.1 302 Found
            Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
                   &state=xyz

        .. _`Section 4.1.2`: https://tools.ietf.org/html/rfc6749#section-4.1.2

        :param redirect_uri: Redirect to the given URI for the authorization
        :param grant_user: if resource owner granted the request, pass this
            resource owner, otherwise pass None.
        :returns: (status_code, body, headers)
        ╘зstater   r   r!   зLocationi.  з )r   зrequestr!   зuserзgenerate_authorization_codeзsave_authorization_codeзappendr   )r   r   з
grant_userr   зparamsзuriзheaderss          r   зcreate_authorization_responsez4AuthorizationCodeGrant.create_authorization_responsen   sЇ   ─ ПN П 	Yщ#╗$╛,т*<х<пXяXтXпXЮ&┬▄тЮв/р/я1т1┬ьв$р$═T╗4╛<я8т8п8Ю≤4░.п!┬ь▄<тП 	9ь▐M┼M≤7═DєLт$6п7я8т8п8щ═╗fя5т5┬ь═п$п%┬ь░B≤ппr   c                 Сt  ≈ | ═                     і   ╚         }t          ═                    d|і  ╚         |═                    | j        і  ╚        st          d| j        ⌡ d²і  ╚        ┌| j        j        ═                    dі  ╚        }|─t          dі  ╚        ┌| ═
                    ||і  ╚        }|st          dі  ╚        ┌t          ═                    d|і  ╚         | j        j        }|═                    і   ╚         }|r||k    rt          d	і  ╚        ┌|| j        _        || j        _        | ═                    d
і  ╚         dS )aО  The client makes a request to the token endpoint by sending the
        following parameters using the "application/x-www-form-urlencoded"
        format per `Section 4.1.3`_:

        grant_type
             REQUIRED.  Value MUST be set to "authorization_code".

        code
             REQUIRED.  The authorization code received from the
             authorization server.

        redirect_uri
             REQUIRED, if the "redirect_uri" parameter was included in the
             authorization request as described in Section 4.1.1, and their
             values MUST be identical.

        client_id
             REQUIRED, if the client is not authenticating with the
             authorization server as described in Section 3.2.1.

        If the client type is confidential or the client was issued client
        credentials (or assigned other authentication requirements), the
        client MUST authenticate with the authorization server as described
        in Section 3.2.1.

        For example, the client makes the following HTTP request using TLS:

        .. code-block:: http

            POST /token HTTP/1.1
            Host: server.example.com
            Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
            Content-Type: application/x-www-form-urlencoded

            grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
            &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

        .. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3
        zValidate token request of %rz0The client is not authorized to use "grant_type=З"r   NzMissing "code" in request.zInvalid "code" in request.z!Validate token redirect_uri of %rz"Invalid "redirect_uri" in request.зafter_validate_token_request)з"authenticate_token_endpoint_clientзlogзdebugзcheck_grant_typeз
GRANT_TYPEr   r$   зformзgetr   зquery_authorization_coder   r   зget_redirect_uriзclientr   зexecute_hook)r   r:   r   r   r   зoriginal_redirect_uris         r   зvalidate_token_requestz-AuthorizationCodeGrant.validate_token_requestє   sN  ─ ПX в8р8я:т:┬Е▐	┼	п0╟&я9т9п9ьв&р&═tєя7т7П 	Wщ)ьUю4д?пUпUпUЯWТ WП WП ▄|т в$р$═Vя,т,┬ь┬<щ%п&BяCтCпCП
 "в:р:╦4юяHтHпь!П 	Bщ#п$@яAтAпAУ 	▐	┼	п5╟vя>т>п>ь■|т0┬ь 2в Cр Cя Eт Eпь П 	J═\п5Jр%Jп%Jщ#п$HяIтIпIП %┬▄ть*<┬▄т'ьврп8я9т9п9п9п9r   c                 СБ  ≈ | j         j        }| j         j        }| ═                    |і  ╚        }|st	          dі  ╚        ┌|| j         _        |═                    і   ╚         }| ═                    |||═                    dі  ╚        ╛і  ╚        }t          ═
                    d||і  ╚         | ═                    |і  ╚         | ═                    d|╛і  ╚         | ═                    |і  ╚         d|| j        fS )aф  If the access token request is valid and authorized, the
        authorization server issues an access token and optional refresh
        token as described in Section 5.1.  If the request client
        authentication failed or is invalid, the authorization server returns
        an error response as described in Section 5.2. Per `Section 4.1.4`_.

        An example successful response:

        .. code-block:: http

            HTTP/1.1 200 OK
            Content-Type: application/json
            Cache-Control: no-store
            Pragma: no-cache

            {
                "access_token":"2YotnFZFEjr1zCsicMWpAA",
                "token_type":"example",
                "expires_in":3600,
                "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
                "example_parameter":"example_value"
            }

        :returns: (status_code, body, headers)

        .. _`Section 4.1.4`: https://tools.ietf.org/html/rfc6749#section-4.1.4
        z!There is no "user" for this code.зrefresh_token)r%   зscopeзinclude_refresh_tokenzIssue token %r to %rзprocess_token)зtokenИх   )r$   r:   r   зauthenticate_userr   r%   з	get_scoper   r4   r2   r3   з
save_tokenr;   зdelete_authorization_codeзTOKEN_RESPONSE_HEADER)r   r:   r   r%   r@   rC   s         r   зcreate_token_responsez,AuthorizationCodeGrant.create_token_responseН   sЗ   ─ П8 ■т$┬ь!°\т<пЮв%р%п&8я9т9┬ьП 	Iщ#п$GяHтHпHь ┬▄тЮ"в,р,я.т.┬ьв#р#ььь"(в"9р"9╦/я"Jт"JП $Я 
Т 
┬У
 	▐	┼	п(╗%╟я8т8п8Ю▐┼≤ятпьвр≤/╟пя7т7п7ьв&р&п'9я:т:п:ь░E≤4т5п5п5r   c                 С*   ≈ t          | j        і  ╚        S )a  "The method to generate "code" value for authorization code data.
        Developers may rewrite this method, or customize the code length with::

            class MyAuthorizationCodeGrant(AuthorizationCodeGrant):
                AUTHORIZATION_CODE_LENGTH = 32  # default is 48
        )r   зAUTHORIZATION_CODE_LENGTHr   s    r   r&   z2AuthorizationCodeGrant.generate_authorization_code  s   ─ У ≤dт<я=т=п=r   c                 С   ≈ t          і   ╚         ┌)a  Save authorization_code for later use. Developers MUST implement
        it in subclass. Here is an example::

            def save_authorization_code(self, code, request):
                client = request.client
                item = AuthorizationCode(
                    code=code,
                    client_id=client.client_id,
                    redirect_uri=request.redirect_uri,
                    scope=request.scope,
                    user_id=request.user.id,
                )
                item.save()
        ╘зNotImplementedError)r   r   r$   s      r   r'   z.AuthorizationCodeGrant.save_authorization_code(  s   ─ У "я#т#п#r   c                 С   ≈ t          і   ╚         ┌)a▄  Get authorization_code from previously savings. Developers MUST
        implement it in subclass::

            def query_authorization_code(self, code, client):
                return Authorization.get(code=code, client_id=client.client_id)

        :param code: a string represent the code.
        :param client: client related to this code.
        :return: authorization_code object
        rN   )r   r   r:   s      r   r8   z/AuthorizationCodeGrant.query_authorization_code9  s   ─ У "я#т#п#r   c                 С   ≈ t          і   ╚         ┌)a,  Delete authorization code from database or cache. Developers MUST
        implement it in subclass, e.g.::

            def delete_authorization_code(self, authorization_code):
                authorization_code.delete()

        :param authorization_code: the instance of authorization_code
        rN   ╘r   r   s     r   rH   z0AuthorizationCodeGrant.delete_authorization_codeF  s   ─ У "я#т#п#r   c                 С   ≈ t          і   ╚         ┌)aQ  Authenticate the user related to this authorization_code. Developers
        MUST implement this method in subclass, e.g.::

            def authenticate_user(self, authorization_code):
                return User.get(authorization_code.user_id)

        :param authorization_code: AuthorizationCode object
        :return: user
        rN   rR   s     r   rE   z(AuthorizationCodeGrant.authenticate_userQ  s   ─ У "я#т#п#r   N)з__name__з
__module__з__qualname__з__doc__зTOKEN_ENDPOINT_AUTH_METHODSrL   зRESPONSE_TYPESr5   r   зstrr-   r=   rJ   r&   r'   r8   rH   rE   ╘ r   r   r   r      sш   ─ ─ ─ ─ ─ П П  ПD $9п:Nп"OпП !#пЮ░X─Nь%─JП09П 09П 09Пd4 ╦#П 4 П 4 П 4 П 4 ПlH:П H:П H:ПT/6П /6П /6Пb>П >П >П$П $П $П"$П $П $П	$П 	$П 	$П
$П 
$П 
$П 
$П 
$r   r   c                 С0  ≈ | j         }|j        }t          ═                    d|і  ╚         |─t	          |j        ╛і  ╚        ┌| j        ═                    |і  ╚        }|st	          |j        ╛і  ╚        ┌| ═                    ||і  ╚        }|j	        }|═
                    |і  ╚        s t          d|⌡ d²| j         j        |╛і  ╚        ┌	 || j         _        | ═                    і   ╚          | ═                    dі  ╚         n# t          $ r}||_        |┌d }~ww xY w|S )Nz$Validate authorization request of %r)r!   z3The client is not authorized to use "response_type=r/   r    з$after_validate_authorization_request)r$   з	client_idr2   r3   r   r!   зserverзquery_clientз#validate_authorization_redirect_uriзresponse_typeзcheck_response_typer   r:   зvalidate_requested_scoper;   r
   r   )зgrantr$   r^   r:   r   rb   зerrors          r   r   r   ^  s?  ─ ь▄m─Gьт!─Iщ┤I┌Iп4╟iя@т@п@Юпщ ═wє}п5я5т5п5Ю▄\в&р&═yя1т1─FьП 6щ ═wє}п5я5т5п5Юв<р<╦WюfяMтM─Lьт)─Mьв%р%═mя4т4П 
щ%ьRю-пRпRпRь■-т%ь%П
Я 
Т 
П 	
Пь%┬▄тьв&р&я(т(п(ьврпAяBтBпBпBЬщП П П ь)┬ть┬ЬЬЬЬПЬЬЬП пs   ц5C; ц;
Dд	DдD)зloggingзauthlib.common.urlsr   зauthlib.common.securityr   зbaser   r   r   зerrorsr
   r   r   r   r   r   з	getLoggerrT   r2   r   r   r[   r   r   З<module>rm      s  Пь ───ь 1п 1п 1п 1п 1п 1ь 2п 2п 2п 2п 2п 2ь Kп Kп Kп Kп Kп Kп Kп Kп Kп KПП П П П П П П П П П П П П П П П ─gт≤я!т!─ПJ$П J$П J$П J$П J$≤Yп(BпDVЯ J$Т J$П J$ПZ
П П П П r   