([fZdZddlmZddlmZmZGddZGddZdS) z authlib.oauth2.rfc6749.resource_protector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Implementation of Accessing Protected Resources per `Section 7`_. .. _`Section 7`: https://tools.ietf.org/html/rfc6749#section-7 ) scope_to_list)MissingAuthorizationErrorUnsupportedTokenTypeErrorcFeZdZdZdZd dZedZdZdZ dZ dS) TokenValidatorziBase token validator class. Subclass this validator to register into ResourceProtector instance. bearerNc "||_||_dSN)realmextra_attributes)selfr r s ]/var/www/piapp/venv/lib/python3.11/site-packages/authlib/oauth2/rfc6749/resource_protector.py__init__zTokenValidator.__init__s 0c|sdSt|}|sdSt|}|D]6}tt|}||rdS7dS)NFT)rset issuperset) token_scopesrequired_scopesscoperesource_scopess rscope_insufficientz!TokenValidator.scope_insufficients 5$\22  4<(( $  E!-"6"677O&&77 uu trct)a_A method to query token from database with the given token string. Developers MUST re-implement this method. For instance:: def authenticate_token(self, token_string): return get_token_from_database(token_string) :param token_string: A string to represent the access_token. :return: token NotImplementedError)r token_strings rauthenticate_tokenz!TokenValidator.authenticate_token(s"###rcdS)a@A method to validate if the HTTP request is valid or not. Developers MUST re-implement this method. For instance, your server requires a "X-Device-Version" in the header:: def validate_request(self, request): if 'X-Device-Version' not in request.headers: raise InvalidRequestError() Usually, you don't have to detect if the request is valid or not. If you have to, you MUST re-implement this method. :param request: instance of HttpRequest :raise: InvalidRequestError N)r requests rvalidate_requestzTokenValidator.validate_request4srct)a4A method to validate if the authorized token is valid, if it has the permission on the given scopes. Developers MUST re-implement this method. e.g, check if token is expired, revoked:: def validate_token(self, token, scopes, request): if not token: raise InvalidTokenError() if token.is_expired() or token.is_revoked(): raise InvalidTokenError() if not match_token_scopes(token, scopes): raise InsufficientScopeError() r)r tokenscopesr s rvalidate_tokenzTokenValidator.validate_tokenDs"###rr ) __name__ __module__ __qualname____doc__ TOKEN_TYPEr staticmethodrrr!r%rrrrr sJ1111\ $ $ $   $ $ $ $ $rrc2eZdZdZdefdZdZdZdZdS)ResourceProtectorc0i|_d|_d|_dSr )_token_validators_default_realm_default_auth_type)r s rrzResourceProtector.__init__Us !#""&r validatorc|js|j|_|j|_|j|jvr||j|j<dSdS)zRegister a token validator for a given Authorization type. Authlib has a built-in BearerTokenValidator per rfc6750. N)r1r r0r*r/)r r2s rregister_token_validatorz*ResourceProtector.register_token_validatorZsS& ;"+/D &/&:D #  t'= = =;DD "9#7 8 8 8 > =rc|j|}|st|j|j|S)z;Get token validator from registry for the given token type.)r/getlowerrr1r0)r token_typer2s rget_token_validatorz%ResourceProtector.get_token_validatoresI*..z/?/?/A/ABB  Z+D,CTEXYY Yrc0|jd}|st|j|j|dd}t |dkrt|j|j|\}}||}||fS)aParse the token and token validator from request Authorization header. Here is an example of Authorization header:: Authorization: Bearer a-token-string This method will parse this header, if it can find the validator for ``Bearer``, it will return the validator and ``a-token-string``. :return: validator, token_string :raise: MissingAuthorizationError :raise: UnsupportedTokenTypeError AuthorizationNr) headersr6rr1r0splitlenrr9)r r auth token_partsr8rr2s rparse_request_authorizationz-ResourceProtector.parse_request_authorizationls""?33 Z+D,CTEXYY Yjjq)) {  q +D,CTEXYY Y#. L,,Z88 ,&&rc ||\}}||||}|j|||fi||S)z(Validate the request and return a token.)rBr!rr%)r r$r kwargsr2rr#s rr!z"ResourceProtector.validate_requestse"&"B"B7"K"K <""7+++,,\::  BB6BBB rN) r&r'r(rrr4r9rBr!rrrr-r-Tsp''' E. E E E E'''4rr-N)r)utilrerrorsrrrr-rrrrGs HHHHHHHHD$D$D$D$D$D$D$D$N8888888888r