From 8a20d3f2d81895215ba0dd34e6f14384dc15d153 Mon Sep 17 00:00:00 2001
From: Chris Pritchard <chris@christopherpritchard.co.uk>
Date: Mon, 22 Oct 2018 02:33:46 +0100
Subject: [PATCH] migrated to authlib

---
 app/__init__.py                               |  2 -
 app/models.py                                 |  8 +--
 app/oauth.py                                  | 55 ++++++++++---------
 .../admin_setting_authentication.html         | 10 ++--
 app/views.py                                  | 17 ++++--
 requirements.txt                              |  1 -
 6 files changed, 48 insertions(+), 45 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index fe9004b..3747067 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -3,7 +3,6 @@ from flask import Flask, request, session, redirect, url_for
 from flask_login import LoginManager
 from flask_sqlalchemy import SQLAlchemy as SA
 from flask_migrate import Migrate
-from flask_oauthlib.client import OAuth
 from authlib.flask.client import OAuth as AuthlibOAuth
 from sqlalchemy.exc import OperationalError
 
@@ -30,7 +29,6 @@ login_manager = LoginManager()
 login_manager.init_app(app)
 db = SQLAlchemy(app)            # database
 migrate = Migrate(app, db)      # flask-migrate
-oauth_client = OAuth(app)       # oauth
 authlib_oauth_client = AuthlibOAuth(app) # authlib oauth
 
 if app.config.get('SAML_ENABLED') and app.config.get('SAML_ENCRYPT'):
diff --git a/app/models.py b/app/models.py
index c2306f8..538a83f 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1836,10 +1836,10 @@ class Setting(db.Model):
         'google_oauth_enabled': False,
         'google_oauth_client_id':'',
         'google_oauth_client_secret':'',
-        'google_token_url': 'https://accounts.google.com/o/oauth2/token',
-        'google_token_params': {'scope': 'email profile'},
-        'google_authorize_url':'https://accounts.google.com/o/oauth2/auth',
-        'google_base_url':'https://www.googleapis.com/oauth2/v1/',
+        'google_token_url': 'https://oauth2.googleapis.com/token',
+        'google_oauth_scope': 'openid email profile',
+        'google_authorize_url':'https://accounts.google.com/o/oauth2/v2/auth',
+        'google_base_url':'https://www.googleapis.com/oauth2/v3/',
         'oidc_oauth_enabled': False,
         'oidc_oauth_key': '',
         'oidc_oauth_secret': '',
diff --git a/app/oauth.py b/app/oauth.py
index bb8e7a9..a578341 100644
--- a/app/oauth.py
+++ b/app/oauth.py
@@ -1,44 +1,44 @@
 from ast import literal_eval
 from flask import request, session, redirect, url_for
 
-from app import app, oauth_client, authlib_oauth_client
+from app import app, authlib_oauth_client
 from app.models import Setting
 
 # TODO: 
-#   - Replace Flask-OAuthlib by authlib
 #   - Fix github/google enabling (Currently need to reload the flask app)
 
 def github_oauth():
     if not Setting().get('github_oauth_enabled'):
         return None
 
-    github = oauth_client.remote_app(
+    def fetch_github_token():
+        return session.get('github_token')
+
+    github = authlib_oauth_client.register(
         'github',
-        consumer_key = Setting().get('github_oauth_key'),
-        consumer_secret = Setting().get('github_oauth_secret'),
+        client_id = Setting().get('github_oauth_key'),
+        client_secret = Setting().get('github_oauth_secret'),
         request_token_params = {'scope': Setting().get('github_oauth_scope')},
-        base_url = Setting().get('github_oauth_api_url'),
+        api_base_url = Setting().get('github_oauth_api_url'),
         request_token_url = None,
-        access_token_method = 'POST',
         access_token_url = Setting().get('github_oauth_token_url'),
-        authorize_url = Setting().get('github_oauth_authorize_url')
+        authorize_url = Setting().get('github_oauth_authorize_url'),
+        client_kwargs={'scope': Setting().get('github_oauth_scope')},
+        fetch_token=fetch_github_token,
     )
 
     @app.route('/github/authorized')
     def github_authorized():
         session['github_oauthredir'] = url_for('.github_authorized', _external=True)
-        resp = github.authorized_response()
-        if resp is None:
+        token = github.authorize_access_token()
+        if token is None:
             return 'Access denied: reason=%s error=%s' % (
                 request.args['error'],
                 request.args['error_description']
             )
-        session['github_token'] = (resp['access_token'], '')
+        session['github_token'] = (token)
         return redirect(url_for('.login'))
 
-    @github.tokengetter
-    def get_github_oauth_token():
-        return session.get('github_token')
 
     return github
 
@@ -47,33 +47,34 @@ def google_oauth():
     if not Setting().get('google_oauth_enabled'):
         return None
 
-    google = oauth_client.remote_app(
+    def fetch_google_token():
+        return session.get('google_token')
+        print("afkafna")
+
+    google = authlib_oauth_client.register(
         'google',
-        consumer_key=Setting().get('google_oauth_client_id'),
-        consumer_secret=Setting().get('google_oauth_client_secret'),
-        request_token_params=literal_eval(Setting().get('google_token_params')),
-        base_url=Setting().get('google_base_url'),
+        client_id=Setting().get('google_oauth_client_id'),
+        client_secret=Setting().get('google_oauth_client_secret'),
+        api_base_url=Setting().get('google_base_url'),
         request_token_url=None,
-        access_token_method='POST',
         access_token_url=Setting().get('google_token_url'),
         authorize_url=Setting().get('google_authorize_url'),
+        client_kwargs={'scope': Setting().get('google_oauth_scope')},
+        fetch_token=fetch_google_token,
     )
 
     @app.route('/google/authorized')
     def google_authorized():
-        resp = google.authorized_response()
-        if resp is None:
+        session['google_oauthredir'] = url_for('.google_authorized', _external=True)
+        token = google.authorize_access_token()
+        if token is None:
             return 'Access denied: reason=%s error=%s' % (
                 request.args['error_reason'],
                 request.args['error_description']
             )
-        session['google_token'] = (resp['access_token'], '')
+        session['google_token'] = (token)
         return redirect(url_for('.login'))
 
-    @google.tokengetter
-    def get_google_oauth_token():
-        return session.get('google_token')
-
     return google
 
 def oidc_oauth():
diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html
index 605f3de..8566bb6 100644
--- a/app/templates/admin_setting_authentication.html
+++ b/app/templates/admin_setting_authentication.html
@@ -245,8 +245,8 @@
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                                 <div class="form-group">
-                                                    <label for="google_token_params">Token params</label>
-                                                    <input type="text" class="form-control" name="google_token_params" id="google_token_params" placeholder="e.g. {'scope': 'email profile'}" data-error="Please input token params" value="{{ SETTING.get('google_token_params') }}">
+                                                    <label for="google_oauth_scope">Scope</label>
+                                                    <input type="text" class="form-control" name="google_oauth_scope" id="google_oauth_scope" placeholder="e.g. email profile" data-error="Please input scope" value="{{ SETTING.get('google_oauth_scope') }}">
                                                     <span class="help-block with-errors"></span>
                                                 </div>
                                                 <div class="form-group">
@@ -496,14 +496,14 @@
             $('#google_oauth_client_id').prop('required', true);
             $('#google_oauth_client_secret').prop('required', true);
             $('#google_token_url').prop('required', true);
-            $('#google_token_params').prop('required', true);
+            $('#google_oauth_scope').prop('required', true);
             $('#google_authorize_url').prop('required', true);
             $('#google_base_url').prop('required', true);
         } else {
             $('#google_oauth_client_id').prop('required', false);
             $('#google_oauth_client_secret').prop('required', false);
             $('#google_token_url').prop('required', false);
-            $('#google_token_params').prop('required', false);
+            $('#google_oauth_scope').prop('required', false);
             $('#google_authorize_url').prop('required', false);
             $('#google_base_url').prop('required', false);
         }
@@ -514,7 +514,7 @@
         $('#google_oauth_client_id').prop('required', true);
         $('#google_oauth_client_secret').prop('required', true);
         $('#google_token_url').prop('required', true);
-        $('#google_token_params').prop('required', true);
+        $('#google_oauth_scope').prop('required', true);
         $('#google_authorize_url').prop('required', true);
         $('#google_base_url').prop('required', true);
     {% endif %}
diff --git a/app/views.py b/app/views.py
index d1fd98a..d86e64c 100644
--- a/app/views.py
+++ b/app/views.py
@@ -163,7 +163,8 @@ def google_login():
         logging.error('Google OAuth is disabled or you have not yet reloaded the pda application after enabling.')
         return abort(400)
     else:
-        return google.authorize(callback=url_for('google_authorized', _external=True))
+        redirect_uri = url_for('google_authorized', _external=True)
+        return google.authorize_redirect(redirect_uri)
 
 
 @app.route('/github/login')
@@ -172,7 +173,8 @@ def github_login():
         logging.error('Github OAuth is disabled or you have not yet reloaded the pda application after enabling.')
         return abort(400)
     else:
-        return github.authorize(callback=url_for('github_authorized', _external=True))
+        redirect_uri = url_for('github_authorized', _external=True)
+        return github.authorize_redirect(redirect_uri)
 
 @app.route('/oidc/login')
 def oidc_login():
@@ -306,11 +308,13 @@ def login():
         return redirect(url_for('dashboard'))
 
     if 'google_token' in session:
-        user_data = google.get('userinfo').data
+        user_data = json.loads(google.get('userinfo').text)
         first_name = user_data['given_name']
         surname = user_data['family_name']
         email = user_data['email']
         user = User.query.filter_by(username=email).first()
+        if user == None:
+            user = User.query.filter_by(email=email).first()
         if not user:
             user = User(username=email,
                         firstname=first_name,
@@ -329,13 +333,14 @@ def login():
         return redirect(url_for('index'))
 
     if 'github_token' in session:
-        me = github.get('user').data
-
+        me = json.loads(github.get('user').text)
         github_username = me['login']
         github_name = me['name']
         github_email = me['email']
 
         user = User.query.filter_by(username=github_username).first()
+        if user == None:
+            user = User.query.filter_by(email=github_email).first()
         if not user:
             user = User(username=github_username,
                         plain_text_password=None,
@@ -1532,7 +1537,7 @@ def admin_setting_authentication():
             Setting().set('google_oauth_client_id', request.form.get('google_oauth_client_id'))
             Setting().set('google_oauth_client_secret', request.form.get('google_oauth_client_secret'))
             Setting().set('google_token_url', request.form.get('google_token_url'))
-            Setting().set('google_token_params', request.form.get('google_token_params'))
+            Setting().set('google_oauth_scope', request.form.get('google_oauth_scope'))
             Setting().set('google_authorize_url', request.form.get('google_authorize_url'))
             Setting().set('google_base_url', request.form.get('google_base_url'))
             result = {'status': True, 'msg': 'Saved successfully. Please reload PDA to take effect.'}
diff --git a/requirements.txt b/requirements.txt
index 04eaa3b..245d0d0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,6 @@
 Flask==1.0.2
 Flask-Assets==0.12
 Flask-Login==0.4.1
-Flask-OAuthlib==0.9.4
 Flask-SQLAlchemy==2.3.2
 Flask-Migrate==2.2.1
 SQLAlchemy==1.2.5