Merge pull request #1 from oktadev/basic-authentication

Adds authentication with Auth0

Author: jtemporal

auth/__init__.py

@@ -0,0 +1,18 @@
+from authlib.integrations.starlette_client import OAuth
+from config import config
+
+
+"""Storing the configuration into the `auth0_config` variable for later usage"""
+
+auth0_config = config['AUTH0']
+
+oauth = OAuth()
+oauth.register(
+    "auth0",
+    client_id=auth0_config['CLIENT_ID'],
+    client_secret=auth0_config['CLIENT_SECRET'],
+    client_kwargs={
+        "scope": "openid profile email",
+    },
+    server_metadata_url=f'https://{auth0_config["DOMAIN"]}/.well-known/openid-configuration'
+)

auth/config.py

@@ -0,0 +1,16 @@
+from fastapi import Request, HTTPException, status
+
+
+def protected_endpoint(request: Request):
+    """
+    This Dependency protects an endpoint and it can only be accessed if the user has an active session
+    """
+    if 'id_token' not in request.session:  # it could be userinfo instead of id_token
+        # this will redirect people to the login after if they are not logged in
+        raise HTTPException(
+            status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+            detail="Not authorized",
+            headers={
+                "Location": "/login"
+            }
+        )

auth/dependencies.py

@@ -0,0 +1,68 @@
+from urllib.parse import quote_plus, urlencode
+
+from fastapi import APIRouter, Request
+from fastapi.responses import RedirectResponse
+
+from auth.config import auth0_config, oauth
+
+
+auth_router = APIRouter()
+
+
+@auth_router.get("/login")
+async def login(request: Request):
+    """
+    Redirects the user to the Auth0 Universal Login (https://auth0.com/docs/authenticate/login/auth0-universal-login)
+    """
+    if 'id_token' not in request.session:  # it could be userinfo instead of id_token
+        return await oauth.auth0.authorize_redirect(
+            request,
+            redirect_uri=request.url_for("callback")
+        )
+    return RedirectResponse(url=request.url_for("profile"))
+
+
+@auth_router.get("/signup")
+async def signup(request: Request):
+    """
+    Redirects the user to the Auth0 Universal Login (https://auth0.com/docs/authenticate/login/auth0-universal-login)
+    """
+    if 'id_token' not in request.session:  # it could be userinfo instead of id_token
+        return await oauth.auth0.authorize_redirect(
+            request,
+            redirect_uri=request.url_for("callback"),
+            screen_hint="signup"
+        )
+    return RedirectResponse(url=request.url_for("profile"))
+
+
+@auth_router.get("/logout")
+def logout(request: Request):
+    """
+    Redirects the user to the Auth0 Universal Login (https://auth0.com/docs/authenticate/login/auth0-universal-login)
+    """
+    response = RedirectResponse(
+        url="https://" + auth0_config['DOMAIN']
+            + "/v2/logout?"
+            + urlencode(
+                {
+                    "returnTo": request.url_for("home"),
+                    "client_id": auth0_config['CLIENT_ID'],
+                },
+                quote_via=quote_plus,
+            )
+    )
+    request.session.clear()
+    return response
+
+
+@auth_router.get("/callback")
+async def callback(request: Request):
+    """
+    Callback redirect from Auth0
+    """
+    token = await oauth.auth0.authorize_access_token(request)
+    # Store `id_token`, and `userinfo` in session
+    request.session['id_token'] = token['id_token']
+    request.session['userinfo'] = token['userinfo']
+    return RedirectResponse(url=request.url_for("profile"))

auth/routes.py

@@ -3,6 +3,7 @@
 from fastapi import FastAPI, Request
 from fastapi.staticfiles import StaticFiles
 from fastapi.templating import Jinja2Templates
+from starlette.middleware.sessions import SessionMiddleware
 
 from utils import to_pretty_json
 
@@ -16,6 +17,9 @@ def load_config():
     return config
 
 
+config = load_config()
+
+
 def create_templates():
     templates = Jinja2Templates(directory="templates")
     templates.env.filters['to_pretty_json'] = to_pretty_json
@@ -28,6 +32,8 @@ def create_templates():
 def create_app():
     app = FastAPI()
     app.mount("/static", StaticFiles(directory="static"), name="static")
+    # You need this to save temporary code & state in session
+    app.add_middleware(SessionMiddleware, secret_key=config['WEBAPP']['SESSION_SECRET'])
     return app
 
 app = create_app()

config.py

@@ -1,6 +1,8 @@
 from config import app
 
+from auth.routes import auth_router
 from webapp.routes import webapp_router
 
 
+app.include_router(auth_router)
 app.include_router(webapp_router)

main.py

@@ -2,5 +2,6 @@
   <nav class="nav-bar">
     {% include 'navigation/desktop/nav_bar_brand.html' %}
     {% include 'navigation/desktop/nav_bar_tabs.html' %}
+    {% include 'navigation/desktop/nav_bar_buttons.html' %}
   </nav>
 </div>

templates/navigation/desktop/nav_bar.html

@@ -0,0 +1,8 @@
+<div class="nav-bar__buttons">
+    {% if request.session %}
+        <a href="{{ url_for('logout') }}" class="button__logout">Log Out</a>
+    {% else %}
+        <a href="{{ url_for('login') }}" class="button__login" >Log In</a>
+        <a href="{{ url_for('signup') }}" class="button__sign-up" >Sign Up</a>
+    {% endif %}
+</div>

templates/navigation/desktop/nav_bar_buttons.html

@@ -10,6 +10,8 @@
 <div class="nav-bar__tabs">
   {{ tab(label="Profile", path=url_for('profile')) }}
   {{ tab(label="Public", path=url_for('public')) }}
-  {{ tab(label="Protected", path=url_for('protected')) }}
-  {{ tab(label="Admin", path=url_for('admin')) }}
+  {% if request.session %}
+    {{ tab(label="Protected", path=url_for('protected')) }}
+    {{ tab(label="Admin", path=url_for('admin')) }}
+  {% endif %}
 </div>

templates/navigation/desktop/nav_bar_tabs.html

@@ -4,6 +4,7 @@
     {% include 'navigation/mobile/menu_button.html' %}
     <div id="mobile-menu" class="mobile-nav-bar__menu mobile-nav-bar__menu--closed">
       {% include 'navigation/mobile/mobile_nav_bar_tabs.html' %}
+      {% include 'navigation/mobile/mobile_nav_bar_buttons.html' %}
     </div>
   </nav>
 </div>

templates/navigation/mobile/mobile_nav_bar.html

@@ -0,0 +1,8 @@
+<div class="mobile-nav-bar__buttons">
+    {% if request.session %}
+        <a href="{{ url_for('logout') }}" class="button__logout">Log Out</a>
+    {% else %}
+        <a href="{{ url_for('login') }}" class="button__login" >Log In</a>
+        <a href="{{ url_for('signup') }}" class="button__sign-up" >Sign Up</a>
+    {% endif %}
+</div>

templates/navigation/mobile/mobile_nav_bar_buttons.html

@@ -10,6 +10,8 @@
 <div class="mobile-nav-bar__tabs">
   {{ tab(label="Profile", path=url_for('profile')) }}
   {{ tab(label="Public", path=url_for('public')) }}
-  {{ tab(label="Protected", path=url_for('protected')) }}
-  {{ tab(label="Admin", path=url_for('admin')) }}
+  {% if request.session %}
+    {{ tab(label="Protected", path=url_for('protected')) }}
+    {{ tab(label="Admin", path=url_for('admin')) }}
+  {% endif %}
 </div>

templates/navigation/mobile/mobile_nav_bar_tabs.html

@@ -6,7 +6,13 @@
         <h1 id="page-title" class="content__title">Profile Page</h1>
         <div class="content__body">
             <p id="page-description">
-                <span><strong>Only authenticated users should access this page.</strong></span>
+                <span>
+                  You can use the <strong>ID Token</strong> to get the profile information of an
+                  authenticated user.
+                </span>
+                <span>
+                    <strong>Only authenticated users can access this page.</strong>
+                </span>
             </p>
             <div class="profile-grid">
                 <div class="profile__header">
@@ -18,7 +24,7 @@ <h2 class="profile__title">{{ userinfo['name'] }}</h2>
                 </div>
 
                 <div class="profile__details">
-                    {{ code_snippet(title="User Profile Object", code=userinfo) }}
+                    {{ code_snippet(title="Decoded ID Token", code=userinfo) }}
                 </div>
             </div>
         </div>

templates/profile.html

@@ -1,5 +1,6 @@
-from fastapi import APIRouter, Request
+from fastapi import APIRouter, Depends, Request
 
+from auth.dependencies import protected_endpoint
 from config import templates
 from services.message_service import MessageService
 
@@ -52,25 +53,16 @@ def home(request: Request):
     )
 
 
-@webapp_router.get("/profile")
+@webapp_router.get("/profile", dependencies=[Depends(protected_endpoint)])
 def profile(request: Request):
     """
     Profile endpoint, should only be accessible after login
     """
-    user_info = {
-        "nickname": "Customer",
-        "name": "One Customer",
-        "picture": "https://cdn.auth0.com/blog/hello-auth0/auth0-user.png",
-        "updated_at": "2021-05-04T21:33:09.415Z",
-        "email": "[email protected]",
-        "email_verified": False,
-        "sub": "auth0|12345678901234567890"
-    }
     return templates.TemplateResponse(
         "profile.html",
         {
             "request": request,
-            "userinfo": user_info
+            "userinfo": request.session['userinfo']
         }
     )
 
@@ -89,7 +81,7 @@ def public(request: Request):
     )
 
 
-@webapp_router.get("/protected")
+@webapp_router.get("/protected", dependencies=[Depends(protected_endpoint)])
 def protected(request: Request):
     """
     Protected endpoint, should only be accessible after login
@@ -103,7 +95,7 @@ def protected(request: Request):
     )
 
 
-@webapp_router.get("/admin")
+@webapp_router.get("/admin", dependencies=[Depends(protected_endpoint)])
 def admin(request: Request):
     """
     Admin endpoint, should only be accessible after login if the user has the admin permissions