stable/freqtrade/rpc/api_server/api_auth.py

import secrets
from datetime import datetime, timedelta

import jwt
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from fastapi.security.http import HTTPBasic, HTTPBasicCredentials

from freqtrade.rpc.api_server.api_schemas import AccessAndRefreshToken, AccessToken
from freqtrade.rpc.api_server.deps import get_api_config


ALGORITHM = "HS256"

router_login = APIRouter()


def verify_auth(api_config, username: str, password: str):
    """Verify username/password"""
    return (secrets.compare_digest(username, api_config.get('username')) and
            secrets.compare_digest(password, api_config.get('password')))


httpbasic = HTTPBasic(auto_error=False)
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token", auto_error=False)


def get_user_from_token(token, secret_key: str, token_type: str = "access"):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, secret_key, algorithms=[ALGORITHM])
        username: str = payload.get("identity", {}).get('u')
        if username is None:
            raise credentials_exception
        if payload.get("type") != token_type:
            raise credentials_exception

    except jwt.PyJWTError:
        raise credentials_exception
    return username


def create_token(data: dict, secret_key: str, token_type: str = "access") -> str:
    to_encode = data.copy()
    if token_type == "access":
        expire = datetime.utcnow() + timedelta(minutes=15)
    elif token_type == "refresh":
        expire = datetime.utcnow() + timedelta(days=30)
    else:
        raise ValueError()
    to_encode.update({
        "exp": expire,
        "iat": datetime.utcnow(),
        "type": token_type,
    })
    encoded_jwt = jwt.encode(to_encode, secret_key, algorithm=ALGORITHM)
    return encoded_jwt


def http_basic_or_jwt_token(form_data: HTTPBasicCredentials = Depends(httpbasic),
                            token: str = Depends(oauth2_scheme),
                            api_config=Depends(get_api_config)):
    if token:
        return get_user_from_token(token, api_config.get('jwt_secret_key', 'super-secret'))
    elif form_data and verify_auth(api_config, form_data.username, form_data.password):
        return form_data.username

    raise HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Unauthorized",
    )


@router_login.post('/token/login', response_model=AccessAndRefreshToken)
def token_login(form_data: HTTPBasicCredentials = Depends(HTTPBasic()),
                api_config=Depends(get_api_config)):

    if verify_auth(api_config, form_data.username, form_data.password):
        token_data = {'identity': {'u': form_data.username}}
        access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'))
        refresh_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),
                                     token_type="refresh")
        return {
            "access_token": access_token,
            "refresh_token": refresh_token,
        }
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
        )


@router_login.post('/token/refresh', response_model=AccessToken)
def token_refresh(token: str = Depends(oauth2_scheme), api_config=Depends(get_api_config)):
    # Refresh token
    u = get_user_from_token(token, api_config.get(
        'jwt_secret_key', 'super-secret'), 'refresh')
    token_data = {'identity': {'u': u}}
    access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),
                                token_type="access")
    return {'access_token': access_token}
Implement auth in fastapi 2020-12-25 14:50:19 +00:00			`import secrets`
Implement more endpoints 2020-12-26 14:54:22 +00:00			`from datetime import datetime, timedelta`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00
Implement more endpoints 2020-12-26 14:54:22 +00:00			`import jwt`
Improve response models 2020-12-27 08:02:35 +00:00			`from fastapi import APIRouter, Depends, HTTPException, status`
Implement more endpoints 2020-12-26 14:54:22 +00:00			`from fastapi.security import OAuth2PasswordBearer`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00			`from fastapi.security.http import HTTPBasic, HTTPBasicCredentials`
Implement more endpoints 2020-12-26 14:54:22 +00:00
Rename api_models to api_schemas 2021-01-02 08:07:31 +00:00			`from freqtrade.rpc.api_server.api_schemas import AccessAndRefreshToken, AccessToken`
Rename api_server2 module to apiserver 2020-12-31 10:01:50 +00:00			`from freqtrade.rpc.api_server.deps import get_api_config`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00

			`ALGORITHM = "HS256"`

			`router_login = APIRouter()`


Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`def verify_auth(api_config, username: str, password: str):`
Fix auth providers 2020-12-26 07:48:15 +00:00			`"""Verify username/password"""`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`return (secrets.compare_digest(username, api_config.get('username')) and`
			`secrets.compare_digest(password, api_config.get('password')))`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00

Fix auth providers 2020-12-26 07:48:15 +00:00			`httpbasic = HTTPBasic(auto_error=False)`
			`oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token", auto_error=False)`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00

Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`def get_user_from_token(token, secret_key: str, token_type: str = "access"):`
Fix auth providers 2020-12-26 07:48:15 +00:00			`credentials_exception = HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Could not validate credentials",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`
			`try:`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`payload = jwt.decode(token, secret_key, algorithms=[ALGORITHM])`
Align auth token to flask version to prevent user-logout 2020-12-31 09:22:28 +00:00			`username: str = payload.get("identity", {}).get('u')`
Fix auth providers 2020-12-26 07:48:15 +00:00			`if username is None:`
			`raise credentials_exception`
			`if payload.get("type") != token_type:`
			`raise credentials_exception`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00
Fix auth providers 2020-12-26 07:48:15 +00:00			`except jwt.PyJWTError:`
			`raise credentials_exception`
			`return username`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00

Fix test due to pyjwt2.0 2021-01-08 18:27:51 +00:00			`def create_token(data: dict, secret_key: str, token_type: str = "access") -> str:`
Fix auth providers 2020-12-26 07:48:15 +00:00			`to_encode = data.copy()`
			`if token_type == "access":`
			`expire = datetime.utcnow() + timedelta(minutes=15)`
			`elif token_type == "refresh":`
			`expire = datetime.utcnow() + timedelta(days=30)`
			`else:`
			`raise ValueError()`
			`to_encode.update({`
			`"exp": expire,`
			`"iat": datetime.utcnow(),`
			`"type": token_type,`
			`})`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`encoded_jwt = jwt.encode(to_encode, secret_key, algorithm=ALGORITHM)`
Fix auth providers 2020-12-26 07:48:15 +00:00			`return encoded_jwt`


			`def http_basic_or_jwt_token(form_data: HTTPBasicCredentials = Depends(httpbasic),`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`token: str = Depends(oauth2_scheme),`
			`api_config=Depends(get_api_config)):`
Fix auth providers 2020-12-26 07:48:15 +00:00			`if token:`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`return get_user_from_token(token, api_config.get('jwt_secret_key', 'super-secret'))`
			`elif form_data and verify_auth(api_config, form_data.username, form_data.password):`
Fix auth providers 2020-12-26 07:48:15 +00:00			`return form_data.username`

			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
Some more tests around api_auth 2020-12-27 13:57:01 +00:00			`detail="Unauthorized",`
Fix auth providers 2020-12-26 07:48:15 +00:00			`)`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00

			`@router_login.post('/token/login', response_model=AccessAndRefreshToken)`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`def token_login(form_data: HTTPBasicCredentials = Depends(HTTPBasic()),`
			`api_config=Depends(get_api_config)):`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`if verify_auth(api_config, form_data.username, form_data.password):`
Align auth token to flask version to prevent user-logout 2020-12-31 09:22:28 +00:00			`token_data = {'identity': {'u': form_data.username}}`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'))`
			`refresh_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),`
			`token_type="refresh")`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00			`return {`
			`"access_token": access_token,`
			`"refresh_token": refresh_token,`
			`}`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Incorrect username or password",`
			`)`


			`@router_login.post('/token/refresh', response_model=AccessToken)`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`def token_refresh(token: str = Depends(oauth2_scheme), api_config=Depends(get_api_config)):`
Fix auth providers 2020-12-26 07:48:15 +00:00			`# Refresh token`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`u = get_user_from_token(token, api_config.get(`
			`'jwt_secret_key', 'super-secret'), 'refresh')`
Align auth token to flask version to prevent user-logout 2020-12-31 09:22:28 +00:00			`token_data = {'identity': {'u': u}}`
Properly use JWT secret key 2020-12-27 14:24:49 +00:00			`access_token = create_token(token_data, api_config.get('jwt_secret_key', 'super-secret'),`
			`token_type="access")`
Implement auth in fastapi 2020-12-25 14:50:19 +00:00			`return {'access_token': access_token}`