import webapp2 | |
import os | |
import jwt | |
from webapp2_extras import sessions | |
from google.appengine.ext.webapp import template | |
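# webapp2 configuration shared by every handler below.
# The session cookie-signing key is taken from the environment (set it with
# env_variables in app.yaml); the literal is only a fallback for local runs
# and must not be what a deployed instance ends up signing cookies with.
config = {}
config['webapp2_extras.sessions'] = {
    'secret_key': os.environ.get('SESSION_SECRET_KEY', 'LOCAL_SECRET'),
}
# Issuer and audience a posted JWT assertion must carry to be accepted.
config['fedurus.ru'] = {
    'iss': 'https://rapid.fedurus.ru',
    'aud': 'https://fedurus-echo.appspot.com',
}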
class BaseHandler(webapp2.RequestHandler):
    """Request handler that opens the session store before dispatch and flushes it after.

    Subclasses read and write ``self.session``; whatever they changed is written
    back to the response in ``dispatch``'s ``finally`` block, so the save also
    happens when the handler raises.
    """

    def dispatch(self):
        store = sessions.get_store(request=self.request)
        self.session_store = store
        try:
            super(BaseHandler, self).dispatch()
        finally:
            # Always flush so the response carries the handler's session changes.
            store.save_sessions(self.response)

    @webapp2.cached_property
    def session(self):
        """Session for this request, fetched from the store once and then cached."""
        return self.session_store.get_session()
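class RootHandler(BaseHandler):
    """Serves the landing page."""

    def get(self):
        # The debug ``print self.session`` that used to sit here is gone: on
        # App Engine stdout ends up in the request logs, so it wrote every
        # signed-in user's JWT claims and attributes into logging. Nothing in
        # this page depends on the session.
        self.response.out.write(template.render('views/index.html', {}))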
class WelcomeHandler(BaseHandler):
    """Shows the signed-in user's claims; anonymous visitors are bounced to /."""

    def get(self):
        current = self.session
        if 'attributes' not in current:
            self.redirect('/')
            return
        # 'jwt' and 'jws' are stored together with 'attributes' by AuthHandler,
        # so their presence is implied by the check above.
        context = {
            'attributes': sorted(current['attributes'].iteritems()),
            'jwt': sorted(current['jwt'].iteritems()),
            'jws': current['jws'],
        }
        self.response.out.write(template.render('views/welcome.html', context))
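class AuthHandler(BaseHandler):
    """Consumes the JWT assertion posted by the IdP and turns it into a session.

    On success the verified claims are stored in the session and the browser is
    redirected to /welcome. Every failure path answers 403 with a short message;
    the original set ``self.status``, which webapp2 never reads, so errors were
    being returned as 200.
    """

    def _reject(self, message):
        """Send a 403 with *message* as the body."""
        self.response.set_status(403)
        self.response.write(message)

    def post(self):
        assertion = self.request.POST.get('assertion')
        if not assertion:
            self._reject('Error: Missing assertion')
            return
        try:
            # Verifies the signature and the exp claim.
            # NOTE(review): the HMAC secret is hard-coded and has to match the
            # IdP's; it belongs in config, not in source. Nothing pins the
            # token's "alg" header either - as soon as the installed PyJWT
            # accepts it, pass algorithms=['HS256'] so this key is never used
            # to verify any other algorithm.
            verified_jwt = jwt.decode(assertion, "SECRET")
        except jwt.ExpiredSignature:
            self._reject('Error: Security cookie has expired')
            return
        except jwt.DecodeError:
            # Malformed token or bad signature: refuse instead of surfacing a 500.
            self._reject('Error: Invalid assertion')
            return
        # In a complete app we'd also store and validate the jti value to ensure
        # there is no replay attack.
        expected = config['fedurus.ru']
        if (verified_jwt.get('aud') != expected['aud']
                or verified_jwt.get('iss') != expected['iss']):
            self._reject('Error: Not for this audience')
            return
        attributes = verified_jwt.get('https://www.fedurus.ru/attributes')
        if attributes is None:
            # WelcomeHandler iterates this claim, so an assertion without it
            # cannot start a usable session.
            self._reject('Error: Missing attributes')
            return
        self.session['attributes'] = attributes
        self.session['jwt'] = verified_jwt
        self.session['jws'] = assertion
        self.redirect('/welcome')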
class LogoutHandler(BaseHandler):
    """Empties the session and returns to the landing page.

    NOTE(review): logout is bound to GET, so any third-party page can trigger it
    by loading the URL (a logout-CSRF nuisance, not a data exposure).
    """

    def get(self):
        current = self.session
        current.clear()
        self.redirect('/')
# URL map for the WSGI entry point; every handler shares BaseHandler's
# session plumbing and the config defined above.
app = webapp2.WSGIApplication(
    routes=[
        (r'/', RootHandler),
        (r'/welcome', WelcomeHandler),
        (r'/auth/jwt', AuthHandler),
        (r'/logout', LogoutHandler),
    ],
    config=config,
)