import webapp2 | |
import os | |
import jwt | |
from webapp2_extras import sessions | |
from google.appengine.ext.webapp import template | |
config = {} | |
config['webapp2_extras.sessions'] = { | |
'secret_key': 'LOCAL_SECRET', | |
} | |
config['fedurus.ru'] = { | |
'iss': 'https://rapid.fedurus.ru', | |
'aud': 'https://fedurus-echo.appspot.com', | |
} | |
class BaseHandler(webapp2.RequestHandler): | |
def dispatch(self): | |
self.session_store = sessions.get_store(request=self.request) | |
try: | |
webapp2.RequestHandler.dispatch(self) | |
finally: | |
self.session_store.save_sessions(self.response) | |
@webapp2.cached_property | |
def session(self): | |
return self.session_store.get_session() | |
class RootHandler(BaseHandler): | |
def get(self): | |
print self.session | |
self.response.out.write(template.render('views/index.html', {})) | |
class WelcomeHandler(BaseHandler): | |
def get(self): | |
if 'attributes' in self.session: | |
self.response.out.write(template.render('views/welcome.html', {'attributes':sorted(self.session['attributes'].iteritems()), 'jwt':sorted(self.session['jwt'].iteritems()), 'jws':self.session['jws']})) | |
else: | |
self.redirect('/') | |
class AuthHandler(BaseHandler): | |
def post(self): | |
try: | |
# Verifies signature and expiry time | |
verified_jwt = jwt.decode(self.request.POST['assertion'], "SECRET") | |
# In a complete app we'd also store and validate the jti value to ensure there is no replay attack | |
if verified_jwt['aud'] == config['fedurus.ru']['aud'] and verified_jwt['iss'] == config['fedurus.ru']['iss']: | |
self.session['attributes'] = verified_jwt['https://www.fedurus.ru/attributes'] | |
self.session['jwt'] = verified_jwt | |
self.session['jws'] = self.request.POST['assertion'] | |
self.redirect('/welcome') | |
else: | |
self.status = 403 | |
self.response.write('Error: Not for this audience') | |
except jwt.ExpiredSignature: | |
self.status = 403 | |
self.response.write('Error: Security cookie has expired') | |
class LogoutHandler(BaseHandler): | |
def get(self): | |
self.session.clear() | |
self.redirect('/') | |
app = webapp2.WSGIApplication([ | |
(r'/', RootHandler), | |
(r'/welcome', WelcomeHandler), | |
(r'/auth/jwt', AuthHandler), | |
(r'/logout', LogoutHandler), | |
], config=config) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment