From 6620ea5d0814952fd93d90025d7da6354ddc9d0c Mon Sep 17 00:00:00 2001 From: rishabhpoddar Date: Tue, 12 Sep 2023 16:06:58 +0530 Subject: [PATCH] adding dev-v0.16.0 tag to this commit to ensure building --- html/supertokens_python/constants.html | 2 +- .../framework/django/django_request.html | 20 +++ .../framework/fastapi/fastapi_request.html | 20 +++ .../framework/flask/flask_request.html | 20 +++ .../supertokens_python/framework/request.html | 23 +++ .../recipe/dashboard/api/index.html | 19 ++- .../recipe/dashboard/api/validate_key.html | 4 +- .../recipe/dashboard/constants.html | 4 +- .../recipe/dashboard/exceptions.html | 32 ++++ .../recipe/dashboard/index.html | 12 +- .../recipe/dashboard/recipe.html | 106 +++++++----- .../dashboard/recipe_implementation.html | 159 +++++++++++++++--- .../recipe/dashboard/utils.html | 64 +++++-- .../recipe/session/asyncio/index.html | 9 + .../recipe/session/constants.html | 1 + .../recipe/session/recipe_implementation.html | 22 ++- .../session/session_request_functions.html | 9 + html/supertokens_python/utils.html | 20 ++- 18 files changed, 445 insertions(+), 101 deletions(-) diff --git a/html/supertokens_python/constants.html b/html/supertokens_python/constants.html index ddabaf437..433530761 100644 --- a/html/supertokens_python/constants.html +++ b/html/supertokens_python/constants.html @@ -42,7 +42,7 @@

Module supertokens_python.constants

from __future__ import annotations SUPPORTED_CDI_VERSIONS = ["3.0"] -VERSION = "0.15.3" +VERSION = "0.16.0" TELEMETRY = "/telemetry" USER_COUNT = "/users/count" USER_DELETE = "/user/remove" diff --git a/html/supertokens_python/framework/django/django_request.html b/html/supertokens_python/framework/django/django_request.html index a30c8807f..a225bb0a6 100644 --- a/html/supertokens_python/framework/django/django_request.html +++ b/html/supertokens_python/framework/django/django_request.html @@ -57,6 +57,9 @@

Module supertokens_python.framework.django.django_reques super().__init__() self.request = request + def get_original_url(self) -> str: + return self.request.get_raw_uri() + def get_query_param( self, key: str, default: Union[str, None] = None ) -> Union[str, None]: @@ -126,6 +129,9 @@

Classes

super().__init__() self.request = request + def get_original_url(self) -> str: + return self.request.get_raw_uri() + def get_query_param( self, key: str, default: Union[str, None] = None ) -> Union[str, None]: @@ -217,6 +223,19 @@

Methods

return self.request.META.get(key.upper())
+
+def get_original_url(self) ‑> str +
+
+
+
+ +Expand source code + +
def get_original_url(self) -> str:
+    return self.request.get_raw_uri()
+
+
def get_path(self) ‑> str
@@ -348,6 +367,7 @@

form_data
  • get_cookie
  • get_header
  • +
  • get_original_url
  • get_path
  • get_query_param
  • get_query_params
  • diff --git a/html/supertokens_python/framework/fastapi/fastapi_request.html b/html/supertokens_python/framework/fastapi/fastapi_request.html index f82978d6e..efa01ad1a 100644 --- a/html/supertokens_python/framework/fastapi/fastapi_request.html +++ b/html/supertokens_python/framework/fastapi/fastapi_request.html @@ -56,6 +56,9 @@

    Module supertokens_python.framework.fastapi.fastapi_requ super().__init__() self.request = request + def get_original_url(self) -> str: + return self.request.url.components.geturl() + def get_query_param( self, key: str, default: Union[str, None] = None ) -> Union[str, None]: @@ -126,6 +129,9 @@

    Classes

    super().__init__() self.request = request + def get_original_url(self) -> str: + return self.request.url.components.geturl() + def get_query_param( self, key: str, default: Union[str, None] = None ) -> Union[str, None]: @@ -218,6 +224,19 @@

    Methods

    return self.request.headers.get(key, None)
    +
    +def get_original_url(self) ‑> str +
    +
    +
    +
    + +Expand source code + +
    def get_original_url(self) -> str:
    +    return self.request.url.components.geturl()
    +
    +
    def get_path(self) ‑> str
    @@ -350,6 +369,7 @@

    form_data
  • get_cookie
  • get_header
  • +
  • get_original_url
  • get_path
  • get_query_param
  • get_query_params
  • diff --git a/html/supertokens_python/framework/flask/flask_request.html b/html/supertokens_python/framework/flask/flask_request.html index 3d9ee76db..09d256795 100644 --- a/html/supertokens_python/framework/flask/flask_request.html +++ b/html/supertokens_python/framework/flask/flask_request.html @@ -55,6 +55,9 @@

    Module supertokens_python.framework.flask.flask_request< super().__init__() self.request = req + def get_original_url(self) -> str: + return self.request.url + def get_query_param(self, key: str, default: Union[str, None] = None): return self.request.args.get(key, default) @@ -133,6 +136,9 @@

    Classes

    super().__init__() self.request = req + def get_original_url(self) -> str: + return self.request.url + def get_query_param(self, key: str, default: Union[str, None] = None): return self.request.args.get(key, default) @@ -233,6 +239,19 @@

    Methods

    return self.request.headers.get(key) # type: ignore
    +
    +def get_original_url(self) ‑> str +
    +
    +
    +
    + +Expand source code + +
    def get_original_url(self) -> str:
    +    return self.request.url
    +
    +
    def get_path(self) ‑> str
    @@ -371,6 +390,7 @@

    form_data
  • get_cookie
  • get_header
  • +
  • get_original_url
  • get_path
  • get_query_param
  • get_query_params
  • diff --git a/html/supertokens_python/framework/request.html b/html/supertokens_python/framework/request.html index 3c2be4998..594cf723a 100644 --- a/html/supertokens_python/framework/request.html +++ b/html/supertokens_python/framework/request.html @@ -53,6 +53,10 @@

    Module supertokens_python.framework.request

    self.wrapper_used = True self.request = None + @abstractmethod + def get_original_url(self) -> str: + pass + @abstractmethod def get_query_param( self, key: str, default: Union[str, None] = None @@ -127,6 +131,10 @@

    Classes

    self.wrapper_used = True self.request = None + @abstractmethod + def get_original_url(self) -> str: + pass + @abstractmethod def get_query_param( self, key: str, default: Union[str, None] = None @@ -230,6 +238,20 @@

    Methods

    pass +
    +def get_original_url(self) ‑> str +
    +
    +
    +
    + +Expand source code + +
    @abstractmethod
    +def get_original_url(self) -> str:
    +    pass
    +
    +
    def get_path(self) ‑> str
    @@ -372,6 +394,7 @@

    form_data
  • get_cookie
  • get_header
  • +
  • get_original_url
  • get_path
  • get_query_param
  • get_query_params
  • diff --git a/html/supertokens_python/recipe/dashboard/api/index.html b/html/supertokens_python/recipe/dashboard/api/index.html index 2e8bd0733..8fee3206a 100644 --- a/html/supertokens_python/recipe/dashboard/api/index.html +++ b/html/supertokens_python/recipe/dashboard/api/index.html @@ -158,9 +158,20 @@

    Functions

    ], user_context: Dict[str, Any], ) -> Optional[BaseResponse]: - should_allow_access = await api_options.recipe_implementation.should_allow_access( - api_options.request, api_options.config, user_context - ) + should_allow_access = False + + try: + should_allow_access = ( + await api_options.recipe_implementation.should_allow_access( + api_options.request, api_options.config, user_context + ) + ) + except DashboardOperationNotAllowedError as _: + return send_non_200_response_with_message( + "You are not permitted to perform this operation", + 403, + api_options.response, + ) if should_allow_access is False: return send_non_200_response_with_message( @@ -1113,7 +1124,7 @@

    Functions

    user_context: Dict[str, Any], ): - is_valid_key = validate_api_key( + is_valid_key = await validate_api_key( api_options.request, api_options.config, user_context ) diff --git a/html/supertokens_python/recipe/dashboard/api/validate_key.html b/html/supertokens_python/recipe/dashboard/api/validate_key.html index a692d5c91..ffeab15b9 100644 --- a/html/supertokens_python/recipe/dashboard/api/validate_key.html +++ b/html/supertokens_python/recipe/dashboard/api/validate_key.html @@ -63,7 +63,7 @@

    Module supertokens_python.recipe.dashboard.api.validate_ user_context: Dict[str, Any], ): - is_valid_key = validate_api_key( + is_valid_key = await validate_api_key( api_options.request, api_options.config, user_context ) @@ -94,7 +94,7 @@

    Functions

    user_context: Dict[str, Any], ): - is_valid_key = validate_api_key( + is_valid_key = await validate_api_key( api_options.request, api_options.config, user_context ) diff --git a/html/supertokens_python/recipe/dashboard/constants.html b/html/supertokens_python/recipe/dashboard/constants.html index ab05d20d8..d4762020b 100644 --- a/html/supertokens_python/recipe/dashboard/constants.html +++ b/html/supertokens_python/recipe/dashboard/constants.html @@ -36,8 +36,8 @@

    Module supertokens_python.recipe.dashboard.constants diff --git a/html/supertokens_python/recipe/dashboard/exceptions.html b/html/supertokens_python/recipe/dashboard/exceptions.html index 49844b4ae..55cfffe76 100644 --- a/html/supertokens_python/recipe/dashboard/exceptions.html +++ b/html/supertokens_python/recipe/dashboard/exceptions.html @@ -30,6 +30,10 @@

    Module supertokens_python.recipe.dashboard.exceptions @@ -42,6 +46,27 @@

    Module supertokens_python.recipe.dashboard.exceptions

    Classes

    +
    +class DashboardOperationNotAllowedError +(*args, **kwargs) +
    +
    +

    Common base class for all non-exit exceptions.

    +
    + +Expand source code + +
    class DashboardOperationNotAllowedError(SuperTokensDashboardError):
    +    pass
    +
    +

    Ancestors

    + +
    class SuperTokensDashboardError (*args, **kwargs) @@ -61,6 +86,10 @@

    Ancestors

  • builtins.Exception
  • builtins.BaseException
  • +

    Subclasses

    +
    @@ -79,6 +108,9 @@

    Index

  • Classes

    diff --git a/html/supertokens_python/recipe/dashboard/index.html b/html/supertokens_python/recipe/dashboard/index.html index 11d46eedd..f5c97daf0 100644 --- a/html/supertokens_python/recipe/dashboard/index.html +++ b/html/supertokens_python/recipe/dashboard/index.html @@ -42,7 +42,7 @@

    Module supertokens_python.recipe.dashboard

    from __future__ import annotations -from typing import Callable, Optional, Union +from typing import Callable, Optional, List from supertokens_python import AppInfo, RecipeModule @@ -54,11 +54,13 @@

    Module supertokens_python.recipe.dashboard

    def init( - api_key: Union[str, None] = None, + api_key: Optional[str] = None, + admins: Optional[List[str]] = None, override: Optional[InputOverrideConfig] = None, ) -> Callable[[AppInfo], RecipeModule]: return DashboardRecipe.init( api_key, + admins, override, )
    @@ -102,7 +104,7 @@

    Sub-modules

    Functions

    -def init(api_key: Union[str, None] = None, override: Optional[InputOverrideConfig] = None) ‑> Callable[[AppInfo], RecipeModule] +def init(api_key: Optional[str] = None, admins: Optional[List[str]] = None, override: Optional[InputOverrideConfig] = None) ‑> Callable[[AppInfo], RecipeModule]
    @@ -111,11 +113,13 @@

    Functions

    Expand source code
    def init(
    -    api_key: Union[str, None] = None,
    +    api_key: Optional[str] = None,
    +    admins: Optional[List[str]] = None,
         override: Optional[InputOverrideConfig] = None,
     ) -> Callable[[AppInfo], RecipeModule]:
         return DashboardRecipe.init(
             api_key,
    +        admins,
             override,
         )
    diff --git a/html/supertokens_python/recipe/dashboard/recipe.html b/html/supertokens_python/recipe/dashboard/recipe.html index 7350f4f2a..a69beb97c 100644 --- a/html/supertokens_python/recipe/dashboard/recipe.html +++ b/html/supertokens_python/recipe/dashboard/recipe.html @@ -42,7 +42,7 @@

    Module supertokens_python.recipe.dashboard.recipe from __future__ import annotations from os import environ -from typing import TYPE_CHECKING, Awaitable, Callable, List, Optional, Union, Dict, Any +from typing import TYPE_CHECKING, Awaitable, Callable, List, Optional, Dict, Any from supertokens_python.normalised_url_path import NormalisedURLPath from supertokens_python.recipe_module import APIHandled, RecipeModule @@ -87,8 +87,8 @@

    Module supertokens_python.recipe.dashboard.recipe from .constants import ( DASHBOARD_ANALYTICS_API, DASHBOARD_API, - EMAIL_PASSSWORD_SIGNOUT, - EMAIL_PASSWORD_SIGN_IN, + SIGN_OUT_API, + SIGN_IN_API, SEARCH_TAGS_API, USER_API, USER_EMAIL_VERIFY_API, @@ -115,12 +115,14 @@

    Module supertokens_python.recipe.dashboard.recipe self, recipe_id: str, app_info: AppInfo, - api_key: Union[str, None], - override: Union[InputOverrideConfig, None] = None, + api_key: Optional[str], + admins: Optional[List[str]], + override: Optional[InputOverrideConfig] = None, ): super().__init__(recipe_id, app_info) self.config = validate_and_normalise_user_input( api_key, + admins, override, ) recipe_implementation = RecipeImplementation() @@ -151,11 +153,9 @@

    Module supertokens_python.recipe.dashboard.recipe False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSWORD_SIGN_IN) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_IN_API)), "post", - EMAIL_PASSWORD_SIGN_IN, + SIGN_IN_API, False, ), APIHandled( @@ -165,11 +165,9 @@

    Module supertokens_python.recipe.dashboard.recipe False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSSWORD_SIGNOUT) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_OUT_API)), "post", - EMAIL_PASSSWORD_SIGNOUT, + SIGN_OUT_API, False, ), APIHandled( @@ -242,6 +240,12 @@

    Module supertokens_python.recipe.dashboard.recipe USER_SESSION_API, False, ), + APIHandled( + NormalisedURLPath(get_api_path_with_dashboard_base(USER_SESSION_API)), + "post", + USER_SESSION_API, + False, + ), APIHandled( NormalisedURLPath(get_api_path_with_dashboard_base(USER_PASSWORD_API)), "put", @@ -305,7 +309,7 @@

    Module supertokens_python.recipe.dashboard.recipe return await handle_validate_key_api( self.api_implementation, api_options, user_context ) - if request_id == EMAIL_PASSWORD_SIGN_IN: + if request_id == SIGN_IN_API: return await handle_emailpassword_signin_api( self.api_implementation, api_options, user_context ) @@ -346,7 +350,7 @@

    Module supertokens_python.recipe.dashboard.recipe api_function = handle_user_password_put elif request_id == USER_EMAIL_VERIFY_TOKEN_API: api_function = handle_email_verify_token_post - elif request_id == EMAIL_PASSSWORD_SIGNOUT: + elif request_id == SIGN_OUT_API: api_function = handle_emailpassword_signout_api elif request_id == SEARCH_TAGS_API: api_function = handle_get_tags @@ -377,8 +381,9 @@

    Module supertokens_python.recipe.dashboard.recipe @staticmethod def init( - api_key: Union[str, None], - override: Union[InputOverrideConfig, None] = None, + api_key: Optional[str], + admins: Optional[List[str]] = None, + override: Optional[InputOverrideConfig] = None, ): def func(app_info: AppInfo): if DashboardRecipe.__instance is None: @@ -386,6 +391,7 @@

    Module supertokens_python.recipe.dashboard.recipe DashboardRecipe.recipe_id, app_info, api_key, + admins, override, ) return DashboardRecipe.__instance @@ -424,7 +430,7 @@

    Classes

    class DashboardRecipe -(recipe_id: str, app_info: AppInfo, api_key: Union[str, None], override: Union[InputOverrideConfig, None] = None) +(recipe_id: str, app_info: AppInfo, api_key: Optional[str], admins: Optional[List[str]], override: Optional[InputOverrideConfig] = None)

    Helper class that provides a standard way to create an ABC using @@ -441,12 +447,14 @@

    Classes

    self, recipe_id: str, app_info: AppInfo, - api_key: Union[str, None], - override: Union[InputOverrideConfig, None] = None, + api_key: Optional[str], + admins: Optional[List[str]], + override: Optional[InputOverrideConfig] = None, ): super().__init__(recipe_id, app_info) self.config = validate_and_normalise_user_input( api_key, + admins, override, ) recipe_implementation = RecipeImplementation() @@ -477,11 +485,9 @@

    Classes

    False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSWORD_SIGN_IN) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_IN_API)), "post", - EMAIL_PASSWORD_SIGN_IN, + SIGN_IN_API, False, ), APIHandled( @@ -491,11 +497,9 @@

    Classes

    False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSSWORD_SIGNOUT) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_OUT_API)), "post", - EMAIL_PASSSWORD_SIGNOUT, + SIGN_OUT_API, False, ), APIHandled( @@ -568,6 +572,12 @@

    Classes

    USER_SESSION_API, False, ), + APIHandled( + NormalisedURLPath(get_api_path_with_dashboard_base(USER_SESSION_API)), + "post", + USER_SESSION_API, + False, + ), APIHandled( NormalisedURLPath(get_api_path_with_dashboard_base(USER_PASSWORD_API)), "put", @@ -631,7 +641,7 @@

    Classes

    return await handle_validate_key_api( self.api_implementation, api_options, user_context ) - if request_id == EMAIL_PASSWORD_SIGN_IN: + if request_id == SIGN_IN_API: return await handle_emailpassword_signin_api( self.api_implementation, api_options, user_context ) @@ -672,7 +682,7 @@

    Classes

    api_function = handle_user_password_put elif request_id == USER_EMAIL_VERIFY_TOKEN_API: api_function = handle_email_verify_token_post - elif request_id == EMAIL_PASSSWORD_SIGNOUT: + elif request_id == SIGN_OUT_API: api_function = handle_emailpassword_signout_api elif request_id == SEARCH_TAGS_API: api_function = handle_get_tags @@ -703,8 +713,9 @@

    Classes

    @staticmethod def init( - api_key: Union[str, None], - override: Union[InputOverrideConfig, None] = None, + api_key: Optional[str], + admins: Optional[List[str]] = None, + override: Optional[InputOverrideConfig] = None, ): def func(app_info: AppInfo): if DashboardRecipe.__instance is None: @@ -712,6 +723,7 @@

    Classes

    DashboardRecipe.recipe_id, app_info, api_key, + admins, override, ) return DashboardRecipe.__instance @@ -775,7 +787,7 @@

    Static methods

    -def init(api_key: Union[str, None], override: Union[InputOverrideConfig, None] = None) +def init(api_key: Optional[str], admins: Optional[List[str]] = None, override: Optional[InputOverrideConfig] = None)
    @@ -785,8 +797,9 @@

    Static methods

    @staticmethod
     def init(
    -    api_key: Union[str, None],
    -    override: Union[InputOverrideConfig, None] = None,
    +    api_key: Optional[str],
    +    admins: Optional[List[str]] = None,
    +    override: Optional[InputOverrideConfig] = None,
     ):
         def func(app_info: AppInfo):
             if DashboardRecipe.__instance is None:
    @@ -794,6 +807,7 @@ 

    Static methods

    DashboardRecipe.recipe_id, app_info, api_key, + admins, override, ) return DashboardRecipe.__instance @@ -857,11 +871,9 @@

    Methods

    False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSWORD_SIGN_IN) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_IN_API)), "post", - EMAIL_PASSWORD_SIGN_IN, + SIGN_IN_API, False, ), APIHandled( @@ -871,11 +883,9 @@

    Methods

    False, ), APIHandled( - NormalisedURLPath( - get_api_path_with_dashboard_base(EMAIL_PASSSWORD_SIGNOUT) - ), + NormalisedURLPath(get_api_path_with_dashboard_base(SIGN_OUT_API)), "post", - EMAIL_PASSSWORD_SIGNOUT, + SIGN_OUT_API, False, ), APIHandled( @@ -948,6 +958,12 @@

    Methods

    USER_SESSION_API, False, ), + APIHandled( + NormalisedURLPath(get_api_path_with_dashboard_base(USER_SESSION_API)), + "post", + USER_SESSION_API, + False, + ), APIHandled( NormalisedURLPath(get_api_path_with_dashboard_base(USER_PASSWORD_API)), "put", @@ -1021,7 +1037,7 @@

    Methods

    return await handle_validate_key_api( self.api_implementation, api_options, user_context ) - if request_id == EMAIL_PASSWORD_SIGN_IN: + if request_id == SIGN_IN_API: return await handle_emailpassword_signin_api( self.api_implementation, api_options, user_context ) @@ -1062,7 +1078,7 @@

    Methods

    api_function = handle_user_password_put elif request_id == USER_EMAIL_VERIFY_TOKEN_API: api_function = handle_email_verify_token_post - elif request_id == EMAIL_PASSSWORD_SIGNOUT: + elif request_id == SIGN_OUT_API: api_function = handle_emailpassword_signout_api elif request_id == SEARCH_TAGS_API: api_function = handle_get_tags diff --git a/html/supertokens_python/recipe/dashboard/recipe_implementation.html b/html/supertokens_python/recipe/dashboard/recipe_implementation.html index 17557a817..6da507de2 100644 --- a/html/supertokens_python/recipe/dashboard/recipe_implementation.html +++ b/html/supertokens_python/recipe/dashboard/recipe_implementation.html @@ -46,10 +46,16 @@

    Module supertokens_python.recipe.dashboard.recipe_implem from supertokens_python.constants import DASHBOARD_VERSION from supertokens_python.framework import BaseRequest from supertokens_python.normalised_url_path import NormalisedURLPath +from supertokens_python.utils import log_debug_message, normalise_http_method from supertokens_python.querier import Querier +from supertokens_python.recipe.dashboard.constants import ( + DASHBOARD_ANALYTICS_API, + SIGN_OUT_API, +) from .interfaces import RecipeInterface from .utils import DashboardConfig, validate_api_key +from .exceptions import DashboardOperationNotAllowedError class RecipeImplementation(RecipeInterface): @@ -62,9 +68,9 @@

    Module supertokens_python.recipe.dashboard.recipe_implem config: DashboardConfig, user_context: Dict[str, Any], ) -> bool: - if config.auth_mode == "email-password": + # For cases where we're not using the API key, the JWT is being used; we allow their access by default + if config.api_key is None: auth_header_value = request.get_header("authorization") - if not auth_header_value: return False @@ -75,11 +81,48 @@

    Module supertokens_python.recipe.dashboard.recipe_implem {"sessionId": auth_header_value}, ) ) - return ( - "status" in session_verification_response - and session_verification_response["status"] == "OK" - ) - return validate_api_key(request, config, user_context)

    + if session_verification_response.get("status") != "OK": + return False + + # For all non GET requests we also want to check if the + # user is allowed to perform this operation + if normalise_http_method(request.method()) != "get": + # We dont want to block the analytics API + if request.get_original_url().endswith(DASHBOARD_ANALYTICS_API): + return True + + # We do not want to block the sign out request + if request.get_original_url().endswith(SIGN_OUT_API): + return True + + admins = config.admins + + if admins is None: + return True + + if len(admins) == 0: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + user_email = session_verification_response.get("email") + + if user_email is None or not isinstance(user_email, str): + log_debug_message( + "User Dashboard: Returning UNAUTHORISED_ERROR because no email was provided in headers" + ) + return False + + if user_email not in admins: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + return True + + return await validate_api_key(request, config, user_context)
    @@ -111,9 +154,9 @@

    Classes

    config: DashboardConfig, user_context: Dict[str, Any], ) -> bool: - if config.auth_mode == "email-password": + # For cases where we're not using the API key, the JWT is being used; we allow their access by default + if config.api_key is None: auth_header_value = request.get_header("authorization") - if not auth_header_value: return False @@ -124,11 +167,48 @@

    Classes

    {"sessionId": auth_header_value}, ) ) - return ( - "status" in session_verification_response - and session_verification_response["status"] == "OK" - ) - return validate_api_key(request, config, user_context)
    + if session_verification_response.get("status") != "OK": + return False + + # For all non GET requests we also want to check if the + # user is allowed to perform this operation + if normalise_http_method(request.method()) != "get": + # We dont want to block the analytics API + if request.get_original_url().endswith(DASHBOARD_ANALYTICS_API): + return True + + # We do not want to block the sign out request + if request.get_original_url().endswith(SIGN_OUT_API): + return True + + admins = config.admins + + if admins is None: + return True + + if len(admins) == 0: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + user_email = session_verification_response.get("email") + + if user_email is None or not isinstance(user_email, str): + log_debug_message( + "User Dashboard: Returning UNAUTHORISED_ERROR because no email was provided in headers" + ) + return False + + if user_email not in admins: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + return True + + return await validate_api_key(request, config, user_context)

    Ancestors

      @@ -165,9 +245,9 @@

      Methods

      config: DashboardConfig, user_context: Dict[str, Any], ) -> bool: - if config.auth_mode == "email-password": + # For cases where we're not using the API key, the JWT is being used; we allow their access by default + if config.api_key is None: auth_header_value = request.get_header("authorization") - if not auth_header_value: return False @@ -178,11 +258,48 @@

      Methods

      {"sessionId": auth_header_value}, ) ) - return ( - "status" in session_verification_response - and session_verification_response["status"] == "OK" - ) - return validate_api_key(request, config, user_context) + if session_verification_response.get("status") != "OK": + return False + + # For all non GET requests we also want to check if the + # user is allowed to perform this operation + if normalise_http_method(request.method()) != "get": + # We dont want to block the analytics API + if request.get_original_url().endswith(DASHBOARD_ANALYTICS_API): + return True + + # We do not want to block the sign out request + if request.get_original_url().endswith(SIGN_OUT_API): + return True + + admins = config.admins + + if admins is None: + return True + + if len(admins) == 0: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + user_email = session_verification_response.get("email") + + if user_email is None or not isinstance(user_email, str): + log_debug_message( + "User Dashboard: Returning UNAUTHORISED_ERROR because no email was provided in headers" + ) + return False + + if user_email not in admins: + log_debug_message( + "User Dashboard: Throwing OPERATION_NOT_ALLOWED because user is not an admin" + ) + raise DashboardOperationNotAllowedError() + + return True + + return await validate_api_key(request, config, user_context)
    diff --git a/html/supertokens_python/recipe/dashboard/utils.html b/html/supertokens_python/recipe/dashboard/utils.html index 5892ff59c..fe882e84f 100644 --- a/html/supertokens_python/recipe/dashboard/utils.html +++ b/html/supertokens_python/recipe/dashboard/utils.html @@ -71,14 +71,14 @@

    Module supertokens_python.recipe.dashboard.utils< get_user_by_id as tppless_get_user_by_id, ) from supertokens_python.types import User -from supertokens_python.utils import Awaitable +from supertokens_python.utils import Awaitable, log_debug_message, normalise_email from ...normalised_url_path import NormalisedURLPath from .constants import ( DASHBOARD_ANALYTICS_API, DASHBOARD_API, - EMAIL_PASSSWORD_SIGNOUT, - EMAIL_PASSWORD_SIGN_IN, + SIGN_OUT_API, + SIGN_IN_API, SEARCH_TAGS_API, USER_API, USER_EMAIL_VERIFY_API, @@ -209,9 +209,14 @@

    Module supertokens_python.recipe.dashboard.utils< class DashboardConfig: def __init__( - self, api_key: Union[str, None], override: OverrideConfig, auth_mode: str + self, + api_key: Optional[str], + admins: Optional[List[str]], + override: OverrideConfig, + auth_mode: str, ): self.api_key = api_key + self.admins = admins self.override = override self.auth_mode = auth_mode @@ -219,14 +224,23 @@

    Module supertokens_python.recipe.dashboard.utils< def validate_and_normalise_user_input( # app_info: AppInfo, api_key: Union[str, None], + admins: Optional[List[str]], override: Optional[InputOverrideConfig] = None, ) -> DashboardConfig: if override is None: override = InputOverrideConfig() + if api_key is not None and admins is not None: + log_debug_message( + "User Dashboard: Providing 'admins' has no effect when using an api key." + ) + + admins = [normalise_email(a) for a in admins] if admins is not None else None + return DashboardConfig( api_key, + admins, OverrideConfig( functions=override.functions, apis=override.apis, @@ -273,10 +287,10 @@

    Module supertokens_python.recipe.dashboard.utils< return USER_PASSWORD_API if path_str.endswith(USER_EMAIL_VERIFY_TOKEN_API) and method == "post": return USER_EMAIL_VERIFY_TOKEN_API - if path_str.endswith(EMAIL_PASSWORD_SIGN_IN) and method == "post": - return EMAIL_PASSWORD_SIGN_IN - if path_str.endswith(EMAIL_PASSSWORD_SIGNOUT) and method == "post": - return EMAIL_PASSSWORD_SIGNOUT + if path_str.endswith(SIGN_IN_API) and method == "post": + return SIGN_IN_API + if path_str.endswith(SIGN_OUT_API) and method == "post": + return SIGN_OUT_API if path_str.endswith(SEARCH_TAGS_API) and method == "get": return SEARCH_TAGS_API if path_str.endswith(DASHBOARD_ANALYTICS_API) and method == "post": @@ -438,7 +452,7 @@

    Module supertokens_python.recipe.dashboard.utils< return isRecipeInitialised -def validate_api_key( +async def validate_api_key( req: BaseRequest, config: DashboardConfig, _user_context: Dict[str, Any] ) -> bool: api_key_header_value = req.get_header("authorization") @@ -490,10 +504,10 @@

    Functions

    return USER_PASSWORD_API if path_str.endswith(USER_EMAIL_VERIFY_TOKEN_API) and method == "post": return USER_EMAIL_VERIFY_TOKEN_API - if path_str.endswith(EMAIL_PASSWORD_SIGN_IN) and method == "post": - return EMAIL_PASSWORD_SIGN_IN - if path_str.endswith(EMAIL_PASSSWORD_SIGNOUT) and method == "post": - return EMAIL_PASSSWORD_SIGNOUT + if path_str.endswith(SIGN_IN_API) and method == "post": + return SIGN_IN_API + if path_str.endswith(SIGN_OUT_API) and method == "post": + return SIGN_OUT_API if path_str.endswith(SEARCH_TAGS_API) and method == "get": return SEARCH_TAGS_API if path_str.endswith(DASHBOARD_ANALYTICS_API) and method == "post": @@ -695,7 +709,7 @@

    Functions

    -def validate_and_normalise_user_input(api_key: Union[str, None], override: Optional[InputOverrideConfig] = None) ‑> DashboardConfig +def validate_and_normalise_user_input(api_key: Union[str, None], admins: Optional[List[str]], override: Optional[InputOverrideConfig] = None) ‑> DashboardConfig
    @@ -706,14 +720,23 @@

    Functions

    def validate_and_normalise_user_input(
         # app_info: AppInfo,
         api_key: Union[str, None],
    +    admins: Optional[List[str]],
         override: Optional[InputOverrideConfig] = None,
     ) -> DashboardConfig:
     
         if override is None:
             override = InputOverrideConfig()
     
    +    if api_key is not None and admins is not None:
    +        log_debug_message(
    +            "User Dashboard: Providing 'admins' has no effect when using an api key."
    +        )
    +
    +    admins = [normalise_email(a) for a in admins] if admins is not None else None
    +
         return DashboardConfig(
             api_key,
    +        admins,
             OverrideConfig(
                 functions=override.functions,
                 apis=override.apis,
    @@ -723,7 +746,7 @@ 

    Functions

    -def validate_api_key(req: BaseRequest, config: DashboardConfig, _user_context: Dict[str, Any]) ‑> bool +async def validate_api_key(req: BaseRequest, config: DashboardConfig, _user_context: Dict[str, Any]) ‑> bool
    @@ -731,7 +754,7 @@

    Functions

    Expand source code -
    def validate_api_key(
    +
    async def validate_api_key(
         req: BaseRequest, config: DashboardConfig, _user_context: Dict[str, Any]
     ) -> bool:
         api_key_header_value = req.get_header("authorization")
    @@ -749,7 +772,7 @@ 

    Classes

    class DashboardConfig -(api_key: Union[str, None], override: OverrideConfig, auth_mode: str) +(api_key: Optional[str], admins: Optional[List[str]], override: OverrideConfig, auth_mode: str)
    @@ -759,9 +782,14 @@

    Classes

    class DashboardConfig:
         def __init__(
    -        self, api_key: Union[str, None], override: OverrideConfig, auth_mode: str
    +        self,
    +        api_key: Optional[str],
    +        admins: Optional[List[str]],
    +        override: OverrideConfig,
    +        auth_mode: str,
         ):
             self.api_key = api_key
    +        self.admins = admins
             self.override = override
             self.auth_mode = auth_mode
    diff --git a/html/supertokens_python/recipe/session/asyncio/index.html b/html/supertokens_python/recipe/session/asyncio/index.html index 4bd8ea7f5..4b08c49d3 100644 --- a/html/supertokens_python/recipe/session/asyncio/index.html +++ b/html/supertokens_python/recipe/session/asyncio/index.html @@ -69,6 +69,7 @@

    Module supertokens_python.recipe.session.asyncio< get_session_from_request, refresh_session_in_request, ) +from ..constants import protected_props from ..utils import get_required_claim_validators from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID @@ -134,6 +135,10 @@

    Module supertokens_python.recipe.session.asyncio< final_access_token_payload = {**access_token_payload, "iss": issuer} + for prop in protected_props: + if prop in final_access_token_payload: + del final_access_token_payload[prop] + for claim in claims_added_by_other_recipes: update = await claim.build(user_id, tenant_id, user_context) final_access_token_payload = {**final_access_token_payload, **update} @@ -668,6 +673,10 @@

    Functions

    final_access_token_payload = {**access_token_payload, "iss": issuer} + for prop in protected_props: + if prop in final_access_token_payload: + del final_access_token_payload[prop] + for claim in claims_added_by_other_recipes: update = await claim.build(user_id, tenant_id, user_context) final_access_token_payload = {**final_access_token_payload, **update} diff --git a/html/supertokens_python/recipe/session/constants.html b/html/supertokens_python/recipe/session/constants.html index cf4eb291e..1c7197924 100644 --- a/html/supertokens_python/recipe/session/constants.html +++ b/html/supertokens_python/recipe/session/constants.html @@ -70,6 +70,7 @@

    Module supertokens_python.recipe.session.constants

    diff --git a/html/supertokens_python/recipe/session/recipe_implementation.html b/html/supertokens_python/recipe/session/recipe_implementation.html index 7b84df195..59376da7c 100644 --- a/html/supertokens_python/recipe/session/recipe_implementation.html +++ b/html/supertokens_python/recipe/session/recipe_implementation.html @@ -75,6 +75,7 @@

    Module supertokens_python.recipe.session.recipe_implemen from supertokens_python import AppInfo from .interfaces import SessionContainer +from .constants import protected_props from supertokens_python.querier import Querier from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID @@ -406,8 +407,13 @@

    Module supertokens_python.recipe.session.recipe_implemen if session_info is None: return False + new_access_token_payload = session_info.custom_claims_in_access_token_payload + for k in protected_props: + if k in new_access_token_payload: + del new_access_token_payload[k] + new_access_token_payload = { - **session_info.custom_claims_in_access_token_payload, + **new_access_token_payload, **access_token_payload_update, } for k in access_token_payload_update.keys(): @@ -860,8 +866,13 @@

    Classes

    if session_info is None: return False + new_access_token_payload = session_info.custom_claims_in_access_token_payload + for k in protected_props: + if k in new_access_token_payload: + del new_access_token_payload[k] + new_access_token_payload = { - **session_info.custom_claims_in_access_token_payload, + **new_access_token_payload, **access_token_payload_update, } for k in access_token_payload_update.keys(): @@ -1270,8 +1281,13 @@

    Methods

    if session_info is None: return False + new_access_token_payload = session_info.custom_claims_in_access_token_payload + for k in protected_props: + if k in new_access_token_payload: + del new_access_token_payload[k] + new_access_token_payload = { - **session_info.custom_claims_in_access_token_payload, + **new_access_token_payload, **access_token_payload_update, } for k in access_token_payload_update.keys(): diff --git a/html/supertokens_python/recipe/session/session_request_functions.html b/html/supertokens_python/recipe/session/session_request_functions.html index 50c0f6a92..f7f79339b 100644 --- a/html/supertokens_python/recipe/session/session_request_functions.html +++ b/html/supertokens_python/recipe/session/session_request_functions.html @@ -88,6 +88,7 @@

    Module supertokens_python.recipe.session.session_request set_request_in_user_context_if_not_defined, ) from supertokens_python.supertokens import Supertokens +from .constants import protected_props if TYPE_CHECKING: from supertokens_python.recipe.session.recipe import SessionRecipe @@ -268,6 +269,10 @@

    Module supertokens_python.recipe.session.session_request final_access_token_payload = {**access_token_payload, "iss": issuer} + for prop in protected_props: + if prop in final_access_token_payload: + del final_access_token_payload[prop] + for claim in claims_added_by_other_recipes: update = await claim.build(user_id, tenant_id, user_context) final_access_token_payload = {**final_access_token_payload, **update} @@ -538,6 +543,10 @@

    Functions

    final_access_token_payload = {**access_token_payload, "iss": issuer} + for prop in protected_props: + if prop in final_access_token_payload: + del final_access_token_payload[prop] + for claim in claims_added_by_other_recipes: update = await claim.build(user_id, tenant_id, user_context) final_access_token_payload = {**final_access_token_payload, **update} diff --git a/html/supertokens_python/utils.html b/html/supertokens_python/utils.html index c6ca29c90..9664de780 100644 --- a/html/supertokens_python/utils.html +++ b/html/supertokens_python/utils.html @@ -387,7 +387,11 @@

    Module supertokens_python.utils

    self.mutex.unlock() if exc_type is not None: - raise exc_type(exc_value).with_traceback(traceback)

    + raise exc_type(exc_value).with_traceback(traceback) + + +def normalise_email(email: str) -> str: + return email.strip().lower()
    @@ -702,6 +706,19 @@

    Functions

    return _get_max_version(version, minimum_version) == version
    +
    +def normalise_email(email: str) ‑> str +
    +
    +
    +
    + +Expand source code + +
    def normalise_email(email: str) -> str:
    +    return email.strip().lower()
    +
    +
    def normalise_http_method(method: str) ‑> str
    @@ -1036,6 +1053,7 @@

    Index

  • is_5xx_error
  • is_an_ip_address
  • is_version_gte
  • +
  • normalise_email
  • normalise_http_method
  • resolve
  • send_200_response