feat: oauth provider

.pylintrc

@@ -124,6 +124,7 @@ disable=raw-checker-failed,
         no-else-raise,
         too-many-nested-blocks,
         broad-exception-raised,
+        too-many-public-methods,
 
 
 # Enable the message, report, category or checker with the given id(s). You can

supertokens_python/auth_utils.py

@@ -536,7 +536,7 @@ async def check_auth_type_and_linking_status(
         if session_user_result.status == "SHOULD_AUTOMATICALLY_LINK_FALSE":
             if should_try_linking_with_session_user is True:
                 raise BadInputError(
-                    "should_do_automatic_account_linking returned false when creating primary user but shouldTryLinkingWithSessionUser is true"
+                    "shouldDoAutomaticAccountLinking returned false when making the session user primary but shouldTryLinkingWithSessionUser is true"
                 )
             return OkFirstFactorResponse()
         elif (
@@ -565,7 +565,7 @@ async def check_auth_type_and_linking_status(
         if isinstance(should_link, ShouldNotAutomaticallyLink):
             if should_try_linking_with_session_user is True:
                 raise BadInputError(
-                    "should_do_automatic_account_linking returned false when creating primary user but shouldTryLinkingWithSessionUser is true"
+                    "shouldDoAutomaticAccountLinking returned false when making the session user primary but shouldTryLinkingWithSessionUser is true"
                 )
             return OkFirstFactorResponse()
         else:

supertokens_python/framework/django/django_response.py

@@ -88,3 +88,9 @@ def set_json_content(self, content: Dict[str, Any]):
                 separators=(",", ":"),
             ).encode("utf-8")
             self.response_sent = True
+
+    def redirect(self, url: str) -> BaseResponse:
+        if not self.response_sent:
+            self.set_header("Location", url)
+            self.set_status_code(302)
+        return self

supertokens_python/framework/fastapi/fastapi_response.py

@@ -94,3 +94,9 @@ def set_json_content(self, content: Dict[str, Any]):
             self.set_header("Content-Length", str(len(body)))
             self.response.body = body
             self.response_sent = True
+
+    def redirect(self, url: str) -> BaseResponse:
+        if not self.response_sent:
+            self.set_header("Location", url)
+            self.set_status_code(302)
+        return self

supertokens_python/framework/flask/flask_response.py

@@ -85,3 +85,10 @@ def set_json_content(self, content: Dict[str, Any]):
                 separators=(",", ":"),
             ).encode("utf-8")
             self.response_sent = True
+
+    def redirect(self, url: str) -> BaseResponse:
+        self.set_header("Location", url)
+        self.set_status_code(302)
+        self.response.data = b""
+        self.response_sent = True
+        return self

supertokens_python/framework/request.py

@@ -47,6 +47,14 @@ async def json(self) -> Union[Any, None]:
     async def form_data(self) -> Dict[str, Any]:
         pass
 
+    async def get_json_or_form_data(self) -> Union[Dict[str, Any], None]:
+        content_type = self.get_header("Content-Type")
+        if content_type is None:
+            return None
+        if content_type.startswith("application/json"):
+            return await self.json()
+        return await self.form_data()
+
     @abstractmethod
     def method(self) -> str:
         pass

supertokens_python/framework/response.py

@@ -61,3 +61,7 @@ def set_json_content(self, content: Dict[str, Any]):
     @abstractmethod
     def set_html_content(self, content: str):
         pass
+
+    @abstractmethod
+    def redirect(self, url: str) -> "BaseResponse":
+        pass

supertokens_python/querier.py

@@ -402,28 +402,33 @@ async def send_put_request(
         self,
         path: NormalisedURLPath,
         data: Union[Dict[str, Any], None],
+        query_params: Union[Dict[str, Any], None],
         user_context: Union[Dict[str, Any], None],
     ) -> Dict[str, Any]:
         self.invalidate_core_call_cache(user_context)
         if data is None:
             data = {}
+        if query_params is None:
+            query_params = {}
 
         headers = await self.__get_headers_with_api_version(path, user_context)
         headers["content-type"] = "application/json; charset=utf-8"
 
         async def f(url: str, method: str) -> Response:
-            nonlocal headers, data
+            nonlocal headers, data, query_params
             if Querier.network_interceptor is not None:
                 (
                     url,
                     method,
                     headers,
-                    _,
+                    query_params,
                     data,
                 ) = Querier.network_interceptor(  # pylint:disable=not-callable
-                    url, method, headers, {}, data, user_context
+                    url, method, headers, query_params, data, user_context
                 )
-            return await self.api_request(url, method, 2, headers=headers, json=data)
+            return await self.api_request(
+                url, method, 2, headers=headers, json=data, params=query_params
+            )
 
         return await self.__send_request_helper(path, "PUT", f, len(self.__hosts))
 

supertokens_python/recipe/emailpassword/recipe_implementation.py

@@ -297,6 +297,7 @@ async def update_email_or_password(
         response = await self.querier.send_put_request(
             NormalisedURLPath("/recipe/user"),
             data,
+            None,
             user_context=user_context,
         )
 

supertokens_python/recipe/multitenancy/recipe_implementation.py

@@ -147,6 +147,7 @@ async def create_or_update_tenant(
         response = await self.querier.send_put_request(
             NormalisedURLPath("/recipe/multitenancy/tenant/v2"),
             json_body,
+            None,
             user_context=user_context,
         )
         return CreateOrUpdateTenantOkResult(
@@ -217,6 +218,7 @@ async def create_or_update_third_party_config(
                 "config": config.to_json(),
                 "skipValidation": skip_validation is True,
             },
+            None,
             user_context=user_context,
         )
 

supertokens_python/recipe/oauth2provider/__init__.py

@@ -0,0 +1,33 @@
+# Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+#
+# This software is licensed under the Apache License, Version 2.0 (the
+# "License") as published by the Apache Software Foundation.
+#
+# You may not use this file except in compliance with the License. You may
+# obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Callable, Union
+
+from . import exceptions as ex
+from . import recipe, utils
+
+exceptions = ex
+InputOverrideConfig = utils.InputOverrideConfig
+
+if TYPE_CHECKING:
+    from supertokens_python.supertokens import AppInfo
+
+    from ...recipe_module import RecipeModule
+
+
+def init(
+    override: Union[InputOverrideConfig, None] = None,
+) -> Callable[[AppInfo], RecipeModule]:
+    return recipe.OAuth2ProviderRecipe.init(override)

supertokens_python/recipe/oauth2provider/api/__init__.py

@@ -0,0 +1,23 @@
+# Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+#
+# This software is licensed under the Apache License, Version 2.0 (the
+# "License") as published by the Apache Software Foundation.
+#
+# You may not use this file except in compliance with the License. You may
+# obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from .auth import auth_get  # type: ignore
+from .end_session import end_session_get, end_session_post  # type: ignore
+from .introspect_token import introspect_token_post  # type: ignore
+from .login_info import login_info_get  # type: ignore
+from .login import login  # type: ignore
+from .logout import logout_post  # type: ignore
+from .revoke_token import revoke_token_post  # type: ignore
+from .token import token_post  # type: ignore
+from .user_info import user_info_get  # type: ignore

supertokens_python/recipe/oauth2provider/api/auth.py

@@ -0,0 +1,103 @@
+# Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+#
+# This software is licensed under the Apache License, Version 2.0 (the
+# "License") as published by the Apache Software Foundation.
+#
+# You may not use this file except in compliance with the License. You may
+# obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from __future__ import annotations
+
+from http.cookies import SimpleCookie
+from typing import TYPE_CHECKING, Any, Dict
+from urllib.parse import parse_qsl
+from dateutil import parser
+
+from supertokens_python.recipe.session.asyncio import get_session
+from supertokens_python.recipe.session.exceptions import TryRefreshTokenError
+from supertokens_python.utils import send_200_response, send_non_200_response
+
+if TYPE_CHECKING:
+    from ..interfaces import (
+        APIOptions,
+        APIInterface,
+    )
+
+
+async def auth_get(
+    _tenant_id: str,
+    api_implementation: APIInterface,
+    api_options: APIOptions,
+    user_context: Dict[str, Any],
+):
+    from ..interfaces import (
+        RedirectResponse,
+        ErrorOAuth2Response,
+    )
+
+    if api_implementation.disable_auth_get is True:
+        return None
+
+    original_url = api_options.request.get_original_url()
+    split_url = original_url.split("?", 1)
+    params = dict(parse_qsl(split_url[1], True)) if len(split_url) > 1 else {}
+
+    session = None
+    should_try_refresh = False
+    try:
+        session = await get_session(
+            api_options.request,
+            session_required=False,
+            user_context=user_context,
+        )
+        should_try_refresh = False
+    except Exception as error:
+        session = None
+
+        # should_try_refresh = False should generally not happen, but we can handle this as if the session is not present,
+        # because then we redirect to the frontend, which should handle the validation error
+        should_try_refresh = isinstance(error, TryRefreshTokenError)
+
+    response = await api_implementation.auth_get(
+        params=params,
+        cookie=api_options.request.get_header("cookie"),
+        session=session,
+        should_try_refresh=should_try_refresh,
+        options=api_options,
+        user_context=user_context,
+    )
+
+    if isinstance(response, RedirectResponse):
+        if response.cookies:
+            for cookie_string in response.cookies:
+                cookie = SimpleCookie()
+                cookie.load(cookie_string)
+                for morsel in cookie.values():
+                    api_options.response.set_cookie(
+                        key=morsel.key,
+                        value=morsel.value,
+                        domain=morsel.get("domain"),
+                        secure=morsel.get("secure", True),
+                        httponly=morsel.get("httponly", True),
+                        expires=parser.parse(morsel.get("expires", "")).timestamp() * 1000,  # type: ignore
+                        path=morsel.get("path", "/"),
+                        samesite=morsel.get("samesite", "lax"),
+                    )
+        return api_options.response.redirect(response.redirect_to)
+    elif isinstance(response, ErrorOAuth2Response):
+        return send_non_200_response(
+            {
+                "error": response.error,
+                "error_description": response.error_description,
+            },
+            response.status_code or 400,
+            api_options.response,
+        )
+    else:
+        return send_200_response(response.to_json(), api_options.response)