[OAuth] Implement API for apps to fill in their own claim data

1fbc5ff6 · Nik | Klampfradler · 8596ad80 · 1fbc5ff6 · 1fbc5ff6 · 1fbc5ff6
Verified Commit 1fbc5ff6 authored 3 years ago by Nik | Klampfradler
--- a/aleksis/core/apps.py
+++ b/aleksis/core/apps.py
@@ -9,6 +9,7 @@ from django.utils.translation import gettext as _

 from dynamic_preferences.registries import preference_models
 from health_check.plugins import plugin_dir
+from oauthlib.common import Request as OauthlibRequest

 from .registries import (
    group_preferences_registry,
@@ -156,3 +157,49 @@ class CoreConfig(AppConfig):
                "groups": _("Groups"),
            }
        return scopes
+
+    @classmethod
+    def get_additional_claims(cls, scopes: list[str], request: OauthlibRequest) -> dict[str, Any]:
+        django_request = HttpRequest()
+        django_request.META = request.headers
+
+        claims = {
+            "preferred_username": request.user.username,
+        }
+
+        if "profile" in scopes:
+            if has_person(request.user):
+                claims["given_name"] = request.user.person.first_name
+                claims["family_name"] = request.user.person.last_name
+                claims["profile"] = django_request.build_absolute_uri(
+                    request.user.person.get_absolute_url()
+                )
+                if request.user.person.photo:
+                    claims["picture"] = django_request.build_absolute_uri(
+                        request.user.person.photo.url
+                    )
+            else:
+                claims["given_name"] = request.user.first_name
+                claims["family_name"] = request.user.last_name
+
+        if "email" in scopes:
+            if has_person(request.user):
+                claims["email"] = request.user.person.email
+            else:
+                claims["email"] = request.user.email
+
+        if "address" in scopes and has_person(request.user):
+            claims["address"] = {
+                "street_address": request.user.person.street
+                + " "
+                + request.user.person.housenumber,
+                "locality": request.user.person.place,
+                "postal_code": request.user.person.postal_code,
+            }
+
+        if "groups" in scopes and has_person(request.user):
+            claims["groups"] = list(
+                request.user.person.member_of.values_list("name", flat=True).all()
+            )
+
+        return claims
--- a/aleksis/core/util/apps.py
+++ b/aleksis/core/util/apps.py
@@ -8,6 +8,7 @@ from django.http import HttpRequest

 from dynamic_preferences.signals import preference_updated
 from license_expression import Licensing
+from oauthlib.common import Request as OauthlibRequest
 from spdx_license_list import LICENSES

 from .core_helpers import copyright_years
@@ -244,6 +245,11 @@ class AppConfig(django.apps.AppConfig):
        """Return a list of all OAuth scopes to always include for this request and application."""
        return []

+    @classmethod
+    def get_additional_claims(cls, scopes: list[str], request: OauthlibRequest) -> dict[str, Any]:
+        """Get claim data for requested scopes."""
+        return {}
+
    def _maintain_default_data(self):
        from django.contrib.auth.models import Permission
        from django.contrib.contenttypes.models import ContentType

--- a/aleksis/core/util/auth_helpers.py
+++ b/aleksis/core/util/auth_helpers.py
@@ -16,7 +16,6 @@ from oauth2_provider.views.mixins import (
 from oauthlib.common import Request as OauthlibRequest

 from .apps import AppConfig
-from .core_helpers import get_site_preferences, has_person


 class OurSocialAccountAdapter(DefaultSocialAccountAdapter):
@@ -43,52 +42,16 @@ class OurAccountAdapter(DefaultAccountAdapter):


 class CustomOAuth2Validator(OAuth2Validator):
-    def get_additional_claims(self, request):
-        django_request = HttpRequest()
-        django_request.META = request.headers
-
+    def get_additional_claims(self, request: OauthlibRequest) -> dict[str, Any]:
+        # Pull together scopes from request and from access token
        scopes = request.scopes.copy()
        if request.access_token:
            scopes += request.access_token.scope.split(" ")

-        claims = {
-            "preferred_username": request.user.username,
-        }
-
-        if "profile" in scopes:
-            if has_person(request.user):
-                claims["given_name"] = request.user.person.first_name
-                claims["family_name"] = request.user.person.last_name
-                claims["profile"] = django_request.build_absolute_uri(
-                    request.user.person.get_absolute_url()
-                )
-                if request.user.person.photo:
-                    claims["picture"] = django_request.build_absolute_uri(
-                        request.user.person.photo.url
-                    )
-            else:
-                claims["given_name"] = request.user.first_name
-                claims["family_name"] = request.user.last_name
-
-        if "email" in scopes:
-            if has_person(request.user):
-                claims["email"] = request.user.person.email
-            else:
-                claims["email"] = request.user.email
-
-        if "address" in scopes and has_person(request.user):
-            claims["address"] = {
-                "street_address": request.user.person.street
-                + " "
-                + request.user.person.housenumber,
-                "locality": request.user.person.place,
-                "postal_code": request.user.person.postal_code,
-            }
-
-        if "groups" in scopes and has_person(request.user):
-            claims["groups"] = list(
-                request.user.person.member_of.values_list("name", flat=True).all()
-            )
+        claims = {}
+        # Pull together claim data from all apps
+        for app in AppConfig.__subclasses__():
+            claims.update(app.get_additional_claims(scopes, request))

        return claims