ephraimbuddy commented on a change in pull request #15042:
URL: https://github.com/apache/airflow/pull/15042#discussion_r616884401
##########
File path: airflow/www/security.py
##########
@@ -728,3 +735,102 @@ def check_authorization(
return False
return True
+
+ # TODO: Whether to create APISecurityManager and move api related code to
it?
+ def is_user_logged_in(self):
+ """Raise if user already logged in"""
+ if g.user is not None and g.user.is_authenticated:
+ raise Unauthenticated(detail="Client already authenticated") #
For security
+
+ def login_with_user_pass(self, username, password):
+ """Convenience method for user login through the API"""
+ self.is_user_logged_in()
+ if self.auth_type not in (AUTH_DB, AUTH_LDAP):
+ raise Unauthenticated(detail="Authentication type do not match")
+ user = None
+ if self.auth_type == AUTH_DB:
+ user = self.auth_user_db(username, password)
+ elif self.auth_type == AUTH_LDAP:
+ user = self.auth_user_ldap(username, password)
+ return user
+
+ def oauth_authorization_url(self, app, provider, redirect_url):
+ """Get authorization url for oauth"""
+ self.is_user_logged_in()
+ if self.auth_type != AUTH_OAUTH:
+ raise Unauthenticated(detail="Authentication type do not match")
+ state = jwt.encode(
+ request.args.to_dict(flat=False),
+ app.config["SECRET_KEY"],
+ algorithm="HS256",
+ )
+ auth_provider = self.oauth_remotes[provider]
+ try:
+
+ if provider == "twitter":
+ redirect_uri = redirect_url + f"&state={state}"
+ auth_data =
auth_provider.create_authorization_url(redirect_uri=redirect_uri)
+ auth_provider.save_authorize_data(request,
redirect_uri=redirect_uri, **auth_data)
+ return dict(auth_url=auth_data['url'])
+ else:
+ state = state.decode("ascii") if isinstance(state, bytes) else
state
+ auth_data = auth_provider.create_authorization_url(
+ redirect_uri=redirect_url,
+ state=state,
+ )
+ auth_provider.save_authorize_data(request,
redirect_uri=redirect_url, **auth_data)
+ return dict(auth_url=auth_data['url'])
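Review bot: In the `twitter` branch of `oauth_authorization_url`, `state` is interpolated into `redirect_uri` before the bytes-to-str conversion, which only the `else` branch performs. On a PyJWT release where `jwt.encode` returns bytes, the URL would carry `&state=b'...'`, and the callback could not verify that value as a token. The concatenation also assumes `redirect_url` already contains a query string, and it appends the token without URL-encoding. I would hoist `state = state.decode("ascii") if isinstance(state, bytes) else state` above `if provider == "twitter":` and build the parameter with `urllib.parse.urlencode({"state": state})`. Separately, the payload signed with `SECRET_KEY` is the raw query arguments with no `exp` claim, so as far as this hunk shows a captured state value never expires. The `try:` has no handler in the visible lines, so the function continues outside the hunk.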
Review comment:
 The OAuth providers don't send specific items back when you do a
 redirect using the API, and the way OpenAPI works, you can't send an arbitrary
 number of items to the request endpoint. The API must know what it expects and
 raises when it gets additional items in the query. It would only work if there
 were a way to make it accept additional items in the query string.
 My first design was to have it routed internally, but I later found out
 that OpenAPI is strict about the items in the query string.