Added cognito authentication - Fix 4
All checks were successful
AWS Deploy on Push / build (push) Successful in 1m11s
All checks were successful
AWS Deploy on Push / build (push) Successful in 1m11s
This commit is contained in:
@@ -1,16 +1,16 @@
|
|||||||
import os
|
import os
|
||||||
import boto3
|
import boto3
|
||||||
import requests
|
import requests
|
||||||
|
import jwt
|
||||||
from fastapi import Depends, HTTPException, status
|
from fastapi import Depends, HTTPException, status
|
||||||
from fastapi.security import OAuth2AuthorizationCodeBearer
|
from fastapi.security import OAuth2AuthorizationCodeBearer
|
||||||
from fastapi.responses import RedirectResponse
|
from fastapi.responses import RedirectResponse
|
||||||
from typing import Optional
|
|
||||||
|
|
||||||
REGION = "us-east-2"
|
REGION = "us-east-2"
|
||||||
USER_POOL_ID = os.getenv("COGNITO_USER_POOL_ID")
|
USER_POOL_ID = os.getenv("COGNITO_USER_POOL_ID")
|
||||||
CLIENT_ID = os.getenv("COGNITO_CLIENT_ID")
|
CLIENT_ID = os.getenv("COGNITO_CLIENT_ID")
|
||||||
DOMAIN = f"https://iptv-updater.auth.{REGION}.amazoncognito.com"
|
DOMAIN = f"https://iptv-updater.auth.{REGION}.amazoncognito.com"
|
||||||
REDIRECT_URI = "http://localhost:8000/auth/callback"
|
REDIRECT_URI = f"http://localhost:8000/auth/callback"
|
||||||
|
|
||||||
oauth2_scheme = OAuth2AuthorizationCodeBearer(
|
oauth2_scheme = OAuth2AuthorizationCodeBearer(
|
||||||
authorizationUrl=f"{DOMAIN}/oauth2/authorize",
|
authorizationUrl=f"{DOMAIN}/oauth2/authorize",
|
||||||
@@ -29,6 +29,7 @@ def exchange_code_for_token(code: str):
|
|||||||
response = requests.post(token_url, data=data)
|
response = requests.post(token_url, data=data)
|
||||||
if response.status_code == 200:
|
if response.status_code == 200:
|
||||||
return response.json()
|
return response.json()
|
||||||
|
print(f"Token exchange failed: {response.text}") # Add logging
|
||||||
raise HTTPException(status_code=400, detail="Failed to exchange code for token")
|
raise HTTPException(status_code=400, detail="Failed to exchange code for token")
|
||||||
|
|
||||||
async def get_current_user(token: str = Depends(oauth2_scheme)):
|
async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||||
@@ -36,15 +37,25 @@ async def get_current_user(token: str = Depends(oauth2_scheme)):
|
|||||||
return RedirectResponse(
|
return RedirectResponse(
|
||||||
f"{DOMAIN}/login?client_id={CLIENT_ID}"
|
f"{DOMAIN}/login?client_id={CLIENT_ID}"
|
||||||
f"&response_type=code"
|
f"&response_type=code"
|
||||||
f"&scope=openid"
|
f"&scope=openid+email+profile" # Added more scopes
|
||||||
f"&redirect_uri={REDIRECT_URI}"
|
f"&redirect_uri={REDIRECT_URI}"
|
||||||
)
|
)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
cognito = boto3.client('cognito-idp', region_name=REGION)
|
# Decode JWT token instead of using get_user
|
||||||
response = cognito.get_user(AccessToken=token)
|
decoded = jwt.decode(
|
||||||
return response
|
token,
|
||||||
|
options={"verify_signature": False} # We trust tokens from Cognito
|
||||||
|
)
|
||||||
|
return {
|
||||||
|
"Username": decoded.get("email") or decoded.get("sub"),
|
||||||
|
"UserAttributes": [
|
||||||
|
{"Name": k, "Value": v}
|
||||||
|
for k, v in decoded.items()
|
||||||
|
]
|
||||||
|
}
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|
print(f"Token verification failed: {str(e)}") # Add logging
|
||||||
raise HTTPException(
|
raise HTTPException(
|
||||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||||
detail="Invalid authentication credentials",
|
detail="Invalid authentication credentials",
|
||||||
|
|||||||
Reference in New Issue
Block a user