# DomoAuth

> Fill in a module description here


In [None]:
# | default_exp DomoAuth

In [None]:
# | hide
from nbdev.showdoc import *
from fastcore.test import test_eq

In [None]:
# | exporti

from dataclasses import dataclass, field

import aiohttp
from typing import Optional, Union
import nbdev_domo.ResponseGetData as rgd
import nbdev_domo.Logger as lg
from nbdev_domo.Transport import TransportAsync

# Authentication Routes

The nbdev_domo library was designed to support object-oriented / class-based programming; however, all routes are stand-alone functions for users who prefer a functional programming approach

## Full Auth Route - username and password authentication

If SSO is enabled, users must have direct-sign-on ([SSO KB](https://domo-support.domo.com/s/article/360042934374?language=en_US)) access to use this authentication method.


In [None]:
# | export
async def get_full_auth(
    domo_instance: str,  # domo_instance.domo.com
    domo_username: str,  # email address
    domo_password: str,
    session: Optional[aiohttp.ClientSession] = None,
) -> rgd.ResponseGetData:
    """uses username and password authentication to retrieve a full_auth access token"""

    url = f"https://{domo_instance}.domo.com/api/content/v2/authentication"

    body = {
        "method": "password",
        "emailAddress": domo_username,
        "password": domo_password,
    }

    transport = TransportAsync(session=session)

    return await transport.post(url=url, body=body, session=session)

#### Sample Implementations of get_full_auth


In [None]:
# load creds from env
import os
import json

try:
    creds = json.loads(os.environ['DOMO_DOJO'])
except:
    creds = {}

domo_instance = creds.get('domo_instance') or "domo-dojo"
domo_username = creds.get('domo_username') or "test12@domo.com"
domo_password = creds.get('domo_password') or "test1234"

res = await get_full_auth(domo_instance, domo_username, domo_password)

# The 200 response confirms we were able to get a response from the credentials API,
test_eq(res.status, 200)

res

ResponseGetData(status=200, response={'userId': 1893952720, 'success': True, 'sessionToken': 'eyJjdXN0b21lcklkIjoibW1tbS0wMDEyLTAyMDAiLCJleHBpcmF0aW9uIjoxNjcyODk4MTc2MTkyLCJobWFjU2lnbmF0dXJlIjoiMDBmMWY3NGExNGM0OTY2MjMyMjAzZGM0YWM2YWJhMDhlMTgxZWM3MWE3NGJhMGZmOTE5ZTFjZGFjMjhlYmVjZSIsInJvbGUiOiJBZG1pbiIsInNpZCI6ImUzOWYyNmVmLWI2OGItNDlkNy04YzM4LWZhMDg3ZDA1ZDc4YiIsInRpbWVzdGFtcCI6MTY3Mjg2OTM3NjE5MiwidG9lcyI6IlVOS05PV05TSUQiLCJ1c2VySWQiOiIxODkzOTUyNzIwIn0%3D', 'twoFactorInfo': {'token': None, 'key': None, 'status': 'VALID', 'phoneMask': None}, 'userRole': 'Admin'}, is_success=True)

In [None]:
domo_instance = "test"
res = await get_full_auth(domo_instance, domo_username, domo_password)

# the 403 response confirms that there is no domo instance 'test.domo.com'
test_eq(res.status, 403)
res

ResponseGetData(status=403, response='Forbidden', is_success=False)

## Access Token Auth Route - access_token authentication

This access_token based authentication assumes the user has been provided a valid access token from Domo > Admin > Authentication > Access Token so authentication routes are actually not required.

Per the Domo JavaCLI implementation, users can test the validity of the access_token agains the 'me' API

!! Note about the Me API !!
It appears that access_token authentication will always authenticate against the 'correct' domo_instance regardless of the parameter provided. Ths appears to be a bug in the domo_api


In [None]:
# | export
async def test_access_token(
    domo_access_token: str,  # as provided in Domo > Admin > Authentication > AccessTokens
    domo_instance: str,  # <domo_instance>.domo.com
    session: Optional[aiohttp.ClientSession] = None,
):
    """
    will attempt to validate against the 'me' API.
    This is the same authentication test the Domo Java CLI uses.
    """

    url = f"https://{domo_instance}.domo.com/api/content/v2/users/me"

    transport = TransportAsync(
        session=session, auth_header={"X-DOMO-Developer-Token": domo_access_token}
    )

    return await transport.get(url=url)

#### Sample implementation of `test_access_token`


In [None]:
# load creds from env
import os

try:
    creds = os.environ['DOMO_DOJO_ACCESS_TOKEN']
except:
    creds = None

domo_instance = "test"
domo_access_token = creds or "test123"

await test_access_token(
    domo_instance=domo_instance, domo_access_token=domo_access_token
)

ResponseGetData(status=200, response={'id': 1893952720, 'invitorUserId': 587894148, 'displayName': 'Jae Wilson', 'userName': 'jae@onyxreporting.com', 'emailAddress': 'jae@onyxreporting.com', 'avatarKey': 'c605f478-0cd2-4451-9fd4-d82090b71e66', 'accepted': True, 'userType': 'USER', 'modified': 1651692505000, 'created': 1588960518, 'role': 'Admin', 'rights': 63, 'active': True, 'pending': False, 'systemUser': False, 'anonymous': False}, is_success=True)

## Developer Auth Route - client_id and secret authentication


In [None]:
# | export
async def get_developer_auth(
    domo_client_id: str,
    domo_client_secret: str,
    session: Optional[aiohttp.ClientSession] = None,
) -> rgd.ResponseGetData:

    """
    only use for authenticating against apis documented under developer.domo.com
    """

    url = "https://api.domo.com/oauth/token?grant_type=client_credentials"

    is_close_session = False

    if not session:
        is_close_session = True
        session = aiohttp.ClientSession(
            auth=aiohttp.BasicAuth(domo_client_id, domo_client_secret)
        )

    transport = TransportAsync(session=session)
    res = await transport.get(url=url)

    if is_close_session:
        await session.close()

    return res

#### Sample Implementations of get_developer_auth

The 401 response is expected because we are using invalid credentials


In [None]:
domo_client_id = "test_id"
domo_client_secret = "test_secret"

await get_developer_auth(domo_client_id, domo_client_secret)

ResponseGetData(status=401, response='Unauthorized', is_success=False)

# MAIN - Authentication Classes


In [None]:
# | hide
# different auth flows will have different required and optional parameters.
# The libraries use inheritance to mix-in parameters and methods as appropriate.
# The DomoAuth class is an abstract class with stubbed abstract methods which should be overwritten in the actual implementation.

In [None]:
# | exporti
@dataclass
class _DomoAuth_Required:
    """required parameters for all Domo Auth classes"""

    domo_instance: str

    def __post_init__(self):
        if self.domo_instance:
            self.set_manual_login()

    def set_manual_login(self):
        self.url_manual_login = (
            f"https://{self.domo_instance}.domo.com/auth/index?domoManualLogin=true"
        )


@dataclass
class _DomoAuth_Optional:
    """optional parameters for Domo Auth classes that should be defined during initialization or during the Token / Authenitcation process"""

    token: Optional[str] = field(default=None, repr=False)
    token_name: Optional[str] = field(default=None)
    user_id: Optional[str] = field(default=None, repr=False)
    auth_header: dict = field(default_factory=dict, repr=False)

    url_manual_login: Optional[str] = None

    logger : Optional[lg.Logger] = None

    async def get_auth_token(self) -> Union[str, None]:
        """placeholder method"""
        pass

    async def generate_auth_header(self) -> Union[dict, None]:
        """returns auth header appropriate for this authentication method"""
        pass

In [None]:
# | export
@dataclass
class DomoAuth(_DomoAuth_Optional, _DomoAuth_Required):
    """abstract DomoAuth class with all parameters and methods common across all Auth methods"""

    pass


In [None]:
# Attributes of `DomoAuth`
domo_instance = "test"
[attr for attr in dir(DomoAuth(domo_instance)) if not attr.startswith("__")]

['auth_header',
 'domo_instance',
 'generate_auth_header',
 'get_auth_token',
 'logger',
 'set_manual_login',
 'token',
 'token_name',
 'url_manual_login',
 'user_id']

In [None]:
# | hide
# validate can print manual login link
domo_instance = "test"

da = DomoAuth(domo_instance)
da.url_manual_login

'https://test.domo.com/auth/index?domoManualLogin=true'

## DomoAuth Error Classes

Used to raise exceptions during authentication process.


In [None]:
# | exporti
class DomoErrror(Exception):
    """base exception"""

    def __init__(
        self,
        status: Optional[int] = None,  # API request status
        message: str = "error",  # <domo_instance>.domo.com
        domo_instance: Optional[str] = None,
    ):

        instance_str = f" at {domo_instance}" if domo_instance else ""
        status_str = f"Status {status} - " if status else ""
        self.message = f"{status_str}{message}{instance_str}"
        super().__init__(self.message)

In [None]:
# | export
class InvalidCredentialsError(DomoErrror):
    """return invalid credentials sent to API"""

    def __init__(
        self,
        status: Optional[int] = None,  # API request status
        message="invalid credentials",
        domo_instance: Optional[str] = None,
    ):

        super().__init__(status=status, message=message, domo_instance=domo_instance)


class InvalidInstanceError(DomoErrror):
    """return if invalid domo_instance sent to API"""

    def __init__(
        self,
        status: Optional[int] = None,
        message="invalid instance",
        domo_instance: Optional[str] = None,
    ):
        super().__init__(status=status, message=message, domo_instance=domo_instance)

In [None]:
# | hide
# validates that Errors can compile
test_eq(isinstance(InvalidCredentialsError(), InvalidCredentialsError), True)
test_eq(isinstance(InvalidCredentialsError(), InvalidCredentialsError), True)
test_eq(isinstance(InvalidInstanceError(), InvalidInstanceError), True)

## DomoFullAuth


In [None]:
# | exporti
@dataclass
class _DomoFullAuth_Required(_DomoAuth_Required):
    """mix requied parameters for DomoFullAuth"""

    domo_username: str
    domo_password: str = field(repr=False)


In [None]:
# | export
@dataclass
class DomoFullAuth(_DomoAuth_Optional, _DomoFullAuth_Required):
    """use for full authentication token"""

    def __post_init__(self):
        if not self.logger:
            self.logger = lg.Logger(app_name = 'default_domo_full_auth', domo_instance = self.domo_instance)
            

    async def generate_auth_header(self, token: str = None) -> dict:
        if not self.token:
            await self.get_auth_token()

        self.auth_header = {"x-domo-authentication": token or self.token}
        return self.auth_header

    async def get_auth_token(
        self,
        session: Optional[aiohttp.ClientSession] = None,
    ) -> str:
        """returns `token` if valid credentials provided else raises Exception and returns None"""

        res = await get_full_auth(
            domo_instance=self.domo_instance,
            domo_username=self.domo_username,
            domo_password=self.domo_password,
            session=session,
        )

        if res.is_success and res.response.get("reason") == "INVALID_CREDENTIALS":
            message = f"invalid credentials"
            
            self.logger.log_error(message)

            raise InvalidCredentialsError(
                status=res.status,
                message=message,
                domo_instance=self.domo_instance,
            )

        if res.status == 403:
            message = f"invalid instance"

            self.logger.log_error(message)

            raise InvalidInstanceError(
                status=res.status,
                message="INVALID INSTANCE",
                domo_instance=self.domo_instance,
            )

        token = str(res.response.get("sessionToken"))
        self.token = token
        self.user_id = str(res.response.get("userId"))

        if not self.token_name:
            self.token_name = "full_auth"

        return self.token

#### sample implementations of DomoFullAuth


In [None]:
import nbdev_domo.Logger as lg

domo_instance = "domo-dojo"
domo_username = "test12@domo.com"
domo_password = "test1234"

logger = lg.Logger(app_name = 'test_auth', domo_instance= domo_instance)

try:
    full_auth = DomoFullAuth(domo_instance, domo_username, domo_password, logger = logger)
    res = await full_auth.get_auth_token()

except InvalidCredentialsError as e:
    print(e)

logger.logs

Status 200 - invalid credentials at domo-dojo


[{'date_time': datetime.datetime(2023, 1, 4, 21, 56, 20, 198850),
  'application': 'test_auth',
  'log_type': 'Error',
  'log_message': 'invalid credentials',
  'breadcrumb': '',
  'domo_instance': 'domo-dojo',
  'entity_id': None,
  'function_name': 'get_auth_token',
  'file_name': '/tmp/ipykernel_6583/4043354304.py',
  'function_trail': '<module> -> get_auth_token'}]

In [None]:
domo_instance = "test"

try:
    full_auth = DomoFullAuth(domo_instance, domo_username, domo_password)
    await full_auth.get_auth_token()
    
except InvalidInstanceError as e:
    print(e)

full_auth.logger.logs

Status 403 - INVALID INSTANCE at test


[{'date_time': datetime.datetime(2023, 1, 4, 21, 56, 20, 527823),
  'application': 'default_domo_full_auth',
  'log_type': 'Error',
  'log_message': 'invalid instance',
  'breadcrumb': '',
  'domo_instance': 'test',
  'entity_id': None,
  'function_name': 'get_auth_token',
  'file_name': '/tmp/ipykernel_6583/4043354304.py',
  'function_trail': '<module> -> get_auth_token'}]

In [None]:
# | hide
test_eq(isinstance(DomoAuth(domo_instance=domo_instance), DomoAuth), True)

test_eq(
    isinstance(
        DomoFullAuth(
            domo_instance=domo_instance,
            domo_password=domo_password,
            domo_username=domo_username,
        ),
        DomoFullAuth,
    ),
    True,
)

## DomoTokenAuth


In [None]:
# | exporti
@dataclass
class _DomoTokenAuth_Required(_DomoAuth_Required):
    """mix requied parameters for DomoFullAuth"""

    domo_access_token: str = field(repr=False)

In [None]:
# | export
@dataclass
class DomoTokenAuth(_DomoAuth_Optional, _DomoTokenAuth_Required):
    """
    use for access_token authentication.
    Tokens are generated in domo > admin > access token
    Necessary in cases where direct sign on is not permitted
    """

    def __post_init__(self):
        if not self.logger:
            self.logger = lg.Logger(app_name='default_domo_token_auth', domo_instance = self.domo_instance)

    def generate_auth_header(self, token: str) -> dict:
        self.auth_header = {"x-domo-developer-token": token}
        return self.auth_header

    async def get_auth_token(
        self, session: Optional[aiohttp.ClientSession] = None
    ) -> str:
        """
        updates internal attributes
        having an access_token assumes pre-authenticaiton
        """

        res = await test_access_token(
            domo_instance=self.domo_instance,
            domo_access_token=self.domo_access_token,
            session=session,
        )

        if res.status == 401 and res.response == "Unauthorized":
            message = res.response
            self.logger.log_error(message)

            raise InvalidCredentialsError(
                status=res.status,
                message=message,
                domo_instance=self.domo_instance,
            )

        self.token = self.domo_access_token
        self.user_id = res.response.get("id")

        self.auth_header = self.generate_auth_header(token=self.token)

        if not self.token_name:
            self.token_name = "token_auth"

        return self.token

#### Sample implementation of DomoTokenAuth


In [None]:
domo_instance = "test"
domo_access_token = "test_access_token"

try:
    domo_auth = DomoTokenAuth(domo_instance, domo_access_token)
    token = await domo_auth.get_auth_token()
    print(domo_auth.token)

except InvalidCredentialsError as e:
    print(e)

domo_auth.logger.logs

Status 401 - Unauthorized at test


[{'date_time': datetime.datetime(2023, 1, 4, 21, 56, 21, 303754),
  'application': 'default_domo_token_auth',
  'log_type': 'Error',
  'log_message': 'Unauthorized',
  'breadcrumb': '',
  'domo_instance': 'test',
  'entity_id': None,
  'function_name': 'get_auth_token',
  'file_name': '/tmp/ipykernel_6583/804034571.py',
  'function_trail': '<module> -> get_auth_token'}]

## DomoDeveloperAuth


In [None]:
# | exporti
@dataclass
class _DomoDeveloperAuth_Required(_DomoAuth_Required):
    """mix requied parameters for DomoFullAuth"""

    domo_client_id: str
    domo_client_secret: str = field(repr=False)

In [None]:
# | export
@dataclass(init=False)
class DomoDeveloperAuth(_DomoAuth_Optional, _DomoDeveloperAuth_Required):
    """use for full authentication token"""

    def __init__(self, domo_client_id: str, domo_client_secret: str, logger : Optional[lg.Logger] = None):
        self.domo_client_id = domo_client_id
        self.domo_client_secret = domo_client_secret
        self.domo_instance = ""

        self.logger = logger or lg.Logger(app_name='default_domo_developer_auth', domo_instance = self.domo_instance)

    async def generate_auth_header(self, token: str) -> dict:
        if not self.token:
            await self.get_auth_token()

        self.auth_header = {"Authorization": "bearer " + token}
        return self.auth_header

    async def get_auth_token(
        self,
        session: Optional[aiohttp.ClientSession] = None,
    ) -> str:

        res = await get_developer_auth(
            domo_client_id=self.domo_client_id,
            domo_client_secret=self.domo_client_secret,
            session=session,
        )

        if res.status == 401:
            message = str(res.response)

            self.logger.log_error(message)
            raise InvalidCredentialsError(
                status=res.status,
                message= message,
                domo_instance=self.domo_instance,
            )

        token = str(res.response.get("access_token"))
        self.token = token
        self.user_id = res.response.get("userId")
        self.domo_instance = res.response.get("domain")
        self.set_manual_login()

        self.auth_header = self.generate_auth_header(token=token)

        if not self.token_name:
            self.token_name = "developer_auth"

        return token

#### Sample implementations of DomoDeveloperAuth


In [None]:
domo_client_id = "test_client"
domo_client_secret = "test_secret"

try:
    domo_auth = DomoDeveloperAuth(domo_client_id = domo_client_id, domo_client_secret = domo_client_secret)
    await domo_auth.get_auth_token()
except InvalidCredentialsError as e:
    print(e)

domo_auth.logger.logs

Status 401 - Unauthorized


[{'date_time': datetime.datetime(2023, 1, 4, 21, 56, 21, 956105),
  'application': 'default_domo_developer_auth',
  'log_type': 'Error',
  'log_message': 'Unauthorized',
  'breadcrumb': '',
  'domo_instance': '',
  'entity_id': None,
  'function_name': 'get_auth_token',
  'file_name': '/tmp/ipykernel_6583/2043329489.py',
  'function_trail': '<module> -> get_auth_token'}]

In [None]:
# | hide
import nbdev

nbdev.nbdev_export()