fix: ocp only decorator not required user as param

open-contracting · Jun 20, 2023 · 8896cdb · 8896cdb
1 parent 6ce294b
commit 8896cdb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 8 deletions.
diff --git a/app/utils/permissions.py b/app/utils/permissions.py
@@ -5,19 +5,25 @@
 from ..schema.core import User
 
 
-def OCP_only():
+def OCP_only(setUser=False):
     def decorator(func):
         @wraps(func)
         async def wrapper(*args, **kwargs):
             current_user = kwargs.get("current_user")
+            if not current_user:
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Invalid credentials",
+                )
             session = kwargs.get("session")
 
             # Retrieve the user from the session using external_id
             user = session.query(User).filter(User.external_id == current_user).first()
 
             # Check if the user has the required permission
             if user and user.is_OCP():
-                kwargs["user"] = user  # Pass the user as a keyword argument
+                if setUser:
+                    kwargs["user"] = user  # Pass the user as a keyword argument
                 return await func(*args, **kwargs)
             else:
                 raise HTTPException(

diff --git a/app/utils/verify_token.py b/app/utils/verify_token.py
@@ -1,7 +1,7 @@
 from typing import Dict, List, Optional
 
 import requests
-from fastapi import Depends, HTTPException, Request
+from fastapi import Depends, HTTPException, Request, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from jose import JWTError, jwk, jwt
 from jose.utils import base64url_decode
@@ -43,7 +43,9 @@ def verify_jwk_token(self, jwt_credentials: JWTAuthorizationCredentials) -> bool
         try:
             public_key = self.kid_to_jwk[jwt_credentials.header["kid"]]
         except KeyError:
-            raise HTTPException(status_code=403, detail="JWK public key not found")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN, detail="JWK public key not found"
+            )
 
         key = jwk.construct(public_key)
         decoded_signature = base64url_decode(jwt_credentials.signature.encode())
@@ -57,7 +59,8 @@ async def __call__(self, request: Request) -> Optional[JWTAuthorizationCredentia
         if credentials:
             if not credentials.scheme == "Bearer":
                 raise HTTPException(
-                    status_code=403, detail="Wrong authentication method"
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Wrong authentication method",
                 )
 
             jwt_token = credentials.credentials
@@ -73,12 +76,21 @@ async def __call__(self, request: Request) -> Optional[JWTAuthorizationCredentia
                     message=message,
                 )
             except JWTError:
-                raise HTTPException(status_code=403, detail="JWK invalid")
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN, detail="JWK invalid"
+                )
 
             if not self.verify_jwk_token(jwt_credentials):
-                raise HTTPException(status_code=403, detail="JWK invalid")
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN, detail="JWK invalid"
+                )
 
             return jwt_credentials
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not authenticated",
+            )
 
 
 JsonPublicKeys = None
@@ -106,7 +118,9 @@ async def get_current_user(
     try:
         return credentials.claims["username"]
     except KeyError:
-        raise HTTPException(status_code=403, detail="Username missing")
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN, detail="Username missing"
+        )
 
 
 async def get_user(