-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adds FEIDE verification using OIDC. The user authenticates with our FEIDE app, and we use their groups API to retrieve the users groups, including study programmes. This allows us to verify the students eligibility to become a member in Abakus, and set their grade and program automatically.
- Loading branch information
Showing
11 changed files
with
186 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
lego/apps/users/migrations/0040_user_student_verification_status.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Generated by Django 4.0.10 on 2023-07-28 13:19 | ||
|
||
from django.db import migrations, models | ||
|
||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
('users', '0039_user_github_username'), | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name='user', | ||
name='student_verification_status', | ||
field=models.BooleanField(blank=True, null=True), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
from django.conf import settings | ||
from django.core.cache import caches | ||
from django.http import HttpResponse | ||
from rest_framework import status, viewsets | ||
from rest_framework.decorators import action | ||
from rest_framework.permissions import IsAuthenticated | ||
from rest_framework.request import Request | ||
from rest_framework.response import Response | ||
|
||
import requests | ||
import sentry_sdk | ||
from authlib.integrations.base_client.errors import MismatchingStateError | ||
from authlib.integrations.django_client import OAuth | ||
from structlog import get_logger | ||
|
||
from lego.apps.users.serializers.student_confirmation import FeideAuthorizeSerializer | ||
|
||
log = get_logger() | ||
|
||
oauth_cache = caches["oauth"] | ||
|
||
oauth = OAuth(cache=oauth_cache) | ||
oauth.register( | ||
name="feide", | ||
client_id=settings.FEIDE_OIDC_CLIENT_ID, | ||
client_secret=settings.FEIDE_OIDC_CLIENT_SECRET, | ||
server_metadata_url=settings.FEIDE_OIDC_CONFIGURATION_ENDPOINT, | ||
client_kwargs={"scope": "openid"}, | ||
) | ||
|
||
|
||
class OIDCViewSet(viewsets.GenericViewSet): | ||
permission_classes = (IsAuthenticated,) | ||
|
||
@action(detail=False, methods=["GET"]) | ||
def authorize(self, request: Request) -> Response: | ||
# TODO Handle already student | ||
if request.user.is_verified_student: | ||
return Response({"status": "verified"}) | ||
redirect_uri = f"{settings.FRONTEND_URL}/users/me/settings/student-confirmation" | ||
auth_uri = oauth.feide.authorize_redirect(request, redirect_uri).url | ||
return Response( | ||
FeideAuthorizeSerializer({"url": auth_uri}).data, | ||
status=status.HTTP_200_OK, | ||
) | ||
|
||
@action(detail=False, methods=["GET"]) | ||
def validate(self, request: Request) -> HttpResponse: | ||
programme_names = [] | ||
|
||
try: | ||
token = oauth.feide.authorize_access_token(request) | ||
status = "success" | ||
except MismatchingStateError as e: | ||
sentry_sdk.capture_message("Failed while validating access token", "fatal") | ||
sentry_sdk.capture_exception(error=e) | ||
return Response( | ||
{ | ||
"status": "error", | ||
"detail": "Error when validating OAUTH acccess token", | ||
} | ||
) | ||
|
||
try: | ||
groups_res = requests.get( | ||
"https://groups-api.dataporten.no/groups/me/groups", | ||
headers={"Authorization": f"Bearer {token['access_token']}"}, | ||
) | ||
groups_res.raise_for_status() | ||
|
||
groups = groups_res.json() | ||
student_validation = request.user.verify_student(feide_groups=groups) | ||
if not student_validation: | ||
status = "unauthorized" | ||
programme_names = [ | ||
p["displayName"] | ||
for p in filter(lambda g: g["type"] == "fc:fs:prg", groups) | ||
] | ||
|
||
except requests.HTTPError as e: | ||
sentry_sdk.capture_message("Failed while obtaining FEIDE groups", "fatal") | ||
sentry_sdk.capture_exception(error=e) | ||
status = "error" | ||
|
||
return Response({"status": status, "studyProgrammes": programme_names}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters