misp/src/auth/service.py

"""
Module specific business logic for auth module

Exports:
 - claims_dependency
 - authed_dependency
"""
import json
import requests

from typing import Annotated, Any
from joserfc import jwt
from urllib.request import urlopen

from fastapi import Depends, HTTPException
from fastapi.security import OpenIdConnect
from joserfc.jwk import KeySet

from src.auth.config import auth_settings


oidc = OpenIdConnect(openIdConnectUrl=auth_settings.OIDC_CONFIG)
oidc_dependency = Annotated[str, Depends(oidc)]


async def get_current_user(oidc_auth_string: oidc_dependency) -> dict[str, Any]:
	config_url = urlopen(auth_settings.OIDC_CONFIG)
	config = json.loads(config_url.read())
	jwks_uri = config["jwks_uri"]
	key_response = requests.get(jwks_uri)
	jwk_keys = KeySet.import_key_set(key_response.json())

	claims_options = {
		"exp": {"essential": True},
		"aud": {"essential": True, "value": "account"},
		"iss": {"essential": True, "value": auth_settings.OIDC_ISSUER},
	}

	token = jwt.decode(
		oidc_auth_string.replace("Bearer ", ""),
		jwk_keys
	)

	claims_requests = jwt.JWTClaimsRegistry(**claims_options)

	claims_requests.validate(token.claims)

	return token.claims


claims_dependency = Annotated[dict[str, Any], Depends(get_current_user)]


async def is_authed_user(claims: claims_dependency) -> bool:
	authed_users: list[str] = ["chris@sr2.uk"]
	user_email = claims.get("email", None)
	if not user_email or user_email not in authed_users:
		raise HTTPException(status_code=403, detail="Not authenticated")
	return claims.get("email") in authed_users


authed_dependency = Annotated[bool, Depends(is_authed_user)]
init 2026-05-06 12:02:26 +01:00			`"""`
			`Module specific business logic for auth module`

			`Exports:`
			`- claims_dependency`
			`- authed_dependency`
			`"""`
			`import json`
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`import requests`
init 2026-05-06 12:02:26 +01:00
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`from typing import Annotated, Any`
			`from joserfc import jwt`
init 2026-05-06 12:02:26 +01:00			`from urllib.request import urlopen`

			`from fastapi import Depends, HTTPException`
			`from fastapi.security import OpenIdConnect`
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`from joserfc.jwk import KeySet`
init 2026-05-06 12:02:26 +01:00
			`from src.auth.config import auth_settings`


			`oidc = OpenIdConnect(openIdConnectUrl=auth_settings.OIDC_CONFIG)`
			`oidc_dependency = Annotated[str, Depends(oidc)]`


fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`async def get_current_user(oidc_auth_string: oidc_dependency) -> dict[str, Any]:`
init 2026-05-06 12:02:26 +01:00			`config_url = urlopen(auth_settings.OIDC_CONFIG)`
			`config = json.loads(config_url.read())`
			`jwks_uri = config["jwks_uri"]`
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`key_response = requests.get(jwks_uri)`
			`jwk_keys = KeySet.import_key_set(key_response.json())`
init 2026-05-06 12:02:26 +01:00
			`claims_options = {`
			`"exp": {"essential": True},`
			`"aud": {"essential": True, "value": "account"},`
			`"iss": {"essential": True, "value": auth_settings.OIDC_ISSUER},`
			`}`

fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`token = jwt.decode(`
init 2026-05-06 12:02:26 +01:00			`oidc_auth_string.replace("Bearer ", ""),`
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`jwk_keys`
init 2026-05-06 12:02:26 +01:00			`)`

fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`claims_requests = jwt.JWTClaimsRegistry(**claims_options)`
init 2026-05-06 12:02:26 +01:00
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`claims_requests.validate(token.claims)`
init 2026-05-06 12:02:26 +01:00
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00			`return token.claims`
init 2026-05-06 12:02:26 +01:00
fix: auth port to joserfc authlib.jose is deprecated and no longer works with other updated dependencies. 2026-05-07 12:54:55 +01:00
			`claims_dependency = Annotated[dict[str, Any], Depends(get_current_user)]`
init 2026-05-06 12:02:26 +01:00

			`async def is_authed_user(claims: claims_dependency) -> bool:`
			`authed_users: list[str] = ["chris@sr2.uk"]`
			`user_email = claims.get("email", None)`
			`if not user_email or user_email not in authed_users:`
			`raise HTTPException(status_code=403, detail="Not authenticated")`
			`return claims.get("email") in authed_users`


			`authed_dependency = Annotated[bool, Depends(is_authed_user)]`