Added OIDC client CORS attributes

2026-05-19 15:15:47 +00:00
parent 78bae3c2bb
commit 2342a1aab6
9 changed files with 645 additions and 7 deletions
+8
@@ -29,6 +29,7 @@ from gatehouse_app.exceptions.auth_exceptions import (
from gatehouse_app.utils.constants import AuditAction
from gatehouse_app.services.audit_service import AuditService
from gatehouse_app.services.oidc_audit_service import OIDCAuditService
from gatehouse_app.utils.validators import validate_cors_origins
logger = logging.getLogger(__name__)
@@ -816,6 +817,11 @@ def oidc_register():
except Exception:
return jsonify({"error": "invalid_request", "error_description": f"Invalid redirect_uri: {uri}"}), 400
cors_origins_raw = data.get("allowed_cors_origins")
cors_origins, cors_error = validate_cors_origins(cors_origins_raw)
if cors_error:
return jsonify({"error": "invalid_request", "error_description": cors_error}), 400
client_id = f"oidc_{secrets.token_urlsafe(16)}"
client_secret = f"secret_{secrets.token_urlsafe(24)}"
client_secret_hash = flask_bcrypt.generate_password_hash(client_secret).decode("utf-8")
@@ -842,6 +848,7 @@ def oidc_register():
grant_types=data.get("grant_types", ["authorization_code", "refresh_token"]),
response_types=data.get("response_types", ["code"]),
scopes=data.get("scope", "openid profile email roles").split(),
allowed_cors_origins=cors_origins,
is_active=True,
is_confidential=True,
require_pkce=True,
@@ -871,6 +878,7 @@ def oidc_register():
"client_secret_expires_at": 0,
"client_name": client_name,
"redirect_uris": redirect_uris,
"allowed_cors_origins": client.allowed_cors_origins,
"token_endpoint_auth_method": data.get("token_endpoint_auth_method", "client_secret_basic"),
"grant_types": client.grant_types,
"response_types": client.response_types,
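Review bot: The line `cors_origins, cors_error = validate_cors_origins(cors_origins_raw)` in oidc_register carries the entire trust decision for the new attribute — whether `*`, `null`, non-https schemes, origins with a path, or a non-list payload are rejected — yet nothing in this hunk states that contract, and the same call is repeated in create_org_client and update_org_client. A one-line comment at the call site would let a reviewer check the validator against the intended policy, e.g. `# validate_cors_origins returns (normalized origin list, None) on success or (None, message) on rejection; it must reject wildcard and scheme-less origins`. The behaviour when the key is absent (cors_origins_raw is None) is also not visible here; presumably the validator treats None as "no origins", which deserves an explicit test since the value is later echoed back as `client.allowed_cors_origins` in the registration response. oidc_register's body begins and ends outside these hunks.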
@@ -7,6 +7,7 @@ from gatehouse_app.utils.decorators import login_required, require_admin, full_a
from gatehouse_app.extensions import db, bcrypt
from gatehouse_app.utils.constants import AuditAction
from gatehouse_app.services.audit_service import AuditService
from gatehouse_app.utils.validators import validate_cors_origins
@api_v1_bp.route("/organizations/<org_id>/clients", methods=["GET"])
@@ -63,6 +64,11 @@ def create_org_client(org_id):
if not redirect_uris:
return api_response(success=False, message="At least one redirect URI is required", status=400, error_type="VALIDATION_ERROR")
cors_origins_raw = data.get("allowed_cors_origins")
cors_origins, cors_error = validate_cors_origins(cors_origins_raw)
if cors_error:
return api_response(success=False, message=cors_error, status=400, error_type="VALIDATION_ERROR")
client_id = _secrets.token_hex(16)
client_secret = _secrets.token_urlsafe(32)
@@ -75,6 +81,7 @@ def create_org_client(org_id):
grant_types=["authorization_code", "refresh_token"],
response_types=["code"],
scopes=["openid", "profile", "email"],
allowed_cors_origins=cors_origins,
is_active=True,
is_confidential=True,
)
@@ -99,6 +106,7 @@ def create_org_client(org_id):
"client_secret": client_secret,
"redirect_uris": client.redirect_uris,
"scopes": client.scopes,
"allowed_cors_origins": client.allowed_cors_origins,
"created_at": client.created_at.isoformat() + "Z",
}
},
@@ -135,6 +143,12 @@ def update_org_client(org_id, client_id):
return api_response(success=False, message="At least one redirect URI is required", status=400, error_type="VALIDATION_ERROR")
client.redirect_uris = uris
if "allowed_cors_origins" in data:
cors_origins, cors_error = validate_cors_origins(data["allowed_cors_origins"])
if cors_error:
return api_response(success=False, message=cors_error, status=400, error_type="VALIDATION_ERROR")
client.allowed_cors_origins = cors_origins
db.session.commit()
AuditService.log_action(
@@ -155,6 +169,7 @@ def update_org_client(org_id, client_id):
"redirect_uris": client.redirect_uris,
"scopes": client.scopes,
"grant_types": client.grant_types,
"allowed_cors_origins": client.allowed_cors_origins,
"is_active": client.is_active,
"created_at": client.created_at.isoformat() + "Z",
}
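Review bot: In update_org_client the assignment `client.allowed_cors_origins = cors_origins` changes which web origins may call this client cross-site, but the audit call `AuditService.log_action(` that follows has its arguments outside the hunk, so it is not visible whether the previous and new origin lists are recorded. Because this is a trust-boundary change, it would be worth capturing the old value before the assignment, `previous_cors_origins = client.allowed_cors_origins`, and including both old and new lists in the audit details so a later review can reconstruct when an origin was added. The `if "allowed_cors_origins" in data:` branch passes `data["allowed_cors_origins"]` straight through, so an explicit null presumably clears the list; a comment stating that intent, e.g. `# an explicit null/empty value clears all allowed CORS origins`, would remove the ambiguity. update_org_client's body begins outside the hunk.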