oidc-client mk1

2026-04-27 02:44:32 +09:30
parent 02e95a4199
commit 63a3109a82
6 changed files with 889 additions and 2 deletions
@@ -1,4 +1,6 @@
 """OIDC Client model."""
+from urllib.parse import urlparse
+
 from gatehouse_app.extensions import db
 from gatehouse_app.models.base import BaseModel
 from gatehouse_app.utils.constants import OIDCGrantType, OIDCResponseType
@@ -21,6 +23,7 @@ class OIDCClient(BaseModel):
    grant_types = db.Column(db.JSON, nullable=False)         # Allowed grant types
    response_types = db.Column(db.JSON, nullable=False)      # Allowed response types
    scopes = db.Column(db.JSON, nullable=False)              # Allowed scopes
+    allowed_cors_origins = db.Column(db.JSON, nullable=True, default=None)  # Per-client CORS origins

    # Client metadata
    logo_uri = db.Column(db.String(512), nullable=True)
@@ -81,6 +84,37 @@ class OIDCClient(BaseModel):
        """Check if a redirect URI is allowed for this client."""
        return redirect_uri in self.redirect_uris

+    def get_effective_origins(self) -> list | None:
+        """Get effective CORS origins for this client.
+
+        Returns None to signal "use global config", a derived list from
+        redirect_uris when "+" is present, or the configured list as-is.
+        """
+        if self.allowed_cors_origins is None:
+            return None
+        if "+" in self.allowed_cors_origins:
+            origins = set()
+            for uri in self.redirect_uris:
+                parsed = urlparse(uri)
+                if parsed.scheme and parsed.hostname:
+                    port = f":{parsed.port}" if parsed.port else ""
+                    origins.add(f"{parsed.scheme}://{parsed.hostname}{port}")
+            return sorted(origins)
+        return list(self.allowed_cors_origins)
+
+    def is_origin_allowed(self, origin: str) -> bool | None:
+        """Check if a browser origin is allowed for CORS.
+
+        Returns True/False when a per-client list is configured,
+        or None to defer to the global CORS policy.
+        """
+        effective = self.get_effective_origins()
+        if effective is None:
+            return None
+        if "*" in effective:
+            return True
+        return origin in effective
+
    def has_scope(self, scope: str) -> bool:
        """Check if client is allowed to request a specific scope."""
        return scope in self.scopes