163 lines
5.3 KiB
Python
163 lines
5.3 KiB
Python
"""OIDC Session model for OIDC session tracking."""
|
|
from datetime import datetime, timezone
|
|
from gatehouse_app.extensions import db
|
|
from gatehouse_app.models.base import BaseModel
|
|
|
|
|
|
class OIDCSession(BaseModel):
|
|
"""OIDC Session model for tracking OIDC authentication sessions.
|
|
|
|
This model tracks the state during the OIDC authentication flow,
|
|
including PKCE parameters and nonce validation.
|
|
"""
|
|
|
|
__tablename__ = "oidc_sessions"
|
|
|
|
# User reference
|
|
user_id = db.Column(
|
|
db.String(36), db.ForeignKey("users.id"), nullable=False, index=True
|
|
)
|
|
|
|
# Client reference
|
|
client_id = db.Column(
|
|
db.String(255), db.ForeignKey("oidc_clients.id"), nullable=False, index=True
|
|
)
|
|
|
|
# State management
|
|
state = db.Column(db.String(255), nullable=False, index=True)
|
|
nonce = db.Column(db.String(255), nullable=True) # For OIDC ID Token validation
|
|
|
|
# Authorization request parameters
|
|
redirect_uri = db.Column(db.String(512), nullable=False)
|
|
scope = db.Column(db.JSON, nullable=True) # Requested scopes
|
|
|
|
# PKCE parameters
|
|
code_challenge = db.Column(db.String(255), nullable=True)
|
|
code_challenge_method = db.Column(db.String(10), nullable=True) # "S256" or "plain"
|
|
|
|
# Timing
|
|
expires_at = db.Column(db.DateTime, nullable=False, index=True)
|
|
authenticated_at = db.Column(db.DateTime, nullable=True)
|
|
|
|
# Relationships
|
|
user = db.relationship("User", back_populates="oidc_sessions")
|
|
client = db.relationship("OIDCClient", back_populates="oidc_sessions")
|
|
|
|
def __repr__(self):
|
|
"""String representation of OIDCSession."""
|
|
return f"<OIDCSession user_id={self.user_id} client_id={self.client_id} state={self.state[:8]}...>"
|
|
|
|
def is_expired(self):
|
|
"""Check if the OIDC session has expired."""
|
|
return datetime.now(timezone.utc) > self.expires_at
|
|
|
|
def is_authenticated(self):
|
|
"""Check if the user has been authenticated in this session."""
|
|
return self.authenticated_at is not None
|
|
|
|
def mark_authenticated(self):
|
|
"""Mark the session as authenticated."""
|
|
self.authenticated_at = datetime.now(timezone.utc)
|
|
db.session.commit()
|
|
|
|
def validate_nonce(self, expected_nonce):
|
|
"""Validate the nonce matches the expected value.
|
|
|
|
Args:
|
|
expected_nonce: The expected nonce value
|
|
|
|
Returns:
|
|
bool: True if nonce matches
|
|
"""
|
|
return self.nonce == expected_nonce
|
|
|
|
def validate_code_challenge(self, code_verifier):
|
|
"""Validate the code verifier against the stored code challenge.
|
|
|
|
Args:
|
|
code_verifier: The PKCE code verifier
|
|
|
|
Returns:
|
|
bool: True if code challenge is valid
|
|
"""
|
|
if not self.code_challenge:
|
|
return False
|
|
|
|
if self.code_challenge_method == "S256":
|
|
import hashlib
|
|
import base64
|
|
# SHA256 hash of code_verifier
|
|
digest = hashlib.sha256(code_verifier.encode()).digest()
|
|
# Base64 URL encode without padding
|
|
expected = base64.urlsafe_b64encode(digest).decode().rstrip("=")
|
|
return self.code_challenge == expected
|
|
elif self.code_challenge_method == "plain":
|
|
return self.code_challenge == code_verifier
|
|
|
|
return False
|
|
|
|
@classmethod
|
|
def create_session(cls, user_id, client_id, state, redirect_uri, scope=None,
|
|
nonce=None, code_challenge=None, code_challenge_method=None,
|
|
lifetime_seconds=600):
|
|
"""Create a new OIDC session.
|
|
|
|
Args:
|
|
user_id: The user ID
|
|
client_id: The OIDC client ID
|
|
state: The state parameter
|
|
redirect_uri: The redirect URI
|
|
scope: Requested scopes
|
|
nonce: OIDC nonce
|
|
code_challenge: PKCE code challenge
|
|
code_challenge_method: PKCE method ("S256" or "plain")
|
|
lifetime_seconds: Session lifetime in seconds
|
|
|
|
Returns:
|
|
OIDCSession instance
|
|
"""
|
|
from datetime import timedelta
|
|
session = cls(
|
|
user_id=user_id,
|
|
client_id=client_id,
|
|
state=state,
|
|
redirect_uri=redirect_uri,
|
|
scope=scope,
|
|
nonce=nonce,
|
|
code_challenge=code_challenge,
|
|
code_challenge_method=code_challenge_method,
|
|
expires_at=datetime.now(timezone.utc) + timedelta(seconds=lifetime_seconds),
|
|
)
|
|
db.session.add(session)
|
|
db.session.commit()
|
|
return session
|
|
|
|
@classmethod
|
|
def get_by_state(cls, state):
|
|
"""Get a session by state parameter.
|
|
|
|
Args:
|
|
state: The state parameter
|
|
|
|
Returns:
|
|
OIDCSession instance or None
|
|
"""
|
|
return cls.query.filter_by(state=state, deleted_at=None).first()
|
|
|
|
def to_dict(self, exclude=None):
|
|
"""Convert to dictionary."""
|
|
return super().to_dict(exclude=exclude)
|
|
|
|
|
|
# Add relationship back to User model
|
|
from gatehouse_app.models.user import User
|
|
User.oidc_sessions = db.relationship(
|
|
"OIDCSession", back_populates="user", cascade="all, delete-orphan"
|
|
)
|
|
|
|
# Add relationship back to OIDCClient model
|
|
from gatehouse_app.models.oidc_client import OIDCClient
|
|
OIDCClient.oidc_sessions = db.relationship(
|
|
"OIDCSession", back_populates="client", cascade="all, delete-orphan"
|
|
)
|