|
|
import hashlib
|
|
|
import time
|
|
|
import urllib.parse
|
|
|
from dataclasses import dataclass
|
|
|
from typing import Optional
|
|
|
|
|
|
import requests
|
|
|
import logging
|
|
|
import json
|
|
|
# Initialize logger for this module
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
@dataclass
|
|
|
class OAuthUserInfo:
|
|
|
id: str
|
|
|
name: str
|
|
|
email: str
|
|
|
|
|
|
|
|
|
class OAuth:
|
|
|
def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
|
|
|
self.client_id = client_id
|
|
|
self.client_secret = client_secret
|
|
|
self.redirect_uri = redirect_uri
|
|
|
|
|
|
def get_authorization_url(self):
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
def get_access_token(self, code: str):
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
def get_raw_user_info(self, token: str):
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
def get_user_info(self, token: str) -> OAuthUserInfo:
|
|
|
raw_info = self.get_raw_user_info(token)
|
|
|
return self._transform_user_info(raw_info)
|
|
|
|
|
|
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
|
class GitHubOAuth(OAuth):
|
|
|
_AUTH_URL = "https://github.com/login/oauth/authorize"
|
|
|
_TOKEN_URL = "https://github.com/login/oauth/access_token"
|
|
|
_USER_INFO_URL = "https://api.github.com/user"
|
|
|
_EMAIL_INFO_URL = "https://api.github.com/user/emails"
|
|
|
|
|
|
def get_authorization_url(self, invite_token: Optional[str] = None):
|
|
|
params = {
|
|
|
"client_id": self.client_id,
|
|
|
"redirect_uri": self.redirect_uri,
|
|
|
"scope": "user:email", # Request only basic user information
|
|
|
}
|
|
|
if invite_token:
|
|
|
params["state"] = invite_token
|
|
|
return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
|
|
|
|
|
|
def get_access_token(self, code: str):
|
|
|
data = {
|
|
|
"client_id": self.client_id,
|
|
|
"client_secret": self.client_secret,
|
|
|
"code": code,
|
|
|
"redirect_uri": self.redirect_uri,
|
|
|
}
|
|
|
headers = {"Accept": "application/json"}
|
|
|
response = requests.post(self._TOKEN_URL, data=data, headers=headers)
|
|
|
|
|
|
response_json = response.json()
|
|
|
access_token = response_json.get("access_token")
|
|
|
|
|
|
if not access_token:
|
|
|
raise ValueError(f"Error in GitHub OAuth: {response_json}")
|
|
|
|
|
|
return access_token
|
|
|
|
|
|
def get_raw_user_info(self, token: str):
|
|
|
headers = {"Authorization": f"token {token}"}
|
|
|
response = requests.get(self._USER_INFO_URL, headers=headers)
|
|
|
response.raise_for_status()
|
|
|
user_info = response.json()
|
|
|
|
|
|
email_response = requests.get(self._EMAIL_INFO_URL, headers=headers)
|
|
|
email_info = email_response.json()
|
|
|
primary_email: dict = next((email for email in email_info if email["primary"] == True), {})
|
|
|
|
|
|
return {**user_info, "email": primary_email.get("email", "")}
|
|
|
|
|
|
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
|
|
|
email = raw_info.get("email")
|
|
|
if not email:
|
|
|
email = f"{raw_info['id']}+{raw_info['login']}@users.noreply.github.com"
|
|
|
return OAuthUserInfo(id=str(raw_info["id"]), name=raw_info["name"], email=email)
|
|
|
|
|
|
|
|
|
class GoogleOAuth(OAuth):
|
|
|
_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
|
|
|
_TOKEN_URL = "https://oauth2.googleapis.com/token"
|
|
|
_USER_INFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"
|
|
|
|
|
|
def get_authorization_url(self, invite_token: Optional[str] = None):
|
|
|
params = {
|
|
|
"client_id": self.client_id,
|
|
|
"response_type": "code",
|
|
|
"redirect_uri": self.redirect_uri,
|
|
|
"scope": "openid email",
|
|
|
}
|
|
|
if invite_token:
|
|
|
params["state"] = invite_token
|
|
|
return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
|
|
|
|
|
|
def get_access_token(self, code: str):
|
|
|
data = {
|
|
|
"client_id": self.client_id,
|
|
|
"client_secret": self.client_secret,
|
|
|
"code": code,
|
|
|
"grant_type": "authorization_code",
|
|
|
"redirect_uri": self.redirect_uri,
|
|
|
}
|
|
|
headers = {"Accept": "application/json"}
|
|
|
response = requests.post(self._TOKEN_URL, data=data, headers=headers)
|
|
|
|
|
|
response_json = response.json()
|
|
|
access_token = response_json.get("access_token")
|
|
|
|
|
|
if not access_token:
|
|
|
raise ValueError(f"Error in Google OAuth: {response_json}")
|
|
|
|
|
|
return access_token
|
|
|
|
|
|
def get_raw_user_info(self, token: str):
|
|
|
headers = {"Authorization": f"Bearer {token}"}
|
|
|
response = requests.get(self._USER_INFO_URL, headers=headers)
|
|
|
response.raise_for_status()
|
|
|
return response.json()
|
|
|
|
|
|
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
|
|
|
return OAuthUserInfo(id=str(raw_info["sub"]), name="", email=raw_info["email"])
|
|
|
|
|
|
|
|
|
class DigitalBaseOAuth(OAuth):
|
|
|
_AUTH_URL = "http://1.92.71.188/gzt/login" # 基座登录页地址
|
|
|
_TOKEN_URL = "/oauth2/getTokenByCode"
|
|
|
_USER_INFO_URL = "/oauth2/getUserInfoByToken"
|
|
|
_REFRESH_URL = "/oauth2/refreshSessionByToken"
|
|
|
|
|
|
def __init__(self, client_id: str, client_secret: str, redirect_uri: str, base_url: str):
|
|
|
super().__init__(client_id, client_secret, redirect_uri)
|
|
|
self.base_url = base_url
|
|
|
self.app_key = client_id # 数字基座中 AppKey 等同于 client_id
|
|
|
self.app_secret = client_secret
|
|
|
|
|
|
def get_authorization_url(self, invite_token: Optional[str] = None):
|
|
|
params = {
|
|
|
"client_id": self.client_id,
|
|
|
"redirect_uri": self.redirect_uri,
|
|
|
"response_type": "code",
|
|
|
}
|
|
|
if invite_token:
|
|
|
params["state"] = invite_token
|
|
|
# return f"{self.base_url}/oauth2/authorize?{urllib.parse.urlencode(params)}"
|
|
|
return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
|
|
|
|
|
|
def _generate_headers(self, body: Optional[dict] = None) -> dict:
|
|
|
timestamp = str(int(time.time() * 1000))
|
|
|
body_length = len(json.dumps(body).encode('utf-8')) if body else 0
|
|
|
content = f"{self.app_key}{timestamp}{body_length}"
|
|
|
|
|
|
# 第一步:对AppKey + timestamp + bodyLength做sha256加密
|
|
|
sign = hashlib.sha256(content.encode('utf-8')).hexdigest()
|
|
|
|
|
|
# 第二步:对sign + AppSecret做md5加密
|
|
|
open_sign = hashlib.md5(f"{sign}{self.app_secret}".encode('utf-8')).hexdigest()
|
|
|
|
|
|
headers = {
|
|
|
"openAppId": self.app_key,
|
|
|
"openTimestamp": timestamp,
|
|
|
"openSign": open_sign,
|
|
|
"Content-Type": "application/json"
|
|
|
}
|
|
|
|
|
|
# 调试日志 - 中文输出
|
|
|
logger.debug(f"数字基座认证请求头: {headers}")
|
|
|
logger.debug(f"签名生成步骤 - 原始内容: {content}, SHA256签名: {sign}, 最终签名: {open_sign}")
|
|
|
|
|
|
return headers
|
|
|
|
|
|
def get_access_token(self, code: str):
|
|
|
data = {"code": code}
|
|
|
headers = self._generate_headers(data)
|
|
|
|
|
|
response = requests.post(
|
|
|
f"{self.base_url}{self._TOKEN_URL}",
|
|
|
headers=headers,
|
|
|
json=data
|
|
|
)
|
|
|
response_json = response.json()
|
|
|
|
|
|
|
|
|
if response_json.get("retcode") != 0:
|
|
|
raise ValueError(f"Error in DigitalBase OAuth: {response_json.get('errmsg')}")
|
|
|
|
|
|
return response_json["data"]["accessToken"]
|
|
|
|
|
|
def get_raw_user_info(self, token: str):
|
|
|
data = {"accessToken": token}
|
|
|
headers = {
|
|
|
**self._generate_headers(data),
|
|
|
"Authorization": f"Bearer {token}"
|
|
|
}
|
|
|
|
|
|
response = requests.post(
|
|
|
f"{self.base_url}{self._USER_INFO_URL}",
|
|
|
headers=headers,
|
|
|
json={"accessToken": token}
|
|
|
)
|
|
|
response.raise_for_status()
|
|
|
response_json = response.json()
|
|
|
|
|
|
if response_json.get("retcode") != 0:
|
|
|
raise ValueError(f"Error in DigitalBase OAuth: {response_json.get('errmsg')}")
|
|
|
|
|
|
return response_json["data"]
|
|
|
|
|
|
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
|
|
|
return OAuthUserInfo(
|
|
|
id=raw_info["eduID"],
|
|
|
name=raw_info["name"],
|
|
|
email=f"{raw_info['eduID']}@digitalbase.edu" # 基座可能不提供email,使用eduID生成
|
|
|
)
|