Feature/#440 hydra token login (#784)

* Refactor `command_hello` * Added `command_auth` for logging in with an API token * Refactor hash computation in update_irc_password * Choose IRC password as hex encoded string to avoid '/' character * Use lowercase for resolved pub key value so it is not considered a valid config key * Use separate variables for pub key file vs direct pub key * More cleanup * Use hydra token service for authentication * import jwt algorithms * fix import order * Use pyjwk client * change import * Use older jwt version without jwkClient due to twilio constraints update dependencies * Use older version of twilio to get around pyjwt version lock * Fix cron task * Rename to OauthService * log out decoded token * correct decoded token field * change sub to int * Use aiohttp to get jwks * Turn off audience verification * Fix tests * Revert db name change * use mocks properly * sort imports * fix tests * Fix codacy where possible * Address formatting * Remove unused import * only update keys once fully retrieved * Add detection for player id not in database * log login method in metrics * Make two labels for the user_logins * make kid string its own fixture, log user not in db, use dict comprehension * Fix test and formatting * Pipenv lock from linux * Change to prod hydra * Fix comment * Fix test formatting Co-authored-by: Askaholic <askaholic907@gmail.com>
FAForever · Jun 12, 2021 · 58c5887 · 58c5887
1 parent b81229c
commit 58c5887
Show file tree

Hide file tree

Showing 15 changed files with 495 additions and 76 deletions.
diff --git a/Pipfile b/Pipfile
@@ -20,11 +20,12 @@ trueskill = "*"
 aiocron = "*"
 oauthlib = "*"
 sqlalchemy = "*"
-twilio = "*"
+twilio = ">=6.0.0,<6.51.0"  # See https://github.com/twilio/twilio-python/issues/556
 humanize = ">=2.6.0"
 aiomysql = {editable = true, git = "https://github.com/aio-libs/aiomysql"}
 pyyaml = "*"
 aio_pika = "*"
+pyjwt = {version = ">=2", extras = ["crypto"]}
 
 [dev-packages]
 pytest = "*"

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/server/__init__.py b/server/__init__.py
@@ -108,6 +108,7 @@
 from .ladder_service import LadderService
 from .lobbyconnection import LobbyConnection
 from .message_queue_service import MessageQueueService
+from .oauth_service import OAuthService
 from .party_service import PartyService
 from .player_service import PlayerService
 from .protocol import Protocol, QDataStreamProtocol
@@ -129,6 +130,7 @@
     "GeoIpService",
     "LadderService",
     "MessageQueueService",
+    "OAuthService",
     "PartyService",
     "PlayerService",
     "RatingService",
@@ -189,7 +191,8 @@ def __init__(
             nts_client=twilio_nts,
             players=self.services["player_service"],
             ladder_service=self.services["ladder_service"],
-            party_service=self.services["party_service"]
+            party_service=self.services["party_service"],
+            oauth_service=self.services["oauth_service"]
         )
 
     def write_broadcast(

diff --git a/server/config.py b/server/config.py
@@ -57,6 +57,8 @@ def __init__(self):
         self.API_TOKEN_URI = "https://api.test.faforever.com/oauth/token"
         self.API_BASE_URL = "https://api.test.faforever.com/"
         self.USE_API = True
+        # Location of the OAuth jwks
+        self.HYDRA_JWKS_URI = "https://hydra.faforever.com/.well-known/jwks.json"
 
         self.MQ_USER = "faf-python-server"
         self.MQ_PASSWORD = "banana"

diff --git a/server/exceptions.py b/server/exceptions.py
@@ -50,6 +50,7 @@ class AuthenticationError(Exception):
     """
     The operation failed to authenticate.
     """
-    def __init__(self, message, *args, **kwargs):
+    def __init__(self, message, method, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.message = message
+        self.method = method