arXiv · mnazzaro · Jul 10, 2024 · Jun 7, 2024 · Jun 10, 2024 · Jun 10, 2024
diff --git a/arxiv/auth/README.md b/arxiv/auth/README.md
@@ -0,0 +1,57 @@
+# ``arxiv-auth`` Library
+
+This package provides a Flask add on and other code for working with arxiv
+authenticated users in arXiv services.
+
+Housing these components in arxiv-base ensures that users
+and sessions are represented and manipulated consistently. The login+logout, user
+accounts(TBD), API client registry(TBD), and authenticator(TBD) services all
+rely on this package.
+
+# Quick start
+For use-cases to check if a request is from an authenticated arxiv user, do the
+following:
+
+1. Add arxiv-base to your dependencies
+2. Install :class:`arxiv.auth.auth.Auth` onto your application. This adds a
+   function called for each request to Flask that adds an instance of
+   :class:`arxiv.auth.domain.Session` at ``flask.request.auth`` if the client is
+   authenticated.
+3. Add to the ``flask.config`` to setup :class:`arxiv_auth.auth.Auth` and
+   related classes
+
+Here's an example of how you might do #2 and #3:
+```
+   from flask import Flask
+   from arxiv.base import Base
+   from arxiv.auth.auth import auth
+
+   app = Flask(__name__)
+   Base(app)
+
+   # config settings required to use legacy auth 
+   app.config['CLASSIC_SESSION_HASH'] = '{hash_private_secret}'
+   app.config['CLASSIC_DB_URI'] = '{your_sqlalchemy_db_uri_to_legacy_db'}
+   app.config['SESSION_DURATION'] = 36000
+   app.config['CLASSIC_COOKIE_NAME'] = 'tapir_session'
+
+   auth.Auth(app)    # <- Install the Auth to get auth checks and request.auth
+
+   @app.route("/")
+   def are_you_logged_in():
+       if request.auth is not None:
+           return "<p>Hello, You are logged in.</p>"
+       else:
+           return "<p>Hello unknown client.</p>"
+```
+
+# Middleware
+
+In during NG there was middleware for arxiv-auth that could be used in NGINX to
+do the authentication there. As of 2023 it is not in use.
+
+See :class:`arxiv.auth.auth.middleware.AuthMiddleware`
+
+If you are not deploying this application in the cloud behind NGINX (and
+therefore will not support sessions from the distributed store), you do not
+need the auth middleware.
diff --git a/arxiv/auth/__init__.py b/arxiv/auth/__init__.py
diff --git a/arxiv/auth/app.py b/arxiv/auth/app.py
@@ -0,0 +1,10 @@
+"""test app."""
+
+import sys
+sys.path.append('./arxiv')
+
+from flask import Flask
+from arxiv_users import auth, legacy
+
+app = Flask('test')
+legacy.create_all()
diff --git a/arxiv/auth/auth/__init__.py b/arxiv/auth/auth/__init__.py
@@ -0,0 +1,199 @@
+"""Provides tools for working with authenticated user/client sessions."""
+
+from typing import Optional, Union, Any, List
+import os
+
+from werkzeug.datastructures.structures import MultiDict
+
+from flask import Flask, request, Response
+from retry import retry
+
+from ...db import transaction
+from ..legacy import util
+from ..legacy.cookies import parse_cookie
+from .. import domain, legacy
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class Auth(object):
+    """
+    Attaches session and authentication information to the request.
+
+    Set env var or `Flask.config` `ARXIV_AUTH_DEBUG` to True to get
+    additional debugging in the logs. Only use this for short term debugging of
+    configs. This may be used in produciton but should not be left on in production.
+
+    Intended for use in a Flask application factory, for example:
+
+    .. code-block:: python
+
+       from flask import Flask
+       from arxiv.users.auth import Auth
+       from someapp import routes
+
+
+       def create_web_app() -> Flask:
+          app = Flask('someapp')
+          app.config.from_pyfile('config.py')
+          Auth(app)   # Registers the before_reques auth check
+
+          @app.route("/hello")
+          def hello():
+              if request.auth:
+                 return f"Hello {request.auth.user.name}!"
+              else:
+                 return f"Hello world! (not authenticated)"
+
+       return app
+
+
+    """
+
+    def __init__(self, app: Optional[Flask] = None) -> None:
+        """
+        Initialize ``app`` with `Auth`.
+
+        Parameters
+        ----------
+        app : :class:`Flask`
+
+        """
+        if app is not None:
+            self.init_app(app)
+            if self.app.config.get('AUTH_UPDATED_SESSION_REF'):
+                self.auth_session_name = "auth"
+            else:
+                self.auth_session_name = "session"
+
+    @retry(legacy.exceptions.Unavailable, tries=3, delay=0.5, backoff=2)
+    def _get_legacy_session(self,
+                            cookie_value: str) -> Optional[domain.Session]:
+        """
+        Attempt to load a legacy auth session.
+
+        Returns
+        -------
+        :class:`domain.Session` or None
+
+        """
+        if cookie_value is None:
+            return None
+        try:
+            with transaction():
+                return legacy.sessions.load(cookie_value)
+        except legacy.exceptions.UnknownSession as e:
+            logger.debug('No legacy session available: %s', e)
+        except legacy.exceptions.InvalidCookie as e:
+            logger.debug('Invalid legacy cookie: %s', e)
+        except legacy.exceptions.SessionExpired as e:
+            logger.debug('Legacy session is expired: %s', e)
+        return None
+
+    def init_app(self, app: Flask) -> None:
+        """
+        Attach :meth:`.load_session` to the Flask app.
+
+        Parameters
+        ----------
+        app : :class:`Flask`
+
+        """
+        self.app = app
+        app.config['arxiv_auth.Auth'] = self
+
+        if app.config.get('ARXIV_AUTH_DEBUG') or os.getenv('ARXIV_AUTH_DEBUG'):
+            self.auth_debug()
+            logger.debug("ARXIV_AUTH_DEBUG is set and auth debug messages to logging are turned on")
+
+        self.app.before_request(self.load_session)
+        self.app.config.setdefault('DEFAULT_LOGOUT_REDIRECT_URL',
+                                   'https://arxiv.org')
+        self.app.config.setdefault('DEFAULT_LOGIN_REDIRECT_URL',
+                                   'https://arxiv.org')
+
+        if app.config.get('ARXIV_AUTH_DEBUG') or os.getenv('ARXIV_AUTH_DEBUG'):
+            self.auth_debug()
+            logger.debug("ARXIV_AUTH_DEBUG is set and auth debug messages to logging is turned on")
+
+
+    def load_session(self) -> Optional[Response]:
+        """Look for an active session, and attach it to the request.
+
+        The typical scenario will involve the
+        :class:`.middleware.AuthMiddleware` unpacking a session token and
+        adding it to the WSGI request environ.
+
+        As a fallback, if the legacy database is available, this method will
+        also attempt to load an active legacy session.
+
+        """
+        # Check the WSGI request environ for the key, which is where the auth
+        # middleware puts any unpacked auth information from the request OR any
+        # exceptions that need to be raised withing the request context.
+        req_auth: Optional[Union[domain.Session, Exception]] = \
+            request.environ.get(self.auth_session_name)
+
+        # Middlware may raise exception, needs to be raised in to be handled correctly.
+        if isinstance(req_auth, Exception):
+            logger.debug('Middleware passed an exception: %s', req_auth)
+            raise req_auth
+
+        if not req_auth:
+            if util.is_configured():
+                req_auth = self.first_valid(self.legacy_cookies())
+            else:
+                logger.warning('No legacy DB, will not check tapir auth.')
+
+        # Attach auth to the request so other can access easily. request.auth
+        setattr(request, self.auth_session_name, req_auth)
+        return None
+
+    def first_valid(self, cookies: List[str]) -> Optional[domain.Session]:
+        """First valid legacy session or None if there are none."""
+        first =  next(filter(bool,
+                             map(self._get_legacy_session,
+                                 cookies)), None)
+
+        if first is None:
+            logger.debug("Out of %d cookies, no legacy cookie found", len(cookies))
+        else:
+            logger.debug("Out of %d cookies, found a good legacy cookie", len(cookies))
+
+        return first
+
+    def legacy_cookies(self) -> List[str]:
+        """Gets list of legacy cookies.
+
+        Duplicate cookies occur due to the browser sending both the
+        cookies for both arxiv.org and sub.arxiv.org. If this is being
+        served at sub.arxiv.org, there is no response that will cause
+        the browser to alter its cookie store for arxiv.org. Duplicate
+        cookies must be handled gracefully to for the domain and
+        subdomain to coexist.
+
+        The standard way to avoid this problem is to append part of
+        the domain's name to the cookie key but this needs to work
+        even if the configuration is not ideal.
+
+        """
+        # By default, werkzeug uses a dict-based struct that supports only a
+        # single value per key. This isn't really up to speed with RFC 6265.
+        # Luckily we can just pass in an alternate struct to parse_cookie()
+        # that can cope with multiple values.
+        raw_cookie = request.environ.get('HTTP_COOKIE', None)
+        if raw_cookie is None:
+            return []
+        cookies = parse_cookie(raw_cookie, cls=MultiDict)
+        return cookies.getlist(self.app.config['CLASSIC_COOKIE_NAME'])
+
+    def auth_debug(self) -> None:
+        """Sets several auth loggers to DEBUG.
+
+        This is useful to get an idea of what is going on with auth.
+        """
+        logger.setLevel(logging.DEBUG)
+        legacy.sessions.logger.setLevel(logging.DEBUG)
+        legacy.authenticate.logger.setLevel(logging.DEBUG)