Hugging Face's logo

Spaces:
mgbam
/
builder
Running

App Files Community
builder / auth.py
mgbam's picture
mgbam
Update auth.py
c33cb65 verified
raw
history blame contribute delete
4.54 kB
 # auth.py
"""
Centralised OAuth 2.0 helper for GitHub, Google Drive and Slack.
Usage
-----
from auth import oauth_manager
# 1) Redirect user to consent page
auth_url, state = oauth_manager.get_authorization_url(
provider="github",
redirect_uri="https://your‑app.com/callback"
)
# 2) In your callback handler, exchange the code for a token
token = oauth_manager.fetch_token(
provider="github",
redirect_uri="https://your‑app.com/callback",
authorization_response=request.url # full URL with ?code=...
)
"""
from __future__ import annotations
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from authlib.integrations.requests_client import OAuth2Session
# ------------------------------------------------------------------ #
# 1  Provider configuration
# ------------------------------------------------------------------ #
@dataclass(frozen=True)
class ProviderConfig:
client_id: str | None
client_secret: str | None
authorize_url: str
token_url: str
scope: str
def _env(name: str) -> str | None:
"""Shorthand for os.getenv with strip()."""
val = os.getenv(name)
return val.strip() if val else None
PROVIDERS: Dict[str, ProviderConfig] = {
"github": ProviderConfig(
client_id=_env("GITHUB_CLIENT_ID"),
client_secret=_env("GITHUB_CLIENT_SECRET"),
authorize_url="https://github.com/login/oauth/authorize",
token_url="https://github.com/login/oauth/access_token",
scope="repo read:org",
),
"google": ProviderConfig(
client_id=_env("GOOGLE_CLIENT_ID"),
client_secret=_env("GOOGLE_CLIENT_SECRET"),
authorize_url="https://accounts.google.com/o/oauth2/auth",
token_url="https://oauth2.googleapis.com/token",
scope="openid email profile https://www.googleapis.com/auth/drive.readonly",
),
"slack": ProviderConfig(
client_id=_env("SLACK_CLIENT_ID"),
client_secret=_env("SLACK_CLIENT_SECRET"),
authorize_url="https://slack.com/oauth/v2/authorize",
token_url="https://slack.com/api/oauth.v2.access",
scope="channels:read chat:write",
),
}
# ------------------------------------------------------------------ #
# 2  OAuth manager
# ------------------------------------------------------------------ #
class OAuthManager:
"""Tiny wrapper around Authlib’s OAuth2Session per provider."""
def __init__(self, providers: Dict[str, ProviderConfig]):
self.providers = providers
# ---------- helpers -------------------------------------------------
def _session(self, provider: str, redirect_uri: str) -> OAuth2Session:
cfg = self.providers.get(provider)
if not cfg:
raise KeyError(f"Unsupported provider '{provider}'.")
if not (cfg.client_id and cfg.client_secret):
raise RuntimeError(
f"OAuth credentials for '{provider}' are missing. "
"Set the *_CLIENT_ID and *_CLIENT_SECRET env‑vars."
)
return OAuth2Session(
client_id=cfg.client_id,
client_secret=cfg.client_secret,
scope=cfg.scope,
redirect_uri=redirect_uri,
)
# ---------- public API ----------------------------------------------
def get_authorization_url(
self, provider: str, redirect_uri: str, state: Optional[str] = None
) -> Tuple[str, str]:
"""
Return (auth_url, state) for the given provider.
Pass the *state* back into `fetch_token` to mitigate CSRF.
"""
sess = self._session(provider, redirect_uri)
cfg = self.providers[provider]
auth_url, final_state = sess.create_authorization_url(
cfg.authorize_url, state=state
)
return auth_url, final_state
def fetch_token(
self, provider: str, redirect_uri: str, authorization_response: str
) -> Dict:
"""
Exchange ?code=… for an access token.
Returns the token dict from Authlib (includes access_token,
refresh_token, expires_in, etc.).
"""
sess = self._session(provider, redirect_uri)
cfg = self.providers[provider]
return sess.fetch_token(
cfg.token_url,
authorization_response=authorization_response,
client_secret=cfg.client_secret, # some providers require it explicitly
)
# Singleton instance used throughout the app
oauth_manager = OAuthManager(PROVIDERS)