U >iS @s>ddlZddlZddlZddlZddlZddlZddlmZmZm Z m Z ddl m Z ddl mZddlmZddlmZddlZddlmZmZmZddlmZmZdd lmZdd lmZdd lm Z dd l!m"Z"e#e e eee#effd ddZ$e%edddZ&e#e#dddZ'e#e e#dddZ(ee#efedddZ)e#e e eeee#effd ddZ*ee#efe eddd Z+e#e#e ee#efd!d"d#Z,dd$e#e#e#e ee#efe-e e#ee#effd%d&d'Z.eee#e-fd(d)d*Z/ee#d(d+d,Z0eee#efe#d-d.d/Z1eee#efdd0d1d2Z2dS)3N)AnyDictOptionalTuple)settings)get_user_model) SessionBase)SimpleLazyObject)Cipher algorithmsmodes)str_to_user_iduser_id_to_str)jwkkit)get_session_user) app_settings)lookup_session)tokenreturncsXt|d}|dkrdStjr0t|}|dkr0dS|d}t|tfdd}||fS)NaccesssubcstjjdS)Npk)rZobjectsgetrrS/tmp/pip-unpacked-wheel-upujnpc2/allauth/headless/tokens/strategies/jwt/internal.py"z'validate_access_token..) decode_tokenrZJWT_STATEFUL_VALIDATION_ENABLEDget_token_sessionr r )rpayloadsessionrZ lazy_userrrrvalidate_access_tokens r")initialization_vectorrcCs:tj}t|}t|}t |}t ||}|S)N) rZ SECRET_KEYhashlibsha256encodedigestr ZAESr ZCTRr )r#Z secret_keykey algorithmmodecipherrrrget_session_key_cipher&s    r,) session_keyrcCsFtd}t|}|}|||}t|| }|S)a  In case an access token leaks, we do not want the session encoded in that token to be put to use as an X-Session-Token or session cookie. Therefore, we encrypt the sesison key. Unauthenticated symmetric encryption is fine, as the JWT is signed. ) secretsZ token_bytesr, encryptorupdater&finalizebase64 b64encodedecode)r-r#r+r0encrypted_messagesidrrrsession_key_to_sid/s  r8)r7rcCszt|}Wntjk r&YdSX|dd}|dd}t|dkrPdSt|}|}|||}z | WSt k rYdSXdS)Nr.r) r3 b64decodebinasciiErrorlenr, decryptorr1r2r5UnicodeDecodeError)r7Zencrypted_datar#r6r+r=Zmessage_decryptedrrrsession_key_from_sid>s    r?)rr!cCs0t|}|dkrdSt|}||dkr,dS|S)Nr)rr)rr!userrrrrvalidate_token_userPs rAcCstt|d}|dkrdS|d}t|}|dkr2dSt|}||}t}|dks\||kr`dSt||}|||fS)Nrefreshjti)rrget_refresh_token_statertimerA)rr rCr!refresh_token_jti_to_expexpnowr@rrrvalidate_refresh_tokenZs   rI)r rcCs@|d}t|tsdSt|}|s(dSt|}|dkr|js t|jstt|j}t|}td|||tjddS)Nr)rr7rVrWr)r]r^r-r8rr[rZJWT_ACCESS_TOKEN_EXPIRES_IN)r@r!rVr7rrrrcreate_access_tokens   r`)r!rrcCs t|}|d}||ddS)NrC)rDpop)r!rrFrCrrrinvalidate_refresh_tokensrb)3r3r:r$r/rErZtypingrrrrZ django.confrZdjango.contrib.authrZ%django.contrib.sessions.backends.baserZdjango.utils.functionalr rRZ&cryptography.hazmat.primitives.ciphersr r r Z allauth.account.internal.userkitr rZallauth.core.internalrZ allauth.core.internal.sessionkitrZallauth.headlessrZ$allauth.headless.internal.sessionkitrrKr"bytesr,r8r?rArIrrrYr[rDr_r`rbrrrrsP        $     "