� J�g�F��ddlmZddlmZddlmZmZmZmZddl m Z ddlmZddl mZmZddlmZd d d�ZGd�d ��Zd�ZdS)�)�generate_token)� url_decode�)�prepare_grant_uri�prepare_token_request�!parse_authorization_code_response�parse_implicit_response)�prepare_revoke_token_request)�create_s256_code_challenge)� TokenAuth� ClientAuth)�OAuth2Errorzapplication/jsonz/application/x-www-form-urlencoded;charset=UTF-8)�AcceptzContent-Typec��eZdZdZeZeZeZ dZ gZ dd�Zd�Z d�Zed ��Zejd ��Zdd�Z dd�Zd d�Z d!d�Zd d�Z d"d�Z d"d�Zd�Zd�Z d#d�Z d$d�Z d"d�Zd�Zd�Zd%d�Z d�Z!dS)&�OAuth2Clienta Construct a new OAuth 2 protocol client. :param session: Requests session object to communicate with authorization server. :param client_id: Client ID, which you get from client registration. :param client_secret: Client Secret, which you get from registration. :param token_endpoint_auth_method: client authentication method for token endpoint. :param revocation_endpoint_auth_method: client authentication method for revocation endpoint. :param scope: Scope that you needed to access user resources. :param state: Shared secret to prevent CSRF attack. :param redirect_uri: Redirect URI you registered as callback. :param code_challenge_method: PKCE method name, only S256 is supported. :param token: A dict of token attributes such as ``access_token``, ``token_type`` and ``expires_at``. :param token_placement: The place to put token in HTTP request. Available values: "header", "body", "uri". :param update_token: A function for you to update token. It accept a :class:`OAuth2Token` as parameter. :param leeway: Time window in seconds before the actual expiration of the authentication token, that the token is considered expired and will be refreshed. )� response_mode�nonce�prompt� login_hintN�header�<c��||_||_||_||_|�|rd}nd}||_|�|rd}nd}||_||_||_| |_|� | ||��|_ ||_|�dd��}|rtd��||_t��t��t��t��t��d�|_i|_| |_dS)N�client_secret_basic�none� token_updaterz<update token has been redesigned, checkout the documentation)�access_token_response�refresh_token_request�refresh_token_response�revoke_token_request�introspect_token_request)�session� client_id� client_secret�state�token_endpoint_auth_method�revocation_endpoint_auth_method�scope�redirect_uri�code_challenge_method�token_auth_class� token_auth�update_token�pop� ValueError�metadata�set�compliance_hook� _auth_methods�leeway)�selfr!r"r#r%r&r'r$r(r)�token�token_placementr,r3r/rs �e/home/asafur/pinokio/api/open-webui.git/app/env/lib/python3.11/site-packages/authlib/oauth2/client.py�__init__zOAuth2Client.__init__6s��"��*�� %�-�� 4�-B�*�*�-3�*�*D��'�*�2�� 9�2G�/�/�28�/�/N��,�� (��%:��"��/�/��M�M��(�� _�d�;�;� �� ]��[�\�\�\� �� &)�U�U�%(�U�U�&)�e�e�$'�E�E�(+�� c�~�t|t��r|d|j|d<dS||j|j<dS)zmExtend client authenticate for token endpoint. :param auth: an instance to sign the request rrN)� isinstance�tupler2�name)r4�auths r7�register_client_auth_methodz(OAuth2Client.register_client_auth_methodjsF�� d�E�"�"� 1�*.�q�'�D��t�A�w�'�'�'�,0�D��t�y�)�)�)r9c��t|t��r||jvr |j|}|�|j|j|��S)N)r"r#�auth_method)r;�strr2�client_auth_classr"r#)r4rAs r7�client_authzOAuth2Client.client_authtsY��k�3�'�'� :�K�4�;M�,M�,M��,�[�9�K��%�%��n��,�#�&� � � r9c��|jjS�N)r+r5�r4s r7r5zOAuth2Client.token}s ��$�$r9c�:�|j�|��dSrF)r+� set_token)r4r5s r7r5zOAuth2Client.token�s��!�!�%�(�(�(�(�(r9c��|�t��}|j�dd��}|�d|��}d|vr |j|d<d|vr |j|d<|r-|dkr'|jdkrt|��|d<|j|d<|jD]}||vr||jvr|j|||<� t|f|j ||d �|��}||fS) a�Generate an authorization URL and state. :param url: Authorization endpoint url, must be HTTPS. :param state: An optional state string for CSRF protection. If not given it will be generated for you. :param code_verifier: An optional code_verifier for code challenge. :param kwargs: Extra parameters to include. :return: authorization_url, state N� response_type�coder(r'�S256�code_challenger))r"rKr$)rr/�getr-r(r'r)r�EXTRA_AUTHORIZE_PARAMSrr")r4�urlr$� code_verifier�kwargsrK�k�uris r7�create_authorization_urlz%OAuth2Client.create_authorization_url�s ��=�"�$�$�E�� )�)�/�6�B�B� �� ?�M�B�B� ��'�'�%)�%6�F�>�"��&� � �"�j�F�7�O�� I�]�f�4�4��9S�W]�9]�9]�'A�-�'P�'P�F�#�$�.2�.H�F�*�+��,� -� -�A��1�� #5�#5� �M�!�,��q� ��#��>��#�#�!�#�#��E�z�r9��POSTc��|p|j}|�dd��} | rd| vr|�| |��S|�|��} | r"d| vrd}t | |��}|d|d<|�|j�d��}|�t|��}||jd<|j||fi|��}|�|� |j ��}|�t}|�|j�d ��}|j|f||||d �| ��S)amGeneric method for fetching an access token from the token endpoint. :param url: Access Token endpoint URL, if not configured, ``authorization_response`` is used to extract token from its fragment (implicit way). :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param method: The HTTP method used to make the request. Defaults to POST, but may also be GET. Other methods should be added as needed. :param headers: Dict to default request headers with. :param auth: An auth tuple or method as accepted by requests. :param grant_type: Use specified grant_type to fetch token :return: A :class:`OAuth2Token` object (a dict too). �authorization_responseN�#zcode=�authorization_code)r$rL� grant_type�token_endpoint)�bodyr>�method�headers) r$r-�token_from_fragment�_extract_session_request_paramsrr/rO�_guess_grant_type�_prepare_token_endpoint_bodyrDr%�DEFAULT_HEADERS�_fetch_token)r4rQr_r`rar>r]r$rSrZ�session_kwargs�paramss r7�fetch_tokenzOAuth2Client.fetch_token�sp��"�#��!'��,D�d�!K�!K��!� K�c�-C�&C�&C��+�+�,B�E�J�J�J��=�=�f�E�E��!� ,�g�1G�&G�&G�-�J�6�&��F�$�F�^�F�6�N��*�*�<�8�8�J��*�6�2�2�J�*4�D�M�,�'�0�t�0��z�L�L�V�L�L��<��#�#�D�$C�D�D�D��?�%�G��;��-�#�#�$4�5�5�C� �t� �� f�� -� � � r9c��t||��}d|vr0|�|d|�d��||_|S)N�error�error_description�rl�description)r �oauth_error_classrOr5)r4rZr$r5s r7rbz OAuth2Client.token_from_fragment�s_��'�(>��F�F��e��(�(��G�n�!�I�I�&9�:�:�)�� r9c��|�|��}|p|j�d��}d|vr|jr |j|d<t d|fd|i|��}|�t ��}|�|j�d��}|jdD]}||||��\}}}�|�|� |j ��}|j|f||||d�|��S)a Fetch a new access token using a refresh token. :param url: Refresh Token endpoint, must be HTTPS. :param refresh_token: The refresh_token to use. :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param auth: An auth tuple or method as accepted by requests. :param headers: Dict to default request headers with. :return: A :class:`OAuth2Token` object (a dict too). � refresh_tokenr'Nr^r)rrr_rar>)rcr5rOr'rrf�copyr/r1rDr%�_refresh_token) r4rQrrr_r>rarSrh�hooks r7rrzOAuth2Client.refresh_token�s-��=�=�f�E�E��%�H��)H�)H� ��&� � �T�Z� �"�j�F�7�O�$��T� � �'� �+1� � �� ?�%�*�*�,�,�G��;��-�#�#�$4�5�5�C��(�)@�A� :� :�D�!%��c�7�D�!9�!9��C��$�$��<��#�#�D�$C�D�D�D�"�t�"��)�,�4��)�)�'�)�)� )r9c��|�|j}|�|j��sdS|�d��}|j�d��}|r|r|�||��dS|j�d��dkr?|d}|�|d� ��}|jr|�||� ��dSdS)N)r3Trrr^�rrr]�client_credentials�access_token)r])ry)r5� is_expiredr3rOr/rrrjr,)r4r5rrrQry� new_tokens r7�ensure_active_tokenz OAuth2Client.ensure_active_token s��=��J�E��t�{��3�3� ��4�� /�2�2� ��m�� 0�1�1�� S� ��s�-��@�@�@��4� �]� � �|� ,� ,�0D� D� D� ��0�L��(�(��9M�(�N�N�I�� H��!�!�)�,�!�G�G�G��4�E� Dr9c �,�|jd|f|||||d�|��S)a�Revoke token method defined via `RFC7009`_. :param url: Revoke Token endpoint, must be HTTPS. :param token: The token to be revoked. :param token_type_hint: The type of the token that to be revoked. It can be "access_token" or "refresh_token". :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param auth: An auth tuple or method as accepted by requests. :param headers: Dict to default request headers with. :return: Revocation Response .. _`RFC7009`: https://tools.ietf.org/html/rfc7009 r�r5�token_type_hintr_r>ra��_handle_token_hint�r4rQr5rr_r>rarSs r7�revoke_tokenzOAuth2Client.revoke_tokens@�� '�t�&�"�C�=��D�'�=�=�6<�=�=� =r9c �,�|jd|f|||||d�|��S)a�Implementation of OAuth 2.0 Token Introspection defined via `RFC7662`_. :param url: Introspection Endpoint, must be HTTPS. :param token: The token to be introspected. :param token_type_hint: The type of the token that to be revoked. It can be "access_token" or "refresh_token". :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param auth: An auth tuple or method as accepted by requests. :param headers: Dict to default request headers with. :return: Introspection Response .. _`RFC7662`: https://tools.ietf.org/html/rfc7662 r r~r�r�s r7�introspect_tokenzOAuth2Client.introspect_token3s@�� '�t�&�&��=��D�'�=�=�6<�=�=� =r9c��|dkr!|jj�|��dS||jvrt d||j��|j|�|��dS)a�Register a hook for request/response tweaking. Available hooks are: * access_token_response: invoked before token parsing. * refresh_token_request: invoked before refreshing token. * refresh_token_response: invoked before refresh token parsing. * protected_request: invoked before making a request. * revoke_token_request: invoked before revoking a token. * introspect_token_request: invoked before introspecting a token. �protected_requestNzHook type %s is not in %s.)r+�hooks�addr1r.)r4� hook_typerus r7�register_compliance_hookz%OAuth2Client.register_compliance_hookHs{��+�+�+��O�!�%�%�d�+�+�+��F��D�0�0�0��9�&��(<�>�>� >��Y�'�+�+�D�1�1�1�1�1r9c��|jdkr|��|��}d|vr0|�|d|�d��||_|jS)Ni�rlrmrn)�status_code�raise_for_status�jsonrprOr5)r4�respr5s r7�parse_response_tokenz!OAuth2Client.parse_response_token]s��s�"�"��!�!�#�#�#�� e��(�(��G�n�!�I�I�&9�:�:�)�� z�r9c��|��dkr2|jj|ftt |��||d�|��}nJd|vrd�||g��}nd�||g��}|jj||f||d�|��}|jdD] }||��}�|�|��S)NrX��datarar>�?�&)rar>r) �upperr!�post�dictr�join�requestr1r�) r4rQr_rar>r`rSr�rus r7rgzOAuth2Client._fetch_tokenjs��<�<�>�>�V�#�#�$�4�<�$��6��z�$�/�/�0�0��d�6�6�.4�6�6�D�D��c�z�z��h�h��T�{�+�+��h�h��T�{�+�+��'�4�<�'��Z�W�4�Z�Z�SY�Z�Z�D��(�)@�A� � �D��4��:�:�D�D��(�(��.�.�.r9c��|j|f|||d�|��}|jdD] }||��}�|�|��} d| vr ||jd<t |j��r|�|j|��|jS)N)r_r>rarrrrw)� _http_postr1r�r5�callabler,) r4rQrrr_rar>rSr�rur5s r7rtzOAuth2Client._refresh_token}s��t��s�T��D�'�T�T�V�T�T��(�)A�B� � �D��4��:�:�D�D��)�)�$�/�/��%�'�'�*7�D�J��'��D�%�&�&� G��d�j� ��F�F�F��z�r9c�v�|�;|jr4|j�d��p|j�d��}|�d}t||||��\}}|j|D]}||||��\}}}�|�|�|j��}|�|��} |j||f||d�| ��S)NrrryrW)r>ra)r5rOr r1rDr&rcr�) r4rurQr5rr_r>rarSrhs r7r�zOAuth2Client._handle_token_hint�s��=�T�Z�=��J�N�N�?�3�3�U�t�z�~�~�n�7U�7U�E��<��D�4��?�D�'�3�3� ��g��(��.� :� :�D�!%��c�7�D�!9�!9��C��$�$��<��#�#�D�$H�I�I�D��=�=�f�E�E��t��E� �'�E�E�5C�E�E� Er9c��|dkrd|vr |j|d<t||fi|��Sd|vr|jr |j|d<t||fi|��S)Nr\r(r')r(rr')r4r_r]rSs r7rez)OAuth2Client._prepare_token_endpoint_body�ss��-�-�-��V�+�+�)-�):��~�&�(��T�D�D�V�D�D�D��&� � �T�Z� �"�j�F�7�O�$�Z��@�@��@�@�@r9c�V�i}|jD]}||vr|�|��||<�|S)zDExtract parameters for session object from the passing ``**kwargs``.)�SESSION_REQUEST_PARAMSr-)r4rS�rvrTs r7rcz,OAuth2Client._extract_session_request_params�s;�� ,� &� &�A��F�{�{�� 1� � ��1�� r9c�d�|jj|ftt|��||d�|��S)Nr�)r!r�r�r)r4rQr_r>rarSs r7r�zOAuth2Client._http_post�sH�� t�|� ��2��:�d�+�+�,�,��$�2�2�*0�2�2� 2r9c� �|`dSrF)r!rGs r7�__del__zOAuth2Client.__del__�s��L�L�Lr9)NNNNNNNNNrNr)NN)NrWrXNNNNrF)NNrWNN)NNNNN)rWNNrX)NrWNN)NNN)"�__name__� __module__�__qualname__�__doc__r rCrr*rrprPr�r8r?rD�propertyr5�setterrVrjrbrrr|r�r�r�r�rgrtr�rercr�r��r9r7rrs1��0#�� #�� >B�,0�15�RV�QS� 2�2�2�2�h1�1�1� � � ��%�%��X�%��\�)�)��\�)��BEI�6:�6 �6 �6 �6 �p��@B�)-�#)�#)�#)�#)�J��"=A�37�=�=�=�=�*AE�7;�=�=�=�=�*2�2�2�*��=A�"�/�/�/�/�&HL� �� IM�9=�E�E�E�E�*A�A�A��2�2�2�2� ��r9rc�.�d|vrd}n d|vrd|vrd}nd}|S)NrLr\�username�passwordrxr�)rSr]s r7rdrd�s;�� )� � � �v� � �*��"6�"6�� )� ��r9N)�authlib.common.securityr�authlib.common.urlsr�rfc6749.parametersrrrr �rfc7009r �rfc7636rr>rr �baserrfrrdr�r9r7�<module>r�s��2�2�2�2�2�2�*�*�*�*�*�*��2�1�1�1�1�1�/�/�/�/�/�/�'�'�'�'�'�'�'�'��!�E��f�f�f�f�f�f�f�f�R ��r9