66 lines
1.6 KiB
Python
66 lines
1.6 KiB
Python
"""Gitea OAuth2 support.
|
|
|
|
Config shape (in ~/.hb.yaml):
|
|
|
|
oauth:
|
|
gitea:
|
|
url: https://git.example.com
|
|
client_id: <client-id>
|
|
client_secret: <client-secret>
|
|
|
|
Register a Gitea OAuth2 application at:
|
|
Gitea → Settings → Applications → OAuth2
|
|
Set the redirect URI to:
|
|
https://<hbd-host>/login/oauth/gitea/callback
|
|
"""
|
|
|
|
import logging
|
|
import secrets
|
|
import time
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
STATE_TTL = 600 # 10 minutes
|
|
|
|
# state_token -> expiry timestamp
|
|
_states: dict[str, float] = {}
|
|
|
|
|
|
def make_state() -> str:
|
|
"""Generate a CSRF state token, store it with TTL, and return it."""
|
|
_purge_states()
|
|
token = secrets.token_hex(32)
|
|
_states[token] = time.time() + STATE_TTL
|
|
return token
|
|
|
|
|
|
def validate_state(state: str) -> bool:
|
|
"""Return True if *state* is known and unexpired; always removes it."""
|
|
expiry = _states.pop(state, None)
|
|
if expiry is None:
|
|
return False
|
|
return time.time() < expiry
|
|
|
|
|
|
def _purge_states() -> None:
|
|
"""Remove all expired CSRF state tokens from the in-memory store."""
|
|
now = time.time()
|
|
expired = [k for k, exp in list(_states.items()) if exp < now]
|
|
for k in expired:
|
|
del _states[k]
|
|
|
|
|
|
class OAuthError(Exception):
|
|
"""Raised when the OAuth2 flow fails for any reason."""
|
|
|
|
|
|
def _gitea_cfg(config: dict) -> dict:
|
|
"""Return the gitea sub-dict or {} if absent/incomplete."""
|
|
return config.get("oauth", {}).get("gitea", {})
|
|
|
|
|
|
def is_enabled(config: dict) -> bool:
|
|
"""Return True when all three required Gitea OAuth keys are present."""
|
|
g = _gitea_cfg(config)
|
|
return bool(g.get("url") and g.get("client_id") and g.get("client_secret"))
|