def raise_for_status(self):
    """Raise an error if this response carries a 4xx/5xx status code.

    Does nothing (returns ``None``) when ``status_code`` is below 400.
    Otherwise ``self.reason`` is rewritten in place to include the response
    content (when ``error_msg`` is set) and the request URL, and that text
    becomes the exception message.

    Raises:
        AuthError: when ``status_code`` is exactly 401.
        HTTPError: for every other status code >= 400.
    """
    if self.status_code < 400:
        return

    # ``self.reason`` is mutated, not copied: calling this method again on
    # the same failed response wraps the already-wrapped text once more.
    if self.error_msg is not None:
        self.reason = "".join(
            ("\n\n", self.reason, "\n\nContent:\n", self.error_msg)
        )

    # NOTE(review): the request URL and the response content are embedded
    # verbatim in the message. If URLs here can carry credentials in the
    # query string (API keys, tokens), they will surface wherever this
    # exception is logged or displayed; confirm and redact at that boundary.
    self.reason = "".join(
        ("\n\n", self.reason, "\n\nRequest URL:\n", self.req.url)
    )

    # 401 is reported as an authentication failure; everything else is a
    # generic HTTP error.
    error_cls = AuthError if self.status_code == 401 else HTTPError
    raise error_cls(msg=self.reason, req=self.req, res=self)
self, id_token_jwt, client_id=None, nonce=None, hd=None
):
certs = await self._get_openid_certs() # refreshed once a day-ish
# Verify ID token is signed by google
try:
id_token = jwt.decode(id_token_jwt, certs=certs, verify=True)
except ValueError as e:
raise AuthError(e)
# Verify iss (The Issuer Identifier for the Issuer of the response) is https://accounts.google.com
if id_token["iss"] != DEFAULT_ISS:
raise AuthError(
f"Invalid issuer, got: {id_token['iss']}, expected: {DEFAULT_ISS}"
)
if nonce is not None:
if nonce != id_token["nonce"]:
raise AuthError("Provided nonce does not match the encoded nonce")
if hd is not None:
if hd != id_token["hd"]:
raise AuthError(
f"Hosted domains do not match, got: {id_token['hd']}, expected: {hd}"
)
# verify expiry 'exp' (google.jwt handles that)
# verify audience
if client_id is not None:
if id_token["aud"] != client_id:
raise AuthError(
f"Invalid audience. Got: {id_token['aud']} expected: {client_id}"
)
return id_token
async def decode_and_validate(
self, id_token_jwt, client_id=None, nonce=None, hd=None
):
certs = await self._get_openid_certs() # refreshed once a day-ish
# Verify ID token is signed by google
try:
id_token = jwt.decode(id_token_jwt, certs=certs, verify=True)
except ValueError as e:
raise AuthError(e)
# Verify iss (The Issuer Identifier for the Issuer of the response) is https://accounts.google.com
if id_token["iss"] != DEFAULT_ISS:
raise AuthError(
f"Invalid issuer, got: {id_token['iss']}, expected: {DEFAULT_ISS}"
)
if nonce is not None:
if nonce != id_token["nonce"]:
raise AuthError("Provided nonce does not match the encoded nonce")
if hd is not None:
if hd != id_token["hd"]:
raise AuthError(
f"Hosted domains do not match, got: {id_token['hd']}, expected: {hd}"
)
# verify expiry 'exp' (google.jwt handles that)
# verify audience
if client_id is not None: