nuropb_gw.handlers.base_handler

Module Contents

Classes

AuthenticateMixin	Mixin for authenticating handler instances
BaseMixin	Base class for all handlers and extends the AuthenticateMixin providing authentication and authorisation methods.

Functions

strip_bearer_token	Strip the Bearer token prefix from the bearer token string
requires_authorization	A decorator for Handler methods that require a user authorization.

Data

logger
_CHECK_PREFIX_CONFIG

API

nuropb_gw.handlers.base_handler.logger

None

nuropb_gw.handlers.base_handler._CHECK_PREFIX_CONFIG

(‘Bearer :’, ‘Bearer:’, ‘Bearer ‘, ‘Bearer’)

nuropb_gw.handlers.base_handler.strip_bearer_token(bearer_token: str | None) → str | None

Strip the Bearer token prefix from the bearer token string

Parameters:

bearer_token –

Returns:

Bearer token string without the Bearer prefix

nuropb_gw.handlers.base_handler.requires_authorization(method: Callable[..., Optional[Awaitable[None]]]) → Callable[..., Optional[Awaitable[None]]]

A decorator for Handler methods that require a user authorization.

• SSO by session cookie is only allowed with GET or HEAD HTTP requests.

• Sessions are unique per device and SameSite cookie rules apply

• Authorization Header, Authorization cookie, and session cookie are supported in that order.

class nuropb_gw.handlers.base_handler.AuthenticateMixin(application: tornado.web.Application, request: tornado.httputil.HTTPServerRequest, **kwargs: Any)

Bases: tornado.web.RequestHandler

Mixin for authenticating handler instances

Initialization

_user_cache: Optional[Dict[str, Any]]

None

_user_cache is for convenience, avoiding potentially expensive calls validating Authorization tokens and or retrieving cached session information. NOTE : This exists only for a single request, and is not shared between requests.

_allow_authorisation_cookie: bool

None

_authentication_timeout: int | None

None

_authentication_timeout is the number of minutes before authentication expires, and is used to set the session cookie expiry time. If None, the session cookie will not expire.

_authorise_header_name: str

None

_authorise_cookie_name: str

None

_authorise_from_token: Callable[[str], Optional[Dict[str, Any]]] | None

None

initialize(**kwargs) → None

get_user_information_from_bearer_token(bearer_token: str) → Optional[Dict[str, Any]]

Gets user information from a bearer token, update this method as per your authentication pattern.

If a token is revoked or has expired, it is expected that self._authorise_from_token(bearer_token) would return None.

Parameters:

bearer_token –

Returns:

User information dictionary or None

has_authorisation_expired() → bool

This function declaration is here for reference only and represents an abstraction for determining if a users authorisation has expired, and available for customization dependent on derivative implementations specific needs.

Default session identification supports the following:

• tokens: These will contain an expiry claim and will be validated in the get_user_information_from_bearer_token() method

• session_cookie: when a session cookie expires, the user will be required to re-authenticate.

Hence, the “out of the” box user authorisation methods cover this requirement as is.

WEBSOCKETS - Websockets are a special case, as they do not support cookies and are long-lived session that could be open for days. In this case, there is a requirement to periodically check if the user’s authorisation has expired. This is left to the websocket handler implementation. NOTE It’s also likely that the user identification methods for websockets will be identical to other handlers, unless authentication is handled over the websocket protocol. Therefore, beyond instantiating the handler and opening the websocket connection, the has_authorisation_expired() would be checked during incoming and outgoing messages events.

_process_user_info(user_info, message)

utility method to reduce complexity from self.get_current_user()

Parameters:

• user_info –

• message –

Returns:

update_user_info(user_info)

self._user_cache is for convenience to avoid potentially having to make expensive calls validating Authorization token and or retrieving session information.

get_current_user() → Optional[Dict[str, Any]]

Returns the minimum user information from the session cookie or Authorisation cookie (bearer token) in order to identify the user and their session.

An Authentication from cookies is only valid for GET and HEAD methods. An Authentication from headers is valid for all methods.

Order of preference is:

1. Authorisation header

2. Authorisation cookie

3. Session cookie

user information details:

• session_id: str - a unique webserver session or websocket connection identifier

• user_id: str - system unique user identifier, often the same the username

• username : str - username required when providing user credentials

• last_activity: str - UTC iso formatted time

• bearer_token: str - jwt

Returns:

User information dictionary or None

class nuropb_gw.handlers.base_handler.BaseMixin(application: tornado.web.Application, request: tornado.httputil.HTTPServerRequest, **kwargs: Any)

Bases: nuropb_gw.handlers.base_handler.AuthenticateMixin

Base class for all handlers and extends the AuthenticateMixin providing authentication and authorisation methods.

Initialization

initialize(**kwargs)

Initialize the handler and inherit the AuthenticateMixin initialize settings