feat(auth): add JWT signed authentication for OAuth application API

Author: magajh

eox_core/api/support/v1/authentication.py

@@ -0,0 +1,56 @@
+"""
+Custom authenticators for the Support V1 API.
+"""
+import time
+
+import jwt
+from django.conf import settings
+from django.contrib.auth.models import AnonymousUser
+from jwt import ExpiredSignatureError, InvalidTokenError
+from rest_framework import authentication
+from rest_framework.authentication import get_authorization_header
+
+
+class JWTsignedOauthAppAuthentication(authentication.BaseAuthentication):
+    """
+    Authentication class to verify JWTs signed by trusted services.
+    Allows authentication for the OauthApplicationAPIView in Open edX.
+    """
+
+    def authenticate(self, request):
+        """
+        Extracts the JWT token from the Authorization header and verifies it.
+        If authentication fails, it does NOT raise an exception to allow
+        other authentication classes to attempt authentication.
+        """
+        auth = get_authorization_header(request).split()
+
+        if not auth or auth[0].lower() != b'bearer':
+            return None
+
+        if len(auth) != 2:
+            return None
+
+        token = auth[1]
+        return self.authenticate_token(token)
+
+    def authenticate_token(self, token):
+        """
+        Attempts to authenticate the JWT token. If verification fails,
+        returns None instead of raising an exception, allowing other authentication
+        classes to handle authentication.
+        """
+        try:
+            decoded_payload = jwt.decode(
+                token,
+                settings.EOX_CORE_JWT_SIGNED_OAUTH_APP_PUBLIC_KEY,
+                algorithms=["RS256"]
+            )
+
+            if decoded_payload["exp"] < time.time():
+                return None
+
+            return (AnonymousUser(), None)
+
+        except (ExpiredSignatureError, InvalidTokenError):
+            return None

eox_core/api/support/v1/permissions.py

@@ -3,7 +3,11 @@
 """
 Custom Support API permissions module
 """
+from django.conf import settings
+from django.contrib.auth.models import AnonymousUser
 from rest_framework import exceptions, permissions
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.exceptions import AuthenticationFailed
 
 
 class EoxCoreSupportAPIPermission(permissions.BasePermission):
@@ -17,7 +21,7 @@ def has_permission(self, request, view):
         For now, to grant access only checks if the requesting user:
             1) is_staff
         """
-        if request.user.is_staff:
+        if request.user is None or isinstance(request.user, AnonymousUser) or request.user.is_staff:
             return True
 
         # To prevent leaking important information we return the most basic message.

eox_core/api/support/v1/views.py

@@ -20,6 +20,7 @@
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from eox_core.api.support.v1.authentication import JWTsignedOauthAppAuthentication
 from eox_core.api.support.v1.permissions import EoxCoreSupportAPIPermission
 from eox_core.api.support.v1.serializers import (
     OauthApplicationSerializer,
@@ -154,7 +155,7 @@ class OauthApplicationAPIView(UserQueryMixin, APIView):
     django_oauth_toolkit Application object.
     """
 
-    authentication_classes = (BearerAuthentication, SessionAuthentication, JwtAuthentication)
+    authentication_classes = (JWTsignedOauthAppAuthentication, BearerAuthentication, SessionAuthentication, JwtAuthentication)
     permission_classes = (EoxCoreSupportAPIPermission,)
     renderer_classes = (JSONRenderer, BrowsableAPIRenderer)
 
@@ -208,7 +209,6 @@ def post(self, request, *args, **kwargs):  # pylint: disable=too-many-locals
             owner user for the application.
         """
         message = "Could not get or create edxapp User"
-
         serializer = OauthApplicationSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 

setup.py

@@ -8,7 +8,6 @@
 
 from setuptools import setup
 
-
 with open("README.rst", "r") as fh:
     README = fh.read()