# Harden Wix test routes behind admin+env gating
This commit is contained in:
ي
@@ -48,7 +48,94 @@ class WixOAuthService:
|
||||
is_active BOOLEAN DEFAULT TRUE
|
||||
)
|
||||
''')
|
||||
cursor.execute('''
|
||||
CREATE TABLE IF NOT EXISTS wix_oauth_pkce_states (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
user_id TEXT NOT NULL,
|
||||
state TEXT NOT NULL UNIQUE,
|
||||
code_verifier TEXT NOT NULL,
|
||||
expires_at TIMESTAMP NOT NULL,
|
||||
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
|
||||
used_at TIMESTAMP
|
||||
)
|
||||
''')
|
||||
cursor.execute('''
|
||||
CREATE INDEX IF NOT EXISTS idx_wix_oauth_pkce_user_state
|
||||
ON wix_oauth_pkce_states (user_id, state)
|
||||
''')
|
||||
conn.commit()
|
||||
|
||||
def cleanup_expired_pkce_states(self, user_id: str) -> int:
|
||||
"""Delete expired or already-used PKCE state records."""
|
||||
try:
|
||||
self._init_db(user_id)
|
||||
db_path = self._get_db_path(user_id)
|
||||
with sqlite3.connect(db_path) as conn:
|
||||
cursor = conn.cursor()
|
||||
cursor.execute(
|
||||
'''
|
||||
DELETE FROM wix_oauth_pkce_states
|
||||
WHERE used_at IS NOT NULL OR expires_at <= datetime('now')
|
||||
'''
|
||||
)
|
||||
deleted = cursor.rowcount
|
||||
conn.commit()
|
||||
return deleted if deleted is not None else 0
|
||||
except Exception as e:
|
||||
logger.warning(f"Failed to cleanup expired Wix PKCE states for user {user_id}: {e}")
|
||||
return 0
|
||||
|
||||
def store_pkce_verifier(self, user_id: str, state: str, code_verifier: str, ttl_seconds: int = 600) -> bool:
|
||||
"""Store PKCE code verifier by OAuth state with short TTL."""
|
||||
try:
|
||||
self._init_db(user_id)
|
||||
self.cleanup_expired_pkce_states(user_id)
|
||||
db_path = self._get_db_path(user_id)
|
||||
expires_at = datetime.now() + timedelta(seconds=ttl_seconds)
|
||||
with sqlite3.connect(db_path) as conn:
|
||||
cursor = conn.cursor()
|
||||
cursor.execute(
|
||||
'''
|
||||
INSERT OR REPLACE INTO wix_oauth_pkce_states (user_id, state, code_verifier, expires_at, created_at, used_at)
|
||||
VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP, NULL)
|
||||
''',
|
||||
(user_id, state, code_verifier, expires_at)
|
||||
)
|
||||
conn.commit()
|
||||
return True
|
||||
except Exception as e:
|
||||
logger.error(f"Failed storing Wix PKCE verifier for user {user_id}, state {state}: {e}")
|
||||
return False
|
||||
|
||||
def consume_pkce_verifier(self, user_id: str, state: str) -> Optional[str]:
|
||||
"""Get and invalidate one-time PKCE verifier for a state if valid and unexpired."""
|
||||
try:
|
||||
self._init_db(user_id)
|
||||
self.cleanup_expired_pkce_states(user_id)
|
||||
db_path = self._get_db_path(user_id)
|
||||
with sqlite3.connect(db_path) as conn:
|
||||
cursor = conn.cursor()
|
||||
cursor.execute(
|
||||
'''
|
||||
SELECT id, code_verifier
|
||||
FROM wix_oauth_pkce_states
|
||||
WHERE user_id = ? AND state = ? AND used_at IS NULL AND expires_at > datetime('now')
|
||||
LIMIT 1
|
||||
''',
|
||||
(user_id, state)
|
||||
)
|
||||
row = cursor.fetchone()
|
||||
if not row:
|
||||
return None
|
||||
cursor.execute(
|
||||
"UPDATE wix_oauth_pkce_states SET used_at = CURRENT_TIMESTAMP WHERE id = ?",
|
||||
(row[0],)
|
||||
)
|
||||
conn.commit()
|
||||
return row[1]
|
||||
except Exception as e:
|
||||
logger.error(f"Failed consuming Wix PKCE verifier for user {user_id}, state {state}: {e}")
|
||||
return None
|
||||
|
||||
def store_tokens(
|
||||
self,
|
||||
@@ -302,4 +389,3 @@ class WixOAuthService:
|
||||
except Exception as e:
|
||||
logger.error(f"Error revoking Wix token: {e}")
|
||||
return False
|
||||
|
||||
|
||||
@@ -40,7 +40,7 @@ class WixService:
|
||||
if not self.client_id:
|
||||
logger.warning("Wix client ID not configured. Set WIX_CLIENT_ID environment variable.")
|
||||
|
||||
def get_authorization_url(self, state: str = None) -> str:
|
||||
def get_authorization_url(self, state: str = None) -> Dict[str, str]:
|
||||
"""
|
||||
Generate Wix OAuth authorization URL for "on behalf of user" authentication
|
||||
|
||||
@@ -54,8 +54,7 @@ class WixService:
|
||||
Authorization URL for user to visit
|
||||
"""
|
||||
url, code_verifier = self.auth_service.generate_authorization_url(state)
|
||||
self._code_verifier = code_verifier
|
||||
return url
|
||||
return {"authorization_url": url, "state": state, "code_verifier": code_verifier}
|
||||
|
||||
def _create_redirect_session_for_auth(self, redirect_uri: str, client_id: str, code_challenge: str, state: str) -> str:
|
||||
"""
|
||||
@@ -97,13 +96,13 @@ class WixService:
|
||||
logger.error(f"Failed to create redirect session for auth: {e}")
|
||||
raise
|
||||
|
||||
def exchange_code_for_tokens(self, code: str, code_verifier: str = None) -> Dict[str, Any]:
|
||||
def exchange_code_for_tokens(self, code: str, code_verifier: str) -> Dict[str, Any]:
|
||||
"""
|
||||
Exchange authorization code for access and refresh tokens using PKCE
|
||||
|
||||
Args:
|
||||
code: Authorization code from Wix
|
||||
code_verifier: PKCE code verifier (uses stored one if not provided)
|
||||
code_verifier: PKCE code verifier
|
||||
|
||||
Returns:
|
||||
Token response with access_token, refresh_token, etc.
|
||||
@@ -111,9 +110,7 @@ class WixService:
|
||||
if not self.client_id:
|
||||
raise ValueError("Wix client ID not configured")
|
||||
if not code_verifier:
|
||||
code_verifier = getattr(self, '_code_verifier', None)
|
||||
if not code_verifier:
|
||||
raise ValueError("Code verifier not found. Please provide code_verifier parameter.")
|
||||
raise ValueError("Code verifier is required.")
|
||||
try:
|
||||
return self.auth_service.exchange_code_for_tokens(code, code_verifier)
|
||||
except requests.RequestException as e:
|
||||
|
||||
Reference in New Issue
Block a user