feature: github/google authentication via OAuth2

It is now possible to login (/account) via GitHub
or Google account. The user profile is not saved to
a database.

.env.global

@@ -0,0 +1,28 @@
+# W A R N I N G ! ! !
+# Please leave sensitive variables empty.
+# You can override the empty variables in .env.local
+# They are empty for two reasons: (1) secrecy or (2) need to
+# be defined to reflect the local environment
+root_url=""
+
+github_authorization_base_url="https://github.com/login/oauth/authorize"
+github_token_url="https://github.com/login/oauth/access_token"
+github_user_api="https://api.github.com/user"
+github_scope="read:user"
+github_redirect_uri=""
+github_client_id=""
+github_client_secret=""
+
+google_authorization_base_url="https://accounts.google.com/o/oauth2/auth"
+google_token_url="https://oauth2.googleapis.com/token"
+google_user_api="https://www.googleapis.com/oauth2/v1/userinfo"
+google_scope="https://www.googleapis.com/auth/userinfo.profile"
+google_redirect_uri=""
+google_client_id=""
+google_client_secret=""
+
+# S3 Storage
+aws_access_key_id=
+aws_secret_access_key=
+region_name=
+bucket_name=

.gitignore

@@ -158,3 +158,4 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+.env.local

pyproject.toml

@@ -23,6 +23,8 @@ dependencies = [
     "boto3",
     "cryptography",
     "ipydatagrid",
+    "requests_oauthlib",
+    "python-dotenv",
 ]
 
 [tool.hatch.version]

tomorrowcities/pages/__init__.py

@@ -7,10 +7,42 @@ import os
 import pickle
 import pprint
 from cryptography.fernet import Fernet
-
+from dotenv import dotenv_values
+import secrets
+from requests_oauthlib import OAuth2Session
+from typing import Dict
 from ..data import articles
 
-route_order = ["/", "engine","explore","settings"]
+config = {
+    **dotenv_values(".env.global"),  # global
+    **dotenv_values(".env.local"),  # local sensitive variables
+    **os.environ,  # override loaded values with environment variables
+}
+
+session_storage: Dict[str, Dict[str,str]] = {}
+
+github_client = OAuth2Session(config['github_client_id'], 
+                    scope=[config['github_scope']], 
+                    redirect_uri=config['github_redirect_uri'])
+google_client = OAuth2Session(config['google_client_id'], 
+                    scope=[config['google_scope']], 
+                    redirect_uri=config['google_redirect_uri'])
+
+route_order = ["/", "engine","explore","settings","account"]
+
+def store_in_session_storage(key, value):
+    sesssion_id = solara.get_session_id()
+    if sesssion_id in session_storage.keys():
+        session_storage[sesssion_id][key] = value
+    else:
+        session_storage[sesssion_id] = {key: value}
+
+def read_from_session_storage(key):
+    sesssion_id = solara.get_session_id()
+    if sesssion_id in session_storage.keys():
+        if key in session_storage[sesssion_id].keys():
+            return session_storage[sesssion_id][key]
+    return None
 
 def check_auth(route, children):
     # This can be replaced by a custom function that checks if the user is
@@ -36,10 +68,11 @@ def check_auth(route, children):
 @dataclasses.dataclass
 class User:
     username: str
+    user_profile: Dict = None
     admin: bool = False
 
 
-user = solara.reactive(cast(Optional[User], None))
+user = solara.reactive(cast(Optional[User], read_from_session_storage('user')))
 login_failed = solara.reactive(False)
 
 
@@ -48,24 +81,42 @@ def login_control(username: str, password: str):
     if username == "test" and password == "test":
         user.value = User(username, admin=False)
         login_failed.value = False
+        store_in_session_storage('user', user.value)
     elif username == "admin" and password == "admin":
         user.value = User(username, admin=True)
         login_failed.value = False
+        store_in_session_storage('user', user.value)
     else:
         login_failed.value = True
 
 
 @solara.component
 def LoginForm():
+    github_authorization_url, github_state = github_client.authorization_url(
+        config['github_authorization_base_url'],
+        access_type="offline", 
+        prompt="select_account"
+    )
+
+    google_authorization_url, google_state = google_client.authorization_url(
+        config['google_authorization_base_url'],
+        access_type="offline", 
+        prompt="select_account"
+    )
+
+    store_in_session_storage('github_state', github_state)
+    store_in_session_storage('google_state', google_state)
+
     username = solara.use_reactive("")
     password = solara.use_reactive("")
     with solara.Card("Login"):
-        solara.Markdown(
-            """
-        This is an example login form.
-          * use test/test to login as a normal user.
-        """
-        )
+        with solara.Row():
+            solara.Button(label="Login via Google", icon_name="mdi-google", 
+                attributes={"href": google_authorization_url}, text=True, outlined=True, 
+                on_click=lambda: store_in_session_storage('auth_company','google'))
+            solara.Button(label="Login via GitHub", icon_name="mdi-github-circle", 
+                attributes={"href": github_authorization_url}, text=True, outlined=True,
+                on_click=lambda: store_in_session_storage('auth_company','github'))
         solara.InputText(label="Username", value=username)
         solara.InputText(label="Password", password=True, value=password)
         solara.Button(label="Login", on_click=lambda: login_control(username.value, password.value))

tomorrowcities/pages/account.py

@@ -2,13 +2,83 @@ from typing import Optional
 import solara
 import os
 import pprint
+from urllib.parse import parse_qs
+import json
+
+from . import user, User, login_failed, config, LoginForm, \
+              github_client, google_client, \
+              session_storage, read_from_session_storage, store_in_session_storage
+
+
+# used only to force updating of the page
+force_update_counter = solara.reactive(0)
+
+def is_callback(router):
+    if router.search is not None:
+        params = parse_qs(router.search)
+        if set({'code','state'}).issubset(set(params.keys())):
+            return True
+    return False
 
-from . import user
-from . import LoginForm
 
 @solara.component
 def Page():
     solara.Title(" ")
+
     if user.value is None:
-        LoginForm()
+        LoginForm()        
+    else:
+        solara.Text(f'Hello {user.value.username}')
+        if user.value.user_profile:
+            for key, value in user.value.user_profile.items():
+                if key in ['avatar_url', 'picture']:
+                    solara.Image(value)
+                else:
+                    solara.Text(f'{key}: {value}')
+
+    router = solara.use_router()
+    if is_callback(router):
+        print('entering callback')
+        # callback is made
+        if router.search is not None:
+            params = parse_qs(router.search)
+            print('callback is made',params)
+            code = params['code'][0]
+            state = params['state'][0]
+
+            auth_company = read_from_session_storage('auth_company')
+            state_in_session = read_from_session_storage(f'{auth_company}_state')
+            
+            # Silently ignore state mismatch
+            # TODO: display a warning message
+            if state_in_session != state:
+                return
+            redirect_response = config['root_url'] + '/' +router.path+'?'+router.search
+            if auth_company == 'github':
+                client = github_client
+            elif auth_company == 'google':
+                client = google_client
+            else:
+                client = None
+            
+            client.fetch_token(config[f'{auth_company}_token_url'], 
+                    client_secret=config[f'{auth_company}_client_secret'],
+                    authorization_response=redirect_response)
+
+            r = client.get(config[f'{auth_company}_user_api'])
+            user_dict = json.loads(r.content.decode('utf-8'))
+            print(user_dict)
+            username = user_dict['name']
+            user.value = User(username, admin=False, user_profile=user_dict)
+            
+            login_failed.value = False
+
+            store_in_session_storage('user', user.value)
+           
+            # used only to force updating of the page
+            force_update_counter.value += 1
+            router.push('/account')
+
+
+