Update main.py
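--- a/main.py
+++ b/main.py
@@ -186,10 +186,10 @@ def verify_token(req):
     """
     Verify Firebase ID token and check if user is admin.
     Automatically creates admin entry in DB if email is in ADMIN_EMAILS but UID is not found.
+    Tries to extract email from token claims or firebase identities.
     Returns decoded token dict if valid admin, None otherwise.
     """
-    #
-    logger = logging.getLogger('guards_api')
+    logger = logging.getLogger('guards_api') # Assuming logger is configured as in your full script
 
     auth_header = req.headers.get("Authorization")
     if not auth_header:
@@ -207,15 +207,37 @@ def verify_token(req):
         decoded = firebase_auth.verify_id_token(token)
         logger.debug(f"Token verified successfully. Decoded token keys: {list(decoded.keys())}")
 
-        # Get user UID
-        uid = decoded.get('uid')
-
-        logger.debug(f"Extracted UID: {uid}, Email: {email}")
+        # Get user UID from decoded token
+        uid = decoded.get('uid') or decoded.get('user_id') # Fallback to 'user_id' if 'uid' is missing (though 'uid' should be standard)
+        logger.debug(f"Extracted UID: {uid}")
 
         if not uid:
-            logger.error("Verified token does not contain a UID.")
+            logger.error("Verified token does not contain a UID or user_id.")
             return None
 
+        # Attempt to get email from decoded token
+        email = decoded.get('email')
+        logger.debug(f"Direct email claim from token: {email}")
+
+        # If email not directly available, try to get it from firebase identities
+        if not email and 'firebase' in decoded and 'identities' in decoded['firebase']:
+            identities = decoded['firebase']['identities']
+            logger.debug(f"Firebase identities found: {identities}")
+            # Common provider emails (Google, etc.)
+            google_emails = identities.get('google.com', [])
+            if google_emails and isinstance(google_emails, list):
+                email = google_emails[0] # Take the first one if multiple
+                logger.debug(f"Email extracted from google.com identity: {email}")
+            # Add checks for other providers if needed (e.g., 'email', etc.)
+            # Fallback: check if there's a generic 'email' list
+            if not email:
+                generic_emails = identities.get('email', [])
+                if generic_emails and isinstance(generic_emails, list):
+                    email = generic_emails[0]
+                    logger.debug(f"Email extracted from generic 'email' identity: {email}")
+
+        logger.debug(f"Final extracted email: {email}")
+
         # Check if user is admin by querying Firebase Realtime Database using UID
         admins_ref = db.reference("/admins")
         admin_data = admins_ref.child(uid).get()
@@ -241,15 +263,13 @@ def verify_token(req):
                 # Return the decoded token as they are now an admin
                 return decoded
             except Exception as db_error:
-                logger.error(f"Failed to create admin entry for UID {uid} in database: {db_error}")
-                #
-                # but it's safer to deny access if we can't record it.
-                # Alternatively: return decoded (less safe) or return None (safer)
+                logger.error(f"Failed to create admin entry for UID {uid} in database: {db_error}", exc_info=True)
+                # Deny access if we can't record it
                 return None
 
         else:
-            # User is not in the approved admin list or email not found
-            logger.warning(f"User {uid} ({email}) is not in the approved admin list or email not found.")
+            # User is not in the approved admin list or email not found/extractable
+            logger.warning(f"User {uid} (Email: {email}) is not in the approved admin list or email not found/extractable.")
             return None
 
     except firebase_auth.InvalidIdTokenError as e: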
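Review bot: The email that feeds the ADMIN_EMAILS auto-provisioning (new lines 219–237 of the second hunk) is taken from the token without checking `email_verified`, so an account created through the email/password provider with an unverified admin address — or an address pulled from `firebase.identities`, which carries no verification status at all — would be auto-promoted to admin by the branch that sits between the second and third hunks. I would gate it right after `email = decoded.get('email')` with `if email and not decoded.get('email_verified', False):` / `email = None  # never auto-provision admin from an unverified address`, and drop or at least not trust the identities fallback for this decision. Note also that `identities['google.com']` typically holds the Google account ID rather than an email address, so that fallback likely never yields a usable email — worth confirming against a real token before keeping it. Logging the whole `identities` dict and extracted addresses at debug level puts account identifiers into logs; consider trimming that. verify_token begins before the first hunk, and the ADMIN_EMAILS comparison and the DB write sit between hunks, outside this view.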