o 6d+c@slddlZgdZddlZddlZddlZddlZddlZddlmZmZddl m Z m Z m Z m Z ejrr?rrAuse_pkcetimeoutr6r!r!r"r#ys.  zDropboxOAuth2FlowBase.__init__cCstd|jd}|dur||d<|dur||d<|dur%|tvs!J||d<|r/||d<d|d<|durHd ||d <|durH|tvsDJ||d <|d |tS) Ncode)Z response_type client_id redirect_uristater?rFZS256Zcode_challenge_method rrAz/oauth2/authorize)dictr<r:joinINCLUDE_GRANTED_SCOPES_TYPES build_urlr)rrLrMr?rrArFparamsr!r!r"_get_authorize_urls&  z(DropboxOAuth2FlowBase._get_authorize_urlcCs|d}d||jd}|r||d<n|j|d<|jdur"|j|d<|dur*||d<|jj|||jd}||}d |vrE|d }n|d }|d } d |vrV|d } nd } d|vra|d} nd} d|vrl|d} nd} |d} t | || | | | S)Nz /oauth2/tokenZauthorization_code)Z grant_typerJrKrDZ client_secretr>rL)datarIZteam_idrrrr,ruid) rRr<r=r>r@postrBraise_for_statusjsonr)rrJrLrDurlrSrespdrrrr,rrWr!r!r"_finishsJ         zDropboxOAuth2FlowBase._finishcCs`tjrt|tjr|d}t|}|pi}|}|jr"|j|d<|r.t|}d||fS|S)aBuild the path component for an API URL. This method urlencodes the parameters, adds them to the end of the target url, and puts a marker for the API version in front. :param str target: A target url (e.g. '/files') to build upon. :param dict params: Optional dictionary of parameters (name to value). :return: The path and parameters components of an API URL. :rtype: str utf8r>z%s?%s) sixPY2r text_typeencodeurl_path_quotecopyr>_params_to_urlencoded)rtargetrS target_pathZ query_stringr!r!r" build_paths   z DropboxOAuth2FlowBase.build_pathcCsd||||fS)a<Build an API URL. This method adds scheme and hostname to the path returned from build_path. :param str target: A target url (e.g. '/files') to build upon. :param dict params: Optional dictionary of parameters (name to value). :return: The full API URL. :rtype: str z https://%s%s)ri)rrgrShostr!r!r"rRs zDropboxOAuth2FlowBase.build_url)NNNNr/) r&r'r(rr#rTr^rirrRr!r!r!r"r5ws   4r5csBeZdZdZddddddedffdd ZddZdd ZZS) rz OAuth 2 authorization helper for apps that can't provide a redirect URI (such as the command-line example apps). See examples under `example/oauth `_ NFc s&tt|j||||||||| d dS)a Construct an instance. :param str consumer_key: Your API app's "app key". :param str consumer_secret: Your API app's "app secret". :param str locale: The locale of the user of your application. For example "en" or "en_US". Some API calls return localized data and error messages; this setting tells the server which locale to use. By default, the server uses "en_US". :param str token_access_type: the type of token to be requested. From the following enum: * None - creates a token with the app default (either legacy or online) * legacy - creates one long-lived token with no expiration * online - create one short-lived token with an expiration * offline - create one short-lived token with an expiration with a refresh token :param list scope: list of scopes to request in base oauth flow. If left blank, will default to all scopes for app. :param str include_granted_scopes: which scopes to include from previous grants. From the following enum: * user - include user scopes in the grant * team - include team scopes in the grant * *Note*: if this user has never linked the app, include_granted_scopes must be None :param bool use_pkce: Whether or not to use Sha256 based PKCE. PKCE should be only use on client apps which doesn't call your server. It is less secure than non-PKCE flow but can be used if you are unable to safely retrieve your app secret. :param Optional[float] timeout: Maximum duration in seconds that client will wait for any single packet from the server. After the timeout the client will give up on connection. If `None`, client will wait forever. Defaults to 100 seconds. :param str ca_cert: path to CA certificate. If left blank, default certificate location will be used r<r=r>r?rrArHrIr6N)r*rr#rGr-r!r"r#s & z$DropboxOAuth2FlowNoRedirect.__init__cCs|jdd|j|j|j|jdS)a; Starts the OAuth 2 authorization process. :return: The URL for a page on Dropbox's website. This page will let the user "approve" your app, which gives your app permission to access the user's Dropbox account. Tell the user to visit this URL and approve your app. NrrArF)rTr?rrArFr$r!r!r"startFs z!DropboxOAuth2FlowNoRedirect.startcCs||d|jS)a If the user approves your app, they will be presented with an "authorization code". Have the user copy/paste that authorization code into your app and then call this method to get an access token. :param str code: The authorization code shown to the user when they approved your app. :rtype: :class:`OAuth2FlowNoRedirectResult` :raises: The same exceptions as :meth:`DropboxOAuth2Flow.finish()`. N)r^rD)rrJr!r!r"finishSs z"DropboxOAuth2FlowNoRedirect.finish r&r'r(r)rr#rmrnr4r!r!r-r"r s 2 rcsDeZdZdZddddddedffdd Zd ddZdd ZZS) rad OAuth 2 authorization helper. Use this for web apps. OAuth 2 has a two-step authorization process. The first step is having the user authorize your app. The second involves getting an OAuth 2 access token from Dropbox. See examples under `example/oauth `_ NFc s8tt|j|||||| | | | d ||_||_||_dS)a Construct an instance. :param str consumer_key: Your API app's "app key". :param str redirect_uri: The URI that the Dropbox server will redirect the user to after the user finishes authorizing your app. This URI must be HTTPS-based and pre-registered with the Dropbox servers, though localhost URIs are allowed without pre-registration and can be either HTTP or HTTPS. :param dict session: A dict-like object that represents the current user's web session (Will be used to save the CSRF token). :param str csrf_token_session_key: The key to use when storing the CSRF token in the session (For example: "dropbox-auth-csrf-token"). :param str consumer_secret: Your API app's "app secret". :param str locale: The locale of the user of your application. For example "en" or "en_US". Some API calls return localized data and error messages; this setting tells the server which locale to use. By default, the server uses "en_US". :param str token_access_type: The type of token to be requested. From the following enum: * None - creates a token with the app default (either legacy or online) * legacy - creates one long-lived token with no expiration * online - create one short-lived token with an expiration * offline - create one short-lived token with an expiration with a refresh token :param list scope: List of scopes to request in base oauth flow. If left blank, will default to all scopes for app. :param str include_granted_scopes: Which scopes to include from previous grants. From the following enum: * user - include user scopes in the grant * team - include team scopes in the grant * *Note*: If this user has never linked the app, :attr:`include_granted_scopes` must be `None` :param bool use_pkce: Whether or not to use Sha256 based PKCE :param Optional[float] timeout: Maximum duration in seconds that client will wait for any single packet from the server. After the timeout the client will give up on connection. If `None`, client will wait forever. Defaults to 100 seconds. :param str ca_cert: path to CA certificate. If left blank, default certificate location will be used rkN)r*rr#rLsessioncsrf_token_session_key) rr<rLrprqr=r>r?rrArHrIr6r-r!r"r#ms /  zDropboxOAuth2Flow.__init__cCsZttdd}|}|dur|d|7}||j|j<|j|j||j |j |j |j dS)aP Starts the OAuth 2 authorization process. This function builds an "authorization URL". You should redirect your user's browser to this URL, which will give them an opportunity to grant your app access to their Dropbox account. When the user completes this process, they will be automatically redirected to the :attr:`redirect_uri` you passed in to the constructor. This function will also save a CSRF token to :attr:`session[csrf_token_session_key]` (as provided to the constructor). This CSRF token will be checked on :meth:`finish()` to prevent request forgery. :param str url_state: Any data that you would like to keep in the URL through the authorization process. This exact value will be returned to you by :meth:`finish()`. :return: The URL for a page on Dropbox's website. This page will let the user "approve" your app, which gives your app permission to access the user's Dropbox account. Tell the user to visit this URL and approve your app. asciiN|rl) base64urlsafe_b64encodeosurandomdecoderprqrTrLr?rrArF)rr+Z csrf_tokenrMr!r!r"rms  zDropboxOAuth2Flow.startc Csf|d}|dur td|d}|d}|d}|dur(|dur(td|dur4|dur4td|j|jvr>td |j|j}t|d krPtd ||d }|d kr^|}d} n|d |}||dd} t||syt d||f|j|j=|dur|dkr|durt dt d||} |dur| d|7} t | | ||j |j} t| | S)a Call this after the user has visited the authorize URL (see :meth:`start()`), approved your app and was redirected to your redirect URI. :param dict query_params: The query parameters on the GET request to your redirect URI. :rtype: class:`OAuth2FlowResult` :raises: :class:`BadRequestException` If the redirect URL was missing parameters or if the given parameters were not valid. :raises: :class:`BadStateException` If there's no CSRF token in the session. :raises: :class:`CsrfException` If the :attr:`state` query parameter doesn't contain the CSRF token from the user's session. :raises: :class:`NotApprovedException` If the user chose not to approve your app. :raises: :class:`ProviderException` If Dropbox redirected to your redirect URI with some unexpected error identifier and error message. rMNz Missing query parameter 'state'.errorerror_descriptionrJzGQuery parameters 'code' and 'error' are both set; only one must be set.z1Neither query parameter 'code' or 'error' is set.zMissing CSRF token in session.z!CSRF token unexpectedly short: %rrtrr zexpected %r, got %rZ access_deniedz&No additional description from Dropboxz'Additional description from Dropbox: %sz: )getrrqrprr7AssertionErrorfind _safe_equalsrrr r^rLrDr r2) rZ query_paramsrMrzr{rJZcsrf_token_from_sessionZ split_posZgiven_csrf_tokenr+Z full_messageZno_redirect_resultr!r!r"rnsf            zDropboxOAuth2Flow.finishr/ror!r!r-r"ras  >rc@eZdZdZdS)rz Thrown if the redirect URL was missing parameters or if the given parameters were not valid. The recommended action is to show an HTTP 400 error page. Nr&r'r(r)r!r!r!r"rsrc@r)rz Thrown if all the parameters are correct, but there's no CSRF token in the session. This probably means that the session expired. The recommended action is to redirect the user's browser to try the approval process again. Nrr!r!r!r"r$rc@r)rz Thrown if the given 'state' parameter doesn't contain the CSRF token from the user's session. This is blocked to prevent CSRF attacks. The recommended action is to respond with an HTTP 403 error page. Nrr!r!r!r"r.rrc@r)rz1 The user chose not to approve your app. Nrr!r!r!r"r8src@r)r z Dropbox redirected to your redirect URI with some unexpected error identifier and error message. The recommended action is to log the error, tell the user something went wrong, and let them try again. Nrr!r!r!r"r ?rr c@r)r9z Thrown if incorrect types/values are used This should only ever be thrown during testing, app should have validation of input prior to reaching this point Nrr!r!r!r"r9Irr9cCsHt|t|kr dSd}t||D]\}}|t|t|AO}q|dkS)NFr)r7zipord)abrescacbr!r!r"rSs rcs(ddfddt|D}t|S)a  Returns a application/x-www-form-urlencoded :class:`str` representing the key/value pairs in :attr:`params`. Keys are values are ``str()``'d before calling :meth:`urllib.urlencode`, with the exception of unicode objects which are utf8-encoded. cSs4t|tjr|St|tjr|dSt|dS)Nutf-8)rr` binary_typerbrcstr)or!r!r"rcds   z%_params_to_urlencoded..encodecsi|] \}}||qSr!r!).0kvrcr!r" msz)_params_to_urlencoded..)r` iteritems url_encode)rSZ utf8_paramsr!rr"rf\s rfcCs@tttd}tdd|}t|tkr|dd}|S)Nrz [^a-zA-Z0-9]+rVr) rurvrwrxPKCE_VERIFIER_LENGTHryresubr7)rDr!r!r"rCps   rCcCs4t|d}t|d}|dd}|S)Nr=rV)hashlibsha256rcdigestrurvryreplace)rDrFr!r!r"rEws rE)(r__all__rurwr`urllibrr r rprrrrPY3parsequoterd urlencoderr:rQrobjectrr r5rr Exceptionrrrrr r9rrfrCrEr!r!r!r"sD  ('W;