(
request: Request,
access_token_state: tuple[OAuth2Token, str] = Depends(
oauth2_authorize_callback
),
user_manager: BaseUserManager[models.UP, models.ID] = Depends(get_user_manager),
strategy: Strategy[models.UP, models.ID] = Depends(backend.get_strategy),
)
| 137 | }, |
| 138 | ) |
| 139 | async def callback( |
| 140 | request: Request, |
| 141 | access_token_state: tuple[OAuth2Token, str] = Depends( |
| 142 | oauth2_authorize_callback |
| 143 | ), |
| 144 | user_manager: BaseUserManager[models.UP, models.ID] = Depends(get_user_manager), |
| 145 | strategy: Strategy[models.UP, models.ID] = Depends(backend.get_strategy), |
| 146 | ): |
| 147 | token, state = access_token_state |
| 148 | |
| 149 | try: |
| 150 | state_data = decode_jwt(state, state_secret, [STATE_TOKEN_AUDIENCE]) |
| 151 | except jwt.DecodeError: |
| 152 | raise HTTPException( |
| 153 | status_code=status.HTTP_400_BAD_REQUEST, |
| 154 | detail=ErrorCode.ACCESS_TOKEN_DECODE_ERROR, |
| 155 | ) |
| 156 | except jwt.ExpiredSignatureError: |
| 157 | raise HTTPException( |
| 158 | status_code=status.HTTP_400_BAD_REQUEST, |
| 159 | detail=ErrorCode.ACCESS_TOKEN_ALREADY_EXPIRED, |
| 160 | ) |
| 161 | |
| 162 | cookie_csrf_token = request.cookies.get(csrf_token_cookie_name) |
| 163 | state_csrf_token = state_data.get(CSRF_TOKEN_KEY) |
| 164 | if ( |
| 165 | not cookie_csrf_token |
| 166 | or not state_csrf_token |
| 167 | or not secrets.compare_digest(cookie_csrf_token, state_csrf_token) |
| 168 | ): |
| 169 | raise HTTPException( |
| 170 | status_code=status.HTTP_400_BAD_REQUEST, |
| 171 | detail=ErrorCode.OAUTH_INVALID_STATE, |
| 172 | ) |
| 173 | |
| 174 | account_id, account_email = await oauth_client.get_id_email( |
| 175 | token["access_token"] |
| 176 | ) |
| 177 | |
| 178 | if account_email is None: |
| 179 | raise HTTPException( |
| 180 | status_code=status.HTTP_400_BAD_REQUEST, |
| 181 | detail=ErrorCode.OAUTH_NOT_AVAILABLE_EMAIL, |
| 182 | ) |
| 183 | |
| 184 | try: |
| 185 | user = await user_manager.oauth_callback( |
| 186 | oauth_client.name, |
| 187 | token["access_token"], |
| 188 | account_id, |
| 189 | account_email, |
| 190 | token.get("expires_at"), |
| 191 | token.get("refresh_token"), |
| 192 | request, |
| 193 | associate_by_email=associate_by_email, |
| 194 | is_verified_by_default=is_verified_by_default, |
| 195 | ) |
| 196 | except UserAlreadyExists: |
nothing calls this directly
no test coverage detected