Merge remote-tracking branch 'origin/dev' into dark-mode

Author: chaizhang

.env.example

@@ -10,10 +10,6 @@ REVIEW_DRIVE_ID=?
 REVIEW_DRIVE_EMAIL=?
 REVIEW_DRIVE_PASSWORD=?
 
-# social-auth-app-django library
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=?
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=?
-
 # database
 DB_USER=?
 DB_NAME=?
@@ -34,3 +30,10 @@ AWS_SECRET_ACCESS_KEY=?
 # s3
 AWS_STORAGE_BUCKET_NAME=?
 AWS_S3_REGION_NAME=?
+
+# AWS Cognito
+COGNITO_USER_POOL_ID=?
+COGNITO_APP_CLIENT_ID=?
+COGNITO_APP_CLIENT_SECRET=?
+COGNITO_DOMAIN=?
+COGNITO_REGION_NAME=?

.github/workflows/aws.yml

@@ -22,9 +22,12 @@ env:
   AWS_RDS_PASSWORD: ${{ secrets.AWS_DS_PASSWORD }}
   AWS_RDS_HOST: ${{ secrets.AWS_RDS_HOST }}
   AWS_RDS_PORT: ${{ secrets.AWS_RDS_PORT }}
-  # social-auth-app-django
-  SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: ${{ secrets.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY }}
-  SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET: ${{ secrets.SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET }}
+  # AWS Cognito
+  COGNITO_USER_POOL_ID: ${{ secrets.COGNITO_USER_POOL_ID }}
+  COGNITO_APP_CLIENT_ID: ${{ secrets.COGNITO_APP_CLIENT_ID }}
+  COGNITO_APP_CLIENT_SECRET: ${{ secrets.COGNITO_APP_CLIENT_SECRET }}
+  COGNITO_DOMAIN: ${{ secrets.COGNITO_DOMAIN }}
+  COGNITO_REGION_NAME: ${{ secrets.COGNITO_REGION_NAME }}
   # email for account verification
   EMAIL_HOST_USER: ${{ secrets.EMAIL_HOST_USER }}
   EMAIL_HOST_PASSWORD: ${{ secrets.EMAIL_HOST_PASSWORD }}

.github/workflows/ci.yml

@@ -21,9 +21,12 @@ env:
   DB_PASSWORD: postgres # default password
   DB_HOST: localhost # required for GitHub Actions
   DB_PORT: 5432 # default port
-  # social-auth-app-django
-  SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: ${{ secrets.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY }}
-  SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET: ${{ secrets.SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET }}
+  # AWS Cognito
+  COGNITO_USER_POOL_ID: ${{ secrets.COGNITO_USER_POOL_ID }}
+  COGNITO_APP_CLIENT_ID: ${{ secrets.COGNITO_APP_CLIENT_ID }}
+  COGNITO_APP_CLIENT_SECRET: ${{ secrets.COGNITO_APP_CLIENT_SECRET }}
+  COGNITO_DOMAIN: ${{ secrets.COGNITO_DOMAIN }}
+  COGNITO_REGION_NAME: ${{ secrets.COGNITO_REGION_NAME }}
   # email for account verification
   EMAIL_HOST_USER: ${{ secrets.EMAIL_HOST_USER }}
   EMAIL_HOST_PASSWORD: ${{ secrets.EMAIL_HOST_PASSWORD }}

requirements.txt

@@ -27,3 +27,4 @@ social-auth-app-django~=5.4.0
 tqdm~=4.66.1
 types-tqdm~=4.66.0
 uWSGI~=2.0.28
+python-jose~=3.4.0

tcf_core/cognito_middleware.py

@@ -0,0 +1,22 @@
+"""Middleware for handling Cognito authentication"""
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+class CognitoAuthMiddleware:  # pylint: disable=too-few-public-methods
+    """
+    Middleware that processes Cognito tokens in HTTP requests
+
+    This middleware checks for tokens in cookies or headers and authenticates users
+    """
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # The middleware only runs for the callback path
+        # The actual authentication is handled in the view
+        response = self.get_response(request)
+        return response

tcf_core/settings/base.py

@@ -42,7 +42,6 @@
     "django.contrib.messages",
     # "collectfast",
     "django.contrib.staticfiles",
-    "social_django",
     "cachalot",  # TODO: add Redis?
     "storages",
     "rest_framework",
@@ -113,6 +112,7 @@
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "tcf_core.cognito_middleware.CognitoAuthMiddleware",
     "tcf_core.settings.handle_exceptions_middleware.HandleExceptionsMiddleware",
     "tcf_core.settings.record_middleware.RecordMiddleware",
 ]
@@ -178,45 +178,25 @@
 
 # social-auth-app-django settings.
 
+# AWS Cognito Configuration
+COGNITO_USER_POOL_ID = env.str("COGNITO_USER_POOL_ID")
+COGNITO_APP_CLIENT_ID = env.str("COGNITO_APP_CLIENT_ID")
+COGNITO_APP_CLIENT_SECRET = env.str("COGNITO_APP_CLIENT_SECRET")
+COGNITO_DOMAIN = env.str("COGNITO_DOMAIN")
+COGNITO_REGION_NAME = env.str("COGNITO_REGION_NAME")
+
+# These should match exactly what you configured in Cognito
+COGNITO_REDIRECT_URI = "/cognito-callback"
+COGNITO_LOGOUT_URI = "/"
+
+# Replace social auth backends with custom Cognito backend
 AUTHENTICATION_BACKENDS = (
-    "social_core.backends.google.GoogleOAuth2",
-    "social_core.backends.email.EmailAuth",
+    "tcf_website.auth_backends.CognitoBackend",
     "django.contrib.auth.backends.ModelBackend",
 )
-# TODO: Look into options like SOCIAL_AUTH_LOGIN_ERROR_URL or LOGIN_ERROR_URL
-SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = env.str("SOCIAL_AUTH_GOOGLE_OAUTH2_KEY")
-SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = env.str("SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET")
-SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = ["virginia.edu"]
-SOCIAL_AUTH_LOGIN_REDIRECT_URL = reverse_lazy("browse")
-
-SOCIAL_AUTH_EMAIL_FORM_URL = "/"
-EMAIL_VALIDATION_URL = "email_verification"
-SOCIAL_AUTH_EMAIL_VALIDATION_FUNCTION = "tcf_core.auth_pipeline.validate_email"
-SOCIAL_AUTH_EMAIL_AUTH_WHITELISTED_DOMAINS = ["virginia.edu"]
 
-WHITELISTED_DOMAINS = ["virginia.edu"]
-
-SOCIAL_AUTH_GOOGLE_OAUTH2_LOGIN_URL = reverse_lazy(
-    "social:begin", args=["google-oauth2"]
-)
-SOCIAL_AUTH_RAISE_EXCEPTIONS = False
-SOCIAL_AUTH_PIPELINE = (
-    "tcf_core.auth_pipeline.password_validation",
-    "social_core.pipeline.social_auth.social_details",
-    "social_core.pipeline.social_auth.social_uid",
-    "tcf_core.auth_pipeline.auth_allowed",
-    "social_core.pipeline.social_auth.social_user",
-    "social_core.pipeline.user.get_username",
-    "tcf_core.auth_pipeline.mail_validation",
-    "social_core.pipeline.social_auth.associate_by_email",
-    "tcf_core.auth_pipeline.collect_extra_info",
-    "tcf_core.auth_pipeline.create_user",
-    "social_core.pipeline.social_auth.associate_user",
-    "tcf_core.auth_pipeline.check_user_password",
-    "social_core.pipeline.social_auth.load_extra_data",
-    "social_core.pipeline.user.user_details",
-)
-SOCIAL_AUTH_USER_MODEL = "tcf_website.User"
+# Login URL for redirecting unauthenticated users
+LOGIN_URL = reverse_lazy("login")
 
 AUTH_USER_MODEL = "tcf_website.User"
 

tcf_website/auth_backends.py

@@ -0,0 +1,131 @@
+"""Custom authentication backend for AWS Cognito."""
+
+import json
+import logging
+import time
+from urllib.request import urlopen
+
+import jose.jwk
+import jose.jwt
+from jose.exceptions import JWKError
+from django.conf import settings
+from django.contrib.auth import get_user_model
+
+User = get_user_model()
+logger = logging.getLogger(__name__)
+
+
+class CognitoBackend:
+    """
+    Authentication backend for validating user against AWS Cognito
+    """
+
+    def authenticate(self, request, token=None):
+        """
+        Authenticate the user using the token provided by Cognito
+        """
+        if token is None:
+            return None
+
+        try:
+            # Validate the token
+            claims = self.validate_token(token)
+            if not claims:
+                return None
+
+            # Get user info from the claims
+            email = claims.get("email")
+            username = email.split("@")[0]
+
+            if not username:
+                return None
+
+            # Get or create the user
+            user, created = User.objects.get_or_create(
+                username=username,
+                defaults={
+                    "email": email,
+                    "computing_id": username,
+                    "first_name": claims.get("given_name", ""),
+                    "last_name": claims.get("family_name", ""),
+                },
+            )
+
+            # Update user attributes if they've changed
+            if not created:
+                updated = False
+                for attr, value in {
+                    "email": email,
+                    "computing_id": username,
+                    "first_name": claims.get("given_name", user.first_name),
+                    "last_name": claims.get("family_name", user.last_name),
+                }.items():
+                    if getattr(user, attr) != value:
+                        setattr(user, attr, value)
+                        updated = True
+
+                if updated:
+                    user.save()
+
+            return user
+        except (ValueError, jose.JWTError) as e:
+            logger.exception("Error authenticating with Cognito: %s", str(e))
+            return None
+
+    def get_user(self, user_id):
+        """
+        Retrieve a user by their ID
+        """
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+    def validate_token(self, token):
+        """
+        Validate the JWT token from Cognito
+        """
+        # Get the JWKs from Cognito
+        jwks_url = (
+            f"https://cognito-idp.{settings.COGNITO_REGION_NAME}.amazonaws.com/"
+            f"{settings.COGNITO_USER_POOL_ID}/.well-known/jwks.json"
+        )
+
+        try:
+            with urlopen(jwks_url) as response:
+                jwks = json.loads(response.read())
+
+            # Extract the key ID from the token
+            headers = jose.jwt.get_unverified_header(token)
+            kid = headers["kid"]
+
+            # Find the matching key
+            key = next((k for k in jwks["keys"] if k["kid"] == kid), None)
+            if not key:
+                logger.warning("Matching key not found for kid %s", kid)
+                return None
+
+            # Construct the public key
+            public_key = jose.jwk.construct(key)
+
+            # Verify the token
+            claims = jose.jwt.decode(
+                token,
+                public_key,
+                algorithms=["RS256"],
+                audience=settings.COGNITO_APP_CLIENT_ID,
+                options={
+                    "verify_at_hash": False,
+                },
+            )
+
+            # Check if token is expired
+            current_time = time.time()
+            if current_time > claims["exp"]:
+                logger.warning("Token has expired")
+                return None
+
+            return claims
+        except (jose.JWTError, JWKError, KeyError, ValueError) as e:
+            logger.exception("Error validating token: %s", str(e))
+            return None

tcf_website/models/models.py

@@ -11,9 +11,23 @@
 from django.core.paginator import EmptyPage, Page, Paginator
 from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
-from django.db.models import (Avg, Case, CharField, Exists, ExpressionWrapper,
-                              F, FloatField, OuterRef, Q, QuerySet, Subquery,
-                              Sum, Value, When, fields)
+from django.db.models import (
+    Avg,
+    Case,
+    CharField,
+    Exists,
+    ExpressionWrapper,
+    F,
+    FloatField,
+    OuterRef,
+    Q,
+    QuerySet,
+    Subquery,
+    Sum,
+    Value,
+    When,
+    fields,
+)
 from django.db.models.functions import Abs, Cast, Coalesce, Concat, Round
 
 # pylint: disable=line-too-long

tcf_website/static/login/google_login_spritesheet.png

@@ -43,6 +43,7 @@ <h4 class="card-title">
   </div>
   <div class="pagination">
     {% if paginated_courses.has_previous %}
+      <a href="?page={{ 1 }}{% if query_params %}&{{ query_params }}{% endif %}">&lt;&lt;</a>
       <a href="?page={{ paginated_courses.previous_page_number }}{% if query_params %}&{{ query_params }}{% endif %}">&lt;</a>
     {% endif %}
 
@@ -84,6 +85,7 @@ <h4 class="card-title">
 
     {% if paginated_courses.has_next %}
       <a href="?page={{ paginated_courses.next_page_number }}{% if query_params %}&{{ query_params }}{% endif %}">&gt;</a>
+      <a href="?page={{ paginated_courses.paginator.num_pages }}{% if query_params %}&{{ query_params }}{% endif %}">&gt;&gt;</a>
     {% endif %}
   </div>  
 </div>