client: extend authentication to support API token

martonilles · martonilles · commit 891633bbfed1 · 2023-10-31T21:54:52.000+01:00
API token is actually a tenant token, so there is no need to specify the
tenant to be used, neither to request a new tenant token as API tokens
have a longer validity period. (Also it is not possible to renew an API
token.)

When accessing the API using a tenant token, we can query the tenant name
using a GraphQL query, this way can test the access and acquire the tenant
name as well.
diff --git a/onekey_client/client.py b/onekey_client/client.py
@@ -28,7 +28,7 @@
 def _login_required(func):
     @functools.wraps(func)
     def wrapper(self, *args, **kwargs):
-        if self._state.raw_id_token is None:
+        if not self._state.tenants:
             raise errors.NotLoggedIn
 
         return func(self, *args, **kwargs)
@@ -116,6 +116,21 @@ def login(self, email: str, password: str):
         self._state.email = email
         self._state.raw_id_token = json_res["id_token"]
 
+    def use_token(self, token: str):
+        try:
+            tenant_id, _ = token.split("/", 1)
+        except ValueError:
+            raise errors.InvalidAPIToken()
+
+        self._state.raw_tenant_token = token
+
+        self_query = load_query("get_self.graphql")
+        response = self.query(self_query)
+        self._state.email = response["user"]["email"]
+        tenant = m.Tenant(id=tenant_id, name=response["tenant"]["name"])
+        self._state.tenants = {tenant.name: tenant}
+        self._state.tenant = tenant
+
     def _post(self, path: str, headers: Optional[Dict] = None, **kwargs):
         response = self._client.post(path, headers=headers, **kwargs)
         response.raise_for_status()
@@ -163,7 +178,8 @@ def use_tenant(self, tenant: m.Tenant):
 
     @_tenant_required
     def refresh_tenant_token(self):
-        self.use_tenant(self._state.tenant)
+        if self._state.raw_id_token is not None:
+            self.use_tenant(self._state.tenant)
 
     @_tenant_required
     def query(self, query: str, variables: Optional[Dict] = None, timeout=60):
diff --git a/onekey_client/errors.py b/onekey_client/errors.py
@@ -12,18 +12,25 @@ def __init__(self, message: Optional[str] = None):
 class NotLoggedIn(ClientError):
     MESSAGE = (
         "You are not logged in yet. \n"
-        "You have to call client.login(email, password) first."
+        "You have to call client.login(email, password) first or provide API token with use_token()."
     )
 
 
 class TenantNotSelected(ClientError):
-    MESSAGE = "You have to select a Tenant (Environment) with client.use_tenant(tenant) first."
+    MESSAGE = (
+        "You have to select a Tenant (Environment) with client.use_tenant(tenant) first"
+        "or provide API token with use_token()."
+    )
 
 
 class InvalidCABundle(ClientError):
     MESSAGE = "The CA bundle is invalid or doesn't exist."
 
 
+class InvalidAPIToken(ClientError):
+    MESSAGE = "The API Token is invalid."
+
+
 class QueryError(ClientError):
     """raised when a GraphQL query returns errors."""
 
diff --git a/onekey_client/queries/get_self.graphql b/onekey_client/queries/get_self.graphql
@@ -0,0 +1,8 @@
+query {
+    tenant {
+        name
+    }
+    user {
+        email
+    }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,8 @@ @@
 +query {
 +    tenant {
 +        name
 +    }
 +    user {
 +        email
 +    }
 +}