mycodeplug/mail.py: send OTP token via mailgun

masenf · masenf · commit 8c96fd254574 · 2021-11-14T12:45:05.000-08:00
if MG_TOKEN and MG_DOMAIN are not in the environ
then fall back to the "print to console" method
of delivering the OTP from the user module (now
called "local_otp_delivery").
diff --git a/src/mycodeplug/api.py b/src/mycodeplug/api.py
@@ -1,17 +1,17 @@
 import importlib.metadata
-import logging
 import os
 from typing import Optional
 
 from fastapi import Depends, FastAPI, HTTPException, Request
 from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from pydantic import BaseModel
 
+from .logging import getLogger
+from .mail import otp_delivery
 from .user import (
     AuthenticationError,
     EditableUser,
     get_current_active,
-    otp_delivery,
     Token,
     UnknownUser,
     User,
@@ -20,13 +20,7 @@
 APP_NAME = "mycodeplug"
 
 app = FastAPI()
-
-# set logging based on MYCODEPLUG_LOGLEVEL
-app_loglevel = getattr(logging, os.environ.get("MYCODEPLUG_LOGLEVEL", "INFO").upper())
-uvicorn_logger = logging.getLogger("uvicorn")
-logger = logging.getLogger(APP_NAME)
-logger.setLevel(app_loglevel)
-logger.handlers = uvicorn_logger.handlers
+logger = getLogger(APP_NAME)
 
 
 class RootData(BaseModel):
@@ -47,7 +41,7 @@ async def root() -> RootData:
 
 
 @app.post("/login")
-async def login(email: str, request: Request, deliver = Depends(otp_delivery)):
+def login(email: str, request: Request, deliver = Depends(otp_delivery)):
     """
     Trigger a login request for the given email address.
 
@@ -92,7 +86,7 @@ def _token(email: str, otp: str, request: Request) -> Token:
 
 
 @app.post("/token", response_model=Token)
-async def token(
+def token(
     request: Request, form_data: OAuth2PasswordRequestForm = Depends()
 ) -> Token:
     """
@@ -106,7 +100,7 @@ async def token(
 
 
 @app.get("/magic/{email}/{otp}", response_model=Token)
-async def magic(email: str, otp: str, request: Request) -> Token:
+def magic(email: str, otp: str, request: Request) -> Token:
     """
     Magic link login: XXX: Needs to be a JS application to save
     the token client side.
@@ -131,7 +125,13 @@ async def get_users_me(current_user: User = Depends(get_current_active)) -> User
 
 
 @app.post("/users/me")
-async def post_users_me(data: EditableUser, request: Request, otp: Optional[str] = None, current_user: User = Depends(get_current_active), deliver = Depends(otp_delivery)):
+def post_users_me(
+    data: EditableUser,
+    request: Request,
+    otp: Optional[str] = None,
+    current_user: User = Depends(get_current_active),
+    deliver = Depends(otp_delivery),
+):
     updated_settings = data.dict(exclude_none=True, exclude_unset=True, exclude_defaults=True)
     if "email" in updated_settings:
         if otp is not None:
diff --git a/src/mycodeplug/logging.py b/src/mycodeplug/logging.py
@@ -0,0 +1,13 @@
+import os
+import logging
+
+# set logging based on MYCODEPLUG_LOGLEVEL
+app_loglevel = getattr(logging, os.environ.get("MYCODEPLUG_LOGLEVEL", "INFO").upper())
+uvicorn_logger = logging.getLogger("uvicorn")
+
+
+def getLogger(*args, **kwargs) -> logging.Logger:
+    logger = logging.getLogger(*args, **kwargs)
+    logger.setLevel(app_loglevel)
+    logger.handlers = uvicorn_logger.handlers
+    return logger
diff --git a/src/mycodeplug/mail.py b/src/mycodeplug/mail.py
@@ -0,0 +1,60 @@
+"""
+Handle email in and out of the application
+"""
+import os
+from urllib.parse import urljoin
+
+import httpx
+
+from .logging import getLogger
+from .user import User
+
+
+BASE_URL = os.environ.get("BASE_URL")
+DOMAIN = os.environ.get("MG_DOMAIN")
+TOKEN = os.environ.get("MG_TOKEN")
+MG_API = f"https://api.mailgun.net/v3/{DOMAIN}/messages"
+FROM = "MyCodeplug.com <service@mycodeplug.com>"
+OTP_MESSAGE = {
+    "from": FROM,
+    "subject": "Click this link to login",
+    "text": """{user},
+Your one-time password is {otp}. This password expires in 5 minutes.
+
+Use the following link to login: {link}
+
+-MyCodeplug
+"""
+}
+
+logger = getLogger(__name__)
+
+
+def otp_delivery():
+    """
+    :return: callable accepting a User and otp string, arranging for it to be sent to the user
+    """
+    def deliver(user: User, otp: str):
+        data = OTP_MESSAGE.copy()
+        data["to"] = user.email
+        data["text"] = data["text"].format(
+            user=user.name or user.email,
+            otp=otp,
+            link=urljoin(BASE_URL, "/magic/{}/{}".format(user.email, otp)),
+        )
+        httpx.post(
+            MG_API,
+            data=data,
+            auth=("api", TOKEN)
+        ).raise_for_status()
+        return {"detail": "new OTP sent"}
+
+    return deliver
+
+
+if None in (TOKEN, DOMAIN):
+    logger.warning(
+        "Mailgun token and/or domain not available in environment. "
+        "Falling back to local/weak OTP delivery",
+    )
+    from .user import local_otp_delivery as otp_delivery
diff --git a/src/mycodeplug/user.py b/src/mycodeplug/user.py
@@ -328,7 +328,7 @@ async def get_token(jwt_raw: str = Depends(oauth2_scheme)) -> TokenData:
     return TokenData.from_jwt(jwt_raw)
 
 
-async def get_current(token_data: TokenData = Depends(get_token)) -> User:
+def get_current(token_data: TokenData = Depends(get_token)) -> User:
     """
     Fetch the User from the oauth session token.
 
@@ -338,7 +338,7 @@ async def get_current(token_data: TokenData = Depends(get_token)) -> User:
     return User.from_token(token_data)
 
 
-async def get_current_active(current: User = Depends(get_current)) -> User:
+def get_current_active(current: User = Depends(get_current)) -> User:
     """
     Provide an enabled User from the oauth session token (or raise HTTP 400).
 
@@ -350,7 +350,7 @@ async def get_current_active(current: User = Depends(get_current)) -> User:
     return current
 
 
-def otp_delivery():
+def local_otp_delivery():
     """
     :return: callable accepting a User and otp string, arranging for it to be sent to the user
     """
