[i)QRUddlmZddlZddlZddlmZmZddlmZmZm Z ddl m Z m Z m Z mZmZddlmZmZddlmZddlmZdd lmZdd lmZmZeeZd ed <e r Gd deZdZ d ed<dZ!d ed<e"e!Z#d ed<dZ$d ed<dZ%d ed<GddZ&d,dZ'd-dZ(d.dZ)d/dZ*d0dZ+d1dZ,d1d Z- d2 d3d!Z.d4d"Z/d5d#Z0d6d$Z1 d7d%Z2 d8d&Z3 d9d'Z4ejjd(Z6 d:d)Z7 d;d*Z8d ["id"] - expose_tokens = ["id", "access"] -> ["id", "access"] expose_tokensidaccesszHInvalid expose_tokens configuration. Only 'id' and 'access' are allowed.)r\r4 isinstancerlistr:r)rYr^restokens r"get_expose_tokens_configrehs,-L $$_5M-%o M4 ('45}es5z}5  3x4"" V   J6sA8cd|vry|d}d|vr.|jdttjd} t |}|jS#t $rt d|dwxYw)zJGet the redirect_uri from auth_section - filling in port number if needed. redirect_uriNz{port}z server.portzInvalid redirect_uri: ". Please check your configuration.)replacerrrVr ValueErrorrgeturlrYrgredirect_uri_parseds r"get_redirect_urirns\)$^4L<#++ c&++M:;  &|4  % % ''   $\N2T U   s AA2ct}|syt|}|sy|jdstj dy|S)a6Get the redirect_uri from secrets, validating it ends with /oauth2callback. This is used for logout flows where we need a validated redirect URI that matches the OAuth callback path. Returns ------- str | None The validated redirect URI, or None if not configured or invalid. Nz/oauth2callbackz.Redirect URI does not end with /oauth2callback)r\rnendswithrwarning)rYrgs r"get_validated_redirect_urirrsG,-L #L1L   !2 3HI r!ct}|syt|}|syt|}|jd|jS)zExtract the origin (scheme + host) from the configured redirect_uri. Returns ------- str | None The origin in format "scheme://host:port", or None if not configured. Nz://)r\rnrschemenetlocrls r"get_origin_from_redirect_urirvsM,-L #L1L "<0!(( )-@-G-G,H IIr!cddlm}||d}|r||d<t|}t||j}i||}t |} |j | jS)aBuild an OIDC logout URL with the required parameters. Parameters ---------- end_session_endpoint The OIDC provider's end_session_endpoint URL. client_id The OAuth client ID. post_logout_redirect_uri The URI to redirect to after logout. id_token Optional ID token to include as id_token_hint for the logout request. Returns ------- str The complete logout URL with query parameters. r) parse_qsl) client_idpost_logout_redirect_uri id_token_hint)query) urllib.parserxrdictr|r_replacerk) end_session_endpointryrzid_tokenrx logout_paramsparsedexisting_params merged_params new_querys r"build_logout_urlrsx0'$<%M )1 o&* +F9V\\23O88-8M-(I ??? + 2 2 44r!c ddlm}ddi}|t j t jtdzd }|j||t}|jd S#t$r tddwxYw) zAReturns a signed JWT token with the provider and expiration time.r)jwtcTo use authentication features, you need to install Authlib>=1.3.2, e.g. via `pip install Authlib`.NalgHS256rH)minutes)rrzlatin-1) authlib.joserrNrrnowrutcrencoderZdecode)rrheaderpayloadprovider_tokens r"encode_provider_tokenrs$ W F||HLL)Ia,@@G JJvw8J8LMN   ++  u  s A++Bc ddlm}m}m}ddiddid} |j |t|}|jtd |S#t$r t ddwxYw#|$r}t d |dd}~wwxYw) z-Decode the JWT token and validate the claims.r) JoseError JWTClaimsrrN essentialT)rr)claims_optionszError decoding provider token: r) rrrrrNrrrZvalidater )rrrr claim_optionsres r"decode_provider_tokenrs::)$/k4=PQMR ZZ .0(   & 00!  u   R #B1#!FGTQRs" A,A'A$'B,A;;Bc i}|jdr|jd|d<|jdr|jd|d<|jdr|jd|d<|jdr6td|jdtij|d<|jdr|jd|d<|S)zKGenerate a default provider section for the 'auth' section of secrets.toml.ry client_secretserver_metadata_url client_kwargsrr^)r4r rto_dict)rYdefault_provider_sections r"!generate_default_provider_sectionrs! $0<0@0@0M -(4@4D4D_4U 1-.:F:J:J !;  !67(48  (((2,G5 ') !1(4@4D4D_4U 1 ##r!ctj|}|||}t|dzt|ztz}|tkDr%t j d|t||||y|||y)a[Set a cookie, splitting into multiple cookies if necessary. Args: set_single_cookie_fn: Function to set a single cookie (cookie_name, value) create_signed_value_fn: Function to create a signed cookie value (cookie_name, value) cookie_name: Name of the cookie value: Dictionary value to serialize and store rFzNCookie size (%d bytes) exceeds browser limit. Splitting into multiple cookies.N)jsondumpslenr%r#rdebug_set_split_cookie)set_single_cookie_fncreate_signed_value_fn cookie_namer8serialized_cookie_value signed_valueactual_cookie_sizes r"set_cookie_with_chunksr.s#jj/*+7NOL[)A-L0AADTT,, \    "  #   [*ABr!c<d}|||}t|tz S)aCalculate the server's signing overhead by measuring the size difference. This empirically measures the overhead added by the signing function (e.g., Tornado's create_signed_value) by signing a minimal test value and computing the difference. Args: create_signed_value_fn: Function to create a signed cookie value cookie_name: Name of the cookie (affects overhead due to length prefix) Returns ------- The number of bytes added by signing (excluding the base64-encoded value) x)rr))rr test_valuesigneds r"_calculate_signing_overheadrTs%"J #K N!N"$;; !STT-q0Q6J F 1c%j* -a!j.) e. 6{a[&)4F }&=>3v; #}Aa!eW- Z3  LL* F r!s chunks-(\d+)c||}||Stj|}||S t|jd}g}t|D]C}|d|dz}||}|t jd|dz|y|j|Edj|} | S#tt f$rt jd|YywxYw)aGet a cookie, reconstructing from chunks if it was split. If a count cookie exists, the main cookie contains the first chunk, and additional chunks are in cookie_name_1, cookie_name_2, etc. If no count cookie exists, the main cookie contains the entire value. Args: get_single_cookie_fn: Function to get a single cookie (cookie_name) -> bytes | None cookie_name: Name of the cookie Returns ------- Cookie value as bytes, or None if not found NrFz#Invalid chunk count for cookie '%s'rz Missing chunk %d for cookie '%s'r!) _chunks_regexmatchrgrouprj TypeErrorr exceptionrerrorrjoin) get_single_cookie_fnr cookie_valuer chunk_countrrr chunk_valuereconstructed_values r"get_cookie_with_chunksrs$( 4L    -E }%++a.) F ; #}Aa!eW- *:6   MM bytes | None clear_single_cookie_fn: Function to clear a single cookie (cookie_name) cookie_name: Name of the cookie NrFr)rrrrrrjr)rclear_single_cookie_fnrrrrrs r"clear_cookie_and_chunksrs( 4L;'    -E } %++a.) q+/*A "k]!A3#7 8+  "   s;A))A;:A;c8tjs tdtjd}| tdd|vr tdd|vr td|j|}d|vrtd |d ||d k(r t |}||d k(r td td |dt |t std|dgd}|Dcgc] }||vs| }}|r&|d k(rtd|dtd|d|dycc}w)z[Validate the general auth credentials and auth credentials for the given provider. zTo use authentication features you need to configure credentials for at least one authentication provider in `.streamlit/secrets.toml`.rTNrgzAuthentication credentials in `.streamlit/secrets.toml` are missing the "redirect_uri" key. Please check your configuration.rUzAuthentication credentials in `.streamlit/secrets.toml` are missing the "cookie_secret" key. Please check your configuration.rzAuth provider name "zI" contains an underscore. Please use a provider name without underscores.defaultzAuthentication credentials in `.streamlit/secrets.toml` are missing for the default authentication provider. Please check your configuration.zeAuthentication credentials in `.streamlit/secrets.toml` are missing for the authentication provider "z#". Please check your configuration.zYAuthentication credentials in `.streamlit/secrets.toml` for the authentication provider "z6" must be valid TOML. Please check your configuration.)ryrrzAuthentication credentials in `.streamlit/secrets.toml` for the default authentication provider are missing the following keys: rhz"" are missing the following keys: )rrWrr4rrar)rrYprovider_section required_keysr6 missing_keyss r"validate_auth_credentialsrs  0 0 2  O  %((0L  O  \)  D  l*  E  $''1 h "8*-> ?  H $9<\J y $Y !,,4:6   & 0 ((0z2" #  JM#0P=CC?O4OC=LP y $S. BD  ! ((0z1Sn> @  Qs  D(D)r@bool)r@r)r@r)r@z list[str])rYrr@ str | None)r@rr-) rrryrrzrrrr@r)rrr@r)rrr@r)rYrr@rB) rCallable[[str, str], None]rCallable[[str, str], bytes]rrr8rBr@rA)rrrrr@r) rrrrrrr8rr@rA)rCallable[[str], bytes | None]rrr@z bytes | None)rrrzCallable[[str], None]rrr@rA)rrr@rA): __future__rrrecollections.abcrrrrrtypingr r r r r r}rr streamlitrstreamlit.errorsrstreamlit.loggerrstreamlit.runtime.secretsrrrrrrr#r$rr%r'r)r+rRrZr\rernrrrvrrrrrrrcompilerrrrr r!r"rs# -22==,/'AH%%y %/5//0%0)+*!""""* 2(,4J0 (5(5(5"(5 (5  (5V,&1.$(#C4#C7#C#C  #C  #CL1711 1,<4<7<<  <  <~ +, -7---`  7  1      FH r!