|  |  | 
					
						
						|  | """ | 
					
						
						|  | Centralised OAuth 2.0 helper for GitHub, Google Drive and Slack. | 
					
						
						|  |  | 
					
						
						|  | Usage | 
					
						
						|  | ----- | 
					
						
						|  | from auth import oauth_manager | 
					
						
						|  |  | 
					
						
						|  | # 1)  Redirect user to consent page | 
					
						
						|  | auth_url, state = oauth_manager.get_authorization_url( | 
					
						
						|  | provider="github", | 
					
						
						|  | redirect_uri="https://your‑app.com/callback" | 
					
						
						|  | ) | 
					
						
						|  |  | 
					
						
						|  | # 2)  In your callback handler, exchange the code for a token | 
					
						
						|  | token = oauth_manager.fetch_token( | 
					
						
						|  | provider="github", | 
					
						
						|  | redirect_uri="https://your‑app.com/callback", | 
					
						
						|  | authorization_response=request.url  # full URL with ?code=... | 
					
						
						|  | ) | 
					
						
						|  | """ | 
					
						
						|  |  | 
					
						
						|  | from __future__ import annotations | 
					
						
						|  |  | 
					
						
						|  | import os | 
					
						
						|  | from dataclasses import dataclass | 
					
						
						|  | from typing import Dict, Optional, Tuple | 
					
						
						|  |  | 
					
						
						|  | from authlib.integrations.requests_client import OAuth2Session | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | @dataclass(frozen=True) | 
					
						
						|  | class ProviderConfig: | 
					
						
						|  | client_id: str | None | 
					
						
						|  | client_secret: str | None | 
					
						
						|  | authorize_url: str | 
					
						
						|  | token_url: str | 
					
						
						|  | scope: str | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | def _env(name: str) -> str | None: | 
					
						
						|  | """Shorthand for os.getenv with strip().""" | 
					
						
						|  | val = os.getenv(name) | 
					
						
						|  | return val.strip() if val else None | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | PROVIDERS: Dict[str, ProviderConfig] = { | 
					
						
						|  | "github": ProviderConfig( | 
					
						
						|  | client_id=_env("GITHUB_CLIENT_ID"), | 
					
						
						|  | client_secret=_env("GITHUB_CLIENT_SECRET"), | 
					
						
						|  | authorize_url="https://github.com/login/oauth/authorize", | 
					
						
						|  | token_url="https://github.com/login/oauth/access_token", | 
					
						
						|  | scope="repo read:org", | 
					
						
						|  | ), | 
					
						
						|  | "google": ProviderConfig( | 
					
						
						|  | client_id=_env("GOOGLE_CLIENT_ID"), | 
					
						
						|  | client_secret=_env("GOOGLE_CLIENT_SECRET"), | 
					
						
						|  | authorize_url="https://accounts.google.com/o/oauth2/auth", | 
					
						
						|  | token_url="https://oauth2.googleapis.com/token", | 
					
						
						|  | scope="openid email profile https://www.googleapis.com/auth/drive.readonly", | 
					
						
						|  | ), | 
					
						
						|  | "slack": ProviderConfig( | 
					
						
						|  | client_id=_env("SLACK_CLIENT_ID"), | 
					
						
						|  | client_secret=_env("SLACK_CLIENT_SECRET"), | 
					
						
						|  | authorize_url="https://slack.com/oauth/v2/authorize", | 
					
						
						|  | token_url="https://slack.com/api/oauth.v2.access", | 
					
						
						|  | scope="channels:read chat:write", | 
					
						
						|  | ), | 
					
						
						|  | } | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | class OAuthManager: | 
					
						
						|  | """Tiny wrapper around Authlib’s OAuth2Session per provider.""" | 
					
						
						|  |  | 
					
						
						|  | def __init__(self, providers: Dict[str, ProviderConfig]): | 
					
						
						|  | self.providers = providers | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | def _session(self, provider: str, redirect_uri: str) -> OAuth2Session: | 
					
						
						|  | cfg = self.providers.get(provider) | 
					
						
						|  | if not cfg: | 
					
						
						|  | raise KeyError(f"Unsupported provider '{provider}'.") | 
					
						
						|  | if not (cfg.client_id and cfg.client_secret): | 
					
						
						|  | raise RuntimeError( | 
					
						
						|  | f"OAuth credentials for '{provider}' are missing. " | 
					
						
						|  | "Set the *_CLIENT_ID and *_CLIENT_SECRET env‑vars." | 
					
						
						|  | ) | 
					
						
						|  | return OAuth2Session( | 
					
						
						|  | client_id=cfg.client_id, | 
					
						
						|  | client_secret=cfg.client_secret, | 
					
						
						|  | scope=cfg.scope, | 
					
						
						|  | redirect_uri=redirect_uri, | 
					
						
						|  | ) | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | def get_authorization_url( | 
					
						
						|  | self, provider: str, redirect_uri: str, state: Optional[str] = None | 
					
						
						|  | ) -> Tuple[str, str]: | 
					
						
						|  | """ | 
					
						
						|  | Return (auth_url, state) for the given provider. | 
					
						
						|  |  | 
					
						
						|  | Pass the *state* back into `fetch_token` to mitigate CSRF. | 
					
						
						|  | """ | 
					
						
						|  | sess = self._session(provider, redirect_uri) | 
					
						
						|  | cfg = self.providers[provider] | 
					
						
						|  | auth_url, final_state = sess.create_authorization_url( | 
					
						
						|  | cfg.authorize_url, state=state | 
					
						
						|  | ) | 
					
						
						|  | return auth_url, final_state | 
					
						
						|  |  | 
					
						
						|  | def fetch_token( | 
					
						
						|  | self, provider: str, redirect_uri: str, authorization_response: str | 
					
						
						|  | ) -> Dict: | 
					
						
						|  | """ | 
					
						
						|  | Exchange ?code=… for an access token. | 
					
						
						|  |  | 
					
						
						|  | Returns the token dict from Authlib (includes access_token, | 
					
						
						|  | refresh_token, expires_in, etc.). | 
					
						
						|  | """ | 
					
						
						|  | sess = self._session(provider, redirect_uri) | 
					
						
						|  | cfg = self.providers[provider] | 
					
						
						|  | return sess.fetch_token( | 
					
						
						|  | cfg.token_url, | 
					
						
						|  | authorization_response=authorization_response, | 
					
						
						|  | client_secret=cfg.client_secret, | 
					
						
						|  | ) | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  |  | 
					
						
						|  | oauth_manager = OAuthManager(PROVIDERS) | 
					
						
						|  |  |