使用 Flask 和 rauth 进行 Github Oauth 登陆

最近我研究了一下Flask的OAuth库。情况并不乐观，大部分的包都已过时并且不再被支持了。大家熟知的Flask-Oauth基本上已经被废弃了，我也不推荐依赖这个库。有趣的是OAuth本身其实是很简单的，认证之后你会得到一个访问token，你只需将其作为GET参数或者作为request的特殊的header即可。也许其他的OAuth提供者需要更复杂的逻辑，但是Github仅此就足够。

我在StackOverflow上请教了如何解决Flask-OAuth的问题 ，从rauth的作者那里得到回答，他建议试一下他写的库。本文就是对他及开源社区的回报。我写了这个真实的例子，告诉你如何使用Flask、rauth、Github和会话来对你的站点的用户进行认证。

首先你需要设置好本地的环境。你需要安装好python、pip和virtualenv。接下来对环境进行设置：

$ virtualenv venv
$ source venv/bin/activate 
(venv)$ pip install rauth Flask Flask-SQLAlchemy

如果要运行我的例子，你还需要安装Sqlite的python绑定，SQLAlchemy会需要它：

(venv)$ pip install pysqlite

pip会安装所有需要的依赖，所以你的环境已经就绪了。

现在你需要到Github设置页面里找到 Applications sections，为你设置好一个新的应用。下图显示了在我的配置区域。

下面是代码，主模块如下：

# github.py
from flask import (Flask, flash, request, redirect,
    render_template, url_for, session)
from flask.ext.sqlalchemy import SQLAlchemy

from rauth.service import OAuth2Service

# Flask config
SQLALCHEMY_DATABASE_URI = 'sqlite:///github.db'
SECRET_KEY = '\xfb\x12\xdf\xa1@i\xd6>V\xc0\xbb\x8fp\x16#Z\x0b\x81\xeb\x16'
DEBUG = True

# Flask setup
app = Flask(__name__)
app.config.from_object(__name__)
db = SQLAlchemy(app)

# Use your own values in your real application 
github = OAuth2Service(
    name='github',
    base_url='https://api.github.com/',
    access_token_url='https://github.com/login/oauth/access_token',
    authorize_url='https://github.com/login/oauth/authorize',
    client_id= '477151a6a9a9a25853de',
    client_secret= '23b97cc6de3bea712fddbef70a5f5780517449e4',
)

# models
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    login = db.Column(db.String(80), unique=True)
    name = db.Column(db.String(120))

    def __init__(self, login, name):
        self.login = login
        self.name = name

    def __repr__(self):
        return '<User %r>' % self.login

    @staticmethod
    def get_or_create(login, name):
        user = User.query.filter_by(login=login).first()
        if user is None:
            user = User(login, name)
            db.session.add(user)
            db.session.commit()
        return user

# views
@app.route('/')
def index():
    return render_template('login.html')

@app.route('/about')
def about():
    if session.has_key('token'):
        auth = github.get_session(token = session['token'])
        resp = auth.get('/user')
        if resp.status_code == 200:
            user = resp.json()

        return render_template('about.html', user = user)
    else:
        return redirect(url_for('login'))

@app.route('/login')
def login():
    redirect_uri = url_for('authorized', next=request.args.get('next') or
        request.referrer or None, _external=True)
    print(redirect_uri)
    # More scopes http://developer.github.com/v3/oauth/#scopes
    params = {'redirect_uri': redirect_uri, 'scope': 'user:email'}
    print(github.get_authorize_url(**params))
    return redirect(github.get_authorize_url(**params))

# same path as on application settings page
@app.route('/github/callback')
def authorized():
    # check to make sure the user authorized the request
    if not 'code' in request.args:
        flash('You did not authorize the request')
        return redirect(url_for('index'))

    # make a request for the access token credentials using code
    redirect_uri = url_for('authorized', _external=True)

    data = dict(code=request.args['code'],
        redirect_uri=redirect_uri,
        scope='user:email,public_repo')

    auth = github.get_auth_session(data=data)

    # the "me" response
    me = auth.get('user').json()

    user = User.get_or_create(me['login'], me['name'])

    session['token'] = auth.access_token
    session['user_id'] = user.id

    flash('Logged in as ' + me['name'])
    return redirect(url_for('index'))

if __name__ == '__main__':
    db.create_all()
    app.run()

模板：

<!-- templates/about.html -->
<!doctype html>
<title>Login</title>

<h1>About you</h1>
Welcome , and your email is
<br />
<a href ="">Main page</a>

<!-- templates/login.html -->
<!doctype html>
<title>Login</title>

<h1>Login</h1>
<a href ="">Login with OAuth2</a>
<h1>About</h1>
<a href="">About</a> If you are not logged in then you will be redirected to login page.

启动后将创建数据库：

(venv)$ python github.py

在浏览器打开网站后，将在 session 保存 login.access_token，这是不安全的，但作为例子已经足够了。实际的网站中你可以这样使用：

# Probably your User model placed in different blueprint
from authmodule.models import User

@app.before_request
def before_request():
    g.user = None
    if 'user_id' in session:
        if session['user_id']:
            user = User.query.get(session['user_id'])
            if user:
                g.user = user
            else:
                del session['user_id']

相关链接:

• rauth https://github.com/litl/rauth
• Github developers API http://developer.github.com/
• Flask http://flask.pocoo.org/
• SQLAlchemy http://www.sqlalchemy.org/
• Flask-SQLAlchemy http://pythonhosted.org/Flask-SQLAlchemy/
• More complex applicaion examplebakery https://github.com/xen/bakery/