refactor: Moved login for pilots into token file

Author: Robin-Van-de-Merghel

diracx-client/src/diracx/client/_generated/aio/operations/_operations.py

@@ -902,7 +902,7 @@ async def refresh_pilot_tokens(
     ) -> _models.TokenResponse:
         """Refresh Pilot Tokens.
 
-        Endpoint where a pilot can exchange a refresh token against a token.
+        Endpoint where a pilot can exchange a refresh token for a token.
 
         :keyword refresh_token: Required.
         :paramtype refresh_token: str

diracx-client/src/diracx/client/_generated/operations/_operations.py

@@ -1612,7 +1612,7 @@ def refresh_pilot_tokens(
     ) -> _models.TokenResponse:
         """Refresh Pilot Tokens.
 
-        Endpoint where a pilot can exchange a refresh token against a token.
+        Endpoint where a pilot can exchange a refresh token for a token.
 
         :keyword refresh_token: Required.
         :paramtype refresh_token: str

diracx-logic/src/diracx/logic/auth/token.py

@@ -427,7 +427,8 @@ async def generate_pilot_tokens(
         config=config,
         settings=settings,
         available_properties=available_properties,
-        pilot_exchange=legacy_exchange,
+        pilot_exchange=True,
+        legacy_exchange=legacy_exchange,
         refresh_token_expire_minutes=refresh_token_expire_minutes,
         include_refresh_token=include_refresh_token,
     )

diracx-routers/src/diracx/routers/auth/pilot.py

@@ -9,128 +9,22 @@
 )
 
 from diracx.core.exceptions import (
-    AuthorizationError,
-    InvalidCredentialsError,
     PilotAlreadyExistsError,
-    PilotNotFoundError,
 )
-from diracx.core.models import TokenResponse
 from diracx.logic.auth.pilot import (
     add_pilot_credentials,
     register_new_pilots,
-    try_login,
 )
-from diracx.logic.auth.token import create_token, generate_pilot_tokens
 from diracx.logic.pilots.utils import get_pilot_ids_from_references
-from diracx.routers.pilots.access_policies import RegisteredPilotAccessPolicyCallable
 
 from ..dependencies import (
-    AuthDB,
     AuthSettings,
-    AvailableSecurityProperties,
-    Config,
     PilotAgentsDB,
 )
 from ..fastapi_classes import DiracxRouter
 from ..utils.users import AuthorizedUserInfo, verify_dirac_access_token
 
-router = DiracxRouter(require_auth=False)
-
-
-@router.post("/pilot-login")
-async def pilot_login(
-    pilot_db: PilotAgentsDB,
-    auth_db: AuthDB,
-    pilot_job_reference: str,
-    pilot_secret: str,
-    config: Config,
-    settings: AuthSettings,
-    available_properties: AvailableSecurityProperties,
-) -> TokenResponse:
-    """Endpoint without policy, the pilot uses only its secret."""
-    try:
-        await try_login(
-            pilot_reference=pilot_job_reference,
-            pilot_db=pilot_db,
-            pilot_secret=pilot_secret,
-        )
-    except AuthorizationError as e:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED, detail=e.detail
-        ) from e
-    except PilotNotFoundError as e:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="bad pilot_id / pilot_secret",
-        ) from e
-
-    try:
-        access_token, refresh_token = await generate_pilot_tokens(
-            pilot_db=pilot_db,
-            auth_db=auth_db,
-            pilot_job_reference=pilot_job_reference,
-            config=config,
-            settings=settings,
-            available_properties=available_properties,
-        )
-    except ValueError as e:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)
-        ) from e
-
-    serialized_access_token = create_token(access_token, settings=settings)
-
-    serialized_refresh_token = create_token(refresh_token, settings=settings)
-
-    return TokenResponse(
-        access_token=serialized_access_token,
-        expires_in=settings.access_token_expire_minutes * 60,
-        refresh_token=serialized_refresh_token,
-    )
-
-
-@router.post("/pilot-refresh-token")
-async def refresh_pilot_tokens(
-    pilot_db: PilotAgentsDB,
-    auth_db: AuthDB,
-    config: Config,
-    settings: AuthSettings,
-    available_properties: AvailableSecurityProperties,
-    check_permissions: RegisteredPilotAccessPolicyCallable,
-    refresh_token: str,
-    pilot_info: Annotated[AuthorizedUserInfo, Depends(verify_dirac_access_token)],
-) -> TokenResponse:
-    """Endpoint where a pilot can exchange a refresh token against a token."""
-    await check_permissions()
-
-    try:
-        new_access_token, new_refresh_token = await generate_pilot_tokens(
-            pilot_db=pilot_db,
-            auth_db=auth_db,
-            pilot_job_reference=pilot_info.preferred_username,
-            config=config,
-            settings=settings,
-            available_properties=available_properties,
-            refresh_token=refresh_token,
-        )
-    except InvalidCredentialsError as e:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e)
-        ) from e
-    except ValueError as e:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)
-        ) from e
-
-    serialized_access_token = create_token(new_access_token, settings=settings)
-
-    serialized_refresh_token = create_token(new_refresh_token, settings=settings)
-
-    return TokenResponse(
-        access_token=serialized_access_token,
-        expires_in=settings.access_token_expire_minutes * 60,
-        refresh_token=serialized_refresh_token,
-    )
+router = DiracxRouter()
 
 
 @router.post("/register-new-pilots")

diracx-routers/src/diracx/routers/auth/token.py

@@ -9,26 +9,39 @@
 from fastapi import Depends, Form, Header, HTTPException, status
 
 from diracx.core.exceptions import (
+    AuthorizationError,
     DiracHttpResponseError,
     ExpiredFlowError,
     InvalidCredentialsError,
     PendingAuthorizationError,
+    PilotNotFoundError,
 )
 from diracx.core.models import (
     AccessTokenPayload,
     GrantType,
     RefreshTokenPayload,
     TokenResponse,
 )
-from diracx.logic.auth.token import create_token
+from diracx.logic.auth.pilot import (
+    try_login,
+)
+from diracx.logic.auth.token import create_token, generate_pilot_tokens
 from diracx.logic.auth.token import get_oidc_token as get_oidc_token_bl
 from diracx.logic.auth.token import (
     perform_legacy_exchange as perform_legacy_exchange_bl,
 )
 from diracx.routers.access_policies import BaseAccessPolicy
+from diracx.routers.pilots.access_policies import RegisteredPilotAccessPolicyCallable
 
-from ..dependencies import AuthDB, AuthSettings, AvailableSecurityProperties, Config
+from ..dependencies import (
+    AuthDB,
+    AuthSettings,
+    AvailableSecurityProperties,
+    Config,
+    PilotAgentsDB,
+)
 from ..fastapi_classes import DiracxRouter
+from ..utils.users import AuthorizedUserInfo, verify_dirac_access_token
 
 router = DiracxRouter(require_auth=False)
 
@@ -250,3 +263,97 @@ async def perform_legacy_exchange(
     return await mint_token(
         access_payload, refresh_payload, None, all_access_policies, settings
     )
+
+
+@router.post("/pilot-login")
+async def pilot_login(
+    pilot_db: PilotAgentsDB,
+    auth_db: AuthDB,
+    pilot_job_reference: str,
+    pilot_secret: str,
+    config: Config,
+    settings: AuthSettings,
+    available_properties: AvailableSecurityProperties,
+    all_access_policies: Annotated[
+        dict[str, BaseAccessPolicy], Depends(BaseAccessPolicy.all_used_access_policies)
+    ],
+) -> TokenResponse:
+    """Endpoint without policy, the pilot uses only its secret."""
+    try:
+        await try_login(
+            pilot_reference=pilot_job_reference,
+            pilot_db=pilot_db,
+            pilot_secret=pilot_secret,
+        )
+    except AuthorizationError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail=e.detail
+        ) from e
+    except PilotNotFoundError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="bad pilot_id / pilot_secret",
+        ) from e
+
+    try:
+        access_token, refresh_token = await generate_pilot_tokens(
+            pilot_db=pilot_db,
+            auth_db=auth_db,
+            pilot_job_reference=pilot_job_reference,
+            config=config,
+            settings=settings,
+            available_properties=available_properties,
+        )
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)
+        ) from e
+
+    return await mint_token(
+        access_token, refresh_token, None, all_access_policies, settings
+    )
+
+
+@router.post("/pilot-refresh-token")
+async def refresh_pilot_tokens(
+    pilot_db: PilotAgentsDB,
+    auth_db: AuthDB,
+    config: Config,
+    settings: AuthSettings,
+    available_properties: AvailableSecurityProperties,
+    check_permissions: RegisteredPilotAccessPolicyCallable,
+    refresh_token: str,
+    pilot_info: Annotated[AuthorizedUserInfo, Depends(verify_dirac_access_token)],
+    all_access_policies: Annotated[
+        dict[str, BaseAccessPolicy], Depends(BaseAccessPolicy.all_used_access_policies)
+    ],
+) -> TokenResponse:
+    """Endpoint where a pilot can exchange a refresh token for a token."""
+    await check_permissions()
+
+    try:
+        new_access_token, new_refresh_token = await generate_pilot_tokens(
+            pilot_db=pilot_db,
+            auth_db=auth_db,
+            pilot_job_reference=pilot_info.preferred_username,
+            config=config,
+            settings=settings,
+            available_properties=available_properties,
+            refresh_token=refresh_token,
+        )
+    except InvalidCredentialsError as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e)
+        ) from e
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)
+        ) from e
+
+    return await mint_token(
+        new_access_token,
+        new_refresh_token,
+        refresh_token,
+        all_access_policies,
+        settings,
+    )

extensions/gubbins/gubbins-client/src/gubbins/client/_generated/aio/operations/_operations.py

@@ -902,7 +902,7 @@ async def refresh_pilot_tokens(
     ) -> _models.TokenResponse:
         """Refresh Pilot Tokens.
 
-        Endpoint where a pilot can exchange a refresh token against a token.
+        Endpoint where a pilot can exchange a refresh token for a token.
 
         :keyword refresh_token: Required.
         :paramtype refresh_token: str

extensions/gubbins/gubbins-client/src/gubbins/client/_generated/operations/_operations.py

@@ -1612,7 +1612,7 @@ def refresh_pilot_tokens(
     ) -> _models.TokenResponse:
         """Refresh Pilot Tokens.
 
-        Endpoint where a pilot can exchange a refresh token against a token.
+        Endpoint where a pilot can exchange a refresh token for a token.
 
         :keyword refresh_token: Required.
         :paramtype refresh_token: str