move migration, bugfixes, ....

lenticular_cloud/app.py

@@ -6,6 +6,7 @@ import subprocess
 from ory_hydra_client import Client
 import os
 
+from pathlib import Path
 from ldap3 import Connection, Server, ALL
 
 from . import model
@@ -32,13 +33,14 @@ def create_app() -> Flask:
 
     #app.ldap_orm = Connection(app.config['LDAP_URL'], app.config['LDAP_BIND_DN'], app.config['LDAP_BIND_PW'], auto_bind=True)
     server = Server(app.config['LDAP_URL'], get_info=ALL)
-    app.ldap_conn = Connection(server, app.config['LDAP_BIND_DN'], app.config['LDAP_BIND_PW'], auto_bind="DEFAULT")
+    app.ldap_conn = Connection(server, app.config['LDAP_BIND_DN'], app.config['LDAP_BIND_PW'], auto_bind=True) # TODO auto_bind read docu
     model.ldap_conn = app.ldap_conn
     model.base_dn = app.config['LDAP_BASE_DN']
 
     from .model import db, migrate
     db.init_app(app)
-    migrate.init_app(app, db)
+    migration_dir = Path(app.root_path) / 'migrations'
+    migrate.init_app(app, db, directory=str(migration_dir))
 #    with app.app_context():
 #        db.create_all()
 

lenticular_cloud/application.cfg

@@ -5,6 +5,7 @@ PREFERRED_URL_SCHEME = 'https'
 
 DATA_FOLDER = "../data"
 
+SCRIPT_LOCATION="lenticular_cloud:migrations"
 SQLALCHEMY_DATABASE_URI = f'sqlite:///{DATA_FOLDER}/db.sqlite'
 SQLALCHEMY_TRACK_MODIFICATIONS=False
 

lenticular_cloud/cli.py

@@ -3,6 +3,7 @@ from .model import db, User, UserSignUp
 from .app import create_app
 from werkzeug.middleware.proxy_fix import ProxyFix
 from flask_migrate import upgrade
+from pathlib import Path
 
 import logging
 import os
@@ -78,7 +79,9 @@ def cli_run(app, args):
     app.run(debug=True, host='127.0.0.1', port=5000)
 
 def cli_db_upgrade(args):
-    upgrade()
+    app = create_app()
+    migration_dir = Path(app.root_path) / 'migrations'
+    upgrade( str(migration_dir) )
 
 
 if __name__ == "__main__":

lenticular_cloud/migrations/README

@@ -0,0 +1 @@
+Single-database configuration for Flask.

lenticular_cloud/migrations/alembic.ini

@@ -0,0 +1,50 @@
+# A generic, single database configuration.
+
+[alembic]
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic,flask_migrate
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[logger_flask_migrate]
+level = INFO
+handlers =
+qualname = flask_migrate
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

lenticular_cloud/migrations/env.py

@@ -0,0 +1,91 @@
+from __future__ import with_statement
+
+import logging
+from logging.config import fileConfig
+
+from flask import current_app
+
+from alembic import context
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+fileConfig(config.config_file_name)
+logger = logging.getLogger('alembic.env')
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+config.set_main_option(
+    'sqlalchemy.url',
+    str(current_app.extensions['migrate'].db.get_engine().url).replace(
+        '%', '%%'))
+target_metadata = current_app.extensions['migrate'].db.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline():
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url, target_metadata=target_metadata, literal_binds=True
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online():
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+
+    # this callback is used to prevent an auto-migration from being generated
+    # when there are no changes to the schema
+    # reference: http://alembic.zzzcomputing.com/en/latest/cookbook.html
+    def process_revision_directives(context, revision, directives):
+        if getattr(config.cmd_opts, 'autogenerate', False):
+            script = directives[0]
+            if script.upgrade_ops.is_empty():
+                directives[:] = []
+                logger.info('No changes in schema detected.')
+
+    connectable = current_app.extensions['migrate'].db.get_engine()
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            process_revision_directives=process_revision_directives,
+            **current_app.extensions['migrate'].configure_args
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

lenticular_cloud/migrations/script.py.mako

@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade():
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade():
+    ${downgrades if downgrades else "pass"}

lenticular_cloud/migrations/versions/52a21983d2a8_add_webauthn.py

@@ -0,0 +1,37 @@
+"""add webauthn
+
+Revision ID: 52a21983d2a8
+Revises: ff2f2e871dfc
+Create Date: 2022-02-20 17:00:04.531393
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '52a21983d2a8'
+down_revision = 'ff2f2e871dfc'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('webauthn_credential',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('user_id', sa.String(length=36), nullable=False),
+    sa.Column('user_handle', sa.String(length=64), nullable=False),
+    sa.Column('credential_data', sa.LargeBinary(), nullable=False),
+    sa.Column('name', sa.String(length=250), nullable=True),
+    sa.Column('registered', sa.DateTime(), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('webauthn_credential')
+    # ### end Alembic commands ###

lenticular_cloud/migrations/versions/ff2f2e871dfc_init.py

@@ -0,0 +1,74 @@
+"""init
+
+Revision ID: ff2f2e871dfc
+Revises: 
+Create Date: 2022-02-20 16:56:13.258209
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import engine_from_config
+from sqlalchemy.engine import reflection
+
+
+
+# revision identifiers, used by Alembic.
+revision = 'ff2f2e871dfc'
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+
+    # init sate, migrate from non versioned db schema
+    # by checking if tables exist
+    
+    config = op.get_context().config
+    engine = engine_from_config(
+        config.get_section(config.config_ini_section), prefix="sqlalchemy."
+    )
+    inspector = reflection.Inspector.from_engine(engine)
+    tables = inspector.get_table_names()
+
+    if 'user' not in tables:
+        op.create_table('user',
+        sa.Column('id', sa.String(length=36), nullable=False),
+        sa.Column('username', sa.String(), nullable=False),
+        sa.Column('alternative_email', sa.String(), nullable=True),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('modified_at', sa.DateTime(), nullable=False),
+        sa.Column('last_login', sa.DateTime(), nullable=True),
+        sa.PrimaryKeyConstraint('id'),
+        sa.UniqueConstraint('username')
+        )
+    if 'user_sign_up' not in tables:
+        op.create_table('user_sign_up',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('username', sa.String(), nullable=False),
+        sa.Column('password', sa.String(), nullable=False),
+        sa.Column('alternative_email', sa.String(), nullable=True),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('id')
+        )
+    if 'totp' not in tables:
+        op.create_table('totp',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('secret', sa.String(), nullable=False),
+        sa.Column('name', sa.String(), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('user_id', sa.String(length=36), nullable=False),
+        sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
+        sa.PrimaryKeyConstraint('id')
+        )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    pass
+    # ### commands auto generated by Alembic - please adjust! ###
+    #op.drop_table('totp')
+    #op.drop_table('user_sign_up')
+    #op.drop_table('user')
+    # ### end Alembic commands ###

lenticular_cloud/model.py

@@ -340,7 +340,7 @@ class WebauthnCredential(db.Model):  # pylint: disable=too-few-public-methods
     """Webauthn credential model"""
 
     id = db.Column(db.Integer, primary_key=True)
-    user_id = db.Column(db.Integer, db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)
+    user_id = db.Column(db.String(length=36), db.ForeignKey('user.id', ondelete='CASCADE'), nullable=False)
     user_handle = db.Column(db.String(64), nullable=False)
     credential_data = db.Column(db.LargeBinary, nullable=False)
     name = db.Column(db.String(250))

lenticular_cloud/static/main.js.LICENSE.txt

@@ -51,6 +51,8 @@
  * Date: 2021-03-02T17:08Z
  */
 
+/*! For license information please see cbor.js.LICENSE.txt */
+
 /**!
  * @fileOverview Kickass library to create and place poppers near their reference elements.
  * @version 1.16.1

lenticular_cloud/template/frontend/webauthn_list.html

@@ -0,0 +1,30 @@
+{% extends 'frontend/base.html.j2' %}
+
+{% block content %}
+<div class="users">
+	<h1>WebauthnCredentials list</h1>
+
+	<table class="table">
+		<thead>
+			<tr>
+				<th>user.username</th>
+				<th>user_handle</th>
+				<th>credential_data</th>
+				<th>name</th>
+				<th>_actions</th>
+			</tr>
+		</thead>
+		<tbody>
+		{% for cred in creds %}
+			<tr>
+				<td>{{ cred.user.username }}</td>
+				<td>{{ cred.user_handle }}</td>
+				<td>{{ cred.credential_data[0:40] }}...</td>
+				<td>{{ cred.name }}</td>
+        <td>{{ render_form(button_form, action_url=url_for('app.webauthn_delete_route', webauthn_id=cred.id)) }}</td>
+			</tr>
+		{% endfor %}
+		</tbody>
+	</table>
+</div>
+{% endblock %}

lenticular_cloud/template/frontend/webauthn_register.html

@@ -0,0 +1,140 @@
+{#- This file is part of sner4 project governed by MIT license, see the LICENSE.txt file. -#}
+{% extends 'frontend/base.html.j2' %}
+
+{% block script %}
+<script>
+  /**
+		 * decode base64 data to ArrayBuffer
+		 *
+		 * @param  {string}      data data to decode
+		 * @return {ArrayBuffer}      decoded data
+		 */
+		function base64_to_array_buffer(data) {
+			return Uint8Array.from(atob(data), c => c.charCodeAt(0)).buffer;
+    }
+
+	/**
+	 * request publicKeyCredentialCreationOptions for webauthn from server
+	 *
+	 * @return {Promise<Object>} A promise that resolves with publicKeyCredentialCreationOptions for navigator.credentials.create()
+	 */
+	function get_pkcco() {
+		return fetch("{{ url_for('frontend.webauthn_pkcco_route')}}", {method:'post',  headers: {'Content-Type': 'application/json'}})
+      .then(function(resp) {
+        return resp.text();
+      })
+      .then(function(data){
+        var pkcco = CBOR.decode(base64_to_array_buffer(data));
+        console.debug('credentials.create options:', pkcco);
+        
+var publicKey = {
+  // The challenge is produced by the server; see the Security Considerations
+  challenge: new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]),
+
+  // Relying Party:
+  rp: {
+    name: "Lenticular Cloud - domain TODO"
+  },
+
+  // User:
+  user: {
+    id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)),
+    name: "{user.domain}",
+    displayName: "{user.name}",
+  },
+
+  // This Relying Party will accept either an ES256 or RS256 credential, but
+  // prefers an ES256 credential.
+  pubKeyCredParams: [
+    {
+      type: "public-key",
+      alg: -7 // "ES256" as registered in the IANA COSE Algorithms registry
+    },
+    {
+      type: "public-key",
+      alg: -257 // Value registered by this specification for "RS256"
+    }
+  ],
+
+  authenticatorSelection: {
+    // Try to use UV if possible. This is also the default.
+    userVerification: "preferred"
+  },
+
+  timeout: 360000,  // 6 minutes
+  excludeCredentials: [
+    // Don’t re-register any authenticator that has one of these credentials
+    //{"id": Uint8Array.from(window.atob("E/e1dhZc++mIsz4f9hb6NifAzJpF1V4mEtRlIPBiWdY="), c=>c.charCodeAt(0)), "type": "public-key"}
+  ],
+
+  // Make excludeCredentials check backwards compatible with credentials registered with U2F
+  extensions: {"appidExclude": "https://acme.example.com"}
+};
+
+        
+return { "publicKey": publicKey };
+      })
+      .catch(function(error) { console.log('cant get pkcco ',error)});
+	}
+
+	/**
+	 * pack attestation
+	 *
+	 * @param {object} attestation attestation response for the credential to register
+	 */
+	function pack_attestation(attestation) {
+		console.debug('new credential attestation:', attestation);
+
+		var attestation_data = {
+			'clientDataJSON': new Uint8Array(attestation.response.clientDataJSON),
+			'attestationObject': new Uint8Array(attestation.response.attestationObject)
+		};
+    //var form = $('#webauthn_register_form')[0];
+    var form = document.querySelector('form')
+    var base64 = btoa(new Uint8Array(CBOR.encode(attestation_data)).reduce((data, byte) => data + String.fromCharCode(byte), ''));
+		form.attestation.value = base64;
+		form.submit.disabled = false;
+    //form.querySelecotr('p[name="attestation_data_status"]').innerHTML = '<span style="color: green;">Prepared</span>';
+	}
+
+  console.log(window.PublicKeyCredential ? 'WebAuthn supported' : 'WebAuthn NOT supported');
+
+
+  get_pkcco()
+  .then(pkcco => navigator.credentials.create(pkcco))
+  .then(attestation_response => pack_attestation(attestation_response))
+  .catch(function(error) {
+    //toastr.error('Registration data preparation failed.');
+    console.log(error.message);
+  });
+</script>
+{% endblock %}
+
+{% block content %}
+<div class="profile">
+	<h1>Register new Webauthn credential</h1>
+
+	<div>
+		To register new credential:
+		<ol>
+			<li>Insert/connect authenticator and verify user presence.</li>
+			<li>Optionaly set comment for the new credential.</li>
+			<li>Submit the registration.</li>
+		</ol>
+	</div>
+
+  {{ render_form(form) }}
+  {#
+	<form id="webauthn_register_form" class="form-horizontal" method="post">
+		{{ form.csrf_token }}
+		<div class="form-group">
+			<label class="col-sm-2 control-label">Registration data</label>
+			<div class="col-sm-10"><p class="form-control-static" name="attestation_data_status"><span style="color: orange;">To be prepared</span></p></div>
+		</div>
+		{{ b_wtf.bootstrap_field(form.attestation, horizontal=True) }}
+		{{ b_wtf.bootstrap_field(form.name, horizontal=True) }}
+		{{ b_wtf.bootstrap_field(form.submit, horizontal=True) }}
+  </form>
+  #}
+</div>
+{% endblock %}

lenticular_cloud/template/skelet.html.j2

@@ -33,7 +33,9 @@
 </div>
 <script type="application/javascript" src="/static/main.js?v={{ GIT_HASH }}" ></script>
 <script type="application/javascript" >
-{% block script_js %}{% endblock %}
+  {% block script_js %}
+  // depricated
+{% endblock %}
 window.fieldlist = {
 	add: function(linkTag) {
 
@@ -55,6 +57,7 @@ window.fieldlist = {
 	}
 };
 </script>
+{% block script %}{% endblock %}
 </body>
 </html>
 

lenticular_cloud/views/admin.py

@@ -5,6 +5,7 @@ from flask import jsonify
 from flask.typing import ResponseReturnValue
 from flask_login import current_user, logout_user
 from oauthlib.oauth2.rfc6749.errors import TokenExpiredError
+from authlib.integrations.base_client.errors import InvalidTokenError
 from ory_hydra_client.api.admin import list_o_auth_2_clients, get_o_auth_2_client, update_o_auth_2_client, create_o_auth_2_client 
 from ory_hydra_client.models import OAuth2Client, GenericError
 from typing import Optional
@@ -28,7 +29,7 @@ def before_request() -> Optional[ResponseReturnValue]:
             return redirect_login()
         if 'groups' not in data or 'admin' not in data['groups']:
             return 'Not an admin', 403
-    except MissingTokenError:
+    except (MissingTokenError, InvalidTokenError):
         return redirect_login()
     return None
 

lenticular_cloud/views/api.py

@@ -8,6 +8,7 @@ from flask.typing import ResponseReturnValue
 
 from flask import Blueprint, render_template, request, url_for
 import logging
+import httpx
 
 from ..model import User
 from ..auth_providers import LdapAuthProvider
@@ -18,20 +19,43 @@ from ory_hydra_client.models import GenericError
 
 api_views = Blueprint('api', __name__, url_prefix='/api')
 
+logger = logging.getLogger(__name__)
+
 
 @api_views.route('/users', methods=['GET'])
 def user_list() -> ResponseReturnValue:
-    if 'authorization' not in request.headers:
-        return '', 403
-    token = request.headers['authorization'].replace('Bearer ', '')
-    token_info = introspect_o_auth_2_token.sync(_client=hydra_service.hydra_client)
+#   if 'authorization' not in request.headers:
+#       return '', 403
+#   token = request.headers['authorization'].replace('Bearer ', '')
+#   token_info = introspect_o_auth_2_token.sync(_client=hydra_service.hydra_client)
 
-    if token_info is None or isinstance(token_info, GenericError):
-        return 'internal errror', 500
+#   if token_info is None or isinstance(token_info, GenericError):
+#       return 'internal errror', 500
 
-    if not isinstance(token_info.scope, str) or 'lc_i_userlist' not in token_info.scope.split(' '):
-        return '', 403
+#   if not isinstance(token_info.scope, str) or 'lc_i_userlist' not in token_info.scope.split(' '):
+#       return '', 403
 
     return jsonify([
             {'username': str(user.username), 'email': str(user.email)}
             for user in User.query_().all()])
+
+@api_views.route('/introspect', methods=['POST'])
+def introspect() -> ResponseReturnValue:
+    token = request.form['token']
+    logger.error(f'debug token: {token}')
+    resp = httpx.post("https://hydra.cloud.tux.ac/oauth2/introspect", data={'token':token})
+    #if token_info is None or isinstance(token_info, GenericError):
+    if resp.status_code != 200:
+        return jsonify({}), 500
+    token_info = resp.json()
+    #token_info = introspect_o_auth_2_token.sync(_client=hydra_service, token=token)
+    logger.error(f'debug hydra: {token_info}')
+
+    if not token_info['active']:
+        return jsonify({'active': False})
+    token_info['email'] = token_info['ext']['email']
+
+    logger.error(f'debug: {token_info}')
+
+    return jsonify(token_info)
+

lenticular_cloud/views/auth.py

@@ -64,6 +64,7 @@ async def consent() -> ResponseReturnValue:
         token_data = {
             'name': str(user.username),
             'preferred_username': str(user.username),
+            'username': str(user.username),
             'email': str(user.email),
             'email_verified': True,
             'groups': [group.name for group in user.groups]

lenticular_cloud/views/frontend.py

@@ -175,7 +175,7 @@ def webauthn_list_route() -> ResponseReturnValue:
     """list registered credentials for current user"""
 
     creds = WebauthnCredential.query.all()
-    return render_template('webauthn_list.html', creds=creds, button_form=ButtonForm())
+    return render_template('frontend/webauthn_list.html', creds=creds, button_form=ButtonForm())
 
 
 @frontend_views.route('/webauthn/delete/<webauthn_id>', methods=['POST'])
@@ -207,19 +207,15 @@ def random_string(length=32) -> str:
 def webauthn_pkcco_route() -> ResponseReturnValue:
     """get publicKeyCredentialCreationOptions"""
 
-    form = ButtonForm()
-    if form.validate_on_submit():
-        user = User.query.get(current_user.id)
-        user_handle = random_string()
-        exclude_credentials = webauthn_credentials(user)
-        pkcco, state = webauthn.register_begin(
-            {'id': user_handle.encode('utf-8'), 'name': user.username, 'displayName': user.username},
-            exclude_credentials)
-        session['webauthn_register_user_handle'] = user_handle
-        session['webauthn_register_state'] = state
-        return Response(b64encode(cbor.encode(pkcco)).decode('utf-8'), mimetype='text/plain')
-
-    return '', HTTPStatus.BAD_REQUEST
+    user = User.query.get(current_user.id)
+    user_handle = random_string()
+    exclude_credentials = webauthn_credentials(user)
+    pkcco, state = webauthn.register_begin(
+        {'id': user_handle.encode('utf-8'), 'name': user.username, 'displayName': user.username},
+        exclude_credentials)
+    session['webauthn_register_user_handle'] = user_handle
+    session['webauthn_register_state'] = state
+    return Response(b64encode(cbor.encode(pkcco)).decode('utf-8'), mimetype='text/plain')
 
 
 @frontend_views.route('/webauthn/register', methods=['GET', 'POST'])
@@ -248,7 +244,7 @@ def webauthn_register_route() -> ResponseReturnValue:
             current_app.logger.exception(e)
             flash('Error during registration.', 'error')
 
-    return render_template('webauthn_register.html', form=form)
+    return render_template('frontend/webauthn_register.html', form=form)
 
 
 @frontend_views.route('/password_change')

lenticular_cloud/views/oauth2.py

@@ -9,7 +9,7 @@ from typing import Optional
 from ..model import User, SecurityUser
 
 def fetch_token(name: str) -> Optional[dict]:
-    token = session['token']
+    token = session.get('token', None)
     if isinstance(token, dict):
         return token
     return None