From f613891d9d70ea79057e93da5a1c9ce30ed77780 Mon Sep 17 00:00:00 2001
From: Samuel Olwe
Date: Wed, 17 Dec 2025 10:48:44 +0300
Subject: [PATCH] feat: add lp authorization groups to oauth login
---
 webapp/auth.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/webapp/auth.py b/webapp/auth.py
index fac8e073..ba82e3e7 100644
--- a/webapp/auth.py
+++ b/webapp/auth.py
@@ -6,6 +6,7 @@
 from datetime import datetime, timedelta
 from functools import wraps
 import os
+import re
 import threading
 import time
 from typing import Any, Callable
@@ -215,7 +216,16 @@ def validate_time_based_token(token: str) -> bool:
 )
 res = lp.get("https://api.launchpad.net/beta/people/+me")
 if res.status_code == 200:
- return True
+ # Check if user is in AUTHORIZED_TEAMS
+ data = res.json()
+ res = lp.get(data.get("memberships_details_collection_link"))
+ if res.status_code == 200:
+ group_data = res.json()
+ for entry in group_data.get("entries", []):
+ team_link = entry.get("team_link", "")
+ for team in AUTHORIZED_TEAMS:
+ if re.match(f".*{team}.*", team_link):
+ return True
 else:
 logger.error("Token has expired.")
 return False
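Review bot: The team check `re.match(f".*{team}.*", team_link)` is an unanchored substring match that also interpolates the team name as a regex, so membership in any team whose link merely contains an authorized name passes this login gate. Compare the whole team name instead, for example `if team_link.rsplit("/~", 1)[-1] in AUTHORIZED_TEAMS: return True`, assuming Launchpad team links end in `/~<team-name>` (worth confirming against a real response); the `import re` added in the first hunk then becomes unnecessary. Two smaller gaps in the same block: `data.get("memberships_details_collection_link")` can hand `None` to `lp.get`, and only the `entries` of the first response are inspected, so a missing link or a paginated collection should be handled explicitly. A valid token whose owner is in none of the teams, or a failed membership request, currently falls through without a log line; a `logger.warning` stating that the user is not in an authorized team would make denials auditable. validate_time_based_token begins above the hunk, so the rest of its body is not visible here.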