django-nativemojo 0.1.10__py3-none-any.whl

mojo/apps/account/models/group.py

@@ -0,0 +1,98 @@
+from django.db import models
+from mojo.models import MojoModel, MojoSecrets
+from mojo.helpers import dates
+
+
+
+class Group(MojoSecrets, MojoModel):
+    """
+    Group model.
+    """
+    created = models.DateTimeField(auto_now_add=True, editable=False)
+    modified = models.DateTimeField(auto_now=True, db_index=True)
+
+    name = models.CharField(max_length=200)
+    uuid = models.CharField(max_length=200, null=True, default=None, db_index=True)
+    is_active = models.BooleanField(default=True, db_index=True)
+    kind = models.CharField(max_length=80, default="group", db_index=True)
+
+    parent = models.ForeignKey("account.Group", null=True, related_name="groups",
+        default=None, on_delete=models.CASCADE)
+
+    # JSON-based metadata field
+    metadata = models.JSONField(default=dict, blank=True)
+
+    class RestMeta:
+        SEARCH_FIELDS = ["name"]
+        VIEW_PERMS = ["view_groups", "manage_groups"]
+        SAVE_PERMS = ["manage_groups"]
+        LIST_DEFAULT_FILTERS = {
+            "is_active": True
+        }
+        GRAPHS = {
+            "basic": {
+                "fields": [
+                    'id',
+                    'name',
+                    'created',
+                    'modified',
+                    'is_active',
+                    'kind',
+                ]
+            },
+            "default": {
+                "fields": [
+                    'id',
+                    'name',
+                    'created',
+                    'modified',
+                    'is_active',
+                    'kind',
+                    'parent',
+                    'metadata'
+                ]
+            },
+            "graphs": {
+                "parent": "basic"
+            }
+        }
+
+    @property
+    def timezone(self):
+        return self.metadata.get("timezone", "America/Los_Angeles")
+
+    def get_local_day(self, dt_utc=None):
+        return dates.get_local_day(self.timezone, dt_utc)
+
+    def get_local_time(self, dt_utc):
+        return dates.get_local_time(self.timezone, dt_utc)
+
+    def __str__(self):
+        return self.name
+
+    def has_permission(self, user):
+        from mojo.account.models.member import GroupMember
+        return GroupMember.objects.filter(user=user).last()
+
+    def member_has_permission(self, user, perms, check_user=True):
+        if check_user and user.has_permission(perms):
+            return True
+        ms = self.has_permission(user)
+        if ms is not None:
+            return ms.has_permission(perms)
+        return False
+
+    def get_metadata(self):
+        # converts our local metadata into an objict
+        self.metadata = self.jsonfield_as_objict("metadata")
+        return self.metadata
+
+    def get_member_for_user(self, user):
+        return self.members.filter(user=user).last()
+
+    @classmethod
+    def on_rest_handle_list(cls, request):
+        if cls.rest_check_permission(request, "VIEW_PERMS"):
+            return cls.on_rest_list(request)
+        group_ids = request.user.members.values_list('group__id', flat=True)
+        return cls.on_rest_list(request, cls.objects.filter(id__in=group_ids))

mojo/apps/account/models/member.py

@@ -0,0 +1,95 @@
+from django.db import models
+from mojo.models import MojoModel
+from mojo import errors as merrors
+from mojo.helpers.settings import settings
+
+MEMBER_PERMS_PROTECTION = settings.get("MEMBER_PERMS_PROTECTION", {})
+
+
+class GroupMember(models.Model, MojoModel):
+    """
+    A member of a group
+    """
+    created = models.DateTimeField(auto_now_add=True, editable=False)
+    modified = models.DateTimeField(auto_now=True, db_index=True)
+    user = models.ForeignKey(
+        "account.User",related_name="members",
+        on_delete=models.CASCADE)
+    group = models.ForeignKey(
+        "account.Group", related_name="members",
+        on_delete=models.CASCADE)
+    is_active = models.BooleanField(default=True, db_index=True)
+    # JSON-based permissions field
+    permissions = models.JSONField(default=dict, blank=True)
+    # JSON-based metadata field
+    metadata = models.JSONField(default=dict, blank=True)
+
+    class RestMeta:
+        VIEW_PERMS = ["view_groups", "manage_groups"]
+        SAVE_PERMS = ["manage_groups"]
+        LIST_DEFAULT_FILTERS = {
+            "is_active": True
+        }
+        GRAPHS = {
+            "default": {
+                "fields": [
+                    'id',
+                    'name',
+                    'created',
+                    'modified',
+                    'is_active',
+                    'permissions',
+                    'metadata'
+                ],
+                "graphs": {
+                    "user": "basic",
+                    "group": "basic"
+                }
+            }
+        }
+
+    def __str__(self):
+        return f"{self.user.username}@{self.group.name}"
+
+    def can_change_permission(self, perm, value, request):
+        if request.user.has_permission(["manage_groups", "manage_users"]):
+            return True
+        req_member = self.group.get_member_for_user(request.user)
+        if req_member is not None:
+            if perm in MEMBER_PERMS_PROTECTION:
+                return req_member.has_permission(MEMBER_PERMS_PROTECTION[perm])
+            return req_member.has_permission(["manage_group", "manage_members"])
+        return False
+
+    def set_permissions(self, value, request):
+            if not isinstance(value, dict):
+                return
+            for perm, perm_value in value.items():
+                if not self.can_change_permission(perm, perm_value, request):
+                    raise merrors.PermissionDeniedException()
+                if bool(perm_value):
+                    self.add_permission(perm)
+                else:
+                    self.remove_permission(perm)
+
+    def has_permission(self, perm_key):
+        """Check if user has a specific permission in JSON field."""
+        if isinstance(perm_key, list):
+            for pk in perm_key:
+                if self.has_permission(pk):
+                    return True
+            return False
+        if perm_key == "all":
+            return True
+        return self.permissions.get(perm_key, False)
+
+    def add_permission(self, perm_key, value=True):
+        """Dynamically add a permission."""
+        self.permissions[perm_key] = value
+        self.save()
+
+    def remove_permission(self, perm_key):
+        """Remove a permission."""
+        if perm_key in self.permissions:
+            del self.permissions[perm_key]
+            self.save()

mojo/apps/account/models/pkey.py

@@ -0,0 +1,18 @@
+from django.db import models
+
+class Passkey(models.Model):
+    user = models.ForeignKey(
+        "account.User",related_name="members",
+        on_delete=models.CASCADE)
+    token = models.TextField()
+
+    credential_id = models.CharField(max_length=255, unique=True)
+    rp_id = models.CharField(max_length=255, null=False, db_index=True)
+    is_enabled = models.BooleanField(default=True, db_index=True)
+
+    created = models.DateTimeField(auto_now_add=True)
+    modified = models.DateTimeField(auto_now=True)
+    last_used = models.DateTimeField(null=True, blank=True, default=None)
+
+    def __str__(self):
+        return f"{self.user.username} - {self.credential_id} - {self.rp_id}"

mojo/apps/account/models/user.py

@@ -0,0 +1,211 @@
+from django.contrib.auth.models import AbstractBaseUser, BaseUserManager
+from django.db import models
+from mojo.models import MojoModel, MojoSecrets
+from mojo.helpers.settings import settings
+from mojo import errors as merrors
+from mojo.helpers import dates
+from mojo.apps.account.utils.jwtoken import JWToken
+import uuid
+
+USER_PERMS_PROTECTION = settings.get("USER_PERMS_PROTECTION", {})
+USER_LAST_ACTIVITY_FREQ = settings.get("USER_LAST_ACTIVITY_FREQ", 300)
+
+class CustomUserManager(BaseUserManager):
+    def create_user(self, email, password=None, **extra_fields):
+        if not email:
+            raise ValueError("The Email field must be set")
+        email = self.normalize_email(email)
+        user = self.model(email=email, **extra_fields)
+        user.set_password(password)
+        user.save(using=self._db)
+        return user
+
+    def create_superuser(self, email, password=None, **extra_fields):
+        extra_fields.setdefault("is_staff", True)
+        extra_fields.setdefault("is_superuser", True)
+        return self.create_user(email, password, **extra_fields)
+
+    def get_by_natural_key(self, username):
+        """Required for Django authentication"""
+        return self.get(**{self.model.USERNAME_FIELD: username})
+
+class User(MojoSecrets, AbstractBaseUser, MojoModel):
+    """
+    Full custom user model.
+    """
+    created = models.DateTimeField(auto_now_add=True, editable=False)
+    modified = models.DateTimeField(auto_now_add=True, editable=True)
+    last_activity = models.DateTimeField(default=None, null=True, db_index=True)
+
+    uuid = models.UUIDField(default=uuid.uuid4, editable=False, db_index=True)
+    username = models.TextField(unique=True)
+    email = models.EmailField(unique=True)
+    phone_number = models.CharField(max_length=32, blank=True, null=True, default=None)
+    is_active = models.BooleanField(default=True, db_index=True)
+    display_name = models.CharField(max_length=80, blank=True, null=True, default=None)
+    # key used for sessions and general authentication algs
+    auth_key = models.TextField(null=True, default=None)
+    onetime_code = models.TextField(null=True, default=None)
+    # JSON-based permissions field
+    permissions = models.JSONField(default=dict, blank=True)
+    # JSON-based metadata field
+    metadata = models.JSONField(default=dict, blank=True)
+
+    # required default fields
+    first_name = models.CharField(max_length=80, default="")
+    last_name = models.CharField(max_length=80, default="")
+    is_active = models.BooleanField(default=True)
+    is_staff = models.BooleanField(default=False)  # Required for admin access
+    is_superuser = models.BooleanField(default=False)
+    date_joined = models.DateTimeField(auto_now_add=True)
+
+    is_email_verified = models.BooleanField(default=False)
+    is_phone_verified = models.BooleanField(default=False)
+
+    USERNAME_FIELD = 'username'
+    objects = CustomUserManager()
+
+    class RestMeta:
+        NO_SHOW_FIELDS = ["password", "auth_key", "onetime_code"]
+        SEARCH_FIELDS = ["username", "email", "display_name"]
+        VIEW_PERMS = ["view_users", "manage_users", "owner"]
+        SAVE_PERMS = ["manage_users", "owner"]
+        LIST_DEFAULT_FILTERS = {
+            "is_active": True
+        }
+        UNIQUE_LOOKUP = ["username", "email"]
+        GRAPHS = {
+            "basic": {
+                "fields": [
+                    'id',
+                    'display_name',
+                    'username',
+                    'email',
+                    'phone_number',
+                    'last_login',
+                    'last_activity',
+                    'is_active'
+                ]
+            },
+            "default": {
+                "fields": [
+                    'id',
+                    'display_name',
+                    'username',
+                    'email',
+                    'phone_number',
+                    'last_login',
+                    'last_activity',
+                    'permissions',
+                    'metadata',
+                    'is_active'
+                ],
+            },
+        }
+
+    def __str__(self):
+        return self.email
+
+    def is_request_user(self, request=None):
+        if request is None:
+            request = self.active_request
+        if request is None:
+            return False
+        return request.user.id == self.id
+
+    def touch(self):
+        # can't subtract offset-naive and offset-aware datetimes
+        if self.last_activity is None or dates.has_time_elsapsed(self.last_activity, seconds=USER_LAST_ACTIVITY_FREQ):
+            self.last_activity = dates.utcnow()
+            self.atomic_save()
+
+    def get_auth_key(self):
+        if self.auth_key is None:
+            self.auth_key = uuid.uuid4().hex
+            self.atomic_save()
+        return self.auth_key
+
+    def set_permissions(self, value, request):
+        if not isinstance(value, dict):
+            return
+        for key in value:
+            if key in USER_PERMS_PROTECTION:
+                if not request.user.has_permission(USER_PERMS_PROTECTION[key]):
+                    raise merrors.PermissionDeniedException()
+            elif not request.user.has_permission("manage_users"):
+                raise merrors.PermissionDeniedException()
+            if bool(value[key]):
+                self.add_permission(key)
+            else:
+                self.remove_permission(key)
+
+    def has_module_perms(self, app_label):
+        """Check if user has any permissions in a given app."""
+        return True  # Or customize based on your `permissions` JSON
+
+    def has_permission(self, perm_key):
+        """Check if user has a specific permission in JSON field."""
+        if isinstance(perm_key, list):
+            for pk in perm_key:
+                if self.has_permission(pk):
+                    return True
+            return False
+        if perm_key == "all":
+            return True
+        return self.permissions.get(perm_key, False)
+
+    def add_permission(self, perm_key, value=True):
+        """Dynamically add a permission."""
+        if isinstance(perm_key, (list, set)):
+            for pk in perm_key:
+                self.permissions[pk] = value
+        else:
+            self.permissions[perm_key] = value
+        self.save()
+
+    def remove_permission(self, perm_key):
+        """Remove a permission."""
+        if isinstance(perm_key, (list, set)):
+            for pk in perm_key:
+                if pk in self.permissions:
+                    del self.permissions[pk]
+        else:
+            if perm_key in self.permissions:
+                del self.permissions[perm_key]
+        self.save()
+
+    def remove_all_permissions(self):
+        self.permissions = {}
+        self.save()
+
+    def save_password(self, value):
+        self.set_password(value)
+        self.save()
+
+    def save(self, *args, **kwargs):
+        if not self.username:
+            self.username = self.email.split("@")[0]
+        if not self.display_name:
+            self.display_name = self.username
+        super().save(*args, **kwargs)
+
+    def check_edit_permission(self, perms, request):
+        if "owner" in perms and self.is_request_user():
+            return True
+        return request.user.has_permission(perms)
+
+    @classmethod
+    def validate_jwt(cls, token):
+        token_manager = JWToken()
+        jwt_data = token_manager.decode(token, validate=False)
+        if jwt_data.uid is None:
+            return None, "Invalid token data"
+        user = User.objects.filter(id=jwt_data.uid).last()
+        if user is None:
+            return None, "Invalid token user"
+        token_manager.key = user.auth_key
+        if not token_manager.is_token_valid(token):
+            if token_manager.is_expired:
+                return user, "Token expired"
+            return user, "Token has invalid signature"
+        return user, None

mojo/apps/account/rest/__init__.py

@@ -0,0 +1,3 @@
+APP_NAME = ""
+from .user import *
+from .group import *

mojo/apps/account/rest/group.py

@@ -0,0 +1,25 @@
+from mojo import decorators as md
+from mojo.apps.account.models import Group, GroupMember
+
+
+@md.URL('group')
+@md.URL('group/<int:pk>')
+def on_group(request, pk=None):
+    return Group.on_rest_request(request, pk)
+
+
+@md.URL('group/member')
+@md.URL('group/member/<int:pk>')
+def on_group_member(request, pk=None):
+    return GroupMember.on_rest_request(request, pk)
+
+
+@md.GET('group/<int:pk>/member')
+def on_group_me_member(request, pk=None):
+    request.group = Group.objects.filter(pk=pk).last()
+    if request.group is None:
+        return Group.rest_error_response(request, 403, error="GET permission denied: Group")
+    member = request.group.get_member_for_user(request.user)
+    if member is None:
+        return Group.rest_error_response(request, 403, error="GET permission denied: Member")
+    return member.on_rest_get(request)

mojo/apps/account/rest/user.py

@@ -0,0 +1,47 @@
+from mojo import decorators as md
+from mojo.apps.account.utils.jwtoken import JWToken
+# from django.http import JsonResponse
+from mojo.helpers.response import JsonResponse
+from mojo.apps.account.models.user import User
+import datetime
+
+@md.URL('user')
+@md.URL('user/<int:pk>')
+def on_user(request, pk=None):
+    return User.on_rest_request(request, pk)
+
+
+@md.GET('user/me')
+def on_user_me(request):
+    return User.on_rest_request(request, request.user.pk)
+
+
+@md.POST('refresh_token')
+@md.requires_params("refresh_token")
+def on_refresh_token(request):
+    user, error = User.validate_jwt(request.DATA.refresh_token)
+    if error is not None:
+        return JsonResponse({'error': error}, status=401)
+    # future look at keeping the refresh token the same but updating the access_token
+    # TODO add device id to the token as well
+    user.touch()
+    token_package = JWToken(user.get_auth_key()).create(uid=user.id)
+    return JsonResponse(dict(status=True, data=token_package))
+
+
+@md.POST("login")
+@md.requires_params("username", "password")
+def on_user_login(request):
+    username = request.DATA.username
+    password = request.DATA.password
+    user = User.objects.filter(username=username.lower().strip()).last()
+    if user is None:
+        return JsonResponse(dict(status=False, error="Invalid username or password", code=403))
+    if not user.check_password(password):
+        # Authentication successful
+        user.report_incident(f"{user.username} enter an invalid password", "invalid_password")
+        return JsonResponse(dict(status=False, error="Invalid username or password", code=401))
+    user.last_login = datetime.datetime.utcnow()
+    user.touch()
+    token_package = JWToken(user.get_auth_key()).create(uid=user.id)
+    return JsonResponse(dict(status=True, data=token_package))

mojo/apps/account/utils/jwtoken.py

@@ -0,0 +1,72 @@
+import jwt
+import datetime
+import time
+from objict import objict
+
+class JWToken:
+    def __init__(self, key=f"{time.time()}", access_token_expiry=21600, refresh_token_expiry=604800, alg="HS256", token=None):
+        self.key = key
+        self.access_token_expiry = access_token_expiry
+        self.refresh_token_expiry = refresh_token_expiry
+        self.alg = alg
+        self.is_expired = False
+        self.invalid_sig = False
+        self.is_valid = False
+        self.payload = None
+        if token is not None:
+            self.is_valid, self.payload = self.decode(token)
+
+    def decode(self, token, validate=True):
+        payload = objict.fromdict(jwt.decode(token, self.key, algorithms=self.alg, options={"verify_signature":False}))
+        if not validate:
+            return payload
+        is_valid = self.is_token_valid(token)
+        return is_valid, payload
+
+    def create(self, **kwargs):
+        package = objict()
+        package.access_token = self.create_access_token(**kwargs)
+        package.refresh_token = self.create_access_token(**kwargs)
+        return package
+
+    def create_access_token(self, **kwargs):
+        payload = dict(kwargs)
+        payload['exp'] = self._get_exp_time(self.access_token_expiry)
+        payload['token_type'] = "access"
+        payload["iat"] = int(time.time())
+        token = jwt.encode(payload, self.key, algorithm=self.alg)
+        return token
+
+    def create_refresh_token(self, **kwargs):
+        payload = dict(kwargs)
+        payload['exp'] = self._get_exp_time(self.refresh_token_expiry)
+        payload['token_type'] = "refresh"
+        payload["iat"] = int(time.time())
+        token = jwt.encode(payload, self.key, algorithm=self.alg)
+        return token
+
+    def refresh_access_token(self, refresh_token):
+        try:
+            decoded = jwt.decode(refresh_token, self.key, algorithms=[self.alg])
+            new_access_token = self.create_access_token(**decoded)
+            return new_access_token
+        except jwt.ExpiredSignatureError:
+            raise Exception("Refresh token has expired.")
+        except jwt.InvalidTokenError:
+            raise Exception("Invalid refresh token.")
+
+    def _get_exp_time(self, expiry_seconds):
+        return datetime.datetime.utcnow() + datetime.timedelta(seconds=expiry_seconds)
+
+    def is_token_valid(self, token):
+        try:
+            self.is_expired = False
+            self.invalid_sig = False
+            jwt.decode(token, self.key, algorithms=['HS256'])
+            return True
+        except jwt.ExpiredSignatureError:
+            self.is_expired = True
+            return False
+        except jwt.InvalidTokenError:
+            self.invalid_sig = True
+            return False

mojo/apps/account/utils/passkeys.py

@@ -0,0 +1,54 @@
+from fido2.webauthn import PublicKeyCredentialRpEntity, AttestedCredentialData, ResidentKeyRequirement
+from fido2.server import Fido2Server
+from fido2.utils import websafe_decode, websafe_encode
+from objict import objict
+from mojo.helpers.settings import settings
+
+
+class PasskeyAuthenticator:
+    def __init__(self, rp_id=settings.PASSKEYS_RP_ID, rp_name=settings.PASSKEYS_RP_NAME):
+        self.server = Fido2Server(PublicKeyCredentialRpEntity(id=rp_id, name=rp_name))
+
+    def register_begin(self, member, attachment="cross-platform"):
+        request = {
+            "id": member.uuid,
+            "name": member.username,
+            "displayName": member.display_name
+        }
+        data, state = self.server.register_begin(
+            request,
+            authenticator_attachment=attachment,
+            resident_key_requirement=ResidentKeyRequirement.PREFERRED)
+        response = objict(state=state, data=objict.fromdict(dict(data)), rp=objict(self.server.rp))
+        response.excludeCredentials = self.exclude_credentials(member, websafe=True)
+        return response
+
+    def register_complete(self, credentials, fido2_state):
+        auth_data = self.server.register_complete(
+            fido2_state,
+            response=credentials
+        )
+        return websafe_encode(auth_data.credential_data)
+
+    def exclude_credentials(self, member, websafe=False):
+        creds = [AttestedCredentialData(websafe_decode(uk.token)) for uk in member.passkeys.all()]
+        if websafe:
+            return [dict(type="public-key", id=websafe_encode(acd.credential_id)) for acd in creds]
+        return creds
+
+    def authenticate_begin(self, member):
+        creds = [AttestedCredentialData(websafe_decode(uk.token)) for uk in member.passkeys.all()]
+        challenge, state = self.server.authenticate_begin(creds)
+        response = objict(state=state, challenge=challenge, rp=objict(self.server.rp))
+        return response
+
+    def authenticate_complete(self, credential, public_key, fido2_state):
+        stored_credentials = [AttestedCredentialData(websafe_decode(public_key))]
+        try:
+            self.server.authenticate_complete(
+                fido2_state,
+                credentials=stored_credentials,
+                response=credential)
+            return True
+        except Exception:
+            return False