django-pfx 1.4.dev24__tar.gz → 1.4.dev28__tar.gz

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev24
+Version: 1.4.dev28
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/django_pfx.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: django-pfx
-Version: 1.4.dev24
+Version: 1.4.dev28
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/django_pfx.egg-info/SOURCES.txt

@@ -127,6 +127,7 @@ tests/tests/test_locale_api.py
 tests/tests/test_perm_tests.py
 tests/tests/test_perms_api.py
 tests/tests/test_profiling_middleware.py
+tests/tests/test_settings.py
 tests/tests/test_shortcuts.py
 tests/tests/test_timezone_middleware.py
 tests/tests/test_tools.py

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/decorator/rest.py

@@ -7,11 +7,9 @@ from apispec.utils import deepupdate
 
 from pfx.pfxcore.exceptions import APIError
 from pfx.pfxcore.http import JsonResponse
-from pfx.pfxcore.settings import PFXSettings
+from pfx.pfxcore.settings import settings
 from pfx.pfxcore.test import format_request
 
-settings = PFXSettings()
-
 logger = logging.getLogger(__name__)
 
 

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/management/commands/makeapidoc.py

@@ -11,10 +11,9 @@ from apispec.yaml_utils import load_operations_from_docstring
 
 from pfx.pfxcore import __PFX_VIEWS__
 from pfx.pfxcore.apidoc import __PARAMETERS__, __TAGS__, ParameterGroup
-from pfx.pfxcore.settings import PFXSettings
+from pfx.pfxcore.settings import settings
 from pfx.pfxcore.views import FilterGroup, ModelMixin
 
-settings = PFXSettings()
 DEFAULT_TEMPLATE = dict(
     title="PFX API",
     version="1.0.0",

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/middleware/authentication.py

@@ -30,13 +30,29 @@ class JWTTokenDecodeMixin:
         return user
 
     @classmethod
-    def decode_jwt(cls, token, otp_login=False):
+    def decode_jwt_header(cls, token):
         try:
             headers = jwt.get_unverified_header(token)
             if 'pfx_user_pk' not in headers:
                 raise jwt.InvalidTokenError(
                     "Missing pfx_user_pk in token headers")
-            user = cls.get_cached_user(headers['pfx_user_pk'])
+            return headers['pfx_user_pk']
+        except (jwt.ExpiredSignatureError,
+                jwt.InvalidTokenError, jwt.InvalidSignatureError,
+                DecodeError) as e:
+            # Log these exceptions only in debug mode
+            logger.debug(e, exc_info=True)
+            raise
+        except Exception as e:
+            # Always logs unexpected exceptions
+            logger.exception(e)
+            raise
+
+    @classmethod
+    def decode_jwt(cls, token, otp_login=False):
+        user_pk = cls.decode_jwt_header(token)
+        try:
+            user = cls.get_cached_user(user_pk)
             decoded = jwt.decode(
                 token,
                 user.get_user_jwt_signature_key() + settings.PFX_SECRET_KEY,
@@ -49,11 +65,12 @@ class JWTTokenDecodeMixin:
                     "This token is reserved for OTP login")
             return user
         except (get_user_model().DoesNotExist, jwt.ExpiredSignatureError,
-                jwt.InvalidTokenError, jwt.InvalidSignatureError) as e:
+                jwt.InvalidTokenError, jwt.InvalidSignatureError,
+                DecodeError) as e:
             # Log these exceptions only in debug mode
             logger.debug(e, exc_info=True)
             raise
-        except (DecodeError, Exception) as e:
+        except Exception as e:
             # Always logs unexpected exceptions
             logger.exception(e)
             raise
@@ -72,11 +89,11 @@ class AuthenticationMiddleware(JWTTokenDecodeMixin, MiddlewareMixin):
         authorization = request.headers.get('Authorization')
         if authorization:
             try:
-                _, key = authorization.split("Bearer ")
+                _, token = authorization.split("Bearer ")
             except ValueError:
-                key = None
+                token = ""
             try:
-                request.user = self.decode_jwt(key)
+                request.user = self.decode_jwt(token)
             except Exception:
                 request.user = AnonymousUser()
         else:
@@ -102,10 +119,10 @@ class CookieAuthenticationMiddleware(JWTTokenDecodeMixin, MiddlewareMixin):
     """
 
     def process_request(self, request):
-        key = request.COOKIES.get('token')
-        if key:
+        token = request.COOKIES.get('token', "")
+        if token:
             try:
-                request.user = self.decode_jwt(key)
+                request.user = self.decode_jwt(token)
             except Exception:
                 request.user = AnonymousUser()
                 request.delete_cookie = True

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/middleware/profiling.py

@@ -11,10 +11,9 @@ from django.utils.deprecation import MiddlewareMixin
 
 import sqlparse
 
-from pfx.pfxcore.settings import PFXSettings
+from pfx.pfxcore.settings import settings
 
 logger = logging.getLogger(__name__)
-settings = PFXSettings()
 rid = ContextVar('var')
 
 

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/models/login_ban.py

@@ -4,9 +4,7 @@ from django.db import models
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
-from pfx.pfxcore.settings import PFXSettings
-
-settings = PFXSettings()
+from pfx.pfxcore.settings import settings
 
 
 class LoginBanQuerySet(models.QuerySet):

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/models/otp_user_mixin.py

@@ -4,9 +4,7 @@ from django.db import models
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
-from pfx.pfxcore.settings import PFXSettings
-
-settings = PFXSettings()
+from pfx.pfxcore.settings import settings
 
 
 class OtpUserMixin(models.Model):

django-pfx-1.4.dev28/pfx/pfxcore/settings.py

@@ -0,0 +1,22 @@
+from django.conf import settings as django_settings
+from django.core.exceptions import ImproperlyConfigured
+
+from . import default_settings
+
+
+class PFXSettings:
+    def __getattr__(self, name):
+        try:
+            val = getattr(django_settings, name)
+        except AttributeError:
+            if hasattr(default_settings, name):
+                val = getattr(default_settings, name)
+            else:
+                raise
+        if name == "PFX_SECRET_KEY" and not val:
+            raise ImproperlyConfigured(
+                "The PFX_SECRET_KEY setting must not be empty.")
+        return val
+
+
+settings = PFXSettings()

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/shortcuts.py

@@ -5,9 +5,7 @@ from datetime import date
 from django.core.exceptions import ObjectDoesNotExist
 from django.utils.translation import gettext_lazy as _
 
-from pfx.pfxcore.settings import PFXSettings
-
-settings = PFXSettings()
+from .settings import settings
 
 logger = logging.getLogger(__name__)
 

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/pfx/pfxcore/views/authentication_views.py

@@ -32,7 +32,7 @@ from pfx.pfxcore.http import JsonResponse
 from pfx.pfxcore.middleware.authentication import JWTTokenDecodeMixin
 from pfx.pfxcore.models import CacheableMixin, OtpUserMixin
 from pfx.pfxcore.models.login_ban import LoginBan
-from pfx.pfxcore.settings import PFXSettings
+from pfx.pfxcore.settings import settings
 from pfx.pfxcore.shortcuts import delete_token_cookie
 
 from .rest_views import (
@@ -42,7 +42,6 @@ from .rest_views import (
     ModelMixin,
 )
 
-settings = PFXSettings()
 logger = logging.getLogger(__name__)
 UserModel = get_user_model()
 AUTHENTICATION_TAG = Tag("Authentication")
@@ -261,9 +260,7 @@ class AuthenticationView(
         return jwt.encode(
             payload,
             user.get_user_jwt_signature_key() + settings.PFX_SECRET_KEY,
-            headers=dict(
-                pfx_user_pk=user.pk,
-                username=user.get_username()),
+            headers=dict(pfx_user_pk=user.pk),
             algorithm="HS256")
 
     def get_extra_payload(self, user):
@@ -559,9 +556,13 @@ class AuthenticationView(
                     description: If the OTP is disabled for this user.
         """
         data = self.deserialize_body()
-        token = data.get('token')
-        username = jwt.get_unverified_header(token).get('username')
-        ban_dt = LoginBan.objects.is_ban(username)
+        token = data.get('token', "")
+        try:
+            user_pk = self.decode_jwt_header(token)
+            ban_key = f"otp_{user_pk}"
+        except Exception:
+            raise UnauthorizedError()
+        ban_dt = LoginBan.objects.is_ban(ban_key)
         if ban_dt:
             return self.login_ban_response(ban_dt)
         try:
@@ -574,9 +575,9 @@ class AuthenticationView(
         if not user.otp_secret_token:
             raise ForbiddenError()
         if user.is_otp_valid(data.get('otp_code')):
-            LoginBan.objects.unban(username)
+            LoginBan.objects.unban(ban_key)
             return self._login_success(user, mode, remember_me)
-        LoginBan.objects.ban(username)
+        LoginBan.objects.ban(ban_key)
         return self.login_failed_response()
 
     def get_user(self, uidb64):
@@ -836,9 +837,8 @@ class OtpEmailView(BodyMixin, JWTTokenDecodeMixin, BaseRestView):
             data = self.deserialize_body()
             try:
                 user, __, __ = self.decode_jwt(
-                    data.get('token'), otp_login=True)
-            except Exception as e:
-                logger.exception(e)
+                    data.get('token', ""), otp_login=True)
+            except Exception:
                 raise UnauthorizedError()
         else:
             user = self.request.user

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/tests/tests/__init__.py

@@ -11,6 +11,7 @@ from .test_locale_api import LocaleAPITest
 from .test_perm_tests import PermTestsTest
 from .test_perms_api import PermsAPITest
 from .test_profiling_middleware import ProfilingMiddlewareTest
+from .test_settings import TestSettings
 from .test_shortcuts import ShortcutTest
 from .test_timezone_middleware import TimezoneMiddlewareTest
 from .test_tools import TestTools

{django-pfx-1.4.dev24 → django-pfx-1.4.dev28}/tests/tests/test_auth_api.py

@@ -1287,20 +1287,20 @@ class AuthAPITest(TestAssertMixin, TransactionTestCase):
             code_match = re.search(
                 r'Authentication code: (\d{6})', mail.outbox[0].body)
             self.assertIsNotNone(code_match)
-            otp_code = int(code_match.group(1))
+            otp_code = code_match.group(1)
 
-        with freeze_time("2023-05-01 08:15:01"):
+        with freeze_time("2023-05-01 08:15:00"):
             response = self.client.post('/api/auth/otp/login', dict(
                 token=otp_token,
                 otp_code=otp_code))
-            self.assertRC(response, 422)
+            self.assertRC(response, 200)
+            self.assertJEExists(response, 'token')
 
-        with freeze_time("2023-05-01 08:15:00"):
+        with freeze_time("2023-05-01 08:15:01"):
             response = self.client.post('/api/auth/otp/login', dict(
                 token=otp_token,
                 otp_code=otp_code))
-            self.assertRC(response, 200)
-            self.assertJEExists(response, 'token')
+            self.assertRC(response, 422)
 
     @override_settings(
         PFX_HOTP_CODE_VALIDITY=15,

django-pfx-1.4.dev28/tests/tests/test_settings.py

@@ -0,0 +1,23 @@
+from datetime import timedelta
+
+from django.core.exceptions import ImproperlyConfigured
+from django.test import TestCase, override_settings
+
+from pfx.pfxcore.test import TestAssertMixin
+from pfx.pfxcore.views import AuthenticationView
+from tests.models import User
+
+
+class TestSettings(TestAssertMixin, TestCase):
+
+    @override_settings(PFX_SECRET_KEY="")
+    def test_mandatory_pfx_secret_key(self):
+        user = User.objects.create_user(
+            username='user',
+            email="user@example.com",
+            password='test',
+            first_name='User',
+            last_name='Test')
+
+        with self.assertRaises(ImproperlyConfigured):
+            AuthenticationView()._prepare_token(user, timedelta())

django-pfx-1.4.dev24/pfx/pfxcore/settings.py

@@ -1,11 +0,0 @@
-from django.conf import settings
-
-from . import default_settings
-
-
-class PFXSettings:
-    def __getattr__(self, attr):
-        try:
-            return getattr(settings, attr)
-        except AttributeError:
-            return getattr(default_settings, attr)