django-pfx 1.7.2.dev14__tar.gz → 1.7.2.dev16__tar.gz

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: django-pfx
-Version: 1.7.2.dev14
+Version: 1.7.2.dev16
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/django_pfx.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: django-pfx
-Version: 1.7.2.dev14
+Version: 1.7.2.dev16
 Summary: Django PFX is a toolkit designed to streamline the development of RESTful APIs using the Django framework.
 Author: Hervé Martinet
 Author-email: herve.martinet@gmail.com

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/django_pfx.egg-info/SOURCES.txt

@@ -136,6 +136,7 @@ tests/migrations/0002_alter_book_cover.py
 tests/migrations/0003_book_local_file.py
 tests/migrations/0004_mfausermixin_fields.py
 tests/migrations/0005_mfausermixin_fields_fix.py
+tests/migrations/0006_rename_otp_enabled_user_mfa_authenticator_enabled_and_more.py
 tests/migrations/__init__.py
 tests/settings/__init__.py
 tests/settings/ci.py

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/pfx/pfxcore/locale/fr/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-22 09:37+0200\n"
+"POT-Creation-Date: 2026-04-23 14:57+0200\n"
 "PO-Revision-Date: 2021-06-22 23:31+0200\n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -61,11 +61,11 @@ msgstr ""
 
 #: models/abstract_pfx_base_user.py:52
 msgid "user"
-msgstr ""
+msgstr "utilisateur"
 
 #: models/abstract_pfx_base_user.py:53
 msgid "users"
-msgstr ""
+msgstr "utilisateurs"
 
 #: models/login_ban.py:54
 msgid "Username"
@@ -115,21 +115,29 @@ msgstr "Numéro de téléphone temporaire (SMS)"
 msgid "SMS MFA enabled"
 msgstr "MFA SMS activé"
 
-#: models/mfa_user_mixin.py:37
+#: models/mfa_user_mixin.py:38
 msgid "Email MFA enabled"
 msgstr "MFA par email activé"
 
-#: models/mfa_user_mixin.py:40
+#: models/mfa_user_mixin.py:41
 msgid "MFA setup dismissed"
 msgstr "Configuration MFA annulée"
 
-#: models/mfa_user_mixin.py:43
+#: models/mfa_user_mixin.py:44
 msgid "Authenticator MFA enabled"
 msgstr "Application MFA activée"
 
-#: models/mfa_user_mixin.py:50 views/authentication_views.py:718
-msgid "OTP enabled"
-msgstr "OTP activé"
+#: models/mfa_user_mixin.py:61
+msgid "MFA enabled"
+msgstr "MFA activé"
+
+#: models/mfa_user_mixin.py:68
+msgid "MFA setup required"
+msgstr "Configuration MFA requise"
+
+#: models/mfa_user_mixin.py:74
+msgid "Is MFA forced"
+msgstr "MFA est forcé"
 
 #: models/pfx_models.py:14
 #, python-format
@@ -247,51 +255,55 @@ msgstr ""
 "Votre connexion est temporairement désactivée après plusieurs tentatives "
 "infructueuses, veuillez réessayer dans {seconds} secondes."
 
-#: views/authentication_views.py:214
+#: views/authentication_views.py:209
 msgid "Successful login"
 msgstr "Connexion réussie"
 
-#: views/authentication_views.py:391
+#: views/authentication_views.py:386
 msgid "This field is required."
 msgstr "Ce champ est requis."
 
-#: views/authentication_views.py:402
+#: views/authentication_views.py:397
 msgid "Code sent."
 msgstr "Code envoyé."
 
-#: views/authentication_views.py:465 views/authentication_views.py:635
+#: views/authentication_views.py:460 views/authentication_views.py:628
 msgid "password updated successfully"
 msgstr "le mot de passe a été mis à jour avec succès"
 
-#: views/authentication_views.py:470
+#: views/authentication_views.py:465
 msgid "Incorrect password"
 msgstr "Mot de passe incorrect"
 
-#: views/authentication_views.py:473 views/authentication_views.py:644
+#: views/authentication_views.py:468 views/authentication_views.py:637
 msgid "Empty password is not allowed"
 msgstr "Un mot de passe vide n’est pas autorisé"
 
-#: views/authentication_views.py:564
+#: views/authentication_views.py:557
 msgid "User and token are valid"
 msgstr "L'utilisateur et le token sont valides"
 
-#: views/authentication_views.py:566
+#: views/authentication_views.py:559
 msgid "User or token is invalid"
 msgstr "L'utilisateur ou le token est invalide"
 
-#: views/authentication_views.py:678
+#: views/authentication_views.py:671
 msgid "OTP is already enabled"
 msgstr "OTP est déjà activé"
 
-#: views/authentication_views.py:719 views/authentication_views.py:755
+#: views/authentication_views.py:711
+msgid "OTP enabled"
+msgstr "OTP activé"
+
+#: views/authentication_views.py:712 views/authentication_views.py:748
 msgid "Invalid code"
 msgstr "Code invalide"
 
-#: views/authentication_views.py:754
+#: views/authentication_views.py:747
 msgid "OTP disabled"
 msgstr "OTP désactivé"
 
-#: views/authentication_views.py:1015
+#: views/authentication_views.py:1008
 msgid ""
 "If the email address you entered is correct, you will receive an email from "
 "us with instructions to reset your password."
@@ -300,7 +312,7 @@ msgstr ""
 "un courrier électronique de notre part contenant des instructions pour "
 "réinitialiser votre mot de passe."
 
-#: views/authentication_views.py:1089
+#: views/authentication_views.py:1082
 msgid "A new authentication code has been sent by email."
 msgstr "Un nouveau code d'authentification a été envoyé par e-mail."
 

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/pfx/pfxcore/models/mfa_user_mixin.py

@@ -32,24 +32,51 @@ class MFAUserMixin(models.Model):
     sms_phone_number_tmp = models.CharField(
         _("Temporary SMS phone number"), max_length=32, null=True, blank=True)
     #: SMS MFA enabled.
-    sms_enabled = models.BooleanField(_("SMS MFA enabled"), default=False)
+    mfa_sms_enabled = models.BooleanField(_("SMS MFA enabled"), default=False)
     #: Email MFA enabled.
-    email_enabled = models.BooleanField(_("Email MFA enabled"), default=False)
+    mfa_email_enabled = models.BooleanField(
+        _("Email MFA enabled"), default=False)
     #: User has dismissed or completed the MFA setup screen.
     mfa_setup_dismissed = models.BooleanField(
         _("MFA setup dismissed"), default=False)
     #: Authenticator app MFA explicitly enabled by the user.
-    otp_enabled = models.BooleanField(
+    mfa_authenticator_enabled = models.BooleanField(
         _("Authenticator MFA enabled"), default=False)
 
     class Meta:
         abstract = True
 
-    # --- deprecated alias ---
-
-    @rest_property(_("OTP enabled"), "BooleanField")
-    def is_otp(self):
-        return self.otp_enabled
+    def auth_json_repr(self, **kw):
+        res = super().auth_json_repr(
+            is_mfa=self.is_mfa,
+            mfa_authenticator_enabled=self.mfa_authenticator_enabled,
+            mfa_sms_enabled=self.mfa_sms_enabled,
+            mfa_email_enabled=self.mfa_email_enabled,
+            mfa_setup_dismissed=self.mfa_setup_dismissed,
+            mfa_setup_required=self.mfa_setup_required,
+            mfa_forced=self.mfa_forced,
+            **kw)
+        return res
+
+    @rest_property(_("MFA enabled"), "BooleanField")
+    def is_mfa(self):
+        return (
+            self.mfa_authenticator_enabled
+            or self.mfa_sms_enabled
+            or self.mfa_email_enabled)
+
+    @rest_property(_("MFA setup required"), "BooleanField")
+    def mfa_setup_required(self):
+        return (
+            self.mfa_forced and
+            not self.mfa_setup_dismissed)
+
+    @rest_property(_("Is MFA forced"), "BooleanField")
+    def mfa_forced(self):
+        """Return True if MFA is forced for this user.
+
+        Can be overridden to implement per-organisation logic."""
+        return settings.PFX_MFA_FORCE
 
     def need_otp_response_extra(self):
         """Add extra attribute to response when need_otp=True."""
@@ -77,9 +104,10 @@ class MFAUserMixin(models.Model):
         if self.is_otp_valid(otp_code, tmp=True):
             self.otp_secret_token = self.otp_secret_token_tmp
             self.otp_secret_token_tmp = None
-            self.otp_enabled = True
+            self.mfa_authenticator_enabled = True
             self.save(update_fields=[
-                'otp_secret_token', 'otp_secret_token_tmp', 'otp_enabled'])
+                'otp_secret_token', 'otp_secret_token_tmp',
+                'mfa_authenticator_enabled'])
             return True
         return False
 
@@ -89,8 +117,9 @@ class MFAUserMixin(models.Model):
         Remove the OTP secret token.
         """
         self.otp_secret_token = None
-        self.otp_enabled = False
-        self.save(update_fields=['otp_secret_token', 'otp_enabled'])
+        self.mfa_authenticator_enabled = False
+        self.save(update_fields=[
+            'otp_secret_token', 'mfa_authenticator_enabled'])
 
     def get_otp_setup_uri(self, tmp=False, with_color=True):
         """Return the setup URL for OTP activation.

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/pfx/pfxcore/views/authentication_views.py

@@ -190,10 +190,6 @@ class AuthenticationView(
         user.last_login = tz.now()
         user.save(update_fields=['last_login'])
         token = self._prepare_token(user, mode, remember_me)
-        mfa_setup_required = (
-            isinstance(user, MFAUserMixin) and
-            self.is_mfa_forced(user) and
-            not user.mfa_setup_dismissed)
         if mode == 'cookie':
             if remember_me:
                 expires = datetime.now(
@@ -203,7 +199,6 @@ class AuthenticationView(
 
             res = JsonResponse(dict(
                 need_otp=False,
-                mfa_setup_required=mfa_setup_required,
                 user=self.get_user_information(user)))
             res.set_cookie(
                 'token', token, secure=settings.PFX_COOKIE_SECURE,
@@ -213,7 +208,6 @@ class AuthenticationView(
         return JsonResponse(dict(
             message=message or _("Successful login"),
             need_otp=False,
-            mfa_setup_required=mfa_setup_required,
             token=token,
             user=self.get_user_information(user)))
 
@@ -259,11 +253,12 @@ class AuthenticationView(
             return []
         result = []
         for backend_id in settings.PFX_MFA_BACKENDS:
-            if backend_id == 'authenticator' and user.otp_enabled:
+            if (backend_id == 'authenticator'
+                    and user.mfa_authenticator_enabled):
                 result.append(backend_id)
-            elif backend_id == 'sms' and user.sms_enabled:
+            elif backend_id == 'sms' and user.mfa_sms_enabled:
                 result.append(backend_id)
-            elif backend_id == 'email' and user.email_enabled:
+            elif backend_id == 'email' and user.mfa_email_enabled:
                 result.append(backend_id)
         return result
 
@@ -271,7 +266,7 @@ class AuthenticationView(
         """Return True if MFA is forced for this user.
 
         Can be overridden to implement per-organisation logic."""
-        return settings.PFX_MFA_FORCE
+        return isinstance(user, MFAUserMixin) and user.mfa_forced
 
     def get_active_mfa_backend(self, user):
         """Return the highest-priority active MFA backend ID for this user.
@@ -509,8 +504,6 @@ class AuthenticationView(
 
         :param user: The user"""
         info = user.auth_json_repr()
-        if isinstance(user, MFAUserMixin):
-            info.update(is_otp=user.is_otp)
         return info
 
     @classmethod
@@ -673,7 +666,7 @@ class AuthenticationView(
         if not isinstance(self.request.user, MFAUserMixin):
             logger.error("User must inherit MFAUserMixin to use MFA")
             raise NotFoundError()
-        if self.request.user.otp_enabled:
+        if self.request.user.mfa_authenticator_enabled:
             return JsonResponse(
                 dict(message=_("OTP is already enabled")), status=400)
         self.request.user.enable_otp()

django_pfx-1.7.2.dev16/tests/migrations/0006_rename_otp_enabled_user_mfa_authenticator_enabled_and_more.py

@@ -0,0 +1,29 @@
+# Generated by Django 4.2.30 on 2026-04-23 07:33
+# flake8: noqa
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('tests', '0005_mfausermixin_fields_fix'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='user',
+            old_name='otp_enabled',
+            new_name='mfa_authenticator_enabled',
+        ),
+        migrations.RenameField(
+            model_name='user',
+            old_name='email_enabled',
+            new_name='mfa_email_enabled',
+        ),
+        migrations.RenameField(
+            model_name='user',
+            old_name='sms_enabled',
+            new_name='mfa_sms_enabled',
+        ),
+    ]

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/tests/tests/__init__.py

@@ -2,7 +2,7 @@ from .basic_api_errors import BasicAPIErrorTest
 from .basic_api_test import BasicAPITest
 from .test_api_doc import ApiDocTest
 from .test_api_doc_search import TestAPIDocSearch
-from .test_auth_api import AuthAPITest
+from .test_auth_api import AuthAPITest, MFALoginTest
 from .test_body_mixin import TestBodyMixin
 from .test_cache import TestCache
 from .test_client import TestApiClient

{django_pfx-1.7.2.dev14 → django_pfx-1.7.2.dev16}/tests/tests/test_auth_api.py

@@ -924,7 +924,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
 
     def enable_otp(self, user):
         user.otp_secret_token = pyotp.random_base32()
-        user.otp_enabled = True
+        user.mfa_authenticator_enabled = True
         user.save()
         user.refresh_from_db()
         return pyotp.totp.TOTP(user.otp_secret_token)
@@ -949,10 +949,10 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     @override_settings(
         PFX_OTP_IMAGE="https://example.org/fake.png",
         PFX_OTP_COLOR="FF0000")
-    def test_otp_enable(self):
+    def test_mfa_authenticator_enabled(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
-        self.assertEqual(self.user1.is_otp, False)
+        self.assertEqual(self.user1.is_mfa, False)
         response = self.client.get('/api/auth/otp/setup-uri')
         self.assertRC(response, 200)
         self.assertJIn(response, 'setup_uri', "otpauth://totp/")
@@ -979,9 +979,9 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         self.user1.refresh_from_db()
         self.assertEqual(len(self.user1.otp_secret_token), 32)
         self.assertIsNone(self.user1.otp_secret_token_tmp)
-        self.assertEqual(self.user1.is_otp, True)
+        self.assertEqual(self.user1.is_mfa, True)
 
-    def test_otp_enable_bad_code(self):
+    def test_mfa_authenticator_enabled_bad_code(self):
         self.client.login(username='jrr.tolkien', password='RIGHT PASSWORD')
 
         response = self.client.get('/api/auth/otp/setup-uri')
@@ -1010,7 +1010,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     def test_otp_disable(self):
         totp = self.enable_otp(self.user1)
 
-        self.assertEqual(self.user1.is_otp, True)
+        self.assertEqual(self.user1.is_mfa, True)
         self.otp_login(self.user1, 'RIGHT PASSWORD')
         response = self.client.put('/api/auth/otp/disable', dict(
             otp_code=totp.now()))
@@ -1019,7 +1019,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         self.user1.refresh_from_db()
         self.assertIsNone(self.user1.otp_secret_token)
         self.assertIsNone(self.user1.otp_secret_token_tmp)
-        self.assertEqual(self.user1.is_otp, False)
+        self.assertEqual(self.user1.is_mfa, False)
 
     @override_settings(
         PFX_HOTP_CODE_VALIDITY=15,
@@ -1091,8 +1091,8 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
                 token=token,
                 otp_code=totp.now()))
             self.assertRC(response, 200)
-            self.assertJE(response, 'user.is_otp', True)
-            self.assertJE(response, 'mfa_setup_required', False)
+            self.assertJE(response, 'user.is_mfa', True)
+            self.assertJE(response, 'user.mfa_setup_required', False)
             headers = jwt.get_unverified_header(token)
             self.assertEqual(headers['pfx_user_pk'], self.user1.pk)
             decoded = jwt.decode(
@@ -1104,6 +1104,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
             self.assertEqual(
                 datetime.fromtimestamp(decoded['exp']),
                 datetime(2023, 5, 1, 8, 40))
+            response.print()
 
     @override_settings(PFX_TOKEN_LONG_VALIDITY={'days': 1})
     def test_otp_login_remember_me(self):
@@ -1445,7 +1446,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         """Login with email+authenticator:
            email (highest priority) is active backend."""
         self.enable_otp(self.user1)
-        self.user1.email_enabled = True
+        self.user1.mfa_email_enabled = True
         self.user1.save()
         with patch(
                 'pfx.pfxcore.views.authentication_views'
@@ -1459,19 +1460,19 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         self.assertJE(response, 'available_backends.@0.id', 'email')
         self.assertJE(response, 'available_backends.@1.id', 'authenticator')
 
-    # --- mfa_setup_required ---
+    # --- user.mfa_setup_required ---
 
     def test_login_success_mfa_setup_required_false_by_default(self):
         """Direct login, no MFA force: mfa_setup_required=False."""
         response = self.do_login()
         self.assertRC(response, 200)
         self.assertJE(response, 'need_otp', False)
-        self.assertJE(response, 'mfa_setup_required', False)
+        self.assertJE(response, 'user.mfa_setup_required', False)
 
     @override_settings(PFX_MFA_FORCE=True)
     def test_login_success_mfa_setup_required_true(self):
         """After OTP login, MFA forced, setup not dismissed:
-           mfa_setup_required=True."""
+           user.mfa_setup_required=True."""
         totp = self.enable_otp(self.user1)
         response = self.do_login()
         self.assertRC(response, 200)
@@ -1479,12 +1480,12 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         response = self.client.post('/api/auth/otp/login', dict(
             token=otp_token, otp_code=totp.now()))
         self.assertRC(response, 200)
-        self.assertJE(response, 'mfa_setup_required', True)
+        self.assertJE(response, 'user.mfa_setup_required', True)
 
     @override_settings(PFX_MFA_FORCE=True)
     def test_login_success_mfa_setup_required_false_when_dismissed(self):
         """After OTP login, MFA forced, setup dismissed:
-           mfa_setup_required=False."""
+           user.mfa_setup_required=False."""
         totp = self.enable_otp(self.user1)
         self.user1.mfa_setup_dismissed = True
         self.user1.save()
@@ -1494,14 +1495,14 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         response = self.client.post('/api/auth/otp/login', dict(
             token=otp_token, otp_code=totp.now()))
         self.assertRC(response, 200)
-        self.assertJE(response, 'mfa_setup_required', False)
+        self.assertJE(response, 'user.mfa_setup_required', False)
 
     # --- email backend ---
 
     @override_settings(PFX_MFA_BACKENDS=['email'])
     def test_login_email_backend_sends_challenge(self):
         """Login with email backend: sends email and returns is_oob=True."""
-        self.user1.email_enabled = True
+        self.user1.mfa_email_enabled = True
         self.user1.otp_secret_token = pyotp.random_base32()
         self.user1.save()
         response = self.do_login()
@@ -1516,7 +1517,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     def test_login_email_backend_generates_token_if_missing(self):
         """Login with email backend auto-generates
            otp_secret_token if absent."""
-        self.user1.email_enabled = True
+        self.user1.mfa_email_enabled = True
         self.user1.save()
         self.assertIsNone(self.user1.otp_secret_token)
         response = self.do_login()
@@ -1532,7 +1533,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     def test_login_sms_backend_calls_send_sms(self):
         """Login with SMS backend: calls send_mfa_sms_challenge,
            returns is_oob=True."""
-        self.user1.sms_enabled = True
+        self.user1.mfa_sms_enabled = True
         self.user1.otp_secret_token = pyotp.random_base32()
         self.user1.save()
         with patch(
@@ -1551,7 +1552,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     def test_login_forced_mfa_fallback_to_email(self):
         """MFA forced with no backend configured:
            falls back to email challenge."""
-        # No otp_secret_token, sms_enabled=False, email_enabled=False
+        # No otp_secret_token, mfa_sms_enabled=False, mfa_email_enabled=False
         response = self.do_login()
         self.assertRC(response, 200)
         self.assertJE(response, 'need_otp', True)
@@ -1573,7 +1574,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     @override_settings(PFX_MFA_BACKENDS=['authenticator', 'email'])
     def test_mfa_challenge_email_success(self):
         """POST /auth/mfa/challenge with email sends a new code."""
-        self.user1.email_enabled = True
+        self.user1.mfa_email_enabled = True
         self.user1.otp_secret_token = pyotp.random_base32()
         self.user1.save()
         otp_token = self._get_otp_token()
@@ -1590,7 +1591,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
         """POST /auth/mfa/challenge: email allowed even without
            email_enabled when MFA forced."""
         otp_token = self._get_otp_token()
-        # user1 has email_enabled=False,
+        # user1 has mfa_email_enabled=False,
         # but PFX_MFA_FORCE=True => forced_email is True
         response = self.client.post('/api/auth/mfa/challenge', {
             'token': otp_token,
@@ -1641,7 +1642,7 @@ class MFALoginTest(TestAssertMixin, TransactionTestCase):
     @override_settings(PFX_MFA_BACKENDS=['sms'])
     def test_mfa_challenge_sms_success(self):
         """POST /auth/mfa/challenge with sms calls send_mfa_sms_challenge."""
-        self.user1.sms_enabled = True
+        self.user1.mfa_sms_enabled = True
         self.user1.otp_secret_token = pyotp.random_base32()
         self.user1.save()
         sms_path = (