navigator-auth 0.17.2__tar.gz → 0.17.3__tar.gz

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: navigator-auth
-Version: 0.17.2
+Version: 0.17.3
 Summary: Navigator Auth is an Authentication/Authorization Toolkit for aiohttp.
 Author-email: Jesus Lara Gimenez <jesuslarag@gmail.com>
 License-Expression: Apache-2.0

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/auth.py

@@ -700,7 +700,6 @@ class AuthHandler:
         # avoid authorization backend on OPTION method:
         if request.method == hdrs.METH_OPTIONS:
             return True
-
         # Check for explicit exclude list matches
         for pattern in exclude_list:
             if fnmatch.fnmatch(request.path, pattern):
@@ -749,19 +748,19 @@ class AuthHandler:
         """
         if await self.verify_exceptions(request):
             return await handler(request)
-        logging.debug(":: AUTH MIDDLEWARE ::")
+        self.logger.debug(":: AUTH MIDDLEWARE ::")
         try:
             token = await self._idp.get_payload(request)
             _, payload = self._idp.decode_token(code=token)
         except Forbidden as err:
-            logging.error(
+            self.logger.error(
                 f"Auth Middleware: Access Denied: {err}"
             )
             raise self.Unauthorized(
                 reason=err.message
             ) from err
         except AuthExpired as err:
-            logging.error(
+            self.logger.error(
                 f"Auth Middleware: Credentials expired: {err}"
             )
             raise self.Unauthorized(
@@ -778,7 +777,7 @@ class AuthHandler:
                 try:
                     session = await get_session(request, payload, new=False)
                 except Exception as err:
-                    logging.error(str(err))
+                    self.logger.error(str(err))
                 if not session and AUTH_CREDENTIALS_REQUIRED is True:
                     raise self.Unauthorized(
                         reason="There is no Session or Authentication is missing"
@@ -787,7 +786,7 @@ class AuthHandler:
                     request.user = await self.get_session_user(session)
                     request["authenticated"] = True
                 except Exception as ex:  # pylint: disable=W0703
-                    logging.error(f"Missing User Object from Session: {ex}")
+                    self.logger.error(f"Missing User Object from Session: {ex}")
             elif self.secure_cookies is True:
                 session = await get_session(request, None, new=False)
                 if not session and AUTH_CREDENTIALS_REQUIRED is True:

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/backends/api.py

@@ -3,6 +3,7 @@
 Navigator Authentication using an API Token.
 description: Single API Token Authentication
 """
+from aiohttp import hdrs
 from collections.abc import Callable, Awaitable
 import orjson
 from aiohttp import web
@@ -223,6 +224,9 @@ class APIKeyAuth(BaseAuthBackend):
     ) -> web.StreamResponse:
         request.user = None
         # avoid check system routes
+        # avoid authorization backend on OPTION method:
+        if request.method == hdrs.METH_OPTIONS:
+            return await handler(request)
         if await self.verify_exceptions(request):
             return await handler(request)
         try:

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/backends/django.py

@@ -4,6 +4,7 @@ Navigator Authentication using Django Session Backend
 description: read the Django session from Redis Backend
 and decrypt, after that, a session will be created.
 """
+from aiohttp import hdrs
 import base64
 import logging
 from collections.abc import Callable, Awaitable
@@ -226,6 +227,9 @@ class DjangoAuth(BaseAuthBackend):
         Basic Auth Middleware.
         Description: Basic Authentication for NoAuth, Basic, Token and Django.
         """
+        # avoid authorization backend on OPTION method:
+        if request.method == hdrs.METH_OPTIONS:
+            return await handler(request)
         # avoid check system routes
         if await self.verify_exceptions(request):
             return await handler(request)

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/backends/token.py

@@ -3,6 +3,7 @@
 Navigator Authentication using an API Token for partners.
 description: Single API Token Authentication
 """
+from aiohttp import hdrs
 from collections.abc import Callable, Awaitable
 import jwt
 from aiohttp import web
@@ -177,6 +178,9 @@ class TokenAuth(BaseAuthBackend):
         Token Auth Middleware.
         Description: Token Middleware.
         """
+        # avoid authorization backend on OPTION method:
+        if request.method == hdrs.METH_OPTIONS:
+            return await handler(request)
         # avoid check system routes
         if await self.verify_exceptions(request):
             return await handler(request)

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/backends/troc.py

@@ -2,6 +2,7 @@
 
 Troc Authentication using RNC algorithm.
 """
+from aiohttp import hdrs
 from typing import Optional
 from collections.abc import Awaitable, Callable
 from aiohttp import web
@@ -220,6 +221,9 @@ class TrocToken(BaseAuthBackend):
         Partner Auth Middleware.
         Description: Basic Authentication for Partner Token Auth.
         """
+        # avoid authorization backend on OPTION method:
+        if request.method == hdrs.METH_OPTIONS:
+            return await handler(request)
         # avoid check system routes
         if await self.verify_exceptions(request):
             return await handler(request)

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/decorators.py

@@ -1,12 +1,12 @@
 from functools import wraps
 import inspect
-from typing import Any, TypeVar, Union
+from typing import Any, TypeVar
 from collections.abc import Callable, Awaitable
 from aiohttp import web, hdrs
 from aiohttp.abc import AbstractView
 from navigator_session import get_session
 from .exceptions import AuthException
-from .conf import AUTH_SESSION_OBJECT, exclude_list
+from .conf import AUTH_SESSION_OBJECT
 
 
 F = TypeVar("F", bound=Callable[..., Any])
@@ -45,7 +45,7 @@ def allow_anonymous(handler: F) -> F:
     is not required for this endpoint.
 
     Args:
-        func: The handler function or class-based view to decorate.
+        handler: The handler function or class-based view to decorate.
 
     Returns:
         Callable: The decorated handler that allows anonymous access.
@@ -77,6 +77,9 @@ def user_session() -> Callable[[F], F]:
         @wraps(handler)
         async def _wrap(*args, **kwargs) -> web.StreamResponse:
             request = args[0] if isinstance(args[0], web.Request) else args[-1]
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             session = await get_session(request, new=False)
             try:
                 user = session.decode("user")
@@ -95,6 +98,9 @@ def user_session() -> Callable[[F], F]:
         @wraps(method)
         async def wrapped_method(self, *args, **kwargs):
             request = self.request
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
             session = await get_session(request, new=False)
             try:
                 user = session.decode("user")
@@ -138,6 +144,9 @@ def is_authenticated(content_type: str = "application/json") -> Callable[[F], F]
             request = args[-1]
             if request is None or not isinstance(request, web.Request):
                 raise ValueError(f"web.Request was not found in arguments. {handler!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             if request.get("authenticated", False):
                 return await handler(*args, **kwargs)
             else:
@@ -167,6 +176,9 @@ def is_authenticated(content_type: str = "application/json") -> Callable[[F], F]
         @wraps(method)
         async def wrapped_method(self, *args, **kwargs):
             request = self.request
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
             if request.get("authenticated", False):
                 return await method(self, *args, **kwargs)
             app = request.app
@@ -209,6 +221,9 @@ def allowed_groups(groups: list, content_type: str = "application/json") -> Call
                 raise ValueError(
                     f"web.Request was not found in arguments. {handler!s}"
                 )
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             if request.get("authenticated", False) is False:
                 # check credentials:
                 raise web.HTTPUnauthorized(
@@ -261,6 +276,9 @@ def allowed_programs(
             request = args[-1]
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {handler!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             if not request.get("authenticated", False):
                 raise web.HTTPUnauthorized(
                     reason=f"Access Denied to Handler {handler!s}",
@@ -296,6 +314,9 @@ def allowed_programs(
             request = self.request
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {method!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
             if not request.get("authenticated", False):
                 raise web.HTTPUnauthorized(
                     reason=f"Access Denied to Handler {method!s}",
@@ -350,6 +371,9 @@ def apikey_required(content_type: str = "application/json") -> Callable:
             request = args[-1]
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {handler!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             app = request.app
             try:
                 auth = app["auth"]
@@ -390,6 +414,9 @@ def apikey_required(content_type: str = "application/json") -> Callable:
             request = self.request
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {method!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
             app = request.app
             try:
                 auth = app["auth"]
@@ -450,6 +477,9 @@ def allowed_organizations(
             request = args[-1]
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {handler!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
             if not request.get("authenticated", False):
                 raise web.HTTPUnauthorized(
                     reason=f"Access Denied to Handler {handler!s}",
@@ -481,6 +511,9 @@ def allowed_organizations(
             request = self.request
             if request is None:
                 raise ValueError(f"web.Request was not found in arguments. {method!s}")
+            # avoid check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
             if not request.get("authenticated", False):
                 raise web.HTTPUnauthorized(
                     reason=f"Access Denied to Handler {method!s}",
@@ -517,3 +550,160 @@ def allowed_organizations(
             return _wrap_function(handler)
 
     return _wrapper
+
+
+def is_restricted(
+    users: list = None, groups: list = None, content_type: str = "application/json"
+) -> Callable:
+    """
+    Restrict access to specific Users or Groups.
+    Logic:
+      - If 'users' is provided, current user MUST be in the list.
+      - If 'groups' is provided, current user MUST have at least one group in the list.
+      - If both are provided, BOTH conditions must be met (Intersection).
+    """
+    def _wrap_function(handler):
+        @wraps(handler)
+        async def _wrapped(*args, **kwargs) -> web.StreamResponse:
+            # For function-based handlers, assume request is the last argument.
+            request = args[-1]
+            if request is None:
+                raise ValueError(f"web.Request was not found in arguments. {handler!s}")
+            # check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await handler(*args, **kwargs)
+            if not request.get("authenticated", False):
+                raise web.HTTPUnauthorized(
+                    reason=f"Access Denied to Handler {handler!s}",
+                    headers={
+                        hdrs.CONTENT_TYPE: content_type,
+                        hdrs.CONNECTION: "keep-alive",
+                    },
+                )
+            # 1. Get Session
+            session = await get_session(request)
+            # 2. Extract User Info
+            username = None
+            user_groups = set()
+            try:
+                # Try getting from cached session dict
+                userinfo = session[AUTH_SESSION_OBJECT]
+                username = userinfo.get("username")
+                if "groups" in userinfo:
+                    user_groups = set(userinfo["groups"])
+            except KeyError:
+                # Fallback to decoding the User object
+                try:
+                    user = session.decode("user")
+                    username = getattr(user, "username", None)
+                    if hasattr(user, "groups"):
+                        for g in user.groups:
+                            if hasattr(g, "group"):
+                                user_groups.add(g.group)
+                            elif hasattr(g, "group_name"):
+                                user_groups.add(g.group_name)
+                except (AttributeError, TypeError, RuntimeError):
+                    pass
+            # 3. Check Constraints
+            # User Check
+            if users is not None:
+                if not username or username not in users:
+                    raise web.HTTPUnauthorized(
+                        reason="Access Denied",
+                        headers={
+                            hdrs.CONTENT_TYPE: content_type,
+                            hdrs.CONNECTION: "keep-alive",
+                        },
+                    )
+            # Group Check
+            if groups is not None:
+                # user_groups must have intersection with allowed groups
+                if user_groups.isdisjoint(groups):
+                    raise web.HTTPUnauthorized(
+                        reason="Access Denied",
+                        headers={
+                            hdrs.CONTENT_TYPE: content_type,
+                            hdrs.CONNECTION: "keep-alive",
+                        },
+                    )
+            return await handler(*args, **kwargs)
+        return _wrapped
+
+    def _wrap_method(method):
+        @wraps(method)
+        async def _wrapped(self, *args, **kwargs) -> web.StreamResponse:
+            request = self.request
+            if request is None:
+                raise ValueError(f"web.Request was not found in arguments. {method!s}")
+            # check on OPTION method:
+            if request.method == hdrs.METH_OPTIONS:
+                return await method(self, *args, **kwargs)
+            if not request.get("authenticated", False):
+                raise web.HTTPUnauthorized(
+                    reason=f"Access Denied to Handler {method!s}",
+                    headers={
+                        hdrs.CONTENT_TYPE: content_type,
+                        hdrs.CONNECTION: "keep-alive",
+                    },
+                )
+            # 1. Get Session
+            session = await get_session(request)
+            # 2. Extract User Info
+            username = None
+            user_groups = set()
+            try:
+                # Try getting from cached session dict
+                userinfo = session[AUTH_SESSION_OBJECT]
+                username = userinfo.get("username")
+                if "groups" in userinfo:
+                    user_groups = set(userinfo["groups"])
+            except KeyError:
+                # Fallback to decoding the User object
+                try:
+                    user = session.decode("user")
+                    username = getattr(user, "username", None)
+                    if hasattr(user, "groups"):
+                        for g in user.groups:
+                            if hasattr(g, "group"):
+                                user_groups.add(g.group)
+                            elif hasattr(g, "group_name"):
+                                user_groups.add(g.group_name)
+                except (AttributeError, TypeError, RuntimeError):
+                    pass
+            # 3. Check Constraints
+            # User Check
+            if users is not None:
+                if not username or username not in users:
+                    raise web.HTTPUnauthorized(
+                        reason="Access Denied",
+                        headers={
+                            hdrs.CONTENT_TYPE: content_type,
+                            hdrs.CONNECTION: "keep-alive",
+                        },
+                    )
+            # Group Check
+            if groups is not None:
+                # user_groups must have intersection with allowed groups
+                if user_groups.isdisjoint(groups):
+                    raise web.HTTPUnauthorized(
+                        reason="Access Denied",
+                        headers={
+                            hdrs.CONTENT_TYPE: content_type,
+                            hdrs.CONNECTION: "keep-alive",
+                        },
+                    )
+            return await method(self, *args, **kwargs)
+        return _wrapped
+
+    def _wrapper(handler: F):
+        # If the handler is a class-based view (subclass of AbstractView), wrap each HTTP method.
+        if inspect.isclass(handler) and issubclass(handler, AbstractView):
+            for method_name in hdrs.METH_ALL:
+                method = getattr(handler, method_name.lower(), None)
+                if method is not None and callable(method):
+                    setattr(handler, method_name.lower(), _wrap_method(method))
+            return handler
+        else:
+            return _wrap_function(handler)
+
+    return _wrapper

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/handlers/recovery.py

@@ -1,9 +1,11 @@
 from datetime import datetime
 import secrets
+import asyncio
 import logging
 import importlib
 from typing import Optional
 from aiohttp import web
+from aiohttp_cors import CorsViewMixin
 try:
     import redis.asyncio as redis
 except ImportError:
@@ -11,13 +13,9 @@ except ImportError:
 from navconfig import config
 from navigator_auth.conf import (
     REDIS_URL,
-    AUTH_USER_MODEL,
-    AUTH_PWD_DIGEST,
-    AUTH_PWD_ALGORITHM,
-    AUTH_PWD_LENGTH
+    AUTH_USER_MODEL
 )
 from navigator_auth.libs.json import json_decoder
-from navigator_auth.exceptions import UserNotFound
 from navigator_auth.responses import JSONResponse
 
 class RecoveryTokenStorage:
@@ -47,7 +45,7 @@ class RecoveryTokenStorage:
         key = f"{self.prefix}{token}"
         await self.redis.delete(key)
 
-class ForgotPasswordHandler(web.View):
+class ForgotPasswordHandler(web.View, CorsViewMixin):
     async def post(self):
         data = await self.request.json()
         email = data.get('email')
@@ -104,9 +102,8 @@ class ForgotPasswordHandler(web.View):
             logging.exception(f"Error in ForgotPasswordHandler: {e}")
             return web.HTTPInternalServerError(reason="Internal Server Error")
 
-import asyncio
 
-class ResetPasswordHandler(web.View):
+class ResetPasswordHandler(web.View, CorsViewMixin):
     async def post(self):
         data = await self.request.json()
         token = data.get('token')

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth/version.py

@@ -7,7 +7,7 @@ __title__ = "navigator_auth"
 __description__ = (
     "Navigator Auth is an Authentication/Authorization Toolkit for aiohttp."
 )
-__version__ = "0.17.2"  # pragma: no cover
+__version__ = "0.17.3"  # pragma: no cover
 __author__ = "Jesus Lara"
 __author_email__ = "jesuslarag@gmail.com"
 __copyright__ = "Copyright (c) 2019-2025 Jesus Lara"

{navigator_auth-0.17.2 → navigator_auth-0.17.3}/navigator_auth.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: navigator-auth
-Version: 0.17.2
+Version: 0.17.3
 Summary: Navigator Auth is an Authentication/Authorization Toolkit for aiohttp.
 Author-email: Jesus Lara Gimenez <jesuslarag@gmail.com>
 License-Expression: Apache-2.0