PyPI - plain.auth - Versions diffs - 0.17.0__tar.gz → 0.19.0__tar.gz - Mend

plain.auth 0.17.0tar.gz → 0.19.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

{plain_auth-0.17.0 → plain_auth-0.19.0}/.gitignore RENAMED Viewed

@@ -11,9 +11,8 @@ plain*/tests/.plain
 # Ottobot
 .aider*
-/llms-full.txt
 # Plain temp dirs
 .plain
 .vscode
+/.claude

{plain_auth-0.17.0 → plain_auth-0.19.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain.auth
-Version: 0.17.0
+Version: 0.19.0
 Summary: Add users to your app and decide what they can access.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain_auth-0.17.0 → plain_auth-0.19.0}/plain/auth/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,25 @@
 # plain-auth changelog
+## [0.19.0](https://github.com/dropseed/plain/releases/plain-auth@0.19.0) (2025-09-30)
+### What's changed
+- Updated imports to use the renamed `Request` class instead of `HttpRequest` ([cd46ff2](https://github.com/dropseed/plain/commit/cd46ff2003))
+### Upgrade instructions
+- Replace any imports of `HttpRequest` from `plain.http.request` with `Request` (e.g., `from plain.http.request import HttpRequest` becomes `from plain.http.request import Request`)
+## [0.18.0](https://github.com/dropseed/plain/releases/plain-auth@0.18.0) (2025-09-19)
+### What's changed
+- Removed deprecated `constant_time_compare` utility function, replaced with Python's built-in `hmac.compare_digest()` for improved security in session management ([55f3f55](https://github.com/dropseed/plain/commit/55f3f5596d))
+### Upgrade instructions
+- No changes required
 ## [0.17.0](https://github.com/dropseed/plain/releases/plain-auth@0.17.0) (2025-09-12)
 ### What's changed

{plain_auth-0.17.0 → plain_auth-0.19.0}/plain/auth/sessions.py RENAMED Viewed

@@ -1,7 +1,10 @@
+import hmac
 from plain.exceptions import ImproperlyConfigured
 from plain.models import models_registry
 from plain.runtime import settings
-from plain.utils.crypto import constant_time_compare, salted_hmac
+from plain.utils.crypto import salted_hmac
+from plain.utils.encoding import force_bytes
 USER_ID_SESSION_KEY = "_auth_user_id"
 USER_HASH_SESSION_KEY = "_auth_user_hash"
@@ -60,8 +63,9 @@ def login(request, user):
             # session if the existing session corresponds to a different
             # authenticated user.
             request.session.flush()
-        elif session_auth_hash and not constant_time_compare(
-            request.session.get(USER_HASH_SESSION_KEY, ""), session_auth_hash
+        elif session_auth_hash and not hmac.compare_digest(
+            force_bytes(request.session.get(USER_HASH_SESSION_KEY, "")),
+            force_bytes(session_auth_hash),
         ):
             # If the session hash does not match the current hash, reset the
             # session. Most likely this means the password was changed.
@@ -131,15 +135,17 @@ def get_user(request):
             session_hash_verified = False
         else:
             session_auth_hash = get_session_auth_hash(user)
-            session_hash_verified = constant_time_compare(
-                session_hash, session_auth_hash
+            session_hash_verified = hmac.compare_digest(
+                force_bytes(session_hash), force_bytes(session_auth_hash)
             )
         if not session_hash_verified:
             # If the current secret does not verify the session, try
             # with the fallback secrets and stop when a matching one is
             # found.
             if session_hash and any(
-                constant_time_compare(session_hash, fallback_auth_hash)
+                hmac.compare_digest(
+                    force_bytes(session_hash), force_bytes(fallback_auth_hash)
+                )
                 for fallback_auth_hash in get_session_auth_fallback_hash(user)
             ):
                 request.session.cycle_key()

{plain_auth-0.17.0 → plain_auth-0.19.0}/plain/auth/test.py RENAMED Viewed

@@ -1,6 +1,6 @@
 from http.cookies import SimpleCookie
-from plain.http.request import HttpRequest
+from plain.http.request import Request
 from plain.runtime import settings
 from plain.sessions import SessionStore
@@ -9,7 +9,7 @@ from .sessions import get_user, login, logout
 def login_client(client, user):
     """Log a user into a test client."""
-    request = HttpRequest()
+    request = Request()
     if client.session:
         request.session = client.session
     else:
@@ -30,7 +30,7 @@ def login_client(client, user):
 def logout_client(client):
     """Log out a user from a test client."""
-    request = HttpRequest()
+    request = Request()
     if client.session:
         request.session = client.session
         request.user = get_user(request)

{plain_auth-0.17.0 → plain_auth-0.19.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "plain.auth"
-version = "0.17.0"
+version = "0.19.0"
 description = "Add users to your app and decide what they can access."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"