ppss-auth 0.11.1.1__tar.gz → 0.12.0.0__tar.gz

{ppss_auth-0.11.1.1/ppss_auth.egg-info → ppss_auth-0.12.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: ppss_auth
-Version: 0.11.1.1
+Version: 0.12.0.0
 Summary: simple auth scheme for pyramid, based on Mako template and sqlalchemy backend
 Home-page: https://bitbucket.org/pingpongstars/ppss_auth/src/master/
 Author: pdepmcp
@@ -23,6 +23,8 @@ Requires-Dist: alembic
 Requires-Dist: cryptography
 Requires-Dist: pyotp
 Requires-Dist: qrcode
+Requires-Dist: Pillow
+Requires-Dist: requests
 
 This package aims to give and easy pluggable module to provide authentication and user maintennance in a Pyramid web application.
 It relies the Pyramid+SQLAlchemy+Mako stack. Implementation for other template languages is on the roadmap.

{ppss_auth-0.11.1.1 → ppss_auth-0.12.0.0}/changelog.txt

@@ -1,3 +1,10 @@
+## v0.12
+- recover password
+- session time limit
+- salt and pepper for password hashing
+- change email
+- BO user page UX and UI
+
 ## v0.11.1.1
 - fix js groups edit page
 

{ppss_auth-0.11.1.1 → ppss_auth-0.12.0.0}/ppss_auth/__init__.py

@@ -1,6 +1,6 @@
 
 
-#from views.auth import ppssauthpolicy,ACLRoot,getPrincipals
+from ppss_auth.ppss_auth_utils.usersession import UserSession
 from sqlalchemy import engine_from_config
 from sqlalchemy.orm import sessionmaker
 import transaction
@@ -12,10 +12,11 @@ from pyramid.authorization import ACLAuthorizationPolicy
 from pyramid.authentication import SessionAuthenticationPolicy
 from pyramid.threadlocal import get_current_request
 from .constants import Conf
-from .models import initdb,PPSsuser
+from .models import PPSsuser
+
 from .routes import configRoutes
 from .ppss_auth_utils.db import checkDBRevision
-
+from .ppss_auth_utils.createdb import initdb
 import logging
 l = logging.getLogger('ppssauth')
 
@@ -48,21 +49,21 @@ def initAuthDb(settings):
 
 def getLoggedUser(request,addinsession=False):
     uid = request.session[Conf.sessionuser]['id'] if Conf.sessionuser in request.session else False
-    user = request.session[Conf.sessionuser]['user'] if Conf.sessionuser in request.session else False
+    user = request.session[Conf.sessionuser].get('user',False) if Conf.sessionuser in request.session else False
     if user:
         if addinsession:
             request.dbsession.add(user)
         return user
     else:
         return None
-    #l.warn("*****getting logged user for {}".format(uid))
-    if uid:
-        user = PPSsuser.byId(uid,request.dbsession)
-        return user
-    else:
-        pass
-        #l.warn("**** session is:{}.\nI was looking for this key:{} -> {}".format(request.session,Conf.sessionuser,request.session.get(Conf.sessionuser,None)))
-    return None
+
+
+def getUserSession(request):
+    if not hasattr(request,'ppss_usersession'):       
+        user = request.loggeduser
+        usersession = UserSession(user,request)
+        request.ppss_usersession = usersession
+    return request.ppss_usersession
     
 
 def add_renderer_globals(event):
@@ -109,6 +110,7 @@ def includeme(config):
     settings = config.get_settings()
     Conf.setup(settings)
     config.add_request_method(getLoggedUser,'loggeduser',reify=True)
+    config.add_request_method(getUserSession,'usersession',reify=True)
     
     config.add_translation_dirs('ppss_auth:locale/')
 
@@ -125,7 +127,7 @@ def includeme(config):
     from .views.auth import getPrincipals,ACLRoot
     authz_policy = ACLAuthorizationPolicy()
     config.set_authentication_policy(SessionAuthenticationPolicy(callback=getPrincipals) )
-    config.set_authorization_policy(ACLAuthorizationPolicy())
+    config.set_authorization_policy(authz_policy)
     config.set_root_factory(ACLRoot)
     config.scan("ppss_auth")
     pass

ppss_auth-0.12.0.0/ppss_auth/alembic/versions/20260109_000ec266dd6e_add_salt.py

@@ -0,0 +1,32 @@
+"""add salt
+
+Revision ID: 000ec266dd6e
+Revises: 483944c8ff05
+Create Date: 2026-01-09 12:17:03.593447
+
+"""
+import secrets
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+from sqlalchemy import table, column
+
+# revision identifiers, used by Alembic.
+revision = '000ec266dd6e'
+down_revision = '483944c8ff05'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('ppss_user', sa.Column('salt', sa.Unicode(length=64), nullable=True))    
+    op.create_unique_constraint(op.f('uq_ppss_user_salt'), 'ppss_user', ['salt'])
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint(op.f('uq_ppss_user_salt'), 'ppss_user', type_='unique')
+    op.drop_column('ppss_user', 'salt')
+    # ### end Alembic commands ###

{ppss_auth-0.11.1.1 → ppss_auth-0.12.0.0}/ppss_auth/constants.py

@@ -15,11 +15,11 @@ else:
             return False
         return hasattr(v, '__iter__')
 
-def getBT(version = 4):
-    v4 = version == 4
-    return {
-        'xs': 'col-' if v4 else 'col-xs-'
-    }
+# def getBT(version = 4):
+#     v4 = version == 4
+#     return {
+#         'xs': 'col-' if v4 else 'col-xs-'
+#     }
 
 class Conf():
 
@@ -46,6 +46,35 @@ class Conf():
                 raise e
             else:
                 return default
+            
+
+    @staticmethod
+    def getTimeSpan(confval):
+        try:            
+            if isinstance(confval, int):
+                return datetime.timedelta(seconds=confval)
+            elif isinstance(confval, str):
+                if confval.endswith('h'):
+                    confval = confval[:-1]
+                    confval = int(confval) * 3600
+                elif confval.endswith('m'):
+                    confval = confval[:-1]
+                    confval = int(confval) * 60
+                elif confval.endswith('s'):
+                    confval = confval[:-1]
+                    confval = int(confval)
+                confval = int(confval)
+                return datetime.timedelta(seconds=confval)
+            else:
+                raise ValueError("Invalid timespan value:{}".format(confval))
+        except Exception as e:
+            l.exception(u"Exception parsing timespan value:{}".format(confval))
+            raise e
+        
+
+    @classmethod
+    def is2faConfigured(cls):
+        return cls.issuer2fa
 
     @classmethod
     def setup(cls, settings):
@@ -68,7 +97,6 @@ class Conf():
         cls.activationemail = settings.get("ppss_auth.register_requireactivation", "true").lower() != "false"
 
         cls.newusergroups = [x for x in map(str.strip, ( settings.get("ppss_auth.newusergroups", '' ).split(",") ) ) if x  ] if settings.get("ppss_auth.newusergroups", '' ) else ['signeduser']
-        cls.saltforhash = settings.get("ppss_auth.salt", "ImTheSaltOfThisLife")
 
         cls.forbiddentologin = settings.get("ppss_auth.forbidden_to_login", "true").lower() == 'true'
 
@@ -80,8 +108,14 @@ class Conf():
         cls.passwordminlen = int(settings.get("ppss_auth.password_min_len",12))
         cls.passwordrelist = Conf.conf2list( settings.get("ppss_auth.password_relist",["[A-Z]+","[a-z]+","[0-9]+","[!,\.\?\\/;:_\-+*@\£\$\%\&\(\)\"\'=\^àèìòùé\#§°ç{}]+",".{{{len},}}".format(len=cls.passwordminlen)]) )
         cls.forbiddenpasswordlist = settings.get("ppss_auth.forbidden_password_list","")
+        ##TODO:
+        ##add salt, pepper e session TTL
+        cls.sessionmaxttl = Conf.getTimeSpan(settings.get("ppss_auth.session_max_ttl","15m")  )
+        cls.pepperforhash = settings.get("ppss_auth.pepper","")
+
+        
         #cls.passwordwrongmessage = f'La nuova password deve essere differente dalle precedenti {cls.passwordpreviousdifferent} e avere almeno 12 caratteri, una maiuscola, una minuscola, un numero e un carattere fra "!,.?\\/;:_-+*".'
-        cls.passwordwrongmessage = f'The new password must be different from the previous {cls.passwordpreviousdifferent} and should contain at least {cls.passwordminlen} chars, cotaining at least 1 upper case, 1 lower case, 1 number and a special char among these "!,.?\\/;:_-+*".'
+        cls.passwordwrongmessage = f'The new password must be different from the previous {cls.passwordpreviousdifferent} and should contain at least {cls.passwordminlen} chars, containing at least 1 upper case, 1 lower case, 1 number and a special char among these "!,.?\\/;:_-+*".'
         cls.passwordexpiredmessage = 'Password expired. Please change it.'
         cls.passwordexpire =  int(settings.get("ppss_auth.password_expire",0)  )
 
@@ -111,12 +145,14 @@ class Conf():
 
         cls.botemplateinherit = settings.get("ppss_auth.botemplateinherit", cls.tplpath("public", True) )
         
+        cls.splashtemplate = settings.get("ppss_auth.splashtemplate", cls.tplpath("splash") )
+        
 
         #bo template inheritance
         cls.mastertemplateinherit = settings.get("ppss_auth.mastertemplateinherit", cls.tplpath("masterlayout", True) )
         cls.sectiontemplateinherit = settings.get("ppss_auth.sectiontemplateinherit", cls.tplpath("midlayout", True) )
 
-        cls.bootstrapClasses = getBT(int(settings.get("ppss_auth.bootstrapversion",4)))
+        # cls.bootstrapClasses = getBT(int(settings.get("ppss_auth.bootstrapversion",4)))
 
         cls.testurl = settings.get("ppss_auth.testurl", "/test")
 
@@ -160,3 +196,8 @@ class Conf():
         cls.issuer2fa = settings.get("ppss_auth.issuer2fa", None)
         cls.enable2fatpl = settings.get("ppss_auth.enable2fatpl", cls.tplpath('enable2fa'))
         cls.verify2fatpl = settings.get("ppss_auth.verify2fatpl", cls.tplpath('verify2fa'))
+        cls.edit2fatpl = settings.get("ppss_auth.edit2fatpl", cls.tplpath('edit2fa'))
+        cls.hoursvalid2fa = int(settings.get("ppss_auth.hoursvalid2fa", 24))
+        # turnstile captcha
+        cls.turnstile_sitekey = settings.get("ppss_auth.turnstile_sitekey", None)
+        cls.turnstile_secretkey = settings.get("ppss_auth.turnstile_secretkey", None)

{ppss_auth-0.11.1.1 → ppss_auth-0.12.0.0}/ppss_auth/models.py

@@ -1,7 +1,6 @@
-from enum import unique
+import secrets
 import sys
 
-import pyotp
 PY2 = sys.version_info[0] == 2
 if not PY2:
     unicode = str
@@ -31,9 +30,10 @@ NAMING_CONVENTION = {
     "pk": "pk_%(table_name)s"
 }
 
-import logging,uuid
+import logging
 
 from sqlalchemy.orm import joinedload
+from pyramid.request import Request
 
 metadata = MetaData(naming_convention=NAMING_CONVENTION)
 Base = declarative_base(metadata=metadata)
@@ -45,128 +45,6 @@ from .ppss_auth_utils.password import getPasswordDigest
 l = logging.getLogger('ppssauth.models')
 
 
-class constants():
-    SYSADMINPERM = "sysadmin"
-    SYSADMINGROUP = "sysadmin"
-
-def __createPermissions(session,permissions):
-    permmap = {}
-    for p in permissions:
-        perm = session.query(PPSspermission).filter(PPSspermission.name == p['name']).first()
-        if not perm:
-            perm = PPSspermission(name = p['name'])
-            session.add(perm)
-            l.info("permission '{}' added to session".format(p['name']))
-        perm.permtype = p['permtype'] if 'permtype' in p else 0
-        permmap[p['name'] ] = perm
-    return permmap
-
-def __createGroups(session,groups,permissions):
-    groupmap = {}
-    for g in groups:
-        g = g.split("=")
-        gname = str.strip(g[0])
-        if len(g) == 2:
-            permlist = map(str.strip,g[1].split(","))
-        else:
-            permlist = []
-        group = session.query(PPSsgroup).filter(PPSsgroup.name == gname).first()
-        if not group:
-            group = PPSsgroup(name = gname)
-            session.add(group)
-            l.info("group '{}' added to session".format(gname))
-        groupmap[gname] = group
-        for p in permlist:
-            if not group.hasPermission(p):
-                if p in permissions:
-                    perm = permissions[p]
-                else:
-                    perm = PPSspermission(name = p,permtype = 0)
-                    session.add(perm)
-                    permissions[p] = perm
-                    l.info("new permission '{}' created for group '{}'".format(p,gname))
-                group.permissions.append(perm)
-    return groupmap
-
-def __createUsers(session,users,groups,defaultpassword = None):
-    usermap = {}
-    for u in users:
-        u = u.split("=")
-        uname = u[0].split("/")
-        upassword = None
-        if len(uname)==2:
-            upassword = uname[1].strip()
-        else: 
-            upassword = Conf.defaultpassword
-        uname = uname[0].strip()
-        if len(u)==2:
-            grouplist = map(str.strip,u[1].split(","))
-        else:
-            grouplist = []
-        user = session.query(PPSsuser).filter(PPSsuser.username == uname).first()
-        if not user:
-            user = PPSsuser(username = uname)
-            if upassword:
-                user.setPassword(upassword)
-            elif defaultpassword:
-                user.setPassword(defaultpassword)
-            session.add(user)
-            l.info("user '{}' added to session".format(uname))
-        usermap[uname] = user
-        for g in grouplist:
-            if not user.isInGroup(g,False):
-                if g in groups:
-                    group = groups[g]
-                else:
-                    group = session.query(PPSsgroup).filter(PPSsgroup.name == g).first()
-                    if group is None:
-                        group = PPSsgroup(name = g)
-                        session.add(group)
-                    else:
-                        groups[g] = group
-                    l.info("new group '{}' created for user '{}'".format(g,uname))
-                user.groups.append(group)
-    return usermap
-
-
-##the caller must commit this
-def initdb(session=None,createdefault=False,engine = None):
-    if engine is None:
-        engine = session.get_bind()
-    try:
-        PPSsuser.all(session)
-    except:
-        raise Exception("no user table. exiting!")
-    if createdefault:
-        l.info("creating default")
-        systemperms = [#PPSspermission(name = u"admin"),
-                {"name": u"edituser","permtype": 1},
-                {"name": u"listuser","permtype": 1},
-                {"name": u"login"   ,"permtype": 1},
-                {"name": constants.SYSADMINPERM,"permtype": 1},
-        ]
-        permissions = [{'name':p,'permtype':1} for p in Conf.perm2create]
-        for sp in systemperms:
-            permissions.append(sp)
-
-        permissionmap = __createPermissions(session,permissions)
-        l.debug("permission map:{}".format(permissionmap))
-        groupmap = __createGroups(session, Conf.group2create + 
-            [
-                "useradmin=edituser,listuser,login",
-                "signeduser=login",
-                "{}={}".format(constants.SYSADMINGROUP,constants.SYSADMINPERM)
-            ] 
-            , permissionmap)
-        l.debug("group map:{}".format(groupmap))
-        if Conf.adminname:
-            root = __createUsers(session,[Conf.adminname+"="+constants.SYSADMINGROUP],groupmap,Conf.adminpass if Conf.adminpass else None)
-        usermap = __createUsers(session, Conf.user2create, groupmap )
-        l.debug("user map:{}".format(usermap))
-        return 0
-    
-    return 0
-
 ppssuserlkppssgroup = Table('ppssuser_lk_ppssgroup', Base.metadata,
     Column('user_id',Integer,ForeignKey('ppss_user.id', ondelete="CASCADE"), primary_key=True),
     Column('group_id',Integer,ForeignKey('ppss_group.id', ondelete="CASCADE"), primary_key=True )
@@ -223,6 +101,16 @@ class commonTable():
     def firstByField(cls,field,value,DBSession):
         return DBSession.query(cls).filter(getattr(cls, field)==value).first()
 
+class LOGINREASON():
+    OTPSKIPPED = (3,"OTP not required")
+    OTPPASSED = (2,"OTP Ok")
+    OK = (1,"Ok")
+    VALIDATIONERROR = (0,"invalid password")
+    BLOCKED = (-1,"too many recent fails")
+    DISABLED = (-2,"user disabled")
+    DONTEXIST = (-3,"user does not exist")
+    OTPERROR = (-4,"OTP error")
+
 class LoginError():
     def __init__(self,validlogin,enabled,failcount):
         self.validlogin = validlogin
@@ -230,25 +118,39 @@ class LoginError():
         self.failcount = failcount
 
     def __bool__(self):
-        #return self.validlogin and self.enabled and self.failcount
+        # return self.validlogin and self.enabled and self.failcount
         return self.result() == 1
     
+    def __result(self):
+        if self.enabled is None:
+            return LOGINREASON.DONTEXIST
+        if not self.enabled:
+            return LOGINREASON.DISABLED
+        if self.failcount:
+            return LOGINREASON.BLOCKED
+        if not self.validlogin:
+            return LOGINREASON.VALIDATIONERROR
+        return LOGINREASON.OK
+
+
     def result(self):
-        return 1 if self.failcount and self.validlogin and self.enabled else 0
+        return self.__result()[0]
+        #return 1 if self.failcount and self.validlogin and self.enabled else 0 if self.validlogin else -1 if self.failcount else -2
                 
     def blocked(self):
         return self.failcount is not None and not self.failcount
 
     def resultreason(self):
-        if self.enabled is None:
-            return "user does not exist"
-        if not self.enabled:
-            return "user disabled"
-        if not self.validlogin:
-            return "invalid password"
-        if not self.failcount:
-            return "too many recent fails"
-        return "Ok"
+        return self.__result()[1]
+        # if self.enabled is None:
+        #     return "user does not exist"
+        # if not self.enabled:
+        #     return "user disabled"
+        # if not self.validlogin:
+        #     return "invalid password"
+        # if not self.failcount:
+        #     return "too many recent fails"
+        # return "Ok"
 
     def __str__(self):
         return self.username
@@ -257,10 +159,10 @@ class PPSsuser(Base,commonTable):
     __tablename__   = 'ppss_user'
     id              = Column(Integer, primary_key=True)
     username        = Column(Unicode(128),unique=True)
-    
+
     ###EMAIL
     email           = Column(Unicode(128),unique=True)
-    
+
     password        = Column(Unicode(1024))
     insertdt        = Column(DateTime,default=datetime.now)
     updatedt        = Column(DateTime,default=datetime.now,onupdate=datetime.now)
@@ -280,67 +182,95 @@ class PPSsuser(Base,commonTable):
 
     phone_prefix = Column(Unicode(8))
     phone_number = Column(Unicode(16), unique=True)
+    
+    ### add a new field salt for password hashing with a unique salt per user
+    salt = Column(Unicode(64), unique=True )
 
     superusercache = None
     permissionscache = None
     permissionsmapcache = None
     groupmapcache = None
+    invalidusersession = False
 
     @classmethod
     def checkLogin(cls,user,password,dbsession, ipaddr = None):
-        return PPSsuser.checkCryptedLogin(user,getPasswordDigest(password),dbsession,ipaddr=ipaddr)
+        # Don't hash with salt here - the salt will be applied in checkCryptedLogin
+        # using the user-specific salt from the database
+        return PPSsuser.checkCryptedLogin(user,password,dbsession,ipaddr=ipaddr)
 
     @classmethod
     def checkCryptedLogin(cls,user,password,dbsession,ipaddr = None):
-        #.filter(cls.password==password).filter(cls.enabled==1)
+        # .filter(cls.password==password).filter(cls.enabled==1)
         res = dbsession.query(cls).filter(cls.username==user) \
             .options(joinedload('groups')) \
             .options(joinedload('groups.permissions')) \
             .all()
         if len(res)==1:
             res:PPSsuser = res[0]
-            failcountquery = dbsession.query(PPSsloginhistory).filter(PPSsloginhistory.user_id == res.id).filter(PPSsloginhistory.result==0).filter(PPSsloginhistory.insertdt > datetime.now()-timedelta(minutes=Conf.loginfailinterval))
+            # Hash the plaintext password with user's salt for comparison
+            password_with_salt = getPasswordDigest(password, salt=res.salt)
+            failcountquery = (
+                dbsession.query(PPSsloginhistory)
+                .filter(PPSsloginhistory.user_id == res.id)
+                .filter(PPSsloginhistory.result == LOGINREASON.VALIDATIONERROR[0])
+                .filter(
+                    PPSsloginhistory.insertdt
+                    > datetime.now() - timedelta(seconds=Conf.loginfailinterval)
+                )
+            )
             if ipaddr:
                 failcountquery = failcountquery.filter(PPSsloginhistory.ipaddress == ipaddr)
             failcount = failcountquery.count()            
-            valid = LoginError(res.password == password, res.enabled == 1,failcount<Conf.loginfailthreshold)
-            #res.password == password and res.enabled == 1
+            valid = LoginError(
+                res.password == password_with_salt,
+                res.enabled == 1,
+                failcount > Conf.loginfailthreshold,
+            )
+            # res.password == password and res.enabled == 1
         else:
             res = None
             valid = LoginError(None,None,None)
         return res,valid
-        #return res[0] if len(res)==1 else None
+        # return res[0] if len(res)==1 else None
 
     def passwordExpired(self,now = None):
         if now is None:
             now = datetime.now()
-        l.debug("user:{},now:{},expire:{},res:{}".format(self.username,now,self.passwordexpire,self.passwordexpire is None or self.passwordexpire>now))
-        return not (self.passwordexpire is None or self.passwordexpire>now)
+        l.debug("-------- user:{},now:{},expire:{},res:{}".format(self.username,now,self.passwordexpire,
+                not ((self.passwordexpire is None) or self.passwordexpire>now)))
+
+        notexpired = ((self.passwordexpire is None) or (self.passwordexpire>now))
+        return not notexpired
 
     def is2faEnabled(self):
         return bool(self.otp_hash)
 
-    def getPrincipals(self,expired=False, is2faEnabled=False):
-        if expired:
-            return ['ppss_auth:changepassword']
-        elif is2faEnabled:
-            return ['ppss_auth:otpverify']
-        else:
-            return [str("g:"+group.name ) for group in self.groups  ] 
+    __principals = None
+    def getPrincipals(self):
+        if self.__principals is None:
+            principals = [str("g:"+group.name ) for group in self.groups  ] 
+            if self.isSuperUser():
+                principals += ["g:admin","g:sysadmin"]
+            l.debug("++++ principals:{}".format(principals))
+            self.__principals = principals
+
+        return self.__principals,self.isSuperUser()
 
     def todict(self):
         return { "id": self.id, "username":self.username,"enabled":self.enabled}
 
-
     def setPassword(self,password,canexpire = True):
-        dig = getPasswordDigest(password)
+        if not self.salt:
+            self.salt = secrets.token_hex(16)
+        dig = getPasswordDigest(password, salt=self.salt)
         self.password= dig
         if Conf.passwordexpire and canexpire:
             self.passwordexpire = datetime.now() + timedelta(days = Conf.passwordexpire)
+        else:
+            self.passwordexpire = None        
         self.passowrdhistory.append( PPSspasswordhistory(password = dig)  )
         return self
 
-
     def getPermissions(self):
         if self.permissionscache is None:
             result = set()
@@ -383,11 +313,24 @@ class PPSsuser(Base,commonTable):
             self.groupmapcache = set(grouplist)
         return self.groupmapcache
 
-
     def isInGroup(self,groupname,whitelie=True):
         if self.isSuperUser() and whitelie:return True
         return groupname in self.getGroupsMap()
 
+    def needVerifyOTP(self, request:Request):
+        since = datetime.now() - timedelta(hours=Conf.hoursvalid2fa)
+        # since = datetime.now() - timedelta(seconds=20)
+        success_login = (
+            request.dbsession.query(PPSsloginhistory)
+            .filter(PPSsloginhistory.user_id == self.id)
+            .filter(PPSsloginhistory.ipaddress == request.remote_addr)
+            .filter(PPSsloginhistory.result == LOGINREASON.OTPPASSED[0])
+            .filter(PPSsloginhistory.insertdt > since)
+        ).first()
+        if success_login:
+            return False
+        return True
+
     def __unicode__(self):
         return u"<PPSsuser ({id}-{name},{enabled})>".format(id=self.id,name=self.username, enabled=self.enabled)
 
@@ -424,6 +367,15 @@ class PPSsloginhistory(Base):
     resultreason    = Column(Unicode(128))
     username        = Column(Unicode(128))
 
+# result int
+# -3 = invalid otp
+# -2 = ??
+# -1 = ?? blocked ?
+# 0 = failed
+# 1 = success
+# 2 = logged in with otp
+# 3 = logged in without otp
+
 
 class PPSsgroup(Base,commonTable):
     __tablename__   = 'ppss_group'
@@ -501,7 +453,3 @@ class DBVersion(Base):
         else:
             version.moduleversion = moduldeversion
             version.dbversion = "1.0"
-
-
-
-