sanic-security 1.11.7__py3-none-any.whl → 1.12.0__py3-none-any.whl

sanic_security/authentication.py

@@ -15,111 +15,35 @@ from sanic_security.exceptions import (
     CredentialsError,
     DeactivatedError,
     SecondFactorFulfilledError,
+    ExpiredError,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
-from sanic_security.utils import get_ip
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 password_hasher = PasswordHasher()
 
 
-def validate_email(email: str) -> str:
-    """
-    Validates email format.
-
-    Args:
-        email (str): Email being validated.
-
-    Returns:
-        email
-
-    Raises:
-        CredentialsError
-    """
-    if not re.search(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", email):
-        raise CredentialsError("Please use a valid email address.", 400)
-    return email
-
-
-def validate_username(username: str) -> str:
-    """
-    Validates username format.
-
-    Args:
-        username (str): Username being validated.
-
-    Returns:
-        username
-
-    Raises:
-        CredentialsError
-    """
-    if not re.search(r"^[A-Za-z0-9_-]{3,32}$", username):
-        raise CredentialsError(
-            "Username must be between 3-32 characters and not contain any special characters other than _ or -.",
-            400,
-        )
-    return username
-
-
-def validate_phone(phone: str) -> str:
-    """
-    Validates phone number format.
-
-    Args:
-        phone (str): Phone number being validated.
-
-    Returns:
-        phone
-
-    Raises:
-        CredentialsError
-    """
-    if phone and not re.search(
-        r"^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$", phone
-    ):
-        raise CredentialsError("Please use a valid phone number.", 400)
-    return phone
-
-
-def validate_password(password: str) -> str:
-    """
-    Validates password requirements.
-
-    Args:
-        password (str): Password being validated.
-
-    Returns:
-        password
-
-    Raises:
-        CredentialsError
-    """
-    if not re.search(r"^(?=.*[A-Z])(?=.*\d)(?=.*[@#$%^&+=!]).*$", password):
-        raise CredentialsError(
-            "Password must contain one capital letter, one number, and one special character",
-            400,
-        )
-    return password
-
-
 async def register(
     request: Request, verified: bool = False, disabled: bool = False
 ) -> Account:
@@ -139,18 +63,20 @@ async def register(
     """
     email_lower = validate_email(request.form.get("email").lower())
     if await Account.filter(email=email_lower).exists():
-        raise CredentialsError("An account with this email already exists.", 409)
+        raise CredentialsError("An account with this email may already exist.", 409)
     elif await Account.filter(
         username=validate_username(request.form.get("username"))
     ).exists():
-        raise CredentialsError("An account with this username already exists.", 409)
+        raise CredentialsError("An account with this username may already exist.", 409)
     elif (
         request.form.get("phone")
         and await Account.filter(
             phone=validate_phone(request.form.get("phone"))
         ).exists()
     ):
-        raise CredentialsError("An account with this phone number already exists.", 409)
+        raise CredentialsError(
+            "An account with this phone number may already exist.", 409
+        )
     validate_password(request.form.get("password"))
     account = await Account.create(
         email=email_lower,
@@ -212,9 +138,6 @@ async def login(
             request, account, requires_second_factor=require_second_factor
         )
     except VerifyMismatchError:
-        logger.warning(
-            f"Client ({get_ip(request)}) login password attempt is incorrect"
-        )
         raise CredentialsError("Incorrect password.", 401)
 
 
@@ -241,32 +164,6 @@ async def logout(request: Request) -> AuthenticationSession:
     return authentication_session
 
 
-async def authenticate(request: Request) -> AuthenticationSession:
-    """
-    Validates client's authentication session and account.
-
-    Args:
-        request (Request): Sanic request parameter.
-
-    Returns:
-        authentication_session
-
-    Raises:
-        NotFoundError
-        JWTDecodeError
-        DeletedError
-        ExpiredError
-        DeactivatedError
-        UnverifiedError
-        DisabledError
-        SecondFactorRequiredError
-    """
-    authentication_session = await AuthenticationSession.decode(request)
-    authentication_session.validate()
-    authentication_session.bearer.validate()
-    return authentication_session
-
-
 async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     """
     Fulfills client authentication session's second factor requirement via two-step session code.
@@ -288,9 +185,9 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
          authentication_Session
     """
     authentication_session = await AuthenticationSession.decode(request)
-    two_step_session = await TwoStepSession.decode(request)
     if not authentication_session.requires_second_factor:
         raise SecondFactorFulfilledError()
+    two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     await two_step_session.check_code(request, request.form.get("code"))
     authentication_session.requires_second_factor = False
@@ -298,9 +195,40 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     return authentication_session
 
 
+async def authenticate(request: Request) -> tuple[bool, AuthenticationSession]:
+    """
+    Validates client's authentication session and account. New/Refreshed session automatically returned
+    if expired during authentication, requires encoding.
+
+    Args:
+        request (Request): Sanic request parameter.
+
+    Returns:
+        authentication_session
+
+    Raises:
+        NotFoundError
+        JWTDecodeError
+        DeletedError
+        DeactivatedError
+        UnverifiedError
+        DisabledError
+        SecondFactorRequiredError
+    """
+    authentication_session = await AuthenticationSession.decode(request)
+    try:
+        authentication_session.validate()
+        if not authentication_session.anonymous:
+            authentication_session.bearer.validate()
+    except ExpiredError:
+        authentication_session = await authentication_session.refresh(request)
+    return authentication_session
+
+
 def requires_authentication(arg=None):
     """
-    Validates client's authentication session and account.
+    Validates client's authentication session and account. New/Refreshed session automatically returned if expired
+    during authentication, requires encoding.
 
     Example:
         This method is not called directly and instead used as a decorator:
@@ -314,7 +242,6 @@ def requires_authentication(arg=None):
         NotFoundError
         JWTDecodeError
         DeletedError
-        ExpiredError
         DeactivatedError
         UnverifiedError
         DisabledError
@@ -328,10 +255,7 @@ def requires_authentication(arg=None):
 
         return wrapper
 
-    if callable(arg):
-        return decorator(arg)
-    else:
-        return decorator
+    return decorator(arg) if callable(arg) else decorator
 
 
 def create_initial_admin_account(app: Sanic) -> None:
@@ -343,7 +267,7 @@ def create_initial_admin_account(app: Sanic) -> None:
     """
 
     @app.listener("before_server_start")
-    async def generate(app, loop):
+    async def create(app, loop):
         try:
             role = await Role.filter(name="Head Admin").get()
         except DoesNotExist:
@@ -371,3 +295,83 @@ def create_initial_admin_account(app: Sanic) -> None:
             )
             await account.roles.add(role)
             logger.info("Initial admin account created.")
+
+
+def validate_email(email: str) -> str:
+    """
+    Validates email format.
+
+    Args:
+        email (str): Email being validated.
+
+    Returns:
+        email
+
+    Raises:
+        CredentialsError
+    """
+    if not re.search(r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", email):
+        raise CredentialsError("Please use a valid email address.", 400)
+    return email
+
+
+def validate_username(username: str) -> str:
+    """
+    Validates username format.
+
+    Args:
+        username (str): Username being validated.
+
+    Returns:
+        username
+
+    Raises:
+        CredentialsError
+    """
+    if not re.search(r"^[A-Za-z0-9_-]{3,32}$", username):
+        raise CredentialsError(
+            "Username must be between 3-32 characters and not contain any special characters other than _ or -.",
+            400,
+        )
+    return username
+
+
+def validate_phone(phone: str) -> str:
+    """
+    Validates phone number format.
+
+    Args:
+        phone (str): Phone number being validated.
+
+    Returns:
+        phone
+
+    Raises:
+        CredentialsError
+    """
+    if phone and not re.search(
+        r"^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$", phone
+    ):
+        raise CredentialsError("Please use a valid phone number.", 400)
+    return phone
+
+
+def validate_password(password: str) -> str:
+    """
+    Validates password requirements.
+
+    Args:
+        password (str): Password being validated.
+
+    Returns:
+        password
+
+    Raises:
+        CredentialsError
+    """
+    if not re.search(r"^(?=.*[A-Z])(?=.*\d)(?=.*[@#$%^&+=!]).*$", password):
+        raise CredentialsError(
+            "Password must contain one capital letter, one number, and one special character",
+            400,
+        )
+    return password

sanic_security/authorization.py

@@ -1,31 +1,33 @@
 import functools
-import logging
 from fnmatch import fnmatch
 
 from sanic.request import Request
 from tortoise.exceptions import DoesNotExist
 
 from sanic_security.authentication import authenticate
-from sanic_security.exceptions import AuthorizationError
+from sanic_security.exceptions import AuthorizationError, AnonymousError
 from sanic_security.models import Role, Account, AuthenticationSession
-from sanic_security.utils import get_ip
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
@@ -51,8 +53,11 @@ async def check_permissions(
         UnverifiedError
         DisabledError
         AuthorizationError
+        AnonymousError
     """
     authentication_session = await authenticate(request)
+    if authentication_session.anonymous:
+        raise AnonymousError()
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         for required_permission, role_permission in zip(
@@ -60,7 +65,6 @@ async def check_permissions(
         ):
             if fnmatch(required_permission, role_permission):
                 return authentication_session
-    logging.warning(f"Client ({get_ip(request)}) has insufficient permissions.")
     raise AuthorizationError("Insufficient permissions required for this action.")
 
 
@@ -84,16 +88,40 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
         UnverifiedError
         DisabledError
         AuthorizationError
+        AnonymousError
     """
     authentication_session = await authenticate(request)
+    if authentication_session.anonymous:
+        raise AnonymousError()
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         if role.name in required_roles:
             return authentication_session
-    logging.warning(f"Client ({get_ip(request)}) has insufficient roles.")
     raise AuthorizationError("Insufficient roles required for this action.")
 
 
+async def assign_role(
+    name: str, account: Account, permissions: str = None, description: str = None
+) -> Role:
+    """
+    Easy account role assignment. Role being assigned to an account will be created if it doesn't exist.
+
+    Args:
+        name (str):  The name of the role associated with the account.
+        account (Account): The account associated with the created role.
+        permissions (str):  The permissions of the role associated with the account. Permissions must be separated via comma and in wildcard format.
+        description (str):  The description of the role associated with the account.
+    """
+    try:
+        role = await Role.filter(name=name).get()
+    except DoesNotExist:
+        role = await Role.create(
+            description=description, permissions=permissions, name=name
+        )
+    await account.roles.add(role)
+    return role
+
+
 def require_permissions(*required_permissions: str):
     """
     Authenticates client and determines if the account has sufficient permissions for an action.
@@ -118,6 +146,7 @@ def require_permissions(*required_permissions: str):
         UnverifiedError
         DisabledError
         AuthorizationError
+        AnonymousError
     """
 
     def decorator(func):
@@ -157,6 +186,7 @@ def require_roles(*required_roles: str):
         UnverifiedError
         DisabledError
         AuthorizationError
+        AnonymousError
     """
 
     def decorator(func):
@@ -170,25 +200,3 @@ def require_roles(*required_roles: str):
         return wrapper
 
     return decorator
-
-
-async def assign_role(
-    name: str, account: Account, permissions: str = None, description: str = None
-) -> Role:
-    """
-    Easy account role assignment. Role being assigned to an account will be created if it doesn't exist.
-
-    Args:
-        name (str):  The name of the role associated with the account.
-        account (Account): The account associated with the created role.
-        permissions (str):  The permissions of the role associated with the account. Permissions must be separated via comma and in wildcard format.
-        description (str):  The description of the role associated with the account.
-    """
-    try:
-        role = await Role.filter(name=name).get()
-    except DoesNotExist:
-        role = await Role.create(
-            description=description, permissions=permissions, name=name
-        )
-    await account.roles.add(role)
-    return role

sanic_security/configuration.py

@@ -2,23 +2,26 @@ from os import environ
 
 from sanic.utils import str_to_bool
 
-
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
@@ -34,8 +37,9 @@ DEFAULT_CONFIG = {
     "MAX_CHALLENGE_ATTEMPTS": 5,
     "CAPTCHA_SESSION_EXPIRATION": 60,
     "CAPTCHA_FONT": "captcha-font.ttf",
-    "TWO_STEP_SESSION_EXPIRATION": 200,
-    "AUTHENTICATION_SESSION_EXPIRATION": 2592000,
+    "TWO_STEP_SESSION_EXPIRATION": 300,
+    "AUTHENTICATION_SESSION_EXPIRATION": 86400,
+    "AUTHENTICATION_REFRESH_EXPIRATION": 2592000,
     "ALLOW_LOGIN_WITH_USERNAME": False,
     "INITIAL_ADMIN_EMAIL": "admin@example.com",
     "INITIAL_ADMIN_PASSWORD": "admin123",
@@ -59,8 +63,9 @@ class Config(dict):
         MAX_CHALLENGE_ATTEMPTS (str): The maximum amount of session challenge attempts allowed.
         CAPTCHA_SESSION_EXPIRATION (int): The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.
         CAPTCHA_FONT (str): The file path to the font being used for captcha generation.
-        TWO_STEP_SESSION_EXPIRATION (int):  The amount of seconds till two step session expiration on creation. Setting to 0 will disable expiration.
-        AUTHENTICATION_SESSION_EXPIRATION (bool): The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.
+        TWO_STEP_SESSION_EXPIRATION (int):  The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.
+        AUTHENTICATION_SESSION_EXPIRATION (int): The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.
+        AUTHENTICATION_REFRESH_EXPIRATION (int): The amount of seconds till authentication session refresh expiration.
         ALLOW_LOGIN_WITH_USERNAME (bool): Allows login via username and email.
         INITIAL_ADMIN_EMAIL (str): Email used when creating the initial admin account.
         INITIAL_ADMIN_PASSWORD (str): Password used when creating the initial admin account.
@@ -80,6 +85,7 @@ class Config(dict):
     CAPTCHA_FONT: str
     TWO_STEP_SESSION_EXPIRATION: int
     AUTHENTICATION_SESSION_EXPIRATION: int
+    AUTHENTICATION_REFRESH_EXPIRATION: int
     ALLOW_LOGIN_WITH_USERNAME: bool
     INITIAL_ADMIN_EMAIL: str
     INITIAL_ADMIN_PASSWORD: str