sanic-security 1.11.7__py3-none-any.whl → 1.12.0__py3-none-any.whl

sanic_security/exceptions.py

@@ -3,21 +3,25 @@ from sanic.exceptions import SanicException
 from sanic_security.utils import json
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
@@ -53,7 +57,16 @@ class DeletedError(SecurityError):
     """
 
     def __init__(self, message):
-        super().__init__(message, 410)
+        super().__init__(message, 404)
+
+
+class CredentialsError(SecurityError):
+    """
+    Raised when credentials are invalid.
+    """
+
+    def __init__(self, message, code=400):
+        super().__init__(message, code)
 
 
 class AccountError(SecurityError):
@@ -125,7 +138,16 @@ class ExpiredError(SessionError):
     """
 
     def __init__(self):
-        super().__init__("Session has expired")
+        super().__init__("Session has expired.")
+
+
+class NotExpiredError(SessionError):
+    """
+    Raised when session needs to be expired.
+    """
+
+    def __init__(self):
+        super().__init__("Session has not expired yet.", 403)
 
 
 class SecondFactorRequiredError(SessionError):
@@ -173,10 +195,10 @@ class AuthorizationError(SecurityError):
         super().__init__(message, 403)
 
 
-class CredentialsError(SecurityError):
+class AnonymousError(AuthorizationError):
     """
-    Raised when credentials are invalid.
+    Raised when attempting to authorize an anonymous user.
     """
 
-    def __init__(self, message, code=400):
-        super().__init__(message, code)
+    def __init__(self):
+        super().__init__("Session is anonymous.")

sanic_security/models.py

@@ -16,21 +16,25 @@ from sanic_security.exceptions import *
 from sanic_security.utils import get_ip, get_code, get_expiration_date
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
@@ -109,19 +113,6 @@ class Account(BaseModel):
         "models.Role", through="account_role"
     )
 
-    @property
-    def json(self) -> dict:
-        return {
-            "id": self.id,
-            "date_created": str(self.date_created),
-            "date_updated": str(self.date_updated),
-            "email": self.email,
-            "username": self.username,
-            "phone": self.phone,
-            "disabled": self.disabled,
-            "verified": self.verified,
-        }
-
     def validate(self) -> None:
         """
         Raises an error with respect to account state.
@@ -151,6 +142,19 @@ class Account(BaseModel):
             self.disabled = True
             await self.save(update_fields=["disabled"])
 
+    @property
+    def json(self) -> dict:
+        return {
+            "id": self.id,
+            "date_created": str(self.date_created),
+            "date_updated": str(self.date_updated),
+            "email": self.email,
+            "username": self.username,
+            "phone": self.phone,
+            "disabled": self.disabled,
+            "verified": self.verified,
+        }
+
     @staticmethod
     async def get_via_email(email: str):
         """
@@ -233,19 +237,6 @@ class Session(BaseModel):
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
 
-    @property
-    def json(self) -> dict:
-        return {
-            "id": self.id,
-            "date_created": str(self.date_created),
-            "date_updated": str(self.date_updated),
-            "expiration_date": str(self.expiration_date),
-            "bearer": self.bearer.username
-            if isinstance(self.bearer, Account)
-            else None,
-            "active": self.active,
-        }
-
     def validate(self) -> None:
         """
         Raises an error with respect to session state.
@@ -257,13 +248,13 @@ class Session(BaseModel):
         """
         if self.deleted:
             raise DeletedError("Session has been deleted.")
+        elif not self.active:
+            raise DeactivatedError()
         elif (
             self.expiration_date
             and datetime.datetime.now(datetime.timezone.utc) >= self.expiration_date
         ):
             raise ExpiredError()
-        elif not self.active:
-            raise DeactivatedError()
 
     async def deactivate(self):
         """
@@ -285,23 +276,22 @@ class Session(BaseModel):
         Args:
             response (HTTPResponse): Sanic response used to store JWT into a cookie on the client.
         """
-        payload = {
-            "id": self.id,
-            "date_created": str(self.date_created),
-            "expiration_date": str(self.expiration_date),
-            "ip": self.ip,
-        }
         cookie = (
             f"{security_config.SESSION_PREFIX}_{self.__class__.__name__.lower()[:7]}"
         )
         encoded_session = jwt.encode(
-            payload, security_config.SECRET, security_config.SESSION_ENCODING_ALGORITHM
+            {
+                "id": self.id,
+                "date_created": str(self.date_created),
+                "expiration_date": str(self.expiration_date),
+                "ip": self.ip,
+            },
+            security_config.SECRET,
+            security_config.SESSION_ENCODING_ALGORITHM,
         )
-        if isinstance(encoded_session, bytes):
-            encoded_session = encoded_session.decode()
         response.cookies.add_cookie(
             cookie,
-            encoded_session,
+            str(encoded_session),
             httponly=security_config.SESSION_HTTPONLY,
             samesite=security_config.SESSION_SAMESITE,
             secure=security_config.SESSION_SECURE,
@@ -311,6 +301,29 @@ class Session(BaseModel):
         if security_config.SESSION_DOMAIN:
             response.cookies.get_cookie(cookie).domain = security_config.SESSION_DOMAIN
 
+    @property
+    def json(self) -> dict:
+        return {
+            "id": self.id,
+            "date_created": str(self.date_created),
+            "date_updated": str(self.date_updated),
+            "expiration_date": str(self.expiration_date),
+            "bearer": (
+                self.bearer.username if isinstance(self.bearer, Account) else None
+            ),
+            "active": self.active,
+        }
+
+    @property
+    def anonymous(self) -> bool:
+        """
+        Determines if an account is associated with session.
+
+        Returns:
+            anonymous
+        """
+        return self.bearer is None
+
     @classmethod
     async def new(
         cls,
@@ -345,7 +358,7 @@ class Session(BaseModel):
         Raises:
             NotFoundError
         """
-        sessions = await cls.filter(bearer=account).prefetch_related("bearer").all()
+        sessions = await cls.filter(bearer=account, deleted=False).all()
         if not sessions:
             raise NotFoundError("No sessions associated to account were found.")
         return sessions
@@ -373,9 +386,7 @@ class Session(BaseModel):
             else:
                 return jwt.decode(
                     cookie,
-                    security_config.SECRET
-                    if not security_config.PUBLIC_SECRET
-                    else security_config.PUBLIC_SECRET,
+                    security_config.PUBLIC_SECRET or security_config.SECRET,
                     security_config.SESSION_ENCODING_ALGORITHM,
                 )
         except DecodeError as e:
@@ -421,10 +432,6 @@ class VerificationSession(Session):
     attempts: int = fields.IntField(default=0)
     code: str = fields.CharField(max_length=10, default=get_code, null=True)
 
-    @classmethod
-    async def new(cls, request: Request, account: Account, **kwargs):
-        raise NotImplementedError
-
     async def check_code(self, request: Request, code: str) -> None:
         """
         Checks if code passed is equivalent to the session code.
@@ -453,6 +460,10 @@ class VerificationSession(Session):
             self.active = False
             await self.save(update_fields=["active"])
 
+    @classmethod
+    async def new(cls, request: Request, account: Account, **kwargs):
+        raise NotImplementedError
+
     class Meta:
         abstract = True
 
@@ -514,9 +525,13 @@ class AuthenticationSession(Session):
 
     Attributes:
         requires_second_factor (bool): Determines if session requires a second factor.
+        refresh_expiration_date (bool): Date and time the session can no longer be refreshed.
+        is_refresh (bool): Will only be true when instantiated during refresh of expired session.
     """
 
     requires_second_factor: bool = fields.BooleanField(default=False)
+    refresh_expiration_date: datetime.datetime = fields.DatetimeField(null=True)
+    is_refresh: bool = False
 
     def validate(self) -> None:
         """
@@ -532,16 +547,51 @@ class AuthenticationSession(Session):
         if self.requires_second_factor:
             raise SecondFactorRequiredError()
 
+    async def refresh(self, request: Request):
+        """
+        Seamlessly creates new session if within refresh date.
+
+        Raises:
+            DeletedError
+            ExpiredError
+            DeactivatedError
+            SecondFactorRequiredError
+            NotExpiredError
+
+        Returns:
+            session
+        """
+        try:
+            self.validate()
+            raise NotExpiredError()
+        except ExpiredError as e:
+            if (
+                datetime.datetime.now(datetime.timezone.utc)
+                <= self.refresh_expiration_date
+            ):
+                self.active = False
+                await self.save(update_fields=["active"])
+                return await self.new(request, self.bearer, True)
+            else:
+                raise e
+
     @classmethod
-    async def new(cls, request: Request, account: Account, **kwargs):
-        return await AuthenticationSession.create(
+    async def new(
+        cls, request: Request, account: Account = None, is_refresh=False, **kwargs
+    ):
+        authentication_session = await AuthenticationSession.create(
             **kwargs,
             bearer=account,
             ip=get_ip(request),
             expiration_date=get_expiration_date(
                 security_config.AUTHENTICATION_SESSION_EXPIRATION
             ),
+            refresh_expiration_date=get_expiration_date(
+                security_config.AUTHENTICATION_REFRESH_EXPIRATION
+            ),
         )
+        authentication_session.is_refresh = is_refresh
+        return authentication_session
 
     class Meta:
         table = "authentication_session"
@@ -554,7 +604,7 @@ class Role(BaseModel):
     Attributes:
         name (str): Name of the role.
         description (str): Description of the role.
-        permissions (str): Permissions of the role. Must be separated via comma and in wildcard format (printer:query, printer:query,delete).
+        permissions (str): Permissions of the role. Must be separated via comma + space and in wildcard format (printer:query, dashboard:info,delete).
     """
 
     name: str = fields.CharField(unique=True, max_length=255)

sanic_security/test/server.py

@@ -1,3 +1,6 @@
+import datetime
+import traceback
+
 from argon2 import PasswordHasher
 from sanic import Sanic, text
 from tortoise.contrib.sanic import register_tortoise
@@ -28,27 +31,34 @@ from sanic_security.verification import (
 )
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 app = Sanic("sanic-security-test")
 password_hasher = PasswordHasher()
 
 
+# TODO: Testing for new functionality.
+
+
 @app.post("api/test/auth/register")
 async def on_register(request):
     """
@@ -105,6 +115,19 @@ async def on_login(request):
     return response
 
 
+@app.post("api/test/auth/login/anon")
+async def on_login_anonymous(request):
+    """
+    Login as anonymous user.
+    """
+    authentication_session = await AuthenticationSession.new(request)
+    response = json(
+        "Anonymous user now associated with session!", authentication_session.json
+    )
+    authentication_session.encode(response)
+    return response
+
+
 @app.post("api/test/auth/validate-2fa")
 async def on_two_factor_authentication(request):
     """
@@ -130,16 +153,40 @@ async def on_logout(request):
 
 
 @app.post("api/test/auth")
-@requires_authentication()
+@requires_authentication
 async def on_authenticate(request):
     """
     Authenticate client session and account.
     """
-    response = json("Authenticated!", request.ctx.authentication_session.bearer.json)
-    request.ctx.authentication_session.encode(response)
+    authentication_session = request.ctx.authentication_session
+    response = json(
+        "Authenticated!",
+        {
+            "bearer": (
+                authentication_session.bearer.json
+                if not authentication_session.anonymous
+                else None
+            ),
+            "refresh": authentication_session.is_refresh,
+        },
+    )
+    if authentication_session.is_refresh:
+        request.ctx.authentication_session.encode(response)
     return response
 
 
+@app.post("api/test/auth/expire")
+@requires_authentication
+async def on_authentication_expire(request):
+    """
+    Expire client's session.
+    """
+    authentication_session = request.ctx.authentication_session
+    authentication_session.expiration_date = datetime.datetime.now(datetime.UTC)
+    await authentication_session.save(update_fields=["expiration_date"])
+    return json("Authentication expired!", authentication_session.json)
+
+
 @app.post("api/test/auth/associated")
 @requires_authentication
 async def on_get_associated_authentication_sessions(request):
@@ -242,16 +289,12 @@ async def on_account_creation(request):
     """
     Quick account creation.
     """
-    if await Account.filter(email=request.form.get("email").lower()).exists():
-        raise CredentialsError("An account with this email already exists.", 409)
-    elif await Account.filter(username=request.form.get("username")).exists():
-        raise CredentialsError("An account with this username already exists.", 409)
     account = await Account.create(
         username=request.form.get("username"),
         email=request.form.get("email").lower(),
         password=password_hasher.hash("password"),
         verified=True,
-        dbisabled=False,
+        disabled=False,
     )
     response = json("Account creation successful!", account.json)
     return response
@@ -262,6 +305,7 @@ async def on_security_error(request, exception):
     """
     Handles security errors with correct response.
     """
+    traceback.print_exc()
     return exception.json
 
 

sanic_security/test/tests.py

@@ -7,21 +7,25 @@ import httpx
 from sanic_security.configuration import Config
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
 
@@ -290,6 +294,19 @@ class LoginTest(TestCase):
         )
         assert authenticate_response.status_code == 200, authenticate_response.text
 
+    def test_anonymous_login(self):
+        """
+        Test login of anonymous user.
+        """
+        anon_login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login/anon"
+        )
+        assert anon_login_response.status_code == 200, anon_login_response.text
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert authenticate_response.status_code == 200, authenticate_response.text
+
 
 class VerificationTest(TestCase):
     """
@@ -468,6 +485,23 @@ class AuthorizationTest(TestCase):
             prohibited_authorization_response.status_code == 403
         ), prohibited_authorization_response.text
 
+    def test_anonymous_authorization(self):
+        anon_login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login/anon"
+        )
+        assert anon_login_response.status_code == 200, anon_login_response.text
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert authenticate_response.status_code == 200, authenticate_response.text
+        prohibited_authorization_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/roles",
+            data={"role": "AuthTestPerms"},
+        )
+        assert (
+            prohibited_authorization_response.status_code == 403
+        ), prohibited_authorization_response.text
+
 
 class MiscTest(TestCase):
     """
@@ -511,3 +545,34 @@ class MiscTest(TestCase):
         assert (
             retrieve_associated_response.status_code == 200
         ), retrieve_associated_response.text
+
+    def test_authentication_refresh(self):
+        """
+        Test automatic authentication refresh.
+        """
+        self.client.post(
+            "http://127.0.0.1:8000/api/test/account",
+            data={
+                "email": "refreshed@misc.test",
+                "username": "refreshed",
+            },
+        )
+        login_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth/login",
+            auth=("refreshed@misc.test", "password"),
+        )
+        assert login_response.status_code == 200, login_response.text
+        expire_response = self.client.post("http://127.0.0.1:8000/api/test/auth/expire")
+        assert expire_response.status_code == 200, expire_response.text
+        authenticate_refresh_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )
+        assert (
+            json.loads(authenticate_refresh_response.text)["data"]["refresh"] is True
+        ), authenticate_refresh_response.text
+        authenticate_response = self.client.post(
+            "http://127.0.0.1:8000/api/test/auth",
+        )  # Since session refresh handling is complete, it will be returned as a regular session now.
+        assert (
+            json.loads(authenticate_response.text)["data"]["refresh"] is False
+        ), authenticate_response.text