sanic-security 1.11.7__py3-none-any.whl → 1.16.7__py3-none-any.whl

sanic_security/test/server.py

@@ -1,5 +1,8 @@
-from argon2 import PasswordHasher
-from sanic import Sanic, text
+import datetime
+import traceback
+
+from httpx_oauth.clients.google import GoogleOAuth2
+from sanic import Sanic, text, raw, redirect
 from tortoise.contrib.sanic import register_tortoise
 
 from sanic_security.authentication import (
@@ -7,57 +10,65 @@ from sanic_security.authentication import (
     register,
     requires_authentication,
     logout,
-    create_initial_admin_account,
     fulfill_second_factor,
+    initialize_security,
 )
 from sanic_security.authorization import (
     assign_role,
     check_permissions,
     check_roles,
 )
-from sanic_security.configuration import config as security_config
-from sanic_security.exceptions import SecurityError, CredentialsError
+from sanic_security.configuration import config
+from sanic_security.exceptions import SecurityError
 from sanic_security.models import Account, CaptchaSession, AuthenticationSession
-from sanic_security.utils import json
+from sanic_security.oauth import (
+    oauth_encode,
+    initialize_oauth,
+    oauth_callback,
+    oauth_decode,
+    oauth_revoke,
+)
+from sanic_security.utils import json, str_to_bool, password_hasher
 from sanic_security.verification import (
     request_two_step_verification,
     requires_two_step_verification,
     verify_account,
-    request_captcha,
     requires_captcha,
 )
 
 """
-An effective, simple, and async security library for the Sanic framework.
-Copyright (C) 2020-present Aidan Stewart
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as published
-by the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program.  If not, see <https://www.gnu.org/licenses/>.
+Copyright (c) 2020-present Nicholas Aidan Stewart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 """
 
-app = Sanic("sanic-security-test")
-password_hasher = PasswordHasher()
+app = Sanic("tests")
+google_oauth = GoogleOAuth2(config.OAUTH_CLIENT, config.OAUTH_SECRET)
 
 
 @app.post("api/test/auth/register")
 async def on_register(request):
-    """
-    Register an account with email and password.
-    """
+    """Register an account with email and password."""
     account = await register(
         request,
-        verified=request.form.get("verified") == "true",
-        disabled=request.form.get("disabled") == "true",
+        verified=str_to_bool(request.form.get("verified")),
+        disabled=str_to_bool(request.form.get("disabled")),
     )
     if not account.verified:
         two_step_session = await request_two_step_verification(request, account)
@@ -72,9 +83,7 @@ async def on_register(request):
 
 @app.post("api/test/auth/verify")
 async def on_verify(request):
-    """
-    Verifies client account.
-    """
+    """Verifies client account."""
     two_step_session = await verify_account(request)
     return json(
         "You have verified your account and may login!", two_step_session.bearer.json
@@ -83,14 +92,14 @@ async def on_verify(request):
 
 @app.post("api/test/auth/login")
 async def on_login(request):
-    """
-    Login to an account with an email and password.
-    """
-    two_factor_authentication = request.args.get("two-factor-authentication") == "true"
+    """Login to an account with an email and password."""
     authentication_session = await login(
-        request, require_second_factor=two_factor_authentication
+        request,
+        require_second_factor=str_to_bool(
+            request.args.get("two-factor-authentication")
+        ),
     )
-    if two_factor_authentication:
+    if str_to_bool(request.args.get("two-factor-authentication")):
         two_step_session = await request_two_step_verification(
             request, authentication_session.bearer
         )
@@ -100,54 +109,75 @@ async def on_login(request):
         )
         two_step_session.encode(response)
     else:
-        response = json("Login successful!", authentication_session.bearer.json)
+        response = json("Login successful!", authentication_session.json)
+    authentication_session.encode(response)
+    return response
+
+
+@app.post("api/test/auth/login/anon")
+async def on_login_anonymous(request):
+    """Login as anonymous user."""
+    authentication_session = await AuthenticationSession.new(request)
+    response = json(
+        "Anonymous user now associated with session!", authentication_session.json
+    )
     authentication_session.encode(response)
     return response
 
 
 @app.post("api/test/auth/validate-2fa")
 async def on_two_factor_authentication(request):
-    """
-    Fulfills client authentication session's second factor requirement.
-    """
+    """Fulfills client authentication session's second factor requirement."""
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
         authentication_session.bearer.json,
     )
-    authentication_session.encode(response)
     return response
 
 
 @app.post("api/test/auth/logout")
 async def on_logout(request):
-    """
-    Logout of currently logged in account.
-    """
+    """Logout of currently logged in account."""
     authentication_session = await logout(request)
-    response = json("Logout successful!", authentication_session.bearer.json)
+    await oauth_revoke(request, google_oauth)
+    response = json("Logout successful!", authentication_session.json)
     return response
 
 
 @app.post("api/test/auth")
-@requires_authentication()
+@requires_authentication
 async def on_authenticate(request):
-    """
-    Authenticate client session and account.
-    """
-    response = json("Authenticated!", request.ctx.authentication_session.bearer.json)
-    request.ctx.authentication_session.encode(response)
+    """Authenticate client session and account."""
+    response = json(
+        "Authenticated!",
+        {
+            "bearer": (
+                request.ctx.session.bearer.json
+                if not request.ctx.session.anonymous
+                else None
+            ),
+            "refresh": request.ctx.session.is_refresh,
+        },
+    )
     return response
 
 
-@app.post("api/test/auth/associated")
+@app.post("api/test/auth/expire")
+@requires_authentication
+async def on_authentication_expire(request):
+    """Expire client's session."""
+    request.ctx.session.expiration_date = datetime.datetime.now(datetime.UTC)
+    await request.ctx.session.save(update_fields=["expiration_date"])
+    return json("Authentication expired!", request.ctx.session.json)
+
+
+@app.get("api/test/auth/associated")
 @requires_authentication
 async def on_get_associated_authentication_sessions(request):
-    """
-    Retrieves authentication sessions associated with logged in account.
-    """
+    """Retrieves authentication sessions associated with logged in account."""
     authentication_sessions = await AuthenticationSession.get_associated(
-        request.ctx.authentication_session.bearer
+        request.ctx.session.bearer
     )
     return json(
         "Associated authentication sessions retrieved!",
@@ -157,10 +187,8 @@ async def on_get_associated_authentication_sessions(request):
 
 @app.get("api/test/capt/request")
 async def on_captcha_request(request):
-    """
-    Request captcha with solution in response.
-    """
-    captcha_session = await request_captcha(request)
+    """Request captcha with solution in response."""
+    captcha_session = await CaptchaSession.new(request)
     response = json("Captcha request successful!", captcha_session.code)
     captcha_session.encode(response)
     return response
@@ -168,29 +196,28 @@ async def on_captcha_request(request):
 
 @app.get("api/test/capt/image")
 async def on_captcha_image(request):
-    """
-    Request captcha image.
-    """
+    """Request captcha image."""
     captcha_session = await CaptchaSession.decode(request)
-    response = captcha_session.get_image()
-    captcha_session.encode(response)
-    return response
+    return raw(captcha_session.get_image(), content_type="image/jpeg")
+
+
+@app.get("api/test/capt/audio")
+async def on_captcha_audio(request):
+    """Request captcha audio."""
+    captcha_session = await CaptchaSession.decode(request)
+    return raw(captcha_session.get_audio(), content_type="audio/mpeg")
 
 
 @app.post("api/test/capt")
 @requires_captcha
 async def on_captcha_attempt(request):
-    """
-    Attempt captcha challenge.
-    """
-    return json("Captcha attempt successful!", request.ctx.captcha_session.json)
+    """Attempt captcha challenge."""
+    return json("Captcha attempt successful!", request.ctx.session.json)
 
 
 @app.post("api/test/two-step/request")
 async def on_request_verification(request):
-    """
-    Request two-step verification with code in the response.
-    """
+    """Request two-step verification with code in the response."""
     two_step_session = await request_two_step_verification(request)
     response = json("Verification request successful!", two_step_session.code)
     two_step_session.encode(response)
@@ -200,72 +227,106 @@ async def on_request_verification(request):
 @app.post("api/test/two-step")
 @requires_two_step_verification
 async def on_verification_attempt(request):
-    """
-    Attempt two-step verification challenge.
-    """
-    return json(
-        "Two step verification attempt successful!", request.ctx.two_step_session.json
-    )
+    """Attempt two-step verification challenge."""
+    return json("Two step verification attempt successful!", request.ctx.session.json)
 
 
 @app.post("api/test/auth/roles")
-@requires_authentication
 async def on_authorization(request):
-    """
-    Check if client is authorized with sufficient roles and permissions.
-    """
+    """Check if client is authorized with sufficient roles and permissions."""
     await check_roles(request, request.form.get("role"))
     if request.form.get("permissions_required"):
         await check_permissions(
             request, *request.form.get("permissions_required").split(", ")
         )
-    return text("Account permitted.")
+    return text("Account permitted!")
 
 
 @app.post("api/test/auth/roles/assign")
 @requires_authentication
 async def on_role_assign(request):
-    """
-    Assign authenticated account a role.
-    """
+    """Assign authenticated account a role."""
     await assign_role(
         request.form.get("name"),
-        request.ctx.authentication_session.bearer,
-        request.form.get("permissions"),
+        request.ctx.session.bearer,
         "Role used for testing.",
+        *(
+            request.form.get("permissions").split(", ")
+            if request.form.get("permissions")
+            else []
+        ),
     )
-    return text("Role assigned.b")
+    return text("Role assigned!")
 
 
 @app.post("api/test/account")
 async def on_account_creation(request):
-    """
-    Quick account creation.
-    """
-    if await Account.filter(email=request.form.get("email").lower()).exists():
-        raise CredentialsError("An account with this email already exists.", 409)
-    elif await Account.filter(username=request.form.get("username")).exists():
-        raise CredentialsError("An account with this username already exists.", 409)
+    """Quick account creation."""
     account = await Account.create(
         username=request.form.get("username"),
-        email=request.form.get("email").lower(),
+        email=request.form.get("email"),
         password=password_hasher.hash("password"),
         verified=True,
-        dbisabled=False,
+        disabled=False,
     )
     response = json("Account creation successful!", account.json)
     return response
 
 
+@app.route("api/test/oauth", methods=["GET", "POST"])
+async def on_oauth_request(request):
+    """OAuth request."""
+    return redirect(
+        await google_oauth.get_authorization_url(
+            "http://localhost:8000/api/test/oauth/callback",
+            scope=google_oauth.base_scopes,
+        )
+    )
+
+
+@app.get("api/test/oauth/callback")
+async def on_oauth_callback(request):
+    """OAuth callback."""
+    token_info, authentication_session = await oauth_callback(
+        request,
+        google_oauth,
+        "http://localhost:8000/api/test/oauth/callback",
+    )
+    response = json(
+        "OAuth successful.",
+        {"token_info": token_info, "auth_session": authentication_session.json},
+    )
+    oauth_encode(response, token_info)
+    authentication_session.encode(response)
+    return response
+
+
+@app.get("api/test/oauth/token")
+@requires_authentication
+async def on_oauth_token(request):
+    """OAuth token retrieval."""
+    token_info = await oauth_decode(request, google_oauth)
+    return json(
+        "Access token retrieved!",
+        {"token_info": token_info, "auth_session": request.ctx.session.json},
+    )
+
+
+@app.route("api/test/oauth/revoke", methods=["GET", "POST"])
+async def on_oauth_revoke(request):
+    """OAuth token revocation."""
+    token_info = await oauth_revoke(request, google_oauth)
+    return json("Access token revoked!", token_info)
+
+
 @app.exception(SecurityError)
 async def on_security_error(request, exception):
-    """
-    Handles security errors with correct response.
-    """
+    """Handles security errors with correct response."""
+    traceback.print_exc()
     return exception.json
 
 
-security_config.SECRET = """
+config.SECRET = """
 -----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEAww3pEiUx6wMFawJNAHCI80Qj3eyrP6Yx3LNNluQZXMyZkd+6ugBN9e1hw7v2z2PwmJENhYrqbBHU4vHCHEEZjdZIQRqwriFpeeoqMA1
 ecgwJz3fOuYo6WrUbS6pEyJ9vtjh5TaeZLzER+KIK2uvsjsQnFVt41hh3Xd+tR9p+QXT8aRep9hp4XLF87QlDVDrZIStfVn25+ZfSfKH+WYBUglZBmz/K6uW
@@ -283,7 +344,7 @@ mQ4BjbU1slel/eXlhomQpxoBCH3J/Ba9qd+uBql29QZMQXtKFg/mryjprapq8sUcbgazr9u1x+zJz9w+
 1G1CHHo/vq8zPNkVWmhciIUeHR3YJbw==
 -----END RSA PRIVATE KEY-----
 """
-security_config.PUBLIC_SECRET = """
+config.PUBLIC_SECRET = """
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAww3pEiUx6wMFawJNAHCI80Qj3eyrP6Yx3LNNluQZXMyZkd+6ugBN9e1hw7v2z2PwmJENhYrqbBHU
 4vHCHEEZjdZIQRqwriFpeeoqMA1ecgwJz3fOuYo6WrUbS6pEyJ9vtjh5TaeZLzER+KIK2uvsjsQnFVt41hh3Xd+tR9p+QXT8aRep9hp4XLF87QlDVDrZIStf
@@ -291,16 +352,17 @@ Vn25+ZfSfKH+WYBUglZBmz/K6uW41mSRuuH3Pu/lnPgGvsxtT7KE8dkbyrI+Tyg0pniOYdxBxgpu06S6
 MHlkstd6FFYu5lJQcuppOm79iQIDAQAB
 -----END PUBLIC KEY-----
 """
-security_config.INITIAL_ADMIN_EMAIL = "admin@login.test"
-security_config.SESSION_ENCODING_ALGORITHM = "RS256"
-security_config.ALLOW_LOGIN_WITH_USERNAME = True
-security_config.SESSION_SECURE = False
+config.INITIAL_ADMIN_EMAIL = "admin@login.test"
+config.SESSION_ENCODING_ALGORITHM = "RS256"
+config.ALLOW_LOGIN_WITH_USERNAME = True
+config.SESSION_SECURE = False
 register_tortoise(
     app,
-    db_url=security_config.TEST_DATABASE_URL,
+    db_url=config.TEST_DATABASE_URL,
     modules={"models": ["sanic_security.models"]},
     generate_schemas=True,
 )
-create_initial_admin_account(app)
+initialize_security(app, True)
+initialize_oauth(app)
 if __name__ == "__main__":
     app.run(host="127.0.0.1", port=8000, workers=1, debug=True)