sanic-security 1.12.2__py3-none-any.whl → 1.12.4__py3-none-any.whl

sanic_security/authentication.py

@@ -1,4 +1,3 @@
-import base64
 import functools
 import re
 
@@ -11,7 +10,6 @@ from tortoise.exceptions import DoesNotExist
 
 from sanic_security.configuration import config as security_config
 from sanic_security.exceptions import (
-    NotFoundError,
     CredentialsError,
     DeactivatedError,
     SecondFactorFulfilledError,
@@ -90,15 +88,19 @@ async def register(
 
 
 async def login(
-    request: Request, account: Account = None, require_second_factor: bool = False
+    request: Request,
+    account: Account = None,
+    require_second_factor: bool = False,
+    password: str = None,
 ) -> AuthenticationSession:
     """
     Login with email or username (if enabled) and password.
 
     Args:
-        request (Request): Sanic request parameter. Login credentials are retrieved via the authorization header.
-        account (Account): Account being logged into, overrides retrieving account via email or username in form-data.
+        request (Request): Sanic request parameter, login credentials are retrieved via the authorization header.
+        account (Account): Account being logged into, overrides account retrieved via email or username.
         require_second_factor (bool): Determines authentication session second factor requirement on login.
+        password (str): Overrides user's password attempt retrieved via the authorization header.
 
     Returns:
         authentication_session
@@ -110,24 +112,10 @@ async def login(
         UnverifiedError
         DisabledError
     """
-    if request.headers.get("Authorization"):
-        authorization_type, credentials = request.headers.get("Authorization").split()
-        if authorization_type == "Basic":
-            email_or_username, password = (
-                base64.b64decode(credentials).decode().split(":")
-            )
-        else:
-            raise CredentialsError("Invalid authorization type.")
-    else:
-        raise CredentialsError("Credentials not provided.")
     if not account:
-        try:
-            account = await Account.get_via_email(email_or_username.lower())
-        except NotFoundError as e:
-            if security_config.ALLOW_LOGIN_WITH_USERNAME:
-                account = await Account.get_via_username(email_or_username)
-            else:
-                raise e
+        account, password = await Account.get_via_header(request)
+    elif not password:
+        raise CredentialsError("Password parameter is empty.")
     try:
         password_hasher.verify(account.password, password)
         if password_hasher.check_needs_rehash(account.password):
@@ -223,6 +211,7 @@ async def authenticate(request: Request) -> AuthenticationSession:
             authentication_session.bearer.validate()
     except ExpiredError:
         authentication_session = await authentication_session.refresh(request)
+    request.ctx.authentication_session = authentication_session
     return authentication_session
 
 
@@ -252,7 +241,7 @@ def requires_authentication(arg=None):
     def decorator(func):
         @functools.wraps(func)
         async def wrapper(request, *args, **kwargs):
-            request.ctx.authentication_session = await authenticate(request)
+            await authenticate(request)
             return await func(request, *args, **kwargs)
 
         return wrapper
@@ -290,7 +279,7 @@ def create_initial_admin_account(app: Sanic) -> None:
             account = await Account.create(
                 username="Head-Admin",
                 email=security_config.INITIAL_ADMIN_EMAIL,
-                password=PasswordHasher().hash(security_config.INITIAL_ADMIN_PASSWORD),
+                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
                 verified=True,
             )
             await account.roles.add(role)

sanic_security/models.py

@@ -1,3 +1,4 @@
+import base64
 import datetime
 from io import BytesIO
 from typing import Union
@@ -195,6 +196,58 @@ class Account(BaseModel):
         except DoesNotExist:
             raise NotFoundError("Account with this username does not exist.")
 
+    @staticmethod
+    async def get_via_credential(credential: str):
+        """
+        Retrieve an account with an email or username.
+
+        Args:
+            credential (str): Email or username associated to account being retrieved.
+
+        Returns:
+            account
+
+        Raises:
+            NotFoundError
+        """
+        try:
+            account = await Account.get_via_email(credential)
+        except NotFoundError as e:
+            if security_config.ALLOW_LOGIN_WITH_USERNAME:
+                account = await Account.get_via_username(credential)
+            else:
+                raise e
+        return account
+
+    @staticmethod
+    async def get_via_header(request: Request):
+        """
+        Retrieve the account the client is logging into and client's password attempt via the basic authorization header.
+
+        Args:
+            request (Request): Sanic request parameter.
+
+        Returns:
+            account, password
+
+        Raises:
+            NotFoundError
+        """
+        if request.headers.get("Authorization"):
+            authorization_type, credentials = request.headers.get(
+                "Authorization"
+            ).split()
+            if authorization_type == "Basic":
+                email_or_username, password = (
+                    base64.b64decode(credentials).decode().split(":")
+                )
+                account = await Account.get_via_credential(email_or_username)
+                return account, password
+            else:
+                raise CredentialsError("Invalid authorization type.")
+        else:
+            raise CredentialsError("Authorization header not provided.")
+
     @staticmethod
     async def get_via_phone(phone: str):
         """
@@ -296,8 +349,16 @@ class Session(BaseModel):
             samesite=security_config.SESSION_SAMESITE,
             secure=security_config.SESSION_SECURE,
         )
-        if self.expiration_date:
-            response.cookies.get_cookie(cookie).expires = self.expiration_date
+        if self.expiration_date:  # Overrides refresh expiration.
+            response.cookies.get_cookie(cookie).expires = (
+                self.refresh_expiration_date
+                if (
+                    hasattr(self, "refresh_expiration_date")
+                    and self.refresh_expiration_date
+                )
+                else self.expiration_date
+            )
+
         if security_config.SESSION_DOMAIN:
             response.cookies.get_cookie(cookie).domain = security_config.SESSION_DOMAIN
 

sanic_security/test/server.py

@@ -175,12 +175,10 @@ async def on_authenticate(request):
 
 @app.on_response
 async def authentication_refresh_encoder(request, response):
-    try:
+    if hasattr(request.ctx, "authentication_session"):
         authentication_session = request.ctx.authentication_session
         if authentication_session.is_refresh:
             authentication_session.encode(response)
-    except AttributeError:
-        pass
 
 
 @app.post("api/test/auth/expire")

{sanic_security-1.12.2.dist-info → sanic_security-1.12.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.12.2
+Version: 1.12.4
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <na.stewart365@gmail.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -14,20 +14,20 @@ Classifier: Programming Language :: Python
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: tortoise-orm >=0.17.0
-Requires-Dist: pyjwt >=1.7.0
-Requires-Dist: captcha >=0.4
-Requires-Dist: pillow >=9.5.0
-Requires-Dist: argon2-cffi >=20.1.0
-Requires-Dist: sanic >=21.3.0
+Requires-Dist: tortoise-orm>=0.17.0
+Requires-Dist: pyjwt>=1.7.0
+Requires-Dist: captcha>=0.4
+Requires-Dist: pillow>=9.5.0
+Requires-Dist: argon2-cffi>=20.1.0
+Requires-Dist: sanic>=21.3.0
 Provides-Extra: crypto
-Requires-Dist: cryptography >=3.3.1 ; extra == 'crypto'
+Requires-Dist: cryptography>=3.3.1; extra == "crypto"
 Provides-Extra: dev
-Requires-Dist: httpx ; extra == 'dev'
-Requires-Dist: black ; extra == 'dev'
-Requires-Dist: blacken-docs ; extra == 'dev'
-Requires-Dist: pdoc3 ; extra == 'dev'
-Requires-Dist: cryptography ; extra == 'dev'
+Requires-Dist: httpx; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: blacken-docs; extra == "dev"
+Requires-Dist: pdoc3; extra == "dev"
+Requires-Dist: cryptography; extra == "dev"
 
 <!-- PROJECT SHIELDS -->
 <!--
@@ -84,7 +84,7 @@ Sanic Security is an authentication, authorization, and verification library des
 * Two-step verification
 * Role based authorization with wildcard permissions
 
-Please visit [security.na-stewart.com](https://security.na-stewart.com) for documentation and [here for an implementation guide](https://blog.na-stewart.com/entry?id=3).
+Visit [security.na-stewart.com](https://security.na-stewart.com) for documentation.
 
 <!-- GETTING STARTED -->
 ## Getting Started
@@ -172,13 +172,13 @@ The tables in the below examples represent example [request form-data](https://s
 
 * Initial Administrator Account
 
-This account can be logged into and has complete authoritative access. Login credentials should be modified in config!
+Creates initial admin account, you should modify its credentials in config!
   
-  ```python
-  create_initial_admin_account(app)
-  if __name__ == "__main__":
-      app.run(host="127.0.0.1", port=8000)
-  ```
+```python
+create_initial_admin_account(app)
+if __name__ == "__main__":
+    app.run(host="127.0.0.1", port=8000)
+```
   
 * Registration (With two-step account verification)
 
@@ -224,11 +224,10 @@ async def on_verify(request):
 
 * Login (With two-factor authentication)
 
-Login credentials are retrieved via the Authorization header. Credentials are constructed by first combining the 
-username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 
-(YWxhZGRpbjpvcGVuc2VzYW1l). Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`.
-
-You can use a username as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
+Credentials are retrieved via header are constructed by first combining the username and the password with a colon 
+(aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l). 
+Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`. You can use a username 
+as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
 
 ```python
 @app.post("api/security/login")
@@ -249,6 +248,8 @@ async def on_login(request):
     return response
 ```
 
+If this isn't desired, you can pass an account and password attempt directly into the login instead.
+
 * Fulfill Second Factor
 
 Fulfills client authentication session's second factor requirement via two-step session code.
@@ -295,8 +296,6 @@ async def on_logout(request):
 
 * Authenticate
 
-New/Refreshed session returned if client's session expired during authentication, requires encoding.
-
 ```python
 @app.post("api/security/auth")
 async def on_authenticate(request):
@@ -305,15 +304,11 @@ async def on_authenticate(request):
         "You have been authenticated.",
         authentication_session.json,
     )
-    if authentication_session.is_refresh:
-        authentication_session.encode(response)
     return response
 ```
 
 * Requires Authentication (This method is not called directly and instead used as a decorator)
 
-New/Refreshed session returned if client's session expired during authentication, requires encoding.
-
 ```python
 @app.post("api/security/auth")
 @requires_authentication
@@ -323,24 +318,22 @@ async def on_authenticate(request):
         "You have been authenticated.",
         authentication_session.json,
     )
-    if authentication_session.is_refresh:
-        authentication_session.encode(response)
     return response
 ```
 
 * Authentication Middleware
 
-Refreshed session can be encoded automatically via middleware.
+New/Refreshed session returned if client's session expired during authentication, requires encoding.
+
+Middleware is recommended to automatically encode the refreshed session.
 
 ```python
 @app.on_response
 async def authentication_refresh_encoder(request, response):
-    try:
+    if hasattr(request.ctx, "authentication_session"):
         authentication_session = request.ctx.authentication_session
         if authentication_session.is_refresh:
             authentication_session.encode(response)
-    except AttributeError:
-        pass
 ```
 
 ## Captcha

{sanic_security-1.12.2.dist-info → sanic_security-1.12.4.dist-info}/RECORD

@@ -1,16 +1,16 @@
 sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=j-nFOLuNBcacKH34J04JIbsKSZ2JMH33ZqnS6vipwfQ,12508
+sanic_security/authentication.py,sha256=j_V-XEx8op5fYcszIE6PoeBDId0OJA8KlJW7FDXKr6s,12012
 sanic_security/authorization.py,sha256=aQztMiZG9LDctr_C6QEzO5qScwbxpiLk96XVxwdCChM,6921
 sanic_security/configuration.py,sha256=p44nTSrBQQSJZYN6qJEod_Ettf90rRNlmPxmNzxqQ9A,5514
 sanic_security/exceptions.py,sha256=8c3xoQSiIKfSiOQOtw49RG8Qdlc3vZDzqjrEnPad4Ds,5411
-sanic_security/models.py,sha256=aB1fFCutUHDAg8jG3_VdZijOblXnSYh99gyA5fOm1u4,20528
+sanic_security/models.py,sha256=nj5iYHzPZzdLs5dc3j6kdeScSk1SASizfK58Sa5YN8E,22527
 sanic_security/utils.py,sha256=Zgde7W69ixwv_H8eTs7indO5_U2Jvq62YUpG6ipN768,2629
 sanic_security/verification.py,sha256=vrxYborEOBKEirOHczul9WYub5j6T2ldXE1gsoA8iyY,7503
 sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=qQtbQh8m9QYf4g1SL8QJbOyyJzAXFaNmDyBxU8b6RBc,12627
+sanic_security/test/server.py,sha256=G5q7mzTUxOpKlhbzNbzTZYSWd6g8a0toOFX9qTA_nVg,12631
 sanic_security/test/tests.py,sha256=Hg40wlZfC-CDZX6lIjeT6uXy-3BJMc4ChJsnCRCBIu8,22459
-sanic_security-1.12.2.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.12.2.dist-info/METADATA,sha256=YRKIzZgdU5Ka7QXR3Q0DdAj5dnNgHVh4P9vaVi03wV0,23954
-sanic_security-1.12.2.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91
-sanic_security-1.12.2.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.12.2.dist-info/RECORD,,
+sanic_security-1.12.4.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.12.4.dist-info/METADATA,sha256=jBOYc-2TvLy6eFKw9FpiFoXe4toejAPeiw7eVlm0Gi0,23594
+sanic_security-1.12.4.dist-info/WHEEL,sha256=cVxcB9AmuTcXqmwrtPhNK88dr7IR_b6qagTj0UvIEbY,91
+sanic_security-1.12.4.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.12.4.dist-info/RECORD,,

{sanic_security-1.12.2.dist-info → sanic_security-1.12.4.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (70.1.1)
+Generator: setuptools (74.1.2)
 Root-Is-Purelib: true
 Tag: py3-none-any