sanic-security 1.12.3__py3-none-any.whl → 1.12.5__py3-none-any.whl

sanic_security/authentication.py

@@ -1,4 +1,3 @@
-import base64
 import functools
 import re
 
@@ -11,7 +10,6 @@ from tortoise.exceptions import DoesNotExist
 
 from sanic_security.configuration import config as security_config
 from sanic_security.exceptions import (
-    NotFoundError,
     CredentialsError,
     DeactivatedError,
     SecondFactorFulfilledError,
@@ -90,15 +88,19 @@ async def register(
 
 
 async def login(
-    request: Request, account: Account = None, require_second_factor: bool = False
+    request: Request,
+    account: Account = None,
+    require_second_factor: bool = False,
+    password: str = None,
 ) -> AuthenticationSession:
     """
     Login with email or username (if enabled) and password.
 
     Args:
-        request (Request): Sanic request parameter. Login credentials are retrieved via the authorization header.
-        account (Account): Account being logged into, overrides retrieving account via email or username in form-data.
+        request (Request): Sanic request parameter, login credentials are retrieved via the authorization header.
+        account (Account): Account being logged into, overrides account retrieved via email or username.
         require_second_factor (bool): Determines authentication session second factor requirement on login.
+        password (str): Overrides user's password attempt retrieved via the authorization header.
 
     Returns:
         authentication_session
@@ -110,24 +112,10 @@ async def login(
         UnverifiedError
         DisabledError
     """
-    if request.headers.get("Authorization"):
-        authorization_type, credentials = request.headers.get("Authorization").split()
-        if authorization_type == "Basic":
-            email_or_username, password = (
-                base64.b64decode(credentials).decode().split(":")
-            )
-        else:
-            raise CredentialsError("Invalid authorization type.")
-    else:
-        raise CredentialsError("Credentials not provided.")
     if not account:
-        try:
-            account = await Account.get_via_email(email_or_username.lower())
-        except NotFoundError as e:
-            if security_config.ALLOW_LOGIN_WITH_USERNAME:
-                account = await Account.get_via_username(email_or_username)
-            else:
-                raise e
+        account, password = await Account.get_via_header(request)
+    elif not password:
+        raise CredentialsError("Password parameter is empty.")
     try:
         password_hasher.verify(account.password, password)
         if password_hasher.check_needs_rehash(account.password):
@@ -253,7 +241,7 @@ def requires_authentication(arg=None):
     def decorator(func):
         @functools.wraps(func)
         async def wrapper(request, *args, **kwargs):
-            request.ctx.authentication_session = await authenticate(request)
+            await authenticate(request)
             return await func(request, *args, **kwargs)
 
         return wrapper
@@ -261,6 +249,22 @@ def requires_authentication(arg=None):
     return decorator(arg) if callable(arg) else decorator
 
 
+def attach_refresh_encoder(app: Sanic):
+    """
+    Automatically encodes the new/refreshed session returned during authentication when client's current session expires.
+
+    Args:
+        app: (Sanic): The main Sanic application instance.
+    """
+
+    @app.on_response
+    async def refresh_encoder_middleware(request, response):
+        if hasattr(request.ctx, "authentication_session"):
+            authentication_session = request.ctx.authentication_session
+            if authentication_session.is_refresh:
+                authentication_session.encode(response)
+
+
 def create_initial_admin_account(app: Sanic) -> None:
     """
     Creates the initial admin account that can be logged into and has complete authoritative access.
@@ -291,7 +295,7 @@ def create_initial_admin_account(app: Sanic) -> None:
             account = await Account.create(
                 username="Head-Admin",
                 email=security_config.INITIAL_ADMIN_EMAIL,
-                password=PasswordHasher().hash(security_config.INITIAL_ADMIN_PASSWORD),
+                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
                 verified=True,
             )
             await account.roles.add(role)

sanic_security/exceptions.py

@@ -130,7 +130,7 @@ class DeactivatedError(SessionError):
 
     def __init__(
         self,
-        message: str = "Session has been deactivated or refreshed.",
+        message: str = "Session has been deactivated.",
         code: int = 401,
     ):
         super().__init__(message, code)

sanic_security/models.py

@@ -1,3 +1,4 @@
+import base64
 import datetime
 from io import BytesIO
 from typing import Union
@@ -195,6 +196,58 @@ class Account(BaseModel):
         except DoesNotExist:
             raise NotFoundError("Account with this username does not exist.")
 
+    @staticmethod
+    async def get_via_credential(credential: str):
+        """
+        Retrieve an account with an email or username.
+
+        Args:
+            credential (str): Email or username associated to account being retrieved.
+
+        Returns:
+            account
+
+        Raises:
+            NotFoundError
+        """
+        try:
+            account = await Account.get_via_email(credential)
+        except NotFoundError as e:
+            if security_config.ALLOW_LOGIN_WITH_USERNAME:
+                account = await Account.get_via_username(credential)
+            else:
+                raise e
+        return account
+
+    @staticmethod
+    async def get_via_header(request: Request):
+        """
+        Retrieve the account the client is logging into and client's password attempt via the basic authorization header.
+
+        Args:
+            request (Request): Sanic request parameter.
+
+        Returns:
+            account, password
+
+        Raises:
+            NotFoundError
+        """
+        if request.headers.get("Authorization"):
+            authorization_type, credentials = request.headers.get(
+                "Authorization"
+            ).split()
+            if authorization_type == "Basic":
+                email_or_username, password = (
+                    base64.b64decode(credentials).decode().split(":")
+                )
+                account = await Account.get_via_credential(email_or_username)
+                return account, password
+            else:
+                raise CredentialsError("Invalid authorization type.")
+        else:
+            raise CredentialsError("Authorization header not provided.")
+
     @staticmethod
     async def get_via_phone(phone: str):
         """
@@ -297,12 +350,15 @@ class Session(BaseModel):
             secure=security_config.SESSION_SECURE,
         )
         if self.expiration_date:  # Overrides refresh expiration.
-            if hasattr(self, "refresh_expiration_date"):
-                response.cookies.get_cookie(cookie).expires = (
-                    self.refresh_expiration_date
+            response.cookies.get_cookie(cookie).expires = (
+                self.refresh_expiration_date
+                if (
+                    hasattr(self, "refresh_expiration_date")
+                    and self.refresh_expiration_date
                 )
-            else:
-                response.cookies.get_cookie(cookie).expires = self.expiration_date
+                else self.expiration_date
+            )
+
         if security_config.SESSION_DOMAIN:
             response.cookies.get_cookie(cookie).domain = security_config.SESSION_DOMAIN
 

sanic_security/test/server.py

@@ -12,6 +12,7 @@ from sanic_security.authentication import (
     logout,
     create_initial_admin_account,
     fulfill_second_factor,
+    attach_refresh_encoder,
 )
 from sanic_security.authorization import (
     assign_role,
@@ -173,14 +174,6 @@ async def on_authenticate(request):
     return response
 
 
-@app.on_response
-async def authentication_refresh_encoder(request, response):
-    if hasattr(request.ctx, "authentication_session"):
-        authentication_session = request.ctx.authentication_session
-        if authentication_session.is_refresh:
-            authentication_session.encode(response)
-
-
 @app.post("api/test/auth/expire")
 @requires_authentication
 async def on_authentication_expire(request):
@@ -351,6 +344,7 @@ register_tortoise(
     modules={"models": ["sanic_security.models"]},
     generate_schemas=True,
 )
+attach_refresh_encoder(app)
 create_initial_admin_account(app)
 if __name__ == "__main__":
     app.run(host="127.0.0.1", port=8000, workers=1, debug=True)

sanic_security/test/tests.py

@@ -576,6 +576,4 @@ class MiscTest(TestCase):
         authenticate_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth",
         )  # Since session refresh handling is complete, it will be returned as a regular session now.
-        assert (
-            json.loads(authenticate_response.text)["data"]["refresh"] is False
-        ), authenticate_response.text
+        assert authenticate_response.status_code == 200, authenticate_response.text

{sanic_security-1.12.3.dist-info → sanic_security-1.12.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.12.3
+Version: 1.12.5
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <na.stewart365@gmail.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -14,20 +14,20 @@ Classifier: Programming Language :: Python
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: tortoise-orm >=0.17.0
-Requires-Dist: pyjwt >=1.7.0
-Requires-Dist: captcha >=0.4
-Requires-Dist: pillow >=9.5.0
-Requires-Dist: argon2-cffi >=20.1.0
-Requires-Dist: sanic >=21.3.0
+Requires-Dist: tortoise-orm>=0.17.0
+Requires-Dist: pyjwt>=1.7.0
+Requires-Dist: captcha>=0.4
+Requires-Dist: pillow>=9.5.0
+Requires-Dist: argon2-cffi>=20.1.0
+Requires-Dist: sanic>=21.3.0
 Provides-Extra: crypto
-Requires-Dist: cryptography >=3.3.1 ; extra == 'crypto'
+Requires-Dist: cryptography>=3.3.1; extra == "crypto"
 Provides-Extra: dev
-Requires-Dist: httpx ; extra == 'dev'
-Requires-Dist: black ; extra == 'dev'
-Requires-Dist: blacken-docs ; extra == 'dev'
-Requires-Dist: pdoc3 ; extra == 'dev'
-Requires-Dist: cryptography ; extra == 'dev'
+Requires-Dist: httpx; extra == "dev"
+Requires-Dist: black; extra == "dev"
+Requires-Dist: blacken-docs; extra == "dev"
+Requires-Dist: pdoc3; extra == "dev"
+Requires-Dist: cryptography; extra == "dev"
 
 <!-- PROJECT SHIELDS -->
 <!--
@@ -84,7 +84,7 @@ Sanic Security is an authentication, authorization, and verification library des
 * Two-step verification
 * Role based authorization with wildcard permissions
 
-Please visit [security.na-stewart.com](https://security.na-stewart.com) for documentation and [here for an implementation guide](https://blog.na-stewart.com/entry?id=3).
+Visit [security.na-stewart.com](https://security.na-stewart.com) for documentation.
 
 <!-- GETTING STARTED -->
 ## Getting Started
@@ -172,13 +172,13 @@ The tables in the below examples represent example [request form-data](https://s
 
 * Initial Administrator Account
 
-This account can be logged into and has complete authoritative access. Login credentials should be modified in config!
+Creates initial admin account, you should modify its credentials in config!
   
-  ```python
-  create_initial_admin_account(app)
-  if __name__ == "__main__":
-      app.run(host="127.0.0.1", port=8000)
-  ```
+```python
+create_initial_admin_account(app)
+if __name__ == "__main__":
+    app.run(host="127.0.0.1", port=8000)
+```
   
 * Registration (With two-step account verification)
 
@@ -224,11 +224,10 @@ async def on_verify(request):
 
 * Login (With two-factor authentication)
 
-Login credentials are retrieved via the Authorization header. Credentials are constructed by first combining the 
-username and the password with a colon (aladdin:opensesame), and then by encoding the resulting string in base64 
-(YWxhZGRpbjpvcGVuc2VzYW1l). Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`.
-
-You can use a username as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
+Credentials are retrieved via header are constructed by first combining the username and the password with a colon 
+(aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l). 
+Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`. You can use a username 
+as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
 
 ```python
 @app.post("api/security/login")
@@ -249,6 +248,8 @@ async def on_login(request):
     return response
 ```
 
+If this isn't desired, you can pass an account and password attempt directly into the login method instead.
+
 * Fulfill Second Factor
 
 Fulfills client authentication session's second factor requirement via two-step session code.
@@ -320,19 +321,15 @@ async def on_authenticate(request):
     return response
 ```
 
-* Authentication Middleware
-
-New/Refreshed session returned if client's session expired during authentication, requires encoding.
+* Refresh Encoder
 
-Middleware is recommended to automatically encode the refreshed session.
+A new/refreshed session is returned during authentication if the client's session expired during authentication and
+requires encoding. Rather than doing so manually, it can be done automatically via middleware.
 
 ```python
-@app.on_response
-async def authentication_refresh_encoder(request, response):
-    if hasattr(request.ctx, "authentication_session"):
-        authentication_session = request.ctx.authentication_session
-        if authentication_session.is_refresh:
-            authentication_session.encode(response)
+attach_refresh_encoder(app)
+if __name__ == "__main__":
+    app.run(host="127.0.0.1", port=8000)
 ```
 
 ## Captcha

sanic_security-1.12.5.dist-info/RECORD

@@ -0,0 +1,16 @@
+sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/authentication.py,sha256=obMKNnJXleeBGXqmsm1y5jFNI-FrW9krdO5SD6yOstE,12598
+sanic_security/authorization.py,sha256=aQztMiZG9LDctr_C6QEzO5qScwbxpiLk96XVxwdCChM,6921
+sanic_security/configuration.py,sha256=p44nTSrBQQSJZYN6qJEod_Ettf90rRNlmPxmNzxqQ9A,5514
+sanic_security/exceptions.py,sha256=MTPF4tm_68Nmf_z06RHH_6DTiC_CNiLER1jzEoW1dFk,5398
+sanic_security/models.py,sha256=nj5iYHzPZzdLs5dc3j6kdeScSk1SASizfK58Sa5YN8E,22527
+sanic_security/utils.py,sha256=Zgde7W69ixwv_H8eTs7indO5_U2Jvq62YUpG6ipN768,2629
+sanic_security/verification.py,sha256=vrxYborEOBKEirOHczul9WYub5j6T2ldXE1gsoA8iyY,7503
+sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/test/server.py,sha256=pwqsDS81joMdxIynivaNPCCMamv9qzAjknfZ01ZxQHc,12380
+sanic_security/test/tests.py,sha256=6TUp5GVYIR27qCzwIw2qt7DvW7ohxj-seYpnpeMbuno,22407
+sanic_security-1.12.5.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.12.5.dist-info/METADATA,sha256=n8CLfkmnR8lcAn9ZO8tMQDC0H_TjWT1U0ITo3JCkWHs,23420
+sanic_security-1.12.5.dist-info/WHEEL,sha256=cVxcB9AmuTcXqmwrtPhNK88dr7IR_b6qagTj0UvIEbY,91
+sanic_security-1.12.5.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.12.5.dist-info/RECORD,,

{sanic_security-1.12.3.dist-info → sanic_security-1.12.5.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (70.3.0)
+Generator: setuptools (74.1.2)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

sanic_security-1.12.3.dist-info/RECORD

@@ -1,16 +0,0 @@
-sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=E17jQg1gD06CTRk7l9q8EUzgeAEXn2J0E02Va-QYx9I,12573
-sanic_security/authorization.py,sha256=aQztMiZG9LDctr_C6QEzO5qScwbxpiLk96XVxwdCChM,6921
-sanic_security/configuration.py,sha256=p44nTSrBQQSJZYN6qJEod_Ettf90rRNlmPxmNzxqQ9A,5514
-sanic_security/exceptions.py,sha256=8c3xoQSiIKfSiOQOtw49RG8Qdlc3vZDzqjrEnPad4Ds,5411
-sanic_security/models.py,sha256=OEvO4xUh_7QCdwfaiKt51T3fmn3MJSrIcM1TszDfqgg,20776
-sanic_security/utils.py,sha256=Zgde7W69ixwv_H8eTs7indO5_U2Jvq62YUpG6ipN768,2629
-sanic_security/verification.py,sha256=vrxYborEOBKEirOHczul9WYub5j6T2ldXE1gsoA8iyY,7503
-sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=G5q7mzTUxOpKlhbzNbzTZYSWd6g8a0toOFX9qTA_nVg,12631
-sanic_security/test/tests.py,sha256=Hg40wlZfC-CDZX6lIjeT6uXy-3BJMc4ChJsnCRCBIu8,22459
-sanic_security-1.12.3.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.12.3.dist-info/METADATA,sha256=Xaqk6JqUV3Y7IafPDQ85k7VTaghTLTQGtbLpKiZ7gEo,23680
-sanic_security-1.12.3.dist-info/WHEEL,sha256=Z4pYXqR_rTB7OWNDYFOm1qRk0RX6GFP2o8LgvP453Hk,91
-sanic_security-1.12.3.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.12.3.dist-info/RECORD,,