sanic-security 1.12.6__py3-none-any.whl → 1.13.0__py3-none-any.whl

sanic_security/authentication.py

@@ -1,5 +1,6 @@
 import functools
 import re
+import warnings
 
 from argon2 import PasswordHasher
 from argon2.exceptions import VerifyMismatchError
@@ -8,14 +9,16 @@ from sanic.log import logger
 from sanic.request import Request
 from tortoise.exceptions import DoesNotExist
 
-from sanic_security.configuration import config as security_config
+from sanic_security.configuration import config as security_config, DEFAULT_CONFIG
 from sanic_security.exceptions import (
     CredentialsError,
     DeactivatedError,
     SecondFactorFulfilledError,
     ExpiredError,
+    AuditWarning,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
+from sanic_security.utils import get_ip
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -75,11 +78,10 @@ async def register(
         raise CredentialsError(
             "An account with this phone number may already exist.", 409
         )
-    validate_password(request.form.get("password"))
     account = await Account.create(
         email=email_lower,
         username=request.form.get("username"),
-        password=password_hasher.hash(request.form.get("password")),
+        password=password_hasher.hash(validate_password(request.form.get("password"))),
         phone=request.form.get("phone"),
         verified=verified,
         disabled=disabled,
@@ -122,10 +124,17 @@ async def login(
             account.password = password_hasher.hash(password)
             await account.save(update_fields=["password"])
         account.validate()
-        return await AuthenticationSession.new(
+        authentication_session = await AuthenticationSession.new(
             request, account, requires_second_factor=require_second_factor
         )
+        logger.info(
+            f"Client {get_ip(request)} has logged into account {account.id} with authentication session {authentication_session.id}."
+        )
+        return authentication_session
     except VerifyMismatchError:
+        logger.warning(
+            f"Client {get_ip(request)} has failed to log into account {account.id}."
+        )
         raise CredentialsError("Incorrect password.", 401)
 
 
@@ -149,6 +158,10 @@ async def logout(request: Request) -> AuthenticationSession:
         raise DeactivatedError("Already logged out.", 403)
     authentication_session.active = False
     await authentication_session.save(update_fields=["active"])
+    logger.info(
+        f"Client {get_ip(request)} has logged out {"anonymously" if authentication_session.anonymous 
+        else f"of account {authentication_session.bearer.id}"} with authentication session {authentication_session.id}."
+    )
     return authentication_session
 
 
@@ -177,7 +190,7 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
         raise SecondFactorFulfilledError()
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
-    await two_step_session.check_code(request, request.form.get("code"))
+    await two_step_session.check_code(request.form.get("code"))
     authentication_session.requires_second_factor = False
     await authentication_session.save(update_fields=["requires_second_factor"])
     return authentication_session
@@ -249,59 +262,6 @@ def requires_authentication(arg=None):
     return decorator(arg) if callable(arg) else decorator
 
 
-def attach_refresh_encoder(app: Sanic):
-    """
-    Automatically encodes the new/refreshed session returned during authentication when client's current session expires.
-
-    Args:
-        app: (Sanic): The main Sanic application instance.
-    """
-
-    @app.on_response
-    async def refresh_encoder_middleware(request, response):
-        if hasattr(request.ctx, "authentication_session"):
-            authentication_session = request.ctx.authentication_session
-            if authentication_session.is_refresh:
-                authentication_session.encode(response)
-
-
-def create_initial_admin_account(app: Sanic) -> None:
-    """
-    Creates the initial admin account that can be logged into and has complete authoritative access.
-
-    Args:
-        app (Sanic): The main Sanic application instance.
-    """
-
-    @app.listener("before_server_start")
-    async def create(app, loop):
-        try:
-            role = await Role.filter(name="Head Admin").get()
-        except DoesNotExist:
-            role = await Role.create(
-                description="Has root abilities, assign sparingly.",
-                permissions="*:*",
-                name="Head Admin",
-            )
-        try:
-            account = await Account.filter(
-                email=security_config.INITIAL_ADMIN_EMAIL
-            ).get()
-            await account.fetch_related("roles")
-            if role not in account.roles:
-                await account.roles.add(role)
-                logger.warning("Initial admin account role has been reinstated.")
-        except DoesNotExist:
-            account = await Account.create(
-                username="Head-Admin",
-                email=security_config.INITIAL_ADMIN_EMAIL,
-                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
-                verified=True,
-            )
-            await account.roles.add(role)
-            logger.info("Initial admin account created.")
-
-
 def validate_email(email: str) -> str:
     """
     Validates email format.
@@ -380,3 +340,77 @@ def validate_password(password: str) -> str:
             400,
         )
     return password
+
+
+def initialize_security(app: Sanic, create_root=True) -> None:
+    """
+    Audits configuration, creates root administrator account, and attaches refresh encoder middleware.
+
+    Args:
+        app (Sanic): The main Sanic application instance.
+        create_root (bool): Determines root account creation on initialization.
+    """
+
+    @app.on_response
+    async def refresh_encoder_middleware(request, response):
+        if hasattr(request.ctx, "authentication_session"):
+            authentication_session = request.ctx.authentication_session
+            if authentication_session.is_refresh:
+                authentication_session.encode(response)
+
+    @app.listener("before_server_start")
+    async def audit_configuration(app, loop):
+        if security_config.SECRET == DEFAULT_CONFIG["SECRET"]:
+            warnings.warn("Secret should be changed from default.", AuditWarning)
+        if not security_config.SESSION_HTTPONLY:
+            warnings.warn("HttpOnly should be enabled.", AuditWarning)
+        if not security_config.SESSION_SECURE:
+            warnings.warn("Secure should be enabled.", AuditWarning)
+        if security_config.SESSION_SAMESITE.lower() == "none":
+            warnings.warn("SameSite should not be set to none.", AuditWarning)
+        if (
+            create_root
+            and security_config.INITIAL_ADMIN_EMAIL
+            == DEFAULT_CONFIG["INITIAL_ADMIN_EMAIL"]
+        ):
+            warnings.warn(
+                "Initial admin email should be changed from default.", AuditWarning
+            )
+        if (
+            create_root
+            and security_config.INITIAL_ADMIN_PASSWORD
+            == DEFAULT_CONFIG["INITIAL_ADMIN_PASSWORD"]
+        ):
+            warnings.warn(
+                "Initial admin password should be changed from default.", AuditWarning
+            )
+
+    @app.listener("before_server_start")
+    async def create_root_account(app, loop):
+        if not create_root:
+            return
+        try:
+            role = await Role.filter(name="Root").get()
+        except DoesNotExist:
+            role = await Role.create(
+                description="Has administrator abilities, assign sparingly.",
+                permissions="*:*",
+                name="Root",
+            )
+        try:
+            account = await Account.filter(
+                email=security_config.INITIAL_ADMIN_EMAIL
+            ).get()
+            await account.fetch_related("roles")
+            if role not in account.roles:
+                await account.roles.add(role)
+                logger.warning("Initial admin account role has been reinstated.")
+        except DoesNotExist:
+            account = await Account.create(
+                username="Root",
+                email=security_config.INITIAL_ADMIN_EMAIL,
+                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
+                verified=True,
+            )
+            await account.roles.add(role)
+            logger.info("Initial admin account created.")

sanic_security/authorization.py

@@ -1,12 +1,14 @@
 import functools
 from fnmatch import fnmatch
 
+from sanic.log import logger
 from sanic.request import Request
 from tortoise.exceptions import DoesNotExist
 
 from sanic_security.authentication import authenticate
 from sanic_security.exceptions import AuthorizationError, AnonymousError
 from sanic_security.models import Role, Account, AuthenticationSession
+from sanic_security.utils import get_ip
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -65,6 +67,10 @@ async def check_permissions(
         ):
             if fnmatch(required_permission, role_permission):
                 return authentication_session
+    logger.warning(
+        f"Client {get_ip(request)} with account {authentication_session.bearer.id} has insufficient permissions for "
+        "attempted action."
+    )
     raise AuthorizationError("Insufficient permissions required for this action.")
 
 
@@ -97,6 +103,10 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
     for role in roles:
         if role.name in required_roles:
             return authentication_session
+    logger.warning(
+        f"Client {get_ip(request)} with account {authentication_session.bearer.id} has insufficient roles for "
+        "attempted action."
+    )
     raise AuthorizationError("Insufficient roles required for this action.")
 
 

sanic_security/configuration.py

@@ -24,15 +24,14 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 """
 
-
 DEFAULT_CONFIG = {
     "SECRET": "This is a big secret. Shhhhh",
     "PUBLIC_SECRET": None,
-    "SESSION_SAMESITE": "strict",
+    "SESSION_SAMESITE": "Strict",
     "SESSION_SECURE": True,
     "SESSION_HTTPONLY": True,
     "SESSION_DOMAIN": None,
-    "SESSION_PREFIX": "token",
+    "SESSION_PREFIX": "tkn",
     "SESSION_ENCODING_ALGORITHM": "HS256",
     "MAX_CHALLENGE_ATTEMPTS": 5,
     "CAPTCHA_SESSION_EXPIRATION": 60,

sanic_security/exceptions.py

@@ -206,3 +206,9 @@ class AnonymousError(AuthorizationError):
 
     def __init__(self):
         super().__init__("Session is anonymous.")
+
+
+class AuditWarning(Warning):
+    """
+    Raised when configuration is invalid.
+    """

sanic_security/models.py

@@ -6,7 +6,6 @@ from typing import Union
 import jwt
 from captcha.image import ImageCaptcha
 from jwt import DecodeError
-from sanic.log import logger
 from sanic.request import Request
 from sanic.response import HTTPResponse, raw
 from tortoise import fields, Model
@@ -493,13 +492,12 @@ class VerificationSession(Session):
     attempts: int = fields.IntField(default=0)
     code: str = fields.CharField(max_length=10, default=get_code, null=True)
 
-    async def check_code(self, request: Request, code: str) -> None:
+    async def check_code(self, code: str) -> None:
         """
         Checks if code passed is equivalent to the session code.
 
         Args:
             code (str): Code being cross-checked with session code.
-            request (Request): Sanic request parameter.
 
         Raises:
             ChallengeError
@@ -513,13 +511,9 @@ class VerificationSession(Session):
                     "Your code does not match verification session code."
                 )
             else:
-                logger.warning(
-                    f"Client ({get_ip(request)}) has maxed out on session challenge attempts"
-                )
                 raise MaxedOutChallengeError()
         else:
-            self.active = False
-            await self.save(update_fields=["active"])
+            await self.deactivate()
 
     @classmethod
     async def new(cls, request: Request, account: Account, **kwargs):
@@ -530,9 +524,7 @@ class VerificationSession(Session):
 
 
 class TwoStepSession(VerificationSession):
-    """
-    Validates a client using a code sent via email or text.
-    """
+    """Validates a client using a code sent via email or text."""
 
     @classmethod
     async def new(cls, request: Request, account: Account, **kwargs):
@@ -550,9 +542,7 @@ class TwoStepSession(VerificationSession):
 
 
 class CaptchaSession(VerificationSession):
-    """
-    Validates a client with a captcha challenge.
-    """
+    """Validates a client with a captcha challenge."""
 
     @classmethod
     async def new(cls, request: Request, **kwargs):
@@ -612,6 +602,9 @@ class AuthenticationSession(Session):
         """
         Refreshes session if expired and within refresh date.
 
+        Args:
+            request (Request): Sanic request parameter.
+
         Raises:
             DeletedError
             ExpiredError

sanic_security/test/server.py

@@ -10,9 +10,8 @@ from sanic_security.authentication import (
     register,
     requires_authentication,
     logout,
-    create_initial_admin_account,
     fulfill_second_factor,
-    attach_refresh_encoder,
+    initialize_security,
 )
 from sanic_security.authorization import (
     assign_role,
@@ -62,9 +61,7 @@ password_hasher = PasswordHasher()
 
 @app.post("api/test/auth/register")
 async def on_register(request):
-    """
-    Register an account with email and password.
-    """
+    """Register an account with email and password."""
     account = await register(
         request,
         verified=request.form.get("verified") == "true",
@@ -83,9 +80,7 @@ async def on_register(request):
 
 @app.post("api/test/auth/verify")
 async def on_verify(request):
-    """
-    Verifies client account.
-    """
+    """Verifies client account."""
     two_step_session = await verify_account(request)
     return json(
         "You have verified your account and may login!", two_step_session.bearer.json
@@ -94,9 +89,7 @@ async def on_verify(request):
 
 @app.post("api/test/auth/login")
 async def on_login(request):
-    """
-    Login to an account with an email and password.
-    """
+    """Login to an account with an email and password."""
     two_factor_authentication = request.args.get("two-factor-authentication") == "true"
     authentication_session = await login(
         request, require_second_factor=two_factor_authentication
@@ -118,9 +111,7 @@ async def on_login(request):
 
 @app.post("api/test/auth/login/anon")
 async def on_login_anonymous(request):
-    """
-    Login as anonymous user.
-    """
+    """Login as anonymous user."""
     authentication_session = await AuthenticationSession.new(request)
     response = json(
         "Anonymous user now associated with session!", authentication_session.json
@@ -131,9 +122,7 @@ async def on_login_anonymous(request):
 
 @app.post("api/test/auth/validate-2fa")
 async def on_two_factor_authentication(request):
-    """
-    Fulfills client authentication session's second factor requirement.
-    """
+    """Fulfills client authentication session's second factor requirement."""
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
@@ -145,9 +134,7 @@ async def on_two_factor_authentication(request):
 
 @app.post("api/test/auth/logout")
 async def on_logout(request):
-    """
-    Logout of currently logged in account.
-    """
+    """Logout of currently logged in account."""
     authentication_session = await logout(request)
     response = json("Logout successful!", authentication_session.json)
     return response
@@ -156,9 +143,7 @@ async def on_logout(request):
 @app.post("api/test/auth")
 @requires_authentication
 async def on_authenticate(request):
-    """
-    Authenticate client session and account.
-    """
+    """Authenticate client session and account."""
     authentication_session = request.ctx.authentication_session
     response = json(
         "Authenticated!",
@@ -177,9 +162,7 @@ async def on_authenticate(request):
 @app.post("api/test/auth/expire")
 @requires_authentication
 async def on_authentication_expire(request):
-    """
-    Expire client's session.
-    """
+    """Expire client's session."""
     authentication_session = request.ctx.authentication_session
     authentication_session.expiration_date = datetime.datetime.now(datetime.UTC)
     await authentication_session.save(update_fields=["expiration_date"])
@@ -189,9 +172,7 @@ async def on_authentication_expire(request):
 @app.post("api/test/auth/associated")
 @requires_authentication
 async def on_get_associated_authentication_sessions(request):
-    """
-    Retrieves authentication sessions associated with logged in account.
-    """
+    """Retrieves authentication sessions associated with logged in account."""
     authentication_sessions = await AuthenticationSession.get_associated(
         request.ctx.authentication_session.bearer
     )
@@ -203,9 +184,7 @@ async def on_get_associated_authentication_sessions(request):
 
 @app.get("api/test/capt/request")
 async def on_captcha_request(request):
-    """
-    Request captcha with solution in response.
-    """
+    """Request captcha with solution in response."""
     captcha_session = await request_captcha(request)
     response = json("Captcha request successful!", captcha_session.code)
     captcha_session.encode(response)
@@ -214,9 +193,7 @@ async def on_captcha_request(request):
 
 @app.get("api/test/capt/image")
 async def on_captcha_image(request):
-    """
-    Request captcha image.
-    """
+    """Request captcha image."""
     captcha_session = await CaptchaSession.decode(request)
     response = captcha_session.get_image()
     captcha_session.encode(response)
@@ -226,17 +203,13 @@ async def on_captcha_image(request):
 @app.post("api/test/capt")
 @requires_captcha
 async def on_captcha_attempt(request):
-    """
-    Attempt captcha challenge.
-    """
+    """Attempt captcha challenge."""
     return json("Captcha attempt successful!", request.ctx.captcha_session.json)
 
 
 @app.post("api/test/two-step/request")
 async def on_request_verification(request):
-    """
-    Request two-step verification with code in the response.
-    """
+    """Request two-step verification with code in the response."""
     two_step_session = await request_two_step_verification(request)
     response = json("Verification request successful!", two_step_session.code)
     two_step_session.encode(response)
@@ -246,9 +219,7 @@ async def on_request_verification(request):
 @app.post("api/test/two-step")
 @requires_two_step_verification
 async def on_verification_attempt(request):
-    """
-    Attempt two-step verification challenge.
-    """
+    """Attempt two-step verification challenge."""
     return json(
         "Two step verification attempt successful!", request.ctx.two_step_session.json
     )
@@ -257,9 +228,7 @@ async def on_verification_attempt(request):
 @app.post("api/test/auth/roles")
 @requires_authentication
 async def on_authorization(request):
-    """
-    Check if client is authorized with sufficient roles and permissions.
-    """
+    """Check if client is authorized with sufficient roles and permissions."""
     await check_roles(request, request.form.get("role"))
     if request.form.get("permissions_required"):
         await check_permissions(
@@ -271,9 +240,7 @@ async def on_authorization(request):
 @app.post("api/test/auth/roles/assign")
 @requires_authentication
 async def on_role_assign(request):
-    """
-    Assign authenticated account a role.
-    """
+    """Assign authenticated account a role."""
     await assign_role(
         request.form.get("name"),
         request.ctx.authentication_session.bearer,
@@ -285,9 +252,7 @@ async def on_role_assign(request):
 
 @app.post("api/test/account")
 async def on_account_creation(request):
-    """
-    Quick account creation.
-    """
+    """Quick account creation."""
     account = await Account.create(
         username=request.form.get("username"),
         email=request.form.get("email").lower(),
@@ -301,9 +266,7 @@ async def on_account_creation(request):
 
 @app.exception(SecurityError)
 async def on_security_error(request, exception):
-    """
-    Handles security errors with correct response.
-    """
+    """Handles security errors with correct response."""
     traceback.print_exc()
     return exception.json
 
@@ -344,7 +307,6 @@ register_tortoise(
     modules={"models": ["sanic_security.models"]},
     generate_schemas=True,
 )
-attach_refresh_encoder(app)
-create_initial_admin_account(app)
+initialize_security(app, True)
 if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000, workers=1, debug=True)
+    app.run(host="127.0.0.1", port=8000, workers=1)

sanic_security/test/tests.py

@@ -30,9 +30,7 @@ SOFTWARE.
 
 
 class RegistrationTest(TestCase):
-    """
-    Registration tests.
-    """
+    """Registration tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -62,9 +60,7 @@ class RegistrationTest(TestCase):
         return registration_response
 
     def test_registration(self):
-        """
-        Account registration and login.
-        """
+        """Account registration and login."""
         registration_response = self.register(
             "account_registration@register.test",
             "account_registration",
@@ -80,9 +76,7 @@ class RegistrationTest(TestCase):
         assert login_response.status_code == 200, login_response.text
 
     def test_invalid_registration(self):
-        """
-        Registration with an intentionally invalid email, username, and phone.
-        """
+        """Registration with an intentionally invalid email, username, and phone."""
         invalid_email_registration_response = self.register(
             "invalid_register.test", "invalid_register", False, True
         )
@@ -112,9 +106,7 @@ class RegistrationTest(TestCase):
         ), too_many_characters_registration_response.text
 
     def test_registration_disabled(self):
-        """
-        Registration and login with a disabled account.
-        """
+        """Registration and login with a disabled account."""
         registration_response = self.register(
             "disabled@register.test", "disabled", True, True
         )
@@ -126,9 +118,7 @@ class RegistrationTest(TestCase):
         assert "DisabledError" in login_response.text, login_response.text
 
     def test_registration_unverified(self):
-        """
-        Registration and login with an unverified account.
-        """
+        """Registration and login with an unverified account."""
         registration_response = self.register(
             "unverified@register.test", "unverified", False, False
         )
@@ -140,9 +130,7 @@ class RegistrationTest(TestCase):
         assert "UnverifiedError" in login_response.text, login_response.text
 
     def test_registration_unverified_disabled(self):
-        """
-        Registration and login with an unverified and disabled account.
-        """
+        """Registration and login with an unverified and disabled account."""
         registration_response = self.register(
             "unverified_disabled@register.test", "unverified_disabled", True, False
         )
@@ -155,9 +143,7 @@ class RegistrationTest(TestCase):
 
 
 class LoginTest(TestCase):
-    """
-    Login tests.
-    """
+    """Login tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -166,9 +152,7 @@ class LoginTest(TestCase):
         self.client.close()
 
     def test_login(self):
-        """
-        Login with an email and password.
-        """
+        """Login with an email and password."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "email_pass@login.test", "username": "email_pass"},
@@ -184,9 +168,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 200, authenticate_response.text
 
     def test_login_with_username(self):
-        """
-        Login with a username instead of an email and password.
-        """
+        """Login with a username instead of an email and password."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "user_pass@login.test", "username": "user_pass"},
@@ -202,9 +184,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 200, authenticate_response.text
 
     def test_invalid_login(self):
-        """
-        Login with an intentionally incorrect password and into a non existent account.
-        """
+        """Login with an intentionally incorrect password and into a non-existent account."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "incorrect_pass@login.test", "username": "incorrect_pass"},
@@ -225,9 +205,7 @@ class LoginTest(TestCase):
         ), unavailable_account_login_response
 
     def test_logout(self):
-        """
-        Logout of logged in account and attempt to authenticate.
-        """
+        """Logout of logged in account and attempt to authenticate."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "logout@login.test", "username": "logout"},
@@ -244,9 +222,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 401, authenticate_response.text
 
     def test_initial_admin_login(self):
-        """
-        Initial admin account login and authorization.
-        """
+        """Initial admin account login and authorization."""
         login_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/login",
             auth=("admin@login.test", "admin123"),
@@ -255,7 +231,7 @@ class LoginTest(TestCase):
         permitted_authorization_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/roles",
             data={
-                "role": "Head Admin",
+                "role": "Root",
                 "permissions_required": "perm1:create,add, perm2:*",
             },
         )
@@ -264,9 +240,7 @@ class LoginTest(TestCase):
         ), permitted_authorization_response.text
 
     def test_two_factor_login(self):
-        """
-        Test login with two-factor authentication requirement.
-        """
+        """Test login with two-factor authentication requirement."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "two-factor@login.test", "username": "two-factor"},
@@ -295,9 +269,7 @@ class LoginTest(TestCase):
         assert authenticate_response.status_code == 200, authenticate_response.text
 
     def test_anonymous_login(self):
-        """
-        Test login of anonymous user.
-        """
+        """Test login of anonymous user."""
         anon_login_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/login/anon"
         )
@@ -311,9 +283,7 @@ class LoginTest(TestCase):
 
 
 class VerificationTest(TestCase):
-    """
-    Two-step verification and captcha tests.
-    """
+    """Two-step verification and captcha tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -322,9 +292,7 @@ class VerificationTest(TestCase):
         self.client.close()
 
     def test_captcha(self):
-        """
-        Captcha request and attempt.
-        """
+        """Captcha request and attempt."""
         captcha_request_response = self.client.get(
             "http://127.0.0.1:8000/api/test/capt/request"
         )
@@ -344,9 +312,7 @@ class VerificationTest(TestCase):
         ), captcha_attempt_response.text
 
     def test_two_step_verification(self):
-        """
-        Two-step verification request and attempt.
-        """
+        """Two-step verification request and attempt."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "two_step@verification.test", "username": "two_step"},
@@ -382,9 +348,7 @@ class VerificationTest(TestCase):
         ), two_step_verification_no_email_request_response.text
 
     def test_account_verification(self):
-        """
-        Account registration and verification process with successful login.
-        """
+        """Account registration and verification process with successful login."""
         registration_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/register",
             data={
@@ -404,9 +368,7 @@ class VerificationTest(TestCase):
 
 
 class AuthorizationTest(TestCase):
-    """
-    Role and permissions based authorization tests.
-    """
+    """Role and permissions based authorization tests."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -415,9 +377,7 @@ class AuthorizationTest(TestCase):
         self.client.close()
 
     def test_permissions_authorization(self):
-        """
-        Authorization with permissions.
-        """
+        """Authorization with permissions."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "permissions@authorization.test", "username": "permissions"},
@@ -455,9 +415,7 @@ class AuthorizationTest(TestCase):
         ), prohibited_authorization_response.text
 
     def test_roles_authorization(self):
-        """
-        Authorization with roles.
-        """
+        """Authorization with roles."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={"email": "roles@authorization.test", "username": "roles"},
@@ -488,6 +446,7 @@ class AuthorizationTest(TestCase):
         ), prohibited_authorization_response.text
 
     def test_anonymous_authorization(self):
+        """Authorization with anonymous client."""
         anon_login_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/login/anon"
         )
@@ -506,9 +465,7 @@ class AuthorizationTest(TestCase):
 
 
 class MiscTest(TestCase):
-    """
-    Miscellaneous tests that cannot be categorized.
-    """
+    """Miscellaneous tests that cannot be categorized."""
 
     def setUp(self):
         self.client = httpx.Client()
@@ -517,18 +474,14 @@ class MiscTest(TestCase):
         self.client.close()
 
     def test_environment_variable_load(self):
-        """
-        Config loads environment variables.
-        """
+        """Config loads environment variables."""
         os.environ["SANIC_SECURITY_SECRET"] = "test-secret"
         security_config = Config()
         security_config.load_environment_variables()
         assert security_config.SECRET == "test-secret"
 
     def test_get_associated_sessions(self):
-        """
-        Retrieve sessions associated to logged in account.
-        """
+        """Retrieve sessions associated to logged in account."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={
@@ -549,9 +502,7 @@ class MiscTest(TestCase):
         ), retrieve_associated_response.text
 
     def test_authentication_refresh(self):
-        """
-        Test automatic authentication refresh.
-        """
+        """Test automatic authentication refresh."""
         self.client.post(
             "http://127.0.0.1:8000/api/test/account",
             data={

sanic_security/verification.py

@@ -89,7 +89,7 @@ async def two_step_verification(request: Request) -> TwoStepSession:
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     two_step_session.bearer.validate()
-    await two_step_session.check_code(request, request.form.get("code"))
+    await two_step_session.check_code(request.form.get("code"))
     return two_step_session
 
 
@@ -153,7 +153,7 @@ async def verify_account(request: Request) -> TwoStepSession:
     if two_step_session.bearer.verified:
         raise VerifiedError()
     two_step_session.validate()
-    await two_step_session.check_code(request, request.form.get("code"))
+    await two_step_session.check_code(request.form.get("code"))
     two_step_session.bearer.verified = True
     await two_step_session.bearer.save(update_fields=["verified"])
     return two_step_session
@@ -197,7 +197,7 @@ async def captcha(request: Request) -> CaptchaSession:
     """
     captcha_session = await CaptchaSession.decode(request)
     captcha_session.validate()
-    await captcha_session.check_code(request, request.form.get("captcha"))
+    await captcha_session.check_code(request.form.get("captcha"))
     return captcha_session
 
 

{sanic_security-1.12.6.dist-info → sanic_security-1.13.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.12.6
+Version: 1.13.0
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -64,7 +64,7 @@ Requires-Dist: cryptography; extra == "dev"
 * [Usage](#usage)
     * [Authentication](#authentication)
     * [Captcha](#captcha)
-    * [Two Step Verification](#two-step-verification)
+    * [Two-Step Verification](#two-step-verification)
     * [Authorization](#authorization)
     * [Testing](#testing)
     * [Tortoise](#tortoise)
@@ -145,12 +145,12 @@ You can load environment variables with a different prefix via `config.load_envi
 |---------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
 | **SECRET**                            | This is a big secret. Shhhhh | The secret used for generating and signing JWTs. This should be a string unique to your application. Keep it safe.               |
 | **PUBLIC_SECRET**                     | None                         | The secret used for verifying and decoding JWTs and can be publicly shared. This should be a string unique to your application.  |
-| **SESSION_SAMESITE**                  | strict                       | The SameSite attribute of session cookies.                                                                                       |
+| **SESSION_SAMESITE**                  | Strict                       | The SameSite attribute of session cookies.                                                                                       |
 | **SESSION_SECURE**                    | True                         | The Secure attribute of session cookies.                                                                                         |
 | **SESSION_HTTPONLY**                  | True                         | The HttpOnly attribute of session cookies. HIGHLY recommended that you do not turn this off, unless you know what you are doing. |
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
-| **SESSION_PREFIX**                    | token                        | Prefix attached to the beginning of session cookies.                                                                             |
+| **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
 | **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
 | **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation.                                                                     |
@@ -166,19 +166,16 @@ You can load environment variables with a different prefix via `config.load_envi
 Sanic Security's authentication and verification functionality is session based. A new session will be created for the user after the user logs in or requests some form of verification (two-step, captcha). The session data is then encoded into a JWT and stored on a cookie on the user’s browser. The session cookie is then sent
 along with every subsequent request. The server can then compare the session stored on the cookie against the session information stored in the database to verify user’s identity and send a response with the corresponding state.
 
-The tables in the below examples represent example [request form-data](https://sanicframework.org/en/guide/basics/request.html#form).
-
-## Authentication
-
-* Initial Administrator Account
-
-Creates initial admin account, you should modify its credentials in config!
-  
+* Initialize sanic-security as follows:
 ```python
-create_initial_admin_account(app)
+initialize_security(app)
 if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000)
+    app.run(host="127.0.0.1", port=8000, workers=1, debug=True)
 ```
+
+The tables in the below examples represent example [request form-data](https://sanicframework.org/en/guide/basics/request.html#form).
+
+## Authentication
   
 * Registration (With two-step account verification)
 
@@ -321,17 +318,6 @@ async def on_authenticate(request):
     return response
 ```
 
-* Refresh Encoder
-
-A new/refreshed session is returned during authentication when the client's current session expires and it
-requires encoding. This should be be done automatically via middleware.
-
-```python
-attach_refresh_encoder(app)
-if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000)
-```
-
 ## Captcha
 
 A pre-existing font for captcha challenges is included in the Sanic Security repository. You may set your own font by 

sanic_security-1.13.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/authentication.py,sha256=ZY4WJDUXbwDdaH_2Ovc9gkR1jCgw52yB9enYp_1LypM,14334
+sanic_security/authorization.py,sha256=XbRrnsx-Yqpiemf3bn_djIYIe1khdnfToB7DsBheLtk,7338
+sanic_security/configuration.py,sha256=br2hI3MHsTBh3yfPer5f3bkKSWfQdCeqfLqWmaDNVoM,5510
+sanic_security/exceptions.py,sha256=JiCaBR2kjE1Cj0fc_08y-32fqJJXa_1UCw205T4_RTY,5493
+sanic_security/models.py,sha256=v3tJyL420HEdZXqJCq9uPPSivuYXuQNtqf9QC9wF0TU,22274
+sanic_security/utils.py,sha256=XAUNalcTi53qTz0D8xiDyDyRlq7Z7ffNBzUONJZqe90,2705
+sanic_security/verification.py,sha256=ebT7QaytHAsw-IKA13W9wyCoqoBAYKgmFA1QJ80N2bE,7476
+sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/test/server.py,sha256=DmwP5dBs2Sq2qk4UZgWbAqzm96YXvLGI9jWeqzluy_c,12082
+sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
+sanic_security-1.13.0.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.13.0.dist-info/METADATA,sha256=VeYHXoqKPrbNAfub2NW3RT78Rt1WSUBCKj2gVJrHplE,23000
+sanic_security-1.13.0.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
+sanic_security-1.13.0.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.13.0.dist-info/RECORD,,

sanic_security-1.12.6.dist-info/RECORD

@@ -1,16 +0,0 @@
-sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=obMKNnJXleeBGXqmsm1y5jFNI-FrW9krdO5SD6yOstE,12598
-sanic_security/authorization.py,sha256=aQztMiZG9LDctr_C6QEzO5qScwbxpiLk96XVxwdCChM,6921
-sanic_security/configuration.py,sha256=p44nTSrBQQSJZYN6qJEod_Ettf90rRNlmPxmNzxqQ9A,5514
-sanic_security/exceptions.py,sha256=MTPF4tm_68Nmf_z06RHH_6DTiC_CNiLER1jzEoW1dFk,5398
-sanic_security/models.py,sha256=nj5iYHzPZzdLs5dc3j6kdeScSk1SASizfK58Sa5YN8E,22527
-sanic_security/utils.py,sha256=XAUNalcTi53qTz0D8xiDyDyRlq7Z7ffNBzUONJZqe90,2705
-sanic_security/verification.py,sha256=vrxYborEOBKEirOHczul9WYub5j6T2ldXE1gsoA8iyY,7503
-sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=pwqsDS81joMdxIynivaNPCCMamv9qzAjknfZ01ZxQHc,12380
-sanic_security/test/tests.py,sha256=6TUp5GVYIR27qCzwIw2qt7DvW7ohxj-seYpnpeMbuno,22407
-sanic_security-1.12.6.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.12.6.dist-info/METADATA,sha256=aiKkOtkYiexSjoB4uysSQwxAVqRGAQnultZKvx5srAs,23382
-sanic_security-1.12.6.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
-sanic_security-1.12.6.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.12.6.dist-info/RECORD,,