sanic-security 1.12.7__py3-none-any.whl → 1.13.0__py3-none-any.whl

sanic_security/authentication.py

@@ -15,6 +15,7 @@ from sanic_security.exceptions import (
     DeactivatedError,
     SecondFactorFulfilledError,
     ExpiredError,
+    AuditWarning,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
 from sanic_security.utils import get_ip
@@ -85,7 +86,6 @@ async def register(
         verified=verified,
         disabled=disabled,
     )
-    logger.info(f"Client {get_ip(request)} has registered account {account.id}.")
     return account
 
 
@@ -128,10 +128,13 @@ async def login(
             request, account, requires_second_factor=require_second_factor
         )
         logger.info(
-            f"Client has logged into account {account.id} with authentication session {authentication_session.id}."
+            f"Client {get_ip(request)} has logged into account {account.id} with authentication session {authentication_session.id}."
         )
         return authentication_session
     except VerifyMismatchError:
+        logger.warning(
+            f"Client {get_ip(request)} has failed to log into account {account.id}."
+        )
         raise CredentialsError("Incorrect password.", 401)
 
 
@@ -156,8 +159,8 @@ async def logout(request: Request) -> AuthenticationSession:
     authentication_session.active = False
     await authentication_session.save(update_fields=["active"])
     logger.info(
-        f"Client has logged out{" anonymously" if authentication_session.anonymous else
-        f" of account {authentication_session.bearer.id}"} with authentication session {authentication_session.id}."
+        f"Client {get_ip(request)} has logged out {"anonymously" if authentication_session.anonymous 
+        else f"of account {authentication_session.bearer.id}"} with authentication session {authentication_session.id}."
     )
     return authentication_session
 
@@ -190,9 +193,6 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     await two_step_session.check_code(request.form.get("code"))
     authentication_session.requires_second_factor = False
     await authentication_session.save(update_fields=["requires_second_factor"])
-    logger.info(
-        f"Authentication session {authentication_session.id} second factor has been fulfilled."
-    )
     return authentication_session
 
 
@@ -262,68 +262,6 @@ def requires_authentication(arg=None):
     return decorator(arg) if callable(arg) else decorator
 
 
-def attach_refresh_encoder(app: Sanic):
-    """
-    Automatically encodes the new/refreshed session returned during authentication when client's current session expires.
-
-    Args:
-        app: (Sanic): The main Sanic application instance.
-    """
-
-    @app.on_response
-    async def refresh_encoder_middleware(request, response):
-        if hasattr(request.ctx, "authentication_session"):
-            authentication_session = request.ctx.authentication_session
-            if authentication_session.is_refresh:
-                authentication_session.encode(response)
-
-
-def create_initial_admin_account(app: Sanic) -> None:
-    """
-    Creates the initial admin account that can be logged into and has complete authoritative access.
-
-    Args:
-        app (Sanic): The main Sanic application instance.
-    """
-
-    @app.listener("before_server_start")
-    async def create(app, loop):
-        if security_config.SECRET == DEFAULT_CONFIG["SECRET"]:
-            warnings.warn("Secret should be changed from default.")
-        if security_config.INITIAL_ADMIN_EMAIL == DEFAULT_CONFIG["INITIAL_ADMIN_EMAIL"]:
-            warnings.warn("Initial admin email should be changed from default.")
-        if (
-            security_config.INITIAL_ADMIN_PASSWORD
-            == DEFAULT_CONFIG["INITIAL_ADMIN_PASSWORD"]
-        ):
-            warnings.warn("Initial admin password should be changed from default.")
-        try:
-            role = await Role.filter(name="Admin").get()
-        except DoesNotExist:
-            role = await Role.create(
-                description="Has root abilities, assign sparingly.",
-                permissions="*:*",
-                name="Admin",
-            )
-        try:
-            account = await Account.filter(
-                email=security_config.INITIAL_ADMIN_EMAIL
-            ).get()
-            await account.fetch_related("roles")
-            if role not in account.roles:
-                await account.roles.add(role)
-                logger.warning("Initial admin account role has been reinstated.")
-        except DoesNotExist:
-            account = await Account.create(
-                username="Admin",
-                email=security_config.INITIAL_ADMIN_EMAIL,
-                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
-                verified=True,
-            )
-            await account.roles.add(role)
-            logger.info("Initial admin account created.")
-
-
 def validate_email(email: str) -> str:
     """
     Validates email format.
@@ -402,3 +340,77 @@ def validate_password(password: str) -> str:
             400,
         )
     return password
+
+
+def initialize_security(app: Sanic, create_root=True) -> None:
+    """
+    Audits configuration, creates root administrator account, and attaches refresh encoder middleware.
+
+    Args:
+        app (Sanic): The main Sanic application instance.
+        create_root (bool): Determines root account creation on initialization.
+    """
+
+    @app.on_response
+    async def refresh_encoder_middleware(request, response):
+        if hasattr(request.ctx, "authentication_session"):
+            authentication_session = request.ctx.authentication_session
+            if authentication_session.is_refresh:
+                authentication_session.encode(response)
+
+    @app.listener("before_server_start")
+    async def audit_configuration(app, loop):
+        if security_config.SECRET == DEFAULT_CONFIG["SECRET"]:
+            warnings.warn("Secret should be changed from default.", AuditWarning)
+        if not security_config.SESSION_HTTPONLY:
+            warnings.warn("HttpOnly should be enabled.", AuditWarning)
+        if not security_config.SESSION_SECURE:
+            warnings.warn("Secure should be enabled.", AuditWarning)
+        if security_config.SESSION_SAMESITE.lower() == "none":
+            warnings.warn("SameSite should not be set to none.", AuditWarning)
+        if (
+            create_root
+            and security_config.INITIAL_ADMIN_EMAIL
+            == DEFAULT_CONFIG["INITIAL_ADMIN_EMAIL"]
+        ):
+            warnings.warn(
+                "Initial admin email should be changed from default.", AuditWarning
+            )
+        if (
+            create_root
+            and security_config.INITIAL_ADMIN_PASSWORD
+            == DEFAULT_CONFIG["INITIAL_ADMIN_PASSWORD"]
+        ):
+            warnings.warn(
+                "Initial admin password should be changed from default.", AuditWarning
+            )
+
+    @app.listener("before_server_start")
+    async def create_root_account(app, loop):
+        if not create_root:
+            return
+        try:
+            role = await Role.filter(name="Root").get()
+        except DoesNotExist:
+            role = await Role.create(
+                description="Has administrator abilities, assign sparingly.",
+                permissions="*:*",
+                name="Root",
+            )
+        try:
+            account = await Account.filter(
+                email=security_config.INITIAL_ADMIN_EMAIL
+            ).get()
+            await account.fetch_related("roles")
+            if role not in account.roles:
+                await account.roles.add(role)
+                logger.warning("Initial admin account role has been reinstated.")
+        except DoesNotExist:
+            account = await Account.create(
+                username="Root",
+                email=security_config.INITIAL_ADMIN_EMAIL,
+                password=password_hasher.hash(security_config.INITIAL_ADMIN_PASSWORD),
+                verified=True,
+            )
+            await account.roles.add(role)
+            logger.info("Initial admin account created.")

sanic_security/authorization.py

@@ -8,6 +8,7 @@ from tortoise.exceptions import DoesNotExist
 from sanic_security.authentication import authenticate
 from sanic_security.exceptions import AuthorizationError, AnonymousError
 from sanic_security.models import Role, Account, AuthenticationSession
+from sanic_security.utils import get_ip
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -66,6 +67,10 @@ async def check_permissions(
         ):
             if fnmatch(required_permission, role_permission):
                 return authentication_session
+    logger.warning(
+        f"Client {get_ip(request)} with account {authentication_session.bearer.id} has insufficient permissions for "
+        "attempted action."
+    )
     raise AuthorizationError("Insufficient permissions required for this action.")
 
 
@@ -98,6 +103,10 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
     for role in roles:
         if role.name in required_roles:
             return authentication_session
+    logger.warning(
+        f"Client {get_ip(request)} with account {authentication_session.bearer.id} has insufficient roles for "
+        "attempted action."
+    )
     raise AuthorizationError("Insufficient roles required for this action.")
 
 
@@ -120,7 +129,6 @@ async def assign_role(
             description=description, permissions=permissions, name=name
         )
     await account.roles.add(role)
-    logger.info(f"Role {role.id} has been assigned to account {account.id}.")
     return role
 
 

sanic_security/configuration.py

@@ -27,11 +27,11 @@ SOFTWARE.
 DEFAULT_CONFIG = {
     "SECRET": "This is a big secret. Shhhhh",
     "PUBLIC_SECRET": None,
-    "SESSION_SAMESITE": "strict",
+    "SESSION_SAMESITE": "Strict",
     "SESSION_SECURE": True,
     "SESSION_HTTPONLY": True,
     "SESSION_DOMAIN": None,
-    "SESSION_PREFIX": "token",
+    "SESSION_PREFIX": "tkn",
     "SESSION_ENCODING_ALGORITHM": "HS256",
     "MAX_CHALLENGE_ATTEMPTS": 5,
     "CAPTCHA_SESSION_EXPIRATION": 60,

sanic_security/exceptions.py

@@ -206,3 +206,9 @@ class AnonymousError(AuthorizationError):
 
     def __init__(self):
         super().__init__("Session is anonymous.")
+
+
+class AuditWarning(Warning):
+    """
+    Raised when configuration is invalid.
+    """

sanic_security/models.py

@@ -6,7 +6,6 @@ from typing import Union
 import jwt
 from captcha.image import ImageCaptcha
 from jwt import DecodeError
-from sanic.log import logger
 from sanic.request import Request
 from sanic.response import HTTPResponse, raw
 from tortoise import fields, Model
@@ -142,7 +141,6 @@ class Account(BaseModel):
         else:
             self.disabled = True
             await self.save(update_fields=["disabled"])
-            logger.info(f"Account {self.id} has been disabled.")
 
     @property
     def json(self) -> dict:
@@ -320,7 +318,6 @@ class Session(BaseModel):
         if self.active:
             self.active = False
             await self.save(update_fields=["active"])
-            logger.info(f"Session {self.id} has been deactivated.")
         else:
             raise DeactivatedError("Session is already deactivated.", 403)
 
@@ -516,9 +513,6 @@ class VerificationSession(Session):
             else:
                 raise MaxedOutChallengeError()
         else:
-            logger.info(
-                f"Client has completed verification session {self.id} challenge."
-            )
             await self.deactivate()
 
     @classmethod
@@ -530,9 +524,7 @@ class VerificationSession(Session):
 
 
 class TwoStepSession(VerificationSession):
-    """
-    Validates a client using a code sent via email or text.
-    """
+    """Validates a client using a code sent via email or text."""
 
     @classmethod
     async def new(cls, request: Request, account: Account, **kwargs):
@@ -550,9 +542,7 @@ class TwoStepSession(VerificationSession):
 
 
 class CaptchaSession(VerificationSession):
-    """
-    Validates a client with a captcha challenge.
-    """
+    """Validates a client with a captcha challenge."""
 
     @classmethod
     async def new(cls, request: Request, **kwargs):
@@ -612,6 +602,9 @@ class AuthenticationSession(Session):
         """
         Refreshes session if expired and within refresh date.
 
+        Args:
+            request (Request): Sanic request parameter.
+
         Raises:
             DeletedError
             ExpiredError
@@ -633,7 +626,6 @@ class AuthenticationSession(Session):
             ):
                 self.active = False
                 await self.save(update_fields=["active"])
-                logger.info(f"Client has refreshed authentication session {self.id}.")
                 return await self.new(request, self.bearer, True)
             else:
                 raise e

sanic_security/test/server.py

@@ -10,9 +10,8 @@ from sanic_security.authentication import (
     register,
     requires_authentication,
     logout,
-    create_initial_admin_account,
     fulfill_second_factor,
-    attach_refresh_encoder,
+    initialize_security,
 )
 from sanic_security.authorization import (
     assign_role,
@@ -308,7 +307,6 @@ register_tortoise(
     modules={"models": ["sanic_security.models"]},
     generate_schemas=True,
 )
-attach_refresh_encoder(app)
-create_initial_admin_account(app)
+initialize_security(app, True)
 if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000, workers=1, debug=True)
+    app.run(host="127.0.0.1", port=8000, workers=1)

sanic_security/test/tests.py

@@ -231,7 +231,7 @@ class LoginTest(TestCase):
         permitted_authorization_response = self.client.post(
             "http://127.0.0.1:8000/api/test/auth/roles",
             data={
-                "role": "Admin",
+                "role": "Root",
                 "permissions_required": "perm1:create,add, perm2:*",
             },
         )

sanic_security/verification.py

@@ -1,7 +1,6 @@
 import functools
 from contextlib import suppress
 
-from sanic.log import logger
 from sanic.request import Request
 
 from sanic_security.exceptions import (
@@ -85,7 +84,7 @@ async def two_step_verification(request: Request) -> TwoStepSession:
         MaxedOutChallengeError
 
     Returns:
-        two_step_session
+         two_step_session
     """
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
@@ -157,7 +156,6 @@ async def verify_account(request: Request) -> TwoStepSession:
     await two_step_session.check_code(request.form.get("code"))
     two_step_session.bearer.verified = True
     await two_step_session.bearer.save(update_fields=["verified"])
-    logger.info(f"Account {two_step_session.bearer.id} has been verified.")
     return two_step_session
 
 

{sanic_security-1.12.7.dist-info → sanic_security-1.13.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.12.7
+Version: 1.13.0
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -64,7 +64,7 @@ Requires-Dist: cryptography; extra == "dev"
 * [Usage](#usage)
     * [Authentication](#authentication)
     * [Captcha](#captcha)
-    * [Two Step Verification](#two-step-verification)
+    * [Two-Step Verification](#two-step-verification)
     * [Authorization](#authorization)
     * [Testing](#testing)
     * [Tortoise](#tortoise)
@@ -145,12 +145,12 @@ You can load environment variables with a different prefix via `config.load_envi
 |---------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
 | **SECRET**                            | This is a big secret. Shhhhh | The secret used for generating and signing JWTs. This should be a string unique to your application. Keep it safe.               |
 | **PUBLIC_SECRET**                     | None                         | The secret used for verifying and decoding JWTs and can be publicly shared. This should be a string unique to your application.  |
-| **SESSION_SAMESITE**                  | strict                       | The SameSite attribute of session cookies.                                                                                       |
+| **SESSION_SAMESITE**                  | Strict                       | The SameSite attribute of session cookies.                                                                                       |
 | **SESSION_SECURE**                    | True                         | The Secure attribute of session cookies.                                                                                         |
 | **SESSION_HTTPONLY**                  | True                         | The HttpOnly attribute of session cookies. HIGHLY recommended that you do not turn this off, unless you know what you are doing. |
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
-| **SESSION_PREFIX**                    | token                        | Prefix attached to the beginning of session cookies.                                                                             |
+| **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
 | **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
 | **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation.                                                                     |
@@ -166,19 +166,16 @@ You can load environment variables with a different prefix via `config.load_envi
 Sanic Security's authentication and verification functionality is session based. A new session will be created for the user after the user logs in or requests some form of verification (two-step, captcha). The session data is then encoded into a JWT and stored on a cookie on the user’s browser. The session cookie is then sent
 along with every subsequent request. The server can then compare the session stored on the cookie against the session information stored in the database to verify user’s identity and send a response with the corresponding state.
 
-The tables in the below examples represent example [request form-data](https://sanicframework.org/en/guide/basics/request.html#form).
-
-## Authentication
-
-* Initial Administrator Account
-
-Creates root account if it doesn't exist, you should modify its credentials in config!
-  
+* Initialize sanic-security as follows:
 ```python
-create_initial_admin_account(app)
+initialize_security(app)
 if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000)
+    app.run(host="127.0.0.1", port=8000, workers=1, debug=True)
 ```
+
+The tables in the below examples represent example [request form-data](https://sanicframework.org/en/guide/basics/request.html#form).
+
+## Authentication
   
 * Registration (With two-step account verification)
 
@@ -321,17 +318,6 @@ async def on_authenticate(request):
     return response
 ```
 
-* Refresh Encoder
-
-A new/refreshed session is returned during authentication when the client's current session expires and it
-requires encoding. This should be be done automatically via middleware.
-
-```python
-attach_refresh_encoder(app)
-if __name__ == "__main__":
-    app.run(host="127.0.0.1", port=8000)
-```
-
 ## Captcha
 
 A pre-existing font for captcha challenges is included in the Sanic Security repository. You may set your own font by 

sanic_security-1.13.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/authentication.py,sha256=ZY4WJDUXbwDdaH_2Ovc9gkR1jCgw52yB9enYp_1LypM,14334
+sanic_security/authorization.py,sha256=XbRrnsx-Yqpiemf3bn_djIYIe1khdnfToB7DsBheLtk,7338
+sanic_security/configuration.py,sha256=br2hI3MHsTBh3yfPer5f3bkKSWfQdCeqfLqWmaDNVoM,5510
+sanic_security/exceptions.py,sha256=JiCaBR2kjE1Cj0fc_08y-32fqJJXa_1UCw205T4_RTY,5493
+sanic_security/models.py,sha256=v3tJyL420HEdZXqJCq9uPPSivuYXuQNtqf9QC9wF0TU,22274
+sanic_security/utils.py,sha256=XAUNalcTi53qTz0D8xiDyDyRlq7Z7ffNBzUONJZqe90,2705
+sanic_security/verification.py,sha256=ebT7QaytHAsw-IKA13W9wyCoqoBAYKgmFA1QJ80N2bE,7476
+sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/test/server.py,sha256=DmwP5dBs2Sq2qk4UZgWbAqzm96YXvLGI9jWeqzluy_c,12082
+sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
+sanic_security-1.13.0.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.13.0.dist-info/METADATA,sha256=VeYHXoqKPrbNAfub2NW3RT78Rt1WSUBCKj2gVJrHplE,23000
+sanic_security-1.13.0.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
+sanic_security-1.13.0.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.13.0.dist-info/RECORD,,

sanic_security-1.12.7.dist-info/RECORD

@@ -1,16 +0,0 @@
-sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=CzjbVh7uDjBs22oQCklcbmp5gTDW17AoYaa3lmyPnGk,13783
-sanic_security/authorization.py,sha256=80vuM_2oNgfhOMuct89R6UBhDYmSWQzIgocKxhKzReE,7030
-sanic_security/configuration.py,sha256=MKxYjq1q9RBRX2cMJkIe87ke0mLKa69RWoQ5MhVciho,5512
-sanic_security/exceptions.py,sha256=MTPF4tm_68Nmf_z06RHH_6DTiC_CNiLER1jzEoW1dFk,5398
-sanic_security/models.py,sha256=zWn9zXl-vwP8qJ-DzBuNNG7MCl1ggZX6yb6Zgh3Jfcs,22601
-sanic_security/utils.py,sha256=XAUNalcTi53qTz0D8xiDyDyRlq7Z7ffNBzUONJZqe90,2705
-sanic_security/verification.py,sha256=rNyZk_J53dOzk8qy5iG3yiMRuRcGaYeHwIwnFDH9TWw,7582
-sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=-dQAB75C-l9kfN7PnaYNDOLiLXaqg0euZAWF5oXMxeE,12164
-sanic_security/test/tests.py,sha256=jUZ5kgQF4rFx1bImKqHYR7UeoYAfjtNNXSQYTMfzlg4,21994
-sanic_security-1.12.7.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.12.7.dist-info/METADATA,sha256=ZGVTjtv-OVMrs_3Ac__jKE1JgdhtIAyhMCW2n3VUW3Y,23393
-sanic_security-1.12.7.dist-info/WHEEL,sha256=P9jw-gEje8ByB7_hXoICnHtVCrEwMQh-630tKvQWehc,91
-sanic_security-1.12.7.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.12.7.dist-info/RECORD,,