sanic-security 1.14.0__py3-none-any.whl → 1.15.0__py3-none-any.whl

sanic_security/authentication.py

@@ -17,7 +17,7 @@ from sanic_security.exceptions import (
     AuditWarning,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
-from sanic_security.utils import get_ip, password_hasher, secure_headers
+from sanic_security.utils import get_ip, password_hasher
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -183,7 +183,7 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     """
     authentication_session = await AuthenticationSession.decode(request)
     if not authentication_session.requires_second_factor:
-        raise SecondFactorFulfilledError()
+        raise SecondFactorFulfilledError
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     await two_step_session.check_code(request.form.get("code"))
@@ -284,20 +284,13 @@ def validate_password(password: str) -> str:
 
 def initialize_security(app: Sanic, create_root=True) -> None:
     """
-    Audits configuration, creates root administrator account, and attaches response handler middleware.
+    Audits configuration, creates root administrator account, and attaches refresh encoder middleware.
 
     Args:
         app (Sanic): The main Sanic application instance.
         create_root (bool): Determines root account creation on initialization.
     """
 
-    @app.on_response
-    async def response_handler_middleware(request, response):
-        if hasattr(request.ctx, "session"):
-            secure_headers.set_headers(response)
-            if request.ctx.session.is_refresh:
-                request.ctx.session.encode(response)
-
     @app.listener("before_server_start")
     async def audit_configuration(app, loop):
         if security_config.SECRET == DEFAULT_CONFIG["SECRET"]:
@@ -361,3 +354,10 @@ def initialize_security(app: Sanic, create_root=True) -> None:
             )
             await account.roles.add(role)
             logger.info("Initial admin account created.")
+
+        @app.on_response
+        async def refresh_encoder_middleware(request, response):
+            if hasattr(request.ctx, "session") and getattr(
+                request.ctx.session, "is_refresh", False
+            ):
+                request.ctx.session.encode(response)

sanic_security/authorization.py

@@ -62,7 +62,7 @@ async def check_permissions(
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         for required_permission, role_permission in zip(
@@ -104,7 +104,7 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         if role.name in required_roles:

sanic_security/configuration.py

@@ -33,8 +33,8 @@ DEFAULT_CONFIG = {
     "SESSION_DOMAIN": None,
     "SESSION_PREFIX": "tkn",
     "SESSION_ENCODING_ALGORITHM": "HS256",
-    "MAX_CHALLENGE_ATTEMPTS": 5,
-    "CAPTCHA_SESSION_EXPIRATION": 60,
+    "MAX_CHALLENGE_ATTEMPTS": 3,
+    "CAPTCHA_SESSION_EXPIRATION": 180,
     "CAPTCHA_FONT": "captcha-font.ttf",
     "CAPTCHA_VOICE": "captcha-voice/",
     "TWO_STEP_SESSION_EXPIRATION": 300,

sanic_security/exceptions.py

@@ -145,15 +145,6 @@ class ExpiredError(SessionError):
         super().__init__("Session has expired.")
 
 
-class NotExpiredError(SessionError):
-    """
-    Raised when session needs to be expired.
-    """
-
-    def __init__(self):
-        super().__init__("Session has not expired yet.", 403)
-
-
 class SecondFactorRequiredError(SessionError):
     """
     Raised when authentication session two-factor requirement isn't met.

sanic_security/models.py

@@ -1,5 +1,6 @@
 import base64
 import datetime
+import logging
 import re
 from typing import Union
 
@@ -19,6 +20,8 @@ from sanic_security.utils import (
     get_expiration_date,
     image_generator,
     audio_generator,
+    get_id,
+    is_expired,
 )
 
 """
@@ -55,7 +58,7 @@ class BaseModel(Model):
         deleted (bool): Renders the model filterable without removing from the database.
     """
 
-    id: int = fields.IntField(pk=True)
+    id: str = fields.CharField(pk=True, max_length=36, default=get_id)
     date_created: datetime.datetime = fields.DatetimeField(auto_now_add=True)
     date_updated: datetime.datetime = fields.DatetimeField(auto_now=True)
     deleted: bool = fields.BooleanField(default=False)
@@ -67,7 +70,7 @@ class BaseModel(Model):
         Raises:
             SecurityError
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:
@@ -89,7 +92,7 @@ class BaseModel(Model):
                     }
 
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     class Meta:
         abstract = True
@@ -148,9 +151,9 @@ class Account(BaseModel):
         if self.deleted:
             raise DeletedError("Account has been deleted.")
         elif not self.verified:
-            raise UnverifiedError()
+            raise UnverifiedError
         elif self.disabled:
-            raise DisabledError()
+            raise DisabledError
 
     async def disable(self):
         """
@@ -321,12 +324,9 @@ class Session(BaseModel):
         if self.deleted:
             raise DeletedError("Session has been deleted.")
         elif not self.active:
-            raise DeactivatedError()
-        elif (
-            self.expiration_date
-            and datetime.datetime.now(datetime.timezone.utc) >= self.expiration_date
-        ):
-            raise ExpiredError()
+            raise DeactivatedError
+        elif is_expired(self.expiration_date):
+            raise ExpiredError
 
     async def deactivate(self):
         """
@@ -416,7 +416,7 @@ class Session(BaseModel):
         Returns:
             session
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @classmethod
     async def get_associated(cls, account: Account):
@@ -517,15 +517,15 @@ class VerificationSession(Session):
             ChallengeError
             MaxedOutChallengeError
         """
-        if self.code != code.upper():
+        if not code or self.code != code.upper():
+            self.attempts += 1
             if self.attempts < security_config.MAX_CHALLENGE_ATTEMPTS:
-                self.attempts += 1
                 await self.save(update_fields=["attempts"])
                 raise ChallengeError(
                     "Your code does not match verification session code."
                 )
             else:
-                raise MaxedOutChallengeError()
+                raise MaxedOutChallengeError
         else:
             await self.deactivate()
 
@@ -621,39 +621,30 @@ class AuthenticationSession(Session):
         """
         super().validate()
         if self.requires_second_factor:
-            raise SecondFactorRequiredError()
+            raise SecondFactorRequiredError
 
     async def refresh(self, request: Request):
         """
-        Refreshes session if expired and within refresh date.
+        Refreshes session if within refresh date.
 
         Args:
             request (Request): Sanic request parameter.
 
         Raises:
-            DeletedError
             ExpiredError
-            DeactivatedError
-            SecondFactorRequiredError
-            NotExpiredError
 
         Returns:
             session
         """
-        try:
-            self.validate()
-            raise NotExpiredError()
-        except ExpiredError as e:
-            if (
-                self.refresh_expiration_date
-                and datetime.datetime.now(datetime.timezone.utc)
-                <= self.refresh_expiration_date
-            ):
-                self.active = False
-                await self.save(update_fields=["active"])
-                return await self.new(request, self.bearer, True)
-            else:
-                raise e
+        if not is_expired(self.refresh_expiration_date):
+            self.active = False
+            await self.save(update_fields=["active"])
+            logging.warning(
+                f"Client {get_ip(request)} has refreshed authentication session {self.id}."
+            )
+            return await self.new(request, self.bearer, True)
+        else:
+            raise ExpiredError
 
     @classmethod
     async def new(
@@ -692,7 +683,7 @@ class Role(BaseModel):
     permissions: str = fields.CharField(max_length=255, null=True)
 
     def validate(self) -> None:
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:

sanic_security/test/server.py

@@ -128,7 +128,6 @@ async def on_two_factor_authentication(request):
         "Authentication session second-factor fulfilled! You are now authenticated.",
         authentication_session.bearer.json,
     )
-    authentication_session.encode(response)
     return response
 
 

sanic_security/utils.py

@@ -1,13 +1,13 @@
 import datetime
 import random
 import string
+import uuid
 
 from argon2 import PasswordHasher
 from captcha.audio import AudioCaptcha
 from captcha.image import ImageCaptcha
 from sanic.request import Request
 from sanic.response import json as sanic_json, HTTPResponse
-from secure import Secure
 
 from sanic_security.configuration import config
 
@@ -38,7 +38,6 @@ image_generator = ImageCaptcha(
 )
 audio_generator = AudioCaptcha(voicedir=config.CAPTCHA_VOICE)
 password_hasher = PasswordHasher()
-secure_headers = Secure.with_default_headers()
 
 
 def get_ip(request: Request) -> str:
@@ -66,23 +65,27 @@ def get_code() -> str:
     )
 
 
-def json(
-    message: str, data, status_code: int = 200
-) -> HTTPResponse:  # May be causing fixture error bc of json property
+def get_id() -> str:
     """
-    A preformatted Sanic json response.
+    Generates uuid to be used for primary key.
+
+    Returns:
+        id
+    """
+    return str(uuid.uuid4())
+
+
+def is_expired(date):
+    """
+    Checks if current date has surpassed the date passed into the function.
 
     Args:
-        message (int): Message describing data or relaying human-readable information.
-        data (Any): Raw information to be used by client.
-        status_code (int): HTTP response code.
+        date: The date being checked for expiration.
 
     Returns:
-        json
+        is_expired
     """
-    return sanic_json(
-        {"message": message, "code": status_code, "data": data}, status=status_code
-    )
+    return date and datetime.datetime.now(datetime.timezone.utc) >= date
 
 
 def get_expiration_date(seconds: int) -> datetime.datetime:
@@ -100,3 +103,22 @@ def get_expiration_date(seconds: int) -> datetime.datetime:
         if seconds > 0
         else None
     )
+
+
+def json(
+    message: str, data, status_code: int = 200
+) -> HTTPResponse:  # May be causing fixture error bc of json property
+    """
+    A preformatted Sanic json response.
+
+    Args:
+        message (int): Message describing data or relaying human-readable information.
+        data (Any): Raw information to be used by client.
+        status_code (int): HTTP response code.
+
+    Returns:
+        json
+    """
+    return sanic_json(
+        {"message": message, "code": status_code, "data": data}, status=status_code
+    )

sanic_security/verification.py

@@ -164,7 +164,7 @@ async def verify_account(request: Request) -> TwoStepSession:
     """
     two_step_session = await TwoStepSession.decode(request)
     if two_step_session.bearer.verified:
-        raise VerifiedError()
+        raise VerifiedError
     two_step_session.validate()
     try:
         await two_step_session.check_code(request.form.get("code"))

{sanic_security-1.14.0.dist-info → sanic_security-1.15.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.14.0
+Version: 1.15.0
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -20,15 +20,14 @@ Requires-Dist: captcha>=0.4
 Requires-Dist: pillow>=9.5.0
 Requires-Dist: argon2-cffi>=20.1.0
 Requires-Dist: sanic>=21.3.0
-Requires-Dist: secure>=1.0.1
-Provides-Extra: crypto
-Requires-Dist: cryptography>=3.3.1; extra == "crypto"
 Provides-Extra: dev
 Requires-Dist: httpx; extra == "dev"
 Requires-Dist: black; extra == "dev"
 Requires-Dist: blacken-docs; extra == "dev"
 Requires-Dist: pdoc3; extra == "dev"
 Requires-Dist: cryptography; extra == "dev"
+Provides-Extra: crypto
+Requires-Dist: cryptography>=3.3.1; extra == "crypto"
 
 <!-- PROJECT SHIELDS -->
 <!--
@@ -149,11 +148,11 @@ You can load environment variables with a different prefix via `config.load_envi
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
 | **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
-| **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
-| **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
+| **MAX_CHALLENGE_ATTEMPTS**            | 3                            | The maximum amount of session challenge attempts allowed.                                                                        |
+| **CAPTCHA_SESSION_EXPIRATION**        | 180                          | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation. Several fonts can be used by separating them via comma.             |
 | **CAPTCHA_VOICE**                     | captcha-voice/               | The directory of the voice library being used for audio captcha generation.                                                      |
-| **TWO_STEP_SESSION_EXPIRATION**       | 200                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
+| **TWO_STEP_SESSION_EXPIRATION**       | 300                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
 | **AUTHENTICATION_SESSION_EXPIRATION** | 86400                        | The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.                  |
 | **AUTHENTICATION_REFRESH_EXPIRATION** | 604800                       | The amount of seconds till authentication refresh expiration. Setting to 0 will disable refresh mechanism.                       |
 | **ALLOW_LOGIN_WITH_USERNAME**         | False                        | Allows login via username; unique constraint is disabled when set to false.                                                      |
@@ -196,8 +195,7 @@ async def on_register(request):
         account.email, two_step_session.code  # Code = 24KF19
     )  # Custom method for emailing verification code.
     response = json(
-        "Registration successful! Email verification required.",
-        two_step_session.json,
+        "Registration successful! Email verification required.", account.json
     )
     two_step_session.encode(response)
     return response
@@ -212,10 +210,12 @@ Verifies the client's account via two-step session code.
 | **code** | 24KF19 |
 
 ```python
-@app.post("api/security/verify")
+@app.put("api/security/verify")
 async def on_verify(request):
     two_step_session = await verify_account(request)
-    return json("You have verified your account and may login!", two_step_session.json)
+    return json(
+        "You have verified your account and may login!", two_step_session.bearer.json
+    )
 ```
 
 * Login (With two-factor authentication)
@@ -237,7 +237,7 @@ async def on_login(request):
     )  # Custom method for emailing verification code.
     response = json(
         "Login successful! Two-factor authentication required.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     authentication_session.encode(response)
     two_step_session.encode(response)
@@ -255,14 +255,13 @@ Fulfills client authentication session's second factor requirement via two-step
 | **code** | XGED2U |
 
 ```python
-@app.post("api/security/fulfill-2fa")
+@app.put("api/security/fulfill-2fa")
 async def on_two_factor_authentication(request):
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
-    authentication_session.encode(response)
     return response
 ```
 

sanic_security-1.15.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/authentication.py,sha256=3Pit1B4PN_MRvwAlhYPHl_6DGD9JVpdPjgjiyKQJanM,13145
+sanic_security/authorization.py,sha256=jAxfDT9cHN_zpMKcA3oYFZ5Eu2KItnMJZ7oPcqmMwrw,7537
+sanic_security/configuration.py,sha256=_E66ts5g9t_XHW9ZAnr48rWVcZmGNu_DWGDxm_AVVWE,5681
+sanic_security/exceptions.py,sha256=9zISLyAvP6qN8sNR8e5qxKP__FA4NLIXCun_fEKndOw,5297
+sanic_security/models.py,sha256=v4ZnvZonwrgxnXKPHLQYNtEDJAE2Ri0TGEAbLX0VWTo,22429
+sanic_security/utils.py,sha256=Y_qs3UVuOXHnDWelAxNC6VLeB5lMeSv3xRty9xYlHOw,3538
+sanic_security/verification.py,sha256=9bi8-NZ8GE3rcuELZ63yh18zDg8RxvxGPkhAu5SzLn0,8692
+sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/test/server.py,sha256=RjL9Kfvkfqpm5TXWwFQKKa0J4hfTKgwI6U0s_TAKO8w,11984
+sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
+sanic_security-1.15.0.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.15.0.dist-info/METADATA,sha256=7bxyaqAFp0hm6ldrbuux1Dwth8OtXVcffKelbV8zkl8,23247
+sanic_security-1.15.0.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+sanic_security-1.15.0.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.15.0.dist-info/RECORD,,

{sanic_security-1.14.0.dist-info → sanic_security-1.15.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.5.0)
+Generator: setuptools (75.6.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

sanic_security-1.14.0.dist-info/RECORD

@@ -1,16 +0,0 @@
-sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=dq7Yt_1xm9_LSZgMZkyzgcvG46NUQsysEb3s5pgO7BE,13165
-sanic_security/authorization.py,sha256=QvLsaOWu3te0Y75tqChrEXQP5CR92nsRU7LXiUWy5cw,7541
-sanic_security/configuration.py,sha256=h-Kh4PalJpjbDcZvVHCzxX5l-GnldP3Fr8OlgGCZNHY,5680
-sanic_security/exceptions.py,sha256=JiCaBR2kjE1Cj0fc_08y-32fqJJXa_1UCw205T4_RTY,5493
-sanic_security/models.py,sha256=bK5daR6Iq7V7aqNSzksH6DGrCXMj2e4feNRhlxlFQMg,22722
-sanic_security/utils.py,sha256=tgewsCAkNl_NkobHaDlZNIgVopQPiD8SWb6UC6tBYNs,3151
-sanic_security/verification.py,sha256=olmpP2AwXKILRVRnDf7AMRJuK5Fs_i5ESHXSH94A-Yk,8694
-sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=hLvT2mG1VXeV7nE6r1avoSOTa1qMSS6jL0qTizyCdOY,12029
-sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
-sanic_security-1.14.0.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.14.0.dist-info/METADATA,sha256=ynu6jYXbs9s7ZQi8l2Z2Ilm93Yu8JxQukx-swbOcQIc,23306
-sanic_security-1.14.0.dist-info/WHEEL,sha256=R06PA3UVYHThwHvxuRWMqaGcr-PuniXahwjmQRFMEkY,91
-sanic_security-1.14.0.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.14.0.dist-info/RECORD,,