sanic-security 1.14.1__py3-none-any.whl → 1.15.1__py3-none-any.whl

sanic_security/authentication.py

@@ -17,7 +17,7 @@ from sanic_security.exceptions import (
     AuditWarning,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
-from sanic_security.utils import get_ip, password_hasher, secure_headers
+from sanic_security.utils import get_ip, password_hasher
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -183,7 +183,7 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     """
     authentication_session = await AuthenticationSession.decode(request)
     if not authentication_session.requires_second_factor:
-        raise SecondFactorFulfilledError()
+        raise SecondFactorFulfilledError
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     await two_step_session.check_code(request.form.get("code"))
@@ -284,7 +284,7 @@ def validate_password(password: str) -> str:
 
 def initialize_security(app: Sanic, create_root=True) -> None:
     """
-    Audits configuration, creates root administrator account, and attaches response handler middleware.
+    Audits configuration, creates root administrator account, and attaches refresh encoder middleware.
 
     Args:
         app (Sanic): The main Sanic application instance.
@@ -356,11 +356,8 @@ def initialize_security(app: Sanic, create_root=True) -> None:
             logger.info("Initial admin account created.")
 
         @app.on_response
-        async def response_handler_middleware(request, response):
-            if hasattr(request.ctx, "session"):
-                secure_headers.set_headers(response)
-                if (
-                    hasattr(request.ctx.session, "is_refresh")
-                    and request.ctx.session.is_refresh
-                ):
-                    request.ctx.session.encode(response)
+        async def refresh_encoder_middleware(request, response):
+            if hasattr(request.ctx, "session") and getattr(
+                request.ctx.session, "is_refresh", False
+            ):
+                request.ctx.session.encode(response)

sanic_security/authorization.py

@@ -62,7 +62,7 @@ async def check_permissions(
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         for required_permission, role_permission in zip(
@@ -104,7 +104,7 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         if role.name in required_roles:

sanic_security/configuration.py

@@ -33,8 +33,8 @@ DEFAULT_CONFIG = {
     "SESSION_DOMAIN": None,
     "SESSION_PREFIX": "tkn",
     "SESSION_ENCODING_ALGORITHM": "HS256",
-    "MAX_CHALLENGE_ATTEMPTS": 5,
-    "CAPTCHA_SESSION_EXPIRATION": 60,
+    "MAX_CHALLENGE_ATTEMPTS": 3,
+    "CAPTCHA_SESSION_EXPIRATION": 180,
     "CAPTCHA_FONT": "captcha-font.ttf",
     "CAPTCHA_VOICE": "captcha-voice/",
     "TWO_STEP_SESSION_EXPIRATION": 300,

sanic_security/exceptions.py

@@ -145,15 +145,6 @@ class ExpiredError(SessionError):
         super().__init__("Session has expired.")
 
 
-class NotExpiredError(SessionError):
-    """
-    Raised when session needs to be expired.
-    """
-
-    def __init__(self):
-        super().__init__("Session has not expired yet.", 403)
-
-
 class SecondFactorRequiredError(SessionError):
     """
     Raised when authentication session two-factor requirement isn't met.

sanic_security/models.py

@@ -1,6 +1,8 @@
 import base64
 import datetime
+import logging
 import re
+import uuid
 from typing import Union
 
 import jwt
@@ -19,6 +21,7 @@ from sanic_security.utils import (
     get_expiration_date,
     image_generator,
     audio_generator,
+    is_expired,
 )
 
 """
@@ -55,7 +58,9 @@ class BaseModel(Model):
         deleted (bool): Renders the model filterable without removing from the database.
     """
 
-    id: int = fields.IntField(pk=True)
+    id: str = fields.CharField(
+        pk=True, max_length=36, default=lambda: str(uuid.uuid4())
+    )
     date_created: datetime.datetime = fields.DatetimeField(auto_now_add=True)
     date_updated: datetime.datetime = fields.DatetimeField(auto_now=True)
     deleted: bool = fields.BooleanField(default=False)
@@ -67,7 +72,7 @@ class BaseModel(Model):
         Raises:
             SecurityError
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:
@@ -89,7 +94,7 @@ class BaseModel(Model):
                     }
 
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     class Meta:
         abstract = True
@@ -148,9 +153,9 @@ class Account(BaseModel):
         if self.deleted:
             raise DeletedError("Account has been deleted.")
         elif not self.verified:
-            raise UnverifiedError()
+            raise UnverifiedError
         elif self.disabled:
-            raise DisabledError()
+            raise DisabledError
 
     async def disable(self):
         """
@@ -321,12 +326,9 @@ class Session(BaseModel):
         if self.deleted:
             raise DeletedError("Session has been deleted.")
         elif not self.active:
-            raise DeactivatedError()
-        elif (
-            self.expiration_date
-            and datetime.datetime.now(datetime.timezone.utc) >= self.expiration_date
-        ):
-            raise ExpiredError()
+            raise DeactivatedError
+        elif is_expired(self.expiration_date):
+            raise ExpiredError
 
     async def deactivate(self):
         """
@@ -416,7 +418,7 @@ class Session(BaseModel):
         Returns:
             session
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @classmethod
     async def get_associated(cls, account: Account):
@@ -517,15 +519,15 @@ class VerificationSession(Session):
             ChallengeError
             MaxedOutChallengeError
         """
-        if self.code != code.upper():
+        if not code or self.code != code.upper():
+            self.attempts += 1
             if self.attempts < security_config.MAX_CHALLENGE_ATTEMPTS:
-                self.attempts += 1
                 await self.save(update_fields=["attempts"])
                 raise ChallengeError(
                     "Your code does not match verification session code."
                 )
             else:
-                raise MaxedOutChallengeError()
+                raise MaxedOutChallengeError
         else:
             await self.deactivate()
 
@@ -540,9 +542,13 @@ class VerificationSession(Session):
 class TwoStepSession(VerificationSession):
     """Validates a client using a code sent via email or text."""
 
+    code: str = fields.CharField(
+        max_length=6, default=lambda: get_code(True), null=True
+    )
+
     @classmethod
     async def new(cls, request: Request, account: Account, **kwargs):
-        return await TwoStepSession.create(
+        return await cls.create(
             **kwargs,
             ip=get_ip(request),
             bearer=account,
@@ -560,7 +566,7 @@ class CaptchaSession(VerificationSession):
 
     @classmethod
     async def new(cls, request: Request, **kwargs):
-        return await CaptchaSession.create(
+        return await cls.create(
             **kwargs,
             ip=get_ip(request),
             expiration_date=get_expiration_date(
@@ -621,45 +627,36 @@ class AuthenticationSession(Session):
         """
         super().validate()
         if self.requires_second_factor:
-            raise SecondFactorRequiredError()
+            raise SecondFactorRequiredError
 
     async def refresh(self, request: Request):
         """
-        Refreshes session if expired and within refresh date.
+        Refreshes session if within refresh date.
 
         Args:
             request (Request): Sanic request parameter.
 
         Raises:
-            DeletedError
             ExpiredError
-            DeactivatedError
-            SecondFactorRequiredError
-            NotExpiredError
 
         Returns:
             session
         """
-        try:
-            self.validate()
-            raise NotExpiredError()
-        except ExpiredError as e:
-            if (
-                self.refresh_expiration_date
-                and datetime.datetime.now(datetime.timezone.utc)
-                <= self.refresh_expiration_date
-            ):
-                self.active = False
-                await self.save(update_fields=["active"])
-                return await self.new(request, self.bearer, True)
-            else:
-                raise e
+        if not is_expired(self.refresh_expiration_date):
+            self.active = False
+            await self.save(update_fields=["active"])
+            logging.info(
+                f"Client {get_ip(request)} has refreshed authentication session {self.id}."
+            )
+            return await self.new(request, self.bearer, True)
+        else:
+            raise ExpiredError
 
     @classmethod
     async def new(
         cls, request: Request, account: Account = None, is_refresh=False, **kwargs
     ):
-        authentication_session = await AuthenticationSession.create(
+        authentication_session = await cls.create(
             **kwargs,
             bearer=account,
             ip=get_ip(request),
@@ -692,7 +689,7 @@ class Role(BaseModel):
     permissions: str = fields.CharField(max_length=255, null=True)
 
     def validate(self) -> None:
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:

sanic_security/utils.py

@@ -1,13 +1,12 @@
 import datetime
 import random
-import string
+from string import ascii_uppercase, digits
 
 from argon2 import PasswordHasher
 from captcha.audio import AudioCaptcha
 from captcha.image import ImageCaptcha
 from sanic.request import Request
 from sanic.response import json as sanic_json, HTTPResponse
-from secure import Secure
 
 from sanic_security.configuration import config
 
@@ -38,7 +37,6 @@ image_generator = ImageCaptcha(
 )
 audio_generator = AudioCaptcha(voicedir=config.CAPTCHA_VOICE)
 password_hasher = PasswordHasher()
-secure_headers = Secure.with_default_headers()
 
 
 def get_ip(request: Request) -> str:
@@ -54,35 +52,33 @@ def get_ip(request: Request) -> str:
     return request.remote_addr or request.ip
 
 
-def get_code() -> str:
+def get_code(digits_only: bool = False) -> str:
     """
     Generates random code to be used for verification.
 
+    Args:
+        digits_only: Determines if code should only contain digits.
+
     Returns:
         code
     """
     return "".join(
-        random.choice(string.ascii_uppercase + string.digits) for _ in range(6)
+        random.choice(("" if digits_only else ascii_uppercase) + digits)
+        for _ in range(6)
     )
 
 
-def json(
-    message: str, data, status_code: int = 200
-) -> HTTPResponse:  # May be causing fixture error bc of json property
+def is_expired(date):
     """
-    A preformatted Sanic json response.
+    Checks if current date has surpassed the date passed into the function.
 
     Args:
-        message (int): Message describing data or relaying human-readable information.
-        data (Any): Raw information to be used by client.
-        status_code (int): HTTP response code.
+        date: The date being checked for expiration.
 
     Returns:
-        json
+        is_expired
     """
-    return sanic_json(
-        {"message": message, "code": status_code, "data": data}, status=status_code
-    )
+    return date and datetime.datetime.now(datetime.timezone.utc) >= date
 
 
 def get_expiration_date(seconds: int) -> datetime.datetime:
@@ -100,3 +96,22 @@ def get_expiration_date(seconds: int) -> datetime.datetime:
         if seconds > 0
         else None
     )
+
+
+def json(
+    message: str, data, status_code: int = 200
+) -> HTTPResponse:  # May be causing fixture error bc of json property
+    """
+    A preformatted Sanic json response.
+
+    Args:
+        message (int): Message describing data or relaying human-readable information.
+        data (Any): Raw information to be used by client.
+        status_code (int): HTTP response code.
+
+    Returns:
+        json
+    """
+    return sanic_json(
+        {"message": message, "code": status_code, "data": data}, status=status_code
+    )

sanic_security/verification.py

@@ -164,7 +164,7 @@ async def verify_account(request: Request) -> TwoStepSession:
     """
     two_step_session = await TwoStepSession.decode(request)
     if two_step_session.bearer.verified:
-        raise VerifiedError()
+        raise VerifiedError
     two_step_session.validate()
     try:
         await two_step_session.check_code(request.form.get("code"))

{sanic_security-1.14.1.dist-info → sanic_security-1.15.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.14.1
+Version: 1.15.1
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -20,7 +20,6 @@ Requires-Dist: captcha>=0.4
 Requires-Dist: pillow>=9.5.0
 Requires-Dist: argon2-cffi>=20.1.0
 Requires-Dist: sanic>=21.3.0
-Requires-Dist: secure>=1.0.1
 Provides-Extra: dev
 Requires-Dist: httpx; extra == "dev"
 Requires-Dist: black; extra == "dev"
@@ -149,11 +148,11 @@ You can load environment variables with a different prefix via `config.load_envi
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
 | **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
-| **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
-| **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
+| **MAX_CHALLENGE_ATTEMPTS**            | 3                            | The maximum amount of session challenge attempts allowed.                                                                        |
+| **CAPTCHA_SESSION_EXPIRATION**        | 180                          | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation. Several fonts can be used by separating them via comma.             |
 | **CAPTCHA_VOICE**                     | captcha-voice/               | The directory of the voice library being used for audio captcha generation.                                                      |
-| **TWO_STEP_SESSION_EXPIRATION**       | 200                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
+| **TWO_STEP_SESSION_EXPIRATION**       | 300                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
 | **AUTHENTICATION_SESSION_EXPIRATION** | 86400                        | The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.                  |
 | **AUTHENTICATION_REFRESH_EXPIRATION** | 604800                       | The amount of seconds till authentication refresh expiration. Setting to 0 will disable refresh mechanism.                       |
 | **ALLOW_LOGIN_WITH_USERNAME**         | False                        | Allows login via username; unique constraint is disabled when set to false.                                                      |
@@ -196,8 +195,7 @@ async def on_register(request):
         account.email, two_step_session.code  # Code = 24KF19
     )  # Custom method for emailing verification code.
     response = json(
-        "Registration successful! Email verification required.",
-        two_step_session.json,
+        "Registration successful! Email verification required.", account.json
     )
     two_step_session.encode(response)
     return response
@@ -215,7 +213,9 @@ Verifies the client's account via two-step session code.
 @app.put("api/security/verify")
 async def on_verify(request):
     two_step_session = await verify_account(request)
-    return json("You have verified your account and may login!", two_step_session.json)
+    return json(
+        "You have verified your account and may login!", two_step_session.bearer.json
+    )
 ```
 
 * Login (With two-factor authentication)
@@ -237,7 +237,7 @@ async def on_login(request):
     )  # Custom method for emailing verification code.
     response = json(
         "Login successful! Two-factor authentication required.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     authentication_session.encode(response)
     two_step_session.encode(response)
@@ -260,7 +260,7 @@ async def on_two_factor_authentication(request):
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     return response
 ```

sanic_security-1.15.1.dist-info/RECORD

@@ -0,0 +1,16 @@
+sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/authentication.py,sha256=3Pit1B4PN_MRvwAlhYPHl_6DGD9JVpdPjgjiyKQJanM,13145
+sanic_security/authorization.py,sha256=jAxfDT9cHN_zpMKcA3oYFZ5Eu2KItnMJZ7oPcqmMwrw,7537
+sanic_security/configuration.py,sha256=_E66ts5g9t_XHW9ZAnr48rWVcZmGNu_DWGDxm_AVVWE,5681
+sanic_security/exceptions.py,sha256=9zISLyAvP6qN8sNR8e5qxKP__FA4NLIXCun_fEKndOw,5297
+sanic_security/models.py,sha256=TytuQTjfKslPr893-mCYSzsRK7gfJtXmDz656iCCM0k,22530
+sanic_security/utils.py,sha256=Il5MjFzVe975yx_CV2HV_LVQYl2W3XYDRGtCG5CQA8Q,3531
+sanic_security/verification.py,sha256=9bi8-NZ8GE3rcuELZ63yh18zDg8RxvxGPkhAu5SzLn0,8692
+sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sanic_security/test/server.py,sha256=RjL9Kfvkfqpm5TXWwFQKKa0J4hfTKgwI6U0s_TAKO8w,11984
+sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
+sanic_security-1.15.1.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.15.1.dist-info/METADATA,sha256=EINxdSgG_LLkPu3QqXo1CMe_-GTQk5QDhO3b3909quI,23247
+sanic_security-1.15.1.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+sanic_security-1.15.1.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.15.1.dist-info/RECORD,,

sanic_security-1.14.1.dist-info/RECORD

@@ -1,16 +0,0 @@
-sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=ksHa4E82kNXNRKGSqeO28xfQWdF2pJDxUaaQy9snKwU,13299
-sanic_security/authorization.py,sha256=QvLsaOWu3te0Y75tqChrEXQP5CR92nsRU7LXiUWy5cw,7541
-sanic_security/configuration.py,sha256=h-Kh4PalJpjbDcZvVHCzxX5l-GnldP3Fr8OlgGCZNHY,5680
-sanic_security/exceptions.py,sha256=JiCaBR2kjE1Cj0fc_08y-32fqJJXa_1UCw205T4_RTY,5493
-sanic_security/models.py,sha256=bK5daR6Iq7V7aqNSzksH6DGrCXMj2e4feNRhlxlFQMg,22722
-sanic_security/utils.py,sha256=tgewsCAkNl_NkobHaDlZNIgVopQPiD8SWb6UC6tBYNs,3151
-sanic_security/verification.py,sha256=olmpP2AwXKILRVRnDf7AMRJuK5Fs_i5ESHXSH94A-Yk,8694
-sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/test/server.py,sha256=RjL9Kfvkfqpm5TXWwFQKKa0J4hfTKgwI6U0s_TAKO8w,11984
-sanic_security/test/tests.py,sha256=bW5fHJfsCrg8eBmcSqVMLm0R5XRL1ou-XJJRgz09GOE,21993
-sanic_security-1.14.1.dist-info/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.14.1.dist-info/METADATA,sha256=It9-aEffADsbk5GJGO0SEG2DUd1wTq7FRl64l5oMcdA,23259
-sanic_security-1.14.1.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
-sanic_security-1.14.1.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.14.1.dist-info/RECORD,,