sanic-security 1.14.1__tar.gz → 1.15.0__tar.gz

{sanic_security-1.14.1/sanic_security.egg-info → sanic_security-1.15.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.14.1
+Version: 1.15.0
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -20,7 +20,6 @@ Requires-Dist: captcha>=0.4
 Requires-Dist: pillow>=9.5.0
 Requires-Dist: argon2-cffi>=20.1.0
 Requires-Dist: sanic>=21.3.0
-Requires-Dist: secure>=1.0.1
 Provides-Extra: dev
 Requires-Dist: httpx; extra == "dev"
 Requires-Dist: black; extra == "dev"
@@ -149,11 +148,11 @@ You can load environment variables with a different prefix via `config.load_envi
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
 | **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
-| **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
-| **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
+| **MAX_CHALLENGE_ATTEMPTS**            | 3                            | The maximum amount of session challenge attempts allowed.                                                                        |
+| **CAPTCHA_SESSION_EXPIRATION**        | 180                          | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation. Several fonts can be used by separating them via comma.             |
 | **CAPTCHA_VOICE**                     | captcha-voice/               | The directory of the voice library being used for audio captcha generation.                                                      |
-| **TWO_STEP_SESSION_EXPIRATION**       | 200                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
+| **TWO_STEP_SESSION_EXPIRATION**       | 300                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
 | **AUTHENTICATION_SESSION_EXPIRATION** | 86400                        | The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.                  |
 | **AUTHENTICATION_REFRESH_EXPIRATION** | 604800                       | The amount of seconds till authentication refresh expiration. Setting to 0 will disable refresh mechanism.                       |
 | **ALLOW_LOGIN_WITH_USERNAME**         | False                        | Allows login via username; unique constraint is disabled when set to false.                                                      |
@@ -196,8 +195,7 @@ async def on_register(request):
         account.email, two_step_session.code  # Code = 24KF19
     )  # Custom method for emailing verification code.
     response = json(
-        "Registration successful! Email verification required.",
-        two_step_session.json,
+        "Registration successful! Email verification required.", account.json
     )
     two_step_session.encode(response)
     return response
@@ -215,7 +213,9 @@ Verifies the client's account via two-step session code.
 @app.put("api/security/verify")
 async def on_verify(request):
     two_step_session = await verify_account(request)
-    return json("You have verified your account and may login!", two_step_session.json)
+    return json(
+        "You have verified your account and may login!", two_step_session.bearer.json
+    )
 ```
 
 * Login (With two-factor authentication)
@@ -237,7 +237,7 @@ async def on_login(request):
     )  # Custom method for emailing verification code.
     response = json(
         "Login successful! Two-factor authentication required.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     authentication_session.encode(response)
     two_step_session.encode(response)
@@ -260,7 +260,7 @@ async def on_two_factor_authentication(request):
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     return response
 ```

{sanic_security-1.14.1 → sanic_security-1.15.0}/README.md

@@ -117,11 +117,11 @@ You can load environment variables with a different prefix via `config.load_envi
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
 | **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
-| **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
-| **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
+| **MAX_CHALLENGE_ATTEMPTS**            | 3                            | The maximum amount of session challenge attempts allowed.                                                                        |
+| **CAPTCHA_SESSION_EXPIRATION**        | 180                          | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation. Several fonts can be used by separating them via comma.             |
 | **CAPTCHA_VOICE**                     | captcha-voice/               | The directory of the voice library being used for audio captcha generation.                                                      |
-| **TWO_STEP_SESSION_EXPIRATION**       | 200                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
+| **TWO_STEP_SESSION_EXPIRATION**       | 300                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
 | **AUTHENTICATION_SESSION_EXPIRATION** | 86400                        | The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.                  |
 | **AUTHENTICATION_REFRESH_EXPIRATION** | 604800                       | The amount of seconds till authentication refresh expiration. Setting to 0 will disable refresh mechanism.                       |
 | **ALLOW_LOGIN_WITH_USERNAME**         | False                        | Allows login via username; unique constraint is disabled when set to false.                                                      |
@@ -164,8 +164,7 @@ async def on_register(request):
         account.email, two_step_session.code  # Code = 24KF19
     )  # Custom method for emailing verification code.
     response = json(
-        "Registration successful! Email verification required.",
-        two_step_session.json,
+        "Registration successful! Email verification required.", account.json
     )
     two_step_session.encode(response)
     return response
@@ -183,7 +182,9 @@ Verifies the client's account via two-step session code.
 @app.put("api/security/verify")
 async def on_verify(request):
     two_step_session = await verify_account(request)
-    return json("You have verified your account and may login!", two_step_session.json)
+    return json(
+        "You have verified your account and may login!", two_step_session.bearer.json
+    )
 ```
 
 * Login (With two-factor authentication)
@@ -205,7 +206,7 @@ async def on_login(request):
     )  # Custom method for emailing verification code.
     response = json(
         "Login successful! Two-factor authentication required.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     authentication_session.encode(response)
     two_step_session.encode(response)
@@ -228,7 +229,7 @@ async def on_two_factor_authentication(request):
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     return response
 ```

{sanic_security-1.14.1 → sanic_security-1.15.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sanic-security"
-version = "1.14.1"
+version = "1.15.0"
 requires-python = ">=3.8"
 dependencies = [
     "tortoise-orm>=0.17.0",
@@ -13,7 +13,6 @@ dependencies = [
     "pillow>=9.5.0",
     "argon2-cffi>=20.1.0",
     "sanic>=21.3.0",
-    "secure>=1.0.1"
 ]
 description = "An async security library for the Sanic framework."
 authors = [

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/authentication.py

@@ -17,7 +17,7 @@ from sanic_security.exceptions import (
     AuditWarning,
 )
 from sanic_security.models import Account, AuthenticationSession, Role, TwoStepSession
-from sanic_security.utils import get_ip, password_hasher, secure_headers
+from sanic_security.utils import get_ip, password_hasher
 
 """
 Copyright (c) 2020-present Nicholas Aidan Stewart
@@ -183,7 +183,7 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
     """
     authentication_session = await AuthenticationSession.decode(request)
     if not authentication_session.requires_second_factor:
-        raise SecondFactorFulfilledError()
+        raise SecondFactorFulfilledError
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     await two_step_session.check_code(request.form.get("code"))
@@ -284,7 +284,7 @@ def validate_password(password: str) -> str:
 
 def initialize_security(app: Sanic, create_root=True) -> None:
     """
-    Audits configuration, creates root administrator account, and attaches response handler middleware.
+    Audits configuration, creates root administrator account, and attaches refresh encoder middleware.
 
     Args:
         app (Sanic): The main Sanic application instance.
@@ -356,11 +356,8 @@ def initialize_security(app: Sanic, create_root=True) -> None:
             logger.info("Initial admin account created.")
 
         @app.on_response
-        async def response_handler_middleware(request, response):
-            if hasattr(request.ctx, "session"):
-                secure_headers.set_headers(response)
-                if (
-                    hasattr(request.ctx.session, "is_refresh")
-                    and request.ctx.session.is_refresh
-                ):
-                    request.ctx.session.encode(response)
+        async def refresh_encoder_middleware(request, response):
+            if hasattr(request.ctx, "session") and getattr(
+                request.ctx.session, "is_refresh", False
+            ):
+                request.ctx.session.encode(response)

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/authorization.py

@@ -62,7 +62,7 @@ async def check_permissions(
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         for required_permission, role_permission in zip(
@@ -104,7 +104,7 @@ async def check_roles(request: Request, *required_roles: str) -> AuthenticationS
         logger.warning(
             f"Client {get_ip(request)} attempted an unauthorized action anonymously."
         )
-        raise AnonymousError()
+        raise AnonymousError
     roles = await authentication_session.bearer.roles.filter(deleted=False).all()
     for role in roles:
         if role.name in required_roles:

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/configuration.py

@@ -33,8 +33,8 @@ DEFAULT_CONFIG = {
     "SESSION_DOMAIN": None,
     "SESSION_PREFIX": "tkn",
     "SESSION_ENCODING_ALGORITHM": "HS256",
-    "MAX_CHALLENGE_ATTEMPTS": 5,
-    "CAPTCHA_SESSION_EXPIRATION": 60,
+    "MAX_CHALLENGE_ATTEMPTS": 3,
+    "CAPTCHA_SESSION_EXPIRATION": 180,
     "CAPTCHA_FONT": "captcha-font.ttf",
     "CAPTCHA_VOICE": "captcha-voice/",
     "TWO_STEP_SESSION_EXPIRATION": 300,

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/exceptions.py

@@ -145,15 +145,6 @@ class ExpiredError(SessionError):
         super().__init__("Session has expired.")
 
 
-class NotExpiredError(SessionError):
-    """
-    Raised when session needs to be expired.
-    """
-
-    def __init__(self):
-        super().__init__("Session has not expired yet.", 403)
-
-
 class SecondFactorRequiredError(SessionError):
     """
     Raised when authentication session two-factor requirement isn't met.

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/models.py

@@ -1,5 +1,6 @@
 import base64
 import datetime
+import logging
 import re
 from typing import Union
 
@@ -19,6 +20,8 @@ from sanic_security.utils import (
     get_expiration_date,
     image_generator,
     audio_generator,
+    get_id,
+    is_expired,
 )
 
 """
@@ -55,7 +58,7 @@ class BaseModel(Model):
         deleted (bool): Renders the model filterable without removing from the database.
     """
 
-    id: int = fields.IntField(pk=True)
+    id: str = fields.CharField(pk=True, max_length=36, default=get_id)
     date_created: datetime.datetime = fields.DatetimeField(auto_now_add=True)
     date_updated: datetime.datetime = fields.DatetimeField(auto_now=True)
     deleted: bool = fields.BooleanField(default=False)
@@ -67,7 +70,7 @@ class BaseModel(Model):
         Raises:
             SecurityError
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:
@@ -89,7 +92,7 @@ class BaseModel(Model):
                     }
 
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     class Meta:
         abstract = True
@@ -148,9 +151,9 @@ class Account(BaseModel):
         if self.deleted:
             raise DeletedError("Account has been deleted.")
         elif not self.verified:
-            raise UnverifiedError()
+            raise UnverifiedError
         elif self.disabled:
-            raise DisabledError()
+            raise DisabledError
 
     async def disable(self):
         """
@@ -321,12 +324,9 @@ class Session(BaseModel):
         if self.deleted:
             raise DeletedError("Session has been deleted.")
         elif not self.active:
-            raise DeactivatedError()
-        elif (
-            self.expiration_date
-            and datetime.datetime.now(datetime.timezone.utc) >= self.expiration_date
-        ):
-            raise ExpiredError()
+            raise DeactivatedError
+        elif is_expired(self.expiration_date):
+            raise ExpiredError
 
     async def deactivate(self):
         """
@@ -416,7 +416,7 @@ class Session(BaseModel):
         Returns:
             session
         """
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @classmethod
     async def get_associated(cls, account: Account):
@@ -517,15 +517,15 @@ class VerificationSession(Session):
             ChallengeError
             MaxedOutChallengeError
         """
-        if self.code != code.upper():
+        if not code or self.code != code.upper():
+            self.attempts += 1
             if self.attempts < security_config.MAX_CHALLENGE_ATTEMPTS:
-                self.attempts += 1
                 await self.save(update_fields=["attempts"])
                 raise ChallengeError(
                     "Your code does not match verification session code."
                 )
             else:
-                raise MaxedOutChallengeError()
+                raise MaxedOutChallengeError
         else:
             await self.deactivate()
 
@@ -621,39 +621,30 @@ class AuthenticationSession(Session):
         """
         super().validate()
         if self.requires_second_factor:
-            raise SecondFactorRequiredError()
+            raise SecondFactorRequiredError
 
     async def refresh(self, request: Request):
         """
-        Refreshes session if expired and within refresh date.
+        Refreshes session if within refresh date.
 
         Args:
             request (Request): Sanic request parameter.
 
         Raises:
-            DeletedError
             ExpiredError
-            DeactivatedError
-            SecondFactorRequiredError
-            NotExpiredError
 
         Returns:
             session
         """
-        try:
-            self.validate()
-            raise NotExpiredError()
-        except ExpiredError as e:
-            if (
-                self.refresh_expiration_date
-                and datetime.datetime.now(datetime.timezone.utc)
-                <= self.refresh_expiration_date
-            ):
-                self.active = False
-                await self.save(update_fields=["active"])
-                return await self.new(request, self.bearer, True)
-            else:
-                raise e
+        if not is_expired(self.refresh_expiration_date):
+            self.active = False
+            await self.save(update_fields=["active"])
+            logging.warning(
+                f"Client {get_ip(request)} has refreshed authentication session {self.id}."
+            )
+            return await self.new(request, self.bearer, True)
+        else:
+            raise ExpiredError
 
     @classmethod
     async def new(
@@ -692,7 +683,7 @@ class Role(BaseModel):
     permissions: str = fields.CharField(max_length=255, null=True)
 
     def validate(self) -> None:
-        raise NotImplementedError()
+        raise NotImplementedError
 
     @property
     def json(self) -> dict:

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/utils.py

@@ -1,13 +1,13 @@
 import datetime
 import random
 import string
+import uuid
 
 from argon2 import PasswordHasher
 from captcha.audio import AudioCaptcha
 from captcha.image import ImageCaptcha
 from sanic.request import Request
 from sanic.response import json as sanic_json, HTTPResponse
-from secure import Secure
 
 from sanic_security.configuration import config
 
@@ -38,7 +38,6 @@ image_generator = ImageCaptcha(
 )
 audio_generator = AudioCaptcha(voicedir=config.CAPTCHA_VOICE)
 password_hasher = PasswordHasher()
-secure_headers = Secure.with_default_headers()
 
 
 def get_ip(request: Request) -> str:
@@ -66,23 +65,27 @@ def get_code() -> str:
     )
 
 
-def json(
-    message: str, data, status_code: int = 200
-) -> HTTPResponse:  # May be causing fixture error bc of json property
+def get_id() -> str:
     """
-    A preformatted Sanic json response.
+    Generates uuid to be used for primary key.
+
+    Returns:
+        id
+    """
+    return str(uuid.uuid4())
+
+
+def is_expired(date):
+    """
+    Checks if current date has surpassed the date passed into the function.
 
     Args:
-        message (int): Message describing data or relaying human-readable information.
-        data (Any): Raw information to be used by client.
-        status_code (int): HTTP response code.
+        date: The date being checked for expiration.
 
     Returns:
-        json
+        is_expired
     """
-    return sanic_json(
-        {"message": message, "code": status_code, "data": data}, status=status_code
-    )
+    return date and datetime.datetime.now(datetime.timezone.utc) >= date
 
 
 def get_expiration_date(seconds: int) -> datetime.datetime:
@@ -100,3 +103,22 @@ def get_expiration_date(seconds: int) -> datetime.datetime:
         if seconds > 0
         else None
     )
+
+
+def json(
+    message: str, data, status_code: int = 200
+) -> HTTPResponse:  # May be causing fixture error bc of json property
+    """
+    A preformatted Sanic json response.
+
+    Args:
+        message (int): Message describing data or relaying human-readable information.
+        data (Any): Raw information to be used by client.
+        status_code (int): HTTP response code.
+
+    Returns:
+        json
+    """
+    return sanic_json(
+        {"message": message, "code": status_code, "data": data}, status=status_code
+    )

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security/verification.py

@@ -164,7 +164,7 @@ async def verify_account(request: Request) -> TwoStepSession:
     """
     two_step_session = await TwoStepSession.decode(request)
     if two_step_session.bearer.verified:
-        raise VerifiedError()
+        raise VerifiedError
     two_step_session.validate()
     try:
         await two_step_session.check_code(request.form.get("code"))

{sanic_security-1.14.1 → sanic_security-1.15.0/sanic_security.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: sanic-security
-Version: 1.14.1
+Version: 1.15.0
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -20,7 +20,6 @@ Requires-Dist: captcha>=0.4
 Requires-Dist: pillow>=9.5.0
 Requires-Dist: argon2-cffi>=20.1.0
 Requires-Dist: sanic>=21.3.0
-Requires-Dist: secure>=1.0.1
 Provides-Extra: dev
 Requires-Dist: httpx; extra == "dev"
 Requires-Dist: black; extra == "dev"
@@ -149,11 +148,11 @@ You can load environment variables with a different prefix via `config.load_envi
 | **SESSION_DOMAIN**                    | None                         | The Domain attribute of session cookies.                                                                                         |
 | **SESSION_ENCODING_ALGORITHM**        | HS256                        | The algorithm used to encode and decode session JWT's.                                                                           |
 | **SESSION_PREFIX**                    | tkn                          | Prefix attached to the beginning of session cookies.                                                                             |
-| **MAX_CHALLENGE_ATTEMPTS**            | 5                            | The maximum amount of session challenge attempts allowed.                                                                        |
-| **CAPTCHA_SESSION_EXPIRATION**        | 60                           | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
+| **MAX_CHALLENGE_ATTEMPTS**            | 3                            | The maximum amount of session challenge attempts allowed.                                                                        |
+| **CAPTCHA_SESSION_EXPIRATION**        | 180                          | The amount of seconds till captcha session expiration on creation. Setting to 0 will disable expiration.                         |
 | **CAPTCHA_FONT**                      | captcha-font.ttf             | The file path to the font being used for captcha generation. Several fonts can be used by separating them via comma.             |
 | **CAPTCHA_VOICE**                     | captcha-voice/               | The directory of the voice library being used for audio captcha generation.                                                      |
-| **TWO_STEP_SESSION_EXPIRATION**       | 200                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
+| **TWO_STEP_SESSION_EXPIRATION**       | 300                          | The amount of seconds till two-step session expiration on creation. Setting to 0 will disable expiration.                        |
 | **AUTHENTICATION_SESSION_EXPIRATION** | 86400                        | The amount of seconds till authentication session expiration on creation. Setting to 0 will disable expiration.                  |
 | **AUTHENTICATION_REFRESH_EXPIRATION** | 604800                       | The amount of seconds till authentication refresh expiration. Setting to 0 will disable refresh mechanism.                       |
 | **ALLOW_LOGIN_WITH_USERNAME**         | False                        | Allows login via username; unique constraint is disabled when set to false.                                                      |
@@ -196,8 +195,7 @@ async def on_register(request):
         account.email, two_step_session.code  # Code = 24KF19
     )  # Custom method for emailing verification code.
     response = json(
-        "Registration successful! Email verification required.",
-        two_step_session.json,
+        "Registration successful! Email verification required.", account.json
     )
     two_step_session.encode(response)
     return response
@@ -215,7 +213,9 @@ Verifies the client's account via two-step session code.
 @app.put("api/security/verify")
 async def on_verify(request):
     two_step_session = await verify_account(request)
-    return json("You have verified your account and may login!", two_step_session.json)
+    return json(
+        "You have verified your account and may login!", two_step_session.bearer.json
+    )
 ```
 
 * Login (With two-factor authentication)
@@ -237,7 +237,7 @@ async def on_login(request):
     )  # Custom method for emailing verification code.
     response = json(
         "Login successful! Two-factor authentication required.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     authentication_session.encode(response)
     two_step_session.encode(response)
@@ -260,7 +260,7 @@ async def on_two_factor_authentication(request):
     authentication_session = await fulfill_second_factor(request)
     response = json(
         "Authentication session second-factor fulfilled! You are now authenticated.",
-        authentication_session.json,
+        authentication_session.bearer.json,
     )
     return response
 ```

{sanic_security-1.14.1 → sanic_security-1.15.0}/sanic_security.egg-info/requires.txt

@@ -4,7 +4,6 @@ captcha>=0.4
 pillow>=9.5.0
 argon2-cffi>=20.1.0
 sanic>=21.3.0
-secure>=1.0.1
 
 [crypto]
 cryptography>=3.3.1