sanic-security 1.16.10__py3-none-any.whl → 1.16.12__py3-none-any.whl

sanic_security/authentication.py

@@ -12,7 +12,6 @@ from sanic_security.configuration import config, DEFAULT_CONFIG
 from sanic_security.exceptions import (
     CredentialsError,
     DeactivatedError,
-    SecondFactorFulfilledError,
     ExpiredError,
     AuditWarning,
 )
@@ -51,7 +50,7 @@ async def register(
     Args:
         request (Request): Sanic request parameter. Request body should contain form-data with the following argument(s): email, username, password, phone (including country code).
         verified (bool): Sets the verification requirement for the account being registered.
-        disabled (bool): Renders the account being registered unusable.
+        disabled (bool): Renders the account being registered unusable until manual activation.
 
     Returns:
         account
@@ -88,8 +87,9 @@ async def register(
 
 async def login(
     request: Request,
-    account: Account = None,
+    *,
     require_second_factor: bool = False,
+    email: str = None,
     password: str = None,
 ) -> AuthenticationSession:
     """
@@ -97,8 +97,8 @@ async def login(
 
     Args:
         request (Request): Sanic request parameter, login credentials are retrieved via the authorization header.
-        account (Account): Account being logged into, overrides account retrieved via email or username.
         require_second_factor (bool): Determines authentication session second factor requirement on login.
+        email (str): Email (or username) of account being logged into, overrides account retrieved via authorization header.
         password (str): Overrides user's password attempt retrieved via the authorization header.
 
     Returns:
@@ -111,10 +111,12 @@ async def login(
         UnverifiedError
         DisabledError
     """
-    if not account:
+    if not email:
         account, password = await Account.get_via_header(request)
     elif not password:
         raise CredentialsError("Password parameter is empty.")
+    else:
+        account = await Account.get_via_credential(email)
     try:
         password_hasher.verify(account.password, password)
         if password_hasher.check_needs_rehash(account.password):
@@ -176,14 +178,13 @@ async def fulfill_second_factor(request: Request) -> AuthenticationSession:
         DeactivatedError
         ChallengeError
         MaxedOutChallengeError
-        SecondFactorFulfilledError
 
     Returns:
          authentication_session
     """
     authentication_session = await AuthenticationSession.decode(request)
     if not authentication_session.requires_second_factor:
-        raise SecondFactorFulfilledError
+        raise DeactivatedError("Session second factor requirement already met.", 403)
     two_step_session = await TwoStepSession.decode(request)
     two_step_session.validate()
     await two_step_session.check_code(request.form.get("code"))
@@ -265,7 +266,7 @@ def requires_authentication(arg=None):
 
 def validate_password(password: str) -> str:
     """
-    Validates password requirements.
+    Validates password formatting requirements.
 
     Args:
         password (str): Password being validated.

sanic_security/exceptions.py

@@ -43,90 +43,63 @@ class SecurityError(SanicException):
 
 
 class NotFoundError(SecurityError):
-    """
-    Raised when a resource cannot be found.
-    """
+    """Raised when a resource cannot be found on the database."""
 
     def __init__(self, message):
         super().__init__(message, 404)
 
 
 class DeletedError(SecurityError):
-    """
-    Raised when attempting to access a deleted resource.
-    """
+    """Raised when attempting to access a resource marked as deleted."""
 
     def __init__(self, message):
         super().__init__(message, 404)
 
 
 class CredentialsError(SecurityError):
-    """
-    Raised when credentials are invalid.
-    """
+    """Raised when credentials are invalid."""
 
     def __init__(self, message, code=400):
         super().__init__(message, code)
 
 
 class OAuthError(SecurityError):
-    """
-    Raised when an error occurs during OAuth flow.
-    """
+    """Raised when an error occurs during OAuth flow."""
 
     def __init__(self, message, code=401):
         super().__init__(message, code)
 
 
 class AccountError(SecurityError):
-    """
-    Base account error that all other account errors derive from.
-    """
+    """Base account error that all other account errors derive from."""
 
     def __init__(self, message, code):
         super().__init__(message, code)
 
 
 class DisabledError(AccountError):
-    """
-    Raised when account is disabled.
-    """
+    """Raised when account is disabled."""
 
     def __init__(self, message: str = "Account is disabled.", code: int = 401):
         super().__init__(message, code)
 
 
 class UnverifiedError(AccountError):
-    """
-    Raised when account is unverified.
-    """
+    """Raised when account is unverified."""
 
     def __init__(self):
         super().__init__("Account requires verification.", 401)
 
 
-class VerifiedError(AccountError):
-    """
-    Raised when account is already verified.
-    """
-
-    def __init__(self):
-        super().__init__("Account already verified.", 403)
-
-
 class SessionError(SecurityError):
-    """
-    Base session error that all other session errors derive from.
-    """
+    """Base session error that all other session errors derive from."""
 
     def __init__(self, message, code=401):
         super().__init__(message, code)
 
 
 class JWTDecodeError(SessionError):
-    """
-    Raised when client JWT is invalid.
-    """
+    """Raised when client JWT is invalid."""
 
     def __init__(
         self, message="Session token invalid, not provided, or expired.", code=401
@@ -135,9 +108,7 @@ class JWTDecodeError(SessionError):
 
 
 class DeactivatedError(SessionError):
-    """
-    Raised when session is deactivated.
-    """
+    """Raised when session is deactivated."""
 
     def __init__(
         self,
@@ -148,69 +119,46 @@ class DeactivatedError(SessionError):
 
 
 class ExpiredError(SessionError):
-    """
-    Raised when session has expired.
-    """
+    """Raised when session has expired."""
 
     def __init__(self, message="Session has expired."):
         super().__init__(message)
 
 
 class SecondFactorRequiredError(SessionError):
-    """
-    Raised when authentication session two-factor requirement isn't met.
-    """
+    """Raised when authentication session two-factor requirement isn't met."""
 
     def __init__(self):
         super().__init__("Session requires second factor for authentication.")
 
 
-class SecondFactorFulfilledError(SessionError):
-    """
-    Raised when authentication session two-factor requirement is already met.
-    """
-
-    def __init__(self):
-        super().__init__("Session second factor requirement already met.", 403)
-
-
 class ChallengeError(SessionError):
-    """
-    Raised when a session challenge attempt is invalid.
-    """
+    """Raised when a session challenge attempt is invalid."""
 
     def __init__(self, message):
         super().__init__(message)
 
 
 class MaxedOutChallengeError(ChallengeError):
-    """
-    Raised when a session's challenge attempt limit is reached.
-    """
+    """Raised when a session's challenge attempt limit is reached."""
 
     def __init__(self):
         super().__init__("The maximum amount of attempts has been reached.")
 
 
 class AuthorizationError(SecurityError):
-    """
-    Raised when an account has insufficient permissions or roles for an action.
-    """
+    """Raised when an account has insufficient permissions or roles for an action."""
 
     def __init__(self, message):
         super().__init__(message, 403)
 
 
 class AnonymousError(AuthorizationError):
-    """
-    Raised when attempting to authorize an anonymous user.
-    """
+    """Raised when attempting to authorize an anonymous user."""
 
     def __init__(self):
         super().__init__("Session is anonymous.")
 
 
 class AuditWarning(Warning):
-    """
-    Raised when configuration may be dangerous.
-    """
+    """Raised when configuration may be dangerous."""

sanic_security/oauth.py

@@ -110,7 +110,7 @@ async def oauth_callback(
 
 def oauth_encode(response: HTTPResponse, token_info: dict) -> None:
     """
-    Transforms access token into JWT and then is stored in a cookie.
+    Transforms token info into JWT and then is stored in a cookie.
 
     Args:
         response (HTTPResponse): Sanic response used to store JWT into a cookie on the client.
@@ -133,33 +133,9 @@ def oauth_encode(response: HTTPResponse, token_info: dict) -> None:
     )
 
 
-async def oauth_revoke(request: Request, client: BaseOAuth2) -> dict:
-    """
-    Revokes the client's access token.
-
-    Args:
-        request (Request): Sanic request parameter.
-        client (BaseOAuth2): OAuth provider.
-
-    Raises:
-        OAuthError
-    """
-    if request.cookies.get(f"{config.SESSION_PREFIX}_oauth"):
-        try:
-            token_info = await oauth_decode(request, client, False)
-            request.ctx.oauth["revoked"] = True
-            with suppress(RevokeTokenNotSupportedError):
-                await client.revoke_token(
-                    token_info.get("access_token"), "access_token"
-                )
-            return token_info
-        except RevokeTokenError as e:
-            raise OAuthError(f"Failed to revoke access token {e.response.text}")
-
-
 async def oauth_decode(request: Request, client: BaseOAuth2, refresh=True) -> dict:
     """
-    Decodes JWT token from client cookie into an access token.
+    Decodes JWT from client cookie into token info.
 
     Args:
         request (Request): Sanic request parameter.
@@ -193,6 +169,30 @@ async def oauth_decode(request: Request, client: BaseOAuth2, refresh=True) -> di
         raise OAuthError(f"Access token invalid, not provided, or expired.", 400)
 
 
+async def oauth_revoke(request: Request, client: BaseOAuth2) -> dict:
+    """
+    Revokes the client's access token.
+
+    Args:
+        request (Request): Sanic request parameter.
+        client (BaseOAuth2): OAuth provider.
+
+    Raises:
+        OAuthError
+    """
+    if request.cookies.get(f"{config.SESSION_PREFIX}_oauth"):
+        try:
+            token_info = await oauth_decode(request, client, False)
+            request.ctx.oauth["revoked"] = True
+            with suppress(RevokeTokenNotSupportedError):
+                await client.revoke_token(
+                    token_info.get("access_token"), "access_token"
+                )
+            return token_info
+        except RevokeTokenError as e:
+            raise OAuthError(f"Failed to revoke access token {e.response.text}")
+
+
 def requires_oauth(client: BaseOAuth2):
     """
     Decodes JWT token from client cookie into an access token.
@@ -235,6 +235,7 @@ def initialize_oauth(app: Sanic) -> None:
     async def session_middleware(request, response):
         if hasattr(request.ctx, "oauth"):
             if request.ctx.oauth.get("is_refresh"):
+                del request.ctx.oauth["is_refresh"]
                 oauth_encode(response, request.ctx.oauth)
             elif request.ctx.oauth.get("revoked"):
                 response.delete_cookie(f"{config.SESSION_PREFIX}_oauth")

sanic_security/verification.py

@@ -7,8 +7,8 @@ from sanic.request import Request
 from sanic_security.exceptions import (
     JWTDecodeError,
     NotFoundError,
-    VerifiedError,
     MaxedOutChallengeError,
+    DeactivatedError,
 )
 from sanic_security.models import (
     Account,
@@ -157,14 +157,13 @@ async def verify_account(request: Request) -> TwoStepSession:
         DeactivatedError
         ChallengeError
         MaxedOutChallengeError
-        VerifiedError
 
     Returns:
          two_step_session
     """
     two_step_session = await TwoStepSession.decode(request)
     if two_step_session.bearer.verified:
-        raise VerifiedError
+        raise DeactivatedError("Account already verified.", 403)
     two_step_session.validate()
     try:
         await two_step_session.check_code(request.form.get("code"))

{sanic_security-1.16.10.dist-info → sanic_security-1.16.12.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sanic-security
-Version: 1.16.10
+Version: 1.16.12
 Summary: An async security library for the Sanic framework.
 Author-email: Aidan Stewart <me@na-stewart.com>
 Project-URL: Documentation, https://security.na-stewart.com/
@@ -71,13 +71,12 @@ Dynamic: license-file
 ## About The Project
 
 Sanic Security is an authentication, authorization, and verification library designed for use with the 
-[Sanic](https://github.com/huge-success/sanic) web app framework.
+[Sanic](https://github.com/huge-success/sanic) web app framework. Designed to prioritize rapid prototyping with forgiving syntax and structure.
 
 * OAuth2 integration
 * Login, registration, and authentication with refresh mechanisms
 * Role based authorization with wildcard permissions
 * Image & audio CAPTCHA
-* Two-factor authentication
 * Two-step verification
 * Logging & auditing
 
@@ -254,7 +253,7 @@ async def on_oauth_token(request):
 
 ## Authentication
   
-* Registration (with two-step account verification)
+* Registration (with two-step email verification)
 
 Phone can be null or empty.
 
@@ -295,12 +294,15 @@ async def on_verify(request):
     return json("You have verified your account and may login!", two_step_session.json)
 ```
 
-* Login (with two-factor authentication)
+* Login (with two-step email verification)
 
 Credentials are retrieved via header are constructed by first combining the username and the password with a colon 
 (aladdin:opensesame), and then by encoding the resulting string in base64 (YWxhZGRpbjpvcGVuc2VzYW1l). 
-Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`. You can use a username 
-as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
+Here is an example authorization header: `Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l`. 
+
+If this isn't desired, you can pass credentials into the login method instead.
+
+You can use a username as well as an email for login if `ALLOW_LOGIN_WITH_USERNAME` is true in the config.
 
 ```python
 @app.post("api/security/login")
@@ -321,8 +323,6 @@ async def on_login(request):
     return response
 ```
 
-If this isn't desired, you can pass an account and password attempt directly into the login method instead.
-
 * Fulfill Second Factor
 
 Fulfills client authentication session's second factor requirement via two-step session code.
@@ -661,7 +661,7 @@ Distributed under the MIT License. See `LICENSE` for more information.
 <!-- Versioning -->
 ## Versioning
 
-**0.0.0**
+**x.x.x**
 
 * MAJOR version when you make incompatible API changes.
 

{sanic_security-1.16.10.dist-info → sanic_security-1.16.12.dist-info}/RECORD

@@ -1,17 +1,17 @@
 sanic_security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-sanic_security/authentication.py,sha256=APs_YkwQCAEKyQo76ukKazQLGcm9fYrve6CUNxK2yKU,13201
+sanic_security/authentication.py,sha256=Q-h63jFRmOMcvciPD2GGHrCSNkHptN1mvYNsrqopXJg,13302
 sanic_security/authorization.py,sha256=Hj1TXWppq7KDH-BQXFNihpZTbaimxnVCbif_Zb5W1bA,8232
 sanic_security/configuration.py,sha256=HxlKWe1vrQsxNtpoOx86RuHtkZz7Mjo88hMCMhTDvfo,6162
-sanic_security/exceptions.py,sha256=b_E6wbbtk9ziFfH3jZstp2E01hTm6V1yjTltANYAuMY,5582
+sanic_security/exceptions.py,sha256=ZtXXo2HvpSlcoQiuNH4WZmnez1vVUX55ybGR0W5mOyY,4955
 sanic_security/models.py,sha256=nA4QqmYEMga4ufVTNggJiIuzZtTOYGOquOSlrKMeVdw,22076
-sanic_security/oauth.py,sha256=X1fx5KwvtWOa9ABGj7-MZ82ztlVeEuDz55yOh1Vtkes,8405
+sanic_security/oauth.py,sha256=AKHUvz55OPUSZGwwLx-otUCoiXismEXdz-XXp577jD0,8445
 sanic_security/utils.py,sha256=WlPOEEQGcfZk-GbPNu6OiysNXAo9mw80TitDV7XxWMc,3762
-sanic_security/verification.py,sha256=vr_64HLC7TfOwhki7B4Xn3XQJ0V6OoVgh8fR4DISZ44,8085
+sanic_security/verification.py,sha256=1DHdWCuSIsGCpFldoYAKrpOQcFGiyEW5OAXvzh71MKk,8102
 sanic_security/test/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 sanic_security/test/server.py,sha256=bVltV-AB_CEz9xrnVIft88FU6IYPgOOWuoSHDijeTDs,13717
 sanic_security/test/tests.py,sha256=YXyn9aJmYg7vCjUuAs8FcI_lGIgzhmMe4AYTzu47_18,22618
-sanic_security-1.16.10.dist-info/licenses/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
-sanic_security-1.16.10.dist-info/METADATA,sha256=_3h-20wix8oJ_Aeyv7IFYJFh7Vjxh8YTkVwnpsOR-gY,25532
-sanic_security-1.16.10.dist-info/WHEEL,sha256=ck4Vq1_RXyvS4Jt6SI0Vz6fyVs4GWg7AINwpsaGEgPE,91
-sanic_security-1.16.10.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
-sanic_security-1.16.10.dist-info/RECORD,,
+sanic_security-1.16.12.dist-info/licenses/LICENSE,sha256=sXlJs9_mG-dCkPfWsDnuzydJWagS82E2gYtkVH9enHA,1100
+sanic_security-1.16.12.dist-info/METADATA,sha256=kVoOjYuO42uMqbBwNmgFuJAWWadJc6VjRfPB_jv8Ra0,25554
+sanic_security-1.16.12.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+sanic_security-1.16.12.dist-info/top_level.txt,sha256=ZybkhHXSjfzhmv8XeqLvnNmLmv21Z0oPX6Ep4DJN8b0,15
+sanic_security-1.16.12.dist-info/RECORD,,

{sanic_security-1.16.10.dist-info → sanic_security-1.16.12.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.0.0)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any