PyPI - yhttp-auth - Versions diffs - 3.9.2__py3-none-any.whl - Mend

yhttp-auth 3.9.2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

yhttp/ext/auth/__init__.py +5 -0
yhttp/ext/auth/authentication.py +397 -0
yhttp/ext/auth/cli.py +37 -0
yhttp/ext/auth/install.py +16 -0
yhttp_auth-3.9.2.dist-info/LICENSE +21 -0
yhttp_auth-3.9.2.dist-info/METADATA +119 -0
yhttp_auth-3.9.2.dist-info/RECORD +9 -0
yhttp_auth-3.9.2.dist-info/WHEEL +5 -0
yhttp_auth-3.9.2.dist-info/top_level.txt +1 -0

yhttp/ext/auth/__init__.py ADDED Viewed

@@ -0,0 +1,5 @@
+from .cli import AuthenticatorCLI
+from .install import install
+from .authentication import Authenticator
+__version__ = '3.9.2'

yhttp/ext/auth/authentication.py ADDED Viewed

@@ -0,0 +1,397 @@
+import os
+import jwt
+import hashlib
+import functools
+from datetime import datetime, timedelta, timezone
+import redis
+from pymlconf import MergableDict
+from yhttp import statuses
+from yhttp.lazyattribute import lazyattribute
+FORBIDDEN_REDIS_KEY = 'yhttp-auth-forbidden'
+class Identity:
+    def __init__(self, payload):
+        assert payload['id'] is not None
+        self.payload = payload
+    def __getattr__(self, attr):
+        try:
+            return self.payload[attr]
+        except KeyError:
+            raise AttributeError()
+    def authorize(self, *roles):
+        if 'roles' not in self.payload:
+            raise statuses.forbidden()
+        for r in roles:
+            if r in self.roles:
+                return r
+        raise statuses.forbidden()
+class Authenticator:
+    redis = None
+    default_settings = MergableDict('''
+      redis:
+        host: localhost
+        port: 6379
+        db: 0
+      token:
+        algorithm: HS256
+        secret: foobar
+        maxage: 3600 # seconds
+        leeway: 10 # seconds
+      refresh:
+        key: yhttp-refresh-token
+        algorithm: HS256
+        secret: quxquux
+        secure: true
+        httponly: true
+        maxage: 2592000 # 1 Month
+        leeway: 10 # seconds
+        domain:
+        path:
+        samesite: Strict
+      csrf:
+        key: yhttp-csrf-token
+        secure: true
+        httponly: true
+        maxage: 60 # 1 Minute
+        samesite: Strict
+        domain:
+        path:
+      oauth2:
+        state:
+          algorithm: HS256
+          secret: quxquux
+          maxage: 60 # 1 Minute
+          leeway: 10 # seconds
+    ''')
+    def __init__(self, settings=None):
+        self.settings = settings if settings else self.default_settings
+        self.redis = redis.Redis(**self.settings.redis)
+    ##########
+    # OAuth2 #
+    ##########
+    @lazyattribute
+    def oauth2_state_maxage(self):
+        return self.settings.oauth2.state.maxage
+    @lazyattribute
+    def oauth2_state_secret(self):
+        return self.settings.oauth2.state.secret
+    @lazyattribute
+    def oauth2_state_algorithm(self):
+        return self.settings.oauth2.state.algorithm
+    @lazyattribute
+    def oauth2_state_leeway(self):
+        return self.settings.oauth2.state.leeway
+    def dump_oauth2_state(self, req, redirect_url, attrs=None):
+        payload = {
+            'exp': self._exp(self.oauth2_state_maxage),
+            'redurl': redirect_url,
+            'id': self.create_csrftoken(req)
+        }
+        if attrs:
+            payload.update(attrs)
+        return jwt.encode(
+            payload,
+            self.oauth2_state_secret,
+            algorithm=self.oauth2_state_algorithm
+        )
+    def decode_oauth2_state(self, state):
+        return jwt.decode(
+            state,
+            self.oauth2_state_secret,
+            leeway=self.oauth2_state_leeway,
+            algorithms=[self.oauth2_state_algorithm]
+        )
+    def verify_oauth2_state(self, req, state):
+        if state is None:
+            raise statuses.unauthorized()
+        try:
+            identity = Identity(self.decode_oauth2_state(state))
+        except (KeyError, jwt.DecodeError, jwt.ExpiredSignatureError):
+            raise statuses.unauthorized()
+        self.verify_csrftoken(req, identity.id)
+        return identity
+    ########
+    # CSRF #
+    ########
+    @lazyattribute
+    def csrf_cookiekey(self):
+        return self.settings.csrf.key
+    def set_csrfcookie(self, req, token):
+        settings = self.settings.csrf
+        # Set cookie
+        entry = req.response.setcookie(self.csrf_cookiekey, token)
+        if settings.secure:
+            entry['secure'] = settings.secure
+        if settings.httponly:
+            entry['httponly'] = settings.httponly
+        if settings.domain:
+            entry['domain'] = settings.domain
+        if settings.samesite:
+            entry['samesite'] = settings.samesite
+        if settings.maxage:
+            entry['max-age'] = settings.maxage
+        entry['path'] = settings.path if settings.path else req.path
+        return entry
+    def create_csrftoken(self, req):
+        # Create a state token to prevent request forgery.
+        token = hashlib.sha256(os.urandom(1024)).hexdigest()
+        self.set_csrfcookie(req, token)
+        return token
+    def verify_csrftoken(self, req, token):
+        ctoken = req.cookies.get(self.csrf_cookiekey)
+        if ctoken is None:
+            raise statuses.unauthorized()
+        if ctoken.value != token:
+            raise statuses.unauthorized()
+    ##########
+    # Refresh
+    ##########
+    @lazyattribute
+    def refresh_cookiekey(self):
+        return self.settings.refresh.key
+    @lazyattribute
+    def refresh_secret(self):
+        return self.settings.refresh.secret
+    @lazyattribute
+    def refresh_maxage(self):
+        return self.settings.refresh.maxage
+    @lazyattribute
+    def refresh_leeway(self):
+        return self.settings.refresh.leeway
+    @lazyattribute
+    def refresh_algorithm(self):
+        return self.settings.refresh.algorithm
+    def _set_refreshtoken(self, req, token):
+        settings = self.settings.refresh
+        # Set cookie
+        entry = req.response.setcookie(self.refresh_cookiekey, token)
+        if settings.secure:
+            entry['secure'] = settings.secure
+        if settings.httponly:
+            entry['httponly'] = settings.httponly
+        if settings.domain:
+            entry['domain'] = settings.domain
+        if settings.samesite:
+            entry['samesite'] = settings.samesite
+        entry['path'] = settings.path if settings.path else req.path
+        return entry
+    def delete_refreshtoken(self, req):
+        entry = self._set_refreshtoken(req, '')
+        entry['expires'] = 'Thu, 01 Jan 1970 00:00:00 GMT'
+        return entry
+    def set_refreshtoken(self, req, id, attrs=None):
+        settings = self.settings.refresh
+        token = self.dump_refreshtoken(id, attrs)
+        # Set cookie
+        entry = self._set_refreshtoken(req, token)
+        entry['max-age'] = settings.maxage
+        return entry
+    def _exp(self, seconds):
+        return datetime.now(tz=timezone.utc) + timedelta(seconds=seconds)
+    def dump_refreshtoken(self, id, attrs=None):
+        payload = {
+            'id': id,
+            'refresh': True,
+            'exp': self._exp(self.refresh_maxage)
+        }
+        if attrs:
+            payload.update(attrs)
+        return jwt.encode(
+            payload,
+            self.refresh_secret,
+            algorithm=self.refresh_algorithm
+        )
+    def verify_refreshtoken(self, req):
+        if self.refresh_cookiekey not in req.cookies:
+            raise statuses.unauthorized()
+        token = req.cookies[self.refresh_cookiekey].value
+        try:
+            identity = Identity(jwt.decode(
+                token,
+                self.refresh_secret,
+                leeway=self.refresh_leeway,
+                algorithms=[self.refresh_algorithm]
+            ))
+        except (KeyError, jwt.DecodeError, jwt.ExpiredSignatureError):
+            raise statuses.unauthorized()
+        self.check_blacklist(identity.id)
+        return identity
+    def read_refreshtoken(self, req):
+        if self.refresh_cookiekey not in req.cookies:
+            return None
+        token = req.cookies[self.refresh_cookiekey].value
+        try:
+            identity = Identity(jwt.decode(
+                token,
+                options={"verify_signature": False},
+            ))
+        except (KeyError, jwt.DecodeError):
+            return None
+        return identity
+    #########
+    # Token #
+    #########
+    @lazyattribute
+    def token_secret(self):
+        return self.settings.token.secret
+    @lazyattribute
+    def token_maxage(self):
+        return self.settings.token.maxage
+    @lazyattribute
+    def token_leeway(self):
+        return self.settings.token.leeway
+    @lazyattribute
+    def token_algorithm(self):
+        return self.settings.token.algorithm
+    def dump(self, id, attrs=None, maxage=None):
+        payload = {
+            'id': id,
+            'exp': self._exp(maxage or self.token_maxage)
+        }
+        if attrs:
+            payload.update(attrs)
+        return jwt.encode(
+            payload,
+            self.token_secret,
+            algorithm=self.token_algorithm
+        )
+    def dump_from_refreshtoken(self, refresh, attrs=None):
+        payload = refresh.payload.copy()
+        del payload['refresh']
+        if attrs:
+            payload.update(attrs)
+        payload['exp'] = self._exp(self.token_maxage)
+        return jwt.encode(
+            payload,
+            self.token_secret,
+            algorithm=self.token_algorithm
+        )
+    def check_blacklist(self, userid):
+        # FIXME: use redis hash, hset, hget
+        if self.redis is not None and \
+                self.redis.sismember(FORBIDDEN_REDIS_KEY, userid):
+            raise statuses.unauthorized()
+    def decode_token(self, token):
+        return jwt.decode(
+            token,
+            self.token_secret,
+            leeway=self.token_leeway,
+            algorithms=[self.token_algorithm]
+        )
+    def verify_token(self, req):
+        token = req.headers.get('Authorization')
+        if token is None or not token.startswith('Bearer '):
+            raise statuses.unauthorized()
+        try:
+            identity = Identity(self.decode_token(token[7:]))
+        except (KeyError, jwt.DecodeError, jwt.ExpiredSignatureError):
+            raise statuses.unauthorized()
+        self.check_blacklist(identity.id)
+        return identity
+    def preventlogin(self, id):
+        self.redis.sadd(FORBIDDEN_REDIS_KEY, id)
+    def permitlogin(self, id):
+        self.redis.srem(FORBIDDEN_REDIS_KEY, id)
+def authenticate(app, roles=None):
+    if isinstance(roles, str):
+        roles = [i.strip() for i in roles.split(',')]
+    def decorator(handler):
+        @functools.wraps(handler)
+        def wrapper(req, *args, **kw):
+            req.identity = app.auth.verify_token(req)
+            if roles is not None:
+                req.identity.authorize(*roles)
+            return handler(req, *args, **kw)
+        return wrapper
+    return decorator

yhttp/ext/auth/cli.py ADDED Viewed

@@ -0,0 +1,37 @@
+from easycli import SubCommand, Argument
+import json
+from .authentication import Authenticator
+class Create(SubCommand):
+    __command__ = 'create'
+    __aliases__ = ['c']
+    __arguments__ = [
+        Argument(
+            'id', help='example: alice'
+        ),
+        Argument(
+            'payload', default='', nargs='?', help='example: {"foo": "bar"}'
+        ),
+        Argument(
+            '--maxage', type=int, help='Token maxage in seconds.'
+        ),
+    ]
+    def __call__(self, args):
+        settings = args.application.settings.auth
+        jwt = Authenticator(settings)
+        if args.payload:
+            payload = json.loads(args.payload)
+        else:
+            payload = ''
+        print(jwt.dump(args.id, payload, maxage=args.maxage))
+class AuthenticatorCLI(SubCommand):
+    __command__ = 'auth'
+    __arguments__ = [
+        Create,
+    ]

yhttp/ext/auth/install.py ADDED Viewed

@@ -0,0 +1,16 @@
+import functools
+from .authentication import Authenticator, authenticate
+from .cli import AuthenticatorCLI
+def install(app):
+    app.cliarguments.append(AuthenticatorCLI)
+    app.settings.merge('auth: {}')
+    app.settings['auth'].merge(Authenticator.default_settings)
+    @app.when
+    def ready(app):
+        app.auth = Authenticator(app.settings.auth)
+    return functools.partial(authenticate, app)

yhttp_auth-3.9.2.dist-info/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2020 yhttp
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

yhttp_auth-3.9.2.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,119 @@
+Metadata-Version: 2.1
+Name: yhttp-auth
+Version: 3.9.2
+Summary: A very micro http framework.
+Home-page: http://github.com/yhttp/yhttp-auth
+Author: Vahid Mardani
+Author-email: vahid.mardani@gmail.com
+License: MIT
+Classifier: Environment :: Console
+Classifier: Environment :: Web Environment
+Classifier: Intended Audience :: Developers
+Classifier: Natural Language :: English
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: License :: Other/Proprietary License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Topic :: Software Development
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Classifier: Topic :: Software Development :: Libraries
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pyjwt
+Requires-Dist: hiredis
+Requires-Dist: redis
+Requires-Dist: yhttp >=4.1.4
+# yhttp-auth
+[![PyPI](http://img.shields.io/pypi/v/yhttp-auth.svg)](https://pypi.python.org/pypi/yhttp-auth)
+[![Build](https://github.com/yhttp/yhttp-auth/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/yhttp/yhttp-auth/actions/workflows/build.yml)
+[![Coverage Status](https://coveralls.io/repos/github/yhttp/yhttp-auth/badge.svg?branch=master)](https://coveralls.io/github/yhttp/yhttp-auth?branch=master)
+Authentication extension for [yhttp](https://github.com/yhttp/yhttp).
+### Install
+```bash
+pip install yhttp-pony
+```
+### Usage
+```python
+from yhttp import Application
+from yhttp.ext.auth import install as auth_install
+app = Application()
+auth = auth_install(app)
+app.settings.merge(f'''
+auth:
+  redis:
+    host: localhost
+    port: 6379
+    db: 0
+  token:
+    algorithm: HS256
+    secret: foobar
+  refresh:
+    key: yhttp-refresh-token
+    algorithm: HS256
+    secret: quxquux
+    secure: true
+    httponly: true
+    maxage: 2592000  # 1 Month
+    domain: example.com
+''')
+@app.route('/reftokens')
+@yhttp.statuscode(yhttp.statuses.created)
+def create(req):
+    app.auth.set_refreshtoken(req, 'alice', dict(baz='qux'))
+@app.route('/tokens')
+@yhttp.statuscode(yhttp.statuses.created)
+@yhttp.text
+def refresh(req):
+    reftoken = app.auth.verify_refreshtoken(req)
+    return app.auth.dump_from_refreshtoken(reftoken, dict(foo='bar'))
+@app.route('/admin')
+@auth(roles='admin, god')
+@yhttp.text
+def get(req):
+    return req.identity.roles
+app.ready()
+```
+### Command line interface
+setup.py
+```python
+setup(
+    ...
+    entry_points={
+        'console_scripts': [
+            'myapp = myapp:app.climain'
+        ]
+    },
+    ...
+)
+```
+```bash
+myapp auth --help
+```

yhttp_auth-3.9.2.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,9 @@
+yhttp/ext/auth/__init__.py,sha256=B84lEOXQReXYwKmMkVjDAAZIeFcPSJk9F-u2DaBa_Qs,128
+yhttp/ext/auth/authentication.py,sha256=35x999VqUtbrnRLX3FV9CZ-qHmlgGeAwWmF1mBUXMqY,10229
+yhttp/ext/auth/cli.py,sha256=EX0pgDLRIjm-ulPwZ7lbEqYpFXoCmaozzK6HFJQC9sQ,873
+yhttp/ext/auth/install.py,sha256=EIDVHYHlvvqmU99nsxuRjSEUNprHyzbv4ybyt_RWXNw,408
+yhttp_auth-3.9.2.dist-info/LICENSE,sha256=1lZ7neh4Es6earhYMwYaqsuS1Alohsrf9GZRVdl7l5o,1062
+yhttp_auth-3.9.2.dist-info/METADATA,sha256=G3fecKi0_xXcr9vI-feBJJn2OcPIBMN2-QhWijbgBNQ,2785
+yhttp_auth-3.9.2.dist-info/WHEEL,sha256=HiCZjzuy6Dw0hdX5R3LCFPDmFS4BWl8H-8W39XfmgX4,91
+yhttp_auth-3.9.2.dist-info/top_level.txt,sha256=efaJ4DfUOs7MO3pjIEyRhnQASGVyD6vH-SL3ogQxkeU,6
+yhttp_auth-3.9.2.dist-info/RECORD,,

yhttp_auth-3.9.2.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (72.2.0)
+Root-Is-Purelib: true
+Tag: py3-none-any

yhttp_auth-3.9.2.dist-info/top_level.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ yhttp