From 43b3f1b4539e6eb0f2d4cd03280a70892fccfcfe Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 19 Jan 2021 23:08:17 +0200 Subject: [PATCH 01/56] WIP register - not finished --- .env | 1 + app/crud.py | 40 +++++++++++++++++++++++++ app/database/database.py | 4 +++ app/database/models.py | 4 ++- app/database/schemas.py | 57 +++++++++++++++++++++++++++++++++++ app/main.py | 60 ++++++++++++++++++++++++++++++++++++- app/templates/base.html | 11 +++++++ app/templates/register.html | 24 +++++++++++++++ requirements.txt | 9 ++++++ run.txt | 1 + 10 files changed, 209 insertions(+), 2 deletions(-) create mode 100644 .env create mode 100644 app/crud.py create mode 100644 app/templates/base.html create mode 100644 app/templates/register.html create mode 100644 run.txt diff --git a/.env b/.env new file mode 100644 index 00000000..5388fd5c --- /dev/null +++ b/.env @@ -0,0 +1 @@ +DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" \ No newline at end of file diff --git a/app/crud.py b/app/crud.py new file mode 100644 index 00000000..3c944e68 --- /dev/null +++ b/app/crud.py @@ -0,0 +1,40 @@ +import bcrypt +from database import models, schemas +from sqlalchemy.orm import Session + + +def get_user(db: Session, user_id: int): + return db.query(models.User).filter(models.User.id == user_id).first() + + +def get_user_by_username(db: Session, username: str): + return db.query(models.User).filter(models.User.username == username).first() + + +def get_user_by_email(db: Session, email: str): + return db.query(models.User).filter(models.User.email == email).first() + + +def create_user(db: Session, user: schemas.UserCreate): + salt = bcrypt.gensalt(prefix=b'2b', rounds=10) + unhashed_password = user.password.encode('utf-8') + hashed_password = bcrypt.hashpw(unhashed_password, salt) + fake_hashed_password = user.password + "notreallyhashed" + user_details = { + 'username': user.username, + 'first_name': user.first_name, + 'last_name': user.last_name, + 'email': user.email, + 'password': hashed_password + } + db_user = models.User(**user_details) + db.add(db_user) + db.commit() + db.refresh(db_user) + return db_user + + +def delete_user_by_mail(db: Session, email: str): + db_user = get_user_by_email(db=db, email=email) + db.delete(db_user) + db.commit() \ No newline at end of file diff --git a/app/database/database.py b/app/database/database.py index 43626378..fe08b1d8 100644 --- a/app/database/database.py +++ b/app/database/database.py @@ -1,10 +1,14 @@ import os +from dotenv import load_dotenv from sqlalchemy import create_engine from sqlalchemy.ext.declarative import declarative_base from sqlalchemy.orm import sessionmaker + +load_dotenv() + SQLALCHEMY_DATABASE_URL = os.getenv("DATABASE_CONNECTION_STRING") engine = create_engine( diff --git a/app/database/models.py b/app/database/models.py index 1b3bf771..b64000c7 100644 --- a/app/database/models.py +++ b/app/database/models.py @@ -9,8 +9,10 @@ class User(Base): id = Column(Integer, primary_key=True, index=True) username = Column(String, unique=True) + first_name = Column(String, nullable=False) + last_name = Column(String, nullable=False) email = Column(String, unique=True) - password = Column(String) + password = Column(String, nullable=False) is_active = Column(Boolean, default=True) events = relationship( diff --git a/app/database/schemas.py b/app/database/schemas.py index e69de29b..e61b3163 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -0,0 +1,57 @@ +import re +from typing import List +from fastapi import Depends, Form, Query +from pydantic import BaseModel, validator, EmailStr, EmailError + + +def form_body(cls): + cls.__signature__ = cls.__signature__.replace( + parameters=[ + arg.replace(default=Form(...)) + for arg in cls.__signature__.parameters.values() + ] + ) + return cls + +@form_body +class UserBase(BaseModel): + username: str + email: str + first_name: str + last_name: str + +@form_body +class UserCreate(UserBase): + password: str + confirm_password: str + + @validator('confirm_password') + def passwords_match(cls, confirm_password, values, **kwargs): + if 'password' in values and confirm_password != values['password']: + return {"message": "Passwords don't match"} + return confirm_password + + @validator('username') + def username_length(cls, username): + if username == "": + return {"message": "Username field can not be empty"} + if len(username) < 3: + return {"message": "Username must contain minimum of 3 characters"} + return username + + @validator('email') + def confirm_mail(cls, email): + try: + EmailStr.validate(email) + return email + except EmailError: + return {"message": "Email address is not valid"} + + +class User(UserBase): + id: int + is_active: bool + events: List[int] = [] + + class Config: + orm_mode = True diff --git a/app/main.py b/app/main.py index dfbf4ca2..5e9272cf 100644 --- a/app/main.py +++ b/app/main.py @@ -1,12 +1,70 @@ -from fastapi import FastAPI, Request +from database import models, schemas +from database.database import engine, SessionLocal +from fastapi import Depends, FastAPI, Request from fastapi.templating import Jinja2Templates +from sqlalchemy.orm import Session +import crud +models.Base.metadata.create_all(bind=engine) app = FastAPI() templates = Jinja2Templates(directory="templates") +# Dependency +def get_db(): + db = SessionLocal() + try: + yield db + finally: + db.close() + + +@app.get("/register", response_model=schemas.User) +def register_user_form(request: Request): + return templates.TemplateResponse("register.html", { + "request": request, + "message": "register page" + }) + + +@app.post("/register", response_model=schemas.UserBase) +def register_user(request: Request, user: schemas.UserBase = Depends(schemas.UserCreate), db: Session = Depends(get_db)): + messages = [] + if type(user.confirm_password) is dict or type(user.email) is dict or type(user.username) is dict: + if type(user.confirm_password) is dict: + messages.append(user.confirm_password['message']) + if type(user.email) is dict: + messages.append(user.email['message']) + if type(user.username) is dict: + messages.append(user.username['message']) + else: + db_user_email = crud.get_user_by_email(db, email=user.email) + db_user_username = crud.get_user_by_username(db, username=user.username) + if db_user_username: + messages.append("That username is already taken") + if db_user_email: + messages.append("Email already registered") + if len(messages) > 0: + return templates.TemplateResponse("register.html", { + "request": request, + "messages": messages, + "status_code": 400 + }) + crud.create_user(db=db, user=user) + return templates.TemplateResponse("home.html", { + "request": request, + "message": "User created", + "status_code": 201 + }) + + +@app.get("/delete") +def delete_user(db: Session = Depends(get_db)): + crud.delete_user_by_mail(db=db, email="kobyfogel@gmail.com") + + @app.get("/") def home(request: Request): return templates.TemplateResponse("home.html", { diff --git a/app/templates/base.html b/app/templates/base.html new file mode 100644 index 00000000..656240ef --- /dev/null +++ b/app/templates/base.html @@ -0,0 +1,11 @@ + + + + + + {{ title }} + + + {% block content %}{% endblock %} + + \ No newline at end of file diff --git a/app/templates/register.html b/app/templates/register.html new file mode 100644 index 00000000..ebeb8d75 --- /dev/null +++ b/app/templates/register.html @@ -0,0 +1,24 @@ +{% extends "base.html" %} +{% block content %} +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ + {% if messages %} + {% for message in messages %} +

{{message}}

+ {% endfor %} + {% endif %} +{% endblock %} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index de91534a..32b6ee69 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,12 +1,17 @@ atomicwrites==1.4.0 attrs==20.3.0 +bcrypt==3.2.0 +cffi==1.14.4 click==7.1.2 colorama==0.4.4 +dnspython==2.1.0 +email-validator==1.1.2 fastapi==0.63.0 h11==0.12.0 h2==4.0.0 hpack==4.0.0 hyperframe==6.0.0 +idna==3.1 importlib-metadata==3.3.0 iniconfig==1.1.1 Jinja2==2.11.2 @@ -15,9 +20,13 @@ packaging==20.8 pluggy==0.13.1 priority==1.3.0 py==1.10.0 +pycparser==2.20 pydantic==1.7.3 pyparsing==2.4.7 pytest==6.2.1 +python-dotenv==0.15.0 +python-multipart==0.0.5 +six==1.15.0 SQLAlchemy==1.3.22 starlette==0.13.6 toml==0.10.2 diff --git a/run.txt b/run.txt new file mode 100644 index 00000000..76ea2dfa --- /dev/null +++ b/run.txt @@ -0,0 +1 @@ +uvicorn main:app --reload \ No newline at end of file From a5a1a04765e20a904da4be14250c35707d6a675f Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 14:53:55 +0200 Subject: [PATCH 02/56] register fixed errors --- app/database/models.py | 4 +-- app/database/schemas.py | 35 +++++++++++----------- app/internal/crud.py | 6 ++-- app/routers/register.py | 31 +++++++++++--------- tests/test_agenda_route.py | 1 - tests/test_crud.py | 31 +++++++++++--------- tests/test_register.py | 59 +++++++++++++++++++++++++------------- 7 files changed, 97 insertions(+), 70 deletions(-) diff --git a/app/database/models.py b/app/database/models.py index 3ca874a2..665b27f5 100644 --- a/app/database/models.py +++ b/app/database/models.py @@ -9,14 +9,12 @@ class User(Base): id = Column(Integer, primary_key=True, index=True) username = Column(String, unique=True, nullable=False) - # first_name = Column(String, nullable=False) - # last_name = Column(String, nullable=False) email = Column(String, unique=True, nullable=False) password = Column(String, nullable=False) full_name = Column(String, nullable=False) description = Column(String, default="Happy new user!") avatar = Column(String, default="profile.png") - + is_active = Column(Boolean, default=True) events = relationship( diff --git a/app/database/schemas.py b/app/database/schemas.py index 697b1033..5f8e7b5d 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -1,7 +1,5 @@ -import re -from typing import List, Optional, Union -from fastapi import Depends, Form, Query -from pydantic import BaseModel, validator, EmailStr, EmailError, root_validator +from typing import Optional, Union +from pydantic import BaseModel, validator, EmailStr, EmailError EMPTY_FIELD_STRING = 'field is required' @@ -29,6 +27,7 @@ class UserBase(BaseModel): class Config: orm_mode = True + class UserCreate(UserBase): ''' Validating fields types @@ -36,19 +35,23 @@ class UserCreate(UserBase): password: str confirm_password: str - ''' Calling to field_not_empty validaion function for each required field. ''' - _fields_not_empty_username = validator('username', allow_reuse=True)(fields_not_empty) - _fields_not_empty_full_name = validator('full_name', allow_reuse=True)(fields_not_empty) - _fields_not_empty_password = validator('password', allow_reuse=True)(fields_not_empty) - _fields_not_empty_confirm_password = validator('confirm_password', allow_reuse=True)(fields_not_empty) - _fields_not_empty_email = validator('email', allow_reuse=True)(fields_not_empty) - + _fields_not_empty_username = validator('username', + allow_reuse=True)(fields_not_empty) + _fields_not_empty_full_name = validator('full_name', + allow_reuse=True)(fields_not_empty) + _fields_not_empty_password = validator('password', + allow_reuse=True)(fields_not_empty) + _fields_not_empty_confirm_password = validator('confirm_password', + allow_reuse=True)(fields_not_empty) + _fields_not_empty_email = validator('email', + allow_reuse=True)(fields_not_empty) @validator('confirm_password') - def passwords_match(cls, confirm_password: str, values: UserBase) -> Union[ValueError, str]: + def passwords_match(cls, confirm_password: str, + values: UserBase) -> Union[ValueError, str]: ''' Validating passwords fields identical. ''' @@ -61,19 +64,19 @@ def username_length(cls, username: str) -> Union[ValueError, str]: ''' Validating username length is legal ''' - if len(username) < 3 or len(username) > 20: + if len(username) < 3 or len(username) > 20: raise ValueError("must contain between 3 to 20 charactars") return username - + @validator('password') def password_length(cls, password: str) -> Union[ValueError, str]: ''' Validating username length is legal ''' - if len(password) < 3 or len(password) > 20: + if len(password) < 3 or len(password) > 20: raise ValueError("must contain between 3 to 20 charactars") return password - + @validator('email') def confirm_mail(cls, email: str) -> Union[ValueError, str]: ''' diff --git a/app/internal/crud.py b/app/internal/crud.py index 2b2d6bd4..ae66e656 100644 --- a/app/internal/crud.py +++ b/app/internal/crud.py @@ -14,7 +14,8 @@ def get_user_by_username(db: Session, username: str) -> models.User: ''' query database for a user by unique username ''' - return db.query(models.User).filter(models.User.username == username).first() + return db.query(models.User).filter( + models.User.username == username).first() def get_user_by_email(db: Session, email: str) -> models.User: @@ -51,4 +52,5 @@ def delete_user_by_mail(db: Session, email: str) -> None: ''' db_user = get_user_by_email(db=db, email=email) db.delete(db_user) - db.commit() \ No newline at end of file + db.commit() + \ No newline at end of file diff --git a/app/routers/register.py b/app/routers/register.py index dac2d36e..4578e161 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -26,7 +26,8 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") -async def register(request:Request, db: Session = Depends(get_db)) -> templates: +async def register(request: Request, + db: Session = Depends(get_db)) -> templates: ''' rendering register route post method. ''' @@ -39,11 +40,12 @@ async def register(request:Request, db: Session = Depends(get_db)) -> templates: except ValidationError as e: # if pydantic validations fails, rendering errors to register.html - errors = {error['loc'][0]: " ".join((error['loc'][0].capitalize(), error['msg'])) for error in e.errors()} + errors = {error['loc'][0]: " ".join((error['loc'][0].capitalize(), + error['msg'])) for error in e.errors()} return templates.TemplateResponse("register.html", { - "request": request, - "errors": errors, - "form_values": form_dict}) + "request": request, + "errors": errors, + "form_values": form_dict}) try: # attempt creating User Model object, and saving to database @@ -57,18 +59,19 @@ async def register(request:Request, db: Session = Depends(get_db)) -> templates: db.rollback() errors = {} db_user_email = crud.get_user_by_email(db, email=user.email) - db_user_username = crud.get_user_by_username(db, username=user.username) + db_user_username = crud.get_user_by_username(db, + username=user.username) if db_user_username: errors['username'] = "That username is already taken" if db_user_email: - errors['email'] = "Email already registered" + errors['email'] = "Email already registered" return templates.TemplateResponse("register.html", { - "request": request, - "errors": errors, - "form_values": form_dict}) + "request": request, + "errors": errors, + "form_values": form_dict}) return templates.TemplateResponse("home.html", { - "request": request, - "message": "User created", - "status_code": 201 -}) \ No newline at end of file + "request": request, + "message": "User created", + "status_code": 201}) + \ No newline at end of file diff --git a/tests/test_agenda_route.py b/tests/test_agenda_route.py index 9e4111c7..707c23fc 100644 --- a/tests/test_agenda_route.py +++ b/tests/test_agenda_route.py @@ -3,7 +3,6 @@ from fastapi import status from app.database.models import User, Event -import pytest class TestAgenda: diff --git a/tests/test_crud.py b/tests/test_crud.py index ffd0db2d..6e5b9b6e 100644 --- a/tests/test_crud.py +++ b/tests/test_crud.py @@ -1,15 +1,16 @@ from app.internal import crud -from app.database import models, schemas +from app.database import schemas user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} +'password': 'password', 'confirm_password': 'password', +'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) + def test_create_user(session): user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) assert user.username == 'username' @@ -17,8 +18,8 @@ def test_create_user(session): def test_get_user_by_id(session): user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_id(session, 1) @@ -27,8 +28,8 @@ def test_get_user_by_id(session): def test_get_user_by_username(session): user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_username(session, 'username') @@ -37,19 +38,21 @@ def test_get_user_by_username(session): def test_get_user_by_email(session): user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_email(session, 'example@email.com') assert user.full_name == 'full_name' + def test_delete_user_by_email(session): user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) crud.create_user(db=session, user=user) crud.delete_user_by_mail(session, 'example@email.com') user = crud.get_user_by_email(session, 'example@email.com') - assert user == None \ No newline at end of file + assert user is None + \ No newline at end of file diff --git a/tests/test_register.py b/tests/test_register.py index c897ec3d..f1108297 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -5,23 +5,37 @@ def test_register_route_ok(client): response = client.get("/register") assert response.status_code == 200 + REGISTER_FORM_VALIDATORS = [ - ('ad', 'admin_user', 'password', 'password', 'example@mail.com', 'description', b'Username must contain'), - ('admin', 'admin_user', 'pa', 'pa', 'example@mail.com', 'description', b'Password must contain'), - ('admin', 'admin_user', 'password', 'wrong_password', 'example@mail.com', 'description', b"match"), - ('admin', 'admin_user', 'password', 'password', 'invalid_mail', 'description', b"Email address is not valid"), - ('', 'admin_user', 'password', 'password', 'example@mail.com', 'description', b'Username field is required'), - ('admin', '', 'password', 'password', 'example@mail.com', 'description', b'Full_name field is required'), - ('admin', 'admin_user', '', 'password', 'example@mail.com', 'description', b'Password field is required'), - ('admin', 'admin_user', 'password', '', 'example@mail.com', 'description', b'Confirm_password field is required'), - ('admin', 'admin_user', 'password', 'password', '', 'description', b'Email field is required'), + ('ad', 'admin_user', 'password', 'password', 'example@mail.com', + 'description', b'Username must contain'), + ('admin', 'admin_user', 'pa', 'pa', 'example@mail.com', + 'description', b'Password must contain'), + ('admin', 'admin_user', 'password', 'wrong_password', 'example@mail.com', + 'description', b"match"), + ('admin', 'admin_user', 'password', 'password', 'invalid_mail', + 'description', b"Email address is not valid"), + ('', 'admin_user', 'password', 'password', 'example@mail.com', + 'description', b'Username field is required'), + ('admin', '', 'password', 'password', 'example@mail.com', + 'description', b'Full_name field is required'), + ('admin', 'admin_user', '', 'password', 'example@mail.com', + 'description', b'Password field is required'), + ('admin', 'admin_user', 'password', '', 'example@mail.com', + 'description', b'Confirm_password field is required'), + ('admin', 'admin_user', 'password', 'password', '', + 'description', b'Email field is required'), ] + ''' Test all active pydantic validators ''' -@pytest.mark.parametrize("username, full_name, password, confirm_password, email, description, expected_response", REGISTER_FORM_VALIDATORS) -def test_register_form_validators(client, username, full_name, password, confirm_password, email, description, expected_response): +@pytest.mark.parametrize( + "username, full_name, password, confirm_password, email, description," + + "expected_response", REGISTER_FORM_VALIDATORS) +def test_register_form_validators(client, username, full_name, password, + confirm_password, email, description, expected_response): data = {'username': username, 'full_name': full_name, 'password': password, 'confirm_password': confirm_password, 'email': email, 'description': description} @@ -34,27 +48,32 @@ def test_register_form_validators(client, username, full_name, password, confirm ''' def test_register_successfull(session, client): data = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} data = client.post('/register', data=data).content assert b'User created' in data UNIQUE_FIELDS_ARE_TAKEN = [ - ('admin', 'admin_user', 'password', 'password', 'example_new@mail.com', 'description', b'That username is already taken'), - ('admin_new', 'admin_user', 'password', 'password', 'example@mail.com', 'description', b"Email already registered") + ('admin', 'admin_user', 'password', 'password', 'example_new@mail.com', + 'description', b'That username is already taken'), + ('admin_new', 'admin_user', 'password', 'password', 'example@mail.com', + 'description', b"Email already registered") ] ''' Test register a user fails due to unique database fields already in use ''' -@pytest.mark.parametrize("username, full_name, password, confirm_password, email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) -def test_register_form_validators(session, client, username, full_name, password, confirm_password, email, description, expected_response): +@pytest.mark.parametrize("username, full_name, password, confirm_password, ++ "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) +def test_register_form_validators(session, client, username, full_name, password, confirm_password, + email, description, expected_response): user_data ={'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} client.post('/register', data=user_data) data = client.post('/register', data=user_data).content print(data) - assert expected_response in data \ No newline at end of file + assert expected_response in data + \ No newline at end of file From 5d2c52ecd04bbaec254a41b10f0de0964db6b83b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 17:49:31 +0200 Subject: [PATCH 03/56] register fixed flake-8 --- app/database/schemas.py | 25 +++++++++++++------------ app/internal/crud.py | 1 - app/routers/register.py | 15 ++++++++------- run.txt | 2 ++ 4 files changed, 23 insertions(+), 20 deletions(-) diff --git a/app/database/schemas.py b/app/database/schemas.py index 5f8e7b5d..b9de56bf 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -38,20 +38,21 @@ class UserCreate(UserBase): ''' Calling to field_not_empty validaion function for each required field. ''' - _fields_not_empty_username = validator('username', - allow_reuse=True)(fields_not_empty) - _fields_not_empty_full_name = validator('full_name', - allow_reuse=True)(fields_not_empty) - _fields_not_empty_password = validator('password', - allow_reuse=True)(fields_not_empty) - _fields_not_empty_confirm_password = validator('confirm_password', - allow_reuse=True)(fields_not_empty) - _fields_not_empty_email = validator('email', - allow_reuse=True)(fields_not_empty) + _fields_not_empty_username = validator( + 'username', allow_reuse=True)(fields_not_empty) + _fields_not_empty_full_name = validator( + 'full_name', allow_reuse=True)(fields_not_empty) + _fields_not_empty_password = validator( + 'password', allow_reuse=True)(fields_not_empty) + _fields_not_empty_confirm_password = validator( + 'confirm_password', allow_reuse=True)(fields_not_empty) + _fields_not_empty_email = validator( + 'email', allow_reuse=True)(fields_not_empty) @validator('confirm_password') - def passwords_match(cls, confirm_password: str, - values: UserBase) -> Union[ValueError, str]: + def passwords_match( + cls, confirm_password: str, + values: UserBase) -> Union[ValueError, str]: ''' Validating passwords fields identical. ''' diff --git a/app/internal/crud.py b/app/internal/crud.py index ae66e656..f3188e4a 100644 --- a/app/internal/crud.py +++ b/app/internal/crud.py @@ -53,4 +53,3 @@ def delete_user_by_mail(db: Session, email: str) -> None: db_user = get_user_by_email(db=db, email=email) db.delete(db_user) db.commit() - \ No newline at end of file diff --git a/app/routers/register.py b/app/routers/register.py index 4578e161..557caf05 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -14,6 +14,7 @@ responses={404: {"description": "Not found"}}, ) + @router.get("/register") async def register_user_form(request: Request) -> templates: ''' @@ -26,8 +27,8 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") -async def register(request: Request, - db: Session = Depends(get_db)) -> templates: +async def register( + request: Request, db: Session = Depends(get_db)) -> templates: ''' rendering register route post method. ''' @@ -40,7 +41,8 @@ async def register(request: Request, except ValidationError as e: # if pydantic validations fails, rendering errors to register.html - errors = {error['loc'][0]: " ".join((error['loc'][0].capitalize(), + errors = {error['loc'][0]: " ".join(( + error['loc'][0].capitalize(), error['msg'])) for error in e.errors()} return templates.TemplateResponse("register.html", { "request": request, @@ -59,8 +61,8 @@ async def register(request: Request, db.rollback() errors = {} db_user_email = crud.get_user_by_email(db, email=user.email) - db_user_username = crud.get_user_by_username(db, - username=user.username) + db_user_username = crud.get_user_by_username( + db, username=user.username) if db_user_username: errors['username'] = "That username is already taken" if db_user_email: @@ -69,9 +71,8 @@ async def register(request: Request, "request": request, "errors": errors, "form_values": form_dict}) - + return templates.TemplateResponse("home.html", { "request": request, "message": "User created", "status_code": 201}) - \ No newline at end of file diff --git a/run.txt b/run.txt index 54de08c2..51dc3341 100644 --- a/run.txt +++ b/run.txt @@ -2,6 +2,8 @@ uvicorn main:app --reload uvicorn app.main:app --reload +flake8 .\app + # @router.get("/delete") # def delete_user(db: Session = Depends(get_db)): From eafbe3753f02775072602b66b5506c91b9f78c8b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 18:12:50 +0200 Subject: [PATCH 04/56] register fixed tests flake8 --- tests/test_crud.py | 29 ++++++++-------------- tests/test_register.py | 56 +++++++++++++++++++++++++----------------- 2 files changed, 43 insertions(+), 42 deletions(-) diff --git a/tests/test_crud.py b/tests/test_crud.py index 6e5b9b6e..ee33a98c 100644 --- a/tests/test_crud.py +++ b/tests/test_crud.py @@ -1,25 +1,26 @@ from app.internal import crud from app.database import schemas -user_details = {'username': 'username', 'full_name': 'full_name', -'password': 'password', 'confirm_password': 'password', -'email': 'example@email.com', 'description': ""} +user_details = { + 'username': 'username', 'full_name': 'full_name', + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) +user_details = { + 'username': 'username', 'full_name': 'full_name', + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} + + def test_create_user(session): - user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) assert user.username == 'username' def test_get_user_by_id(session): - user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_id(session, 1) @@ -27,9 +28,6 @@ def test_get_user_by_id(session): def test_get_user_by_username(session): - user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_username(session, 'username') @@ -37,9 +35,6 @@ def test_get_user_by_username(session): def test_get_user_by_email(session): - user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) user = crud.create_user(db=session, user=user) user = crud.get_user_by_email(session, 'example@email.com') @@ -47,12 +42,8 @@ def test_get_user_by_email(session): def test_delete_user_by_email(session): - user_details = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} user = schemas.UserCreate(**user_details) crud.create_user(db=session, user=user) crud.delete_user_by_mail(session, 'example@email.com') user = crud.get_user_by_email(session, 'example@email.com') assert user is None - \ No newline at end of file diff --git a/tests/test_register.py b/tests/test_register.py index f1108297..2560aeb0 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -8,35 +8,39 @@ def test_register_route_ok(client): REGISTER_FORM_VALIDATORS = [ ('ad', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b'Username must contain'), + 'description', b'Username must contain'), ('admin', 'admin_user', 'pa', 'pa', 'example@mail.com', - 'description', b'Password must contain'), + 'description', b'Password must contain'), ('admin', 'admin_user', 'password', 'wrong_password', 'example@mail.com', - 'description', b"match"), + 'description', b"match"), ('admin', 'admin_user', 'password', 'password', 'invalid_mail', - 'description', b"Email address is not valid"), + 'description', b"Email address is not valid"), ('', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b'Username field is required'), + 'description', b'Username field is required'), ('admin', '', 'password', 'password', 'example@mail.com', - 'description', b'Full_name field is required'), + 'description', b'Full_name field is required'), ('admin', 'admin_user', '', 'password', 'example@mail.com', - 'description', b'Password field is required'), + 'description', b'Password field is required'), ('admin', 'admin_user', 'password', '', 'example@mail.com', - 'description', b'Confirm_password field is required'), + 'description', b'Confirm_password field is required'), ('admin', 'admin_user', 'password', 'password', '', - 'description', b'Email field is required'), + 'description', b'Email field is required'), ] ''' Test all active pydantic validators ''' + + @pytest.mark.parametrize( - "username, full_name, password, confirm_password, email, description," + "username, full_name, password, confirm_password, email, description," + "expected_response", REGISTER_FORM_VALIDATORS) -def test_register_form_validators(client, username, full_name, password, - confirm_password, email, description, expected_response): - data = {'username': username, 'full_name': full_name, +def test_register_form_validators( + client, username, full_name, password, confirm_password, + email, description, expected_response): + data = { + 'username': username, 'full_name': full_name, 'password': password, 'confirm_password': confirm_password, 'email': email, 'description': description} data = client.post('/register', data=data).content @@ -46,6 +50,8 @@ def test_register_form_validators(client, username, full_name, password, ''' Test successfully register user to database, after passing all validators ''' + + def test_register_successfull(session, client): data = {'username': 'username', 'full_name': 'full_name', 'password': 'password', 'confirm_password': 'password', @@ -56,24 +62,28 @@ def test_register_successfull(session, client): UNIQUE_FIELDS_ARE_TAKEN = [ ('admin', 'admin_user', 'password', 'password', 'example_new@mail.com', - 'description', b'That username is already taken'), + 'description', b'That username is already taken'), ('admin_new', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b"Email already registered") + 'description', b"Email already registered") ] ''' Test register a user fails due to unique database fields already in use ''' -@pytest.mark.parametrize("username, full_name, password, confirm_password, -+ "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) -def test_register_form_validators(session, client, username, full_name, password, confirm_password, - email, description, expected_response): - user_data ={'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} + + +@pytest.mark.parametrize( + "username, full_name, password, confirm_password" + + "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) +def test_unique_fields_are_taken( + session, client, username, full_name, password, confirm_password, + email, description, expected_response): + user_data = { + 'username': 'username', 'full_name': 'full_name', + 'password': 'password', 'confirm_password': 'password', + 'email': 'example@email.com', 'description': ""} client.post('/register', data=user_data) data = client.post('/register', data=user_data).content print(data) assert expected_response in data - \ No newline at end of file From 56d0ca3156611af8bb3a8b64167eeceecab57bf5 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 18:21:55 +0200 Subject: [PATCH 05/56] register fixed tests issues --- tests/calendar.db | Bin 28672 -> 28672 bytes tests/test_register.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/calendar.db b/tests/calendar.db index 200255ca07785287b2d9866a8589c86af8a29183..2becbffaf0d9d930380eb9227472859c575a6596 100644 GIT binary patch delta 35 lcmZp8z}WDBae}nq2L=WPb|_|JU|^XsQOB6^!^VUK`2eBd2_OIf delta 35 lcmZp8z}WDBae}m9F9QPuI~21qFtFH7)G=o4-I%Z-9{`eH2mk;8 diff --git a/tests/test_register.py b/tests/test_register.py index 2560aeb0..c784dbba 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -74,7 +74,7 @@ def test_register_successfull(session, client): @pytest.mark.parametrize( - "username, full_name, password, confirm_password" + "username, full_name, password, confirm_password," + "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) def test_unique_fields_are_taken( session, client, username, full_name, password, confirm_password, From c9c777ebb9af07c6db43d7df43887374d7b160c2 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 23:52:44 +0200 Subject: [PATCH 06/56] register flake8 fix --- app/database/database.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/app/database/database.py b/app/database/database.py index 05272638..082df117 100644 --- a/app/database/database.py +++ b/app/database/database.py @@ -8,8 +8,6 @@ from app import config -# load_dotenv() - SQLALCHEMY_DATABASE_URL = os.getenv( "DATABASE_CONNECTION_STRING", config.DEVELOPMENT_DATABASE_STRING) From bb2b52dca9413524e6721bd7674c121fd45f32d8 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sat, 23 Jan 2021 23:58:45 +0200 Subject: [PATCH 07/56] register flake8 more fixes --- app/database/database.py | 1 - calendar.db | Bin 28672 -> 0 bytes 2 files changed, 1 deletion(-) delete mode 100644 calendar.db diff --git a/app/database/database.py b/app/database/database.py index 082df117..b89bf6d1 100644 --- a/app/database/database.py +++ b/app/database/database.py @@ -1,5 +1,4 @@ import os -from dotenv import load_dotenv from sqlalchemy import create_engine from sqlalchemy.ext.declarative import declarative_base diff --git a/calendar.db b/calendar.db deleted file mode 100644 index 08e060bcf1514fb75d8db5ed24371e30ab1463d8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28672 zcmeI(O>fgM7{Kvl>snUPbtj_UtRbXEnh=9C5^d*o)w+~r9ij&mg(Z_BwdrWmc2{0L z2`9b`d>)R(?lM-i!GT-#x0E+Owv*@Qebw4T(=cTpUKSJ9Oh&cZlNyeL?llv=KA^rh%H`|_>09Tz=EEZT^A6xbhU8zrk& zGe5Ue|NSsrL>Bwv^%(s|vny}b?`k!Oq>G@jMPES!(%h)!?t)&T+#Xh$A`Bd8oRB zo+~?TN7dEyKDKb>fpn$QlBZ&tgp))!FWb#R(Ryr|gB(!DvYY7R#-Dt7RO$U5=3K!4_E6Lh;KN<9BOjb@=}_Ih2}aPG4|b2=wyQq=QYY}GKY)H&#y)}d@2 zWixOyY{wDxXS-t0w#&A?UbJ3XrlF@K`7q3u>z+SN$NJjSir#a5DA;TNZn~$Nu4kXw z1NEs@)NWhtC;F}qUh+Z!0R#|0009ILKmY** z5I{f+u>R*oKmY**5I_I{1Q0*~0R#|0VD$x9|F8ZWlOX~KAb Date: Sun, 24 Jan 2021 16:35:11 +0200 Subject: [PATCH 08/56] fixed CR suggestions --- app/config.py.example | 3 ++ app/database/schemas.py | 36 ++++++++-------------- app/internal/{crud.py => user.py} | 28 ++++++----------- app/routers/register.py | 12 ++++---- tests/calendar.db | Bin 28672 -> 0 bytes tests/{test_crud.py => test_user_crud.py} | 22 ++++++------- 6 files changed, 42 insertions(+), 59 deletions(-) rename app/internal/{crud.py => user.py} (60%) delete mode 100644 tests/calendar.db rename tests/{test_crud.py => test_user_crud.py} (65%) diff --git a/app/config.py.example b/app/config.py.example index 9063b9b7..dce90c26 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -29,3 +29,6 @@ email_conf = ConnectionConfig( MAIL_SSL=False, USE_CREDENTIALS=True, ) + +# register +DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" \ No newline at end of file diff --git a/app/database/schemas.py b/app/database/schemas.py index b9de56bf..a7c68864 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -3,13 +3,13 @@ EMPTY_FIELD_STRING = 'field is required' +MIN_FIELD_LENGTH = 3 +MAX_FIELD_LENGTH = 20 def fields_not_empty(field: Optional[str]) -> Union[ValueError, str]: - ''' - Global function to validate fields are not empty. - ''' - if field == "": + '''Global function to validate fields are not empty.''' + if not field: raise ValueError(EMPTY_FIELD_STRING) return field @@ -29,15 +29,11 @@ class Config: class UserCreate(UserBase): - ''' - Validating fields types - ''' + '''Validating fields types''' password: str confirm_password: str - ''' - Calling to field_not_empty validaion function for each required field. - ''' + '''Calling to field_not_empty validaion function for each required field.''' _fields_not_empty_username = validator( 'username', allow_reuse=True)(fields_not_empty) _fields_not_empty_full_name = validator( @@ -53,36 +49,28 @@ class UserCreate(UserBase): def passwords_match( cls, confirm_password: str, values: UserBase) -> Union[ValueError, str]: - ''' - Validating passwords fields identical. - ''' + '''Validating passwords fields identical.''' if 'password' in values and confirm_password != values['password']: raise ValueError("doesn't match to password") return confirm_password @validator('username') def username_length(cls, username: str) -> Union[ValueError, str]: - ''' - Validating username length is legal - ''' - if len(username) < 3 or len(username) > 20: + '''Validating username length is legal''' + if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") return username @validator('password') def password_length(cls, password: str) -> Union[ValueError, str]: - ''' - Validating username length is legal - ''' - if len(password) < 3 or len(password) > 20: + '''Validating username length is legal''' + if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") return password @validator('email') def confirm_mail(cls, email: str) -> Union[ValueError, str]: - ''' - Validating email is valid mail address. - ''' + '''Validating email is valid mail address.''' try: EmailStr.validate(email) return email diff --git a/app/internal/crud.py b/app/internal/user.py similarity index 60% rename from app/internal/crud.py rename to app/internal/user.py index f3188e4a..00341298 100644 --- a/app/internal/crud.py +++ b/app/internal/user.py @@ -3,29 +3,23 @@ from sqlalchemy.orm import Session -def get_user_by_id(db: Session, user_id: int) -> models.User: - ''' - query database for a user by unique id - ''' +def get_by_id(db: Session, user_id: int) -> models.User: + '''query database for a user by unique id''' return db.query(models.User).filter(models.User.id == user_id).first() -def get_user_by_username(db: Session, username: str) -> models.User: - ''' - query database for a user by unique username - ''' +def get_by_username(db: Session, username: str) -> models.User: + '''query database for a user by unique username''' return db.query(models.User).filter( models.User.username == username).first() -def get_user_by_email(db: Session, email: str) -> models.User: - ''' - query database for a user by unique email - ''' +def get_by_mail(db: Session, email: str) -> models.User: + '''query database for a user by unique email''' return db.query(models.User).filter(models.User.email == email).first() -def create_user(db: Session, user: schemas.UserCreate) -> models.User: +def create(db: Session, user: schemas.UserCreate) -> models.User: ''' creating a new User object in the database, with hashed password ''' @@ -46,10 +40,8 @@ def create_user(db: Session, user: schemas.UserCreate) -> models.User: return db_user -def delete_user_by_mail(db: Session, email: str) -> None: - ''' - deletes a user from database by unique email - ''' - db_user = get_user_by_email(db=db, email=email) +def delete_by_mail(db: Session, email: str) -> None: + '''deletes a user from database by unique email''' + db_user = get_by_mail(db=db, email=email) db.delete(db_user) db.commit() diff --git a/app/routers/register.py b/app/routers/register.py index 557caf05..c2d987ed 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -1,4 +1,4 @@ -from app.internal import crud +from app.internal import user from app.database import schemas from app.database.database import get_db from app.dependencies import templates @@ -37,7 +37,7 @@ async def register( try: # creating pydantic schema object out of form data - user = schemas.UserCreate(**form_dict) + new_user = schemas.UserCreate(**form_dict) except ValidationError as e: # if pydantic validations fails, rendering errors to register.html @@ -51,7 +51,7 @@ async def register( try: # attempt creating User Model object, and saving to database - crud.create_user(db=db, user=user) + user.create(db=db, user=new_user) ''' if creating User Model objects fails due to registered unique details - @@ -60,9 +60,9 @@ async def register( except IntegrityError: db.rollback() errors = {} - db_user_email = crud.get_user_by_email(db, email=user.email) - db_user_username = crud.get_user_by_username( - db, username=user.username) + db_user_email = user.get_by_mail(db, email=new_user.email) + db_user_username = user.get_by_username( + db, username=new_user.username) if db_user_username: errors['username'] = "That username is already taken" if db_user_email: diff --git a/tests/calendar.db b/tests/calendar.db deleted file mode 100644 index 2becbffaf0d9d930380eb9227472859c575a6596..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28672 zcmeI)F%CgN5CG6wJ{o*S_$Sb~0F_1~PM{!Bh(sL55uC Date: Sun, 24 Jan 2021 22:39:45 +0200 Subject: [PATCH 09/56] first commit --- app/config.py.example | 6 ++- app/internal/security/__init__.py | 0 app/internal/security/ouath2.py | 78 +++++++++++++++++++++++++++++++ app/internal/security/schema.py | 16 +++++++ app/internal/user.py | 8 ++-- app/main.py | 4 +- app/routers/login.py | 47 +++++++++++++++++++ app/routers/register.py | 7 +++ app/templates/base.html | 2 +- app/templates/login.html | 22 +++++++++ 10 files changed, 183 insertions(+), 7 deletions(-) create mode 100644 app/internal/security/__init__.py create mode 100644 app/internal/security/ouath2.py create mode 100644 app/internal/security/schema.py create mode 100644 app/routers/login.py create mode 100644 app/templates/login.html diff --git a/app/config.py.example b/app/config.py.example index dce90c26..81578bdd 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -31,4 +31,8 @@ email_conf = ConnectionConfig( ) # register -DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" \ No newline at end of file +DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" + +# security +JWT_SECRET_KEY = "c06857128217c661de43d746ecdbe9f1dbc3b3685957fab64512456f639b1881" +JWT_ALGORITHM = "HS256" \ No newline at end of file diff --git a/app/internal/security/__init__.py b/app/internal/security/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py new file mode 100644 index 00000000..c96652aa --- /dev/null +++ b/app/internal/security/ouath2.py @@ -0,0 +1,78 @@ +from passlib.context import CryptContext +# from app.database.schemas import Jwt_User +# from app.internal.crud import get_user_by_username +from .schema import LoginUser +from app.database.models import User +from sqlalchemy.orm.session import Session +from fastapi import APIRouter, Depends, Request, HTTPException +from app.dependencies import templates +from app.database.database import get_db, SessionLocal +from fastapi.security import OAuth2PasswordBearer +from datetime import datetime, timedelta +import jwt +from starlette.status import HTTP_401_UNAUTHORIZED +import time +from app.config import JWT_ALGORITHM, JWT_SECRET_KEY + + +JWT_MIN_EXP = 120 + +pwd_context = CryptContext(schemes=["bcrypt"]) +oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") + +def get_db_user_by_username(username: str): + session = SessionLocal() + return session.query(User).filter_by(username = username).first() + + +def get_hashed_password(password): + return pwd_context.hash(password) + + +def verify_password(plain_password, hashed_password): + try: + return pwd_context.verify(plain_password, hashed_password) + except Exception as e: + return False + +# Authenticate username and password +def authenticate_user(user: LoginUser): + db_user = get_db_user_by_username(username = user.username) + if db_user: + if verify_password(user.hashed_password, db_user.password, ): + return user + return False + + +# Create access JWT token +def create_jwt_token(user: LoginUser): + expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP ) + jwt_payload = {"sub": user.username, "hashed_password": user.hashed_password, "exp": expiration} + jwt_token = jwt.encode(jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) + return jwt_token + + +# Check whether JWT token is correct +async def check_jwt_token(token: str = Depends(oauth_schema)): + try: + jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) + jwt_username = jwt_payload.get("sub") + jwt_hashed_password = jwt_payload.get("hashed_password") + jwt_expiration = jwt_payload.get("exp") + is_valid = False + if time.time() < jwt_expiration: + db_user = await get_db_user_by_username(username=jwt_username) + # is_valid = await get_db_user_by_username(username=jwt_username) + if db_user and db_user.password == jwt_hashed_password: + is_valid == True + # is_valid = await db_check_jwt_username(username) + if is_valid: + return True + else: + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + else: + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + except Exception as e: + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + + diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py new file mode 100644 index 00000000..ec60efa7 --- /dev/null +++ b/app/internal/security/schema.py @@ -0,0 +1,16 @@ +from typing import List, Optional, Union +from fastapi import Depends, Form, Query +from pydantic import BaseModel, validator + + +class LoginUser(BaseModel): + username: str + hashed_password: str + + class Config: + orm_mode = True + + + +# class Jwt_User(Login_User): +# is_active: Optional[bool] = False \ No newline at end of file diff --git a/app/internal/user.py b/app/internal/user.py index 00341298..bf04862f 100644 --- a/app/internal/user.py +++ b/app/internal/user.py @@ -1,6 +1,9 @@ -import bcrypt from app.database import models, schemas +from passlib.context import CryptContext from sqlalchemy.orm import Session +from app.internal.security.ouath2 import pwd_context + +# pwd_context = CryptContext(schemes=["bcrypt"]) def get_by_id(db: Session, user_id: int) -> models.User: @@ -23,9 +26,8 @@ def create(db: Session, user: schemas.UserCreate) -> models.User: ''' creating a new User object in the database, with hashed password ''' - salt = bcrypt.gensalt(prefix=b'2b', rounds=10) unhashed_password = user.password.encode('utf-8') - hashed_password = bcrypt.hashpw(unhashed_password, salt) + hashed_password = pwd_context.hash(unhashed_password) user_details = { 'username': user.username, 'full_name': user.full_name, diff --git a/app/main.py b/app/main.py index 29b02660..a42b2a13 100644 --- a/app/main.py +++ b/app/main.py @@ -2,7 +2,7 @@ from app.database.database import engine from app.dependencies import ( MEDIA_PATH, STATIC_PATH, templates) -from app.routers import agenda, event, profile, email, invitation, register +from app.routers import agenda, event, profile, email, invitation, register, login from fastapi import FastAPI, Request from fastapi.staticfiles import StaticFiles @@ -18,7 +18,7 @@ app.include_router(register.router) app.include_router(email.router) app.include_router(invitation.router) - +app.include_router(login.router) @app.get("/") async def home(request: Request): diff --git a/app/routers/login.py b/app/routers/login.py new file mode 100644 index 00000000..382c3d06 --- /dev/null +++ b/app/routers/login.py @@ -0,0 +1,47 @@ +from fastapi import APIRouter, Depends, Request, HTTPException +from app.dependencies import templates +from app.database.database import get_db +from fastapi.security import OAuth2PasswordRequestForm +from app.internal.security.ouath2 import authenticate_user +from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token +from starlette.status import HTTP_401_UNAUTHORIZED + + +router = APIRouter( + prefix="", + tags=["/login"], + responses={404: {"description": "Not found"}}, +) + +@router.get("/login") +async def login_user_form(request: Request) -> templates: + ''' + rendering register route get method + ''' + return templates.TemplateResponse("login.html", { + "request": request, + "errors": None + }) + +@router.post('/login') +async def login(form: OAuth2PasswordRequestForm = Depends()): + # form = await request.form() + # form_username = form.username + # form_password = form.password + form_dict = {'username': form.username, 'hashed_password': form.password} + # user = LoginUser(form_username, form_password) + user = LoginUser(**form_dict) + # print(user) + if not user or not authenticate_user(user): + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + jwt_token = create_jwt_token(user) + # user = authenticate_user() + return {'token': jwt_token} + + +@router.get('/protected') +async def protected_route(request: Request, jwt: bool = Depends(check_jwt_token)): + return templates.TemplateResponse("home.html", { + "request": request, + "message": "protected" + }) \ No newline at end of file diff --git a/app/routers/register.py b/app/routers/register.py index c2d987ed..60f75c63 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -7,6 +7,8 @@ from sqlalchemy.exc import IntegrityError from sqlalchemy.orm import Session +from app.internal import user + router = APIRouter( prefix="", @@ -76,3 +78,8 @@ async def register( "request": request, "message": "User created", "status_code": 201}) + +### NOT for production +@router.get("/delete") +def delete_user(db: Session = Depends(get_db)): + user.delete_by_mail(db=db, email="") \ No newline at end of file diff --git a/app/templates/base.html b/app/templates/base.html index 675fadc8..ea964873 100644 --- a/app/templates/base.html +++ b/app/templates/base.html @@ -29,7 +29,7 @@ Profile
  • - Sign In + Sign In
  • Sign Up diff --git a/app/templates/login.html b/app/templates/login.html new file mode 100644 index 00000000..fd89a2cc --- /dev/null +++ b/app/templates/login.html @@ -0,0 +1,22 @@ +{% extends "base.html" %} +{% block content %} +
    +

    Login

    +
    +
    + +
    +
    +
    +
    +
    + +
    +
    +
    +
    + +
    +
    +{% endblock %} + \ No newline at end of file From 7ca40e18003aa2ffff80a02ebf7f28835404fb8b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 25 Jan 2021 14:14:49 +0200 Subject: [PATCH 10/56] fixed check_jwt_token --- app/internal/security/ouath2.py | 11 +++---- app/internal/security/schema.py | 5 ++- app/routers/login.py | 55 +++++++++++++++++++++++++++------ 3 files changed, 54 insertions(+), 17 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index c96652aa..c16f3f89 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -39,8 +39,8 @@ def verify_password(plain_password, hashed_password): def authenticate_user(user: LoginUser): db_user = get_db_user_by_username(username = user.username) if db_user: - if verify_password(user.hashed_password, db_user.password, ): - return user + if verify_password(user.hashed_password, db_user.password): + return LoginUser(username=user.username, hashed_password=db_user.password) return False @@ -57,16 +57,13 @@ async def check_jwt_token(token: str = Depends(oauth_schema)): try: jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") + print(jwt_payload) jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") - is_valid = False if time.time() < jwt_expiration: - db_user = await get_db_user_by_username(username=jwt_username) + db_user = get_db_user_by_username(username=jwt_username) # is_valid = await get_db_user_by_username(username=jwt_username) if db_user and db_user.password == jwt_hashed_password: - is_valid == True - # is_valid = await db_check_jwt_username(username) - if is_valid: return True else: raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index ec60efa7..f452e370 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -9,7 +9,10 @@ class LoginUser(BaseModel): class Config: orm_mode = True - + +class Token(BaseModel): + access_token: str + token_type: str # class Jwt_User(Login_User): diff --git a/app/routers/login.py b/app/routers/login.py index 382c3d06..a9818ea3 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,9 +1,12 @@ -from fastapi import APIRouter, Depends, Request, HTTPException +from fastapi import APIRouter, Depends, Request, HTTPException, Response, status from app.dependencies import templates from app.database.database import get_db from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token +from starlette.responses import RedirectResponse +from starlette.status import HTTP_302_FOUND +from app.internal.security.schema import Token from starlette.status import HTTP_401_UNAUTHORIZED @@ -23,20 +26,54 @@ async def login_user_form(request: Request) -> templates: "errors": None }) + +# @router.post('/login') +# async def login( +# request: Request, +# response: Response, +# form: OAuth2PasswordRequestForm = Depends()): +# form_dict = {'username': form.username, 'hashed_password': form.password} +# user = LoginUser(**form_dict) +# print(user) +# if not user or not authenticate_user(user): +# raise HTTPException( +# status_code=status.HTTP_401_UNAUTHORIZED, +# detail="Incorrect username or password", +# headers={"WWW-Authenticate": "Bearer"}, +# ) + +# jwt_token = create_jwt_token(user) +# response = RedirectResponse( +# url='/profile', status_code=HTTP_302_FOUND) +# response.headers["Authorization"] = jwt_token + +# response.set_cookie( +# "Authorization", +# value=jwt_token, +# httponly=True, +# max_age=120, +# expires=100, +# ) +# return response @router.post('/login') -async def login(form: OAuth2PasswordRequestForm = Depends()): - # form = await request.form() - # form_username = form.username - # form_password = form.password +async def login(request: Request, response: Response, form: OAuth2PasswordRequestForm = Depends()): form_dict = {'username': form.username, 'hashed_password': form.password} - # user = LoginUser(form_username, form_password) user = LoginUser(**form_dict) - # print(user) + authenticated_user = authenticate_user(user) if not user or not authenticate_user(user): raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) - jwt_token = create_jwt_token(user) + jwt_token = create_jwt_token(authenticated_user) + # response.headers["Authorization"] = "Bearer " + jwt_token # user = authenticate_user() - return {'token': jwt_token} + print(await check_jwt_token(jwt_token)) + return jwt_token + + + response.set_cookie(key="access_token",value=f"Bearer {jwt_token}", httponly=True) + return templates.TemplateResponse("home.html", { + "request": request, + "message": "User created", + "status_code": 201}) @router.get('/protected') From 1bdbc549b988b8332426329ec268ec74e6569ede Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 26 Jan 2021 13:22:19 +0200 Subject: [PATCH 11/56] Not Finshed --- app/internal/security/ouath2.py | 11 ++++++++--- app/main.py | 34 ++++++++++++++++++++++++++++++++- app/routers/login.py | 15 ++++++++++----- 3 files changed, 51 insertions(+), 9 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index c16f3f89..e93f93fc 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -4,7 +4,7 @@ from .schema import LoginUser from app.database.models import User from sqlalchemy.orm.session import Session -from fastapi import APIRouter, Depends, Request, HTTPException +from fastapi import APIRouter, Depends, HTTPException from app.dependencies import templates from app.database.database import get_db, SessionLocal from fastapi.security import OAuth2PasswordBearer @@ -13,6 +13,9 @@ from starlette.status import HTTP_401_UNAUTHORIZED import time from app.config import JWT_ALGORITHM, JWT_SECRET_KEY +from starlette.requests import Request + + JWT_MIN_EXP = 120 @@ -43,7 +46,6 @@ def authenticate_user(user: LoginUser): return LoginUser(username=user.username, hashed_password=db_user.password) return False - # Create access JWT token def create_jwt_token(user: LoginUser): expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP ) @@ -51,7 +53,6 @@ def create_jwt_token(user: LoginUser): jwt_token = jwt.encode(jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) return jwt_token - # Check whether JWT token is correct async def check_jwt_token(token: str = Depends(oauth_schema)): try: @@ -73,3 +74,7 @@ async def check_jwt_token(token: str = Depends(oauth_schema)): raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) +###### +async def get_current_user(token: str = Depends(oauth_schema)): + if check_jwt_token(token): + return token \ No newline at end of file diff --git a/app/main.py b/app/main.py index a42b2a13..4ce2284b 100644 --- a/app/main.py +++ b/app/main.py @@ -3,9 +3,13 @@ from app.dependencies import ( MEDIA_PATH, STATIC_PATH, templates) from app.routers import agenda, event, profile, email, invitation, register, login -from fastapi import FastAPI, Request +from fastapi import FastAPI, Request, Response from fastapi.staticfiles import StaticFiles +#### +from starlette.responses import RedirectResponse + + models.Base.metadata.create_all(bind=engine) app = FastAPI() @@ -20,6 +24,34 @@ app.include_router(invitation.router) app.include_router(login.router) +# @app.middleware("http") +# async def add_middleware_here(request: Request, response: Response): +# if str(request.url).__contains__("/login"): +# return request +# return RedirectResponse( +# url="/login", status_code=200) +# if "authorization" in response.headers: +# token = response.headers["authorization"] +# elif "authorization" in request.headers: +# token = request.headers["authorization"] +# if token: +# response = request.url +# response = RedirectResponse( +# url=await request.url(request), status_code=200) +# response.headers["authorization"] = token +# return response +# else: +# return +# try: +# verification_of_token = verify_token(token) +# if verification_of_token: +# response = await call_next(request) +# return response +# else: +# return JSONResponse(status_code=403) # or 401 +# except InvalidSignatureError as er: +# return JSONResponse(status_code=401) + @app.get("/") async def home(request: Request): return templates.TemplateResponse("home.html", { diff --git a/app/routers/login.py b/app/routers/login.py index a9818ea3..bf1afeff 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -3,7 +3,7 @@ from app.database.database import get_db from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user -from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token +from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema, get_current_user from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND from app.internal.security.schema import Token @@ -65,8 +65,13 @@ async def login(request: Request, response: Response, form: OAuth2PasswordReques jwt_token = create_jwt_token(authenticated_user) # response.headers["Authorization"] = "Bearer " + jwt_token # user = authenticate_user() - print(await check_jwt_token(jwt_token)) - return jwt_token + # return jwt_token + jwt_token = create_jwt_token(user) + print(jwt_token) + response = RedirectResponse( + url='/profile', status_code=HTTP_302_FOUND) + response.headers["authorization"] = jwt_token + return response response.set_cookie(key="access_token",value=f"Bearer {jwt_token}", httponly=True) @@ -75,9 +80,9 @@ async def login(request: Request, response: Response, form: OAuth2PasswordReques "message": "User created", "status_code": 201}) - +# depends = check_jwt_token @router.get('/protected') -async def protected_route(request: Request, jwt: bool = Depends(check_jwt_token)): +async def protected_route(request: Request, jwt: str = Depends(get_current_user)): return templates.TemplateResponse("home.html", { "request": request, "message": "protected" From eed52e2ba3fe553e62e21242f7c2a87aa23d3ab1 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 26 Jan 2021 14:24:25 +0200 Subject: [PATCH 12/56] minor fix --- app/main.py | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/app/main.py b/app/main.py index 4ce2284b..805ba233 100644 --- a/app/main.py +++ b/app/main.py @@ -42,15 +42,7 @@ # return response # else: # return -# try: -# verification_of_token = verify_token(token) -# if verification_of_token: -# response = await call_next(request) -# return response -# else: -# return JSONResponse(status_code=403) # or 401 -# except InvalidSignatureError as er: -# return JSONResponse(status_code=401) + @app.get("/") async def home(request: Request): From b793e2ca7161a01989252f6865a0a166ef64c5dc Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 31 Jan 2021 16:52:42 +0200 Subject: [PATCH 13/56] starting dependancy --- app/routers/login.py | 102 ++++++++++++++++++++++++------------------- 1 file changed, 57 insertions(+), 45 deletions(-) diff --git a/app/routers/login.py b/app/routers/login.py index bf1afeff..1fe9c589 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -3,7 +3,7 @@ from app.database.database import get_db from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user -from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema, get_current_user +from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND from app.internal.security.schema import Token @@ -27,62 +27,74 @@ async def login_user_form(request: Request) -> templates: }) +async def current_user(): + print(Request.cookies['Authorization']) + return await check_jwt_token(Request.cookies['Authorization']) + +@router.post('/login') +async def login( + request: Request, + response: Response, + form: OAuth2PasswordRequestForm = Depends()): + form_dict = {'username': form.username, 'hashed_password': form.password} + user = LoginUser(**form_dict) + # print(user) + if user: + user = authenticate_user(user) + if not user: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail="Incorrect username or password", + headers={"WWW-Authenticate": "Bearer"}, + ) + + jwt_token = create_jwt_token(user) + # print(jwt_token) + # response = RedirectResponse( + # url='/profile', status_code=HTTP_302_FOUND) + # response.headers["Authorization"] = jwt_token + response = RedirectResponse(url="/protected", status_code=HTTP_302_FOUND) + response.set_cookie( + "Authorization", + value=jwt_token, + httponly=True, + ) + return response # @router.post('/login') -# async def login( -# request: Request, -# response: Response, -# form: OAuth2PasswordRequestForm = Depends()): +# async def login(request: Request, response: Response, form: OAuth2PasswordRequestForm = Depends()): # form_dict = {'username': form.username, 'hashed_password': form.password} # user = LoginUser(**form_dict) -# print(user) +# authenticated_user = authenticate_user(user) # if not user or not authenticate_user(user): -# raise HTTPException( -# status_code=status.HTTP_401_UNAUTHORIZED, -# detail="Incorrect username or password", -# headers={"WWW-Authenticate": "Bearer"}, -# ) - +# raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) +# jwt_token = create_jwt_token(authenticated_user) +# # response.headers["Authorization"] = "Bearer " + jwt_token +# # user = authenticate_user() +# # return jwt_token # jwt_token = create_jwt_token(user) +# print(jwt_token) # response = RedirectResponse( # url='/profile', status_code=HTTP_302_FOUND) -# response.headers["Authorization"] = jwt_token - -# response.set_cookie( -# "Authorization", -# value=jwt_token, -# httponly=True, -# max_age=120, -# expires=100, -# ) +# response.headers["authorization"] = jwt_token # return response -@router.post('/login') -async def login(request: Request, response: Response, form: OAuth2PasswordRequestForm = Depends()): - form_dict = {'username': form.username, 'hashed_password': form.password} - user = LoginUser(**form_dict) - authenticated_user = authenticate_user(user) - if not user or not authenticate_user(user): - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) - jwt_token = create_jwt_token(authenticated_user) - # response.headers["Authorization"] = "Bearer " + jwt_token - # user = authenticate_user() - # return jwt_token - jwt_token = create_jwt_token(user) - print(jwt_token) - response = RedirectResponse( - url='/profile', status_code=HTTP_302_FOUND) - response.headers["authorization"] = jwt_token - return response - response.set_cookie(key="access_token",value=f"Bearer {jwt_token}", httponly=True) - return templates.TemplateResponse("home.html", { - "request": request, - "message": "User created", - "status_code": 201}) +# response.set_cookie(key="access_token",value=f"Bearer {jwt_token}", httponly=True) +# return templates.TemplateResponse("home.html", { +# "request": request, +# "message": "User created", +# "status_code": 201}) -# depends = check_jwt_token +# request: Request, jwt: str = Depends(get_current_user) +# ('/protected', dependencies = [Depends(current_user)]) @router.get('/protected') -async def protected_route(request: Request, jwt: str = Depends(get_current_user)): +async def protected_route(request: Request): + # print(dir(request)) + # print(request.cookies['Authorization']) + print("AUTHORIZE") + print(await check_jwt_token(request.cookies['Authorization'])) + # print (type(request.headers['cookie'])) + # print (request.headers['cookie']) return templates.TemplateResponse("home.html", { "request": request, "message": "protected" From 46820e104a0e5d41b031a4dda6c87a534788ac97 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 1 Feb 2021 08:26:59 +0200 Subject: [PATCH 14/56] dependancies working --- app/internal/security/ouath2.py | 55 +++++++++++++++++++--------- app/main.py | 8 +++++ app/routers/login.py | 64 ++++++++++++--------------------- 3 files changed, 69 insertions(+), 58 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index e93f93fc..bd3a9b83 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,24 +1,24 @@ from passlib.context import CryptContext # from app.database.schemas import Jwt_User # from app.internal.crud import get_user_by_username +from starlette.responses import RedirectResponse from .schema import LoginUser from app.database.models import User from sqlalchemy.orm.session import Session from fastapi import APIRouter, Depends, HTTPException from app.dependencies import templates -from app.database.database import get_db, SessionLocal +from app.database.database import get_db, SessionLocal from fastapi.security import OAuth2PasswordBearer from datetime import datetime, timedelta import jwt -from starlette.status import HTTP_401_UNAUTHORIZED +from starlette.status import HTTP_401_UNAUTHORIZED, HTTP_302_FOUND import time from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from starlette.requests import Request +from fastapi import Response - - -JWT_MIN_EXP = 120 +JWT_MIN_EXP = 3 pwd_context = CryptContext(schemes=["bcrypt"]) oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") @@ -46,6 +46,7 @@ def authenticate_user(user: LoginUser): return LoginUser(username=user.username, hashed_password=db_user.password) return False + # Create access JWT token def create_jwt_token(user: LoginUser): expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP ) @@ -53,28 +54,50 @@ def create_jwt_token(user: LoginUser): jwt_token = jwt.encode(jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) return jwt_token + # Check whether JWT token is correct -async def check_jwt_token(token: str = Depends(oauth_schema)): +async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False): try: jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") - print(jwt_payload) jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") if time.time() < jwt_expiration: db_user = get_db_user_by_username(username=jwt_username) - # is_valid = await get_db_user_by_username(username=jwt_username) if db_user and db_user.password == jwt_hashed_password: - return True - else: - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + return db_user else: - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + return HTTPException(status_code=HTTP_401_UNAUTHORIZED) except Exception as e: - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + if logged_in: + return None + if type(e).__name__ == 'ExpiredSignatureError': + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + if type(e).__name__ == 'DecodeError': + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + ###### -async def get_current_user(token: str = Depends(oauth_schema)): - if check_jwt_token(token): - return token \ No newline at end of file +async def get_cookie(request: Request): + if 'Authorization' in request.cookies: + return request.cookies['Authorization'] + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + + +async def current_user(jwt: str = Depends(get_cookie)): + user = await check_jwt_token(jwt) + if user: + return user + else: + return None + +async def logged_in_user(request: Request): + if 'Authorization' in request.cookies: + jwt = request.cookies['Authorization'] + else: + return None + user = await check_jwt_token(jwt, logged_in=True) + return user + + \ No newline at end of file diff --git a/app/main.py b/app/main.py index 805ba233..1107340a 100644 --- a/app/main.py +++ b/app/main.py @@ -24,6 +24,14 @@ app.include_router(invitation.router) app.include_router(login.router) +from starlette.status import HTTP_401_UNAUTHORIZED +@app.exception_handler(HTTP_401_UNAUTHORIZED) +async def exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> Response: + response = RedirectResponse(url='/login') + response.delete_cookie('Authorization') + return response + return RedirectResponse(url='/login') + # @app.middleware("http") # async def add_middleware_here(request: Request, response: Response): # if str(request.url).__contains__("/login"): diff --git a/app/routers/login.py b/app/routers/login.py index 1fe9c589..9bbe9bae 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -3,11 +3,12 @@ from app.database.database import get_db from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user -from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema +from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema, current_user, get_cookie, logged_in_user from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND from app.internal.security.schema import Token from starlette.status import HTTP_401_UNAUTHORIZED +from app.database.models import User router = APIRouter( @@ -27,9 +28,7 @@ async def login_user_form(request: Request) -> templates: }) -async def current_user(): - print(Request.cookies['Authorization']) - return await check_jwt_token(Request.cookies['Authorization']) + @router.post('/login') async def login( @@ -49,10 +48,6 @@ async def login( ) jwt_token = create_jwt_token(user) - # print(jwt_token) - # response = RedirectResponse( - # url='/profile', status_code=HTTP_302_FOUND) - # response.headers["Authorization"] = jwt_token response = RedirectResponse(url="/protected", status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", @@ -60,42 +55,27 @@ async def login( httponly=True, ) return response -# @router.post('/login') -# async def login(request: Request, response: Response, form: OAuth2PasswordRequestForm = Depends()): -# form_dict = {'username': form.username, 'hashed_password': form.password} -# user = LoginUser(**form_dict) -# authenticated_user = authenticate_user(user) -# if not user or not authenticate_user(user): -# raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) -# jwt_token = create_jwt_token(authenticated_user) -# # response.headers["Authorization"] = "Bearer " + jwt_token -# # user = authenticate_user() -# # return jwt_token -# jwt_token = create_jwt_token(user) -# print(jwt_token) -# response = RedirectResponse( -# url='/profile', status_code=HTTP_302_FOUND) -# response.headers["authorization"] = jwt_token -# return response - - -# response.set_cookie(key="access_token",value=f"Bearer {jwt_token}", httponly=True) -# return templates.TemplateResponse("home.html", { -# "request": request, -# "message": "User created", -# "status_code": 201}) -# request: Request, jwt: str = Depends(get_current_user) -# ('/protected', dependencies = [Depends(current_user)]) + +@router.get('/logout') +async def login(request: Request): + response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) + response.delete_cookie("Authorization") + # raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + return response + + @router.get('/protected') -async def protected_route(request: Request): - # print(dir(request)) - # print(request.cookies['Authorization']) - print("AUTHORIZE") - print(await check_jwt_token(request.cookies['Authorization'])) - # print (type(request.headers['cookie'])) - # print (request.headers['cookie']) +async def protected_route(request: Request, user: User = Depends(current_user)): + return templates.TemplateResponse("home.html", { + "request": request, + "message": user.username + }) + +@router.get('/user') +async def user_route(request: Request, current_user: User = Depends(logged_in_user)): + print(current_user) return templates.TemplateResponse("home.html", { "request": request, - "message": "protected" + "message": "user.username" }) \ No newline at end of file From 68e40fec55d31de09a0a47db42808f11ebef432d Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 1 Feb 2021 13:55:39 +0200 Subject: [PATCH 15/56] redirectin and user messages --- app/internal/security/dependancies.py | 22 ++++++++++ app/internal/security/ouath2.py | 61 ++++++++++++--------------- app/main.py | 27 +++--------- app/routers/login.py | 47 ++++++++++++--------- app/templates/login.html | 3 ++ 5 files changed, 87 insertions(+), 73 deletions(-) create mode 100644 app/internal/security/dependancies.py diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py new file mode 100644 index 00000000..1eacb0c4 --- /dev/null +++ b/app/internal/security/dependancies.py @@ -0,0 +1,22 @@ + +from starlette.requests import Request +from fastapi import Depends +from starlette.status import HTTP_401_UNAUTHORIZED +from app.internal.security.ouath2 import get_cookie, check_jwt_token + + +async def current_user_required(request: Request, jwt: str = Depends(get_cookie)): + user = await check_jwt_token(jwt, path=request.url.path) + # print(request.url) + if user: + return user + else: + return None + +async def current_user(request: Request): + if 'Authorization' in request.cookies: + jwt = request.cookies['Authorization'] + else: + return None + user = await check_jwt_token(jwt, logged_in=True) + return user \ No newline at end of file diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index bd3a9b83..79e48f78 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,21 +1,15 @@ from passlib.context import CryptContext -# from app.database.schemas import Jwt_User -# from app.internal.crud import get_user_by_username -from starlette.responses import RedirectResponse from .schema import LoginUser from app.database.models import User -from sqlalchemy.orm.session import Session from fastapi import APIRouter, Depends, HTTPException from app.dependencies import templates -from app.database.database import get_db, SessionLocal +from app.database.database import SessionLocal from fastapi.security import OAuth2PasswordBearer from datetime import datetime, timedelta import jwt -from starlette.status import HTTP_401_UNAUTHORIZED, HTTP_302_FOUND -import time +from starlette.status import HTTP_401_UNAUTHORIZED from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from starlette.requests import Request -from fastapi import Response JWT_MIN_EXP = 3 @@ -56,25 +50,25 @@ def create_jwt_token(user: LoginUser): # Check whether JWT token is correct -async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False): +async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False, path=None): try: jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") - if time.time() < jwt_expiration: - db_user = get_db_user_by_username(username=jwt_username) - if db_user and db_user.password == jwt_hashed_password: - return db_user + # if time.time() < jwt_expiration: + db_user = get_db_user_by_username(username=jwt_username) + if db_user and db_user.password == jwt_hashed_password: + return db_user else: - return HTTPException(status_code=HTTP_401_UNAUTHORIZED) + return HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") except Exception as e: if logged_in: return None if type(e).__name__ == 'ExpiredSignatureError': - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token has expired. Please log in again") if type(e).__name__ == 'DecodeError': - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") @@ -82,22 +76,23 @@ async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False): async def get_cookie(request: Request): if 'Authorization' in request.cookies: return request.cookies['Authorization'] - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) - - -async def current_user(jwt: str = Depends(get_cookie)): - user = await check_jwt_token(jwt) - if user: - return user - else: - return None - -async def logged_in_user(request: Request): - if 'Authorization' in request.cookies: - jwt = request.cookies['Authorization'] - else: - return None - user = await check_jwt_token(jwt, logged_in=True) - return user + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=request.url.path, detail="Please log in to enter this page") + + +# async def current_user_required(request: Request, jwt: str = Depends(get_cookie)): +# user = await check_jwt_token(jwt, path=request.url.path) +# # print(request.url) +# if user: +# return user +# else: +# return None + +# async def current_user(request: Request): +# if 'Authorization' in request.cookies: +# jwt = request.cookies['Authorization'] +# else: +# return None +# user = await check_jwt_token(jwt, logged_in=True) +# return user \ No newline at end of file diff --git a/app/main.py b/app/main.py index 1107340a..755ee1a0 100644 --- a/app/main.py +++ b/app/main.py @@ -24,32 +24,19 @@ app.include_router(invitation.router) app.include_router(login.router) + from starlette.status import HTTP_401_UNAUTHORIZED @app.exception_handler(HTTP_401_UNAUTHORIZED) async def exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> Response: response = RedirectResponse(url='/login') + if exc.headers: + response.set_cookie( + "next_url", value=exc.headers, httponly=True) + if exc.detail: + response.set_cookie( + "message", value=exc.detail, httponly=True) response.delete_cookie('Authorization') return response - return RedirectResponse(url='/login') - -# @app.middleware("http") -# async def add_middleware_here(request: Request, response: Response): -# if str(request.url).__contains__("/login"): -# return request -# return RedirectResponse( -# url="/login", status_code=200) -# if "authorization" in response.headers: -# token = response.headers["authorization"] -# elif "authorization" in request.headers: -# token = request.headers["authorization"] -# if token: -# response = request.url -# response = RedirectResponse( -# url=await request.url(request), status_code=200) -# response.headers["authorization"] = token -# return response -# else: -# return @app.get("/") diff --git a/app/routers/login.py b/app/routers/login.py index 9bbe9bae..bc1f6735 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,13 +1,11 @@ -from fastapi import APIRouter, Depends, Request, HTTPException, Response, status +from fastapi import APIRouter, Depends, Request, Response from app.dependencies import templates -from app.database.database import get_db from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user -from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token, oauth_schema, current_user, get_cookie, logged_in_user +from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token +from app.internal.security.dependancies import current_user_required, current_user from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND -from app.internal.security.schema import Token -from starlette.status import HTTP_401_UNAUTHORIZED from app.database.models import User @@ -17,43 +15,53 @@ responses={404: {"description": "Not found"}}, ) + + @router.get("/login") async def login_user_form(request: Request) -> templates: ''' rendering register route get method ''' + message = "" + if 'message' in request.cookies: + message = request.cookies['message'] return templates.TemplateResponse("login.html", { "request": request, - "errors": None + "errors": None, + "message": message }) - - @router.post('/login') async def login( request: Request, response: Response, form: OAuth2PasswordRequestForm = Depends()): + url = "/" form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) - # print(user) if user: user = authenticate_user(user) - if not user: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, - detail="Incorrect username or password", - headers={"WWW-Authenticate": "Bearer"}, - ) + if not user: + return templates.TemplateResponse("login.html", { + "request": request, + "errors": None, + "message": 'Please check your credentials' + }) + + ### check url + if 'next_url' in request.cookies: + url = request.cookies['next_url'] jwt_token = create_jwt_token(user) - response = RedirectResponse(url="/protected", status_code=HTTP_302_FOUND) + response = RedirectResponse(url=url, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", value=jwt_token, httponly=True, ) + response.delete_cookie('next_url') + response.delete_cookie('message') return response @@ -61,20 +69,19 @@ async def login( async def login(request: Request): response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") - # raise HTTPException(status_code=HTTP_401_UNAUTHORIZED) return response @router.get('/protected') -async def protected_route(request: Request, user: User = Depends(current_user)): +async def protected_route(request: Request, user: User = Depends(current_user_required)): return templates.TemplateResponse("home.html", { "request": request, "message": user.username }) @router.get('/user') -async def user_route(request: Request, current_user: User = Depends(logged_in_user)): - print(current_user) +async def user_route(request: Request, current_user: User = Depends(current_user)): + print(current_user.username) return templates.TemplateResponse("home.html", { "request": request, "message": "user.username" diff --git a/app/templates/login.html b/app/templates/login.html index fd89a2cc..739f3ef3 100644 --- a/app/templates/login.html +++ b/app/templates/login.html @@ -2,6 +2,9 @@ {% block content %}

    Login

    + {% if message %} +
    {{ message }}
    + {% endif %}
    From b7e7e60e2854def99749713416cc0255bdb26a4a Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 1 Feb 2021 17:49:12 +0200 Subject: [PATCH 16/56] async fixing --- app/internal/security/dependancies.py | 1 + app/internal/security/ouath2.py | 9 +++++---- app/routers/login.py | 7 +++++-- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 1eacb0c4..a8198446 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -19,4 +19,5 @@ async def current_user(request: Request): else: return None user = await check_jwt_token(jwt, logged_in=True) + print (user) return user \ No newline at end of file diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 79e48f78..fec9ecc8 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -17,7 +17,7 @@ pwd_context = CryptContext(schemes=["bcrypt"]) oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") -def get_db_user_by_username(username: str): +async def get_db_user_by_username(username: str): session = SessionLocal() return session.query(User).filter_by(username = username).first() @@ -33,8 +33,8 @@ def verify_password(plain_password, hashed_password): return False # Authenticate username and password -def authenticate_user(user: LoginUser): - db_user = get_db_user_by_username(username = user.username) +async def authenticate_user(user: LoginUser): + db_user = await get_db_user_by_username(username = user.username) if db_user: if verify_password(user.hashed_password, db_user.password): return LoginUser(username=user.username, hashed_password=db_user.password) @@ -57,13 +57,14 @@ async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False, p jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") # if time.time() < jwt_expiration: - db_user = get_db_user_by_username(username=jwt_username) + db_user = await get_db_user_by_username(username=jwt_username) if db_user and db_user.password == jwt_hashed_password: return db_user else: return HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") except Exception as e: if logged_in: + print("ff") return None if type(e).__name__ == 'ExpiredSignatureError': raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token has expired. Please log in again") diff --git a/app/routers/login.py b/app/routers/login.py index bc1f6735..9e96b19b 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -41,7 +41,7 @@ async def login( form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) if user: - user = authenticate_user(user) + user = await authenticate_user(user) if not user: return templates.TemplateResponse("login.html", { "request": request, @@ -81,7 +81,10 @@ async def protected_route(request: Request, user: User = Depends(current_user_re @router.get('/user') async def user_route(request: Request, current_user: User = Depends(current_user)): - print(current_user.username) + if current_user: + print(current_user.username) + else: + print(None) return templates.TemplateResponse("home.html", { "request": request, "message": "user.username" From e3c620a0884a40ec883ad5651b0e5e21587a8d9a Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 1 Feb 2021 19:55:08 +0200 Subject: [PATCH 17/56] exception handler --- app/internal/security/ouath2.py | 33 ++++++++++++++------------------- app/main.py | 15 +++------------ app/routers/login.py | 3 +-- 3 files changed, 18 insertions(+), 33 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index fec9ecc8..2f688f9f 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -11,12 +11,14 @@ from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from starlette.requests import Request +from starlette.responses import RedirectResponse -JWT_MIN_EXP = 3 +JWT_MIN_EXP = 3 pwd_context = CryptContext(schemes=["bcrypt"]) oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") + async def get_db_user_by_username(username: str): session = SessionLocal() return session.query(User).filter_by(username = username).first() @@ -72,7 +74,6 @@ async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False, p raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") - ###### async def get_cookie(request: Request): if 'Authorization' in request.cookies: @@ -80,20 +81,14 @@ async def get_cookie(request: Request): raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=request.url.path, detail="Please log in to enter this page") -# async def current_user_required(request: Request, jwt: str = Depends(get_cookie)): -# user = await check_jwt_token(jwt, path=request.url.path) -# # print(request.url) -# if user: -# return user -# else: -# return None - -# async def current_user(request: Request): -# if 'Authorization' in request.cookies: -# jwt = request.cookies['Authorization'] -# else: -# return None -# user = await check_jwt_token(jwt, logged_in=True) -# return user - - \ No newline at end of file +# @exception_handler(HTTP_401_UNAUTHORIZED) +async def my_exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: + response = RedirectResponse(url='/login') + if exc.headers: + response.set_cookie( + "next_url", value=exc.headers, httponly=True) + if exc.detail: + response.set_cookie( + "message", value=exc.detail, httponly=True) + response.delete_cookie('Authorization') + return response \ No newline at end of file diff --git a/app/main.py b/app/main.py index 755ee1a0..9a97dd84 100644 --- a/app/main.py +++ b/app/main.py @@ -24,19 +24,10 @@ app.include_router(invitation.router) app.include_router(login.router) - +from app.internal.security.ouath2 import my_exception_handler from starlette.status import HTTP_401_UNAUTHORIZED -@app.exception_handler(HTTP_401_UNAUTHORIZED) -async def exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> Response: - response = RedirectResponse(url='/login') - if exc.headers: - response.set_cookie( - "next_url", value=exc.headers, httponly=True) - if exc.detail: - response.set_cookie( - "message", value=exc.detail, httponly=True) - response.delete_cookie('Authorization') - return response + +app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) @app.get("/") diff --git a/app/routers/login.py b/app/routers/login.py index 9e96b19b..46251744 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,4 +1,4 @@ -from fastapi import APIRouter, Depends, Request, Response +from fastapi import APIRouter, Depends, Request from app.dependencies import templates from fastapi.security import OAuth2PasswordRequestForm from app.internal.security.ouath2 import authenticate_user @@ -35,7 +35,6 @@ async def login_user_form(request: Request) -> templates: @router.post('/login') async def login( request: Request, - response: Response, form: OAuth2PasswordRequestForm = Depends()): url = "/" form_dict = {'username': form.username, 'hashed_password': form.password} From b6b74413f7552e7fdc47241ec4be1691ae4ffb7f Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 2 Feb 2021 08:36:14 +0200 Subject: [PATCH 18/56] quary parameters --- app/internal/security/ouath2.py | 11 +++-------- app/routers/login.py | 20 +++++--------------- 2 files changed, 8 insertions(+), 23 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 2f688f9f..01a1a3b1 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -81,14 +81,9 @@ async def get_cookie(request: Request): raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=request.url.path, detail="Please log in to enter this page") -# @exception_handler(HTTP_401_UNAUTHORIZED) async def my_exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: - response = RedirectResponse(url='/login') - if exc.headers: - response.set_cookie( - "next_url", value=exc.headers, httponly=True) - if exc.detail: - response.set_cookie( - "message", value=exc.detail, httponly=True) + paramas = f"?next={exc.headers}&message={exc.detail}" + url = f"/login{paramas}" + response = RedirectResponse(url=url) response.delete_cookie('Authorization') return response \ No newline at end of file diff --git a/app/routers/login.py b/app/routers/login.py index 46251744..a3b3f38f 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -7,6 +7,7 @@ from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND from app.database.models import User +from typing import Optional router = APIRouter( @@ -18,16 +19,12 @@ @router.get("/login") -async def login_user_form(request: Request) -> templates: +async def login_user_form(request: Request, message: Optional[str] = "") -> templates: ''' rendering register route get method ''' - message = "" - if 'message' in request.cookies: - message = request.cookies['message'] return templates.TemplateResponse("login.html", { "request": request, - "errors": None, "message": message }) @@ -35,8 +32,8 @@ async def login_user_form(request: Request) -> templates: @router.post('/login') async def login( request: Request, - form: OAuth2PasswordRequestForm = Depends()): - url = "/" + form: OAuth2PasswordRequestForm = Depends(), + next: Optional[str] = "/"): form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) if user: @@ -44,23 +41,16 @@ async def login( if not user: return templates.TemplateResponse("login.html", { "request": request, - "errors": None, "message": 'Please check your credentials' }) - ### check url - if 'next_url' in request.cookies: - url = request.cookies['next_url'] - jwt_token = create_jwt_token(user) - response = RedirectResponse(url=url, status_code=HTTP_302_FOUND) + response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", value=jwt_token, httponly=True, ) - response.delete_cookie('next_url') - response.delete_cookie('message') return response From d1849bb48c9705fab324f4588ce195fd73b4ad02 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 12:12:35 +0200 Subject: [PATCH 19/56] Documentation added --- app/internal/security/dependancies.py | 20 ++++++----- app/internal/security/ouath2.py | 51 ++++++++++++++++++--------- app/internal/security/schema.py | 13 +++---- app/routers/login.py | 21 +++++++---- app/routers/register.py | 38 +++++++++++--------- 5 files changed, 88 insertions(+), 55 deletions(-) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index a8198446..367df1f2 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,23 +1,27 @@ - +from typing import Union from starlette.requests import Request from fastapi import Depends from starlette.status import HTTP_401_UNAUTHORIZED -from app.internal.security.ouath2 import get_cookie, check_jwt_token +from app.internal.security.ouath2 import get_cookie, check_jwt_token, User -async def current_user_required(request: Request, jwt: str = Depends(get_cookie)): +async def current_user_required( + request: Request, jwt: str = Depends(get_cookie)) -> Union[User, bool]: + '''A dependency function protecting routes for only logged in user''' user = await check_jwt_token(jwt, path=request.url.path) - # print(request.url) if user: return user - else: - return None -async def current_user(request: Request): + +async def current_user(request: Request) -> Union[User, bool]: + ''' + A dependency function. + Returns logged in User object if exists. + None if not. + ''' if 'Authorization' in request.cookies: jwt = request.cookies['Authorization'] else: return None user = await check_jwt_token(jwt, logged_in=True) - print (user) return user \ No newline at end of file diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 01a1a3b1..2c5a02df 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,3 +1,4 @@ +from typing import Union from passlib.context import CryptContext from .schema import LoginUser from app.database.models import User @@ -19,23 +20,27 @@ oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") -async def get_db_user_by_username(username: str): +async def get_db_user_by_username(username: str) -> User: + '''Checking database for user by username field''' session = SessionLocal() return session.query(User).filter_by(username = username).first() -def get_hashed_password(password): +def get_hashed_password(password) -> str: + '''Hashing user password''' return pwd_context.hash(password) -def verify_password(plain_password, hashed_password): +def verify_password(plain_password, hashed_password) -> bool: + '''Verifying password and hashed password are equal''' try: return pwd_context.verify(plain_password, hashed_password) except Exception as e: return False -# Authenticate username and password -async def authenticate_user(user: LoginUser): + +async def authenticate_user(user: LoginUser) -> Union[LoginUser, bool]: + '''Verifying user is in database and password is correct''' db_user = await get_db_user_by_username(username = user.username) if db_user: if verify_password(user.hashed_password, db_user.password): @@ -43,30 +48,34 @@ async def authenticate_user(user: LoginUser): return False -# Create access JWT token -def create_jwt_token(user: LoginUser): +def create_jwt_token(user: LoginUser) -> str: + '''Creating jwt-token out of user unique data''' expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP ) jwt_payload = {"sub": user.username, "hashed_password": user.hashed_password, "exp": expiration} jwt_token = jwt.encode(jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) return jwt_token -# Check whether JWT token is correct -async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False, path=None): +async def check_jwt_token( + token: str = Depends(oauth_schema), + logged_in: bool = False, path: bool = None) -> Union[User, bool]: + ''' + Check whether JWT token is correct. Returns User object if yes. + Returns None or raises HTTPException, + depanding which depandency activated this function. + ''' try: jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") - # if time.time() < jwt_expiration: db_user = await get_db_user_by_username(username=jwt_username) if db_user and db_user.password == jwt_hashed_password: return db_user else: - return HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") + raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") except Exception as e: if logged_in: - print("ff") return None if type(e).__name__ == 'ExpiredSignatureError': raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token has expired. Please log in again") @@ -74,16 +83,26 @@ async def check_jwt_token(token: str = Depends(oauth_schema), logged_in=False, p raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") -###### -async def get_cookie(request: Request): +async def get_cookie(request: Request) -> str: + ''' + Extracts jwt from HTTPONLY cookie, if exists. + Raises HTTPException if not. + ''' if 'Authorization' in request.cookies: return request.cookies['Authorization'] raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=request.url.path, detail="Please log in to enter this page") -async def my_exception_handler(request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: +async def my_exception_handler( + request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: + ''' + Whenever HTTP_401_UNAUTHORIZED is raised, + redirecting to login route, with original requested url, + and details for why original request failed. + ''' paramas = f"?next={exc.headers}&message={exc.detail}" url = f"/login{paramas}" response = RedirectResponse(url=url) response.delete_cookie('Authorization') - return response \ No newline at end of file + return response + \ No newline at end of file diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index f452e370..41010bea 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -3,17 +3,14 @@ from pydantic import BaseModel, validator + class LoginUser(BaseModel): + ''' + Validating fields types + Returns a User object for signing in. + ''' username: str hashed_password: str class Config: orm_mode = True - -class Token(BaseModel): - access_token: str - token_type: str - - -# class Jwt_User(Login_User): -# is_active: Optional[bool] = False \ No newline at end of file diff --git a/app/routers/login.py b/app/routers/login.py index a3b3f38f..e5526fa2 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -19,10 +19,9 @@ @router.get("/login") -async def login_user_form(request: Request, message: Optional[str] = "") -> templates: - ''' - rendering register route get method - ''' +async def login_user_form( + request: Request, message: Optional[str] = "") -> templates: + '''rendering login route get method''' return templates.TemplateResponse("login.html", { "request": request, "message": message @@ -33,9 +32,15 @@ async def login_user_form(request: Request, message: Optional[str] = "") -> temp async def login( request: Request, form: OAuth2PasswordRequestForm = Depends(), - next: Optional[str] = "/"): + next: Optional[str] = "/") -> RedirectResponse: + '''rendering login route post method.''' form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) + ''' + Validaiting login form data, + if user exist in database, + if password correct. + ''' if user: user = await authenticate_user(user) if not user: @@ -43,7 +48,7 @@ async def login( "request": request, "message": 'Please check your credentials' }) - + # creating HTTPONLY cookie with jwt-token out of user unique data jwt_token = create_jwt_token(user) response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( @@ -54,6 +59,7 @@ async def login( return response +# Not for production @router.get('/logout') async def login(request: Request): response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) @@ -61,6 +67,7 @@ async def login(request: Request): return response +# Not for production @router.get('/protected') async def protected_route(request: Request, user: User = Depends(current_user_required)): return templates.TemplateResponse("home.html", { @@ -68,6 +75,8 @@ async def protected_route(request: Request, user: User = Depends(current_user_re "message": user.username }) + +# Not for production @router.get('/user') async def user_route(request: Request, current_user: User = Depends(current_user)): if current_user: diff --git a/app/routers/register.py b/app/routers/register.py index 60f75c63..c17ebbba 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -1,5 +1,5 @@ from app.internal import user -from app.database import schemas +from app.database.schemas import UserCreate from app.database.database import get_db from app.dependencies import templates from fastapi import APIRouter, Depends, Request @@ -17,11 +17,25 @@ ) + +async def render_registration_error( + db :Session, new_user: UserCreate) -> dict: + '''After registering new user fails, defines relevant errors''' + db.rollback() + errors = {} + db_user_email = user.get_by_mail(db, email=new_user.email) + db_user_username = user.get_by_username( + db, username=new_user.username) + if db_user_username: + errors['username'] = "That username is already taken" + if db_user_email: + errors['email'] = "Email already registered" + return errors + + @router.get("/register") async def register_user_form(request: Request) -> templates: - ''' - rendering register route get method - ''' + '''rendering register route get method''' return templates.TemplateResponse("register.html", { "request": request, "errors": None @@ -31,15 +45,13 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") async def register( request: Request, db: Session = Depends(get_db)) -> templates: - ''' - rendering register route post method. - ''' + '''rendering register route post method.''' form = await request.form() form_dict = dict(form) try: # creating pydantic schema object out of form data - new_user = schemas.UserCreate(**form_dict) + new_user = UserCreate(**form_dict) except ValidationError as e: # if pydantic validations fails, rendering errors to register.html @@ -60,15 +72,7 @@ async def register( rendering errors to register.html ''' except IntegrityError: - db.rollback() - errors = {} - db_user_email = user.get_by_mail(db, email=new_user.email) - db_user_username = user.get_by_username( - db, username=new_user.username) - if db_user_username: - errors['username'] = "That username is already taken" - if db_user_email: - errors['email'] = "Email already registered" + errors = await render_registration_error(db, new_user) return templates.TemplateResponse("register.html", { "request": request, "errors": errors, From 84db349326d5a563ef131b4f11b4d0e7ce9a63c7 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 19:32:22 +0200 Subject: [PATCH 20/56] fixed pep8 --- app/database/schemas.py | 5 ++- app/internal/email.py | 4 +- app/internal/import_file.py | 2 +- app/internal/security/dependancies.py | 4 +- app/internal/security/ouath2.py | 53 ++++++++++++++++++--------- app/main.py | 8 +--- app/routers/login.py | 34 +++++++++-------- app/routers/register.py | 14 +++---- 8 files changed, 71 insertions(+), 53 deletions(-) diff --git a/app/database/schemas.py b/app/database/schemas.py index a7c68864..d71fe36d 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -33,7 +33,10 @@ class UserCreate(UserBase): password: str confirm_password: str - '''Calling to field_not_empty validaion function for each required field.''' + ''' + Calling to field_not_empty validaion function, + for each required field. + ''' _fields_not_empty_username = validator( 'username', allow_reuse=True)(fields_not_empty) _fields_not_empty_full_name = validator( diff --git a/app/internal/email.py b/app/internal/email.py index 55376250..41c27a65 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -138,8 +138,8 @@ def send_email_file(file_path: str, async def send_internal(subject: str, recipients: List[str], body: str, - subtype: Optional[str] = None, - file_attachments: Optional[List[str]] = None): + subtype: Optional[str]=None, + file_attachments: Optional[List[str]]=None): if file_attachments is None: file_attachments = [] diff --git a/app/internal/import_file.py b/app/internal/import_file.py index 1664638c..8ac0a6aa 100644 --- a/app/internal/import_file.py +++ b/app/internal/import_file.py @@ -37,7 +37,7 @@ def is_file_size_valid(file: str, max_size: int = MAX_FILE_SIZE_MB) -> bool: def is_file_extension_valid(file: str, extension: Union[str, Tuple[str, ...]] - = VALID_FILE_EXTENSION) -> bool: + =VALID_FILE_EXTENSION) -> bool: return file.lower().endswith(extension) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 367df1f2..fa345a0e 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -6,7 +6,7 @@ async def current_user_required( - request: Request, jwt: str = Depends(get_cookie)) -> Union[User, bool]: + request: Request, jwt: str=Depends(get_cookie)) -> Union[User, bool]: '''A dependency function protecting routes for only logged in user''' user = await check_jwt_token(jwt, path=request.url.path) if user: @@ -24,4 +24,4 @@ async def current_user(request: Request) -> Union[User, bool]: else: return None user = await check_jwt_token(jwt, logged_in=True) - return user \ No newline at end of file + return user diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 2c5a02df..8a52f0c8 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -4,14 +4,13 @@ from app.database.models import User from fastapi import APIRouter, Depends, HTTPException from app.dependencies import templates -from app.database.database import SessionLocal +from app.database.database import SessionLocal from fastapi.security import OAuth2PasswordBearer -from datetime import datetime, timedelta +from datetime import datetime, timedelta import jwt from starlette.status import HTTP_401_UNAUTHORIZED from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from starlette.requests import Request - from starlette.responses import RedirectResponse @@ -23,7 +22,7 @@ async def get_db_user_by_username(username: str) -> User: '''Checking database for user by username field''' session = SessionLocal() - return session.query(User).filter_by(username = username).first() + return session.query(User).filter_by(username=username).first() def get_hashed_password(password) -> str: @@ -41,31 +40,37 @@ def verify_password(plain_password, hashed_password) -> bool: async def authenticate_user(user: LoginUser) -> Union[LoginUser, bool]: '''Verifying user is in database and password is correct''' - db_user = await get_db_user_by_username(username = user.username) + db_user = await get_db_user_by_username(username=user.username) if db_user: if verify_password(user.hashed_password, db_user.password): - return LoginUser(username=user.username, hashed_password=db_user.password) + return LoginUser( + username=user.username, hashed_password=db_user.password) return False def create_jwt_token(user: LoginUser) -> str: '''Creating jwt-token out of user unique data''' - expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP ) - jwt_payload = {"sub": user.username, "hashed_password": user.hashed_password, "exp": expiration} - jwt_token = jwt.encode(jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) + expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP) + jwt_payload = { + "sub": user.username, + "hashed_password": user.hashed_password, + "exp": expiration} + jwt_token = jwt.encode( + jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) return jwt_token async def check_jwt_token( - token: str = Depends(oauth_schema), - logged_in: bool = False, path: bool = None) -> Union[User, bool]: + token: str=Depends(oauth_schema), + logged_in: bool=False, path: bool=None) -> Union[User, bool]: ''' Check whether JWT token is correct. Returns User object if yes. Returns None or raises HTTPException, depanding which depandency activated this function. ''' try: - jwt_payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) + jwt_payload = jwt.decode( + token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") jwt_expiration = jwt_payload.get("exp") @@ -73,14 +78,23 @@ async def check_jwt_token( if db_user and db_user.password == jwt_hashed_password: return db_user else: - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token is incorrect. Please log in again") except Exception as e: if logged_in: return None if type(e).__name__ == 'ExpiredSignatureError': - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token has expired. Please log in again") + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token has expired. Please log in again") if type(e).__name__ == 'DecodeError': - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token is incorrect. Please log in again") async def get_cookie(request: Request) -> str: @@ -90,11 +104,15 @@ async def get_cookie(request: Request) -> str: ''' if 'Authorization' in request.cookies: return request.cookies['Authorization'] - raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, headers=request.url.path, detail="Please log in to enter this page") + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=request.url.path, + detail="Please log in to enter this page") async def my_exception_handler( - request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: + request: Request, + exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: ''' Whenever HTTP_401_UNAUTHORIZED is raised, redirecting to login route, with original requested url, @@ -105,4 +123,3 @@ async def my_exception_handler( response = RedirectResponse(url=url) response.delete_cookie('Authorization') return response - \ No newline at end of file diff --git a/app/main.py b/app/main.py index 02e0368c..5b05b90b 100644 --- a/app/main.py +++ b/app/main.py @@ -7,7 +7,7 @@ from app.internal.security.ouath2 import my_exception_handler from app.routers import ( agenda, categories, dayview, email, - event, invitation, login, profile, + event, invitation, login, profile, register, search, telegram, whatsapp) from app.telegram.bot import telegram_bot from fastapi import Depends, FastAPI, Request, Response @@ -16,7 +16,6 @@ from sqlalchemy.orm import Session - def create_tables(engine, psql_environment): if 'sqlite' in str(engine.url) and psql_environment: raise models.PSQLEnvironmentError( @@ -41,9 +40,6 @@ def create_tables(engine, psql_environment): app.include_router(invitation.router) app.include_router(login.router) - - - app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) load_quotes.load_daily_quotes(next(get_db())) @@ -74,7 +70,7 @@ def create_tables(engine, psql_environment): # until the relevant calendar view will be developed. @app.get("/") @logger.catch() -async def home(request: Request, db: Session = Depends(get_db)): +async def home(request: Request, db: Session=Depends(get_db)): quote = daily_quotes.quote_per_day(db) return templates.TemplateResponse("home.html", { "request": request, diff --git a/app/routers/login.py b/app/routers/login.py index e5526fa2..4eb38e1d 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,13 +1,16 @@ -from fastapi import APIRouter, Depends, Request +from typing import Optional + +from app.database.models import User from app.dependencies import templates +from app.internal.security.dependancies import ( + current_user_required, current_user) +from app.internal.security.ouath2 import ( + authenticate_user, check_jwt_token, + create_jwt_token, LoginUser) +from fastapi import APIRouter, Depends, Request from fastapi.security import OAuth2PasswordRequestForm -from app.internal.security.ouath2 import authenticate_user -from app.internal.security.ouath2 import LoginUser, create_jwt_token, check_jwt_token -from app.internal.security.dependancies import current_user_required, current_user from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND -from app.database.models import User -from typing import Optional router = APIRouter( @@ -17,10 +20,9 @@ ) - @router.get("/login") async def login_user_form( - request: Request, message: Optional[str] = "") -> templates: + request: Request, message: Optional[str]="") -> templates: '''rendering login route get method''' return templates.TemplateResponse("login.html", { "request": request, @@ -31,8 +33,8 @@ async def login_user_form( @router.post('/login') async def login( request: Request, - form: OAuth2PasswordRequestForm = Depends(), - next: Optional[str] = "/") -> RedirectResponse: + form: OAuth2PasswordRequestForm=Depends(), + next: Optional[str]="/") -> RedirectResponse: '''rendering login route post method.''' form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) @@ -50,7 +52,7 @@ async def login( }) # creating HTTPONLY cookie with jwt-token out of user unique data jwt_token = create_jwt_token(user) - response = RedirectResponse(next, status_code=HTTP_302_FOUND) + response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", value=jwt_token, @@ -62,14 +64,15 @@ async def login( # Not for production @router.get('/logout') async def login(request: Request): - response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) + response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") return response # Not for production @router.get('/protected') -async def protected_route(request: Request, user: User = Depends(current_user_required)): +async def protected_route( + request: Request, user: User=Depends(current_user_required)): return templates.TemplateResponse("home.html", { "request": request, "message": user.username @@ -78,7 +81,8 @@ async def protected_route(request: Request, user: User = Depends(current_user_re # Not for production @router.get('/user') -async def user_route(request: Request, current_user: User = Depends(current_user)): +async def user_route( + request: Request, current_user: User=Depends(current_user)): if current_user: print(current_user.username) else: @@ -86,4 +90,4 @@ async def user_route(request: Request, current_user: User = Depends(current_user return templates.TemplateResponse("home.html", { "request": request, "message": "user.username" - }) \ No newline at end of file + }) diff --git a/app/routers/register.py b/app/routers/register.py index c17ebbba..3a1feab7 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -7,8 +7,6 @@ from sqlalchemy.exc import IntegrityError from sqlalchemy.orm import Session -from app.internal import user - router = APIRouter( prefix="", @@ -17,10 +15,9 @@ ) - async def render_registration_error( - db :Session, new_user: UserCreate) -> dict: - '''After registering new user fails, defines relevant errors''' + db: Session, new_user: UserCreate) -> dict: + '''After registering new user fails, defines relevant errors''' db.rollback() errors = {} db_user_email = user.get_by_mail(db, email=new_user.email) @@ -44,7 +41,7 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") async def register( - request: Request, db: Session = Depends(get_db)) -> templates: + request: Request, db: Session=Depends(get_db)) -> templates: '''rendering register route post method.''' form = await request.form() form_dict = dict(form) @@ -83,7 +80,8 @@ async def register( "message": "User created", "status_code": 201}) -### NOT for production + +# NOT for production @router.get("/delete") def delete_user(db: Session = Depends(get_db)): - user.delete_by_mail(db=db, email="") \ No newline at end of file + user.delete_by_mail(db=db, email="") From d9ae4774111aecd64fab9a6ef75163d33710ea89 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 20:04:16 +0200 Subject: [PATCH 21/56] pep8 more fixes --- app/internal/email.py | 4 ++-- app/internal/import_file.py | 2 +- app/internal/security/dependancies.py | 8 ++++---- app/internal/security/ouath2.py | 23 +++++++++++------------ app/internal/security/schema.py | 5 +---- app/internal/user.py | 1 - app/main.py | 4 ++-- app/routers/login.py | 17 ++++++++--------- app/routers/register.py | 3 ++- 9 files changed, 31 insertions(+), 36 deletions(-) diff --git a/app/internal/email.py b/app/internal/email.py index 41c27a65..55376250 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -138,8 +138,8 @@ def send_email_file(file_path: str, async def send_internal(subject: str, recipients: List[str], body: str, - subtype: Optional[str]=None, - file_attachments: Optional[List[str]]=None): + subtype: Optional[str] = None, + file_attachments: Optional[List[str]] = None): if file_attachments is None: file_attachments = [] diff --git a/app/internal/import_file.py b/app/internal/import_file.py index 8ac0a6aa..1664638c 100644 --- a/app/internal/import_file.py +++ b/app/internal/import_file.py @@ -37,7 +37,7 @@ def is_file_size_valid(file: str, max_size: int = MAX_FILE_SIZE_MB) -> bool: def is_file_extension_valid(file: str, extension: Union[str, Tuple[str, ...]] - =VALID_FILE_EXTENSION) -> bool: + = VALID_FILE_EXTENSION) -> bool: return file.lower().endswith(extension) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index fa345a0e..c9d9bf03 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,12 +1,12 @@ from typing import Union -from starlette.requests import Request -from fastapi import Depends -from starlette.status import HTTP_401_UNAUTHORIZED + from app.internal.security.ouath2 import get_cookie, check_jwt_token, User +from fastapi import Depends +from starlette.requests import Request async def current_user_required( - request: Request, jwt: str=Depends(get_cookie)) -> Union[User, bool]: + request: Request, jwt: str =Depends(get_cookie)) -> Union[User, bool]: '''A dependency function protecting routes for only logged in user''' user = await check_jwt_token(jwt, path=request.url.path) if user: diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 8a52f0c8..cf2f7ad4 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,17 +1,17 @@ +from datetime import datetime, timedelta from typing import Union + +from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from passlib.context import CryptContext -from .schema import LoginUser -from app.database.models import User -from fastapi import APIRouter, Depends, HTTPException -from app.dependencies import templates from app.database.database import SessionLocal +from app.database.models import User +from fastapi import Depends, HTTPException from fastapi.security import OAuth2PasswordBearer -from datetime import datetime, timedelta import jwt -from starlette.status import HTTP_401_UNAUTHORIZED -from app.config import JWT_ALGORITHM, JWT_SECRET_KEY from starlette.requests import Request from starlette.responses import RedirectResponse +from starlette.status import HTTP_401_UNAUTHORIZED +from .schema import LoginUser JWT_MIN_EXP = 3 @@ -34,7 +34,7 @@ def verify_password(plain_password, hashed_password) -> bool: '''Verifying password and hashed password are equal''' try: return pwd_context.verify(plain_password, hashed_password) - except Exception as e: + except Exception: return False @@ -61,8 +61,8 @@ def create_jwt_token(user: LoginUser) -> str: async def check_jwt_token( - token: str=Depends(oauth_schema), - logged_in: bool=False, path: bool=None) -> Union[User, bool]: + token: str = Depends(oauth_schema), + logged_in: bool = False, path: bool = None) -> Union[User, bool]: ''' Check whether JWT token is correct. Returns User object if yes. Returns None or raises HTTPException, @@ -73,7 +73,6 @@ async def check_jwt_token( token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") - jwt_expiration = jwt_payload.get("exp") db_user = await get_db_user_by_username(username=jwt_username) if db_user and db_user.password == jwt_hashed_password: return db_user @@ -95,7 +94,7 @@ async def check_jwt_token( status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") - + async def get_cookie(request: Request) -> str: ''' diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index 41010bea..bc778219 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -1,7 +1,4 @@ -from typing import List, Optional, Union -from fastapi import Depends, Form, Query -from pydantic import BaseModel, validator - +from pydantic import BaseModel class LoginUser(BaseModel): diff --git a/app/internal/user.py b/app/internal/user.py index bf04862f..1e442b34 100644 --- a/app/internal/user.py +++ b/app/internal/user.py @@ -1,5 +1,4 @@ from app.database import models, schemas -from passlib.context import CryptContext from sqlalchemy.orm import Session from app.internal.security.ouath2 import pwd_context diff --git a/app/main.py b/app/main.py index 5b05b90b..9b48b4f3 100644 --- a/app/main.py +++ b/app/main.py @@ -10,7 +10,7 @@ event, invitation, login, profile, register, search, telegram, whatsapp) from app.telegram.bot import telegram_bot -from fastapi import Depends, FastAPI, Request, Response +from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED from sqlalchemy.orm import Session @@ -70,7 +70,7 @@ def create_tables(engine, psql_environment): # until the relevant calendar view will be developed. @app.get("/") @logger.catch() -async def home(request: Request, db: Session=Depends(get_db)): +async def home(request: Request, db: Session = Depends(get_db)): quote = daily_quotes.quote_per_day(db) return templates.TemplateResponse("home.html", { "request": request, diff --git a/app/routers/login.py b/app/routers/login.py index 4eb38e1d..3efc14c3 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -5,8 +5,7 @@ from app.internal.security.dependancies import ( current_user_required, current_user) from app.internal.security.ouath2 import ( - authenticate_user, check_jwt_token, - create_jwt_token, LoginUser) + authenticate_user, create_jwt_token, LoginUser) from fastapi import APIRouter, Depends, Request from fastapi.security import OAuth2PasswordRequestForm from starlette.responses import RedirectResponse @@ -22,7 +21,7 @@ @router.get("/login") async def login_user_form( - request: Request, message: Optional[str]="") -> templates: + request: Request, message: Optional[str] = "") -> templates: '''rendering login route get method''' return templates.TemplateResponse("login.html", { "request": request, @@ -34,7 +33,7 @@ async def login_user_form( async def login( request: Request, form: OAuth2PasswordRequestForm=Depends(), - next: Optional[str]="/") -> RedirectResponse: + next: Optional[str] = "/") -> RedirectResponse: '''rendering login route post method.''' form_dict = {'username': form.username, 'hashed_password': form.password} user = LoginUser(**form_dict) @@ -52,7 +51,7 @@ async def login( }) # creating HTTPONLY cookie with jwt-token out of user unique data jwt_token = create_jwt_token(user) - response = RedirectResponse(next, status_code=HTTP_302_FOUND) + response = RedirectResponse(next, status_code = HTTP_302_FOUND) response.set_cookie( "Authorization", value=jwt_token, @@ -63,8 +62,8 @@ async def login( # Not for production @router.get('/logout') -async def login(request: Request): - response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) +async def logout(request: Request): + response = RedirectResponse(url="/logout", status_code = HTTP_302_FOUND) response.delete_cookie("Authorization") return response @@ -72,7 +71,7 @@ async def login(request: Request): # Not for production @router.get('/protected') async def protected_route( - request: Request, user: User=Depends(current_user_required)): + request: Request, user: User = Depends(current_user_required)): return templates.TemplateResponse("home.html", { "request": request, "message": user.username @@ -82,7 +81,7 @@ async def protected_route( # Not for production @router.get('/user') async def user_route( - request: Request, current_user: User=Depends(current_user)): + request: Request, current_user: User = Depends(current_user)): if current_user: print(current_user.username) else: diff --git a/app/routers/register.py b/app/routers/register.py index 3a1feab7..e2f77f04 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -41,7 +41,8 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") async def register( - request: Request, db: Session=Depends(get_db)) -> templates: + request: Request, db: + Session = Depends(get_db)) -> templates: '''rendering register route post method.''' form = await request.form() form_dict = dict(form) From d7465b58b169c8dda9a72a65c6f92d15a1ad286b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 20:11:20 +0200 Subject: [PATCH 22/56] pep8 config fix --- app/config.py.example | 4 ++-- app/internal/security/dependancies.py | 2 +- app/routers/login.py | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/config.py.example b/app/config.py.example index b33f10c0..a9dec14d 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -50,8 +50,8 @@ email_conf = ConnectionConfig( DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" # security -JWT_SECRET_KEY = "c06857128217c661de43d746ecdbe9f1dbc3b3685957fab64512456f639b1881" -JWT_ALGORITHM = "HS256" +JWT_SECRET_KEY = "c06857128217c661de43d746ecdb" ++ "e9f1dbc3b3685957fab64512456f639b1881"JWT_ALGORITHM = "HS256" templates = Jinja2Templates(directory=os.path.join("app", "templates")) # application name diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index c9d9bf03..40dde89e 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -6,7 +6,7 @@ async def current_user_required( - request: Request, jwt: str =Depends(get_cookie)) -> Union[User, bool]: + request: Request, jwt: str = Depends(get_cookie)) -> Union[User, bool]: '''A dependency function protecting routes for only logged in user''' user = await check_jwt_token(jwt, path=request.url.path) if user: diff --git a/app/routers/login.py b/app/routers/login.py index 3efc14c3..be07cf78 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -32,7 +32,7 @@ async def login_user_form( @router.post('/login') async def login( request: Request, - form: OAuth2PasswordRequestForm=Depends(), + form: OAuth2PasswordRequestForm = Depends(), next: Optional[str] = "/") -> RedirectResponse: '''rendering login route post method.''' form_dict = {'username': form.username, 'hashed_password': form.password} @@ -51,7 +51,7 @@ async def login( }) # creating HTTPONLY cookie with jwt-token out of user unique data jwt_token = create_jwt_token(user) - response = RedirectResponse(next, status_code = HTTP_302_FOUND) + response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", value=jwt_token, @@ -63,7 +63,7 @@ async def login( # Not for production @router.get('/logout') async def logout(request: Request): - response = RedirectResponse(url="/logout", status_code = HTTP_302_FOUND) + response = RedirectResponse(url="/logout", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") return response From 9d735b12603c7ea698e59d1a5218adfcb87a2d93 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 20:15:09 +0200 Subject: [PATCH 23/56] pep8 jwt fix --- app/config.py.example | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/config.py.example b/app/config.py.example index a9dec14d..206be8d3 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -51,7 +51,8 @@ DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" # security JWT_SECRET_KEY = "c06857128217c661de43d746ecdb" -+ "e9f1dbc3b3685957fab64512456f639b1881"JWT_ALGORITHM = "HS256" ++ "e9f1dbc3b3685957fab64512456f639b1881" +JWT_ALGORITHM = "HS256" templates = Jinja2Templates(directory=os.path.join("app", "templates")) # application name From 4f5a127d9c91230b4b5d7729cad087b4ed462203 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 20:25:40 +0200 Subject: [PATCH 24/56] pep8 jwt final fix --- app/internal/security/ouath2.py | 6 +++--- app/routers/login.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index cf2f7ad4..be71ce9b 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,7 +1,7 @@ from datetime import datetime, timedelta from typing import Union -from app.config import JWT_ALGORITHM, JWT_SECRET_KEY +from app.config import JWT_ALGORITHM, JWT_KEY from passlib.context import CryptContext from app.database.database import SessionLocal from app.database.models import User @@ -56,7 +56,7 @@ def create_jwt_token(user: LoginUser) -> str: "hashed_password": user.hashed_password, "exp": expiration} jwt_token = jwt.encode( - jwt_payload, JWT_SECRET_KEY, algorithm=JWT_ALGORITHM) + jwt_payload, JWT_KEY, algorithm=JWT_ALGORITHM) return jwt_token @@ -70,7 +70,7 @@ async def check_jwt_token( ''' try: jwt_payload = jwt.decode( - token, JWT_SECRET_KEY, algorithms=JWT_ALGORITHM) + token, JWT_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") db_user = await get_db_user_by_username(username=jwt_username) diff --git a/app/routers/login.py b/app/routers/login.py index be07cf78..03ed4bb3 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -63,7 +63,7 @@ async def login( # Not for production @router.get('/logout') async def logout(request: Request): - response = RedirectResponse(url="/logout", status_code=HTTP_302_FOUND) + response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") return response From 4392974feb5d9047e77279381d4312057d07159b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 3 Feb 2021 20:28:39 +0200 Subject: [PATCH 25/56] pep8 final fix --- app/config.py.example | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/config.py.example b/app/config.py.example index 206be8d3..0d35b69e 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -50,8 +50,7 @@ email_conf = ConnectionConfig( DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" # security -JWT_SECRET_KEY = "c06857128217c661de43d746ecdb" -+ "e9f1dbc3b3685957fab64512456f639b1881" +JWT_KEY = "c06857128217c661de43d746ecdbe9f1dbc3b3685957fab64512456f639b1881" JWT_ALGORITHM = "HS256" templates = Jinja2Templates(directory=os.path.join("app", "templates")) From b9ee9d35437d527ae62bb6eacca5898e2bf53ac8 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 16:54:56 +0200 Subject: [PATCH 26/56] CR fixes, tests added --- .env | 1 - README.md | 16 ++++ app/config.py.example | 1 + app/database/schemas.py | 24 +++--- app/internal/security/dependancies.py | 22 +++-- app/internal/security/ouath2.py | 91 +++++++++++---------- app/internal/security/schema.py | 30 ++++++- app/internal/user.py | 18 ++--- app/main.py | 21 ++++- app/routers/login.py | 75 +++++++---------- app/routers/logout.py | 17 ++++ app/routers/register.py | 23 ++---- app/templates/base.html | 4 + tests/client_fixture.py | 5 ++ tests/security_testing_routes.py | 42 ++++++++++ tests/test_login.py | 111 ++++++++++++++++++++++++++ tests/test_register.py | 23 +++--- 17 files changed, 374 insertions(+), 150 deletions(-) delete mode 100644 .env create mode 100644 app/routers/logout.py create mode 100644 tests/security_testing_routes.py create mode 100644 tests/test_login.py diff --git a/.env b/.env deleted file mode 100644 index 5388fd5c..00000000 --- a/.env +++ /dev/null @@ -1 +0,0 @@ -DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" \ No newline at end of file diff --git a/README.md b/README.md index e3415b4b..2a705885 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,22 @@ uvicorn app.main:app --reload python -m pytest --cov-report term-missing --cov=app tests ``` +### Generating personal JWT Secret Key +'''shell +python +import secrets +secrets.token_hex(32) +# copy generated string. +# in config.py file, replace JWT_KEY value with generated string +''' + +## Using security dependencies: +''' +from app.internal.security.dependencies: +use current_user_required and current_user functions as a route dependencies. +an example for how to use can be found at tests.security_testing_routes file. +''' + ## Contributing View [contributing guidelines](https://github.com/PythonFreeCourse/calendar/blob/master/CONTRIBUTING.md). diff --git a/app/config.py.example b/app/config.py.example index 0d35b69e..b016d5c5 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -52,6 +52,7 @@ DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" # security JWT_KEY = "c06857128217c661de43d746ecdbe9f1dbc3b3685957fab64512456f639b1881" JWT_ALGORITHM = "HS256" +JWT_MIN_EXP = 60 * 24 * 7 templates = Jinja2Templates(directory=os.path.join("app", "templates")) # application name diff --git a/app/database/schemas.py b/app/database/schemas.py index d71fe36d..61d31a33 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -8,17 +8,17 @@ def fields_not_empty(field: Optional[str]) -> Union[ValueError, str]: - '''Global function to validate fields are not empty.''' + """Global function to validate fields are not empty.""" if not field: raise ValueError(EMPTY_FIELD_STRING) return field class UserBase(BaseModel): - ''' + """ Validating fields types Returns a User object without sensitive information - ''' + """ username: str email: str full_name: str @@ -29,14 +29,14 @@ class Config: class UserCreate(UserBase): - '''Validating fields types''' + """Validating fields types""" password: str confirm_password: str - ''' + """ Calling to field_not_empty validaion function, for each required field. - ''' + """ _fields_not_empty_username = validator( 'username', allow_reuse=True)(fields_not_empty) _fields_not_empty_full_name = validator( @@ -52,28 +52,28 @@ class UserCreate(UserBase): def passwords_match( cls, confirm_password: str, values: UserBase) -> Union[ValueError, str]: - '''Validating passwords fields identical.''' + """Validating passwords fields identical.""" if 'password' in values and confirm_password != values['password']: raise ValueError("doesn't match to password") return confirm_password @validator('username') def username_length(cls, username: str) -> Union[ValueError, str]: - '''Validating username length is legal''' + """Validating username length is legal""" if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") return username @validator('password') def password_length(cls, password: str) -> Union[ValueError, str]: - '''Validating username length is legal''' + """Validating username length is legal""" if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") return password @validator('email') def confirm_mail(cls, email: str) -> Union[ValueError, str]: - '''Validating email is valid mail address.''' + """Validating email is valid mail address.""" try: EmailStr.validate(email) return email @@ -82,9 +82,9 @@ def confirm_mail(cls, email: str) -> Union[ValueError, str]: class User(UserBase): - ''' + """ Validating fields types Returns a User object without sensitive information - ''' + """ id: int is_active: bool diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 40dde89e..b028f2bf 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,27 +1,33 @@ from typing import Union -from app.internal.security.ouath2 import get_cookie, check_jwt_token, User +from app.internal.security.ouath2 import ( + Depends, Session, check_jwt_token, get_cookie, get_db) +from app.internal.security.schema import CurrentUser from fastapi import Depends from starlette.requests import Request async def current_user_required( - request: Request, jwt: str = Depends(get_cookie)) -> Union[User, bool]: - '''A dependency function protecting routes for only logged in user''' - user = await check_jwt_token(jwt, path=request.url.path) + request: Request, + db: Session = Depends(get_db), + jwt: str = Depends(get_cookie)) -> CurrentUser: + """A dependency function protecting routes for only logged in user""" + user = await check_jwt_token(db, jwt, path=request.url.path) if user: return user -async def current_user(request: Request) -> Union[User, bool]: - ''' +async def current_user( + request: Request, + db: Session = Depends(get_db),) -> Union[CurrentUser, bool]: + """ A dependency function. Returns logged in User object if exists. None if not. - ''' + """ if 'Authorization' in request.cookies: jwt = request.cookies['Authorization'] else: return None - user = await check_jwt_token(jwt, logged_in=True) + user = await check_jwt_token(db, jwt) return user diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index be71ce9b..5af784eb 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,59 +1,61 @@ from datetime import datetime, timedelta from typing import Union -from app.config import JWT_ALGORITHM, JWT_KEY +from app.config import JWT_ALGORITHM, JWT_KEY, JWT_MIN_EXP from passlib.context import CryptContext -from app.database.database import SessionLocal +from app.database.database import SessionLocal, get_db from app.database.models import User from fastapi import Depends, HTTPException from fastapi.security import OAuth2PasswordBearer import jwt +from jwt.exceptions import InvalidSignatureError +from sqlalchemy.orm import Session from starlette.requests import Request from starlette.responses import RedirectResponse from starlette.status import HTTP_401_UNAUTHORIZED -from .schema import LoginUser +from .schema import LoginUser, CurrentUser -JWT_MIN_EXP = 3 pwd_context = CryptContext(schemes=["bcrypt"]) oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") -async def get_db_user_by_username(username: str) -> User: - '''Checking database for user by username field''' - session = SessionLocal() - return session.query(User).filter_by(username=username).first() +async def get_db_user_by_username(db: Session, username: str) -> User: + """Checking database for user by username field""" + # session = SessionLocal() + user = db.query(User).filter_by(username=username).first() + return user def get_hashed_password(password) -> str: - '''Hashing user password''' + """Hashing user password""" return pwd_context.hash(password) def verify_password(plain_password, hashed_password) -> bool: - '''Verifying password and hashed password are equal''' - try: - return pwd_context.verify(plain_password, hashed_password) - except Exception: - return False - - -async def authenticate_user(user: LoginUser) -> Union[LoginUser, bool]: - '''Verifying user is in database and password is correct''' - db_user = await get_db_user_by_username(username=user.username) + """Verifying password and hashed password are equal""" + return pwd_context.verify(plain_password, hashed_password) + + +async def authenticate_user( + db: Session, user: LoginUser) -> Union[LoginUser, bool]: + """Verifying user is in database and password is correct""" + db_user = await get_db_user_by_username(db=db, username=user.username) if db_user: - if verify_password(user.hashed_password, db_user.password): + if verify_password(user.password, db_user.password): return LoginUser( - username=user.username, hashed_password=db_user.password) + username=user.username, password=db_user.password) return False -def create_jwt_token(user: LoginUser) -> str: - '''Creating jwt-token out of user unique data''' +def create_jwt_token( + user: LoginUser, JWT_MIN_EXP: int = JWT_MIN_EXP, + JWT_KEY: str = JWT_KEY) -> str: + """Creating jwt-token out of user unique data""" expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP) jwt_payload = { "sub": user.username, - "hashed_password": user.hashed_password, + "hashed_password": user.password, "exp": expiration} jwt_token = jwt.encode( jwt_payload, JWT_KEY, algorithm=JWT_ALGORITHM) @@ -61,46 +63,49 @@ def create_jwt_token(user: LoginUser) -> str: async def check_jwt_token( + db: Session, token: str = Depends(oauth_schema), - logged_in: bool = False, path: bool = None) -> Union[User, bool]: - ''' + path: bool = None) -> CurrentUser: + """ Check whether JWT token is correct. Returns User object if yes. Returns None or raises HTTPException, depanding which depandency activated this function. - ''' + """ try: jwt_payload = jwt.decode( token, JWT_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") jwt_hashed_password = jwt_payload.get("hashed_password") - db_user = await get_db_user_by_username(username=jwt_username) + db_user = await get_db_user_by_username(db, username=jwt_username) if db_user and db_user.password == jwt_hashed_password: - return db_user + return CurrentUser(**db_user.__dict__) else: raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") - except Exception as e: - if logged_in: - return None - if type(e).__name__ == 'ExpiredSignatureError': - raise HTTPException( - status_code=HTTP_401_UNAUTHORIZED, - headers=path, - detail="Your token has expired. Please log in again") - if type(e).__name__ == 'DecodeError': - raise HTTPException( + except InvalidSignatureError: + raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, headers=path, detail="Your token is incorrect. Please log in again") + except jwt.ExpiredSignatureError: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token has expired. Please log in again") + except jwt.DecodeError: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token is incorrect. Please log in again") async def get_cookie(request: Request) -> str: - ''' + """ Extracts jwt from HTTPONLY cookie, if exists. Raises HTTPException if not. - ''' + """ if 'Authorization' in request.cookies: return request.cookies['Authorization'] raise HTTPException( @@ -112,11 +117,11 @@ async def get_cookie(request: Request) -> str: async def my_exception_handler( request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: - ''' + """ Whenever HTTP_401_UNAUTHORIZED is raised, redirecting to login route, with original requested url, and details for why original request failed. - ''' + """ paramas = f"?next={exc.headers}&message={exc.detail}" url = f"/login{paramas}" response = RedirectResponse(url=url) diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index bc778219..f6d112dd 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -1,13 +1,37 @@ +from typing import List, Optional + +from app.database.models import UserEvent from pydantic import BaseModel class LoginUser(BaseModel): - ''' + """ Validating fields types Returns a User object for signing in. - ''' + """ + username: str + password: str + + class Config: + orm_mode = True + + +class CurrentUser(BaseModel): + """ + Security dependencies will return this object, + instead of db object. + Returns all User's parameters, except password. + """ + id: int username: str - hashed_password: str + full_name: str + email: str + language: str = None + description: str = None + avatar: str + telegram_id: str = None + events = Optional [List[UserEvent]] class Config: orm_mode = True + arbitrary_types_allowed = True diff --git a/app/internal/user.py b/app/internal/user.py index 1e442b34..2120bf6d 100644 --- a/app/internal/user.py +++ b/app/internal/user.py @@ -1,32 +1,30 @@ from app.database import models, schemas +from app.internal.security.ouath2 import get_hashed_password from sqlalchemy.orm import Session -from app.internal.security.ouath2 import pwd_context - -# pwd_context = CryptContext(schemes=["bcrypt"]) def get_by_id(db: Session, user_id: int) -> models.User: - '''query database for a user by unique id''' + """query database for a user by unique id""" return db.query(models.User).filter(models.User.id == user_id).first() def get_by_username(db: Session, username: str) -> models.User: - '''query database for a user by unique username''' + """query database for a user by unique username""" return db.query(models.User).filter( models.User.username == username).first() def get_by_mail(db: Session, email: str) -> models.User: - '''query database for a user by unique email''' + """query database for a user by unique email""" return db.query(models.User).filter(models.User.email == email).first() def create(db: Session, user: schemas.UserCreate) -> models.User: - ''' + """ creating a new User object in the database, with hashed password - ''' + """ unhashed_password = user.password.encode('utf-8') - hashed_password = pwd_context.hash(unhashed_password) + hashed_password = get_hashed_password(unhashed_password) user_details = { 'username': user.username, 'full_name': user.full_name, @@ -42,7 +40,7 @@ def create(db: Session, user: schemas.UserCreate) -> models.User: def delete_by_mail(db: Session, email: str) -> None: - '''deletes a user from database by unique email''' + """deletes a user from database by unique email""" db_user = get_by_mail(db=db, email=email) db.delete(db_user) db.commit() diff --git a/app/main.py b/app/main.py index 9b48b4f3..30830868 100644 --- a/app/main.py +++ b/app/main.py @@ -7,7 +7,7 @@ from app.internal.security.ouath2 import my_exception_handler from app.routers import ( agenda, categories, dayview, email, - event, invitation, login, profile, + event, invitation, login, logout, profile, register, search, telegram, whatsapp) from app.telegram.bot import telegram_bot from fastapi import Depends, FastAPI, Request @@ -32,6 +32,8 @@ def create_tables(engine, psql_environment): app.mount("/static", StaticFiles(directory=STATIC_PATH), name="static") app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") +from tests import security_testing_routes +app.include_router(security_testing_routes.router) app.include_router(profile.router) app.include_router(event.router) app.include_router(agenda.router) @@ -39,12 +41,27 @@ def create_tables(engine, psql_environment): app.include_router(email.router) app.include_router(invitation.router) app.include_router(login.router) +app.include_router(logout.router) + app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) load_quotes.load_daily_quotes(next(get_db())) app.logger = logger +######## + +# from jinja2 import Environment +# from app.internal.security.dependancies import current_user, CurrentUser +# env = Environment(enable_async= True) +# async def current(): +# user = await current_user(Session) +# print(user.username) +# return user +# templates.env.globals.update(current_user=current) +# print(templates.env.globals.items()) +######## + routers_to_include = [ agenda.router, categories.router, @@ -53,11 +70,13 @@ def create_tables(engine, psql_environment): event.router, invitation.router, login.router, + logout.router, profile.router, register.router, search.router, telegram.router, whatsapp.router, + security_testing_routes.router, ] for router in routers_to_include: diff --git a/app/routers/login.py b/app/routers/login.py index 03ed4bb3..2d0a96e7 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,13 +1,15 @@ -from typing import Optional +from typing import Optional, Union +from app.database.database import get_db from app.database.models import User from app.dependencies import templates from app.internal.security.dependancies import ( - current_user_required, current_user) + current_user_required, current_user, CurrentUser) from app.internal.security.ouath2 import ( authenticate_user, create_jwt_token, LoginUser) from fastapi import APIRouter, Depends, Request -from fastapi.security import OAuth2PasswordRequestForm +from pydantic import ValidationError +from sqlalchemy.orm import Session from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND @@ -21,36 +23,49 @@ @router.get("/login") async def login_user_form( - request: Request, message: Optional[str] = "") -> templates: - '''rendering login route get method''' + request: Request, message: Optional[str] = "", + current_user: Union[CurrentUser, None] = Depends(current_user)) -> templates: + """rendering login route get method""" + if current_user: + return RedirectResponse(url='/') return templates.TemplateResponse("login.html", { "request": request, - "message": message + "message": message, + 'current_user': current_user }) @router.post('/login') async def login( request: Request, - form: OAuth2PasswordRequestForm = Depends(), - next: Optional[str] = "/") -> RedirectResponse: - '''rendering login route post method.''' - form_dict = {'username': form.username, 'hashed_password': form.password} + next: Optional[str] = "/", + db: Session = Depends(get_db), + existing_jwt: Union[str, bool] = False) -> RedirectResponse: + """rendering login route post method.""" + form = await request.form() + form_dict = dict(form) + # creating pydantic schema object out of form data + user = LoginUser(**form_dict) - ''' + """ Validaiting login form data, if user exist in database, if password correct. - ''' + """ if user: - user = await authenticate_user(user) + user = await authenticate_user(db, user) if not user: return templates.TemplateResponse("login.html", { "request": request, "message": 'Please check your credentials' }) # creating HTTPONLY cookie with jwt-token out of user unique data - jwt_token = create_jwt_token(user) + # for testing + if not existing_jwt: + jwt_token = create_jwt_token(user) + else: + jwt_token = existing_jwt + response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", @@ -58,35 +73,3 @@ async def login( httponly=True, ) return response - - -# Not for production -@router.get('/logout') -async def logout(request: Request): - response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) - response.delete_cookie("Authorization") - return response - - -# Not for production -@router.get('/protected') -async def protected_route( - request: Request, user: User = Depends(current_user_required)): - return templates.TemplateResponse("home.html", { - "request": request, - "message": user.username - }) - - -# Not for production -@router.get('/user') -async def user_route( - request: Request, current_user: User = Depends(current_user)): - if current_user: - print(current_user.username) - else: - print(None) - return templates.TemplateResponse("home.html", { - "request": request, - "message": "user.username" - }) diff --git a/app/routers/logout.py b/app/routers/logout.py new file mode 100644 index 00000000..06666c19 --- /dev/null +++ b/app/routers/logout.py @@ -0,0 +1,17 @@ +from fastapi import APIRouter, Request +from starlette.responses import RedirectResponse +from starlette.status import HTTP_302_FOUND + + +router = APIRouter( + prefix="", + tags=["/logout"], + responses={404: {"description": "Not found"}}, +) + + +@router.get('/logout') +async def logout(request: Request): + response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) + response.delete_cookie("Authorization") + return response \ No newline at end of file diff --git a/app/routers/register.py b/app/routers/register.py index e2f77f04..7f8c9560 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -17,7 +17,7 @@ async def render_registration_error( db: Session, new_user: UserCreate) -> dict: - '''After registering new user fails, defines relevant errors''' + """After registering new user fails, defines relevant errors""" db.rollback() errors = {} db_user_email = user.get_by_mail(db, email=new_user.email) @@ -32,7 +32,7 @@ async def render_registration_error( @router.get("/register") async def register_user_form(request: Request) -> templates: - '''rendering register route get method''' + """rendering register route get method""" return templates.TemplateResponse("register.html", { "request": request, "errors": None @@ -41,9 +41,9 @@ async def register_user_form(request: Request) -> templates: @router.post("/register") async def register( - request: Request, db: - Session = Depends(get_db)) -> templates: - '''rendering register route post method.''' + request: Request, + db: Session = Depends(get_db)) -> templates: + """rendering register route post method.""" form = await request.form() form_dict = dict(form) try: @@ -64,11 +64,10 @@ async def register( # attempt creating User Model object, and saving to database user.create(db=db, user=new_user) + + # if user registration fails due to database unique fields - + # rendering errors to register.html - ''' - if creating User Model objects fails due to registered unique details - - rendering errors to register.html - ''' except IntegrityError: errors = await render_registration_error(db, new_user) return templates.TemplateResponse("register.html", { @@ -80,9 +79,3 @@ async def register( "request": request, "message": "User created", "status_code": 201}) - - -# NOT for production -@router.get("/delete") -def delete_user(db: Session = Depends(get_db)): - user.delete_by_mail(db=db, email="") diff --git a/app/templates/base.html b/app/templates/base.html index 7cd6f849..1ec39d79 100644 --- a/app/templates/base.html +++ b/app/templates/base.html @@ -31,6 +31,9 @@
  • Sign In
    • +
  • + Sign Out +
  • Sign Up
    • @@ -49,6 +52,7 @@
    + {% block content %} diff --git a/tests/client_fixture.py b/tests/client_fixture.py index c4890b05..60572861 100644 --- a/tests/client_fixture.py +++ b/tests/client_fixture.py @@ -67,3 +67,8 @@ def get_test_placeholder_user(): full_name='FakeName', telegram_id='666666' ) + + +@pytest.fixture(scope="session") +def security_test_client(): + yield from create_test_client(event.get_db) diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py new file mode 100644 index 00000000..6385e0c3 --- /dev/null +++ b/tests/security_testing_routes.py @@ -0,0 +1,42 @@ +from app.dependencies import templates +from fastapi import APIRouter, Depends, Request +from app.internal.security.dependancies import ( + current_user_required, current_user, CurrentUser) +from app.database.models import User + +""" +These routes are for security testing. +They represent an example for how to use +security dependencies in other routes. +""" +router = APIRouter( + prefix="", + tags=["/security"], + responses={404: {"description": "Not found"}}, +) + + +@router.get('/protected') +async def protected_route( + request: Request, user: CurrentUser = Depends(current_user_required)): + # This is how to protect route for logged in user only. + # Dependency will return CurrentUser object. + return templates.TemplateResponse("home.html", { + "request": request, + "message": user.username + }) + + +@router.get('/test_user') +async def user_route( + request: Request, current_user: CurrentUser = Depends(current_user)): + # This is how to get CurrentUser in a route. + # Dependency will return CurrentUser object, or None if user not logged in. + if current_user: + message = "Hello " + current_user.username + else: + message = "No logged in user" + return templates.TemplateResponse("home.html", { + "request": request, + "message": message + }) \ No newline at end of file diff --git a/tests/test_login.py b/tests/test_login.py new file mode 100644 index 00000000..ef4ce513 --- /dev/null +++ b/tests/test_login.py @@ -0,0 +1,111 @@ +import pytest +from app.internal.security.ouath2 import create_jwt_token, LoginUser +from starlette.status import HTTP_302_FOUND + + +RESPONSE_OK = 200 +REDIRECT_OK = HTTP_302_FOUND + + +def test_login_route_ok(security_test_client): + response = security_test_client.get("/login") + assert response.status_code == RESPONSE_OK + + +REGISTER_DETAIL = { + 'username': 'correct_user', 'full_name': 'full_name', + 'password': 'correct_password', 'confirm_password': 'correct_password', + 'email': 'example@email.com', 'description': ""} + +LOGIN_WRONG_DETAILS = [ + ('wrong_user', 'wrong_password', b'Please check your credentials'), + ('correct_user', 'wrong_password', b'Please check your credentials'), + ('wrong_user', 'correct_password', b'Please check your credentials'), + ('', 'correct_password', b'Please check your credentials'), + ('correct_user', '', b'Please check your credentials'), + ('', '', b'Please check your credentials'), + ] + +LOGIN_DATA = {'username': 'correct_user', 'password': 'correct_password'} + +def test_register_user(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + + +# from app.internal import user as crud +@pytest.mark.parametrize( + "username, password, expected_response", LOGIN_WRONG_DETAILS) +def test_login_fails( + session, security_test_client, username, password, expected_response): + security_test_client.post('/register', data=REGISTER_DETAIL) + data = {'username': username, 'password': password} + data = security_test_client.post('/login', data=data).content + assert expected_response in data + + +def test_login_successfull(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + res = security_test_client.post('/login', data=LOGIN_DATA) + assert res.status_code == REDIRECT_OK + + +def test_protected_with_logged_in_user(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/protected') + assert b'correct_user' in res.content + + +def test_protected_without_logged_in_user( + session, security_test_client): + res = security_test_client.get('/protected') + assert b'Please log in' in res.content + + +def test_current_user_dependency_exists(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + res = security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/test_user') + assert b'correct_user' in res.content + + +def test_logout(session, security_test_client): + res = security_test_client.get('/logout') + assert b'Login' in res.content + + +def test_current_user_dependency_not_exists( + session, security_test_client): + res = security_test_client.get('/test_user') + assert b'No logged in user' in res.content + + +def test_incorrect_secret_key_in_token(session, security_test_client): + user = LoginUser(**LOGIN_DATA) + incorrect_token = create_jwt_token(user, JWT_KEY="wrong secret key") + security_test_client.post('/register', data=REGISTER_DETAIL) + url = f"/login?existing_jwt={incorrect_token}" + security_test_client.post(f'{url}', data=LOGIN_DATA) + res = security_test_client.get('/protected') + assert b'Your token is incorrect' in res.content + + +def test_expired_token(session, security_test_client): + security_test_client.get('/logout') + user = LoginUser(**LOGIN_DATA) + incorrect_token = create_jwt_token(user, JWT_MIN_EXP=0) + security_test_client.post('/register', data=REGISTER_DETAIL) + url = f"/login?existing_jwt={incorrect_token}" + security_test_client.post(f'{url}', data=LOGIN_DATA) + res = security_test_client.get('/protected') + assert b'expired' in res.content + + +def test_corrupted_token(session, security_test_client): + user = LoginUser(**LOGIN_DATA) + incorrect_token = create_jwt_token(user) + "s" + security_test_client.post('/register', data=REGISTER_DETAIL) + url = f"/login?existing_jwt={incorrect_token}" + security_test_client.post(f'{url}', data=LOGIN_DATA) + res = security_test_client.get('/protected') + assert b'Your token is incorrect' in res.content diff --git a/tests/test_register.py b/tests/test_register.py index f57fc4a9..10e59d61 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -31,9 +31,9 @@ def test_register_route_ok(client): ] -''' +""" Test all active pydantic validators -''' +""" @pytest.mark.parametrize( @@ -50,16 +50,16 @@ def test_register_form_validators( assert expected_response in data -''' +""" Test successfully register user to database, after passing all validators -''' +""" -def test_register_successfull(session, client): +def test_register_successfull(session, security_test_client): data = {'username': 'username', 'full_name': 'full_name', 'password': 'password', 'confirm_password': 'password', 'email': 'example@email.com', 'description': ""} - data = client.post('/register', data=data).content + data = security_test_client.post('/register', data=data).content assert b'User created' in data @@ -71,21 +71,22 @@ def test_register_successfull(session, client): ] -''' +""" Test register a user fails due to unique database fields already in use -''' +""" @pytest.mark.parametrize( "username, full_name, password, confirm_password," + "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) def test_unique_fields_are_taken( - session, client, username, full_name, password, confirm_password, + session, security_test_client, username, + full_name, password, confirm_password, email, description, expected_response): user_data = { 'username': 'username', 'full_name': 'full_name', 'password': 'password', 'confirm_password': 'password', 'email': 'example@email.com', 'description': ""} - client.post('/register', data=user_data) - data = client.post('/register', data=user_data).content + security_test_client.post('/register', data=user_data) + data = security_test_client.post('/register', data=user_data).content assert expected_response in data From 97d8aff5f3bd65e60c846f32b99e3c909d29df6b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 18:25:49 +0200 Subject: [PATCH 27/56] flake8 fixes --- app/internal/security/dependancies.py | 8 ++++---- app/internal/security/ouath2.py | 4 +--- app/internal/security/schema.py | 4 ++-- app/main.py | 4 +++- app/routers/login.py | 7 +++---- app/routers/logout.py | 3 ++- app/routers/register.py | 2 +- tests/security_testing_routes.py | 3 +-- tests/test_login.py | 4 ++-- 9 files changed, 19 insertions(+), 20 deletions(-) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index b028f2bf..1f719c95 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,14 +1,14 @@ from typing import Union +from app.database.database import get_db from app.internal.security.ouath2 import ( - Depends, Session, check_jwt_token, get_cookie, get_db) + Depends, Session, check_jwt_token, get_cookie) from app.internal.security.schema import CurrentUser -from fastapi import Depends from starlette.requests import Request async def current_user_required( - request: Request, + request: Request, db: Session = Depends(get_db), jwt: str = Depends(get_cookie)) -> CurrentUser: """A dependency function protecting routes for only logged in user""" @@ -19,7 +19,7 @@ async def current_user_required( async def current_user( request: Request, - db: Session = Depends(get_db),) -> Union[CurrentUser, bool]: + db: Session = Depends(get_db),) -> Union[CurrentUser, bool]: """ A dependency function. Returns logged in User object if exists. diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 5af784eb..4b8a32f6 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -3,7 +3,6 @@ from app.config import JWT_ALGORITHM, JWT_KEY, JWT_MIN_EXP from passlib.context import CryptContext -from app.database.database import SessionLocal, get_db from app.database.models import User from fastapi import Depends, HTTPException from fastapi.security import OAuth2PasswordBearer @@ -22,7 +21,6 @@ async def get_db_user_by_username(db: Session, username: str) -> User: """Checking database for user by username field""" - # session = SessionLocal() user = db.query(User).filter_by(username=username).first() return user @@ -65,7 +63,7 @@ def create_jwt_token( async def check_jwt_token( db: Session, token: str = Depends(oauth_schema), - path: bool = None) -> CurrentUser: + path: bool = None) -> CurrentUser: """ Check whether JWT token is correct. Returns User object if yes. Returns None or raises HTTPException, diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index f6d112dd..a6542fe4 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -20,7 +20,7 @@ class CurrentUser(BaseModel): """ Security dependencies will return this object, instead of db object. - Returns all User's parameters, except password. + Returns all User's parameters, except password. """ id: int username: str @@ -30,7 +30,7 @@ class CurrentUser(BaseModel): description: str = None avatar: str telegram_id: str = None - events = Optional [List[UserEvent]] + events = Optional[List[UserEvent]] class Config: orm_mode = True diff --git a/app/main.py b/app/main.py index 10e55678..ef950062 100644 --- a/app/main.py +++ b/app/main.py @@ -8,7 +8,8 @@ from app.internal.security.ouath2 import my_exception_handler from app.routers import ( agenda, calendar, categories, currency, dayview, email, - event, invitation,login, logout, profile, register, search, telegram, whatsapp + event, invitation,login, logout, profile, register, + search, telegram, whatsapp ) from app.telegram.bot import telegram_bot from fastapi import Depends, FastAPI, Request @@ -17,6 +18,7 @@ from sqlalchemy.orm import Session from tests import security_testing_routes + def create_tables(engine, psql_environment): if 'sqlite' in str(engine.url) and psql_environment: raise models.PSQLEnvironmentError( diff --git a/app/routers/login.py b/app/routers/login.py index 2d0a96e7..955fe89e 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,14 +1,12 @@ from typing import Optional, Union from app.database.database import get_db -from app.database.models import User from app.dependencies import templates from app.internal.security.dependancies import ( - current_user_required, current_user, CurrentUser) + current_user, CurrentUser) from app.internal.security.ouath2 import ( authenticate_user, create_jwt_token, LoginUser) from fastapi import APIRouter, Depends, Request -from pydantic import ValidationError from sqlalchemy.orm import Session from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND @@ -24,7 +22,8 @@ @router.get("/login") async def login_user_form( request: Request, message: Optional[str] = "", - current_user: Union[CurrentUser, None] = Depends(current_user)) -> templates: + current_user: Union[CurrentUser, None] = Depends(current_user) + ) -> templates: """rendering login route get method""" if current_user: return RedirectResponse(url='/') diff --git a/app/routers/logout.py b/app/routers/logout.py index 06666c19..76115862 100644 --- a/app/routers/logout.py +++ b/app/routers/logout.py @@ -14,4 +14,5 @@ async def logout(request: Request): response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") - return response \ No newline at end of file + return response + \ No newline at end of file diff --git a/app/routers/register.py b/app/routers/register.py index 7f8c9560..1d9867d1 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -64,7 +64,7 @@ async def register( # attempt creating User Model object, and saving to database user.create(db=db, user=new_user) - + # if user registration fails due to database unique fields - # rendering errors to register.html diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py index 6385e0c3..64c68f01 100644 --- a/tests/security_testing_routes.py +++ b/tests/security_testing_routes.py @@ -2,7 +2,6 @@ from fastapi import APIRouter, Depends, Request from app.internal.security.dependancies import ( current_user_required, current_user, CurrentUser) -from app.database.models import User """ These routes are for security testing. @@ -39,4 +38,4 @@ async def user_route( return templates.TemplateResponse("home.html", { "request": request, "message": message - }) \ No newline at end of file + }) diff --git a/tests/test_login.py b/tests/test_login.py index ef4ce513..d4f0d71e 100644 --- a/tests/test_login.py +++ b/tests/test_login.py @@ -28,11 +28,11 @@ def test_login_route_ok(security_test_client): LOGIN_DATA = {'username': 'correct_user', 'password': 'correct_password'} + def test_register_user(session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) -# from app.internal import user as crud @pytest.mark.parametrize( "username, password, expected_response", LOGIN_WRONG_DETAILS) def test_login_fails( @@ -93,7 +93,7 @@ def test_incorrect_secret_key_in_token(session, security_test_client): def test_expired_token(session, security_test_client): security_test_client.get('/logout') user = LoginUser(**LOGIN_DATA) - incorrect_token = create_jwt_token(user, JWT_MIN_EXP=0) + incorrect_token = create_jwt_token(user, JWT_MIN_EXP=-1) security_test_client.post('/register', data=REGISTER_DETAIL) url = f"/login?existing_jwt={incorrect_token}" security_test_client.post(f'{url}', data=LOGIN_DATA) From 8b54f67f1418aa0f1dd066b8edcd2dcfc538b231 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 18:30:14 +0200 Subject: [PATCH 28/56] flake8 fixes2 --- app/internal/security/ouath2.py | 2 +- app/main.py | 2 +- app/routers/logout.py | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 4b8a32f6..66261d71 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -33,7 +33,7 @@ def get_hashed_password(password) -> str: def verify_password(plain_password, hashed_password) -> bool: """Verifying password and hashed password are equal""" return pwd_context.verify(plain_password, hashed_password) - + async def authenticate_user( db: Session, user: LoginUser) -> Union[LoginUser, bool]: diff --git a/app/main.py b/app/main.py index ef950062..0b22d6d2 100644 --- a/app/main.py +++ b/app/main.py @@ -8,7 +8,7 @@ from app.internal.security.ouath2 import my_exception_handler from app.routers import ( agenda, calendar, categories, currency, dayview, email, - event, invitation,login, logout, profile, register, + event, invitation, login, logout, profile, register, search, telegram, whatsapp ) from app.telegram.bot import telegram_bot diff --git a/app/routers/logout.py b/app/routers/logout.py index 76115862..009de760 100644 --- a/app/routers/logout.py +++ b/app/routers/logout.py @@ -15,4 +15,3 @@ async def logout(request: Request): response = RedirectResponse(url="/login", status_code=HTTP_302_FOUND) response.delete_cookie("Authorization") return response - \ No newline at end of file From b46d679b88f67a9205d3f0eb380c47cd70eb5f9d Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 18:39:55 +0200 Subject: [PATCH 29/56] updating requirements --- requirements.txt | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/requirements.txt b/requirements.txt index d661e89b..479bc6f9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,7 +1,8 @@ -aiofiles==0.6.0 +aiofiles==0.6.0 aioredis==1.3.1 aiosmtpd==1.2.2 aiosmtplib==1.1.4 +aiosqlite==0.16.1 apipkg==1.5 arrow==0.17.0 async-timeout==3.0.1 @@ -9,20 +10,25 @@ asyncio==3.4.3 atomicwrites==1.4.0 atpublic==2.1.2 attrs==20.3.0 +bcrypt==3.2.0 beautifulsoup4==4.9.3 blinker==1.4 certifi==2020.12.5 +cffi==1.14.4 chardet==4.0.0 click==7.1.2 colorama==0.4.4 coverage==5.3.1 +databases==0.4.1 dnspython==2.1.0 email-validator==1.1.2 execnet==1.7.1 Faker==5.6.2 fakeredis==1.4.5 -fastapi-mail==0.3.3.1 fastapi==0.63.0 +fastapi-login==1.5.2 +fastapi-mail==0.3.3.1 +fastapi-users==5.0.0 flake8==3.8.4 frozendict==1.2 h11==0.12.0 @@ -31,6 +37,7 @@ hiredis==1.1.0 hpack==4.0.0 httpcore==0.12.2 httpx==0.16.1 +httpx-oauth==0.3.4 hyperframe==6.0.0 icalendar==4.0.7 idna==2.10 @@ -42,28 +49,32 @@ Jinja2==2.11.2 joblib==1.0.0 lazy-object-proxy==1.5.2 loguru==0.5.3 +makefun==1.9.5 MarkupSafe==1.1.1 mccabe==0.6.1 -mypy-extensions==0.4.3 mypy==0.790 +mypy-extensions==0.4.3 nltk==3.5 packaging==20.8 +passlib==1.7.4 Pillow==8.1.0 pluggy==0.13.1 priority==1.3.0 psycopg2-binary==2.8.6 py==1.10.0 pycodestyle==2.6.0 +pycparser==2.20 pydantic==1.7.3 pyflakes==2.2.0 +PyJWT==2.0.0 pyparsing==2.4.7 -pytest-asyncio<0.14.0 +pytest==6.2.1 +pytest-asyncio==0.12.0 pytest-cov==2.10.1 pytest-forked==1.3.0 pytest-httpx==0.10.1 pytest-mock==3.5.1 pytest-xdist==2.2.0 -pytest==6.2.1 python-dateutil==2.8.1 python-dotenv==0.15.0 python-multipart==0.0.5 @@ -71,8 +82,8 @@ pytz==2020.5 PyYAML==5.3.1 redis==3.5.3 regex==2020.11.13 -requests-mock==1.8.0 requests==2.25.1 +requests-mock==1.8.0 responses==0.12.1 respx==0.16.3 rfc3986==1.4.0 @@ -84,7 +95,7 @@ soupsieve==2.1 SQLAlchemy==1.3.22 starlette==0.13.6 text-unidecode==1.3 -textblob>=0.15.3 +textblob==0.15.3 toml==0.10.2 tqdm==4.56.0 typed-ast==1.4.2 @@ -93,6 +104,7 @@ urllib3==1.26.2 uvicorn==0.13.3 watchgod==0.6 websockets==8.1 +win32-setctime==1.0.3 word-forms==2.1.0 wsproto==1.0.0 -zipp==3.4.0 \ No newline at end of file +zipp==3.4.0 From 73f53c10d4cae26d20d543ced85cb66e6fabdb9a Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 19:49:20 +0200 Subject: [PATCH 30/56] test added --- tests/test_login.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_login.py b/tests/test_login.py index d4f0d71e..b92f957c 100644 --- a/tests/test_login.py +++ b/tests/test_login.py @@ -109,3 +109,9 @@ def test_corrupted_token(session, security_test_client): security_test_client.post(f'{url}', data=LOGIN_DATA) res = security_test_client.get('/protected') assert b'Your token is incorrect' in res.content + +def test_forbidden_route_for_logged_in_user(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/login') + assert b'Login' not in res.content From c3cad9d268e1baafb49a46fad55a87bfe913944d Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 7 Feb 2021 20:05:34 +0200 Subject: [PATCH 31/56] flake8 fix --- app/main.py | 1 - tests/test_login.py | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index da5203b3..b6574299 100644 --- a/app/main.py +++ b/app/main.py @@ -11,7 +11,6 @@ event, invitation, login, logout, profile, register, search, telegram, whatsapp ) -from app.telegram.bot import telegram_bot from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED diff --git a/tests/test_login.py b/tests/test_login.py index b92f957c..e6ca8906 100644 --- a/tests/test_login.py +++ b/tests/test_login.py @@ -110,6 +110,7 @@ def test_corrupted_token(session, security_test_client): res = security_test_client.get('/protected') assert b'Your token is incorrect' in res.content + def test_forbidden_route_for_logged_in_user(session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) security_test_client.post('/login', data=LOGIN_DATA) From befd5f9a71c6fa1b90f8c7fa06c478ff76c93922 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 16:11:39 +0200 Subject: [PATCH 32/56] CR fixing --- README.md | 7 +++++-- app/config.py.example | 4 +--- app/internal/security/dependancies.py | 6 +++--- app/internal/security/ouath2.py | 11 ++++++----- app/internal/security/schema.py | 1 + app/main.py | 6 ------ app/routers/register.py | 9 +++++---- tests/client_fixture.py | 5 +++++ tests/security_testing_routes.py | 8 ++++++-- 9 files changed, 32 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 75b20909..d50e5325 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,8 @@ virtualenv env pip install -r requirements.txt # Copy app\config.py.example to app\config.py. # Edit the variables' values. +# Rendering JWT_KEY: +python -c "import secrets; from pathlib import Path; f = Path('app/config.py'); f.write_text(f.read_text().replace('JWT_KEY_PLACEHOLDER', secrets.token_hex(32), 1));" uvicorn app.main:app --reload ``` @@ -37,7 +39,8 @@ source venv/bin/activate pip install -r requirements.txt cp app/config.py.example app/config.py # Edit the variables' values. -uvicorn app.main:app --reload +# Rendering JWT_KEY: +python -c "import secrets; from pathlib import Path; f = Path('app/config.py'); f.write_text(f.read_text().replace('JWT_KEY_PLACEHOLDER', secrets.token_hex(32), 1));" ``` ### Running tests ```shell @@ -56,7 +59,7 @@ secrets.token_hex(32) ## Using security dependencies: ''' from app.internal.security.dependencies: -use current_user_required and current_user functions as a route dependencies. +use is_logged_in and current_user functions as a route dependencies. an example for how to use can be found at tests.security_testing_routes file. ''' diff --git a/app/config.py.example b/app/config.py.example index f0867dad..62db3283 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -48,11 +48,9 @@ email_conf = ConnectionConfig( USE_CREDENTIALS=True, ) -# register -DATABASE_CONNECTION_STRING = "sqlite:///calendar.db" # security -JWT_KEY = "c06857128217c661de43d746ecdbe9f1dbc3b3685957fab64512456f639b1881" +JWT_KEY = "JWT_KEY_PLACEHOLDER" JWT_ALGORITHM = "HS256" JWT_MIN_EXP = 60 * 24 * 7 templates = Jinja2Templates(directory=os.path.join("app", "templates")) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 1f719c95..c132db38 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -7,7 +7,7 @@ from starlette.requests import Request -async def current_user_required( +async def is_logged_in( request: Request, db: Session = Depends(get_db), jwt: str = Depends(get_cookie)) -> CurrentUser: @@ -29,5 +29,5 @@ async def current_user( jwt = request.cookies['Authorization'] else: return None - user = await check_jwt_token(db, jwt) - return user + return await check_jwt_token(db, jwt) + diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 66261d71..4434e7b9 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -25,12 +25,12 @@ async def get_db_user_by_username(db: Session, username: str) -> User: return user -def get_hashed_password(password) -> str: +def get_hashed_password(password: str) -> str: """Hashing user password""" return pwd_context.hash(password) -def verify_password(plain_password, hashed_password) -> bool: +def verify_password(plain_password: str, hashed_password: str) -> bool: """Verifying password and hashed password are equal""" return pwd_context.verify(plain_password, hashed_password) @@ -42,6 +42,7 @@ async def authenticate_user( if db_user: if verify_password(user.password, db_user.password): return LoginUser( + user_id=db_user.id, username=user.username, password=db_user.password) return False @@ -53,7 +54,7 @@ def create_jwt_token( expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP) jwt_payload = { "sub": user.username, - "hashed_password": user.password, + "user_id": user.user_id, "exp": expiration} jwt_token = jwt.encode( jwt_payload, JWT_KEY, algorithm=JWT_ALGORITHM) @@ -73,9 +74,9 @@ async def check_jwt_token( jwt_payload = jwt.decode( token, JWT_KEY, algorithms=JWT_ALGORITHM) jwt_username = jwt_payload.get("sub") - jwt_hashed_password = jwt_payload.get("hashed_password") + jwt_user_id = jwt_payload.get("user_id") db_user = await get_db_user_by_username(db, username=jwt_username) - if db_user and db_user.password == jwt_hashed_password: + if db_user and db_user.id == jwt_user_id: return CurrentUser(**db_user.__dict__) else: raise HTTPException( diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index a6542fe4..356dc8ac 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -9,6 +9,7 @@ class LoginUser(BaseModel): Validating fields types Returns a User object for signing in. """ + user_id: Optional[int] username: str password: str diff --git a/app/main.py b/app/main.py index b6574299..b6b44b6e 100644 --- a/app/main.py +++ b/app/main.py @@ -15,7 +15,6 @@ from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED from sqlalchemy.orm import Session -from tests import security_testing_routes def create_tables(engine, psql_environment): @@ -34,7 +33,6 @@ def create_tables(engine, psql_environment): app.mount("/static", StaticFiles(directory=STATIC_PATH), name="static") app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") -app.include_router(security_testing_routes.router) app.include_router(profile.router) app.include_router(event.router) app.include_router(agenda.router) @@ -60,14 +58,10 @@ def create_tables(engine, psql_environment): email.router, event.router, invitation.router, - login.router, - logout.router, profile.router, - register.router, search.router, telegram.router, whatsapp.router, - security_testing_routes.router, ] for router in routers_to_include: diff --git a/app/routers/register.py b/app/routers/register.py index 1d9867d1..9e272630 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -52,10 +52,11 @@ async def register( new_user = UserCreate(**form_dict) except ValidationError as e: # if pydantic validations fails, rendering errors to register.html - - errors = {error['loc'][0]: " ".join(( - error['loc'][0].capitalize(), - error['msg'])) for error in e.errors()} + + errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} + errors = { + field: " ".join((field.capitalize(), + error_message)) for field, error_message in errors_dict.items()} return templates.TemplateResponse("register.html", { "request": request, "errors": errors, diff --git a/tests/client_fixture.py b/tests/client_fixture.py index 60572861..1ef6d96c 100644 --- a/tests/client_fixture.py +++ b/tests/client_fixture.py @@ -7,6 +7,10 @@ from app.main import app from app.routers import agenda, event, invitation, profile from tests.conftest import get_test_db, test_engine +from . import security_testing_routes + + +app.include_router(security_testing_routes.router) @pytest.fixture(scope="session") @@ -69,6 +73,7 @@ def get_test_placeholder_user(): ) + @pytest.fixture(scope="session") def security_test_client(): yield from create_test_client(event.get_db) diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py index 64c68f01..d5933d55 100644 --- a/tests/security_testing_routes.py +++ b/tests/security_testing_routes.py @@ -1,7 +1,11 @@ from app.dependencies import templates from fastapi import APIRouter, Depends, Request from app.internal.security.dependancies import ( - current_user_required, current_user, CurrentUser) + is_logged_in, current_user, CurrentUser) + +# from app.main import app +# app.include_router(security_testing_routes.router) + """ These routes are for security testing. @@ -17,7 +21,7 @@ @router.get('/protected') async def protected_route( - request: Request, user: CurrentUser = Depends(current_user_required)): + request: Request, user: CurrentUser = Depends(is_logged_in)): # This is how to protect route for logged in user only. # Dependency will return CurrentUser object. return templates.TemplateResponse("home.html", { From da12351a0a2baeba2eab599086aff63d773197fc Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 18:43:04 +0200 Subject: [PATCH 33/56] flake8 fixes --- app/internal/security/dependancies.py | 1 - app/main.py | 8 ++------ app/routers/register.py | 5 ++--- tests/client_fixture.py | 1 - tests/security_testing_routes.py | 1 - tests/test_register.py | 1 + 6 files changed, 5 insertions(+), 12 deletions(-) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index c132db38..665ca409 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -30,4 +30,3 @@ async def current_user( else: return None return await check_jwt_token(db, jwt) - diff --git a/app/main.py b/app/main.py index d5bc73d3..f058497c 100644 --- a/app/main.py +++ b/app/main.py @@ -6,11 +6,6 @@ from app.internal import daily_quotes, json_data_loader from app.internal.languages import set_ui_language from app.internal.security.ouath2 import my_exception_handler -from app.routers import ( - agenda, calendar, categories, currency, dayview, email, - event, invitation, login, logout, profile, register, - search, telegram, whatsapp -) from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED @@ -52,7 +47,8 @@ def create_tables(engine, psql_environment): from app.routers import ( # noqa: E402 agenda, calendar, categories, currency, dayview, email, - event, invitation, profile, search, telegram, whatsapp + event, invitation, login, logout, profile, register, + search, telegram, whatsapp ) json_data_loader.load_to_db(next(get_db())) diff --git a/app/routers/register.py b/app/routers/register.py index bcd3637b..6d8443be 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -54,11 +54,11 @@ async def register( new_user = UserCreate(**form_dict) except ValidationError as e: # if pydantic validations fails, rendering errors to register.html - + errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} errors = { field: " ".join((field.capitalize(), - error_message)) for field, error_message in errors_dict.items()} + error_message)) for field, error_message in errors_dict.items()} return templates.TemplateResponse("register.html", { "request": request, "errors": errors, @@ -77,5 +77,4 @@ async def register( "request": request, "errors": errors, "form_values": form_dict}) - return RedirectResponse('/profile', status_code=HTTP_302_FOUND) diff --git a/tests/client_fixture.py b/tests/client_fixture.py index f0edcad3..c88dc574 100644 --- a/tests/client_fixture.py +++ b/tests/client_fixture.py @@ -74,7 +74,6 @@ def get_test_placeholder_user(): ) - @pytest.fixture(scope="session") def security_test_client(): yield from create_test_client(event.get_db) diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py index a05394f5..64d5e480 100644 --- a/tests/security_testing_routes.py +++ b/tests/security_testing_routes.py @@ -1,4 +1,3 @@ -from app.dependencies import templates from app.internal.security.dependancies import ( CurrentUser, current_user, is_logged_in) from fastapi import APIRouter, Depends, Request diff --git a/tests/test_register.py b/tests/test_register.py index 3bae29c8..9394e2ba 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -1,6 +1,7 @@ import pytest from starlette.status import HTTP_302_FOUND + def test_register_route_ok(client): response = client.get("/register") assert response.ok From cc4fdaeabae9e260f6b3ad338e00260fb53b80c1 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 18:50:45 +0200 Subject: [PATCH 34/56] flake8 fix2 --- app/main.py | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/app/main.py b/app/main.py index f058497c..9a1ee638 100644 --- a/app/main.py +++ b/app/main.py @@ -30,15 +30,6 @@ def create_tables(engine, psql_environment): app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") app.logger = logger -app.include_router(profile.router) -app.include_router(event.router) -app.include_router(agenda.router) -app.include_router(register.router) -app.include_router(email.router) -app.include_router(invitation.router) -app.include_router(login.router) -app.include_router(logout.router) - app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) json_data_loader.load_to_db(next(get_db())) @@ -53,7 +44,6 @@ def create_tables(engine, psql_environment): json_data_loader.load_to_db(next(get_db())) - routers_to_include = [ agenda.router, calendar.router, @@ -63,7 +53,10 @@ def create_tables(engine, psql_environment): email.router, event.router, invitation.router, + login.router, + logout.router, profile.router, + register.router, search.router, telegram.router, whatsapp.router, From 0ae794ab79d68393a19aca7f55a87e2d82cc9ba0 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 18:54:18 +0200 Subject: [PATCH 35/56] flake8 fixes3 --- app/routers/register.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/routers/register.py b/app/routers/register.py index 6d8443be..1e5a4e7b 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -57,8 +57,9 @@ async def register( errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} errors = { - field: " ".join((field.capitalize(), - error_message)) for field, error_message in errors_dict.items()} + field: " ".join( + (field.capitalize(), error_message)) for field, + error_message in errors_dict.items()} return templates.TemplateResponse("register.html", { "request": request, "errors": errors, From 7a47985cea5dec186a53f4a3c8598272a5ae1bf7 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 19:03:29 +0200 Subject: [PATCH 36/56] flake8 fixes4 --- app/routers/register.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/routers/register.py b/app/routers/register.py index 1e5a4e7b..d98ad0e4 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -57,9 +57,10 @@ async def register( errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} errors = { - field: " ".join( - (field.capitalize(), error_message)) for field, + field: " ".join(( + field.capitalize(), error_message)) for field, error_message in errors_dict.items()} + return templates.TemplateResponse("register.html", { "request": request, "errors": errors, From e7bc55aa1bc77d7fe59af9763604597b641b4b5b Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 19:11:58 +0200 Subject: [PATCH 37/56] flake8 fixes5 --- app/routers/register.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/routers/register.py b/app/routers/register.py index d98ad0e4..0db61025 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -58,8 +58,8 @@ async def register( errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} errors = { field: " ".join(( - field.capitalize(), error_message)) for field, - error_message in errors_dict.items()} + field.capitalize(), error_message) + ) for field, error_message in errors_dict.items()} return templates.TemplateResponse("register.html", { "request": request, From 8fbe36a5a8fcd7a67593abb9e8fba3d5787aba6d Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 9 Feb 2021 23:58:47 +0200 Subject: [PATCH 38/56] CR fix --- app/internal/security/ouath2.py | 29 +++++++++++++++-------------- app/main.py | 4 ++-- app/routers/login.py | 15 ++++++++++++++- app/routers/register.py | 13 +++++++++++-- 4 files changed, 42 insertions(+), 19 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 4434e7b9..c5530a1f 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -10,7 +10,6 @@ from jwt.exceptions import InvalidSignatureError from sqlalchemy.orm import Session from starlette.requests import Request -from starlette.responses import RedirectResponse from starlette.status import HTTP_401_UNAUTHORIZED from .schema import LoginUser, CurrentUser @@ -113,16 +112,18 @@ async def get_cookie(request: Request) -> str: detail="Please log in to enter this page") -async def my_exception_handler( - request: Request, - exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: - """ - Whenever HTTP_401_UNAUTHORIZED is raised, - redirecting to login route, with original requested url, - and details for why original request failed. - """ - paramas = f"?next={exc.headers}&message={exc.detail}" - url = f"/login{paramas}" - response = RedirectResponse(url=url) - response.delete_cookie('Authorization') - return response +# this import must be here to avoid circular importing +# from app.routers.login import router + + +# async def my_exception_handler( +# request: Request, +# exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: +# """ +# Whenever HTTP_401_UNAUTHORIZED is raised, +# redirecting to login route, with original requested url, +# and details for why original request failed. +# """ +# paramas = f"?next={exc.headers}&message={exc.detail}" +# return RedirectResponse(router.url_path_for('login_user_form') +# + f'{paramas}', status_code=HTTP_302_FOUND) diff --git a/app/main.py b/app/main.py index 9a1ee638..a6b8a48e 100644 --- a/app/main.py +++ b/app/main.py @@ -5,7 +5,6 @@ logger, MEDIA_PATH, STATIC_PATH, templates) from app.internal import daily_quotes, json_data_loader from app.internal.languages import set_ui_language -from app.internal.security.ouath2 import my_exception_handler from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED @@ -30,7 +29,6 @@ def create_tables(engine, psql_environment): app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") app.logger = logger -app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) json_data_loader.load_to_db(next(get_db())) # This MUST come before the app.routers imports. @@ -42,8 +40,10 @@ def create_tables(engine, psql_environment): search, telegram, whatsapp ) +app.add_exception_handler(HTTP_401_UNAUTHORIZED, login.my_exception_handler) json_data_loader.load_to_db(next(get_db())) + routers_to_include = [ agenda.router, calendar.router, diff --git a/app/routers/login.py b/app/routers/login.py index 955fe89e..1a90c1c8 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -9,7 +9,7 @@ from fastapi import APIRouter, Depends, Request from sqlalchemy.orm import Session from starlette.responses import RedirectResponse -from starlette.status import HTTP_302_FOUND +from starlette.status import HTTP_302_FOUND, HTTP_401_UNAUTHORIZED router = APIRouter( @@ -72,3 +72,16 @@ async def login( httponly=True, ) return response + + +async def my_exception_handler( + request: Request, + exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: + """ + Whenever HTTP_401_UNAUTHORIZED is raised, + redirecting to login route, with original requested url, + and details for why original request failed. + """ + paramas = f"?next={exc.headers}&message={exc.detail}" + return RedirectResponse(router.url_path_for('login_user_form') + + f'{paramas}', status_code=HTTP_302_FOUND) diff --git a/app/routers/register.py b/app/routers/register.py index 0db61025..fcad5403 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -1,7 +1,11 @@ -from app.internal import user +from typing import Union + from app.database.schemas import UserCreate from app.database.database import get_db from app.dependencies import templates +from app.internal import user +from app.internal.security.dependancies import ( + current_user, CurrentUser) from fastapi import APIRouter, Depends, Request from pydantic import ValidationError from sqlalchemy.exc import IntegrityError @@ -33,8 +37,13 @@ async def render_registration_error( @router.get("/register") -async def register_user_form(request: Request) -> templates: +async def register_user_form( + request: Request, + current_user: Union[CurrentUser, None] = Depends(current_user) + ) -> templates: """rendering register route get method""" + if current_user: + return RedirectResponse(url='/') return templates.TemplateResponse("register.html", { "request": request, "errors": None From f203c387be8c9f631ebe8fd7f7a3842b81eebce5 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 10 Feb 2021 00:53:59 +0200 Subject: [PATCH 39/56] Revert "CR fix" This reverts commit 8fbe36a5a8fcd7a67593abb9e8fba3d5787aba6d. --- app/internal/security/ouath2.py | 29 ++++++++++++++--------------- app/main.py | 4 ++-- app/routers/login.py | 15 +-------------- app/routers/register.py | 13 ++----------- 4 files changed, 19 insertions(+), 42 deletions(-) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index c5530a1f..4434e7b9 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -10,6 +10,7 @@ from jwt.exceptions import InvalidSignatureError from sqlalchemy.orm import Session from starlette.requests import Request +from starlette.responses import RedirectResponse from starlette.status import HTTP_401_UNAUTHORIZED from .schema import LoginUser, CurrentUser @@ -112,18 +113,16 @@ async def get_cookie(request: Request) -> str: detail="Please log in to enter this page") -# this import must be here to avoid circular importing -# from app.routers.login import router - - -# async def my_exception_handler( -# request: Request, -# exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: -# """ -# Whenever HTTP_401_UNAUTHORIZED is raised, -# redirecting to login route, with original requested url, -# and details for why original request failed. -# """ -# paramas = f"?next={exc.headers}&message={exc.detail}" -# return RedirectResponse(router.url_path_for('login_user_form') -# + f'{paramas}', status_code=HTTP_302_FOUND) +async def my_exception_handler( + request: Request, + exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: + """ + Whenever HTTP_401_UNAUTHORIZED is raised, + redirecting to login route, with original requested url, + and details for why original request failed. + """ + paramas = f"?next={exc.headers}&message={exc.detail}" + url = f"/login{paramas}" + response = RedirectResponse(url=url) + response.delete_cookie('Authorization') + return response diff --git a/app/main.py b/app/main.py index a6b8a48e..9a1ee638 100644 --- a/app/main.py +++ b/app/main.py @@ -5,6 +5,7 @@ logger, MEDIA_PATH, STATIC_PATH, templates) from app.internal import daily_quotes, json_data_loader from app.internal.languages import set_ui_language +from app.internal.security.ouath2 import my_exception_handler from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED @@ -29,6 +30,7 @@ def create_tables(engine, psql_environment): app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") app.logger = logger +app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) json_data_loader.load_to_db(next(get_db())) # This MUST come before the app.routers imports. @@ -40,10 +42,8 @@ def create_tables(engine, psql_environment): search, telegram, whatsapp ) -app.add_exception_handler(HTTP_401_UNAUTHORIZED, login.my_exception_handler) json_data_loader.load_to_db(next(get_db())) - routers_to_include = [ agenda.router, calendar.router, diff --git a/app/routers/login.py b/app/routers/login.py index 1a90c1c8..955fe89e 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -9,7 +9,7 @@ from fastapi import APIRouter, Depends, Request from sqlalchemy.orm import Session from starlette.responses import RedirectResponse -from starlette.status import HTTP_302_FOUND, HTTP_401_UNAUTHORIZED +from starlette.status import HTTP_302_FOUND router = APIRouter( @@ -72,16 +72,3 @@ async def login( httponly=True, ) return response - - -async def my_exception_handler( - request: Request, - exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: - """ - Whenever HTTP_401_UNAUTHORIZED is raised, - redirecting to login route, with original requested url, - and details for why original request failed. - """ - paramas = f"?next={exc.headers}&message={exc.detail}" - return RedirectResponse(router.url_path_for('login_user_form') - + f'{paramas}', status_code=HTTP_302_FOUND) diff --git a/app/routers/register.py b/app/routers/register.py index fcad5403..0db61025 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -1,11 +1,7 @@ -from typing import Union - +from app.internal import user from app.database.schemas import UserCreate from app.database.database import get_db from app.dependencies import templates -from app.internal import user -from app.internal.security.dependancies import ( - current_user, CurrentUser) from fastapi import APIRouter, Depends, Request from pydantic import ValidationError from sqlalchemy.exc import IntegrityError @@ -37,13 +33,8 @@ async def render_registration_error( @router.get("/register") -async def register_user_form( - request: Request, - current_user: Union[CurrentUser, None] = Depends(current_user) - ) -> templates: +async def register_user_form(request: Request) -> templates: """rendering register route get method""" - if current_user: - return RedirectResponse(url='/') return templates.TemplateResponse("register.html", { "request": request, "errors": None From bbb241b4e3f118f766d723a014919faa11e3f49c Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 10 Feb 2021 18:53:51 +0200 Subject: [PATCH 40/56] CR fixes --- README.md | 21 ----------- app/internal/security/dependancies.py | 54 ++++++++++++++++++++++----- app/internal/security/ouath2.py | 33 ++++++---------- app/internal/security/schema.py | 24 +----------- app/main.py | 4 +- app/routers/login.py | 5 +-- tests/security_testing_routes.py | 22 ++++++++--- tests/test_login.py | 33 ++++++++++++++-- 8 files changed, 106 insertions(+), 90 deletions(-) diff --git a/README.md b/README.md index d50e5325..62e3dd79 100644 --- a/README.md +++ b/README.md @@ -41,27 +41,6 @@ cp app/config.py.example app/config.py # Edit the variables' values. # Rendering JWT_KEY: python -c "import secrets; from pathlib import Path; f = Path('app/config.py'); f.write_text(f.read_text().replace('JWT_KEY_PLACEHOLDER', secrets.token_hex(32), 1));" -``` -### Running tests -```shell -python -m pytest --cov-report term-missing --cov=app tests -``` - -### Generating personal JWT Secret Key -'''shell -python -import secrets -secrets.token_hex(32) -# copy generated string. -# in config.py file, replace JWT_KEY value with generated string -''' - -## Using security dependencies: -''' -from app.internal.security.dependencies: -use is_logged_in and current_user functions as a route dependencies. -an example for how to use can be found at tests.security_testing_routes file. -''' ## Contributing View [contributing guidelines](https://github.com/PythonFreeCourse/calendar/blob/master/CONTRIBUTING.md). diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 665ca409..cf35bc44 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,25 +1,58 @@ from typing import Union from app.database.database import get_db +from app.database.models import User from app.internal.security.ouath2 import ( - Depends, Session, check_jwt_token, get_cookie) -from app.internal.security.schema import CurrentUser + Depends, Session, check_jwt_token, + get_cookie, get_db_user_by_username, + HTTP_401_UNAUTHORIZED, HTTPException) from starlette.requests import Request +async def validate_user( + db: Session, user_id: int, username: str, path: str) -> User: + ''' + Helper for dependency functions. + Recives user details from decrypted jwt token, + and check them against the database. + returns User base model instance if succeeded, + raises HTTPException if fails. + ''' + db_user = await get_db_user_by_username(db, username=username) + if db_user and db_user.id == user_id: + return db_user + else: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="Your token is incorrect. Please log in again") + + async def is_logged_in( - request: Request, + request: Request, db: Session = Depends(get_db), + jwt: str = Depends(get_cookie)) -> bool: + """ + A dependency function protecting routes for only logged in user + """ + await check_jwt_token(db, jwt) + return True + + +async def is_authenticated( + request: Request, db: Session = Depends(get_db), - jwt: str = Depends(get_cookie)) -> CurrentUser: - """A dependency function protecting routes for only logged in user""" - user = await check_jwt_token(db, jwt, path=request.url.path) - if user: - return user + jwt: str = Depends(get_cookie)) -> User: + """ + A dependency function protecting routes for only logged in user. + Returns logged in User object. + """ + username, user_id = await check_jwt_token(db, jwt) + return await validate_user(db, user_id, username, request.url.path) async def current_user( request: Request, - db: Session = Depends(get_db),) -> Union[CurrentUser, bool]: + db: Session = Depends(get_db)) -> Union[User, bool]: """ A dependency function. Returns logged in User object if exists. @@ -29,4 +62,5 @@ async def current_user( jwt = request.cookies['Authorization'] else: return None - return await check_jwt_token(db, jwt) + username, user_id = await check_jwt_token(db, jwt) + return await validate_user(db, user_id, username, request.url.path) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 4434e7b9..76bfae42 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -12,7 +12,7 @@ from starlette.requests import Request from starlette.responses import RedirectResponse from starlette.status import HTTP_401_UNAUTHORIZED -from .schema import LoginUser, CurrentUser +from .schema import LoginUser pwd_context = CryptContext(schemes=["bcrypt"]) @@ -39,11 +39,10 @@ async def authenticate_user( db: Session, user: LoginUser) -> Union[LoginUser, bool]: """Verifying user is in database and password is correct""" db_user = await get_db_user_by_username(db=db, username=user.username) - if db_user: - if verify_password(user.password, db_user.password): - return LoginUser( - user_id=db_user.id, - username=user.username, password=db_user.password) + if db_user and verify_password(user.password, db_user.password): + return LoginUser( + user_id=db_user.id, + username=user.username, password=db_user.password) return False @@ -63,26 +62,16 @@ def create_jwt_token( async def check_jwt_token( db: Session, - token: str = Depends(oauth_schema), - path: bool = None) -> CurrentUser: + token: str = Depends(oauth_schema), path: bool = None) -> User: """ - Check whether JWT token is correct. Returns User object if yes. - Returns None or raises HTTPException, - depanding which depandency activated this function. + Check whether JWT token is correct. + Returns jwt payloads if correct. + Raises HTTPException if fails to decode. """ try: jwt_payload = jwt.decode( token, JWT_KEY, algorithms=JWT_ALGORITHM) - jwt_username = jwt_payload.get("sub") - jwt_user_id = jwt_payload.get("user_id") - db_user = await get_db_user_by_username(db, username=jwt_username) - if db_user and db_user.id == jwt_user_id: - return CurrentUser(**db_user.__dict__) - else: - raise HTTPException( - status_code=HTTP_401_UNAUTHORIZED, - headers=path, - detail="Your token is incorrect. Please log in again") + return jwt_payload.get("sub"), jwt_payload.get("user_id") except InvalidSignatureError: raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, @@ -113,7 +102,7 @@ async def get_cookie(request: Request) -> str: detail="Please log in to enter this page") -async def my_exception_handler( +async def auth_exception_handler( request: Request, exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse: """ diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index 356dc8ac..0adf54a6 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -1,6 +1,5 @@ -from typing import List, Optional +from typing import Optional -from app.database.models import UserEvent from pydantic import BaseModel @@ -15,24 +14,3 @@ class LoginUser(BaseModel): class Config: orm_mode = True - - -class CurrentUser(BaseModel): - """ - Security dependencies will return this object, - instead of db object. - Returns all User's parameters, except password. - """ - id: int - username: str - full_name: str - email: str - language: str = None - description: str = None - avatar: str - telegram_id: str = None - events = Optional[List[UserEvent]] - - class Config: - orm_mode = True - arbitrary_types_allowed = True diff --git a/app/main.py b/app/main.py index 9a1ee638..422b2c89 100644 --- a/app/main.py +++ b/app/main.py @@ -5,7 +5,7 @@ logger, MEDIA_PATH, STATIC_PATH, templates) from app.internal import daily_quotes, json_data_loader from app.internal.languages import set_ui_language -from app.internal.security.ouath2 import my_exception_handler +from app.internal.security.ouath2 import auth_exception_handler from fastapi import Depends, FastAPI, Request from fastapi.staticfiles import StaticFiles from starlette.status import HTTP_401_UNAUTHORIZED @@ -30,7 +30,7 @@ def create_tables(engine, psql_environment): app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media") app.logger = logger -app.add_exception_handler(HTTP_401_UNAUTHORIZED, my_exception_handler) +app.add_exception_handler(HTTP_401_UNAUTHORIZED, auth_exception_handler) json_data_loader.load_to_db(next(get_db())) # This MUST come before the app.routers imports. diff --git a/app/routers/login.py b/app/routers/login.py index 955fe89e..4c547374 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -3,7 +3,7 @@ from app.database.database import get_db from app.dependencies import templates from app.internal.security.dependancies import ( - current_user, CurrentUser) + User, current_user) from app.internal.security.ouath2 import ( authenticate_user, create_jwt_token, LoginUser) from fastapi import APIRouter, Depends, Request @@ -22,8 +22,7 @@ @router.get("/login") async def login_user_form( request: Request, message: Optional[str] = "", - current_user: Union[CurrentUser, None] = Depends(current_user) - ) -> templates: + current_user: Union[User, None] = Depends(current_user)) -> templates: """rendering login route get method""" if current_user: return RedirectResponse(url='/') diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py index 64d5e480..850971a8 100644 --- a/tests/security_testing_routes.py +++ b/tests/security_testing_routes.py @@ -1,5 +1,5 @@ from app.internal.security.dependancies import ( - CurrentUser, current_user, is_logged_in) + User, current_user, is_authenticated, is_logged_in) from fastapi import APIRouter, Depends, Request @@ -17,17 +17,27 @@ @router.get('/protected') async def protected_route( - request: Request, user: CurrentUser = Depends(is_logged_in)): + request: Request, user: bool = Depends(is_logged_in)): # This is how to protect route for logged in user only. - # Dependency will return CurrentUser object. + # Dependency will return True. + # if user not looged-in, will be redirected to login route. + return {"user": user} + + +@router.get('/is_authenticated') +async def is_authenticated( + request: Request, user: User = Depends(is_authenticated)): + # This is how to protect route for logged in user only. + # Dependency will return User object. + # if user not looged-in, will be redirected to login route. return {"user": user.username} @router.get('/test_user') async def user_route( - request: Request, current_user: CurrentUser = Depends(current_user)): - # This is how to get CurrentUser in a route. - # Dependency will return CurrentUser object, or None if user not logged in. + request: Request, current_user: User = Depends(current_user)): + # This is how to get current_user in a route. + # Dependency will return User object, or None if user not logged in. if current_user: name = current_user.username else: diff --git a/tests/test_login.py b/tests/test_login.py index 5a68b615..df5d27c9 100644 --- a/tests/test_login.py +++ b/tests/test_login.py @@ -23,6 +23,8 @@ def test_login_route_ok(security_test_client): ] LOGIN_DATA = {'username': 'correct_user', 'password': 'correct_password'} +WRONG_LOGIN_DATA = { + 'username': 'incorrect_user', 'password': 'correct_password'} def test_register_user(session, security_test_client): @@ -45,16 +47,18 @@ def test_login_successfull(session, security_test_client): assert res.status_code == HTTP_302_FOUND -def test_protected_with_logged_in_user(session, security_test_client): +def test_is_logged_in_dependency_with_logged_in_user( + session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) security_test_client.post('/login', data=LOGIN_DATA) res = security_test_client.get('/protected') print(res) - assert res.json() == {"user": 'correct_user'} + assert res.json() == {"user": True} -def test_protected_without_logged_in_user( +def test_is_logged_in_dependency_without_logged_in_user( session, security_test_client): + res = security_test_client.get('/logout') res = security_test_client.get('/protected') assert b'Please log in' in res.content @@ -66,6 +70,19 @@ def test_current_user_dependency_exists(session, security_test_client): assert res.json() == {"user": 'correct_user'} +def test_is_authenticated_dependency_exists(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + res = security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/is_authenticated') + assert res.json() == {"user": 'correct_user'} + + +def test_is_authenticated_dependency_not_exists(session, security_test_client): + res = security_test_client.get('/logout') + res = security_test_client.get('/is_authenticated') + assert b'Please log in' in res.content + + def test_logout(session, security_test_client): res = security_test_client.get('/logout') assert b'Login' in res.content @@ -87,6 +104,16 @@ def test_incorrect_secret_key_in_token(session, security_test_client): assert b'Your token is incorrect' in res.content +def test_wrong_details_in_token(session, security_test_client): + user = LoginUser(**WRONG_LOGIN_DATA) + incorrect_token = create_jwt_token(user) + security_test_client.post('/register', data=REGISTER_DETAIL) + url = f"/login?existing_jwt={incorrect_token}" + security_test_client.post(f'{url}', data=LOGIN_DATA) + res = security_test_client.get('/is_authenticated') + assert b'Your token is incorrect' in res.content + + def test_expired_token(session, security_test_client): security_test_client.get('/logout') user = LoginUser(**LOGIN_DATA) From d1eabd258b17040c142a363665afb15664cac6da Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Thu, 11 Feb 2021 13:11:46 +0200 Subject: [PATCH 41/56] works, before tests --- app/internal/security/dependancies.py | 2 +- app/internal/security/ouath2.py | 29 ++++-- app/internal/security/reset_password.py | 25 ++++++ app/internal/security/schema.py | 60 ++++++++++++- app/main.py | 6 +- app/routers/reset_password.py | 115 ++++++++++++++++++++++++ app/templates/forgot_password.html | 31 +++++++ app/templates/reset_password.html | 42 +++++++++ app/templates/reset_password_mail.html | 6 ++ 9 files changed, 306 insertions(+), 10 deletions(-) create mode 100644 app/internal/security/reset_password.py create mode 100644 app/routers/reset_password.py create mode 100644 app/templates/forgot_password.html create mode 100644 app/templates/reset_password.html create mode 100644 app/templates/reset_password_mail.html diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 5b308cc5..31de293a 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -47,7 +47,7 @@ async def is_authenticated( Returns logged in User object. """ username, user_id = await check_jwt_token(db, jwt) - return await validate_user(db, user_id, username, request.url.path) + return await validate_user(db, int(user_id), username, request.url.path) async def current_user( diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 76bfae42..ac0015d5 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -12,7 +12,7 @@ from starlette.requests import Request from starlette.responses import RedirectResponse from starlette.status import HTTP_401_UNAUTHORIZED -from .schema import LoginUser +from .schema import ForgotPassword, LoginUser pwd_context = CryptContext(schemes=["bcrypt"]) @@ -25,6 +25,14 @@ async def get_db_user_by_username(db: Session, username: str) -> User: return user +async def update_password( + db: Session, db_user: User, user_password: str): + print("im in") + hashed_password = get_hashed_password(user_password) + db_user.password = hashed_password + db.commit() + + def get_hashed_password(password: str) -> str: """Hashing user password""" return pwd_context.hash(password) @@ -36,10 +44,20 @@ def verify_password(plain_password: str, hashed_password: str) -> bool: async def authenticate_user( - db: Session, user: LoginUser) -> Union[LoginUser, bool]: - """Verifying user is in database and password is correct""" + db: Session, user: Union[LoginUser, ForgotPassword], + email: bool = False) -> Union[LoginUser, ForgotPassword, bool]: + """ + Verifying database record by username. + Comparing other given details to database record, + varies with which function called this action. + """ db_user = await get_db_user_by_username(db=db, username=user.username) - if db_user and verify_password(user.password, db_user.password): + if not db_user: + return False + if email and db_user.email == user.email: + return ForgotPassword( + username=user.username, user_id=db_user.id, email=db_user.email) + elif verify_password(user.password, db_user.password): return LoginUser( user_id=db_user.id, username=user.username, password=db_user.password) @@ -47,7 +65,8 @@ async def authenticate_user( def create_jwt_token( - user: LoginUser, JWT_MIN_EXP: int = JWT_MIN_EXP, + user: Union[LoginUser, ForgotPassword], + JWT_MIN_EXP: int = JWT_MIN_EXP, JWT_KEY: str = JWT_KEY) -> str: """Creating jwt-token out of user unique data""" expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP) diff --git a/app/internal/security/reset_password.py b/app/internal/security/reset_password.py new file mode 100644 index 00000000..6cb4c234 --- /dev/null +++ b/app/internal/security/reset_password.py @@ -0,0 +1,25 @@ +from app.config import (CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf, templates) +from app.dependencies import get_db +from app.internal.security.schema import ForgotPassword +from fastapi import BackgroundTasks +from fastapi_mail import FastMail, MessageSchema +from sqlalchemy.orm import Session + + +mail = FastMail(email_conf) + + +async def send_mail( + session: Session, user: ForgotPassword, + background_tasks: BackgroundTasks) -> bool: + '''Sending email to user, containing reset password link''' + template = templates.get_template("reset_password_mail.html") + html = template.render(recipient=user.username, + site_name=CALENDAR_SITE_NAME, + link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", + email=user.email) + message = MessageSchema( + subject=f"{CALENDAR_SITE_NAME} reset password", + recipients=[user.email],body = html,subtype='html') + background_tasks.add_task(mail.send_message, message) + return True \ No newline at end of file diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index 0adf54a6..f2ed0896 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -1,6 +1,6 @@ -from typing import Optional +from typing import Optional, Union -from pydantic import BaseModel +from pydantic import BaseModel, validator class LoginUser(BaseModel): @@ -14,3 +14,59 @@ class LoginUser(BaseModel): class Config: orm_mode = True + + +class ForgotPassword(BaseModel): + """ + BaseModel for collecting and verifying user + details sending a token via email + """ + username: str + email: str + user_id: Optional[str] = None + token: Optional[str] = None + + class Config: + orm_mode = True + + + @validator('username') + def password_length(cls, username: str) -> Union[ValueError, str]: + """Validating username length is legal""" + if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH): + raise ValueError + return username + + +MIN_FIELD_LENGTH = 3 +MAX_FIELD_LENGTH = 20 + + +class ResetPassword(BaseModel): + """ + Validating fields types + """ + username: str + password: str + confirm_password: str + + class Config: + orm_mode = True + + + @validator('confirm_password') + def passwords_match( + cls, confirm_password: str, + values: BaseModel) -> Union[ValueError, str]: + """Validating passwords fields identical.""" + if 'password' in values and confirm_password != values['password']: + raise ValueError + return confirm_password + + + @validator('password') + def password_length(cls, password: str) -> Union[ValueError, str]: + """Validating password length is legal""" + if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): + raise ValueError + return password \ No newline at end of file diff --git a/app/main.py b/app/main.py index b63e5c0e..93e49d29 100644 --- a/app/main.py +++ b/app/main.py @@ -38,12 +38,13 @@ def create_tables(engine, psql_environment): from app.routers import ( # noqa: E402 agenda, calendar, categories, celebrity, currency, dayview, email, event, invitation, login, logout, profile, register, - search, telegram, whatsapp + reset_password, search, telegram, whatsapp ) json_data_loader.load_to_db(next(get_db())) - +from tests import security_testing_routes routers_to_include = [ + security_testing_routes.router, agenda.router, calendar.router, categories.router, @@ -57,6 +58,7 @@ def create_tables(engine, psql_environment): logout.router, profile.router, register.router, + reset_password.router, salary.router, search.router, telegram.router, diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py new file mode 100644 index 00000000..59e6139e --- /dev/null +++ b/app/routers/reset_password.py @@ -0,0 +1,115 @@ +from typing import Optional, Union + +from app.dependencies import get_db, templates +from app.internal.security.dependancies import is_authenticated +from app.internal.security.ouath2 import ( + authenticate_user, check_jwt_token, + create_jwt_token, update_password) +from app.internal.security.reset_password import ( + BackgroundTasks ,send_mail) +from app.internal.security.schema import ( + ForgotPassword, LoginUser, ResetPassword) +from fastapi import APIRouter, Depends, Request +from pydantic import ValidationError +from sqlalchemy.orm import Session +from starlette.responses import RedirectResponse +from starlette.status import HTTP_302_FOUND + + +router = APIRouter( + prefix="", + tags=["/reset_password"], + responses={404: {"description": "Not found"}}, +) + + +@router.get("/forgot-password") +async def forgot_password_form( + request: Request) -> templates: + """rendering forgot password form get method""" + return templates.TemplateResponse("forgot_password.html", { + "request": request, + }) + + +@router.post('/forgot-password') +async def forgot_password( + request: Request, background_tasks: BackgroundTasks, + db: Session = Depends(get_db)) -> templates: + """ + Validaiting form data fields. + Validaiting form data against database records. + If all validations succeed, creating jwt token, + then sending email to the user with a reset password route link. + The contains the verafiction jwt token. + """ + form = await request.form() + form_dict = dict(form) + try: + # validating form data by creating pydantic schema object + user = ForgotPassword(**form_dict) + except ValidationError: + user = False + if user: + user = await authenticate_user(db, user, email=True) + if user: + user.token = create_jwt_token(user, JWT_MIN_EXP=15) + await send_mail(db, user, background_tasks) + return templates.TemplateResponse("forgot_password.html", { + "request": request, + "message": "Email for reseting password was sent"}) + return templates.TemplateResponse("forgot_password.html", { + "request": request, + "message": 'Please check your credentials' + }) + + +@router.get("/reset-password") +async def reset_password_form( + request: Request, token: Optional[str] = "" + ) -> templates: + """ + Rendering reset password form get method. + Validating jwt token is supplied with request. + """ + if token: + return templates.TemplateResponse("reset_password.html", { + "request": request, + }) + message = "?message=Verification token is missing" + return RedirectResponse(f"/login{message}") + + +@router.post("/reset-password") +async def reset_password( + request: Request, token: str = "", + db: Session = Depends(get_db) + ) -> RedirectResponse: + ''' + Receives jwt token. + Receives form data, and validates all fields are correct. + Validating token. + validatting form data against database records. + validatting jwt details against database records. + If all validations succeed, hashing new password and updating database. + ''' + form = await request.form() + form_dict = dict(form) + db_user = await is_authenticated(request=request, db = db, jwt = token) + validated = True + if not form_dict['username'] == db_user.username: + validated = False + try: + # validating form data by creating pydantic schema object + user = ResetPassword(**form_dict) + except ValueError: + validated = False + if not validated: + return templates.TemplateResponse("reset_password.html", { + "request": request, + "message": 'Please check your credentials' + }) + await update_password(db, db_user, user.password) + return RedirectResponse( + url="/login?message=Success reset password", + status_code=HTTP_302_FOUND) diff --git a/app/templates/forgot_password.html b/app/templates/forgot_password.html new file mode 100644 index 00000000..869e2498 --- /dev/null +++ b/app/templates/forgot_password.html @@ -0,0 +1,31 @@ +{% extends "base.html" %} +{% block content %} +
    +
    Please verify your Username and Email:
    + {% if message %} +
    {{ message }}
    + {% endif %} + +
    + +
    +
    +
    +
    +
    + +
    +
    +
    +
    + + Must be the email address you registered with + +
    +
    + + + +
    + +{% endblock %} \ No newline at end of file diff --git a/app/templates/reset_password.html b/app/templates/reset_password.html new file mode 100644 index 00000000..a4bc9bf5 --- /dev/null +++ b/app/templates/reset_password.html @@ -0,0 +1,42 @@ +{% extends "base.html" %} +{% block content %} +
    +
    Please choose a new password:
    + {% if message %} +
    {{ message }}
    + {% endif %} +
    +
    + +
    +
    +
    +
    +
    + +
    +
    +
    +
    + + Must be between 3 to 20 characters. + +
    +
    +
    + +
    +
    +
    +
    + + Must be equal to password. + +
    +
    + +
    + +
    + +{% endblock %} \ No newline at end of file diff --git a/app/templates/reset_password_mail.html b/app/templates/reset_password_mail.html new file mode 100644 index 00000000..abcbaa2e --- /dev/null +++ b/app/templates/reset_password_mail.html @@ -0,0 +1,6 @@ +

    Hi, {{ recipient }}!

    +

    You received this email from {{ site_name }} because you asked to reset your password.

    +

    To continue with resetting your password, please click the confirmation link

    +

    This confirmation link will expired in 15 minutes

    +

    This email has been sent to {{ email }}.

    +

    If you did not ask for it, please ignore it.

    \ No newline at end of file From 7701386420a217e8276d63fbd1c04971ab8177c0 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 14 Feb 2021 09:38:06 +0200 Subject: [PATCH 42/56] testing are not done --- tests/asyncio_fixture.py | 11 ++++++- tests/test_reset_password.py | 64 ++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 tests/test_reset_password.py diff --git a/tests/asyncio_fixture.py b/tests/asyncio_fixture.py index 8d18d52b..e7624373 100644 --- a/tests/asyncio_fixture.py +++ b/tests/asyncio_fixture.py @@ -9,7 +9,16 @@ from app.routers.event import create_event from tests.client_fixture import get_test_placeholder_user from tests.conftest import get_test_db, test_engine - +from app.routers import reset_password + +# @pytest.fixture +# async def reset_password_client(): +# Base.metadata.create_all(bind=test_engine) +# app.dependency_overrides[reset_password.get_db] = get_test_db +# async with AsyncClient(app=app, base_url="http://test") as ac: +# yield ac +# app.dependency_overrides = {} +# Base.metadata.drop_all(bind=test_engine) @pytest.fixture async def telegram_client(): diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py new file mode 100644 index 00000000..6cdb8646 --- /dev/null +++ b/tests/test_reset_password.py @@ -0,0 +1,64 @@ +import pytest +from app.internal.security.ouath2 import create_jwt_token, LoginUser +from app.internal.security.reset_password import mail, send_mail +from starlette.status import HTTP_302_FOUND +from app.internal.security.ouath2 import create_jwt_token, ForgotPassword +from app.config import CALENDAR_RESET_PASSWORD_PAGE + + +REGISTER_DETAIL = { + 'username': 'correct_user', 'full_name': 'full_name', + 'password': 'correct_password', 'confirm_password': 'correct_password', + 'email': 'example@email.com', 'description': ""} + + +FORGOT_PASSWORD_DETAILS = {'username': 'correct_user', 'email': 'example@email.com'} + + +def test_login_route_ok(security_test_client): + response = security_test_client.get("/forgot-password") + assert response.ok + + +def test_email_send(session, security_test_client, smtpd): + security_test_client.post('/register', data=REGISTER_DETAIL) + mail.config.SUPPRESS_SEND = 1 + mail.config.MAIL_SERVER = smtpd.hostname + mail.config.MAIL_PORT = smtpd.port + mail.config.USE_CREDENTIALS = False + mail.config.MAIL_TLS = False + with mail.record_messages() as outbox: + response = security_test_client.post("/forgot-password", data=FORGOT_PASSWORD_DETAILS) + assert len(outbox) == 1 + assert b'Email for reseting password was sent' in response.content + assert 'reset password' in outbox[0]['subject'] + + +def test_reset_password_GET_without_token(session, security_test_client): + user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, JWT_MIN_EXP=15) + link = f"{CALENDAR_RESET_PASSWORD_PAGE}" + res = security_test_client.get(link) + assert b'Verification token is missing' in res.content + + +def test_reset_password_GET_with_token(session, security_test_client): + user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, JWT_MIN_EXP=15) + link = f"{CALENDAR_RESET_PASSWORD_PAGE}?token={token}" + res = security_test_client.get(link) + assert b'Please choose a new password' in res.content + + +# def test_reset_password_POST_with_legal_token(session, security_test_client): +# user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) +# expired_token = create_jwt_token(user, JWT_MIN_EXP=15) +# link = f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}" +# res = security_test_client.get(link) +# assert b'Please choose a new password' in res.content + + + + + + \ No newline at end of file From baaba6f61ed9795d6d08de3738c343c3681c438f Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 14 Feb 2021 09:46:24 +0200 Subject: [PATCH 43/56] tests not finished --- app/internal/security/reset_password.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/internal/security/reset_password.py b/app/internal/security/reset_password.py index 6cb4c234..8bbdf686 100644 --- a/app/internal/security/reset_password.py +++ b/app/internal/security/reset_password.py @@ -1,4 +1,5 @@ -from app.config import (CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf, templates) +from app.config import (CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf) +from app.dependencies import templates from app.dependencies import get_db from app.internal.security.schema import ForgotPassword from fastapi import BackgroundTasks @@ -20,6 +21,6 @@ async def send_mail( email=user.email) message = MessageSchema( subject=f"{CALENDAR_SITE_NAME} reset password", - recipients=[user.email],body = html,subtype='html') + recipients=[user.email], body = html, subtype='html') background_tasks.add_task(mail.send_message, message) return True \ No newline at end of file From ad8cdeb50c407707b1b8e263d904e74ccd3f699e Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 15 Feb 2021 01:32:21 +0200 Subject: [PATCH 44/56] first push --- app/config.py.example | 2 + app/database/models.py | 7 ++ app/internal/security/dependancies.py | 59 ++----------- app/internal/security/ouath2.py | 66 ++++++++------- app/internal/security/reset_password.py | 35 ++++---- app/internal/security/schema.py | 7 +- app/main.py | 3 +- app/routers/login.py | 22 +++-- app/routers/register.py | 82 +++++++++++------- app/routers/reset_password.py | 37 ++++---- app/static/style.css | 6 ++ app/templates/login.html | 3 + tests/asyncio_fixture.py | 11 +-- tests/security_testing_routes.py | 30 ++----- tests/test_login.py | 63 +++++--------- tests/test_reset_password.py | 107 ++++++++++++++++++------ 16 files changed, 278 insertions(+), 262 deletions(-) diff --git a/app/config.py.example b/app/config.py.example index 06fa5f3a..fe212ee3 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -57,6 +57,8 @@ email_conf = ConnectionConfig( JWT_KEY = "JWT_KEY_PLACEHOLDER" JWT_ALGORITHM = "HS256" JWT_MIN_EXP = 60 * 24 * 7 +CALENDAR_RESET_PASSWORD_PAGE = "calendar.pythonic.guru/reset-password" + templates = Jinja2Templates(directory=os.path.join("app", "templates")) # application name diff --git a/app/database/models.py b/app/database/models.py index b9129832..eb8288e3 100644 --- a/app/database/models.py +++ b/app/database/models.py @@ -32,6 +32,7 @@ class User(Base): avatar = Column(String, default="profile.png") telegram_id = Column(String, unique=True) is_active = Column(Boolean, default=False) + is_manager = Column(Boolean, default=False) language_id = Column(Integer, ForeignKey("languages.id")) owned_events = relationship( @@ -47,6 +48,12 @@ class User(Base): def __repr__(self): return f'' + @staticmethod + async def get_by_username(db: Session, username: str) -> User: + """query database for a user by unique username""" + return db.query(User).filter( + User.username == username).first() + class Event(Base): __tablename__ = "events" diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 31de293a..7f2a0795 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -1,36 +1,13 @@ -from typing import Union +from starlette.requests import Request from app.dependencies import get_db -from app.database.models import User from app.internal.security.ouath2 import ( - Depends, Session, check_jwt_token, - get_cookie, get_db_user_by_username, - HTTP_401_UNAUTHORIZED, HTTPException) -from starlette.requests import Request - - -async def validate_user( - db: Session, user_id: int, username: str, path: str) -> User: - ''' - Helper for dependency functions. - Recives user details from decrypted jwt token, - and check them against the database. - returns User base model instance if succeeded, - raises HTTPException if fails. - ''' - db_user = await get_db_user_by_username(db, username=username) - if db_user and db_user.id == user_id: - return db_user - else: - raise HTTPException( - status_code=HTTP_401_UNAUTHORIZED, - headers=path, - detail="Your token is incorrect. Please log in again") + Depends, Session, check_jwt_token, get_authorization_cookie) async def is_logged_in( request: Request, db: Session = Depends(get_db), - jwt: str = Depends(get_cookie)) -> bool: + jwt: str = Depends(get_authorization_cookie)) -> bool: """ A dependency function protecting routes for only logged in user """ @@ -38,29 +15,11 @@ async def is_logged_in( return True -async def is_authenticated( - request: Request, - db: Session = Depends(get_db), - jwt: str = Depends(get_cookie)) -> User: - """ - A dependency function protecting routes for only logged in user. - Returns logged in User object. - """ - username, user_id = await check_jwt_token(db, jwt) - return await validate_user(db, int(user_id), username, request.url.path) - - -async def current_user( - request: Request, - db: Session = Depends(get_db)) -> Union[User, bool]: +async def is_manager( + request: Request, db: Session = Depends(get_db), + jwt: str = Depends(get_authorization_cookie)) -> bool: """ - A dependency function. - Returns logged in User object if exists. - None if not. + A dependency function protecting routes for only logged in manager """ - if 'Authorization' in request.cookies: - jwt = request.cookies['Authorization'] - else: - return None - username, user_id = await check_jwt_token(db, jwt) - return await validate_user(db, user_id, username, request.url.path) + await check_jwt_token(db, jwt, manager=True) + return True diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index ac0015d5..7e149e60 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -1,9 +1,7 @@ from datetime import datetime, timedelta from typing import Union -from app.config import JWT_ALGORITHM, JWT_KEY, JWT_MIN_EXP from passlib.context import CryptContext -from app.database.models import User from fastapi import Depends, HTTPException from fastapi.security import OAuth2PasswordBearer import jwt @@ -11,26 +9,24 @@ from sqlalchemy.orm import Session from starlette.requests import Request from starlette.responses import RedirectResponse -from starlette.status import HTTP_401_UNAUTHORIZED -from .schema import ForgotPassword, LoginUser +from starlette.status import HTTP_302_FOUND, HTTP_401_UNAUTHORIZED +from . import schema + +from app.config import JWT_ALGORITHM, JWT_KEY, JWT_MIN_EXP +from app.database.models import User pwd_context = CryptContext(schemes=["bcrypt"]) oauth_schema = OAuth2PasswordBearer(tokenUrl="/login") -async def get_db_user_by_username(db: Session, username: str) -> User: - """Checking database for user by username field""" - user = db.query(User).filter_by(username=username).first() - return user - - async def update_password( - db: Session, db_user: User, user_password: str): - print("im in") + db: Session, db_user: User, user_password: str) -> None: + """Updating User password in database""" hashed_password = get_hashed_password(user_password) db_user.password = hashed_password db.commit() + return def get_hashed_password(password: str) -> str: @@ -44,44 +40,49 @@ def verify_password(plain_password: str, hashed_password: str) -> bool: async def authenticate_user( - db: Session, user: Union[LoginUser, ForgotPassword], - email: bool = False) -> Union[LoginUser, ForgotPassword, bool]: + db: Session, user: Union[schema.LoginUser, schema.ForgotPassword], + email: bool = False) -> Union[ + schema.LoginUser, schema.ForgotPassword, bool]: """ Verifying database record by username. Comparing other given details to database record, varies with which function called this action. """ - db_user = await get_db_user_by_username(db=db, username=user.username) + db_user = await User.get_by_username(db=db, username=user.username) if not db_user: return False - if email and db_user.email == user.email: - return ForgotPassword( - username=user.username, user_id=db_user.id, email=db_user.email) + if email: + if db_user.email == user.email: + return schema.ForgotPassword( + username=user.username, + user_id=db_user.id, email=db_user.email) + return False elif verify_password(user.password, db_user.password): - return LoginUser( - user_id=db_user.id, + return schema.LoginUser( + user_id=db_user.id, is_manager=db_user.is_manager, username=user.username, password=db_user.password) return False def create_jwt_token( - user: Union[LoginUser, ForgotPassword], - JWT_MIN_EXP: int = JWT_MIN_EXP, - JWT_KEY: str = JWT_KEY) -> str: + user: schema.LoginUser, jwt_min_exp: int = JWT_MIN_EXP, + jwt_key: str = JWT_KEY) -> str: """Creating jwt-token out of user unique data""" - expiration = datetime.utcnow() + timedelta(minutes=JWT_MIN_EXP) + expiration = datetime.utcnow() + timedelta(minutes=jwt_min_exp) jwt_payload = { "sub": user.username, "user_id": user.user_id, + "is_manager": user.is_manager, "exp": expiration} jwt_token = jwt.encode( - jwt_payload, JWT_KEY, algorithm=JWT_ALGORITHM) + jwt_payload, jwt_key, algorithm=JWT_ALGORITHM) return jwt_token async def check_jwt_token( db: Session, - token: str = Depends(oauth_schema), path: bool = None) -> User: + token: str = Depends(oauth_schema), path: bool = None, + manager: bool = False) -> User: """ Check whether JWT token is correct. Returns jwt payloads if correct. @@ -90,7 +91,14 @@ async def check_jwt_token( try: jwt_payload = jwt.decode( token, JWT_KEY, algorithms=JWT_ALGORITHM) - return jwt_payload.get("sub"), jwt_payload.get("user_id") + if not manager: + return True + if jwt_payload.get("is_manager"): + return True + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + headers=path, + detail="You don't have a permition to enter this page") except InvalidSignatureError: raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, @@ -108,7 +116,7 @@ async def check_jwt_token( detail="Your token is incorrect. Please log in again") -async def get_cookie(request: Request) -> str: +async def get_authorization_cookie(request: Request) -> str: """ Extracts jwt from HTTPONLY cookie, if exists. Raises HTTPException if not. @@ -131,6 +139,6 @@ async def auth_exception_handler( """ paramas = f"?next={exc.headers}&message={exc.detail}" url = f"/login{paramas}" - response = RedirectResponse(url=url) + response = RedirectResponse(url=url, status_code=HTTP_302_FOUND) response.delete_cookie('Authorization') return response diff --git a/app/internal/security/reset_password.py b/app/internal/security/reset_password.py index 8bbdf686..caed0e01 100644 --- a/app/internal/security/reset_password.py +++ b/app/internal/security/reset_password.py @@ -1,26 +1,27 @@ -from app.config import (CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf) -from app.dependencies import templates -from app.dependencies import get_db -from app.internal.security.schema import ForgotPassword from fastapi import BackgroundTasks from fastapi_mail import FastMail, MessageSchema from sqlalchemy.orm import Session +from app.config import ( + CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf) +from app.dependencies import templates +from app.internal.security.schema import ForgotPassword + mail = FastMail(email_conf) async def send_mail( - session: Session, user: ForgotPassword, - background_tasks: BackgroundTasks) -> bool: - '''Sending email to user, containing reset password link''' - template = templates.get_template("reset_password_mail.html") - html = template.render(recipient=user.username, - site_name=CALENDAR_SITE_NAME, - link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", - email=user.email) - message = MessageSchema( - subject=f"{CALENDAR_SITE_NAME} reset password", - recipients=[user.email], body = html, subtype='html') - background_tasks.add_task(mail.send_message, message) - return True \ No newline at end of file + session: Session, user: ForgotPassword, + background_tasks: BackgroundTasks) -> bool: + template = templates.get_template("reset_password_mail.html") + html = template.render( + recipient=user.username, + site_name=CALENDAR_SITE_NAME, + link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", + email=user.email) + message = MessageSchema( + subject=f"{CALENDAR_SITE_NAME} reset password", + recipients=[user.email], body=html, subtype='html') + background_tasks.add_task(mail.send_message, message) + return True diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index f2ed0896..9b40fdf3 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -9,6 +9,7 @@ class LoginUser(BaseModel): Returns a User object for signing in. """ user_id: Optional[int] + is_manager: Optional[bool] username: str password: str @@ -25,10 +26,10 @@ class ForgotPassword(BaseModel): email: str user_id: Optional[str] = None token: Optional[str] = None + is_manager: Optional[bool] = False class Config: orm_mode = True - @validator('username') def password_length(cls, username: str) -> Union[ValueError, str]: @@ -53,7 +54,6 @@ class ResetPassword(BaseModel): class Config: orm_mode = True - @validator('confirm_password') def passwords_match( cls, confirm_password: str, @@ -63,10 +63,9 @@ def passwords_match( raise ValueError return confirm_password - @validator('password') def password_length(cls, password: str) -> Union[ValueError, str]: """Validating password length is legal""" if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): raise ValueError - return password \ No newline at end of file + return password diff --git a/app/main.py b/app/main.py index 93e49d29..1ca25d10 100644 --- a/app/main.py +++ b/app/main.py @@ -42,9 +42,8 @@ def create_tables(engine, psql_environment): ) json_data_loader.load_to_db(next(get_db())) -from tests import security_testing_routes + routers_to_include = [ - security_testing_routes.router, agenda.router, calendar.router, categories.router, diff --git a/app/routers/login.py b/app/routers/login.py index 9a8a12c4..99fd5b5c 100644 --- a/app/routers/login.py +++ b/app/routers/login.py @@ -1,15 +1,15 @@ from typing import Optional, Union -from app.dependencies import get_db, templates -from app.internal.security.dependancies import ( - User, current_user) -from app.internal.security.ouath2 import ( - authenticate_user, create_jwt_token, LoginUser) from fastapi import APIRouter, Depends, Request from sqlalchemy.orm import Session from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND +from app.dependencies import get_db, templates +from app.internal.security.ouath2 import ( + authenticate_user, create_jwt_token) +from app.internal.security import schema + router = APIRouter( prefix="", @@ -20,15 +20,12 @@ @router.get("/login") async def login_user_form( - request: Request, message: Optional[str] = "", - current_user: Union[User, None] = Depends(current_user)) -> templates: + request: Request, message: Optional[str] = "") -> templates: """rendering login route get method""" - if current_user: - return RedirectResponse(url='/') return templates.TemplateResponse("login.html", { "request": request, "message": message, - 'current_user': current_user + 'current_user': "logged in" }) @@ -43,7 +40,7 @@ async def login( form_dict = dict(form) # creating pydantic schema object out of form data - user = LoginUser(**form_dict) + user = schema.LoginUser(**form_dict) """ Validaiting login form data, if user exist in database, @@ -62,7 +59,8 @@ async def login( jwt_token = create_jwt_token(user) else: jwt_token = existing_jwt - + if not next.startswith("/"): + next = "/" response = RedirectResponse(next, status_code=HTTP_302_FOUND) response.set_cookie( "Authorization", diff --git a/app/routers/register.py b/app/routers/register.py index 502283e3..2ffa5f80 100644 --- a/app/routers/register.py +++ b/app/routers/register.py @@ -1,13 +1,16 @@ -from app.internal import user -from app.database.schemas import UserCreate -from app.dependencies import get_db, templates +from typing import Dict + from fastapi import APIRouter, Depends, Request from pydantic import ValidationError -from sqlalchemy.exc import IntegrityError from sqlalchemy.orm import Session from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND +from app.internal.security.ouath2 import get_hashed_password +from app.database import schemas +from app.database import models +from app.dependencies import get_db, templates + router = APIRouter( prefix="", @@ -16,21 +19,51 @@ ) -async def render_registration_error( - db: Session, new_user: UserCreate) -> dict: - """After registering new user fails, defines relevant errors""" - db.rollback() +async def create_user( + db: Session, user: schemas.UserCreate) -> models.User: + """ + creating a new User object in the database, with hashed password + """ + unhashed_password = user.password.encode('utf-8') + hashed_password = get_hashed_password(unhashed_password) + user_details = { + 'username': user.username, + 'full_name': user.full_name, + 'email': user.email, + 'password': hashed_password, + 'description': user.description, + } + db_user = models.User(**user_details) + db.add(db_user) + db.commit() + db.refresh(db_user) + return db_user + + +async def check_unique_fields( + db: Session, new_user: schemas.UserCreate) -> dict: + """Verifying new user details are unique. Return relevant errors""" errors = {} - db_user_email = user.get_by_mail(db, email=new_user.email) - db_user_username = user.get_by_username( - db, username=new_user.username) - if db_user_username: + if db.query( + db.query(models.User).filter( + models.User.username == new_user.username).exists()).scalar(): errors['username'] = "That username is already taken" - if db_user_email: + if db.query( + db.query(models.User).filter( + models.User.email == new_user.email).exists()).scalar(): errors['email'] = "Email already registered" return errors +def get_error_messages_by_fields(errors: [list]) -> Dict[str, str]: + """Getting validation errors by fields from pydantic ValidationError""" + errors_by_fields = {error['loc'][0]: error['msg'] for error in errors} + return { + field_name: f"{field_name.capitalize()} {error_message}" + for field_name, error_message in errors_by_fields.items() + } + + @router.get("/register") async def register_user_form(request: Request) -> templates: """rendering register route get method""" @@ -50,32 +83,19 @@ async def register( try: # creating pydantic schema object out of form data - new_user = UserCreate(**form_dict) + new_user = schemas.UserCreate(**form_dict) except ValidationError as e: # if pydantic validations fails, rendering errors to register.html - - errors_dict = {error['loc'][0]: error['msg'] for error in e.errors()} - errors = { - field: " ".join(( - field.capitalize(), error_message) - ) for field, error_message in errors_dict.items()} - + errors = get_error_messages_by_fields(e.errors()) return templates.TemplateResponse("register.html", { "request": request, "errors": errors, "form_values": form_dict}) - try: - # attempt creating User Model object, and saving to database - - user.create(db=db, user=new_user) - - # if user registration fails due to database unique fields - - # rendering errors to register.html - - except IntegrityError: - errors = await render_registration_error(db, new_user) + errors = await check_unique_fields(db, new_user) + if errors: return templates.TemplateResponse("register.html", { "request": request, "errors": errors, "form_values": form_dict}) + await create_user(db=db, user=new_user) return RedirectResponse('/profile', status_code=HTTP_302_FOUND) diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 59e6139e..d0a476ae 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -1,19 +1,20 @@ -from typing import Optional, Union +from typing import Optional +from fastapi import APIRouter, Depends, Request +from pydantic import ValidationError +from sqlalchemy.orm import Session +from starlette.responses import RedirectResponse +from starlette.status import HTTP_302_FOUND + +from app.database.models import User from app.dependencies import get_db, templates -from app.internal.security.dependancies import is_authenticated from app.internal.security.ouath2 import ( authenticate_user, check_jwt_token, create_jwt_token, update_password) from app.internal.security.reset_password import ( - BackgroundTasks ,send_mail) + BackgroundTasks, send_mail) from app.internal.security.schema import ( - ForgotPassword, LoginUser, ResetPassword) -from fastapi import APIRouter, Depends, Request -from pydantic import ValidationError -from sqlalchemy.orm import Session -from starlette.responses import RedirectResponse -from starlette.status import HTTP_302_FOUND + ForgotPassword, ResetPassword) router = APIRouter( @@ -35,7 +36,7 @@ async def forgot_password_form( @router.post('/forgot-password') async def forgot_password( request: Request, background_tasks: BackgroundTasks, - db: Session = Depends(get_db)) -> templates: + db: Session = Depends(get_db)) -> templates: """ Validaiting form data fields. Validaiting form data against database records. @@ -51,9 +52,9 @@ async def forgot_password( except ValidationError: user = False if user: - user = await authenticate_user(db, user, email=True) + user = await authenticate_user(db, user, email=True) if user: - user.token = create_jwt_token(user, JWT_MIN_EXP=15) + user.token = create_jwt_token(user, jwt_min_exp=15) await send_mail(db, user, background_tasks) return templates.TemplateResponse("forgot_password.html", { "request": request, @@ -90,14 +91,15 @@ async def reset_password( Receives form data, and validates all fields are correct. Validating token. validatting form data against database records. - validatting jwt details against database records. If all validations succeed, hashing new password and updating database. ''' + await check_jwt_token(db, token) form = await request.form() form_dict = dict(form) - db_user = await is_authenticated(request=request, db = db, jwt = token) + db_user = await User.get_by_username( + db=db, username=form_dict['username']) validated = True - if not form_dict['username'] == db_user.username: + if not db_user: validated = False try: # validating form data by creating pydantic schema object @@ -106,9 +108,8 @@ async def reset_password( validated = False if not validated: return templates.TemplateResponse("reset_password.html", { - "request": request, - "message": 'Please check your credentials' - }) + "request": request, + "message": 'Please check your credentials'}) await update_password(db, db_user, user.password) return RedirectResponse( url="/login?message=Success reset password", diff --git a/app/static/style.css b/app/static/style.css index b49e00d0..234454b7 100644 --- a/app/static/style.css +++ b/app/static/style.css @@ -71,3 +71,9 @@ body { padding-left: 12.5rem; } +.forgot-password{ + line-height: 0; + color: rgb(188, 7, 194); + padding-left: 8rem; +} + diff --git a/app/templates/login.html b/app/templates/login.html index 739f3ef3..f7caa53b 100644 --- a/app/templates/login.html +++ b/app/templates/login.html @@ -19,6 +19,9 @@

    Login

    + + Forgot Password? + {% endblock %} diff --git a/tests/asyncio_fixture.py b/tests/asyncio_fixture.py index e7624373..8d18d52b 100644 --- a/tests/asyncio_fixture.py +++ b/tests/asyncio_fixture.py @@ -9,16 +9,7 @@ from app.routers.event import create_event from tests.client_fixture import get_test_placeholder_user from tests.conftest import get_test_db, test_engine -from app.routers import reset_password - -# @pytest.fixture -# async def reset_password_client(): -# Base.metadata.create_all(bind=test_engine) -# app.dependency_overrides[reset_password.get_db] = get_test_db -# async with AsyncClient(app=app, base_url="http://test") as ac: -# yield ac -# app.dependency_overrides = {} -# Base.metadata.drop_all(bind=test_engine) + @pytest.fixture async def telegram_client(): diff --git a/tests/security_testing_routes.py b/tests/security_testing_routes.py index 850971a8..d6dfeadd 100644 --- a/tests/security_testing_routes.py +++ b/tests/security_testing_routes.py @@ -1,5 +1,4 @@ -from app.internal.security.dependancies import ( - User, current_user, is_authenticated, is_logged_in) +from app.internal.security.dependancies import is_manager, is_logged_in from fastapi import APIRouter, Depends, Request @@ -24,22 +23,11 @@ async def protected_route( return {"user": user} -@router.get('/is_authenticated') -async def is_authenticated( - request: Request, user: User = Depends(is_authenticated)): - # This is how to protect route for logged in user only. - # Dependency will return User object. - # if user not looged-in, will be redirected to login route. - return {"user": user.username} - - -@router.get('/test_user') -async def user_route( - request: Request, current_user: User = Depends(current_user)): - # This is how to get current_user in a route. - # Dependency will return User object, or None if user not logged in. - if current_user: - name = current_user.username - else: - name = "No logged in user" - return {"user": name} +@router.get('/manager') +async def manager_route( + request: Request, user: bool = Depends(is_manager)): + # This is how to protect route for logged in manager only. + # Dependency will return True. + # if user not looged-in, or have no manager permission, + # will be redirected to login route. + return {"manager": user} diff --git a/tests/test_login.py b/tests/test_login.py index df5d27c9..715f322d 100644 --- a/tests/test_login.py +++ b/tests/test_login.py @@ -1,7 +1,11 @@ import pytest -from app.internal.security.ouath2 import create_jwt_token, LoginUser + from starlette.status import HTTP_302_FOUND +from app.database.models import User +from app.internal.security.ouath2 import create_jwt_token +from app.internal.security.schema import LoginUser + def test_login_route_ok(security_test_client): response = security_test_client.get("/login") @@ -52,7 +56,6 @@ def test_is_logged_in_dependency_with_logged_in_user( security_test_client.post('/register', data=REGISTER_DETAIL) security_test_client.post('/login', data=LOGIN_DATA) res = security_test_client.get('/protected') - print(res) assert res.json() == {"user": True} @@ -63,24 +66,25 @@ def test_is_logged_in_dependency_without_logged_in_user( assert b'Please log in' in res.content -def test_current_user_dependency_exists(session, security_test_client): +def test_is_manager_in_dependency_with_logged_in_regular_user( + session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) - res = security_test_client.post('/login', data=LOGIN_DATA) - res = security_test_client.get('/test_user') - assert res.json() == {"user": 'correct_user'} + security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/manager') + assert b"have a permition" in res.content -def test_is_authenticated_dependency_exists(session, security_test_client): +def test_is_manager_in_dependency_with_logged_in_manager( + session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) - res = security_test_client.post('/login', data=LOGIN_DATA) - res = security_test_client.get('/is_authenticated') - assert res.json() == {"user": 'correct_user'} - - -def test_is_authenticated_dependency_not_exists(session, security_test_client): - res = security_test_client.get('/logout') - res = security_test_client.get('/is_authenticated') - assert b'Please log in' in res.content + manager = session.query(User).filter( + User.username == 'correct_user').first() + manager.is_manager = True + session.commit() + security_test_client.post('/login', data=LOGIN_DATA) + res = security_test_client.get('/manager') + print(res.content) + assert res.json() == {"manager": True} def test_logout(session, security_test_client): @@ -88,15 +92,9 @@ def test_logout(session, security_test_client): assert b'Login' in res.content -def test_current_user_dependency_not_exists( - session, security_test_client): - res = security_test_client.get('/test_user') - assert res.json() == {"user": "No logged in user"} - - def test_incorrect_secret_key_in_token(session, security_test_client): user = LoginUser(**LOGIN_DATA) - incorrect_token = create_jwt_token(user, JWT_KEY="wrong secret key") + incorrect_token = create_jwt_token(user, jwt_key="wrong secret key") security_test_client.post('/register', data=REGISTER_DETAIL) url = f"/login?existing_jwt={incorrect_token}" security_test_client.post(f'{url}', data=LOGIN_DATA) @@ -104,20 +102,10 @@ def test_incorrect_secret_key_in_token(session, security_test_client): assert b'Your token is incorrect' in res.content -def test_wrong_details_in_token(session, security_test_client): - user = LoginUser(**WRONG_LOGIN_DATA) - incorrect_token = create_jwt_token(user) - security_test_client.post('/register', data=REGISTER_DETAIL) - url = f"/login?existing_jwt={incorrect_token}" - security_test_client.post(f'{url}', data=LOGIN_DATA) - res = security_test_client.get('/is_authenticated') - assert b'Your token is incorrect' in res.content - - def test_expired_token(session, security_test_client): security_test_client.get('/logout') user = LoginUser(**LOGIN_DATA) - incorrect_token = create_jwt_token(user, JWT_MIN_EXP=-1) + incorrect_token = create_jwt_token(user, jwt_min_exp=-1) security_test_client.post('/register', data=REGISTER_DETAIL) url = f"/login?existing_jwt={incorrect_token}" security_test_client.post(f'{url}', data=LOGIN_DATA) @@ -133,10 +121,3 @@ def test_corrupted_token(session, security_test_client): security_test_client.post(f'{url}', data=LOGIN_DATA) res = security_test_client.get('/protected') assert b'Your token is incorrect' in res.content - - -def test_forbidden_route_for_logged_in_user(session, security_test_client): - security_test_client.post('/register', data=REGISTER_DETAIL) - security_test_client.post('/login', data=LOGIN_DATA) - res = security_test_client.get('/login') - assert b'Login' not in res.content diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index 6cdb8646..3a9e45ac 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -1,9 +1,10 @@ import pytest -from app.internal.security.ouath2 import create_jwt_token, LoginUser -from app.internal.security.reset_password import mail, send_mail + from starlette.status import HTTP_302_FOUND -from app.internal.security.ouath2 import create_jwt_token, ForgotPassword -from app.config import CALENDAR_RESET_PASSWORD_PAGE + +from app.internal.security.ouath2 import create_jwt_token +from app.internal.security.reset_password import mail +from app.internal.security.schema import ForgotPassword REGISTER_DETAIL = { @@ -11,15 +12,48 @@ 'password': 'correct_password', 'confirm_password': 'correct_password', 'email': 'example@email.com', 'description': ""} - -FORGOT_PASSWORD_DETAILS = {'username': 'correct_user', 'email': 'example@email.com'} - - -def test_login_route_ok(security_test_client): +FORGOT_PASSWORD_BAD_DETAILS = [ + ('', ''), + ('', 'example@email.com'), + ('correct_user', ''), + ('incorrect_user', 'example@email.com'), + ('correct_user', 'inncorrect@email.com') +] + +FORGOT_PASSWORD_DETAILS = { + 'username': 'correct_user', 'email': 'example@email.com'} + +RESET_PASSWORD_BAD_CREDENTIALS = [ + ('', '', ''), + ('correct_user', '', 'new_password'), + ('', 'new_password', 'new_password'), + ('correct_user', 'new_password', ''), + ('wrong_user', 'new_password', 'new_password'), + ('correct_user', '', 'new_password'), + ('correct_user', 'new_password', ''), + ('correct_user', 'new_password', 'new_password1') +] + +RESET_PASSWORD_DETAILS = { + 'username': 'correct_user', + 'password': 'new_password', 'confirm_password': 'new_password'} + + +def test_forgot_password_route_ok(security_test_client): response = security_test_client.get("/forgot-password") assert response.ok +@pytest.mark.parametrize( + "username, email", FORGOT_PASSWORD_BAD_DETAILS) +def test_forgot_password_bad_details( + session, security_test_client, username, email): + security_test_client.post('/register', data=REGISTER_DETAIL) + data = {'username': username, 'email': email} + res = security_test_client.post("/forgot-password", data=data) + assert b'Please check your credentials' in res.content + + def test_email_send(session, security_test_client, smtpd): security_test_client.post('/register', data=REGISTER_DETAIL) mail.config.SUPPRESS_SEND = 1 @@ -28,37 +62,56 @@ def test_email_send(session, security_test_client, smtpd): mail.config.USE_CREDENTIALS = False mail.config.MAIL_TLS = False with mail.record_messages() as outbox: - response = security_test_client.post("/forgot-password", data=FORGOT_PASSWORD_DETAILS) + response = security_test_client.post( + "/forgot-password", data=FORGOT_PASSWORD_DETAILS) assert len(outbox) == 1 assert b'Email for reseting password was sent' in response.content assert 'reset password' in outbox[0]['subject'] def test_reset_password_GET_without_token(session, security_test_client): - user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) - token = create_jwt_token(user, JWT_MIN_EXP=15) - link = f"{CALENDAR_RESET_PASSWORD_PAGE}" - res = security_test_client.get(link) + res = security_test_client.get("/reset-password") assert b'Verification token is missing' in res.content def test_reset_password_GET_with_token(session, security_test_client): - user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) - token = create_jwt_token(user, JWT_MIN_EXP=15) - link = f"{CALENDAR_RESET_PASSWORD_PAGE}?token={token}" + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + link = f"/reset-password?token={token}" res = security_test_client.get(link) assert b'Please choose a new password' in res.content -# def test_reset_password_POST_with_legal_token(session, security_test_client): -# user = ForgotPassword(user_id=1, **FORGOT_PASSWORD_DETAILS) -# expired_token = create_jwt_token(user, JWT_MIN_EXP=15) -# link = f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}" -# res = security_test_client.get(link) -# assert b'Please choose a new password' in res.content - +@pytest.mark.parametrize( + "username, password, confirm_password", RESET_PASSWORD_BAD_CREDENTIALS) +def test_reset_password_bad_details( + session, security_test_client, username, password, confirm_password): + security_test_client.post('/register', data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + link = f"/reset-password?token={token}" + data = { + 'username': username, 'password': password, + 'confirm_password': confirm_password + } + res = security_test_client.post(link, data=data) + assert b'Please check your credentials' in res.content + + +def test_reset_password_successfully(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + link = f"/reset-password?token={token}" + res = security_test_client.post(link, data=RESET_PASSWORD_DETAILS) + assert res.status_code == HTTP_302_FOUND - - - \ No newline at end of file +def test_reset_password_expired_token(session, security_test_client): + security_test_client.post('/register', data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=-1) + link = f"/reset-password?token={token}" + res = security_test_client.post(link, data=RESET_PASSWORD_DETAILS) + # assert b'Your token has expired' in res.content + assert res.ok From 2977af11fa8974a0943c73b43b978d4c1bc4aae1 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 16 Feb 2021 17:05:55 +0200 Subject: [PATCH 45/56] before pull from develop --- app/internal/security/reset_password.py | 5 ++--- app/static/style.css | 6 ++++-- app/templates/forgot_password.html | 2 +- app/templates/reset_password_mail.html | 2 +- tests/test_reset_password.py | 1 - 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/internal/security/reset_password.py b/app/internal/security/reset_password.py index caed0e01..daf5be00 100644 --- a/app/internal/security/reset_password.py +++ b/app/internal/security/reset_password.py @@ -3,7 +3,7 @@ from sqlalchemy.orm import Session from app.config import ( - CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, email_conf) + CALENDAR_RESET_PASSWORD_PAGE, email_conf) from app.dependencies import templates from app.internal.security.schema import ForgotPassword @@ -17,11 +17,10 @@ async def send_mail( template = templates.get_template("reset_password_mail.html") html = template.render( recipient=user.username, - site_name=CALENDAR_SITE_NAME, link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", email=user.email) message = MessageSchema( - subject=f"{CALENDAR_SITE_NAME} reset password", + subject=f"Calendar reset password", recipients=[user.email], body=html, subtype='html') background_tasks.add_task(mail.send_message, message) return True diff --git a/app/static/style.css b/app/static/style.css index 5b21e614..6fabaeb9 100644 --- a/app/static/style.css +++ b/app/static/style.css @@ -103,13 +103,15 @@ p { padding-left: 12.5rem; } -.forgot-password{ +.forgot-password { line-height: 0; color: rgb(188, 7, 194); padding-left: 8rem; } - +.red-massage { + color: red; +} .subtitle { font-size: 20px; } diff --git a/app/templates/forgot_password.html b/app/templates/forgot_password.html index 869e2498..3aeca9fd 100644 --- a/app/templates/forgot_password.html +++ b/app/templates/forgot_password.html @@ -3,7 +3,7 @@
    Please verify your Username and Email:
    {% if message %} -
    {{ message }}
    +
    {{ message }}
    {% endif %}
    diff --git a/app/templates/reset_password_mail.html b/app/templates/reset_password_mail.html index abcbaa2e..76b8108e 100644 --- a/app/templates/reset_password_mail.html +++ b/app/templates/reset_password_mail.html @@ -1,5 +1,5 @@

    Hi, {{ recipient }}!

    -

    You received this email from {{ site_name }} because you asked to reset your password.

    +

    You received this email from Calendar because you asked to reset your password.

    To continue with resetting your password, please click the confirmation link

    This confirmation link will expired in 15 minutes

    This email has been sent to {{ email }}.

    diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index 3a9e45ac..a724c4c8 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -113,5 +113,4 @@ def test_reset_password_expired_token(session, security_test_client): token = create_jwt_token(user, jwt_min_exp=-1) link = f"/reset-password?token={token}" res = security_test_client.post(link, data=RESET_PASSWORD_DETAILS) - # assert b'Your token has expired' in res.content assert res.ok From b5471c4e28be35ea26516ecac92b20f3b07db95c Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 16 Feb 2021 18:17:13 +0200 Subject: [PATCH 46/56] docstring added --- app/internal/email.py | 10 +++++++++- app/routers/reset_password.py | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/app/internal/email.py b/app/internal/email.py index 67f37d1e..d1f1c3f9 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -185,8 +185,16 @@ def verify_email_pattern(email: str) -> bool: async def send_reset_password_mail( - session: Session, user: ForgotPassword, + user: ForgotPassword, background_tasks: BackgroundTasks) -> bool: + """ + This function sends a reset password email to user. + :param user: ForgotPassword schema. + Contains user's email address, jwt verifying token. + :param background_tasks: (BackgroundTasks): Function from fastapi that lets + you apply tasks in the background. + returns True + """ template = templates.get_template("reset_password_mail.html") html = template.render( recipient=user.username, diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 78304066..31f9754d 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -55,7 +55,7 @@ async def forgot_password( user = await authenticate_user(db, user, email=True) if user: user.token = create_jwt_token(user, jwt_min_exp=15) - await send_reset_password_mail(db, user, background_tasks) + await send_reset_password_mail(user, background_tasks) return templates.TemplateResponse("forgot_password.html", { "request": request, "message": "Email for reseting password was sent"}) From a59229620a97925b4f962d61b473b5c968daea1a Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 17 Feb 2021 13:49:56 +0200 Subject: [PATCH 47/56] send_reset_password_mail function updated --- app/internal/email.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/app/internal/email.py b/app/internal/email.py index d1f1c3f9..7f41eca3 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -200,8 +200,9 @@ async def send_reset_password_mail( recipient=user.username, link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", email=user.email) - message = MessageSchema( - subject="Calendar reset password", - recipients=[user.email], body=html, subtype='html') - background_tasks.add_task(mail.send_message, message) + background_tasks.add_task(send_internal, + subject="Calendar reset password", + recipients=[user.email], + body=html, + subtype='html') return True From 2d9066fb3f257101450cea6d43c8aba2ae07e6c4 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Thu, 18 Feb 2021 20:25:18 +0200 Subject: [PATCH 48/56] tests fixed --- tests/test_user_crud.py | 49 ----------------------------------------- 1 file changed, 49 deletions(-) delete mode 100644 tests/test_user_crud.py diff --git a/tests/test_user_crud.py b/tests/test_user_crud.py deleted file mode 100644 index 12205dd4..00000000 --- a/tests/test_user_crud.py +++ /dev/null @@ -1,49 +0,0 @@ -from app.internal import user as crud -from app.database import schemas - -user_details = { - 'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} -user = schemas.UserCreate(**user_details) - - -user_details = { - 'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} - - -def test_create_user(session): - user = schemas.UserCreate(**user_details) - user = crud.create(db=session, user=user) - assert user.username == 'username' - - -def test_get_user_by_id(session): - user = schemas.UserCreate(**user_details) - user = crud.create(db=session, user=user) - user = crud.get_by_id(session, 1) - assert user.username == 'username' - - -def test_get_user_by_username(session): - user = schemas.UserCreate(**user_details) - user = crud.create(db=session, user=user) - user = crud.get_by_username(session, 'username') - assert user.full_name == 'full_name' - - -def test_get_user_by_email(session): - user = schemas.UserCreate(**user_details) - user = crud.create(db=session, user=user) - user = crud.get_by_mail(session, 'example@email.com') - assert user.full_name == 'full_name' - - -def test_delete_user_by_email(session): - user = schemas.UserCreate(**user_details) - crud.create(db=session, user=user) - crud.delete_by_mail(session, 'example@email.com') - user = crud.get_by_mail(session, 'example@email.com') - assert user is None From e0daa16d751f7aad350624ff595c8dfe8579d4c4 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Mon, 22 Feb 2021 10:17:37 +0200 Subject: [PATCH 49/56] CR and more fixes --- app/config.py.example | 4 ++-- app/internal/email.py | 5 +++-- app/internal/security/ouath2.py | 6 ++++-- app/internal/security/schema.py | 2 +- app/routers/reset_password.py | 27 ++++++++++++------------ tests/test_reset_password.py | 37 ++++++++++++++++++++++----------- 6 files changed, 48 insertions(+), 33 deletions(-) diff --git a/app/config.py.example b/app/config.py.example index ef2ee4c0..b6f11a25 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -16,7 +16,7 @@ class Settings(BaseSettings): # GENERAL -DOMAIN = 'Our-Domain' +DOMAIN = 'https://calendar.pythonic.guru/' # DATABASE DEVELOPMENT_DATABASE_STRING = "sqlite:///./dev.db" @@ -63,7 +63,7 @@ email_conf = ConnectionConfig( JWT_KEY = "JWT_KEY_PLACEHOLDER" JWT_ALGORITHM = "HS256" JWT_MIN_EXP = 60 * 24 * 7 -CALENDAR_RESET_PASSWORD_PAGE = "calendar.pythonic.guru/reset-password" +CALENDAR_RESET_PASSWORD_PAGE = "/reset-password" templates = Jinja2Templates(directory=os.path.join("app", "templates")) diff --git a/app/internal/email.py b/app/internal/email.py index 7f41eca3..6cf78bd0 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -9,7 +9,7 @@ from app.config import (CALENDAR_HOME_PAGE, CALENDAR_REGISTRATION_PAGE, CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, - email_conf + DOMAIN, email_conf ) from app.database.models import Event, User from app.dependencies import templates @@ -195,10 +195,11 @@ async def send_reset_password_mail( you apply tasks in the background. returns True """ + params = f"?email_verification_token={user.email_verification_token}" template = templates.get_template("reset_password_mail.html") html = template.render( recipient=user.username, - link=f"{CALENDAR_RESET_PASSWORD_PAGE}?token={user.token}", + link=f"{DOMAIN}{CALENDAR_RESET_PASSWORD_PAGE}{params}", email=user.email) background_tasks.add_task(send_internal, subject="Calendar reset password", diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index f2818d84..d85db663 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -21,8 +21,10 @@ async def update_password( - db: Session, db_user: User, user_password: str) -> None: + db: Session, username: str, user_password: str) -> None: """Updating User password in database""" + db_user = await User.get_by_username( + db=db, username=username) hashed_password = get_hashed_password(user_password) db_user.password = hashed_password db.commit() @@ -39,7 +41,7 @@ def verify_password(plain_password: str, hashed_password: str) -> bool: return pwd_context.verify(plain_password, hashed_password) -async def authenticate_user_by_email( +async def is_email_compatible_to_username( db: Session, user: schema.ForgotPassword, email: bool = False) -> Union[schema.ForgotPassword, bool]: """ diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index f316a674..ff1fc7fb 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -32,7 +32,7 @@ class ForgotPassword(BaseModel): username: str email: str user_id: Optional[str] = None - token: Optional[str] = None + email_verification_token: Optional[str] = None is_manager: Optional[bool] = False class Config: diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 764b1c85..6741edc6 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -6,10 +6,9 @@ from starlette.responses import RedirectResponse from starlette.status import HTTP_302_FOUND -from app.database.models import User from app.dependencies import get_db, templates from app.internal.security.ouath2 import ( - authenticate_user_by_email, get_jwt_token, + is_email_compatible_to_username, get_jwt_token, create_jwt_token, update_password) from app.internal.email import ( BackgroundTasks, send_reset_password_mail) @@ -52,9 +51,10 @@ async def forgot_password( except ValidationError: user = False if user: - user = await authenticate_user_by_email(db, user) + user = await is_email_compatible_to_username(db, user) if user: - user.token = create_jwt_token(user, jwt_min_exp=15) + user.email_verification_token = create_jwt_token( + user, jwt_min_exp=15) await send_reset_password_mail(user, background_tasks) return templates.TemplateResponse("forgot_password.html", { "request": request, @@ -67,13 +67,13 @@ async def forgot_password( @router.get("/reset-password") async def reset_password_form( - request: Request, token: Optional[str] = "" + request: Request, email_verification_token: Optional[str] = "" ) -> templates: """ Rendering reset password form get method. Validating jwt token is supplied with request. """ - if token: + if email_verification_token: return templates.TemplateResponse("reset_password.html", { "request": request, }) @@ -83,23 +83,22 @@ async def reset_password_form( @router.post("/reset-password") async def reset_password( - request: Request, token: str = "", + request: Request, email_verification_token: str = "", db: Session = Depends(get_db) ) -> RedirectResponse: ''' - Receives jwt token. + Receives email verification jwt token. Receives form data, and validates all fields are correct. Validating token. - validatting form data against database records. + validatting form data against token details. If all validations succeed, hashing new password and updating database. ''' - await get_jwt_token(db, token) + jwt_payload = await get_jwt_token(db, email_verification_token) + jwt_username = jwt_payload.get("sub") form = await request.form() form_dict = dict(form) - db_user = await User.get_by_username( - db=db, username=form_dict['username']) validated = True - if not db_user: + if not form_dict['username'] == jwt_username: validated = False try: # validating form data by creating pydantic schema object @@ -110,7 +109,7 @@ async def reset_password( return templates.TemplateResponse("reset_password.html", { "request": request, "message": 'Please check your credentials'}) - await update_password(db, db_user, user.password) + await update_password(db, jwt_username, user.password) return RedirectResponse( url="/login?message=Success reset password", status_code=HTTP_302_FOUND) diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index a4ac6f8e..07510650 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -40,7 +40,8 @@ def test_forgot_password_route_ok(security_test_client): - response = security_test_client.get("/forgot-password") + response = security_test_client.get( + security_test_client.app.url_path_for('forgot_password_form')) assert response.ok @@ -50,7 +51,9 @@ def test_forgot_password_bad_details( session, security_test_client, username, email): security_test_client.post('/register', data=REGISTER_DETAIL) data = {'username': username, 'email': email} - res = security_test_client.post("/forgot-password", data=data) + res = security_test_client.post( + security_test_client.app.url_path_for('forgot_password'), + data=data) assert b'Please check your credentials' in res.content @@ -63,22 +66,26 @@ def test_email_send(session, security_test_client, smtpd): mail.config.MAIL_TLS = False with mail.record_messages() as outbox: response = security_test_client.post( - "/forgot-password", data=FORGOT_PASSWORD_DETAILS) + security_test_client.app.url_path_for('forgot_password'), + data=FORGOT_PASSWORD_DETAILS) assert len(outbox) == 1 assert b'Email for reseting password was sent' in response.content assert 'reset password' in outbox[0]['subject'] def test_reset_password_GET_without_token(session, security_test_client): - res = security_test_client.get("/reset-password") + res = security_test_client.get( + security_test_client.app.url_path_for('reset_password_form')) assert b'Verification token is missing' in res.content def test_reset_password_GET_with_token(session, security_test_client): user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=15) - link = f"/reset-password?token={token}" - res = security_test_client.get(link) + params = f"?email_verification_token={token}" + res = security_test_client.get( + security_test_client.app.url_path_for( + 'reset_password_form') + f'{params}') assert b'Please choose a new password' in res.content @@ -89,12 +96,14 @@ def test_reset_password_bad_details( security_test_client.post('/register', data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=15) - link = f"/reset-password?token={token}" data = { 'username': username, 'password': password, 'confirm_password': confirm_password } - res = security_test_client.post(link, data=data) + params = f"?email_verification_token={token}" + res = security_test_client.post( + security_test_client.app.url_path_for( + 'reset_password') + f'{params}', data=data) assert b'Please check your credentials' in res.content @@ -102,8 +111,10 @@ def test_reset_password_successfully(session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=15) - link = f"/reset-password?token={token}" - res = security_test_client.post(link, data=RESET_PASSWORD_DETAILS) + params = f"?email_verification_token={token}" + res = security_test_client.post( + security_test_client.app.url_path_for( + 'reset_password') + f'{params}', data=RESET_PASSWORD_DETAILS) assert res.status_code == HTTP_302_FOUND @@ -111,6 +122,8 @@ def test_reset_password_expired_token(session, security_test_client): security_test_client.post('/register', data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=-1) - link = f"/reset-password?token={token}" - res = security_test_client.post(link, data=RESET_PASSWORD_DETAILS) + params = f"?email_verification_token={token}" + res = security_test_client.post( + security_test_client.app.url_path_for( + 'reset_password') + f'{params}', data=RESET_PASSWORD_DETAILS) assert res.ok From fff36835b1403f2ba412af0d188711176c24c3b3 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 23 Feb 2021 16:43:20 +0200 Subject: [PATCH 50/56] CR fixes --- app/config.py.example | 3 +- app/internal/email.py | 132 ++++++++++++++++++++-------------- app/routers/reset_password.py | 104 ++++++++++++++++----------- tests/test_reset_password.py | 132 ++++++++++++++++++++-------------- 4 files changed, 221 insertions(+), 150 deletions(-) diff --git a/app/config.py.example b/app/config.py.example index 4b6cda90..a40e7f06 100644 --- a/app/config.py.example +++ b/app/config.py.example @@ -16,7 +16,7 @@ class Settings(BaseSettings): # GENERAL -DOMAIN = 'https://calendar.pythonic.guru/' +DOMAIN = 'Our-Domain' # DATABASE DEVELOPMENT_DATABASE_STRING = "sqlite:///./dev.db" @@ -63,7 +63,6 @@ email_conf = ConnectionConfig( JWT_KEY = "JWT_KEY_PLACEHOLDER" JWT_ALGORITHM = "HS256" JWT_MIN_EXP = 60 * 24 * 7 -CALENDAR_RESET_PASSWORD_PAGE = "/reset-password" templates = Jinja2Templates(directory=os.path.join("app", "templates")) diff --git a/app/internal/email.py b/app/internal/email.py index 6cf78bd0..2d8701a1 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -7,10 +7,13 @@ from pydantic.errors import EmailError from sqlalchemy.orm.session import Session -from app.config import (CALENDAR_HOME_PAGE, CALENDAR_REGISTRATION_PAGE, - CALENDAR_RESET_PASSWORD_PAGE, CALENDAR_SITE_NAME, - DOMAIN, email_conf - ) +from app.config import ( + CALENDAR_HOME_PAGE, + CALENDAR_REGISTRATION_PAGE, + CALENDAR_SITE_NAME, + DOMAIN, + email_conf, +) from app.database.models import Event, User from app.dependencies import templates from app.internal.security.schema import ForgotPassword @@ -20,8 +23,11 @@ def send( - session: Session, event_used: int, user_to_send: int, - title: str, background_tasks: BackgroundTasks = BackgroundTasks + session: Session, + event_used: int, + user_to_send: int, + title: str, + background_tasks: BackgroundTasks = BackgroundTasks, ) -> bool: """This function is being used to send emails in the background. It takes an event and a user and it sends the event to the user. @@ -37,10 +43,8 @@ def send( Returns: bool: Returns True if the email was sent, else returns False. """ - event_used = session.query(Event).filter( - Event.id == event_used).first() - user_to_send = session.query(User).filter( - User.id == user_to_send).first() + event_used = session.query(Event).filter(Event.id == event_used).first() + user_to_send = session.query(User).filter(User.id == user_to_send).first() if not user_to_send or not event_used: return False if not verify_email_pattern(user_to_send.email): @@ -50,18 +54,21 @@ def send( recipients = {"email": [user_to_send.email]}.get("email") body = f"begins at:{event_used.start} : {event_used.content}" - background_tasks.add_task(send_internal, - subject=subject, - recipients=recipients, - body=body) + background_tasks.add_task( + send_internal, + subject=subject, + recipients=recipients, + body=body, + ) return True -def send_email_invitation(sender_name: str, - recipient_name: str, - recipient_mail: str, - background_tasks: BackgroundTasks = BackgroundTasks - ) -> bool: +def send_email_invitation( + sender_name: str, + recipient_name: str, + recipient_mail: str, + background_tasks: BackgroundTasks = BackgroundTasks, +) -> bool: """ This function takes as parameters the sender's name, the recipient's name and his email address, configuration, and @@ -86,28 +93,35 @@ def send_email_invitation(sender_name: str, return False template = templates.get_template("invite_mail.html") - html = template.render(recipient=recipient_name, sender=sender_name, - site_name=CALENDAR_SITE_NAME, - registration_link=CALENDAR_REGISTRATION_PAGE, - home_link=CALENDAR_HOME_PAGE, - addr_to=recipient_mail) + html = template.render( + recipient=recipient_name, + sender=sender_name, + site_name=CALENDAR_SITE_NAME, + registration_link=CALENDAR_REGISTRATION_PAGE, + home_link=CALENDAR_HOME_PAGE, + addr_to=recipient_mail, + ) subject = "Invitation" recipients = [recipient_mail] body = html subtype = "html" - background_tasks.add_task(send_internal, - subject=subject, - recipients=recipients, - body=body, - subtype=subtype) + background_tasks.add_task( + send_internal, + subject=subject, + recipients=recipients, + body=body, + subtype=subtype, + ) return True -def send_email_file(file_path: str, - recipient_mail: str, - background_tasks: BackgroundTasks = BackgroundTasks): +def send_email_file( + file_path: str, + recipient_mail: str, + background_tasks: BackgroundTasks = BackgroundTasks, +): """ his function takes as parameters the file's path, the recipient's email address, configuration, and @@ -131,19 +145,23 @@ def send_email_file(file_path: str, body = "file" file_attachments = [file_path] - background_tasks.add_task(send_internal, - subject=subject, - recipients=recipients, - body=body, - file_attachments=file_attachments) + background_tasks.add_task( + send_internal, + subject=subject, + recipients=recipients, + body=body, + file_attachments=file_attachments, + ) return True -async def send_internal(subject: str, - recipients: List[str], - body: str, - subtype: Optional[str] = None, - file_attachments: Optional[List[str]] = None): +async def send_internal( + subject: str, + recipients: List[str], + body: str, + subtype: Optional[str] = None, + file_attachments: Optional[List[str]] = None, +): if file_attachments is None: file_attachments = [] @@ -152,8 +170,10 @@ async def send_internal(subject: str, recipients=[EmailStr(recipient) for recipient in recipients], body=body, subtype=subtype, - attachments=[UploadFile(file_attachment) - for file_attachment in file_attachments]) + attachments=[ + UploadFile(file_attachment) for file_attachment in file_attachments + ], + ) return await send_internal_internal(message) @@ -185,8 +205,9 @@ def verify_email_pattern(email: str) -> bool: async def send_reset_password_mail( - user: ForgotPassword, - background_tasks: BackgroundTasks) -> bool: + user: ForgotPassword, + background_tasks: BackgroundTasks, +) -> bool: """ This function sends a reset password email to user. :param user: ForgotPassword schema. @@ -198,12 +219,15 @@ async def send_reset_password_mail( params = f"?email_verification_token={user.email_verification_token}" template = templates.get_template("reset_password_mail.html") html = template.render( - recipient=user.username, - link=f"{DOMAIN}{CALENDAR_RESET_PASSWORD_PAGE}{params}", - email=user.email) - background_tasks.add_task(send_internal, - subject="Calendar reset password", - recipients=[user.email], - body=html, - subtype='html') + recipient=user.username, + link=f"{DOMAIN}/reset-password{params}", + email=user.email, + ) + background_tasks.add_task( + send_internal, + subject="Calendar reset password", + recipients=[user.email], + body=html, + subtype="html", + ) return True diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 6741edc6..02bed08c 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -8,12 +8,14 @@ from app.dependencies import get_db, templates from app.internal.security.ouath2 import ( - is_email_compatible_to_username, get_jwt_token, - create_jwt_token, update_password) -from app.internal.email import ( - BackgroundTasks, send_reset_password_mail) -from app.internal.security.schema import ( - ForgotPassword, ResetPassword) + is_email_compatible_to_username, + get_jwt_token, + create_jwt_token, + update_password, +) +from app.internal.email import BackgroundTasks, send_reset_password_mail +from app.internal.security.schema import ForgotPassword, ResetPassword +from app.routers.login import router as login_router router = APIRouter( @@ -24,18 +26,22 @@ @router.get("/forgot-password") -async def forgot_password_form( - request: Request) -> templates: +async def forgot_password_form(request: Request) -> templates: """rendering forgot password form get method""" - return templates.TemplateResponse("forgot_password.html", { - "request": request, - }) + return templates.TemplateResponse( + "forgot_password.html", + { + "request": request, + }, + ) -@router.post('/forgot-password') +@router.post("/forgot-password") async def forgot_password( - request: Request, background_tasks: BackgroundTasks, - db: Session = Depends(get_db)) -> templates: + request: Request, + background_tasks: BackgroundTasks, + db: Session = Depends(get_db), +) -> templates: """ Validaiting form data fields. Validaiting form data against database records. @@ -49,56 +55,67 @@ async def forgot_password( # validating form data by creating pydantic schema object user = ForgotPassword(**form_dict) except ValidationError: - user = False + user = None if user: user = await is_email_compatible_to_username(db, user) - if user: - user.email_verification_token = create_jwt_token( - user, jwt_min_exp=15) - await send_reset_password_mail(user, background_tasks) - return templates.TemplateResponse("forgot_password.html", { - "request": request, - "message": "Email for reseting password was sent"}) - return templates.TemplateResponse("forgot_password.html", { + if not user: + return templates.TemplateResponse( + "forgot_password.html", + {"request": request, "message": "Please check your credentials"}, + ) + user.email_verification_token = create_jwt_token(user, jwt_min_exp=15) + await send_reset_password_mail(user, background_tasks) + return templates.TemplateResponse( + "forgot_password.html", + { "request": request, - "message": 'Please check your credentials' - }) + "message": "Email for reseting password was sent", + }, + ) @router.get("/reset-password") async def reset_password_form( - request: Request, email_verification_token: Optional[str] = "" - ) -> templates: + request: Request, + email_verification_token: Optional[str] = "", +) -> templates: """ Rendering reset password form get method. Validating jwt token is supplied with request. """ if email_verification_token: - return templates.TemplateResponse("reset_password.html", { - "request": request, - }) + return templates.TemplateResponse( + "reset_password.html", + { + "request": request, + }, + ) message = "?message=Verification token is missing" - return RedirectResponse(f"/login{message}") + return RedirectResponse( + login_router.url_path_for("login_user_form") + f"{message}", + status_code=HTTP_302_FOUND, + ) @router.post("/reset-password") async def reset_password( - request: Request, email_verification_token: str = "", - db: Session = Depends(get_db) - ) -> RedirectResponse: - ''' + request: Request, + email_verification_token: str = "", + db: Session = Depends(get_db), +) -> RedirectResponse: + """ Receives email verification jwt token. Receives form data, and validates all fields are correct. Validating token. validatting form data against token details. If all validations succeed, hashing new password and updating database. - ''' + """ jwt_payload = await get_jwt_token(db, email_verification_token) jwt_username = jwt_payload.get("sub") form = await request.form() form_dict = dict(form) validated = True - if not form_dict['username'] == jwt_username: + if not form_dict["username"] == jwt_username: validated = False try: # validating form data by creating pydantic schema object @@ -106,10 +123,13 @@ async def reset_password( except ValueError: validated = False if not validated: - return templates.TemplateResponse("reset_password.html", { - "request": request, - "message": 'Please check your credentials'}) + return templates.TemplateResponse( + "reset_password.html", + {"request": request, "message": "Please check your credentials"}, + ) await update_password(db, jwt_username, user.password) + message = "?message=Success reset password" return RedirectResponse( - url="/login?message=Success reset password", - status_code=HTTP_302_FOUND) + login_router.url_path_for("login_user_form") + f"{message}", + status_code=HTTP_302_FOUND, + ) diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index 07510650..0e1fe272 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -8,57 +8,70 @@ REGISTER_DETAIL = { - 'username': 'correct_user', 'full_name': 'full_name', - 'password': 'correct_password', 'confirm_password': 'correct_password', - 'email': 'example@email.com', 'description': ""} + "username": "correct_user", + "full_name": "full_name", + "password": "correct_password", + "confirm_password": "correct_password", + "email": "example@email.com", + "description": "", +} FORGOT_PASSWORD_BAD_DETAILS = [ - ('', ''), - ('', 'example@email.com'), - ('correct_user', ''), - ('incorrect_user', 'example@email.com'), - ('correct_user', 'inncorrect@email.com') + ("", ""), + ("", "example@email.com"), + ("correct_user", ""), + ("incorrect_user", "example@email.com"), + ("correct_user", "inncorrect@email.com"), ] FORGOT_PASSWORD_DETAILS = { - 'username': 'correct_user', 'email': 'example@email.com'} + "username": "correct_user", + "email": "example@email.com", +} RESET_PASSWORD_BAD_CREDENTIALS = [ - ('', '', ''), - ('correct_user', '', 'new_password'), - ('', 'new_password', 'new_password'), - ('correct_user', 'new_password', ''), - ('wrong_user', 'new_password', 'new_password'), - ('correct_user', '', 'new_password'), - ('correct_user', 'new_password', ''), - ('correct_user', 'new_password', 'new_password1') + ("", "", ""), + ("correct_user", "", "new_password"), + ("", "new_password", "new_password"), + ("correct_user", "new_password", ""), + ("wrong_user", "new_password", "new_password"), + ("correct_user", "", "new_password"), + ("correct_user", "new_password", ""), + ("correct_user", "new_password", "new_password1"), ] RESET_PASSWORD_DETAILS = { - 'username': 'correct_user', - 'password': 'new_password', 'confirm_password': 'new_password'} + "username": "correct_user", + "password": "new_password", + "confirm_password": "new_password", +} def test_forgot_password_route_ok(security_test_client): response = security_test_client.get( - security_test_client.app.url_path_for('forgot_password_form')) + security_test_client.app.url_path_for("forgot_password_form"), + ) assert response.ok -@pytest.mark.parametrize( - "username, email", FORGOT_PASSWORD_BAD_DETAILS) +@pytest.mark.parametrize("username, email", FORGOT_PASSWORD_BAD_DETAILS) def test_forgot_password_bad_details( - session, security_test_client, username, email): - security_test_client.post('/register', data=REGISTER_DETAIL) - data = {'username': username, 'email': email} + session, + security_test_client, + username, + email, +): + security_test_client.post("/register", data=REGISTER_DETAIL) + data = {"username": username, "email": email} res = security_test_client.post( - security_test_client.app.url_path_for('forgot_password'), - data=data) - assert b'Please check your credentials' in res.content + security_test_client.app.url_path_for("forgot_password"), + data=data, + ) + assert b"Please check your credentials" in res.content def test_email_send(session, security_test_client, smtpd): - security_test_client.post('/register', data=REGISTER_DETAIL) + security_test_client.post("/register", data=REGISTER_DETAIL) mail.config.SUPPRESS_SEND = 1 mail.config.MAIL_SERVER = smtpd.hostname mail.config.MAIL_PORT = smtpd.port @@ -66,17 +79,19 @@ def test_email_send(session, security_test_client, smtpd): mail.config.MAIL_TLS = False with mail.record_messages() as outbox: response = security_test_client.post( - security_test_client.app.url_path_for('forgot_password'), - data=FORGOT_PASSWORD_DETAILS) + security_test_client.app.url_path_for("forgot_password"), + data=FORGOT_PASSWORD_DETAILS, + ) assert len(outbox) == 1 - assert b'Email for reseting password was sent' in response.content - assert 'reset password' in outbox[0]['subject'] + assert b"Email for reseting password was sent" in response.content + assert "reset password" in outbox[0]["subject"] def test_reset_password_GET_without_token(session, security_test_client): res = security_test_client.get( - security_test_client.app.url_path_for('reset_password_form')) - assert b'Verification token is missing' in res.content + security_test_client.app.url_path_for("reset_password_form"), + ) + assert b"Verification token is missing" in res.content def test_reset_password_GET_with_token(session, security_test_client): @@ -84,46 +99,59 @@ def test_reset_password_GET_with_token(session, security_test_client): token = create_jwt_token(user, jwt_min_exp=15) params = f"?email_verification_token={token}" res = security_test_client.get( - security_test_client.app.url_path_for( - 'reset_password_form') + f'{params}') - assert b'Please choose a new password' in res.content + security_test_client.app.url_path_for("reset_password_form") + + f"{params}", + ) + assert b"Please choose a new password" in res.content @pytest.mark.parametrize( - "username, password, confirm_password", RESET_PASSWORD_BAD_CREDENTIALS) + "username, password, confirm_password", + RESET_PASSWORD_BAD_CREDENTIALS, +) def test_reset_password_bad_details( - session, security_test_client, username, password, confirm_password): - security_test_client.post('/register', data=REGISTER_DETAIL) + session, + security_test_client, + username, + password, + confirm_password, +): + security_test_client.post("/register", data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=15) data = { - 'username': username, 'password': password, - 'confirm_password': confirm_password + "username": username, + "password": password, + "confirm_password": confirm_password, } params = f"?email_verification_token={token}" res = security_test_client.post( - security_test_client.app.url_path_for( - 'reset_password') + f'{params}', data=data) - assert b'Please check your credentials' in res.content + security_test_client.app.url_path_for("reset_password") + f"{params}", + data=data, + ) + print(res.content) + assert b"Please check your credentials" in res.content def test_reset_password_successfully(session, security_test_client): - security_test_client.post('/register', data=REGISTER_DETAIL) + security_test_client.post("/register", data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=15) params = f"?email_verification_token={token}" res = security_test_client.post( - security_test_client.app.url_path_for( - 'reset_password') + f'{params}', data=RESET_PASSWORD_DETAILS) + security_test_client.app.url_path_for("reset_password") + f"{params}", + data=RESET_PASSWORD_DETAILS, + ) assert res.status_code == HTTP_302_FOUND def test_reset_password_expired_token(session, security_test_client): - security_test_client.post('/register', data=REGISTER_DETAIL) + security_test_client.post("/register", data=REGISTER_DETAIL) user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) token = create_jwt_token(user, jwt_min_exp=-1) params = f"?email_verification_token={token}" res = security_test_client.post( - security_test_client.app.url_path_for( - 'reset_password') + f'{params}', data=RESET_PASSWORD_DETAILS) + security_test_client.app.url_path_for("reset_password") + f"{params}", + data=RESET_PASSWORD_DETAILS, + ) assert res.ok From fd42eef2b5cb172f5bb281e28a823b169d36bff8 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Tue, 23 Feb 2021 17:29:55 +0200 Subject: [PATCH 51/56] upgraded security in dependencies --- app/internal/security/dependancies.py | 46 ++++++++++++++++++------- tests/test_reset_password.py | 49 ++++++++++++++++++++++++++- 2 files changed, 81 insertions(+), 14 deletions(-) diff --git a/app/internal/security/dependancies.py b/app/internal/security/dependancies.py index 584235dd..e784bc62 100644 --- a/app/internal/security/dependancies.py +++ b/app/internal/security/dependancies.py @@ -5,34 +5,48 @@ from app.database.models import User from app.dependencies import get_db from app.internal.security.ouath2 import ( - Session, get_jwt_token, get_authorization_cookie + Session, + get_jwt_token, + get_authorization_cookie, ) from app.internal.security import schema async def is_logged_in( - request: Request, db: Session = Depends(get_db), - jwt: str = Depends(get_authorization_cookie)) -> bool: + request: Request, + db: Session = Depends(get_db), + jwt: str = Depends(get_authorization_cookie), +) -> bool: """ A dependency function protecting routes for only logged in user """ - await get_jwt_token(db, jwt) + jwt_payload = await get_jwt_token(db, jwt) + user_id = jwt_payload.get("user_id") + if not user_id: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + detail="Your token is not valid. Please log in again", + ) return True async def is_manager( - request: Request, db: Session = Depends(get_db), - jwt: str = Depends(get_authorization_cookie)) -> bool: + request: Request, + db: Session = Depends(get_db), + jwt: str = Depends(get_authorization_cookie), +) -> bool: """ A dependency function protecting routes for only logged in manager """ jwt_payload = await get_jwt_token(db, jwt) - if jwt_payload.get("is_manager"): + user_id = jwt_payload.get("user_id") + if jwt_payload.get("is_manager") and user_id: return True raise HTTPException( - status_code=HTTP_401_UNAUTHORIZED, - headers=request.url.path, - detail="You don't have a permition to enter this page") + status_code=HTTP_401_UNAUTHORIZED, + headers=request.url.path, + detail="You don't have a permition to enter this page", + ) async def current_user_from_db( @@ -52,9 +66,10 @@ async def current_user_from_db( return db_user else: raise HTTPException( - status_code=HTTP_401_UNAUTHORIZED, - headers=request.url.path, - detail="Your token is incorrect. Please log in again") + status_code=HTTP_401_UNAUTHORIZED, + headers=request.url.path, + detail="Your token is incorrect. Please log in again", + ) async def current_user( @@ -69,4 +84,9 @@ async def current_user( jwt_payload = await get_jwt_token(db, jwt) username = jwt_payload.get("sub") user_id = jwt_payload.get("user_id") + if not user_id: + raise HTTPException( + status_code=HTTP_401_UNAUTHORIZED, + detail="Your token is not valid. Please log in again", + ) return schema.CurrentUser(user_id=user_id, username=username) diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index 0e1fe272..5ea5f8c7 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -129,7 +129,6 @@ def test_reset_password_bad_details( security_test_client.app.url_path_for("reset_password") + f"{params}", data=data, ) - print(res.content) assert b"Please check your credentials" in res.content @@ -155,3 +154,51 @@ def test_reset_password_expired_token(session, security_test_client): data=RESET_PASSWORD_DETAILS, ) assert res.ok + + +LOGIN_DATA = {"username": "correct_user", "password": "correct_password"} + + +def test_is_logged_in_with_reset_password_token(session, security_test_client): + security_test_client.post("/register", data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + params = f"?existing_jwt={token}" + security_test_client.post( + security_test_client.app.url_path_for("login") + f"{params}", + data=LOGIN_DATA, + ) + res = security_test_client.get( + security_test_client.app.url_path_for("is_logged_in"), + ) + assert b"Your token is not valid" in res.content + + +def test_is_manager_with_reset_password_token(session, security_test_client): + security_test_client.post("/register", data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + params = f"?existing_jwt={token}" + security_test_client.post( + security_test_client.app.url_path_for("login") + f"{params}", + data=LOGIN_DATA, + ) + res = security_test_client.get( + security_test_client.app.url_path_for("is_manager"), + ) + assert b"have a permition to enter this page" in res.content + + +def test_current_user_with_reset_password_token(session, security_test_client): + security_test_client.post("/register", data=REGISTER_DETAIL) + user = ForgotPassword(**FORGOT_PASSWORD_DETAILS) + token = create_jwt_token(user, jwt_min_exp=15) + params = f"?existing_jwt={token}" + security_test_client.post( + security_test_client.app.url_path_for("login") + f"{params}", + data=LOGIN_DATA, + ) + res = security_test_client.get( + security_test_client.app.url_path_for("current_user"), + ) + assert b"Your token is not valid" in res.content From 5da9a1dbef06caa4f841a82111ff58f2a3331bc5 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Wed, 24 Feb 2021 11:56:05 +0200 Subject: [PATCH 52/56] CR and get_jwt_token function fixes --- app/internal/security/dependencies.py | 8 ++--- app/internal/security/ouath2.py | 46 ++++++++++++++++----------- app/internal/security/schema.py | 19 +++++++---- app/routers/reset_password.py | 2 +- app/templates/reset_password.html | 24 +++++++------- tests/test_reset_password.py | 3 +- 6 files changed, 61 insertions(+), 41 deletions(-) diff --git a/app/internal/security/dependencies.py b/app/internal/security/dependencies.py index e784bc62..bdd2e3b8 100644 --- a/app/internal/security/dependencies.py +++ b/app/internal/security/dependencies.py @@ -20,7 +20,7 @@ async def is_logged_in( """ A dependency function protecting routes for only logged in user """ - jwt_payload = await get_jwt_token(db, jwt) + jwt_payload = get_jwt_token(jwt) user_id = jwt_payload.get("user_id") if not user_id: raise HTTPException( @@ -38,7 +38,7 @@ async def is_manager( """ A dependency function protecting routes for only logged in manager """ - jwt_payload = await get_jwt_token(db, jwt) + jwt_payload = get_jwt_token(jwt) user_id = jwt_payload.get("user_id") if jwt_payload.get("is_manager") and user_id: return True @@ -58,7 +58,7 @@ async def current_user_from_db( Returns logged in User object. A dependency function protecting routes for only logged in user. """ - jwt_payload = await get_jwt_token(db, jwt) + jwt_payload = get_jwt_token(jwt) username = jwt_payload.get("sub") user_id = jwt_payload.get("user_id") db_user = await User.get_by_username(db, username=username) @@ -81,7 +81,7 @@ async def current_user( Returns logged in User object. A dependency function protecting routes for only logged in user. """ - jwt_payload = await get_jwt_token(db, jwt) + jwt_payload = get_jwt_token(jwt) username = jwt_payload.get("sub") user_id = jwt_payload.get("user_id") if not user_id: diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index d85db663..6f4262b7 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -21,10 +21,12 @@ async def update_password( - db: Session, username: str, user_password: str) -> None: + db: Session, + username: str, + user_password: str, +) -> None: """Updating User password in database""" - db_user = await User.get_by_username( - db=db, username=username) + db_user = await User.get_by_username(db=db, username=username) hashed_password = get_hashed_password(user_password) db_user.password = hashed_password db.commit() @@ -42,8 +44,10 @@ def verify_password(plain_password: str, hashed_password: str) -> bool: async def is_email_compatible_to_username( - db: Session, user: schema.ForgotPassword, - email: bool = False) -> Union[schema.ForgotPassword, bool]: + db: Session, + user: schema.ForgotPassword, + email: bool = False, +) -> Union[schema.ForgotPassword, bool]: """ Verifying database record by username. Comparing given email to database record, @@ -53,13 +57,16 @@ async def is_email_compatible_to_username( return False if db_user.email == user.email: return schema.ForgotPassword( - username=user.username, - user_id=db_user.id, email=db_user.email) + username=user.username, + user_id=db_user.id, + email=db_user.email, + ) return False async def authenticate_user( - db: Session, user: schema.LoginUser, + db: Session, + user: schema.LoginUser, ) -> Union[schema.LoginUser, bool]: """ Verifying database record by username. @@ -71,8 +78,11 @@ async def authenticate_user( return False elif verify_password(user.password, db_user.password): return schema.LoginUser( - user_id=db_user.id, is_manager=db_user.is_manager, - username=user.username, password=db_user.password) + user_id=db_user.id, + is_manager=db_user.is_manager, + username=user.username, + password=db_user.password, + ) return False @@ -93,18 +103,17 @@ def create_jwt_token( return jwt_token -async def get_jwt_token( - db: Session, - token: str = Depends(oauth_schema), - path: Union[bool, str] = None) -> User: +def get_jwt_token( + token: str = Depends(oauth_schema), + path: Union[bool, str] = None, +) -> User: """ Check whether JWT token is correct. Returns jwt payloads if correct. Raises HTTPException if fails to decode. """ try: - jwt_payload = jwt.decode( - token, JWT_KEY, algorithms=JWT_ALGORITHM) + jwt_payload = jwt.decode(token, JWT_KEY, algorithms=JWT_ALGORITHM) except InvalidSignatureError: raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, @@ -121,7 +130,8 @@ async def get_jwt_token( raise HTTPException( status_code=HTTP_401_UNAUTHORIZED, headers=path, - detail="Your token is incorrect. Please log in again") + detail="Your token is incorrect. Please log in again", + ) return jwt_payload @@ -151,5 +161,5 @@ async def auth_exception_handler( paramas = f"?next={exc.headers}&message={exc.detail}" url = f"/login{paramas}" response = RedirectResponse(url=url, status_code=HTTP_302_FOUND) - response.delete_cookie('Authorization') + response.delete_cookie("Authorization") return response diff --git a/app/internal/security/schema.py b/app/internal/security/schema.py index ff1fc7fb..2e5fee8d 100644 --- a/app/internal/security/schema.py +++ b/app/internal/security/schema.py @@ -8,6 +8,7 @@ class CurrentUser(BaseModel): Validating fields types Returns a user details as a class. """ + user_id: Optional[int] username: str @@ -20,6 +21,7 @@ class LoginUser(CurrentUser): Validating fields types Returns a User object for signing in. """ + is_manager: Optional[bool] password: str @@ -29,6 +31,7 @@ class ForgotPassword(BaseModel): BaseModel for collecting and verifying user details sending a token via email """ + username: str email: str user_id: Optional[str] = None @@ -38,7 +41,7 @@ class ForgotPassword(BaseModel): class Config: orm_mode = True - @validator('username') + @validator("username") def password_length(cls, username: str) -> Union[ValueError, str]: """Validating username length is legal""" if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH): @@ -54,23 +57,27 @@ class ResetPassword(BaseModel): """ Validating fields types """ + username: str password: str confirm_password: str class Config: orm_mode = True + fields = {"confirm_password": "confirm-password"} - @validator('confirm_password') + @validator("confirm_password") def passwords_match( - cls, confirm_password: str, - values: BaseModel) -> Union[ValueError, str]: + cls, + confirm_password: str, + values: BaseModel, + ) -> Union[ValueError, str]: """Validating passwords fields identical.""" - if 'password' in values and confirm_password != values['password']: + if "password" in values and confirm_password != values["password"]: raise ValueError return confirm_password - @validator('password') + @validator("password") def password_length(cls, password: str) -> Union[ValueError, str]: """Validating password length is legal""" if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 02bed08c..5713f20b 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -110,7 +110,7 @@ async def reset_password( validatting form data against token details. If all validations succeed, hashing new password and updating database. """ - jwt_payload = await get_jwt_token(db, email_verification_token) + jwt_payload = get_jwt_token(email_verification_token) jwt_username = jwt_payload.get("sub") form = await request.form() form_dict = dict(form) diff --git a/app/templates/reset_password.html b/app/templates/reset_password.html index a4bc9bf5..10a7dc90 100644 --- a/app/templates/reset_password.html +++ b/app/templates/reset_password.html @@ -1,21 +1,22 @@ {% extends "base.html" %} {% block content %} -
    -
    Please choose a new password:
    +
    +
    Please choose a new password:
    {% if message %} -
    {{ message }}
    +
    {{ message }}
    {% endif %}
    -
    +
    -
    +
    @@ -24,9 +25,10 @@
    Please choose a new password:
    - +
    -
    +
    @@ -36,7 +38,7 @@
    Please choose a new password:
    - -
    - -{% endblock %} \ No newline at end of file + +
    + +{% endblock %} diff --git a/tests/test_reset_password.py b/tests/test_reset_password.py index 5ea5f8c7..02890ba7 100644 --- a/tests/test_reset_password.py +++ b/tests/test_reset_password.py @@ -43,7 +43,7 @@ RESET_PASSWORD_DETAILS = { "username": "correct_user", "password": "new_password", - "confirm_password": "new_password", + "confirm-password": "new_password", } @@ -141,6 +141,7 @@ def test_reset_password_successfully(session, security_test_client): security_test_client.app.url_path_for("reset_password") + f"{params}", data=RESET_PASSWORD_DETAILS, ) + print(res.content) assert res.status_code == HTTP_302_FOUND From e505c5e3a91601f475835d597b2e64010c127266 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Thu, 25 Feb 2021 09:43:40 +0200 Subject: [PATCH 53/56] CR fixes --- app/database/schemas.py | 49 ++++--- app/internal/email.py | 2 +- app/internal/security/ouath2.py | 5 +- app/routers/reset_password.py | 11 +- app/templates/forgot_password.html | 10 +- app/templates/reset_password.html | 6 +- tests/test_register.py | 226 +++++++++++++++++++++-------- 7 files changed, 218 insertions(+), 91 deletions(-) diff --git a/app/database/schemas.py b/app/database/schemas.py index 61d31a33..4ee0813c 100644 --- a/app/database/schemas.py +++ b/app/database/schemas.py @@ -2,7 +2,7 @@ from pydantic import BaseModel, validator, EmailStr, EmailError -EMPTY_FIELD_STRING = 'field is required' +EMPTY_FIELD_STRING = "field is required" MIN_FIELD_LENGTH = 3 MAX_FIELD_LENGTH = 20 @@ -19,6 +19,7 @@ class UserBase(BaseModel): Validating fields types Returns a User object without sensitive information """ + username: str email: str full_name: str @@ -30,6 +31,7 @@ class Config: class UserCreate(UserBase): """Validating fields types""" + password: str confirm_password: str @@ -37,41 +39,51 @@ class UserCreate(UserBase): Calling to field_not_empty validaion function, for each required field. """ - _fields_not_empty_username = validator( - 'username', allow_reuse=True)(fields_not_empty) - _fields_not_empty_full_name = validator( - 'full_name', allow_reuse=True)(fields_not_empty) - _fields_not_empty_password = validator( - 'password', allow_reuse=True)(fields_not_empty) + _fields_not_empty_username = validator("username", allow_reuse=True)( + fields_not_empty, + ) + _fields_not_empty_full_name = validator("full_name", allow_reuse=True)( + fields_not_empty, + ) + _fields_not_empty_password = validator("password", allow_reuse=True)( + fields_not_empty, + ) _fields_not_empty_confirm_password = validator( - 'confirm_password', allow_reuse=True)(fields_not_empty) - _fields_not_empty_email = validator( - 'email', allow_reuse=True)(fields_not_empty) - - @validator('confirm_password') + "confirm_password", + allow_reuse=True, + )(fields_not_empty) + _fields_not_empty_email = validator("email", allow_reuse=True)( + fields_not_empty, + ) + + @validator("confirm_password") def passwords_match( - cls, confirm_password: str, - values: UserBase) -> Union[ValueError, str]: + cls, + confirm_password: str, + values: UserBase, + ) -> Union[ValueError, str]: """Validating passwords fields identical.""" - if 'password' in values and confirm_password != values['password']: + if "password" in values and confirm_password != values["password"]: raise ValueError("doesn't match to password") return confirm_password - @validator('username') + @validator("username") def username_length(cls, username: str) -> Union[ValueError, str]: """Validating username length is legal""" if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") + if username.startswith("@"): + raise ValueError("username can not start with '@'") return username - @validator('password') + @validator("password") def password_length(cls, password: str) -> Union[ValueError, str]: """Validating username length is legal""" if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH): raise ValueError("must contain between 3 to 20 charactars") return password - @validator('email') + @validator("email") def confirm_mail(cls, email: str) -> Union[ValueError, str]: """Validating email is valid mail address.""" try: @@ -86,5 +98,6 @@ class User(UserBase): Validating fields types Returns a User object without sensitive information """ + id: int is_active: bool diff --git a/app/internal/email.py b/app/internal/email.py index 2d8701a1..5f61c962 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -219,7 +219,7 @@ async def send_reset_password_mail( params = f"?email_verification_token={user.email_verification_token}" template = templates.get_template("reset_password_mail.html") html = template.render( - recipient=user.username, + recipient=user.username.strip("@"), link=f"{DOMAIN}/reset-password{params}", email=user.email, ) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index 6f4262b7..9ed55ace 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -52,7 +52,10 @@ async def is_email_compatible_to_username( Verifying database record by username. Comparing given email to database record, """ - db_user = await User.get_by_username(db=db, username=user.username) + db_user = await User.get_by_username( + db=db, + username=user.username.strip("@"), + ) if not db_user: return False if db_user.email == user.email: diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index 5713f20b..e4ddcaf7 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -51,13 +51,16 @@ async def forgot_password( """ form = await request.form() form_dict = dict(form) + form_dict["username"] = "@" + form_dict["username"] try: # validating form data by creating pydantic schema object user = ForgotPassword(**form_dict) except ValidationError: - user = None - if user: - user = await is_email_compatible_to_username(db, user) + return templates.TemplateResponse( + "forgot_password.html", + {"request": request, "message": "Please check your credentials"}, + ) + user = await is_email_compatible_to_username(db, user) if not user: return templates.TemplateResponse( "forgot_password.html", @@ -111,7 +114,7 @@ async def reset_password( If all validations succeed, hashing new password and updating database. """ jwt_payload = get_jwt_token(email_verification_token) - jwt_username = jwt_payload.get("sub") + jwt_username = jwt_payload.get("sub").strip("@") form = await request.form() form_dict = dict(form) validated = True diff --git a/app/templates/forgot_password.html b/app/templates/forgot_password.html index 3aeca9fd..255c7f24 100644 --- a/app/templates/forgot_password.html +++ b/app/templates/forgot_password.html @@ -3,7 +3,7 @@
    Please verify your Username and Email:
    {% if message %} -
    {{ message }}
    +
    {{ message }}
    {% endif %}
    @@ -18,14 +18,14 @@
    Please verify your Username and Email:

    - + Must be the email address you registered with
    - +
    - -{% endblock %} \ No newline at end of file + +{% endblock %} diff --git a/app/templates/reset_password.html b/app/templates/reset_password.html index 10a7dc90..7d62ebe6 100644 --- a/app/templates/reset_password.html +++ b/app/templates/reset_password.html @@ -3,7 +3,7 @@
    Please choose a new password:
    {% if message %} -
    {{ message }}
    +
    {{ message }}
    {% endif %}
    @@ -19,7 +19,7 @@
    Please choose a new password:

    - + Must be between 3 to 20 characters.
    @@ -31,7 +31,7 @@
    Please choose a new password:
    placeholder="Required">
    - + Must be equal to password.
    diff --git a/tests/test_register.py b/tests/test_register.py index 9394e2ba..a9b619ad 100644 --- a/tests/test_register.py +++ b/tests/test_register.py @@ -8,83 +8,191 @@ def test_register_route_ok(client): REGISTER_FORM_VALIDATORS = [ - ('ad', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b'Username must contain'), - ('admin', 'admin_user', 'pa', 'pa', 'example@mail.com', - 'description', b'Password must contain'), - ('admin', 'admin_user', 'password', 'wrong_password', 'example@mail.com', - 'description', b"match"), - ('admin', 'admin_user', 'password', 'password', 'invalid_mail', - 'description', b"Email address is not valid"), - ('', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b'Username field is required'), - ('admin', '', 'password', 'password', 'example@mail.com', - 'description', b'Full_name field is required'), - ('admin', 'admin_user', '', 'password', 'example@mail.com', - 'description', b'Password field is required'), - ('admin', 'admin_user', 'password', '', 'example@mail.com', - 'description', b'Confirm_password field is required'), - ('admin', 'admin_user', 'password', 'password', '', - 'description', b'Email field is required'), - ] - - -""" -Test all active pydantic validators -""" + ( + "ad", + "admin_user", + "password", + "password", + "example@mail.com", + "description", + b"Username must contain", + ), + ( + "admin", + "admin_user", + "pa", + "pa", + "example@mail.com", + "description", + b"Password must contain", + ), + ( + "admin", + "admin_user", + "password", + "wrong_password", + "example@mail.com", + "description", + b"match", + ), + ( + "admin", + "admin_user", + "password", + "password", + "invalid_mail", + "description", + b"Email address is not valid", + ), + ( + "", + "admin_user", + "password", + "password", + "example@mail.com", + "description", + b"Username field is required", + ), + ( + "admin", + "", + "password", + "password", + "example@mail.com", + "description", + b"Full_name field is required", + ), + ( + "admin", + "admin_user", + "", + "password", + "example@mail.com", + "description", + b"Password field is required", + ), + ( + "admin", + "admin_user", + "password", + "", + "example@mail.com", + "description", + b"Confirm_password field is required", + ), + ( + "admin", + "admin_user", + "password", + "password", + "", + "description", + b"Email field is required", + ), + ( + "@admin", + "admin_user", + "password", + "password", + "example@mail.com", + "description", + b"can not start with", + ), +] @pytest.mark.parametrize( "username, full_name, password, confirm_password, email, description," - + "expected_response", REGISTER_FORM_VALIDATORS) + + "expected_response", + REGISTER_FORM_VALIDATORS, +) def test_register_form_validators( - client, username, full_name, password, confirm_password, - email, description, expected_response): + client, + username, + full_name, + password, + confirm_password, + email, + description, + expected_response, +): data = { - 'username': username, 'full_name': full_name, - 'password': password, 'confirm_password': confirm_password, - 'email': email, 'description': description} - data = client.post('/register', data=data).content + "username": username, + "full_name": full_name, + "password": password, + "confirm_password": confirm_password, + "email": email, + "description": description, + } + data = client.post("/register", data=data).content assert expected_response in data -""" -Test successfully register user to database, after passing all validators -""" - - def test_register_successfull(session, security_test_client): - data = {'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} - data = security_test_client.post('/register', data=data) + data = { + "username": "username", + "full_name": "full_name", + "password": "password", + "confirm_password": "password", + "email": "example@email.com", + "description": "", + } + """ + Test successfully register user to database, after passing all validators + """ + data = security_test_client.post("/register", data=data) assert data.status_code == HTTP_302_FOUND UNIQUE_FIELDS_ARE_TAKEN = [ - ('admin', 'admin_user', 'password', 'password', 'example_new@mail.com', - 'description', b'That username is already taken'), - ('admin_new', 'admin_user', 'password', 'password', 'example@mail.com', - 'description', b"Email already registered") - ] - - -""" -Test register a user fails due to unique database fields already in use -""" + ( + "admin", + "admin_user", + "password", + "password", + "example_new@mail.com", + "description", + b"That username is already taken", + ), + ( + "admin_new", + "admin_user", + "password", + "password", + "example@mail.com", + "description", + b"Email already registered", + ), +] @pytest.mark.parametrize( "username, full_name, password, confirm_password," - + "email, description, expected_response", UNIQUE_FIELDS_ARE_TAKEN) + + "email, description, expected_response", + UNIQUE_FIELDS_ARE_TAKEN, +) def test_unique_fields_are_taken( - session, security_test_client, username, - full_name, password, confirm_password, - email, description, expected_response): + session, + security_test_client, + username, + full_name, + password, + confirm_password, + email, + description, + expected_response, +): + """ + Test register a user fails due to unique database fields already in use + """ user_data = { - 'username': 'username', 'full_name': 'full_name', - 'password': 'password', 'confirm_password': 'password', - 'email': 'example@email.com', 'description': ""} - security_test_client.post('/register', data=user_data) - data = security_test_client.post('/register', data=user_data).content + "username": "username", + "full_name": "full_name", + "password": "password", + "confirm_password": "password", + "email": "example@email.com", + "description": "", + } + security_test_client.post("/register", data=user_data) + data = security_test_client.post("/register", data=user_data).content assert expected_response in data From 1aeb21930ee83ee77c4ffc2cbddc4b0090b2d989 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Thu, 25 Feb 2021 19:43:12 +0200 Subject: [PATCH 54/56] CR small fix --- app/internal/email.py | 3 +-- app/internal/security/ouath2.py | 2 +- app/routers/reset_password.py | 9 ++++----- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/app/internal/email.py b/app/internal/email.py index 5f61c962..d75e1e09 100644 --- a/app/internal/email.py +++ b/app/internal/email.py @@ -18,7 +18,6 @@ from app.dependencies import templates from app.internal.security.schema import ForgotPassword - mail = FastMail(email_conf) @@ -219,7 +218,7 @@ async def send_reset_password_mail( params = f"?email_verification_token={user.email_verification_token}" template = templates.get_template("reset_password_mail.html") html = template.render( - recipient=user.username.strip("@"), + recipient=user.username.lstrip("@"), link=f"{DOMAIN}/reset-password{params}", email=user.email, ) diff --git a/app/internal/security/ouath2.py b/app/internal/security/ouath2.py index de7f70d4..a20f3b0e 100644 --- a/app/internal/security/ouath2.py +++ b/app/internal/security/ouath2.py @@ -54,7 +54,7 @@ async def is_email_compatible_to_username( """ db_user = await User.get_by_username( db=db, - username=user.username.strip("@"), + username=user.username.lstrip("@"), ) if not db_user: return False diff --git a/app/routers/reset_password.py b/app/routers/reset_password.py index e4ddcaf7..9a8d3444 100644 --- a/app/routers/reset_password.py +++ b/app/routers/reset_password.py @@ -7,17 +7,16 @@ from starlette.status import HTTP_302_FOUND from app.dependencies import get_db, templates +from app.internal.email import BackgroundTasks, send_reset_password_mail from app.internal.security.ouath2 import ( - is_email_compatible_to_username, - get_jwt_token, create_jwt_token, + get_jwt_token, + is_email_compatible_to_username, update_password, ) -from app.internal.email import BackgroundTasks, send_reset_password_mail from app.internal.security.schema import ForgotPassword, ResetPassword from app.routers.login import router as login_router - router = APIRouter( prefix="", tags=["/reset_password"], @@ -133,6 +132,6 @@ async def reset_password( await update_password(db, jwt_username, user.password) message = "?message=Success reset password" return RedirectResponse( - login_router.url_path_for("login_user_form") + f"{message}", + login_router.url_path_for("login_user_form") + str(message), status_code=HTTP_302_FOUND, ) From fadb54a874d5c3b01cf5c54ee0cb28f5e8f03db4 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Thu, 25 Feb 2021 20:23:14 +0200 Subject: [PATCH 55/56] html fix --- app/static/style.css | 13 ++++-- app/templates/forgot_password.html | 2 +- app/templates/reset_password.html | 68 +++++++++++++++--------------- 3 files changed, 45 insertions(+), 38 deletions(-) diff --git a/app/static/style.css b/app/static/style.css index f2df7738..4a72ed0b 100644 --- a/app/static/style.css +++ b/app/static/style.css @@ -143,9 +143,9 @@ p { } .forgot-password { - line-height: 0; - color: rgb(188, 7, 194); - padding-left: 8rem; + line-height: 0; + color: rgb(188, 7, 194); + padding-left: 8rem; } .red-massage { @@ -169,3 +169,10 @@ h2.modal-title { height: 2.5rem; margin-top: 1rem; } + +.reset-password{ + font-size: 2rem; + font-style: bold; + margin: 2rem; + color:black; +} diff --git a/app/templates/forgot_password.html b/app/templates/forgot_password.html index 255c7f24..09b04228 100644 --- a/app/templates/forgot_password.html +++ b/app/templates/forgot_password.html @@ -1,7 +1,7 @@ {% extends "base.html" %} {% block content %}
    -
    Please verify your Username and Email:
    +
    Please verify your Username and Email:
    {% if message %}
    {{ message }}
    {% endif %} diff --git a/app/templates/reset_password.html b/app/templates/reset_password.html index 7d62ebe6..cbfa5fbd 100644 --- a/app/templates/reset_password.html +++ b/app/templates/reset_password.html @@ -1,43 +1,43 @@ {% extends "base.html" %} {% block content %}
    -
    Please choose a new password:
    - {% if message %} -
    {{ message }}
    - {% endif %} - -
    - -
    -
    -
    +
    Please choose a new password:
    + {% if message %} +
    {{ message }}
    + {% endif %} + +
    + +
    +
    -
    - -
    -
    -
    -
    - - Must be between 3 to 20 characters. - -
    +
    +
    + +
    +
    -
    - -
    -
    -
    -
    - - Must be equal to password. - -
    +
    + + Must be between 3 to 20 characters. +
    - - +
    +
    + +
    +
    +
    +
    + + Must be equal to password. + +
    +
    + +
    From 692436f7374279067bf4cc95dad095b3908fabc8 Mon Sep 17 00:00:00 2001 From: Koby Fogel Date: Sun, 28 Feb 2021 08:15:03 +0200 Subject: [PATCH 56/56] annotation and docstring --- app/dependencies.py | 1 + app/internal/security/dependencies.py | 15 ++++++++++++ app/main.py | 2 ++ app/templates/base.html | 33 +++++++++++++++------------ tests/test_jinja_variable.py | 30 ++++++++++++++++++++++++ 5 files changed, 66 insertions(+), 15 deletions(-) create mode 100644 tests/test_jinja_variable.py diff --git a/app/dependencies.py b/app/dependencies.py index 9c28232c..01cdcf56 100644 --- a/app/dependencies.py +++ b/app/dependencies.py @@ -17,6 +17,7 @@ templates = Jinja2Templates(directory=TEMPLATES_PATH) templates.env.add_extension("jinja2.ext.i18n") + # Configure logger logger = LoggerCustomizer.make_logger( config.LOG_PATH, diff --git a/app/internal/security/dependencies.py b/app/internal/security/dependencies.py index c33bc8a2..56857b0c 100644 --- a/app/internal/security/dependencies.py +++ b/app/internal/security/dependencies.py @@ -1,3 +1,5 @@ +from typing import Optional + from fastapi import Depends, HTTPException from starlette.requests import Request from starlette.status import HTTP_401_UNAUTHORIZED @@ -90,3 +92,16 @@ async def current_user( detail="Your token is not valid. Please log in again", ) return schema.CurrentUser(user_id=user_id, username=username) + + +def get_jinja_current_user(request: Request) -> Optional[schema.CurrentUser]: + """Return the currently logged in user. + Returns logged in User object if exists, None if not. + Set as a jinja global parameter. + """ + if "Authorization" not in request.cookies: + return None + jwt_payload = get_jwt_token(request.cookies["Authorization"]) + username = jwt_payload.get("sub") + user_id = jwt_payload.get("user_id") + return schema.CurrentUser(user_id=user_id, username=username) diff --git a/app/main.py b/app/main.py index 7570d0bd..131a7b0e 100644 --- a/app/main.py +++ b/app/main.py @@ -19,6 +19,7 @@ ) from app.internal import daily_quotes, json_data_loader from app.internal.languages import set_ui_language +from app.internal.security.dependencies import get_jinja_current_user from app.internal.security.ouath2 import auth_exception_handler from app.routers.salary import routes as salary from app.utils.extending_openapi import custom_openapi @@ -49,6 +50,7 @@ def create_tables(engine, psql_environment): app.logger = logger app.add_exception_handler(status.HTTP_401_UNAUTHORIZED, auth_exception_handler) +templates.env.globals["jinja_current_user"] = get_jinja_current_user # This MUST come before the app.routers imports. set_ui_language() diff --git a/app/templates/base.html b/app/templates/base.html index d6039fb4..aa6baf06 100644 --- a/app/templates/base.html +++ b/app/templates/base.html @@ -31,21 +31,24 @@