
sanic-security's Issues

Captcha package deprecation

Error: AttributeError: 'ImageDraw' object has no attribute 'textsize' when generating a captcha.

Downgrading pillow to 9.5.0 fixes this issue for now.

Showcase Feedback

=> you have a license mismatch (https://github.com/sunset-developer/sanic-security/blob/main/setup.py#L15)

=> you default to HTTP cookies that do not have the secure flag set (https://github.com/sunset-developer/sanic-security/blob/main/sanic_security/configuration.py#L29)

=> your project requires a phone number, and the regex doesn't support any non-US format (https://github.com/sunset-developer/sanic-security/blob/main/sanic_security/authentication.py#L74)

=> your project does not check for common passwords such as "password", "qwerty", etc.

ORM objects into regular objects in models.py

In order to rip out Tortoise, we need to convert the current ORM objects into regular objects in models.py.

I began the process by converting the BaseModel and Account objects.

This commit provides a demonstration as to what was changed and what was removed.

7a0cb64

Simply, any line of code that uses Tortoise must be removed or changed in a way that can have a similar function but without requiring retrieving the object from the database, for example: requiring a parameter in a method so the object has to be passed in.

Optimization

    sessions = await cls.filter(bearer=account).prefetch_related("bearer").all()

bearer doesn't need to be retrieved, as it can be assumed account is already available.

Implement pyproject.toml

DEPRECATION: sanic-security is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at pypa/pip#8559

Anonymous (unauthenticated) user support.

  • It is generally considered good security practice to adopt a “deny-by-default” stance, where you explicitly specify what is allowed and disallow everything else. Defining what is accessible to unauthenticated users is a similar situation, particularly for web applications. Many sites require that users must be authenticated for anything other than a few URLs (for example the home and login pages).
  • In that case, it is easiest to define access configuration attributes for these specific URLs rather than for every secured resource (decorating endpoints requiring authentication).
  • Anonymous authentication gives you a more convenient way to configure your access-control attributes.
  • Currently, users that are not authenticated are simply rejected from endpoints requiring authentication. Instead, endpoints not requiring authentication should be explicitly defined and/or effectively handle unauthenticated users.
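An added example, not part of the issue or of sanic-security's code, that models the deny-by-default routing the issue asks for: every endpoint is private unless it is explicitly registered as open to anonymous callers. `Request`, `Router` and the two handlers are constructed here; a `session` of `None` stands in for an unauthenticated caller.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Request:
    path: str
    session: Optional[dict] = None  # None models an unauthenticated caller

class Unauthorized(Exception):
    pass

class Router:
    def __init__(self) -> None:
        self._handlers: Dict[str, Callable[[Request], str]] = {}
        self._anonymous_ok: set = set()  # the only endpoints open without a session

    def route(self, path: str, anonymous: bool = False):
        """Register a handler; only anonymous=True opens it to unauthenticated users."""
        def decorator(fn):
            self._handlers[path] = fn
            if anonymous:
                self._anonymous_ok.add(path)
            return fn
        return decorator

    def dispatch(self, request: Request) -> str:
        handler = self._handlers[request.path]
        # Deny by default: an unauthenticated caller reaches a handler only when
        # the endpoint was explicitly registered as anonymous-accessible.
        if request.session is None and request.path not in self._anonymous_ok:
            raise Unauthorized(request.path)
        return handler(request)

router = Router()

@router.route("/", anonymous=True)
def home(request: Request) -> str:
    name = request.session["user"] if request.session else "guest"
    return f"welcome, {name}"

@router.route("/account")
def account(request: Request) -> str:
    return f"account of {request.session['user']}"

def access(path: str, session: Optional[dict] = None) -> str:
    """Return the response body, or 'denied' when the caller was rejected."""
    try:
        return router.dispatch(Request(path, session))
    except Unauthorized:
        return "denied"
```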

sanic response cookie seems to need type str rather than bytes

Describe the bug
sanic response cookie seems to need type str rather than bytes,
otherwise a TypeError is raised

// tested with sanic 20.12.3, 21.6.2

To Reproduce
server: use test/server.py
client: use curl:

//1. reg user //ok

curl -sv http://127.0.0.1:8000/api/test/auth/register [email protected] \
 -Fusername=test -Fpassword=testtest -Fverified=true

//2. login user // fail TypeError
// should login success

curl -sv http://127.0.0.1:8000/api/test/auth/login --user '[email protected]:testtest' -d ''
[2022-01-22 09:34:03 +0800] [1732395] [ERROR] Exception occurred while handling uri: 'http://127.0.0.1:8000/api/test/auth/login'
Traceback (most recent call last):
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/server.py", line 509, in write_response
    response.output(
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/response.py", line 169, in output
    return self.get_headers(version, keep_alive, keep_alive_timeout, body)
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/response.py", line 64, in get_headers
    return format_http1_response(self.status, self.headers.items(), body)
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/headers.py", line 194, in format_http1_response
    headerbytes = format_http1(headers)
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/headers.py", line 184, in format_http1
    return "".join(f"{name}: {val}\r\n" for name, val in headers).encode()
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/headers.py", line 184, in <genexpr>
    return "".join(f"{name}: {val}\r\n" for name, val in headers).encode()
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/cookies.py", line 137, in __str__
    output = ["%s=%s" % (self.key, _quote(self.value))]
  File "/home/chen/.local/lib/python3.8/site-packages/sanic/cookies.py", line 30, in _quote
    if str is None or _is_legal_key(str):
TypeError: cannot use a string pattern on a bytes-like object

Version
// sanic-security 1.4.7

  • sanic 20.12.3 + py3.8
  • sanic 21.6.2 + py3.9

Workaround
It seems that in sanic 20.12.3 and 21.6.2,
response.cookie should be of str type.

https://github.com/sunset-developer/sanic-security/blob/v1.4.7/sanic_security/models.py#L288

changes:

        response.cookies[cookie] = jwt.encode(
            payload, security_config.SECRET, security_config.SESSION_ENCODING_ALGORITHM
-        )
+        ).decode('utf-8')
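Review bot: the `.decode('utf-8')` added on the `+` line only works while `jwt.encode` returns bytes; if `jwt` here is PyJWT, that is the 1.x behaviour, and PyJWT 2.x already returns `str`, so the patched line would then fail with `AttributeError: 'str' object has no attribute 'decode'`. Coerce only when needed, e.g. `token = jwt.encode(...)` followed by `token.decode('utf-8') if isinstance(token, bytes) else token`, or pin the PyJWT version in the project's requirements.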
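An added example, not sanic-security's or Sanic's own code, showing the type normalisation the workaround above needs: a stdlib-only HS256 encoder stands in for `jwt.encode` and, like PyJWT 1.x, returns bytes, while `as_cookie_value` accepts both that and the `str` that PyJWT 2.x returns before the value goes into the cookie jar (modelled as a plain dict). `SECRET`, `encode_hs256`, `as_cookie_value`, `issue_session_cookie` and `verify_hs256` are all constructed here.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Union

SECRET = b"example-secret-do-not-use"  # constructed placeholder, not a real key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def encode_hs256(payload: Dict[str, object], secret: bytes) -> bytes:
    """Minimal HS256 JWT encoder that, like PyJWT 1.x, returns bytes."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + _b64url(sig).encode("ascii")

def as_cookie_value(token: Union[bytes, str]) -> str:
    """Normalise a token to str: PyJWT 1.x returns bytes, 2.x returns str."""
    if isinstance(token, bytes):
        return token.decode("utf-8")
    if isinstance(token, str):
        return token
    raise TypeError(f"unsupported token type {type(token).__name__}")

def issue_session_cookie(cookies: Dict[str, str], payload: Dict[str, object]) -> str:
    """Store the session token as str, the step the workaround above patches."""
    token = as_cookie_value(encode_hs256(payload, SECRET))
    cookies["session"] = token
    return token

def verify_hs256(token: str, secret: bytes) -> Dict[str, object]:
    """Recompute the HMAC and compare in constant time before trusting the payload."""
    header, body, sig = token.split(".")
    expected = _b64url(hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))
```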
