waqasbhatti / authnzerver Goto Github PK

This will be used to lock users by:

• setting is_active = False
• setting user_role = 'locked'

This should go in actions.users.

https://pages.nist.gov/800-63-3/sp800-63b.html

The full guide: https://pages.nist.gov/800-63-3/sp800-63-3.html

This won't use bootstrap or JS. Just Tornado templates, basic CSS and HTML, and normal POST/GET queries.

• consider adding in social login support with all the client redirect bits required. See #9 for the backend work required.
• also add in an API key authentication example.

Collecting useful links:

• https://ldpreload.com/blog/names-to-reserve
• https://github.com/ubernostrum/django-registration
• http://habitatchronicles.com/2008/10/the-tripartite-identity-pattern/
• https://github.com/ubernostrum/django-registration/blob/1d7d0f01a24b916977016c1d66823a5e4a33f2a0/registration/validators.py#L25
• https://confusable-homoglyphs.readthedocs.io/en/latest/index.html
• https://www.b-list.org/weblog/2018/feb/11/usernames/

This will go here:

The use-case is to support a "delete all my other sessions" function (we'll have an optional payload key for the current session token if called by a user themselves so they don't delete their current session). And also to clear all sessions for a user who must be locked everywhere.

Also add a check for authdb emptiness if the DB URL is provided and do autosetup if it's empty.

The list of environ vars to add awareness of (from deploy/authnzerver-environ.conf):

# listen address and port settings
AUTHNZERVER_PORT={{ authnzerver_listenport }}
AUTHNZERVER_LISTEN={{ authnzerver_listenaddr }}

# secret token and authentication DB URL
AUTHNZERVER_SECRET={{ authnzerver_secretkey }}
AUTHNZERVER_AUTHDB={{ authnzerver_authdb }}

# cache and base directory locations
AUTHNZERVER_CACHEDIR={{ authnzerver_cachedir }}
AUTHNZERVER_BASEDIR={{ authnzerver_basedir }}

# session expiry time in days and session cookie name
AUTHNZERVER_SESSIONEXPIRY={{ authnzerver_sessionexpiry }}
AUTHNZERVER_SESSIONCOOKIE={{ authnzerver_sessioncookiename }}

# email settings for sending emails to users
AUTHNZERVER_EMAILSENDER={{ authnzerver_emailsender }}
AUTHNZERVER_EMAILSERVER={{ authnzerver_emailserver }}
AUTHNZERVER_EMAILPORT={{ authnzerver_emailport }}
AUTHNZERVER_EMAILUSER={{ authnzerver_emailuser }}
AUTHNZERVER_EMAILPASS={{ authnzerver_emailpass }}

Maybe generate a permissions model from a provided JSON and a set of:

• roles
• actions that can be performed
• targets for actions
• things that can be returned
• number and rate/60sec limits on things that can be returned

Stacktrace:

authnzerver_1 | [I 200706 09:12:11 web:2246] 200 POST / (172.31.0.16) 1740.56ms
authnzerver_1 | [E 200706 09:17:38 handlers:292] Failed to understand request.
authnzerver_1 | authnzerver.external.futures37.process._RemoteTraceback:
authnzerver_1 | """
authnzerver_1 | Traceback (most recent call last):
authnzerver_1 | File "/home/authnzerver/authnzerver/external/futures37/process.py", line 246, in _process_worker
authnzerver_1 | r = call_item.fn(*call_item.args, **call_item.kwargs)
authnzerver_1 | File "/home/authnzerver/authnzerver/actions/user.py", line 994, in create_new_user
authnzerver_1 | pii_hash(rows['user_id'],payload['pii_salt']))
authnzerver_1 | TypeError: 'NoneType' object is not subscriptable
authnzerver_1 | """
authnzerver_1 |
authnzerver_1 | The above exception was the direct cause of the following exception:
authnzerver_1 |
authnzerver_1 | Traceback (most recent call last):
authnzerver_1 | File "/home/authnzerver/authnzerver/handlers.py", line 213, in post
authnzerver_1 | response = await loop.run_in_executor(
authnzerver_1 | TypeError: 'NoneType' object is not subscriptable
authnzerver_1 | [W 200706 09:17:38 web:2246] 400 POST / (172.31.0.16) 104.35ms
authnzerver_1 | [E 200706 09:21:12 handlers:292] Failed to understand request.
authnzerver_1 | authnzerver.external.futures37.process._RemoteTraceback:
authnzerver_1 | """
authnzerver_1 | Traceback (most recent call last):
authnzerver_1 | File "/home/authnzerver/authnzerver/external/futures37/process.py", line 246, in _process_worker
authnzerver_1 | r = call_item.fn(*call_item.args, **call_item.kwargs)
authnzerver_1 | File "/home/authnzerver/authnzerver/actions/user.py", line 994, in create_new_user
authnzerver_1 | pii_hash(rows['user_id'],payload['pii_salt']))
authnzerver_1 | TypeError: 'NoneType' object is not subscriptable
authnzerver_1 | """
authnzerver_1 |
authnzerver_1 | The above exception was the direct cause of the following exception:
authnzerver_1 |
authnzerver_1 | Traceback (most recent call last):
authnzerver_1 | File "/home/authnzerver/authnzerver/handlers.py", line 213, in post
authnzerver_1 | response = await loop.run_in_executor(
authnzerver_1 | TypeError: 'NoneType' object is not subscriptable
authnzerver_1 | [W 200706 09:21:12 web:2246] 400 POST / (172.31.0.16) 90.67ms

In here:

consider encrypting the API key like we do the password (might make things slower though).

In here:

We should:

• check if the API key hasn't expired ('exp' > utcnow())
• use the secrets.compare_digest() fn to compare instead of doing the equality check in the SQL expression

Obviously we'll never log passwords or PII. Should log the errors, etc. though. Should also:

• on errors and permissions failures, log session tokens and IP addresses with salted hashes to allow correlation, but not actual info exposure
• maybe log user IDs?

This might be more suited for the LCC-Server serving user_ids in JSON responses.

This will use the Tornado OAuth2, GoogleAuthMixin and TwitterAuthMixins to support for:

• Twitter
• Google
• Github

Should figure out how to do a client redirect bit and put that into the example as well.

This should be done by doing a async sleep until the time to sleep passes.