cista-storage/cista/auth.py

import hmac
import re
from time import time
from unicodedata import normalize

import argon2
import msgspec
from html5tagger import Document
from sanic import Blueprint, html, json, redirect
from sanic.exceptions import BadRequest, Forbidden, Unauthorized

from cista import config, session

_argon = argon2.PasswordHasher()
_droppyhash = re.compile(r"^([a-f0-9]{64})\$([a-f0-9]{8})$")


def _pwnorm(password):
    return normalize("NFC", password).strip().encode()


def login(username: str, password: str):
    un = _pwnorm(username)
    pw = _pwnorm(password)
    try:
        u = config.config.users[un.decode()]
    except KeyError:
        raise ValueError("Invalid username") from None
    # Verify password
    need_rehash = False
    if not u.hash:
        raise ValueError("Account disabled")
    if (m := _droppyhash.match(u.hash)) is not None:
        h, s = m.groups()
        h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()
        if not hmac.compare_digest(h, h2):
            raise ValueError("Invalid password")
        # Droppy hashes are weak, do a hash update
        need_rehash = True
    else:
        try:
            _argon.verify(u.hash, pw)
        except Exception:
            raise ValueError("Invalid password") from None
        if _argon.check_needs_rehash(u.hash):
            need_rehash = True
    # Login successful
    if need_rehash:
        set_password(u, password)
    now = int(time())
    u.lastSeen = now
    return u


def set_password(user: config.User, password: str):
    user.hash = _argon.hash(_pwnorm(password))


class LoginResponse(msgspec.Struct):
    user: str = ""
    privileged: bool = False
    error: str = ""


def verify(request, *, privileged=False):
    """Raise Unauthorized or Forbidden if the request is not authorized"""
    if privileged:
        if request.ctx.user:
            if request.ctx.user.privileged:
                return
            raise Forbidden("Access Forbidden: Only for privileged users")
    elif config.config.public or request.ctx.user:
        return
    raise Unauthorized("Login required", "cookie", context={"redirect": "/login"})


bp = Blueprint("auth")


@bp.get("/login")
async def login_page(request):
    doc = Document("Cista Login")
    with doc.div(id="login"):
        with doc.form(method="POST", autocomplete="on"):
            doc.h1("Login")
            doc.input(
                name="username",
                placeholder="Username",
                autocomplete="username",
                required=True,
            ).br
            doc.input(
                type="password",
                name="password",
                placeholder="Password",
                autocomplete="current-password",
                required=True,
            ).br
            doc.input(type="submit", value="Login")
        s = session.get(request)
        if s:
            name = s["username"]
            with doc.form(method="POST", action="/logout"):
                doc.input(type="submit", value=f"Logout {name}")
    flash = request.cookies.message
    if flash:
        doc.dialog(
            flash,
            id="flash",
            open=True,
            style="position: fixed; top: 0; left: 0; width: 100%; opacity: .8",
        )
    res = html(doc)
    if flash:
        res.cookies.delete_cookie("flash")
    if s is False:
        session.delete(res)
    return res


@bp.post("/login")
async def login_post(request):
    try:
        if request.headers.content_type == "application/json":
            username = request.json["username"]
            password = request.json["password"]
        else:
            username = request.form["username"][0]
            password = request.form["password"][0]
        if not username or not password:
            raise KeyError
    except KeyError:
        raise BadRequest(
            "Missing username or password",
            context={"redirect": "/login"},
        ) from None
    try:
        user = login(username, password)
    except ValueError as e:
        raise Forbidden(str(e), context={"redirect": "/login"}) from e

    if "text/html" in request.headers.accept:
        res = redirect("/")
        session.flash(res, "Logged in")
    else:
        res = json({"data": {"username": username, "privileged": user.privileged}})
    session.create(res, username)
    return res


@bp.post("/logout")
async def logout_post(request):
    s = request.ctx.session
    msg = "Logged out" if s else "Not logged in"
    if "text/html" in request.headers.accept:
        res = redirect("/login")
        res.cookies.add_cookie("flash", msg, max_age=5)
    else:
        res = json({"message": msg})
    session.delete(res)
    return res
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`import hmac`
			`import re`
			`from time import time`
			`from unicodedata import normalize`

			`import argon2`
			`import msgspec`
			`from html5tagger import Document`
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`from sanic import Blueprint, html, json, redirect`
			`from sanic.exceptions import BadRequest, Forbidden, Unauthorized`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
Refactoring and cleanup 2023-10-21 17:17:09 +01:00			`from cista import config, session`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
			`_argon = argon2.PasswordHasher()`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`_droppyhash = re.compile(r"^([a-f0-9]{64})\$([a-f0-9]{8})$")`

Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
			`def _pwnorm(password):`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`return normalize("NFC", password).strip().encode()`

Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
			`def login(username: str, password: str):`
			`un = _pwnorm(username)`
			`pw = _pwnorm(password)`
			`try:`
Refactor with its own entry point and startup script cista, instead of running via sanic. Config file handling and Droppy updates. HTTP redirection/acme server added. 2023-10-19 00:06:14 +01:00			`u = config.config.users[un.decode()]`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`except KeyError:`
Ruff 2023-11-01 19:36:10 +00:00			`raise ValueError("Invalid username") from None`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`# Verify password`
			`need_rehash = False`
			`if not u.hash:`
			`raise ValueError("Account disabled")`
			`if (m := _droppyhash.match(u.hash)) is not None:`
			`h, s = m.groups()`
			`h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()`
			`if not hmac.compare_digest(h, h2):`
			`raise ValueError("Invalid password")`
			`# Droppy hashes are weak, do a hash update`
			`need_rehash = True`
			`else:`
			`try:`
			`_argon.verify(u.hash, pw)`
			`except Exception:`
Ruff 2023-11-01 19:36:10 +00:00			`raise ValueError("Invalid password") from None`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`if _argon.check_needs_rehash(u.hash):`
			`need_rehash = True`
			`# Login successful`
			`if need_rehash:`
Refactor with its own entry point and startup script cista, instead of running via sanic. Config file handling and Droppy updates. HTTP redirection/acme server added. 2023-10-19 00:06:14 +01:00			`set_password(u, password)`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`now = int(time())`
			`u.lastSeen = now`
			`return u`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Refactor with its own entry point and startup script cista, instead of running via sanic. Config file handling and Droppy updates. HTTP redirection/acme server added. 2023-10-19 00:06:14 +01:00			`def set_password(user: config.User, password: str):`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`user.hash = _argon.hash(_pwnorm(password))`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`class LoginResponse(msgspec.Struct):`
			`user: str = ""`
			`privileged: bool = False`
			`error: str = ""`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Ruff 2023-11-01 19:36:10 +00:00			`def verify(request, *, privileged=False):`
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`"""Raise Unauthorized or Forbidden if the request is not authorized"""`
			`if privileged:`
			`if request.ctx.user:`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`if request.ctx.user.privileged:`
			`return`
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`raise Forbidden("Access Forbidden: Only for privileged users")`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`elif config.config.public or request.ctx.user:`
			`return`
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`raise Unauthorized("Login required", "cookie", context={"redirect": "/login"})`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`bp = Blueprint("auth")`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`@bp.get("/login")`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`async def login_page(request):`
			`doc = Document("Cista Login")`
			`with doc.div(id="login"):`
			`with doc.form(method="POST", autocomplete="on"):`
			`doc.h1("Login")`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`doc.input(`
			`name="username",`
			`placeholder="Username",`
			`autocomplete="username",`
			`required=True,`
			`).br`
			`doc.input(`
			`type="password",`
			`name="password",`
			`placeholder="Password",`
			`autocomplete="current-password",`
			`required=True,`
			`).br`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`doc.input(type="submit", value="Login")`
			`s = session.get(request)`
			`if s:`
			`name = s["username"]`
			`with doc.form(method="POST", action="/logout"):`
			`doc.input(type="submit", value=f"Logout {name}")`
Implemented control commands and tests. Rewritten error and session/flash handling. 2023-10-21 02:44:43 +01:00			`flash = request.cookies.message`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`if flash:`
Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00			`doc.dialog(`
			`flash,`
			`id="flash",`
			`open=True,`
			`style="position: fixed; top: 0; left: 0; width: 100%; opacity: .8",`
			`)`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`res = html(doc)`
			`if flash:`
			`res.cookies.delete_cookie("flash")`
			`if s is False:`
			`session.delete(res)`
			`return res`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`@bp.post("/login")`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`async def login_post(request):`
Login error handling and flash messages. Remove host prefix on cookies because of https://bugs.chromium.org/p/chromium/issues/detail?id=1245434 2023-10-19 17:55:59 +01:00			`try:`
Implemented control commands and tests. Rewritten error and session/flash handling. 2023-10-21 02:44:43 +01:00			`if request.headers.content_type == "application/json":`
Login error handling and flash messages. Remove host prefix on cookies because of https://bugs.chromium.org/p/chromium/issues/detail?id=1245434 2023-10-19 17:55:59 +01:00			`username = request.json["username"]`
			`password = request.json["password"]`
			`else:`
			`username = request.form["username"][0]`
			`password = request.form["password"][0]`
			`if not username or not password:`
			`raise KeyError`
			`except KeyError:`
Ruff 2023-11-01 19:36:10 +00:00			`raise BadRequest(`
			`"Missing username or password",`
			`context={"redirect": "/login"},`
			`) from None`
Login error handling and flash messages. Remove host prefix on cookies because of https://bugs.chromium.org/p/chromium/issues/detail?id=1245434 2023-10-19 17:55:59 +01:00			`try:`
			`user = login(username, password)`
			`except ValueError as e:`
Ruff 2023-11-01 19:36:10 +00:00			`raise Forbidden(str(e), context={"redirect": "/login"}) from e`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00
Implemented control commands and tests. Rewritten error and session/flash handling. 2023-10-21 02:44:43 +01:00			`if "text/html" in request.headers.accept:`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`res = redirect("/")`
Implemented control commands and tests. Rewritten error and session/flash handling. 2023-10-21 02:44:43 +01:00			`session.flash(res, "Logged in")`
			`else:`
			`res = json({"data": {"username": username, "privileged": user.privileged}})`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`session.create(res, username)`
			`return res`

Formatting and fix Internal Server Error on upload 2023-10-28 21:20:34 +01:00
Cleanup, bugfixes. Added access control on files and API. 2023-10-23 02:51:39 +01:00			`@bp.post("/logout")`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`async def logout_post(request):`
Implemented control commands and tests. Rewritten error and session/flash handling. 2023-10-21 02:44:43 +01:00			`s = request.ctx.session`
			`msg = "Logged out" if s else "Not logged in"`
			`if "text/html" in request.headers.accept:`
			`res = redirect("/login")`
			`res.cookies.add_cookie("flash", msg, max_age=5)`
			`else:`
			`res = json({"message": msg})`
Implemented login page and new jwt-based sessions. Watching cleanup. 2023-10-17 23:06:27 +01:00			`session.delete(res)`
			`return res`