Authenticators

exception keg_auth.libs.authenticators.AttemptBlocked

class keg_auth.libs.authenticators.DefaultPasswordPolicy
    A bare-bones, very permissive policy to use as a default if none is set on initialization.

class keg_auth.libs.authenticators.ForgotPasswordViewResponder(parent)
    Master responder for keg-integrated logins, using an email form.

    form_cls
        alias of keg_auth.forms.ForgotPassword

    get_last_limiting_attempt(username)
        Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.
        For login, this will be the last failed attempt. For password reset, this will be the last attempt.

    get_limiting_attempt_count(before_time, username)
        Return the number of attempts that count toward the limit up to before_time.
class keg_auth.libs.authenticators.FormResponderMixin
    Wrap form usage for auth responders; contains GET and POST handlers.

class keg_auth.libs.authenticators.JwtRequestLoader(app)
    Loader for JWT tokens contained in the Authorization header.
    Requires flask-jwt-extended (pip install keg-auth[jwt]).

class keg_auth.libs.authenticators.KegAuthenticator(app)
    Uses username/password authentication with a login form; validates against the keg-auth db.

    is_domain_excluded(login_id)
        Domains configured for OAuth access are excluded from the password authenticator. Any operations not using verify_user should check for exclusion.
class keg_auth.libs.authenticators.LdapAuthenticator(app)
    Uses username/password authentication with a login form; validates against an LDAP host.
    Most responder types won't be relevant here.

    verify_password(user, password)
        Check the given username/password combination at the application's configured LDAP server. Returns True if the user authentication is successful, False otherwise.
        NOTE: By request, authentication can be bypassed by setting the KEGAUTH_LDAP_TEST_MODE configuration setting to True. When set, all authentication attempts will succeed!
class keg_auth.libs.authenticators.LoginAuthenticator(app)
    Manages verification of users as well as relevant view-layer logic.
    Relevant auth views (login, verification, resets, etc.) get passed through to responders on this layer, to process and render for the specific type of authentication happening.
    For example, a password authenticator will want a user/password login form, but other types like OAuth may get a different form entirely (and handle resets differently, etc.).
    responder_cls is a key/value store for associating view keys with responder classes. If a view key is not present, we assume that view is not relevant to the authenticator, and the view itself will return 404.

class keg_auth.libs.authenticators.LoginResponderMixin
    Wrap user authentication view-layer logic: flash messages, what to do when a user has been authenticated (by whatever method the parent authenticator uses), redirects to a safe URL after login, etc.

    static is_safe_url(target)
        Returns True if the target is a valid URL for redirect.
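The kind of check is_safe_url performs, as an added example that is not keg-auth's own implementation: it only accepts redirect targets that resolve to the same scheme and host as the current request, so a post-login `next` parameter cannot send the user off-site. The host_url default is a constructed stand-in for the request's base URL.

```python
from urllib.parse import urljoin, urlparse


def is_safe_url(target, host_url="https://app.example.com/"):
    """Return True only if `target` redirects within our own scheme and host.

    host_url stands in for the current request's base URL (constructed value).
    Relative paths such as "/dashboard" resolve against it and pass. Absolute
    URLs on other hosts, scheme-relative "//other.host" targets, non-http
    schemes, userinfo tricks ("https://app.example.com@other.host/") and
    backslash variants ("/\\other.host", which browsers normalise to
    "//other.host") are all rejected, as is a downgrade to http.
    """
    if not target or "\\" in target:
        return False
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme == ref.scheme and test.netloc.lower() == ref.netloc.lower()
```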
class keg_auth.libs.authenticators.LogoutViewResponder(parent)

class keg_auth.libs.authenticators.OAuthAuthenticator(app)
    Uses OAuth authentication via authlib; validates user info against the keg-auth db.

class keg_auth.libs.authenticators.OAuthAuthorizeViewResponder(parent)
    OAuth logins, using a provider via authlib.

class keg_auth.libs.authenticators.OAuthLoginViewResponder(parent)
    OAuth logins, using a provider via authlib.

class keg_auth.libs.authenticators.PasswordAuthenticatorMixin
    Username/password authenticators will need a way to verify a user is valid prior to making it the current user in flask-login.

class keg_auth.libs.authenticators.PasswordCharset(name, alphabet)
    alphabet
        Alias for field number 1

    name
        Alias for field number 0
class keg_auth.libs.authenticators.PasswordFormViewResponder(parent)
    Master responder for username/password-style logins, using a login form.

    get_last_limiting_attempt(username)
        Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.
        For login, this will be the last failed attempt. For password reset, this will be the last attempt.

    get_limiting_attempt_count(before_time, username)
        Return the number of attempts that count toward the limit up to before_time.
class keg_auth.libs.authenticators.PasswordPolicy
    A base class that defines password requirements for the application. This class defines some basic, common validations and can be extended or limited by subclassing.
    To define additional password checks, create a method on your subclass that accepts a password string and a user entity object and raises PasswordPolicyError if the password does not meet the requirement you intend to check. Then override password_checks to add your method to the returned list of methods.
    To remove a password check that is enabled by default, override password_checks and return only the methods you wish to use.
    Default settings are based on NIST guidelines and some common restrictions.

    check_character_set(pw: str, user)
        Raises PasswordPolicyError if a password does not contain at least one character from at least required_at_least_char_types of the alphabets in required_char_sets.
        :param pw: password to check
        :param user: user entity

    check_does_not_contain_username(pw: str, user)
        Raises PasswordPolicyError if the password contains the username. This is case insensitive.
        :param pw: password to check
        :param user: user entity

    check_length(pw: str, user)
        Raises PasswordPolicyError if a password is not at least min_length characters long.
        :param pw: password to check
        :param user: user entity

    min_length = 8

    required_char_types = [PasswordCharset(name='lowercase letter', alphabet='abcdefghijklmnopqrstuvwxyz'), PasswordCharset(name='uppercase letter', alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ'), PasswordCharset(name='number', alphabet='0123456789'), PasswordCharset(name='symbol', alphabet='!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')]
        Character sets used for checking minimum "complexity" in check_character_set validation.

    The minimum number of different character types required in check_character_set validation is set by a separate attribute (referred to as required_at_least_char_types in check_character_set).
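The subclassing recipe above, worked through as an added example. The base class here is a constructed stand-in that mirrors the documented interface (check methods taking `pw` and `user`, `password_checks` returning the enabled methods, `PasswordPolicyError`), not keg-auth's own code; the value of `required_at_least_char_types` and the `User` stand-in are assumptions, and `BlocklistPolicy` is a hypothetical subclass that adds one check and drops the character-set check.

```python
from collections import namedtuple

PasswordCharset = namedtuple("PasswordCharset", ["name", "alphabet"])
User = namedtuple("User", ["username"])  # minimal stand-in for the user entity


class PasswordPolicyError(Exception):
    pass


class PasswordPolicy:
    min_length = 8
    required_at_least_char_types = 3  # assumed default; the page does not state the value
    required_char_types = [
        PasswordCharset("lowercase letter", "abcdefghijklmnopqrstuvwxyz"),
        PasswordCharset("uppercase letter", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
        PasswordCharset("number", "0123456789"),
        PasswordCharset("symbol", "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),
    ]

    def check_length(self, pw: str, user):
        if len(pw) < self.min_length:
            raise PasswordPolicyError(f"at least {self.min_length} characters required")

    def check_character_set(self, pw: str, user):
        kinds = sum(1 for cs in self.required_char_types if any(c in cs.alphabet for c in pw))
        if kinds < self.required_at_least_char_types:
            raise PasswordPolicyError(f"at least {self.required_at_least_char_types} character types required")

    def check_does_not_contain_username(self, pw: str, user):
        if user.username.lower() in pw.lower():  # case insensitive, as documented
            raise PasswordPolicyError("password must not contain the username")

    def password_checks(self):
        return [self.check_length, self.check_character_set, self.check_does_not_contain_username]

    def violations(self, pw: str, user):
        # Run every enabled check; an empty list means the password is acceptable.
        errors = []
        for check in self.password_checks():
            try:
                check(pw, user)
            except PasswordPolicyError as exc:
                errors.append(str(exc))
        return errors


class BlocklistPolicy(PasswordPolicy):
    """Hypothetical subclass: adds a blocklist check and drops the character-set check."""
    blocklist = {"password", "letmein", "qwerty123"}  # constructed sample entries

    def check_not_in_blocklist(self, pw: str, user):
        if pw.lower() in self.blocklist:
            raise PasswordPolicyError("password is on the blocklist")

    def password_checks(self):
        return [self.check_length, self.check_does_not_contain_username, self.check_not_in_blocklist]
```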
exception keg_auth.libs.authenticators.PasswordPolicyError

class keg_auth.libs.authenticators.PasswordSetterResponderBase(parent)
    Base logic for resetting passwords and verifying accounts via token.

    form_cls
        alias of keg_auth.forms.SetPassword

class keg_auth.libs.authenticators.RedirectAuthenticator(app)
    Redirects to another source for authentication. Useful for when we have an OAuth source in mind for primary auth. We will want to redirect /login there, keep /logout, and direct other responder keys to return 404.
    Use KEGAUTH_REDIRECT_LOGIN_TARGET to set the login target.

class keg_auth.libs.authenticators.RedirectLoginViewResponder(parent)

class keg_auth.libs.authenticators.RequestLoader(app)
    Generic loader interface for determining if a user should be logged in.

class keg_auth.libs.authenticators.ResetPasswordViewResponder(parent)
    Responder for resetting passwords via token on keg-auth logins.

    get_last_limiting_attempt(username)
        Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.
        For login, this will be the last failed attempt. For password reset, this will be the last attempt.

    get_limiting_attempt_count(before_time, username)
        Return the number of attempts that count toward the limit up to before_time.
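The lockout rule shared by the get_last_limiting_attempt and get_limiting_attempt_count methods of ForgotPasswordViewResponder, PasswordFormViewResponder and ResetPasswordViewResponder, worked through as an added example (not keg-auth's code): for login only failed attempts count, for password reset every attempt counts, and the last limiting attempt caused a lockout if the counting attempts before it within the window, plus itself, reach the limit. The limit, window and attempt log are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    username: str
    at: datetime
    kind: str      # "login" or "reset"
    success: bool


class AttemptLimiter:
    def __init__(self, attempts, limit, timespan):
        self.attempts = attempts
        self.limit = limit          # attempts allowed within `timespan` (assumed config values)
        self.timespan = timespan

    def _counts(self, a, kind):
        # Login: only failures count toward the limit. Reset: every attempt counts.
        return a.kind == kind and (kind == "reset" or not a.success)

    def get_last_limiting_attempt(self, username, kind):
        matching = [a for a in self.attempts if a.username == username and self._counts(a, kind)]
        return max(matching, key=lambda a: a.at) if matching else None

    def get_limiting_attempt_count(self, before_time, username, kind):
        start = before_time - self.timespan
        return sum(1 for a in self.attempts
                   if a.username == username and self._counts(a, kind) and start <= a.at < before_time)

    def is_blocked(self, username, kind):
        last = self.get_last_limiting_attempt(username, kind)
        if last is None:
            return False
        # Earlier counting attempts in the window plus the last attempt itself reach the limit.
        return self.get_limiting_attempt_count(last.at, username, kind) + 1 >= self.limit


# Constructed sample attempt log (not real data).
T = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Attempt("alice", T - timedelta(minutes=10), "login", False),
    Attempt("alice", T - timedelta(minutes=8), "login", False),
    Attempt("alice", T - timedelta(minutes=5), "login", False),
    Attempt("alice", T - timedelta(minutes=3), "reset", False),
    Attempt("bob", T - timedelta(hours=2), "login", False),   # outside the one-hour window
    Attempt("bob", T - timedelta(minutes=2), "login", False),
    Attempt("bob", T - timedelta(minutes=1), "login", True),  # a success never counts for login
]
LIMITER = AttemptLimiter(SAMPLE, limit=3, timespan=timedelta(hours=1))
```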
class keg_auth.libs.authenticators.TokenLoaderMixin
    Token authenticators will need a way to generate an access token, which will then be loaded in the request to log a user into flask-login.

class keg_auth.libs.authenticators.TokenRequestLoader(app)

exception keg_auth.libs.authenticators.UserInactive(user)

exception keg_auth.libs.authenticators.UserInvalidAuth(user)

exception keg_auth.libs.authenticators.UserNotFound

class keg_auth.libs.authenticators.VerifyAccountViewResponder(parent)
    Responder for verifying users via email token for keg-auth logins.

class keg_auth.libs.authenticators.ViewResponder(parent)
    View-layer logic wrapper for use in the Authenticator.
    Responder should be combined with needed mixins for various functionality (forms, logins, etc.).
    Expected to have methods named for the request method (get, post, etc.).
    template_name is passed to flask.render_template by default.

    handle_csrf()
        For some views that are rate-limited, we want to log all attempts, including those that would fail CSRF validation. Because of this, we need to circumvent flask-csrf's default before-request hook. The auth manager will work to exempt any of our auth endpoints whose class is marked with _csrf_custom_handling.
        If CSRF fails, ensure the attempt is logged, and then raise the error.
        If CSRF succeeds, the ensuing view responder methods should do any appropriate logging.