Authenticators

exception keg_auth.libs.authenticators.AttemptBlocked
class keg_auth.libs.authenticators.DefaultPasswordPolicy

A bare-bones, very permissive policy to use as a default if none is set on initialization.

class keg_auth.libs.authenticators.ForgotPasswordViewResponder(parent)

Master responder for keg-integrated logins, using an email form

form_cls

alias of keg_auth.forms.ForgotPassword

get_last_limiting_attempt(username)

Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.

For login, this will be the last failed attempt. For password reset, this will be the last attempt.

get_limiting_attempt_count(before_time, username)

Return the number of attempts that count toward the limit up to before_time.

class keg_auth.libs.authenticators.FormResponderMixin

Wrap form usage for auth responders, contains GET and POST handlers

class keg_auth.libs.authenticators.JwtRequestLoader(app)

Loader for JWT tokens contained in the Authorization header.

Requires flask-jwt-extended (pip install keg-auth[jwt])

class keg_auth.libs.authenticators.KegAuthenticator(app)

Uses username/password authentication with a login form, validates against keg-auth db

is_domain_excluded(login_id)

Domains configured for OAuth access are excluded from the password authenticator.

Any operations not using verify_user should check for exclusion.

class keg_auth.libs.authenticators.LdapAuthenticator(app)

Uses username/password authentication with a login form, validates against LDAP host

Most responder types won’t be relevant here.

verify_password(user, password)

Check the given username/password combination at the application’s configured LDAP server. Returns True if the user authentication is successful, False otherwise.

NOTE: By request, authentication can be bypassed by setting the KEGAUTH_LDAP_TEST_MODE configuration setting to True. When set, all authentication attempts will succeed!

class keg_auth.libs.authenticators.LoginAuthenticator(app)

Manages verification of users as well as relevant view-layer logic

Relevant auth views (login, verification, resets, etc.) get passed through to responders on this layer, to process and render for the specific type of authentication happening.

For example, a password authenticator will want a user/password login form, but other types like oauth may get a different form entirely (and handle resets differently, etc.).

responder_cls is a key/value store for associating view keys with responder classes. If a view key is not present, we assume that view is not relevant to the authenticator, and the view itself will return 404.

class keg_auth.libs.authenticators.LoginResponderMixin

Wrap user authentication view-layer logic

Flash messages, what to do when a user has been authenticated (by whatever method the parent authenticator uses), redirects to a safe URL after login, etc.

static is_safe_url(target)

Returns True if the target is a valid URL for redirect
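As an added illustration of the check is_safe_url performs (this is not keg-auth's own implementation; it assumes a host URL of https://app.example.com/ as the origin to compare against), a redirect target is accepted only when it resolves to the same scheme and host as the application, which keeps the post-login redirect from being turned into an open redirect:

```python
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the documented is_safe_url check. The host URL is an
# assumed value; a real application would take it from the current request.
HOST_URL = "https://app.example.com/"


def is_safe_url(target: str, host_url: str = HOST_URL) -> bool:
    """Return True if `target` resolves to an http(s) URL on the same host as `host_url`."""
    if not target:
        return False
    # Browsers treat backslashes as path separators; refuse them rather than
    # trying to guess how a given client will normalise the URL.
    if "\\" in target:
        return False
    ref = urlparse(host_url)
    # urljoin resolves relative paths ("/account") against the host URL, while
    # absolute ("https://evil.example/") and scheme-relative ("//evil.example/")
    # targets keep their own netloc and therefore fail the host comparison.
    test = urlparse(urljoin(host_url, target))
    if test.scheme not in ("http", "https"):
        return False
    return test.netloc.lower() == ref.netloc.lower()


def resolve_next(target: str, fallback: str = "/") -> str:
    """Pick the redirect to use after login: the requested target if safe, else the fallback."""
    return target if is_safe_url(target) else fallback


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/", "javascript:alert(1)",
                      "https://app.example.com@evil.example/"]:
        print(f"{candidate!r}: redirect to {resolve_next(candidate)!r}")
```

The userinfo form (`https://app.example.com@evil.example/`) is rejected because the parsed netloc includes the `@` portion and no longer matches the application host.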

class keg_auth.libs.authenticators.LogoutViewResponder(parent)
class keg_auth.libs.authenticators.OAuthAuthenticator(app)

Uses OAuth authentication via authlib, validates user info against keg-auth db

class keg_auth.libs.authenticators.OAuthAuthorizeViewResponder(parent)

OAuth logins, using a provider via authlib

class keg_auth.libs.authenticators.OAuthLoginViewResponder(parent)

OAuth logins, using a provider via authlib

class keg_auth.libs.authenticators.PasswordAuthenticatorMixin

Username/password authenticators will need a way to verify a user is valid prior to making it the current user in flask login

class keg_auth.libs.authenticators.PasswordCharset(name, alphabet)

alphabet

Alias for field number 1

name

Alias for field number 0

class keg_auth.libs.authenticators.PasswordFormViewResponder(parent)

Master responder for username/password-style logins, using a login form

get_last_limiting_attempt(username)

Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.

For login, this will be the last failed attempt. For password reset, this will be the last attempt.

get_limiting_attempt_count(before_time, username)

Return the number of attempts that count toward the limit up to before_time.

class keg_auth.libs.authenticators.PasswordPolicy

A base class that defines password requirements for the application. This class defines some basic, common validations and can be extended or limited by subclassing.

To define additional password checks, create a method on your subclass that accepts a password string and a user entity object and raises PasswordPolicyError if the password does not meet the requirement you intend to check. Then override password_checks to add your method to the returned list of methods.

To remove a password check that is enabled by default, override password_checks and return only the methods you wish to use.

Default settings are based on NIST guidelines and some common restrictions.

check_character_set(pw: str, user)

Raises PasswordPolicyError if a password does not contain at least one character from at least required_at_least_char_types of the alphabets in required_char_sets.

:param pw: password to check
:param user: user entity

check_does_not_contain_username(pw: str, user)

Raises PasswordPolicyError if the password contains the username. This is case insensitive.

:param pw: password to check
:param user: user entity

check_length(pw: str, user)

Raises PasswordPolicyError if a password is not at least min_length characters long.

:param pw: password to check
:param user: user entity

min_length = 8

required_char_types = [PasswordCharset(name='lowercase letter', alphabet='abcdefghijklmnopqrstuvwxyz'), PasswordCharset(name='uppercase letter', alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ'), PasswordCharset(name='number', alphabet='0123456789'), PasswordCharset(name='symbol', alphabet='!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')]

Character sets used for checking minimum “complexity” in check_character_set validation

Minimum character number of different character types required in check_character_set validation
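The subclassing pattern described for PasswordPolicy, as an added worked example. The base class below is a self-contained stand-in that mirrors the documented interface (check_length, check_character_set, check_does_not_contain_username, password_checks, the min_length and required_char_types attributes); it is not keg-auth's own code. The attribute name required_at_least_char_types and its value of 3, the user entity having a username attribute, the check_password helper and the sample deny list are all assumptions made for the example:

```python
import string
from collections import namedtuple

PasswordCharset = namedtuple("PasswordCharset", ["name", "alphabet"])
User = namedtuple("User", ["username"])  # assumed minimal user entity


class PasswordPolicyError(Exception):
    """Raised by a check when the password does not meet a requirement."""


class PasswordPolicy:
    """Stand-in for the documented base policy (not keg-auth's implementation)."""

    min_length = 8
    required_char_types = [
        PasswordCharset("lowercase letter", string.ascii_lowercase),
        PasswordCharset("uppercase letter", string.ascii_uppercase),
        PasswordCharset("number", string.digits),
        PasswordCharset("symbol", string.punctuation),
    ]
    required_at_least_char_types = 3  # assumed value for the example

    def password_checks(self):
        """The checks applied in order; subclasses override this to add or drop checks."""
        return [self.check_length, self.check_character_set, self.check_does_not_contain_username]

    def check_length(self, pw: str, user):
        if len(pw) < self.min_length:
            raise PasswordPolicyError(f"Password must be at least {self.min_length} characters long")

    def check_character_set(self, pw: str, user):
        # Count how many of the configured alphabets contribute at least one character.
        present = sum(1 for cs in self.required_char_types if any(c in cs.alphabet for c in pw))
        if present < self.required_at_least_char_types:
            names = ", ".join(cs.name for cs in self.required_char_types)
            raise PasswordPolicyError(
                f"Password must contain at least {self.required_at_least_char_types} of: {names}")

    def check_does_not_contain_username(self, pw: str, user):
        if user.username and user.username.lower() in pw.lower():
            raise PasswordPolicyError("Password may not contain the username")


class DenyListPolicy(PasswordPolicy):
    """Adds a check: reject passwords on a (constructed) list of commonly used passwords."""

    denied = {"password", "12345678", "qwertyuiop"}  # constructed sample list

    def check_not_in_deny_list(self, pw: str, user):
        if pw.lower() in self.denied:
            raise PasswordPolicyError("Password appears in a list of commonly used passwords")

    def password_checks(self):
        return super().password_checks() + [self.check_not_in_deny_list]


class LengthOnlyPolicy(PasswordPolicy):
    """Removes default checks: only a longer minimum length is enforced."""

    min_length = 12

    def password_checks(self):
        return [self.check_length]


def check_password(policy: PasswordPolicy, pw: str, user) -> list:
    """Run every check of `policy`; return the list of failure messages (empty means accepted)."""
    errors = []
    for check in policy.password_checks():
        try:
            check(pw, user)
        except PasswordPolicyError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    alice = User("alice")
    for policy in (PasswordPolicy(), DenyListPolicy(), LengthOnlyPolicy()):
        for pw in ("Tr0ub4dor&3", "alice2024!", "qwertyuiop"):
            print(type(policy).__name__, repr(pw), check_password(policy, pw, alice) or "accepted")
```

Collecting every failure rather than stopping at the first lets the form report all unmet requirements at once, while each individual check still raises PasswordPolicyError exactly as the documented interface expects.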

exception keg_auth.libs.authenticators.PasswordPolicyError
class keg_auth.libs.authenticators.PasswordSetterResponderBase(parent)

Base logic for resetting passwords and verifying accounts via token

form_cls

alias of keg_auth.forms.SetPassword

class keg_auth.libs.authenticators.RedirectAuthenticator(app)

Redirects to another source for authentication. Useful for when we have an OAuth source in mind for primary auth. We will want to redirect /login there, keep /logout, and direct other responder keys to return 404.

Use KEGAUTH_REDIRECT_LOGIN_TARGET to set the login target.

class keg_auth.libs.authenticators.RedirectLoginViewResponder(parent)
class keg_auth.libs.authenticators.RequestLoader(app)

Generic loader interface for determining if a user should be logged in

class keg_auth.libs.authenticators.ResetPasswordViewResponder(parent)

Responder for resetting passwords via token on keg-auth logins

get_last_limiting_attempt(username)

Get the last attempt that counts toward the limit count. Attempts that count toward the limit before this attempt will be counted to determine if this attempt caused a lockout.

For login, this will be the last failed attempt. For password reset, this will be the last attempt.

get_limiting_attempt_count(before_time, username)

Return the number of attempts that count toward the limit up to before_time.
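The limiting-attempt logic documented on get_last_limiting_attempt and get_limiting_attempt_count (here and on the login and forgot-password responders above), as an added worked example that is not keg-auth's own implementation. It assumes an in-memory list of attempt records with username, time, success flag and type, a configurable limit and timespan, and the lockout rule that an attempt triggers a lockout when the limiting attempts in the timespan ending at that attempt reach the limit; for login only failed attempts count, for password reset every attempt counts:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Attempt:
    username: str
    attempt_time: datetime
    success: bool
    attempt_type: str  # "login" or "reset"


class AttemptLimiter:
    """Stand-in for the documented attempt limiting (assumed in-memory store and rule)."""

    def __init__(self, attempts: List[Attempt], attempt_type: str, limit: int, timespan: timedelta):
        self.attempts = sorted(attempts, key=lambda a: a.attempt_time)
        self.attempt_type = attempt_type
        self.limit = limit
        self.timespan = timespan

    def _counts_toward_limit(self, attempt: Attempt) -> bool:
        if attempt.attempt_type != self.attempt_type:
            return False
        # Login: only failures count. Reset: every attempt counts, successful or not.
        return (not attempt.success) if self.attempt_type == "login" else True

    def get_last_limiting_attempt(self, username: str) -> Optional[Attempt]:
        """Most recent attempt by `username` that counts toward the limit, or None."""
        limiting = [a for a in self.attempts
                    if a.username == username and self._counts_toward_limit(a)]
        return limiting[-1] if limiting else None

    def get_limiting_attempt_count(self, before_time: datetime, username: str) -> int:
        """Number of limiting attempts in the window (before_time - timespan, before_time]."""
        window_start = before_time - self.timespan
        return sum(1 for a in self.attempts
                   if a.username == username and self._counts_toward_limit(a)
                   and window_start < a.attempt_time <= before_time)

    def is_locked_out(self, username: str) -> bool:
        """True if the last limiting attempt pushed the count in its window to the limit."""
        last = self.get_last_limiting_attempt(username)
        if last is None:
            return False
        return self.get_limiting_attempt_count(last.attempt_time, username) >= self.limit


def build_sample():
    """Constructed attempt log: three users, a 3-attempt limit over a 10-minute window."""
    t = datetime(2024, 1, 1, 12, 0)
    attempts = [
        # alice: one stale failure outside the window, then three failures inside it
        Attempt("alice", t - timedelta(minutes=30), False, "login"),
        Attempt("alice", t, False, "login"),
        Attempt("alice", t + timedelta(minutes=2), False, "login"),
        Attempt("alice", t + timedelta(minutes=4), False, "login"),
        # bob: two failures, then a success (successes do not count for login)
        Attempt("bob", t, False, "login"),
        Attempt("bob", t + timedelta(minutes=1), False, "login"),
        Attempt("bob", t + timedelta(minutes=3), True, "login"),
        # carol: three password reset attempts, all of which count regardless of outcome
        Attempt("carol", t, True, "reset"),
        Attempt("carol", t + timedelta(minutes=5), True, "reset"),
        Attempt("carol", t + timedelta(minutes=9), False, "reset"),
    ]
    login = AttemptLimiter(attempts, "login", limit=3, timespan=timedelta(minutes=10))
    reset = AttemptLimiter(attempts, "reset", limit=3, timespan=timedelta(minutes=10))
    return login, reset


if __name__ == "__main__":
    login, reset = build_sample()
    for user in ("alice", "bob", "carol"):
        print(user, "login locked:", login.is_locked_out(user), "reset locked:", reset.is_locked_out(user))
```

Keying the window off the last limiting attempt rather than the current clock means the lockout decision is reproducible from the attempt log alone, which is what makes the count useful for auditing as well as enforcement.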

class keg_auth.libs.authenticators.TokenLoaderMixin

Token authenticators will need a way to generate an access token, which will then be loaded in the request to log a user into flask-login

class keg_auth.libs.authenticators.TokenRequestLoader(app)
exception keg_auth.libs.authenticators.UserInactive(user)
exception keg_auth.libs.authenticators.UserInvalidAuth(user)
exception keg_auth.libs.authenticators.UserNotFound
class keg_auth.libs.authenticators.VerifyAccountViewResponder(parent)

Responder for verifying users via email token for keg-auth logins

class keg_auth.libs.authenticators.ViewResponder(parent)

View-layer logic wrapper for use in the Authenticator

Responder should be combined with needed mixins for various functionality (forms, logins, etc.).

Expected to have methods named for the request method (get, post, etc.)

template_name is passed to flask.render_template by default

handle_csrf()

For some views that are rate-limited, we want to log all attempts, including those that would fail CSRF validation. Because of this, we need to circumvent flask-csrf’s default before-request hook. The auth manager will work to exempt any of our auth endpoints whose class is marked with _csrf_custom_handling.

If CSRF fails, ensure the attempt is logged, and then raise the error.

If CSRF succeeds, the ensuing view responder methods should do any appropriate logging.