class keg_auth.model.__init__.AttemptMixin

Generic mixin for logging user login attempts.

classmethod purge_attempts(username=None, older_than=None, attempt_type=None)

Delete attempt records optionally filtered by username, age, or type.

class keg_auth.model.__init__.BundleMixin

Generic mixin for permission bundles.

class keg_auth.model.__init__.GroupMixin

Generic mixin for user groups.

exception keg_auth.model.__init__.InvalidToken

class keg_auth.model.__init__.KAPasswordType(max_length=None, **kwargs)

Return a TypeEngine object corresponding to a dialect.

This is an end-user override hook that can be used to provide differing types depending on the given dialect. It is used by the TypeDecorator implementation of type_engine() to help determine what type should ultimately be returned for a given TypeDecorator.

By default returns self.impl.

class keg_auth.model.__init__.PermissionMixin

Generic mixin for permissions.

class keg_auth.model.__init__.UserEmailMixin

Mixin for users who will be authenticated by email/password.

change_password(token, new_password)

Change a password based on token authorization.

class keg_auth.model.__init__.UserMixin

Generic mixin for user entities.


Create salt data for password reset token signing. The return value will be hashed together with the signing key. This ensures that a change to any of the fields included in the salt invalidates any tokens produced with the old values. Values included:

  • user login identifier -> if the username/email changes, it will invalidate the user token
  • is_active -> any time a user verifies, it will invalidate a token
  • current password hash, or empty string if no password has been set -> if the password is updated, we want to invalidate the token
  • last login time -> any time a user logs in, it will invalidate any verification and reset password emails

Returns: JSON string of list containing the values listed above

Create a new token for this user. The returned value is an expiring JWT signed with the application’s crypto key. Externally this token should be treated as opaque. The value returned by this function must not be persisted.

Returns: a string representation of the generated token

token_verify(token, _use_legacy=False, _block_legacy=False)

Verify a password reset token. The token is validated for:

  • user identity
  • tampering
  • expiration
  • password was not already reset since token was generated
  • user has not signed in since token was generated

Parameters: token – string representation of token to verify
Returns: bool indicating token validity

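
The salt and verification checks described above, as an added standalone sketch that is not keg_auth's own code: it replaces the JWT with a standard-library HMAC over a base64 payload, and the function names, user dict keys and key value are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the app's crypto key


def reset_token_salt(user):
    # JSON list of the four values listed above (dict keys are assumed names).
    return json.dumps([user["email"], user["is_active"],
                       user["password_hash"] or "", user["last_login_utc"]])


def _signing_key(user):
    # Salt hashed together with the key: any change in user state changes the key.
    return hmac.new(SECRET_KEY, reset_token_salt(user).encode(), hashlib.sha256).digest()


def _sign(user, body):
    return hmac.new(_signing_key(user), body.encode(), hashlib.sha256).hexdigest()


def make_reset_token(user, ttl=3600, now=None):
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"sub": user["id"], "exp": issued + ttl}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return body + "." + _sign(user, body)


def verify_reset_token(user, token, now=None):
    current = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(user, body)):
            return False  # tampered, or salt fields changed since the token was issued
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token
    return payload["sub"] == user["id"] and payload["exp"] > current


def demo_user():
    # Constructed sample record, not a keg_auth entity.
    return {"id": 7, "email": "a@example.com", "is_active": True,
            "password_hash": "constructed-hash-1", "last_login_utc": None}


if __name__ == "__main__":
    u = demo_user()
    t = make_reset_token(u)
    print(verify_reset_token(u, t))                               # fresh token
    print(verify_reset_token(dict(u, password_hash="new"), t))    # after password change
```

Because the user's state feeds the signing key, nothing has to be stored or revoked server-side: a password change or login makes every outstanding token fail its signature check.
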
class keg_auth.model.__init__.UserTokenMixin

Mixin for users who will be authenticated by tokens.

classmethod generate_raw_auth_token(length=32, entropy=None, charset='ascii_50')

Return a raw authentication token

NOTE(nZac): You should not store this directly in the database. When using this mixin, simply setting this value to self.token = generate_raw_auth_token is enough (though, there is a helper method for that reset_auth_token).


Reset the authentication token for this user

Takes the same parameter as generate_auth_token


Based on the registered user entity, find the column representing the login ID.