Commit graph

33 commits

Author SHA1 Message Date
179c8265cf
[#419] Added ability to view and remove API tokens. 2024-07-27 01:43:18 +02:00
91f6beb349
[#419] API tokens - backend implementation. 2024-07-26 02:29:40 +02:00
79dc5e238d
[core] Skip 2FA code verification for JWT tokens. 2024-07-25 02:23:07 +02:00
a11f17aa8f
[core] Encrypt users 2FA backup codes with bcrypt.
Instead of RSA - decrypting is unnecessary.
2024-07-25 02:23:07 +02:00
8ec1ca8543
[#339] Backend preparation for 2FA support. 2024-07-25 00:47:04 +02:00
357d92b479
[core] Added current_user() HTTP utility. 2024-07-24 00:49:21 +02:00
2033f9760a
[core] Refactoring user/authentication layer.
- Separated the user model/db classes from the `UserManager`.
- More consistent naming for the flag on the `authenticate_*` functions
  that enables returning a tuple with the authentication status - all
  those flags are now named `with_status`.
2024-07-23 22:44:40 +02:00
ee27b2c4c6
[core] Refactored Web login/registration layer.
Instead of having a single Flask-provided endpoint, the UI should
initialize its own Vue component and manage the authentication
asynchronously over API.

This is especially a requirement for the implementation of 2FA.

The following routes have also been merged/refactored:

- `POST /register` -> `POST /auth?type=register`
- `POST /login` -> `POST /auth?type=login`
- `POST /auth` -> `POST /auth?type=jwt`
2024-07-23 02:08:25 +02:00
c9a5c29a4a
🐛 A proper cross-version solution for the utcnow() issue.
No need to maintain two different pieces of logic - a `utcnow()` for
Python < 3.11 and `now(datetime.UTC)` for Python >= 3.11.

`datetime.timezone.utc` existed long before datetime.UTC and that's what
the `utcnow` facade should use.

This means that all the `utcnow()` will always have `tzinfo=UTC`
regardless of the Python version.

There's still a problem with the `utcnow()`-generated timestamps that
have been generated by previous versions of Python and stored on the db.

Therefore, when the code performs comparisons with timestamps fetched
from the db, it should always explicitly do a `.replace(tzinfo=utc)` to
ensure that we always compare offset-aware datetime representations.

See blog post for technical details:
https://manganiello.blog/wheres-my-time-again
2024-06-01 01:34:47 +02:00
4e82dd17bb
🐛 Partial revert of c18768e61f
`datetime.utcnow` may be deprecated on Python >= 3.12, but
`datetime.UTC` isn't present on older Python versions.

Added a `platypush.utils.utcnow()` method as a workaround compatible
with both.
2024-05-31 19:52:32 +02:00
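The cross-version `utcnow()` facade described in c9a5c29a4a and 4e82dd17bb, together with the `.replace(tzinfo=utc)` normalisation the first message calls for when comparing against naive timestamps written by older Python versions, as an added example. This is not platypush's own `platypush.utils.utcnow()`; the function names, the `from_db()` helper and the sample legacy row are assumptions made for the example.

```python
"""Added example (not platypush code): offset-aware utcnow() on any Python 3,
plus safe comparison with naive timestamps that an old datetime.utcnow()
stored in the database."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# datetime.timezone.utc exists since Python 3.2; datetime.UTC only since 3.11.
utc = timezone.utc


def utcnow() -> datetime:
    """Current time with tzinfo=UTC, regardless of the Python version."""
    return datetime.now(utc)


def from_db(ts: datetime) -> datetime:
    """Normalise a timestamp read from the db.

    Rows written by the deprecated datetime.utcnow() are naive
    (tzinfo=None) but were generated in UTC, so they are tagged as UTC
    rather than converted. Already-aware values pass through unchanged.
    """
    if ts.tzinfo is None:
        return ts.replace(tzinfo=utc)
    return ts


def is_expired(expires_at: datetime, now: Optional[datetime] = None) -> bool:
    """Compare a (possibly naive) db expiry against the aware current time."""
    now = utcnow() if now is None else now
    return from_db(expires_at) <= now


def naive_comparison_raises(expires_at: datetime) -> bool:
    """Show the failure the normalisation avoids: comparing a naive db value
    directly with the aware utcnow() raises TypeError."""
    try:
        expires_at <= utcnow()
    except TypeError:
        return True
    return False


# Constructed sample: a row as the old datetime.utcnow() would have stored it.
LEGACY_ROW = datetime(2024, 1, 1, 12, 0, 0)  # naive, but meant as UTC
```

The key detail is `replace(tzinfo=utc)` instead of `astimezone(utc)`: the stored value is already UTC wall-clock time, so it only needs the missing offset attached, not a conversion from local time.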
fa318882a5
Replaced deprecated usages of datetime.utcnow() with datetime.now(UTC). 2024-05-31 02:30:48 +02:00
901338e228
[#397] Replaced bcrypt dependency with native hashlib logic.
Closes: #397
2024-05-05 21:38:27 +02:00
440d70d9cf
LINT/format fixes. 2023-04-25 10:36:27 +02:00
c0dd91838b
Merge branch 'master' into 29-generic-entities-support 2022-11-21 22:13:47 +01:00
d95baac74e
Add user credentials on the encrypted JWT token.
Adding the credentials ensures that tokens associated with non-existing
users, or users with an invalid password, won't be accepted, even if
they were correctly encrypted using the host's keypair.

This adds an additional layer of security in case the host's keypair
gets compromised.
2022-11-21 13:16:09 +01:00
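The two checks described in the messages above (credentials embedded in the decrypted token must still match a current user; 2FA backup codes, per commit a11f17aa8f, only need to be verified, never read back, so a one-way hash is enough) are illustrated below in an added example. This is not platypush's own code: the token payload layout (`username`/`password` fields), the in-memory user table, and the use of salted PBKDF2 from `hashlib` as the hash function are assumptions made for the example. The RSA decryption of the token itself is out of scope here; the function starts from the already-decrypted payload.

```python
"""Added example (not platypush code): validate a decrypted token's embedded
credentials against the user store, and hash/consume 2FA backup codes."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed hashing scheme for this example: salted PBKDF2-HMAC-SHA256 from the
# standard library, standing in for whatever the project actually uses.
_ITERATIONS = 50_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' for a password or backup code."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Constant-time check of a secret against a stored hash string."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), _ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    username: str
    password_hash: str
    backup_code_hashes: List[str] = field(default_factory=list)


# Constructed user table for the example.
USERS: Dict[str, User] = {
    "alice": User("alice", hash_secret("correct horse")),
}


def validate_token_payload(payload: dict, users: Dict[str, User] = USERS) -> Optional[User]:
    """Accept a decrypted token only if its embedded credentials still match.

    The host keypair proves the token was minted by this host; the extra
    credentials check rejects tokens for users that no longer exist or whose
    password has since changed, so a leaked keypair alone is not enough.
    """
    user = users.get(payload.get("username", ""))
    if user is None:
        return None
    if not verify_secret(payload.get("password", ""), user.password_hash):
        return None
    return user


def add_backup_codes(user: User, n: int = 5) -> List[str]:
    """Generate n single-use codes; only their hashes are stored."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    user.backup_code_hashes = [hash_secret(c) for c in codes]
    return codes  # shown to the user once, never recoverable from storage


def consume_backup_code(user: User, code: str) -> bool:
    """Verify a backup code and burn it, so each code works exactly once."""
    for i, stored in enumerate(user.backup_code_hashes):
        if verify_secret(code, stored):
            del user.backup_code_hashes[i]
            return True
    return False
```

Because backup codes are only ever compared, hashing them (rather than encrypting with the host's RSA key) means a database dump or a compromised keypair yields nothing usable, which is the point made in commit a11f17aa8f.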
ba1681fc22
Merge branch 'master' into 29-generic-entities-support 2022-11-21 12:36:01 +01:00
a2c8e27bd8
Removed PyJWT dependency.
PyJWT is a very brittle and cumbersome dependency that expects several
cryptography libraries to be already installed on the system, and it can
lead to hard-to-debug errors when ported to different systems.

Moreover, it installs the whole `cryptography` package, which is several
MBs in size, takes time to compile, and it requires a Rust compiler to
be present on the target machine.

Platypush will now use the Python-native `rsa` module to handle JWT
tokens.
2022-11-21 12:30:38 +01:00
ae17a12c12
FIX: UserManager.get_users
`UserManager.get_users` should not return a reference to the query
object, since the query object will be invalidated as soon as the
connection is closed.

Instead, it should return directly the list of `User` objects.
2022-11-21 00:57:00 +01:00
69e097707d
Don't lock read session from the main database 2022-11-12 16:10:57 +01:00
86edd70d93
Fixed session/concurrency management on the main SQLite db
- The `declarative_base` instance should be shared
- Database `session_locks` should be stored at module, not instance
  level
- Better isolation of scoped sessions
- Encapsulated `get_session` method in `UserManager`
2022-11-12 15:36:17 +01:00
6b7933cd33
Using a different SQLite database for entities
This prevents multiprocessing/concurrency issues when modifying the same
database file both from the main process and from the web server process
2022-11-12 02:00:55 +01:00
3fc94181b7
LINT fixes 2022-11-11 22:02:36 +01:00
8a70f1d38e
Replaced deprecated sqlalchemy.ext.declarative with sqlalchemy.orm 2022-04-05 22:47:44 +02:00
4ee7e4db29
Basic support for entities on the local db and implemented support for switch entities on the tplink plugin 2022-04-04 16:50:17 +02:00
1a314ffd6b
Fixed LGTM errors and warnings 2021-09-17 22:21:29 +02:00
3bfc5b83ef
Moved to manifest files for describing plugins and backends and their dependencies 2021-09-16 17:53:40 +02:00
87b70716c1
Logic for supporting JWT tokens both as bytes and strings [closes #197] 2021-08-24 22:55:42 +02:00
2a78f81a7b
Major LINT fixes 2021-04-05 00:58:44 +02:00
570f1d0cf6
Passing expire_on_commit=False on sessionmaker() [see #181]
Accessing db objects outside of their session seems to fail on SQLAlchemy >= 1.4
with an `Instance <x> is not bound to a Session` error.

Setting expire_on_commit=False on the session seems to somehow fix the issue
(see https://stackoverflow.com/questions/3039567/sqlalchemy-detachedinstanceerror-with-regular-attribute-not-a-relation)
2021-03-25 20:30:51 +01:00
748609c6f4
Migrated settings panel and logout button 2021-02-15 23:09:27 +01:00
b3c28f6773
Added support for JWT token-based authentication 2021-02-12 22:43:34 +01:00
Fabio Manganiello
f86e2eb5a7
Implemented settings page and finalized multi-user support 2019-07-19 00:50:52 +02:00
Fabio Manganiello
1c1ecc18df
Support for multi-users and authentication for HTTP pages 2019-07-15 14:12:00 +02:00