caravancoop / rest-framework-auth-toolkit


:closed_lock_with_key: Simple + flexible signup and login for Django APIs

Home Page: https://pypi.org/project/Rest-Framework-Auth-Toolkit/

License: MIT License

Python 98.73% HTML 1.27%

rest-framework-auth-toolkit's People

Contributors

crevetor, dependabot-preview[bot], dependabot[bot], julienlabonte, merwok

Forkers

mathieuhentges

rest-framework-auth-toolkit's Issues

Fix facebook login

GraphAPI changed and the get_extended_access_token call now returns a tuple instead of a string. Storing the tuple in a CharField works 🤷‍♂️

Add logging

Important operations should log messages:

  • user signup
  • send confirmation email
  • confirm email address

Debug logs are useful for troubleshooting:

  • authentication failure
  • authentication success
  • error with confirmation token

Implementation: stdlib logging is the most generic, but structlog is IMO a much better way (combined with smart log collectors rather than infinite flat files).

Add forgot password flow

  • API endpoint that sends an email
  • see #38 for details about the link / code in the email
  • API endpoint to receive the frontend request (with token from link or code + new password), update the model and return ok

Rework model to separate user, account and identity

Rework the model to make a distinction between account (representing a person using the website or app) and identity (login information such as email/password, facebook token, google login token, client-generated opaque token for a login-less phone app).

Rename BaseUser to BaseAccount. Projects can override it to add required fields, handle multi-tenancy with an Organization or Team concept, etc. An account is linked to 0 or more identities.

Move email/password fields to EmailIdentity model and table. Add another identity model for facebook fields (#14). Each identity provider has its authentication backend to check credentials and return a token. Account admin can have an inline class for each identity model.

Subclasses of BaseAccount work as custom user model. It is really useful to integrate with everything that needs request.user.

Active sessions (#9) can have foreign key to account and generic foreign key to identity models.

In another ticket: add BaseAdminAccount, a proxy subclass with base admin (filter querysets on is_staff=True, hide is_staff in admin forms, etc). Now admin separates clearly the user accounts (can log into the site with various identities, have custom data, etc.) and the administrators (all privileges, must log with email, no app-custom data, careful zone). And it is still possible to provide automatic app access if you have an admin account with a custom identity class!

Add functional tests using webtest and demo app

In the demo app, have two sets of requirements files + urls1.py/urls2.py to be compatible with Django 1.11 and 2.x (or conditionals?) + compatible with Python 3 / 2.7.

Add functional tests with django-webtest and pytest-django that load the app and send requests.

Set up tox to run functional tests with different Django versions.

Centralize default values for settings

Follow the pattern of rest_framework and other libs where all settings and their default values are in one module.

collections.ChainMap is a nice helper to implement this.

Things missing for easier integration

  1. serializers should normalize email (with user manager method)
  2. signup should call create_user with **validated_data to support extra deserialized fields
  3. login view should send user_logged_in signal
  4. default handler for user_logged_in should update and save user.last_login
  5. provide token authentication class
  6. logout view calls token.revoke which does not exist on the base token class

Dependabot can't resolve your Python dependency files

Dependabot can't resolve your Python dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

Could not find a version that satisfies the requirement django==2.1.6 (from versions: 1.1.3, 1.1.4, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.6, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.8a1, 1.8b1, 1.8b2, 1.8rc1, 1.8, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.9a1, 1.9b1, 1.9rc1, 1.9rc2, 1.9, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.10a1, 1.10b1, 1.10rc1, 1.10, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.11a1, 1.11b1, 1.11rc1, 1.11, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12, 1.11.13, 1.11.14, 1.11.15, 1.11.16, 1.11.17, 1.11.18, 1.11.20, 2.0a1, 2.0b1, 2.0rc1, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.12, 2.0.13, 2.1a1, 2.1b1, 2.1rc1, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.7, 2.2a1, 2.2b1)
pip._internal.exceptions.DistributionNotFound: No matching distribution found for django==2.1.6

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

You can mention @dependabot in the comments below to contact the Dependabot team.

Rename project

Current project name is long, not identical to the import name, and not superbly indexed on PyPI.

Rename to django-rest-authkit and django_rest_authkit

Add django checks to detect misconfiguration

This lib is a toolkit with optional features, but when some feature is enabled it requires some settings. We should use the django checks subsystem to issue warnings.

We could do it using AppConfig.ready: https://github.com/fabiocaccamo/django-admin-interface/blob/master/admin_interface/settings.py
or use the django checks subsystem that is used by manage.py check and manage.py runserver: https://docs.djangoproject.com/en/2.1/topics/checks/
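One way to combine the two ideas above (a single module of defaults layered with collections.ChainMap, and a check that reports misconfiguration the way Django's system checks would). This is an added example, not the toolkit's code: the setting names come from the issues on this page, the REQUIRED sentinel and the function names are assumptions, and the check is a plain function rather than one registered with Django's checks framework.

```python
from collections import ChainMap

# Sentinel for a setting that has no safe default (assumed here, not in the toolkit).
REQUIRED = object()


class MissingSetting(Exception):
    """An enabled feature needs a setting that the project never provided."""


# Every setting the toolkit knows, with its default, in one place.
DEFAULTS = {
    "email_confirmation_send_email": True,
    "email_confirmation_class": REQUIRED,
}


def build_settings(project_settings):
    """Layer the project's overrides over DEFAULTS without copying either dict."""
    return ChainMap(project_settings, DEFAULTS)


def get_setting(settings, name):
    """Look up one setting; unknown names and unset required ones fail loudly."""
    if name not in DEFAULTS:
        raise KeyError(f"unknown setting {name!r}")
    value = settings[name]
    if value is REQUIRED:
        raise MissingSetting(name)
    return value


def check_settings(settings):
    """Return warning strings about the configuration (run at startup)."""
    problems = []
    # ChainMap silently ignores a misspelled key and falls back to the default,
    # so a typo would quietly disable a feature; report unknown keys.
    for name in settings.maps[0]:
        if name not in DEFAULTS:
            problems.append(f"unknown setting {name!r}; check the spelling")
    # Feature enabled but the setting it depends on was never provided.
    if (settings["email_confirmation_send_email"]
            and settings["email_confirmation_class"] is REQUIRED):
        problems.append("email_confirmation_send_email is on but "
                        "email_confirmation_class is not set")
    return problems
```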

Rework email confirmation

Issues in current email confirmation code:

    if self.email_confirmation_class is None:
        raise MissingSetting('email_confirmation_string')
    confirmation = self.email_confirmation_class.objects.create(user=user)
    if get_setting('email_confirmation_send_email', True):
        email_field = user.get_email_field_name()
        send_email(request, user, getattr(user, email_field), confirmation)

  1. Email confirmation should be optional (for projects that want to accept signups immediately, or validate the email with other methods). At the moment there is a setting for this, but a test fails if no EmailConfirmation class is defined (caused by #11).

  2. For projects where the website (JS dynamic site) and the API have separate domain names, we can’t use routes and reverse to create the URL in the email; another function should be used to generate frontend URL (example below).

  3. Provide an API view to receive the confirmation token sent by the frontend.

  4. If confirmation fails, the user can’t sign up again with the same address. We could change signup to use get_or_create; add an endpoint to re-send the email; punt until #19 is solved; something else.
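An added example (not the toolkit's code) for points 2 and 3 above and for the forgot-password flow in the earlier issue: a self-describing, HMAC-signed token that the email link carries to the frontend domain, which then sends it to an API endpoint for verification. The secret, the FRONTEND_BASE_URL setting and the function names are assumptions; the purpose string keeps a confirmation token from being accepted by the password-reset endpoint.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlencode, urljoin

SECRET = b"constructed-demo-secret-do-not-use"   # constructed; use the project's secret key
FRONTEND_BASE_URL = "https://app.example.com/"     # hypothetical setting for the JS site
MAX_AGE = 3 * 24 * 3600                            # tokens expire after three days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(purpose: str, user_id: int, issued_at: int) -> bytes:
    msg = f"{purpose}:{user_id}:{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def make_token(user_id: int, purpose: str = "confirm-email", now=None) -> str:
    """Token = user id, issue time and a signature over both plus the purpose."""
    issued_at = int(now if now is not None else time.time())
    return f"{user_id}.{issued_at}.{_b64(_sign(purpose, user_id, issued_at))}"


def verify_token(token: str, purpose: str = "confirm-email", now=None,
                 max_age: int = MAX_AGE):
    """Return the user id if the token is valid, else None (one generic failure)."""
    try:
        uid_s, ts_s, sig_s = token.split(".")
        user_id, issued_at = int(uid_s), int(ts_s)
    except ValueError:
        return None
    expected = _b64(_sign(purpose, user_id, issued_at))
    if not hmac.compare_digest(expected, sig_s):   # constant-time comparison
        return None
    current = now if now is not None else time.time()
    if current - issued_at > max_age or issued_at > current + 60:
        return None                                # expired or from the future
    return user_id


def frontend_confirm_url(user_id: int, now=None) -> str:
    """Build the email link without reverse(): the page lives on the frontend
    domain, which POSTs the token to the API's confirmation view."""
    query = urlencode({"token": make_token(user_id, now=now)})
    return urljoin(FRONTEND_BASE_URL, "confirm-email?" + query)
```

The forgot-password endpoint would call make_token(user_id, purpose="reset-password") and verify with the same purpose, so a leaked confirmation link cannot be replayed to set a new password.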

Add facebook login

Add BaseFacebookUser, subclass of BaseEmailUser.

Make sure updating from class User(BaseEmailUser) to class User(BaseFacebookUser) is painless.

Make facepy dependency optional with extras.

django 2 compatibility

It'd be cool to check if it's completely compatible with django 2 and if so, bump the package dependency.

Add sessions (active tokens) management

  • Store user-agent, client IP, last login time (last usage time?)
  • Basic API view for active sessions (= active tokens)
  • DELETE view to expire a session
  • HTML example in demo
  • Fix issue in get or create facebook user (should try to get by facebook_id first in case the demo user email is now different from the fb email)

Add google login

Log in with a google account.

Ability to restrict to specific email domains.

Check if generic OAuth2 provider is sufficient, or something specific to google is needed (i.e. like the facebook provider is specific to facebook because it uses fb API to get user info).

Needs #30
