Feature/login

.gitignore

@@ -143,6 +143,9 @@ dmypy.json
 # Pyre type checker
 .pyre/
 
+
+# register stuff
+run.txt
 # VScode
 .vscode/
 app/.vscode/

README.md

@@ -35,6 +35,8 @@ virtualenv env
 pip install -r requirements.txt
 # Copy app\config.py.example to app\config.py.
 # Edit the variables' values.
+# Rendering JWT_KEY:
+python -c "import secrets; from pathlib import Path; f = Path('app/config.py'); f.write_text(f.read_text().replace('JWT_KEY_PLACEHOLDER', secrets.token_hex(32), 1));"
 uvicorn app.main:app --reload
 ```
 
@@ -45,12 +47,8 @@ source venv/bin/activate
 pip install -r requirements.txt
 cp app/config.py.example app/config.py
 # Edit the variables' values.
-uvicorn app.main:app --reload
-```
-### Running tests
-```shell
-python -m pytest --cov-report term-missing --cov=app tests
-```
+# Rendering JWT_KEY:
+python -c "import secrets; from pathlib import Path; f = Path('app/config.py'); f.write_text(f.read_text().replace('JWT_KEY_PLACEHOLDER', secrets.token_hex(32), 1));"
 
 ## Contributing
 View [contributing guidelines](https://github.com/PythonFreeCourse/calendar/blob/master/CONTRIBUTING.md).

app/config.py.example

@@ -52,6 +52,11 @@ email_conf = ConnectionConfig(
     USE_CREDENTIALS=True,
 )
 
+
+# security
+JWT_KEY = "JWT_KEY_PLACEHOLDER"
+JWT_ALGORITHM = "HS256"
+JWT_MIN_EXP = 60 * 24 * 7
 templates = Jinja2Templates(directory=os.path.join("app", "templates"))
 
 # application name

app/database/models.py

@@ -46,6 +46,12 @@ class User(Base):
     def __repr__(self):
         return f'<User {self.id}>'
 
+    @staticmethod
+    async def get_by_username(db: Session, username: str) -> User:
+        """query database for a user by unique username"""
+        return db.query(User).filter(
+            User.username == username).first()
+
 
 class Event(Base):
     __tablename__ = "events"

app/database/schemas.py

@@ -0,0 +1,90 @@
+from typing import Optional, Union
+from pydantic import BaseModel, validator, EmailStr, EmailError
+
+
+EMPTY_FIELD_STRING = 'field is required'
+MIN_FIELD_LENGTH = 3
+MAX_FIELD_LENGTH = 20
+
+
+def fields_not_empty(field: Optional[str]) -> Union[ValueError, str]:
+    """Global function to validate fields are not empty."""
+    if not field:
+        raise ValueError(EMPTY_FIELD_STRING)
+    return field
+
+
+class UserBase(BaseModel):
+    """
+    Validating fields types
+    Returns a User object without sensitive information
+    """
+    username: str
+    email: str
+    full_name: str
+    description: Optional[str] = None
+
+    class Config:
+        orm_mode = True
+
+
+class UserCreate(UserBase):
+    """Validating fields types"""
+    password: str
+    confirm_password: str
+
+    """
+    Calling to field_not_empty validaion function,
+    for each required field.
+    """
+    _fields_not_empty_username = validator(
+        'username', allow_reuse=True)(fields_not_empty)
+    _fields_not_empty_full_name = validator(
+        'full_name', allow_reuse=True)(fields_not_empty)
+    _fields_not_empty_password = validator(
+        'password', allow_reuse=True)(fields_not_empty)
+    _fields_not_empty_confirm_password = validator(
+        'confirm_password', allow_reuse=True)(fields_not_empty)
+    _fields_not_empty_email = validator(
+        'email', allow_reuse=True)(fields_not_empty)
+
+    @validator('confirm_password')
+    def passwords_match(
+            cls, confirm_password: str,
+            values: UserBase) -> Union[ValueError, str]:
+        """Validating passwords fields identical."""
+        if 'password' in values and confirm_password != values['password']:
+            raise ValueError("doesn't match to password")
+        return confirm_password
+
+    @validator('username')
+    def username_length(cls, username: str) -> Union[ValueError, str]:
+        """Validating username length is legal"""
+        if not (MIN_FIELD_LENGTH < len(username) < MAX_FIELD_LENGTH):
+            raise ValueError("must contain between 3 to 20 charactars")
+        return username
+
+    @validator('password')
+    def password_length(cls, password: str) -> Union[ValueError, str]:
+        """Validating username length is legal"""
+        if not (MIN_FIELD_LENGTH < len(password) < MAX_FIELD_LENGTH):
+            raise ValueError("must contain between 3 to 20 charactars")
+        return password
+
+    @validator('email')
+    def confirm_mail(cls, email: str) -> Union[ValueError, str]:
+        """Validating email is valid mail address."""
+        try:
+            EmailStr.validate(email)
+            return email
+        except EmailError:
+            raise ValueError("address is not valid")
+
+
+class User(UserBase):
+    """
+    Validating fields types
+    Returns a User object without sensitive information
+    """
+    id: int
+    is_active: bool

app/internal/security/dependancies.py

@@ -0,0 +1,66 @@
+from typing import Union
+
+from app.dependencies import get_db
+from app.database.models import User
+from app.internal.security.ouath2 import (
+    Depends, Session, check_jwt_token,
+    get_authorization_cookie, HTTP_401_UNAUTHORIZED,
+    HTTPException)
+from starlette.requests import Request
+
+
+async def get_user(
+        db: Session, user_id: int, username: str, path: str) -> User:
+    '''
+    Helper for dependency functions.
+    Recives user details from decrypted jwt token,
+    and check them against the database.
+    returns User base model instance if succeeded,
+    raises HTTPException if fails.
+    '''
+    db_user = await User.get_by_username(db, username=username)
+    if db_user and db_user.id == user_id:
+        return db_user
+    else:
+        raise HTTPException(
+                status_code=HTTP_401_UNAUTHORIZED,
+                headers=path,
+                detail="Your token is incorrect. Please log in again")
+
+
+async def is_logged_in(
+    request: Request, db: Session = Depends(get_db),
+        jwt: str = Depends(get_authorization_cookie)) -> bool:
+    """
+    A dependency function protecting routes for only logged in user
+    """
+    await check_jwt_token(db, jwt)
+    return True
+
+
+async def logged_in_user(
+    request: Request,
+        db: Session = Depends(get_db),
+        jwt: str = Depends(get_authorization_cookie)) -> User:
+    """
+    A dependency function protecting routes for only logged in user.
+    Returns logged in User object.
+    """
+    username, user_id = await check_jwt_token(db, jwt)
+    return await get_user(db, user_id, username, request.url.path)
+
+
+async def optional_logged_in_user(
+    request: Request,
+        db: Session = Depends(get_db)) -> Union[User, type(None)]:
+    """
+    A dependency function.
+    Returns logged in User object if exists.
+    None if not.
+    """
+    if 'Authorization' in request.cookies:
+        jwt = request.cookies['Authorization']
+    else:
+        return None
+    username, user_id = await check_jwt_token(db, jwt)
+    return await get_user(db, user_id, username, request.url.path)

app/internal/security/ouath2.py

@@ -0,0 +1,112 @@
+from datetime import datetime, timedelta
+from typing import Union
+
+from app.config import JWT_ALGORITHM, JWT_KEY, JWT_MIN_EXP
+from app.database.models import User
+from passlib.context import CryptContext
+from fastapi import Depends, HTTPException
+from fastapi.security import OAuth2PasswordBearer
+import jwt
+from jwt.exceptions import InvalidSignatureError
+from sqlalchemy.orm import Session
+from starlette.requests import Request
+from starlette.responses import RedirectResponse
+from starlette.status import HTTP_401_UNAUTHORIZED
+from . import schema
+
+
+pwd_context = CryptContext(schemes=["bcrypt"])
+oauth_schema = OAuth2PasswordBearer(tokenUrl="/login")
+
+
+def get_hashed_password(password: str) -> str:
+    """Hashing user password"""
+    return pwd_context.hash(password)
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verifying password and hashed password are equal"""
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+async def authenticate_user(
+        db: Session, new_user: schema.LoginUser
+            ) -> Union[schema.LoginUser, bool]:
+    """Verifying user is in database and password is correct"""
+    db_user = await User.get_by_username(db=db, username=new_user.username)
+    if db_user and verify_password(new_user.password, db_user.password):
+        return schema.LoginUser(
+            user_id=db_user.id,
+            username=new_user.username, password=db_user.password)
+    return False
+
+
+def create_jwt_token(
+        user: schema.LoginUser, jwt_min_exp: int = JWT_MIN_EXP,
+        jwt_key: str = JWT_KEY) -> str:
+    """Creating jwt-token out of user unique data"""
+    expiration = datetime.utcnow() + timedelta(minutes=jwt_min_exp)
+    jwt_payload = {
+        "sub": user.username,
+        "user_id": user.user_id,
+        "exp": expiration}
+    jwt_token = jwt.encode(
+        jwt_payload, jwt_key, algorithm=JWT_ALGORITHM)
+    return jwt_token
+
+
+async def check_jwt_token(
+    db: Session,
+        token: str = Depends(oauth_schema), path: bool = None) -> User:
+    """
+    Check whether JWT token is correct.
+    Returns jwt payloads if correct.
+    Raises HTTPException if fails to decode.
+    """
+    try:
+        jwt_payload = jwt.decode(
+            token, JWT_KEY, algorithms=JWT_ALGORITHM)
+        return jwt_payload.get("sub"), jwt_payload.get("user_id")
+    except InvalidSignatureError:
+        raise HTTPException(
+                status_code=HTTP_401_UNAUTHORIZED,
+                headers=path,
+                detail="Your token is incorrect. Please log in again")
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(
+            status_code=HTTP_401_UNAUTHORIZED,
+            headers=path,
+            detail="Your token has expired. Please log in again")
+    except jwt.DecodeError:
+        raise HTTPException(
+            status_code=HTTP_401_UNAUTHORIZED,
+            headers=path,
+            detail="Your token is incorrect. Please log in again")
+
+
+async def get_authorization_cookie(request: Request) -> str:
+    """
+    Extracts jwt from HTTPONLY cookie, if exists.
+    Raises HTTPException if not.
+    """
+    if 'Authorization' in request.cookies:
+        return request.cookies['Authorization']
+    raise HTTPException(
+        status_code=HTTP_401_UNAUTHORIZED,
+        headers=request.url.path,
+        detail="Please log in to enter this page")
+
+
+async def auth_exception_handler(
+        request: Request,
+        exc: HTTP_401_UNAUTHORIZED) -> RedirectResponse:
+    """
+    Whenever HTTP_401_UNAUTHORIZED is raised,
+    redirecting to login route, with original requested url,
+    and details for why original request failed.
+    """
+    paramas = f"?next={exc.headers}&message={exc.detail}"
+    url = f"/login{paramas}"
+    response = RedirectResponse(url=url)
+    response.delete_cookie('Authorization')
+    return response

app/internal/security/schema.py

@@ -0,0 +1,16 @@
+from typing import Optional
+
+from pydantic import BaseModel
+
+
+class LoginUser(BaseModel):
+    """
+    Validating fields types
+    Returns a User object for signing in.
+    """
+    user_id: Optional[int]
+    username: str
+    password: str
+
+    class Config:
+        orm_mode = True

app/main.py

@@ -1,13 +1,14 @@
-from fastapi import Depends, FastAPI, Request
-from fastapi.staticfiles import StaticFiles
-from sqlalchemy.orm import Session
-
 from app import config
 from app.database import engine, models
 from app.dependencies import get_db, logger, MEDIA_PATH, STATIC_PATH, templates
 from app.internal import daily_quotes, json_data_loader
 from app.internal.languages import set_ui_language
+from app.internal.security.ouath2 import auth_exception_handler
 from app.routers.salary import routes as salary
+from fastapi import Depends, FastAPI, Request
+from fastapi.staticfiles import StaticFiles
+from starlette.status import HTTP_401_UNAUTHORIZED
+from sqlalchemy.orm import Session
 
 
 def create_tables(engine, psql_environment):
@@ -28,12 +29,16 @@ def create_tables(engine, psql_environment):
 app.mount("/media", StaticFiles(directory=MEDIA_PATH), name="media")
 app.logger = logger
 
+app.add_exception_handler(HTTP_401_UNAUTHORIZED, auth_exception_handler)
+
+json_data_loader.load_to_db(next(get_db()))
 # This MUST come before the app.routers imports.
 set_ui_language()
 
 from app.routers import (  # noqa: E402
     agenda, calendar, categories, celebrity, currency, dayview,
-    email, event, invitation, profile, search, telegram, whatsapp
+    email, event, invitation, login, logout, profile, register,
+    search, telegram, whatsapp
 )
 
 json_data_loader.load_to_db(next(get_db()))
@@ -48,7 +53,10 @@ def create_tables(engine, psql_environment):
     email.router,
     event.router,
     invitation.router,
+    login.router,
+    logout.router,
     profile.router,
+    register.router,
     salary.router,
     search.router,
     telegram.router,