chore: refactor, update dependency

Author: mutantsan

README.md

@@ -11,6 +11,8 @@ There are two methods of 2FA available:
 
 ## Requirements
 
+Python 3.11+
+
 This extension uses __Redis__, so it must be configured for CKAN.
 
 Compatibility with core CKAN versions:
@@ -29,61 +31,31 @@ and I'll help you with that.
 To install ckanext-auth:
 
 1. Activate your CKAN virtual environment, for example:
-
-        . /usr/lib/ckan/default/bin/activate
-
+```sh
+. /usr/lib/ckan/default/bin/activate
+```
 2. Clone the source and install it on the virtualenv
-
-        git clone https://github.com/DataShades/ckanext-auth.git
-        cd ckanext-auth
-        pip install -e .
-        pip install -r requirements.txt
-
+```sh
+git clone https://github.com/DataShades/ckanext-auth.git
+cd ckanext-auth
+pip install -e .
+```
 3. Add `auth` to the `ckan.plugins` setting in your CKAN
    config file (by default the config file is located at
    `/etc/ckan/default/ckan.ini`).
 
 4. Apply database migrations:
-
-        ckan db pending-migrations --apply
-
+```
+ckan db upgrade
+```
 5. Restart CKAN. For example if you've deployed CKAN with Apache on Ubuntu:
-
-        sudo service apache2 reload
-
+```
+sudo service apache2 reload
+```
 
 ## Config settings
 
-There are several configuration settings available for this extension:
-
-    - key: ckanext.auth.2fa_enabled
-      default: true
-      type: bool
-      description: Enable two-factor authentication for users
-
-    - key: ckanext.auth.2fa_method
-      default: email
-      description: The method to use for two-factor authentication. Options are email or authenticator.
-
-    - key: ckanext.auth.2fa_email_interval
-      default: 600
-      type: int
-      description: TTL for the authentication code sent via email in seconds. Default is 10 minutes.
-
-    - key: ckanext.auth.2fa_login_timeout
-      default: 900
-      type: int
-      description: Login timeout in seconds after N failed attempted. Default is 15 minutes.
-
-    - key: ckanext.auth.2fa_login_max_attempts
-      default: 10
-      type: int
-      description: Number of failed login attempts before the login timeout is triggered.
-
-    - key: ckanext.auth.2fa_dev_mode
-      default: false
-      type: bool
-      description: Enables Dev Mode. When enabled, it shows the actual code next to the code input. This is useful when your environment does not have SMTP configured.
+There are several configuration settings available for this extension. Check the config [declaration file](./ckanext/auth/config_declaration.yaml).
 
 If you have the [ckanext-admin-panel](https://github.com/DataShades/ckanext-admin-panel) installed, the configuration settings will be available in the admin panel too.
 
@@ -94,9 +66,9 @@ If you have the [ckanext-admin-panel](https://github.com/DataShades/ckanext-admi
 ## Tests
 
 To run the tests, do:
-
-    pytest --ckan-ini=test.ini
-
+```sh
+pytest --ckan-ini=test.ini
+```
 
 ## License
 

ckanext/__init__.py

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 # this is a namespace package
 try:
     import pkg_resources

ckanext/auth/cli.py

@@ -4,7 +4,7 @@
 
 import click
 
-from ckanext.auth import utils, model
+from ckanext.auth import model, utils
 
 logger = logging.getLogger(__name__)
 
@@ -20,24 +20,24 @@ def auth():
 
 @auth.command()
 @click.argument("username")
-def reset_secret(username):
+def reset_secret(username: str) -> None:
     utils.regenerate_user_secret(username)
 
 
 @auth.command()
 @click.argument("username")
-def unblock_user(username):
+def unblock_user(username: str) -> None:
     utils.LoginManager.reset_for_user(username)
 
 
 @auth.command()
-def unblock_all():
+def unblock_all() -> None:
     utils.LoginManager.reset_all()
 
 
 @auth.command()
 @click.argument("username")
-def get_code(username):
+def get_code(username: str) -> None:
     secret = model.UserSecret.get_for_user(username)
 
     if not secret:

ckanext/auth/exceptions.py

@@ -1,4 +1,2 @@
-class ReplayAttackException(Exception):
-    """Raised when a replay attack is detected"""
-
-    pass
+class ReplayAttackError(Exception):
+    """Raised when a replay attack is detected."""

ckanext/auth/logic/action.py

@@ -3,16 +3,14 @@
 import logging
 from typing import TypedDict
 
-import ckan.model as model
 import ckan.plugins.toolkit as tk
-from ckan import types
+from ckan import model, types
+from ckan.lib import captcha
 from ckan.logic import validate
-import ckan.lib.captcha as captcha
 
-import ckanext.auth.exceptions as exceptions
-import ckanext.auth.utils as utils
 import ckanext.auth.config as auth_config
-import ckanext.auth.logic.schema as schema
+from ckanext.auth import exceptions, utils
+from ckanext.auth.logic import schema
 from ckanext.auth.model import UserSecret
 
 log = logging.getLogger(__name__)
@@ -26,7 +24,8 @@ class LoginResponse(TypedDict, total=False):
 
 @validate(schema.auth_2fa_user_login)
 def auth_2fa_user_login(
-    context: types.Context, data_dict: types.DataDict
+    context: types.Context,
+    data_dict: types.DataDict,
 ) -> LoginResponse:
     tk.check_access("auth_2fa_user_login", context, data_dict)
 
@@ -45,7 +44,7 @@ def auth_2fa_user_login(
 
     try:
         success = user_secret.check_code(data_dict["code"])
-    except exceptions.ReplayAttackException:
+    except exceptions.ReplayAttackError:
         return LoginResponse(
             success=False,
             error="The verification code has expired",
@@ -61,7 +60,8 @@ def auth_2fa_user_login(
 
 @validate(schema.auth_2fa_user_login)
 def auth_2fa_check_credentials(
-    context: types.Context, data_dict: types.DataDict
+    context: types.Context,
+    data_dict: types.DataDict,
 ) -> LoginResponse:
     tk.check_access("auth_2fa_user_login", context, data_dict)
 
@@ -88,14 +88,10 @@ def auth_2fa_check_credentials(
         ):
             utils.LoginManager.block_user_login(data_dict["login"])
 
-        return LoginResponse(
-            success=False, error=tk._("Invalid login or password")
-        )
+        return LoginResponse(success=False, error=tk._("Invalid login or password"))
 
     if utils.LoginManager.is_login_blocked(data_dict["login"]):
         log.info("2FA: User %s is blocked from logging in", data_dict["login"])
-        return LoginResponse(
-            success=False, error=tk._("Too many login attempts")
-        )
+        return LoginResponse(success=False, error=tk._("Too many login attempts"))
 
     return LoginResponse(success=True, error=None)

ckanext/auth/migration/auth/env.py

@@ -1,11 +1,8 @@
-# -*- coding: utf-8 -*-
+import os
+from logging.config import fileConfig
 
-from __future__ import with_statement
 from alembic import context
 from sqlalchemy import engine_from_config, pool
-from logging.config import fileConfig
-
-import os
 
 # this is the Alembic Config object, which provides
 # access to the values within the .ini file in use.
@@ -41,13 +38,12 @@ def run_migrations_offline():
     script output.
 
     """
-
     url = config.get_main_option("sqlalchemy.url")
     context.configure(
         url=url,
         target_metadata=target_metadata,
         literal_binds=True,
-        version_table="{}_alembic_version".format(name),
+        version_table=f"{name}_alembic_version",
     )
 
     with context.begin_transaction():
@@ -71,7 +67,7 @@ def run_migrations_online():
         context.configure(
             connection=connection,
             target_metadata=target_metadata,
-            version_table="{}_alembic_version".format(name),
+            version_table=f"{name}_alembic_version",
         )
 
         with context.begin_transaction():

ckanext/auth/migration/auth/versions/7917e1c52a37_init_2fa_user_totp_table.py

@@ -1,14 +1,13 @@
-"""Init 2fa_user_totp table
+"""Init 2fa_user_totp table.
 
 Revision ID: 7917e1c52a37
 Revises:
 Create Date: 2024-08-01 15:38:57.177385
 
 """
 
-from alembic import op
 import sqlalchemy as sa
-
+from alembic import op
 
 # revision identifiers, used by Alembic.
 revision = "7917e1c52a37"