Source code for django_otp.models

from datetime import timedelta
import enum

from django.apps import apps
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.db import models
from django.utils import timezone
from django.utils.functional import cached_property

from .util import random_number_token


[docs] class DeviceManager(models.Manager): """ The :class:`~django.db.models.Manager` object installed as ``Device.objects``. """
[docs] def devices_for_user(self, user, confirmed=None): """ Returns a queryset for all devices of this class that belong to the given user. :param user: The user. :type user: :class:`~django.contrib.auth.models.User` :param confirmed: If ``None``, all matching devices are returned. Otherwise, this can be any true or false value to limit the query to confirmed or unconfirmed devices, respectively. """ devices = self.model.objects.filter(user=user) if confirmed is not None: devices = devices.filter(confirmed=bool(confirmed)) return devices
[docs] class Device(models.Model): """ Abstract base model for a :term:`device` attached to a user. Plugins must subclass this to define their OTP models. .. _unsaved_device_warning: .. warning:: OTP devices are inherently stateful. For example, verifying a token is logically a mutating operation on the device, which may involve incrementing a counter or otherwise consuming a token. A device must be committed to the database before it can be used in any way. .. attribute:: user *ForeignKey*: Foreign key to your user model, as configured by :setting:`AUTH_USER_MODEL` (:class:`~django.contrib.auth.models.User` by default). .. attribute:: name *CharField*: A human-readable name to help the user identify their devices. .. attribute:: confirmed *BooleanField*: A boolean value that tells us whether this device has been confirmed as valid. It defaults to ``True``, but subclasses or individual deployments can force it to ``False`` if they wish to create a device and then ask the user for confirmation. As a rule, built-in APIs that enumerate devices will only include those that are confirmed. .. attribute:: objects A :class:`~django_otp.models.DeviceManager`. """ user = models.ForeignKey( getattr(settings, 'AUTH_USER_MODEL', 'auth.User'), help_text="The user that this device belongs to.", on_delete=models.CASCADE, ) name = models.CharField( max_length=64, help_text="The human-readable name of this device." ) confirmed = models.BooleanField( default=True, help_text="Is this device ready for use?" ) objects = DeviceManager() class Meta: abstract = True def __str__(self): try: user = self.user except ObjectDoesNotExist: user = None return "{0} ({1})".format(self.name, user) @property def persistent_id(self): """ A stable device identifier for forms and APIs. """ return '{0}/{1}'.format(self.model_label(), self.id) @classmethod def model_label(cls): """ Returns an identifier for this Django model class. This is just the standard "<app_label>.<model_name>" form. """ return '{0}.{1}'.format(cls._meta.app_label, cls._meta.model_name)
[docs] @classmethod def from_persistent_id(cls, persistent_id, for_verify=False): """ Loads a device from its persistent id:: device == Device.from_persistent_id(device.persistent_id) :param bool for_verify: If ``True``, we'll load the device with :meth:`~django.db.models.query.QuerySet.select_for_update` to prevent concurrent verifications from succeeding. In which case, this must be called inside a transaction. """ device = None try: model_label, device_id = persistent_id.rsplit('/', 1) app_label, model_name = model_label.split('.') device_cls = apps.get_model(app_label, model_name) if issubclass(device_cls, Device): device_set = device_cls.objects.filter(id=int(device_id)) if for_verify: device_set = device_set.select_for_update() device = device_set.first() except (ValueError, LookupError): pass return device
[docs] def is_interactive(self): """ Returns ``True`` if this is an interactive device. The default implementation returns ``True`` if :meth:`~django_otp.models.Device.generate_challenge` has been overridden, but subclasses are welcome to provide smarter implementations. :rtype: bool """ return not hasattr(self.generate_challenge, 'stub')
[docs] def generate_is_allowed(self): """ Checks whether it is permissible to call :meth:`generate_challenge`. If it is allowed, returns ``(True, None)``. Otherwise returns ``(False, data_dict)``, where ``data_dict`` contains extra information, defined by the implementation. This method can be used to implement throttling of token generation for interactive devices. Client code should check this method before calling :meth:`generate_challenge` and report problems to the user. """ return (True, None)
[docs] def generate_challenge(self): """ Generates a challenge value that the user will need to produce a token. This method is permitted to have side effects, such as transmitting information to the user through some other channel (email or SMS, perhaps). And, of course, some devices may need to commit the challenge to the database. :returns: A message to the user. This should be a string that fits comfortably in the template ``'OTP Challenge: {0}'``. This may return ``None`` if this device is not interactive. :rtype: string or ``None`` :raises: Any :exc:`~exceptions.Exception` is permitted. Callers should trap ``Exception`` and report it to the user. """ return None
generate_challenge.stub = True
[docs] def verify_is_allowed(self): """ Checks whether it is permissible to call :meth:`verify_token`. If it is allowed, returns ``(True, None)``. Otherwise returns ``(False, data_dict)``, where ``data_dict`` contains extra information, defined by the implementation. This method can be used to implement throttling or locking, for example. Client code should check this method before calling :meth:`verify_token` and report problems to the user. To report specific problems, the data dictionary can return include a ``'reason'`` member with a value from the constants in :class:`VerifyNotAllowed`. Otherwise, an ``'error_message'`` member should be provided with an error message. :meth:`verify_token` should also call this method and return False if verification is not allowed. :rtype: (bool, dict or ``None``) """ return (True, None)
[docs] def verify_token(self, token): """ Verifies a token. As a rule, the token should no longer be valid if this returns ``True``. :param str token: The OTP token provided by the user. :rtype: bool """ return False
[docs] class SideChannelDevice(Device): """ Abstract base model for a side-channel :term:`device` attached to a user. This model implements token generation, verification and expiration, so the concrete devices only have to implement delivery. """ token = models.CharField(max_length=16, blank=True, null=True) valid_until = models.DateTimeField( default=timezone.now, help_text="The timestamp of the moment of expiry of the saved token.", ) class Meta: abstract = True
[docs] def generate_token(self, length=6, valid_secs=300, commit=True): """ Generates a token of the specified length, then sets it on the model and sets the expiration of the token on the model. Pass 'commit=False' to avoid calling self.save(). :param int length: Number of decimal digits in the generated token. :param int valid_secs: Amount of seconds the token should be valid. :param bool commit: Whether to autosave the generated token. """ self.token = random_number_token(length) self.valid_until = timezone.now() + timedelta(seconds=valid_secs) if commit: self.save()
[docs] def verify_token(self, token): """ Verifies a token by content and expiry. On success, the token is cleared and the device saved. :param str token: The OTP token provided by the user. :rtype: bool """ _now = timezone.now() if ( (self.token is not None) and (token == self.token) and (_now < self.valid_until) ): self.token = None self.valid_until = _now self.save() return True else: return False
[docs] class GenerateNotAllowed(enum.Enum): """ Constants that may be returned in the ``reason`` member of the extra information dictionary returned by :meth:`~django_otp.models.Device.generate_is_allowed` .. data:: COOLDOWN_DURATION_PENDING Indicates that a token was generated recently and we're waiting for the cooldown period to expire. """ COOLDOWN_DURATION_PENDING = 'COOLDOWN_DURATION_PENDING'
[docs] class CooldownMixin(models.Model): """ Mixin class for models requiring a cooldown duration between challenge generations. Subclass must implement :meth:`get_cooldown_duration`, and must use the :meth:`generate_is_allowed` method from within their generate_challenge() method. Further it must use :meth:`cooldown_set` when a token is generated. See the implementation of :class:`~django_otp.plugins.otp_email.models.EmailDevice` for an example. """ last_generated_timestamp = models.DateTimeField( null=True, blank=True, help_text="The last time a token was generated for this device.", ) class Meta: abstract = True
[docs] def generate_is_allowed(self): """ If token generation is allowed, returns ``(True, None)``. Otherwise, returns ``(False, data_dict)``. ``data_dict`` contains further information. Currently it can be:: { 'reason': GenerateNotAllowed.COOLDOWN_DURATION_PENDING, 'next_generation_at': when, } where ``when`` is a datetime marking the end of the cooldown period. See :class:`GenerateNotAllowed`. """ dt_now = timezone.now() if ( not self.last_generated_timestamp or (dt_now - self.last_generated_timestamp).total_seconds() > self.get_cooldown_duration() ): return super().generate_is_allowed() else: return False, { 'reason': GenerateNotAllowed.COOLDOWN_DURATION_PENDING, 'next_generation_at': self.last_generated_timestamp + timedelta(seconds=self.get_cooldown_duration()), }
[docs] def cooldown_reset(self, commit=True): """ Call this method to reset cooldown (normally after a successful verification). Pass 'commit=False' to avoid calling self.save(). """ self.last_generated_timestamp = None if commit: self.save()
[docs] def cooldown_set(self, commit=True): """ Call this method to set the cooldown timestamp to now (normally when a token is generated). Pass 'commit=False' to avoid calling self.save(). """ self.last_generated_timestamp = timezone.now() if commit: self.save()
def verify_token(self, token): """ Reset the throttle if the token is valid. """ verified = super().verify_token(token) if verified: self.cooldown_reset() return verified @cached_property def cooldown_enabled(self): return self.get_cooldown_duration() > 0
[docs] def get_cooldown_duration(self): """ This must be implemented to return the cooldown duration in seconds. A duration of 0 disables the cooldown. Normally this is just a wrapper for a plugin-specific setting like :setting:`OTP_EMAIL_COOLDOWN_DURATION`. """ raise NotImplementedError()
[docs] class VerifyNotAllowed(enum.Enum): """ Constants that may be returned in the ``reason`` member of the extra information dictionary returned by :meth:`~django_otp.models.Device.verify_is_allowed` .. data:: N_FAILED_ATTEMPTS Indicates that verification is disallowed because of ``n`` successive failed attempts. The data dictionary should include the value of ``n`` in member ``failure_count`` """ N_FAILED_ATTEMPTS = 'N_FAILED_ATTEMPTS'
[docs] class ThrottlingMixin(models.Model): """ Mixin class for models that want throttling behaviour. This implements exponential back-off for verifying tokens. Subclasses must implement :meth:`get_throttle_factor`, and must use the :meth:`verify_is_allowed`, :meth:`throttle_reset` and :meth:`throttle_increment` methods from within their verify_token() method. See the implementation of :class:`~django_otp.plugins.otp_email.models.EmailDevice` for an example. """ throttling_failure_timestamp = models.DateTimeField( null=True, blank=True, default=None, help_text=( "A timestamp of the last failed verification attempt. Null if last attempt" " succeeded." ), ) throttling_failure_count = models.PositiveIntegerField( default=0, help_text="Number of successive failed attempts." ) class Meta: abstract = True
[docs] def verify_is_allowed(self): """ If verification is allowed, returns ``(True, None)``. Otherwise, returns ``(False, data_dict)``. ``data_dict`` contains further information. Currently it can be:: { 'reason': VerifyNotAllowed.N_FAILED_ATTEMPTS, 'failure_count': n } where ``n`` is the number of successive failures. See :class:`~django_otp.models.VerifyNotAllowed`. """ if ( self.throttling_enabled and self.throttling_failure_count > 0 and self.throttling_failure_timestamp is not None ): now = timezone.now() delay = (now - self.throttling_failure_timestamp).total_seconds() # Required delays should be 1, 2, 4, 8 ... delay_required = self.get_throttle_factor() * ( 2 ** (self.throttling_failure_count - 1) ) if delay < delay_required: return ( False, { 'reason': VerifyNotAllowed.N_FAILED_ATTEMPTS, 'failure_count': self.throttling_failure_count, 'locked_until': self.throttling_failure_timestamp + timedelta(seconds=delay_required), }, ) return super().verify_is_allowed()
[docs] def throttle_reset(self, commit=True): """ Call this method to reset throttling (normally when a verify attempt succeeded). Pass 'commit=False' to avoid calling self.save(). """ self.throttling_failure_timestamp = None self.throttling_failure_count = 0 if commit: self.save()
[docs] def throttle_increment(self, commit=True): """ Call this method to increase throttling (normally when a verify attempt failed). Pass 'commit=False' to avoid calling self.save(). """ self.throttling_failure_timestamp = timezone.now() self.throttling_failure_count += 1 if commit: self.save()
@cached_property def throttling_enabled(self): return self.get_throttle_factor() > 0
[docs] def get_throttle_factor(self): # pragma: no cover """ This must be implemented to return the throttle factor. The number of seconds required between verification attempts will be :math:`c2^{n-1}` where `c` is this factor and `n` is the number of previous failures. A factor of 1 translates to delays of 1, 2, 4, 8, etc. seconds. A factor of 0 disables the throttling. Normally this is just a wrapper for a plugin-specific setting like :setting:`OTP_EMAIL_THROTTLE_FACTOR`. """ raise NotImplementedError()