Tests and CI

.gitignore

@@ -2,6 +2,7 @@
 *.db
 *~
 .*
+.idea/
 
 html/
 htmlcov/

.travis.yml

@@ -0,0 +1,46 @@
+python: '3.5'
+
+language: python
+
+sudo: false
+
+env:
+ - TOX_ENV=py35-flake8
+
+ - TOX_ENV=py33-django1.8-drf3.1
+ - TOX_ENV=py33-django1.8-drf3.2
+ - TOX_ENV=py33-django1.8-drf3.3
+ - TOX_ENV=py33-django1.8-drf3.4
+ - TOX_ENV=py33-django1.8-drf3.5
+ - TOX_ENV=py33-django1.8-drf3.6
+
+ - TOX_ENV=py34-django1.8-drf3.1
+ - TOX_ENV=py34-django1.8-drf3.2
+ - TOX_ENV=py34-django1.8-drf3.3
+ - TOX_ENV=py34-django1.8-drf3.4
+ - TOX_ENV=py34-django1.8-drf3.5
+ - TOX_ENV=py34-django1.8-drf3.6
+
+ - TOX_ENV=py34-django1.9-drf3.1
+ - TOX_ENV=py34-django1.9-drf3.2
+ - TOX_ENV=py34-django1.9-drf3.3
+ - TOX_ENV=py34-django1.9-drf3.4
+ - TOX_ENV=py34-django1.9-drf3.5
+ - TOX_ENV=py34-django1.9-drf3.6
+
+ - TOX_ENV=py34-django1.10-drf3.4
+ - TOX_ENV=py34-django1.10-drf3.5
+ - TOX_ENV=py34-django1.10-drf3.6
+
+ - TOX_ENV=py35-django1.10-drf3.4
+ - TOX_ENV=py35-django1.10-drf3.5
+ - TOX_ENV=py35-django1.10-drf3.6
+
+matrix:
+ fast_finish: true
+
+install:
+ - pip install tox
+
+script:
+ - tox -e $TOX_ENV

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Aaron Ng
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -120,7 +120,7 @@ The template renders a single variable `{{ callback_token }}` which is the 6 dig
 ## Contact Point Validation
 Endpoints can automatically mark themselves as validated when a user logs in with a token sent to a specific endpoint. They can also automatically mark themselves as invalid when a user changes a contact point.
 
-This is off by default but can be turned on with `PASSWORDLESS_USER_MARK_VERIFIED_EMAIL` or `PASSWORDLESS_USER_MARK_VERIFIED_MOBILE`. By default when these are enabled they look for the User model fields `email_verified` or `mobile_verified`.
+This is off by default but can be turned on with `PASSWORDLESS_USER_MARK_EMAIL_VERIFIED` or `PASSWORDLESS_USER_MARK_MOBILE_VERIFIED`. By default when these are enabled they look for the User model fields `email_verified` or `mobile_verified`.
 
 ## Registration
 all unrecognized emails and mobile numbers create new accounts by default. New accounts are automatically set with `set_unusable_password()` but it’s recommended that admins have some type of password.
@@ -145,12 +145,12 @@ Here’s a full list of the configurable defaults.
 
   # Marks itself as verified the first time a user completes auth via token.
   # Automatically unmarks itself if email is changed.
-  'PASSWORDLESS_USER_MARK_VERIFIED_EMAIL': False,
+  'PASSWORDLESS_USER_MARK_EMAIL_VERIFIED': False,
   'PASSWORDLESS_USER_EMAIL_VERIFIED_FIELD_NAME': 'email_verified',
 
   # Marks itself as verified the first time a user completes auth via token.
   # Automatically unmarks itself if mobile number is changed.
-  'PASSWORDLESS_USER_MARK_VERIFIED_MOBILE': False,
+  'PASSWORDLESS_USER_MARK_MOBILE_VERIFIED': False,
   'PASSWORDLESS_USER_MOBILE_VERIFIED_FIELD_NAME': 'mobile_verified',
 
   # The email the callback token is sent from
@@ -166,14 +166,18 @@ Here’s a full list of the configurable defaults.
   'PASSWORDLESS_EMAIL_TOKEN_HTML_TEMPLATE_NAME': "passwordless_default_token_email.html",
 
   # The SMS sent to mobile users logging in. Takes one string.
-  'PASSWORDLESS_MOBILE_MESSAGE': "Use this code to log in: %s"
+  'PASSWORDLESS_MOBILE_MESSAGE': "Use this code to log in: %s",
 
   # Registers previously unseen aliases as new users.
-  'PASSWORDLESS_REGISTER_NEW_USERS': True
+  'PASSWORDLESS_REGISTER_NEW_USERS': True,
+
+  # Suppresses actual SMS for testing
+  'PASSWORDLESS_TEST_SUPPRESSION': False
  }
 
 
 ### Todo
 - Support non-US mobile numbers
 - Tests
 - Custom URLs
+- Change bad settings to 500's

drfpasswordless/apps.py

@@ -5,4 +5,4 @@ class DrfpasswordlessConfig(AppConfig):
  name = 'drfpasswordless'
 
  def ready(self):
- import drfpasswordless.signals
+ import drfpasswordless.signals # NOQA

drfpasswordless/serializers.py

@@ -20,6 +20,7 @@ class TokenField(serializers.CharField):
  'max_length': _('Tokens are {max_length} digits long.'),
  'min_length': _('Tokens are {min_length} digits long.')}
 
+
 """
 Serializers
 """
@@ -43,7 +44,7 @@ def validate(self, attrs):
  # Return a token for them to log in
  # Consider moving this into somewhere else. Serializer should only serialize.
 
- if api_settings.PASSWORDLESS_REGISTER_NEW_USERS:
+ if api_settings.PASSWORDLESS_REGISTER_NEW_USERS is True:
  # If new aliases should register new users.
  user, created = User.objects.get_or_create(**{self.alias_type: alias})
  else:

drfpasswordless/settings.py

@@ -1,4 +1,3 @@
-import sys
 from django.conf import settings
 from rest_framework.settings import APISettings
 
@@ -20,12 +19,12 @@
 
  # Marks itself as verified the first time a user completes auth via token.
  # Automatically unmarks itself if email is changed.
- 'PASSWORDLESS_USER_MARK_VERIFIED_EMAIL': False,
+ 'PASSWORDLESS_USER_MARK_EMAIL_VERIFIED': False,
  'PASSWORDLESS_USER_EMAIL_VERIFIED_FIELD_NAME': 'email_verified',
 
  # Marks itself as verified the first time a user completes auth via token.
  # Automatically unmarks itself if mobile number is changed.
- 'PASSWORDLESS_USER_MARK_VERIFIED_MOBILE': False,
+ 'PASSWORDLESS_USER_MARK_MOBILE_VERIFIED': False,
  'PASSWORDLESS_USER_MOBILE_VERIFIED_FIELD_NAME': 'mobile_verified',
 
  # The email the callback token is sent from
@@ -47,7 +46,10 @@
  'PASSWORDLESS_MOBILE_MESSAGE': "Use this code to log in: %s",
 
  # Registers previously unseen aliases as new users.
- 'PASSWORDLESS_REGISTER_NEW_USERS': True
+ 'PASSWORDLESS_REGISTER_NEW_USERS': True,
+
+ # Suppresses actual SMS for testing
+ 'PASSWORDLESS_TEST_SUPPRESSION': False
 }
 
 # List of settings that may be in string import notation.

drfpasswordless/signals.py

@@ -44,7 +44,7 @@ def update_alias_verification(sender, instance, **kwargs):
  if instance.id:
  user_old = User.objects.get(id=instance.id) # Pre-save object
 
- if api_settings.PASSWORDLESS_USER_MARK_VERIFIED_EMAIL:
+ if api_settings.PASSWORDLESS_USER_MARK_EMAIL_VERIFIED is True:
  """
  For marking email aliases as not verified when a user changes it.
  """
@@ -65,7 +65,7 @@ def update_alias_verification(sender, instance, **kwargs):
  # User probably is just initially being created
  setattr(instance, email_verified_field, True)
 
- if api_settings.PASSWORDLESS_USER_MARK_VERIFIED_MOBILE:
+ if api_settings.PASSWORDLESS_USER_MARK_MOBILE_VERIFIED is True:
  """
  For marking mobile aliases as not verified when a user changes it.
  """

drfpasswordless/urls.py

@@ -2,7 +2,6 @@
 from rest_framework.urlpatterns import format_suffix_patterns
 from .views import ObtainEmailCallbackToken, ObtainMobileCallbackToken, ObtainAuthTokenFromCallbackToken
 
-# The URL a user posts a 6 digit token to to get their auth token.
 urlpatterns = [url(r'^callback/auth/$', ObtainAuthTokenFromCallbackToken.as_view(), name='auth_callback'),
  url(r'^auth/email/$', ObtainEmailCallbackToken.as_view(), name='auth_email'),
  url(r'^auth/mobile/$', ObtainMobileCallbackToken.as_view(), name='auth_mobile')]

drfpasswordless/utils.py

@@ -1,7 +1,6 @@
 import logging
 import os
 from django.contrib.auth import get_user_model
-from django.conf import settings
 from django.core.exceptions import PermissionDenied
 from django.core.mail import send_mail
 from django.template import loader
@@ -26,21 +25,23 @@ def authenticate_by_token(callback_token):
  if token is not None:
  # Our token becomes used now that it's passing through the authentication pipeline.
  token.is_active = False
- token.save()
 
- if api_settings.PASSWORDLESS_USER_MARK_VERIFIED_EMAIL \
- or api_settings.PASSWORDLESS_USER_MARK_VERIFIED_MOBILE:
+ if api_settings.PASSWORDLESS_USER_MARK_EMAIL_VERIFIED \
+ or api_settings.PASSWORDLESS_USER_MARK_MOBILE_VERIFIED:
  # Mark this alias as verified
- user = User.objects.get(pk=token.user.pk)
- verify_user_alias(user, token)
+ user = verify_user_alias(User.objects.get(pk=token.user.pk), token)
+ token.user = user
 
  # Returning a user designates a successful authentication.
+ token.save()
  return token.user
 
  except CallbackToken.DoesNotExist:
- pass
+ log.debug("drfpasswordless: Challenged with a callback token that doesn't exist.")
+ except User.DoesNotExist:
+ log.debug("drfpasswordless: Authenticated user somehow doesn't exist.")
  except PermissionDenied:
- pass
+ log.debug("drfpasswordless: Permission denied while authenticating.")
 
  return None
 
@@ -70,7 +71,7 @@ def validate_token_age(token):
  """
  Returns True if a given token is within the age expiration limit.
  """
- seconds = (timezone.now()-token.created_at).total_seconds()
+ seconds = (timezone.now() - token.created_at).total_seconds()
  token_expiry_time = api_settings.PASSWORDLESS_TOKEN_EXPIRE_TIME
 
  if seconds <= token_expiry_time:
@@ -98,7 +99,7 @@ def verify_user_alias(user, token):
  return user
 
 
-def send_email_with_callback_token(user, email_token):
+def send_email_with_callback_token(self, user, email_token):
  """
  Sends a SMS to user.mobile.
 
@@ -107,6 +108,8 @@ def send_email_with_callback_token(user, email_token):
 
  try:
  if api_settings.PASSWORDLESS_EMAIL_NOREPLY_ADDRESS:
+ # Make sure we have a sending address before sending.
+
  html_message = loader.render_to_string(
  api_settings.PASSWORDLESS_EMAIL_TOKEN_HTML_TEMPLATE_NAME,
  {'callback_token': email_token.key, }
@@ -133,7 +136,7 @@ def send_email_with_callback_token(user, email_token):
  return False
 
 
-def send_sms_with_callback_token(user, mobile_token):
+def send_sms_with_callback_token(self, user, mobile_token):
  """
  Sends a SMS to user.mobile via Twilio.
 
@@ -142,19 +145,24 @@ def send_sms_with_callback_token(user, mobile_token):
  base_string = api_settings.PASSWORDLESS_MOBILE_MESSAGE
 
  try:
- if hasattr(settings, 'TEST'):
- # If TEST = True in settings, we assume success to prevent spamming SMS during testing.
- if settings.TEST is True:
+
+ if api_settings.PASSWORDLESS_MOBILE_NOREPLY_NUMBER:
+ # We need a sending number to send properly
+ if api_settings.PASSWORDLESS_TEST_SUPPRESSION is True:
+ # we assume success to prevent spamming SMS during testing.
  return True
 
- from twilio.rest import TwilioRestClient
- twilio_client = TwilioRestClient(os.environ['TWILIO_ACCOUNT_SID'], os.environ['TWILIO_AUTH_TOKEN'])
- twilio_client.messages.create(
- body=base_string % mobile_token.key,
- to=getattr(user, api_settings.PASSWORDLESS_USER_MOBILE_FIELD_NAME),
- from_=os.environ['PASSWORDLESS_MOBILE_NOREPLY_NUMBER']
- )
- return True
+ from twilio.rest import TwilioRestClient
+ twilio_client = TwilioRestClient(os.environ['TWILIO_ACCOUNT_SID'], os.environ['TWILIO_AUTH_TOKEN'])
+ twilio_client.messages.create(
+ body=base_string % mobile_token.key,
+ to=getattr(user, api_settings.PASSWORDLESS_USER_MOBILE_FIELD_NAME),
+ from_=api_settings.PASSWORDLESS_MOBILE_NOREPLY_NUMBER
+ )
+ return True
+ else:
+ log.debug("Failed to send login sms. Missing PASSWORDLESS_MOBILE_NOREPLY_NUMBER.")
+ return False
  except ImportError:
  log.debug("Couldn't import Twilio client. Is twilio installed?")
  return False

drfpasswordless/views.py

@@ -38,7 +38,7 @@ def send_action(self):
  raise NotImplementedError
 
  def post(self, request, *args, **kwargs):
- if self.alias_type not in api_settings.PASSWORDLESS_AUTH_TYPES:
+ if self.alias_type.upper() not in api_settings.PASSWORDLESS_AUTH_TYPES:
  # Only allow auth types allowed in settings.
  return Response(status=status.HTTP_404_NOT_FOUND)
 

manifest.in

@@ -0,0 +1,3 @@
+include README.md LICENSE
+recursive-exclude * __pycache__
+recursive-exclude * *.py[co]

requirements.txt

@@ -0,0 +1,8 @@
+# Laying these out as separate requirements files, allows us to
+# only included the relevant sets when running tox, and ensures
+# we are only ever declaring our dependencies in one place.
+
+-r requirements/codestyle.txt
+-r requirements/optionals.txt
+-r requirements/packaging.txt
+-r requirements/testing.txt

requirements/codestyle.txt

@@ -0,0 +1,3 @@
+# PEP8 code linting, which we run on all commits.
+flake8==3.3.0
+pep8==1.7.0

requirements/optionals.txt

@@ -0,0 +1 @@
+twilio==5.7.0

requirements/packaging.txt

@@ -0,0 +1,5 @@
+# Wheel for PyPI installs.
+wheel==0.24.0
+
+# Twine for secured PyPI uploads.
+twine==1.8.1

requirements/testing.txt

@@ -0,0 +1,4 @@
+# PyTest for running the tests.
+pytest==2.6.4
+pytest-django==2.8.0
+pytest-cov==1.6