arxiv-auth with python 3.10 #78

Merged
merged 47 commits into from
Sep 22, 2023

bdc34 (Contributor) commented Aug 17, 2022

This includes fixes to use arxiv-auth and accounts with python 3.10.

The users directory is moved to arxiv-auth to reflect that that is the directory with the code that is uploaded to pypi as the arxiv-auth package.

The dependency management is changed from pipenv to poetry. The main motivation here is that poetry has poetry upload to build the package and upload to pypi. This removes the need for the redundant setup.py files.

Instead of having a dependency description file at ./ there is now one at both ./arxiv-auth and ./accounts to more directly reflect the fact that these are two different packages. The dependencies in both of these are updated to use newer packages and python 3.10. I developed this with 3.10.6.

Tests were updated to work. There were problems with mocks that needed the Flask request context. There were tests that also needed the request context. Some tests were converted to pytest from UnitTest.

Some of the docs were updated. Please let me know where these are not clear. "NG" was removed in several places since we are moving on.

users.init_app and legacy.init_app were pointing to the same function.

users.create_all and legacy.create_all were pointing to the same
function.
This was just redirection to packages in `arxiv.users`
More clean up of indirection
It was just importing things from `arxiv.users`
Fixes pillow dep issue
Tests under ./arxiv-auth pass

The intent is to better show the relation between the directory and
the package.

Fixes tests in arxiv-auth/arxiv_auth/auth/tests/test_extension.py
And other fixes
Changes to lint.sh and style.sh

Doc style fixes.
Fixes yaml error
Change to deps to try to get github actions to work
This fixes a bug where the query to get a session from the
db was not limiting to the session id from the cookie.
Setting either `Flask.config['ARXIV_AUTH_DEBUG']` or env var
ARXIV_AUTH_DEBUG will turn on logging debugging messages for several
auth packages.
It is no longer needed and causes unnecessary configuration complexity and
problems.

The AUTH_UPDATED_SESSION_REF was only in place to ease the transition from
placing the auth object on `request.session` to `request.auth`. Placing it at
`request.session` was a mistake during the NG because it interfered with flask
sessions.

Also bumps version from 1.0 to 1.1.
Used by vault but we don't use vault anymore.
accounts/main.py
)
salt = b'fdoo'
password = b'thepassword'
hashed = hashlib.sha1(salt + b'-' + password).digest()

Check failure: Code scanning / CodeQL

Use of a broken or weak cryptographic hashing algorithm on sensitive data (High, test)

Sensitive data (password) is used in a hashing algorithm (SHA1) that is insecure for password hashing, since it is not a computationally expensive hash function.
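
The difference the CodeQL alert describes, as an added example that is not code from this pull request or from arxiv-auth: the flagged single-pass SHA1 beside `hashlib.scrypt`, plus a verify step that re-hashes a legacy record after a successful check (this part goes beyond the flagged line). The `scheme$salt$digest` record format, the function names and the scrypt cost parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def legacy_record(salt: bytes, password: bytes) -> str:
    """The flagged construct: a single fast SHA1 pass over salt + b'-' + password."""
    digest = hashlib.sha1(salt + b'-' + password).digest()
    return f"sha1${salt.hex()}${digest.hex()}"


def scrypt_record(password: bytes) -> str:
    """Memory-hard replacement with a fresh random 16-byte salt per password."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password, salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify(record: str, password: bytes):
    """Return (ok, upgraded): upgraded is a new scrypt record when a legacy
    sha1 record verified, so the caller can overwrite the weak hash."""
    scheme, salt_hex, want_hex = record.split("$")
    salt, want = bytes.fromhex(salt_hex), bytes.fromhex(want_hex)
    if scheme == "scrypt":
        got = hashlib.scrypt(password, salt=salt, **SCRYPT)
        return hmac.compare_digest(got, want), None
    if scheme == "sha1":
        got = hashlib.sha1(salt + b'-' + password).digest()
        ok = hmac.compare_digest(got, want)  # constant-time comparison
        return ok, (scrypt_record(password) if ok else None)
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    # Constructed sample values taken from the flagged snippet, not real credentials.
    old = legacy_record(b'fdoo', b'thepassword')
    ok, new = verify(old, b'thepassword')
    print(ok, new.split("$")[0])
    print(verify(new, b'wrong'))
```
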
@bdc34 bdc34 merged commit 0ef8c46 into develop Sep 22, 2023
1 of 2 checks passed