Upgraded OIDC

Author: Casassarnau

app/settings.py

@@ -65,6 +65,7 @@
     'axes',
     'django_password_validators',
     'django_password_validators.password_history',
+    'rest_framework',
     'user',
     'application',
     'review',
@@ -144,29 +145,29 @@
 # https://docs.djangoproject.com/en/4.0/ref/settings/#auth-password-validators
 
 AUTH_PASSWORD_VALIDATORS = [
-    {
-        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-    },
-    {
-        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
-    },
     {
         'NAME': 'django_password_validators.password_history.password_validation.UniquePasswordsValidator',
-    },
-    {
-        'NAME': 'django_password_validators.password_character_requirements.password_validation.'
-                'PasswordCharacterValidator',
         'OPTIONS': {
-            'min_length_digit': 1,
-            'min_length_alpha': 1,
-            'min_length_special': 1,
-            'min_length_lower': 1,
-            'min_length_upper': 1,
-            'special_characters': ",.-~!@#$%^&*()_+{}\":;'[]"
+            # How many recently entered passwords matter.
+            # Passwords out of range are deleted.
+            # Default: 0 - All passwords entered by the user. All password hashes are stored.
+            'last_passwords': 5  # Only the last 5 passwords entered by the user
         }
     },
 ]
 
+# Validations are js because server does not get the password
+PASSWORD_VALIDATORS = {
+    'min_length_digit': 1,
+    'min_length_special': 1,
+    'min_length_lower': 1,
+    'min_length_upper': 1,
+    'min_characters': 8,
+    # regex format
+    'special_characters': "/[`~!@#$%\^\*\(\),\.\-=_+\\\\\[\]{}/\?]/g",
+
+}
+
 AUTHENTICATION_BACKENDS = [
     # AxesStandaloneBackend should be the first backend in the AUTHENTICATION_BACKENDS list.
     'axes.backends.AxesStandaloneBackend',
@@ -234,17 +235,10 @@
 LOGIN_URL = '/auth/login'
 
 # JWT settings
-JWT_CLIENT = {
-    'OPENID2_URL': os.environ.get('OPENID_CLIENT_ID', 'http://localhost:8000/openid'),  # Required
-    'CLIENT_ID': os.environ.get('OPENID_CLIENT_ID', 'client_id'),  # Required
-    'TYPE': 'fake' if DEBUG else 'local',  # Required
-    'RESPONSE_TYPE': 'id_token',  # Required
-    'RENAME_ATTRIBUTES': {'sub': 'email', 'groups': 'get_groups'},  # Optional
-
-}
-JWT_SERVER = {
-    'JWK_EXPIRATION_TIME': 3600,  # Optional
-    'JWT_EXPIRATION_TIME': 14400  # Optional
+JWT_OIDC = {
+    'TYPE': 'provider',  # Required
+    'DISCOVERY_ENDPOINT': os.environ.get('OIDC_DISCOVERY_ENDPOINT',
+                                         'http://localhost:8000/openid/.well-known/openid-configuration'),
 }
 
 DJANGO_TABLES2_TEMPLATE = 'django_tables2/bootstrap-responsive.html'

app/static/img/logo-no-text.png

@@ -59,4 +59,5 @@ def app_variables(request):
         'theme': get_theme(request),
         'captcha_site_key': getattr(settings, 'GOOGLE_RECAPTCHA_SITE_KEY', ''),
         'socialaccount_providers': getattr(settings, 'SOCIALACCOUNT_PROVIDERS', {}),
+        'auth_password_validators': getattr(settings, 'PASSWORD_VALIDATORS', {})
     }

app/template.py

@@ -46,19 +46,30 @@
                     </div>
                 </nav>
             {% endblock %}
-            {% block container %}
-                <div class="container-lg mb-4 mt-4">
-                    {% if tabs %}
-                        {% include 'components/tabs.html' %}
-                    {% endif %}
-                    <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
-                        <div class="p-4">
-                            {% block content %}
-                            {% endblock %}
+            <div id="js-disabled">
+                <div class="row justify-content-md-center" style="margin: 0">
+                    <div class="col-lg-4 mb-4 mt-4">
+                        <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
+                            <h3 class="text-center p-5">{{ app_name }} does not work without Javascript. Enable it please!</h3>
                         </div>
                     </div>
                 </div>
-            {% endblock %}
+            </div>
+            <div id="js-enabled" style="display: none">
+                {% block container %}
+                    <div class="container-lg mb-4 mt-4">
+                        {% if tabs %}
+                            {% include 'components/tabs.html' %}
+                        {% endif %}
+                        <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
+                            <div class="p-4">
+                                {% block content %}
+                                {% endblock %}
+                            </div>
+                        </div>
+                    </div>
+                {% endblock %}
+            </div>
             {% include 'components/toast.html' %}
             {% block footer %}
                 {% include 'components/footer.html' %}
@@ -68,6 +79,8 @@
         {% endblock %}
         <script nonce="{{ CSP_NONCE }}">
             $(document).ready(() => {
+                $('#js-disabled').hide()
+                $('#js-enabled').show()
                 // Timezone settings
                 const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone; // e.g. "America/New_York"
                 document.cookie = "django_timezone=" + timezone;

app/templates/base.html

@@ -0,0 +1,53 @@
+{% extends 'base.html' %}
+{% load i18n %}
+{% load static %}
+{% block subtitle %}{% translate 'Authorize' %} {{ web.get_name }}{% endblock %}
+{% block navbar_main_menu %}{% endblock %}
+{% block container %}
+    <div class="row justify-content-md-center" style="margin: 0">
+        <div class="col-lg-4 mb-4 mt-4">
+            <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
+                <div class="content p-4">
+                    <div class="d-flex align-items-center justify-content-center" style="height: 10vh">
+                        <img style="width: 10vh" class="rounded-circle border border-2" src="{{ web.get_logo_as_base64 }}" alt="{{ web.get_name }}">
+                        <div style="position: relative; width: 10vh; height: 100%">
+                            <div class="border border-right" style="position: absolute; width: 100%; top: 50%; z-index: 0"></div>
+                            <div style="position: absolute; width: 100%; z-index: 1; top: 50%; transform: translateY(-48%)" class="h3 text-center"><i class="bi bi-check-circle-fill bg-{{ theme }} text-success"></i></div>
+                        </div>
+                        <img style="width: 10vh" class="rounded-circle border border-2" src="{% static 'img/logo-no-text.png' %}" alt="{{ app_name }}">
+                    </div>
+                    <h2 class="text-center mt-4">{% translate 'Authorize' %} {{ web.get_name }}</h2>
+                    <h4 class="text-center">{% translate 'to access your information about:' %}</h4>
+                    <ul class="mt-3">
+                        {% for scope in accepted_scopes %}
+                            <li><h5>{{ scope|title }} <i class="text-success bi bi-check-circle-fill bg-{{ theme }}" title="{% translate 'Previously accepted' %}"></i></h5></li>
+                        {% endfor %}
+                        {% for scope in not_accepted_scopes %}
+                            <li><h5>{{ scope|title }}</h5></li>
+                        {% endfor %}
+                    </ul>
+                    {% if denied %}
+                        <div class="toast align-items-center fade show bg-danger" role="alert" aria-live="assertive" aria-atomic="true">
+                            <div class="d-flex">
+                                <div class="toast-body">You denied access to {{ web.get_name }}</div>
+                                <button type="button" class="btn-close me-2 m-auto" data-bs-dismiss="toast" aria-label="Close"></button>
+                            </div>
+                        </div>
+                    {% endif %}
+                    <form method="post">
+                        {% csrf_token %}
+                        <div class="row justify-content-around">
+                            <div class="col-12 col-lg-6 d-grid d-md-block mt-2">
+                                <button type="submit" name="confirmation" value="false" class="btn btn-danger col-12">{% translate 'Deny' %}</button>
+                            </div>
+                            <div class="col-12 col-lg-6 d-grid d-md-block mt-2">
+                                <button type="submit" name="confirmation" value="true" class="btn btn-primary col-12">{% translate 'Accept' %}</button>
+                            </div>
+                        </div>
+                        <p class="text-center mt-3">{% translate 'Accepting will redirect to' %} {{ web.host }}</p>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}

app/templates/django_jwt/oidc_confirmation.html

@@ -27,6 +27,7 @@
     path('privacy_and_cookies/', views.PrivacyCookies.as_view(), name='privacy_and_cookies'),
 
     path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),
+    path('openid/', include('django_jwt.urls')),
     path(getattr(settings, 'ADMIN_URL', 'secret/'), admin.site.urls),
     path('auth/', include('user.urls')),
     path('application/', include('application.urls')),
@@ -38,9 +39,3 @@
 
 if is_installed("friends"):
     urlpatterns.append(path('friends/', include('friends.urls')))
-
-# JWT fake login on DEBUG for development purposes
-if getattr(settings, 'DEBUG', True):
-    urlpatterns.append(path('openid/', include('django_jwt.urls')))
-else:
-    urlpatterns.append(path('openid/', include('django_jwt.server.urls')))

app/urls.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.0.8 on 2023-04-06 08:13
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('event_messages', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='announcement',
+            name='services',
+            field=models.CharField(blank=True, help_text='Messages will be sent to the services you select', max_length=200),
+        ),
+    ]

event/messages/migrations/0002_alter_announcement_services.py

@@ -24,11 +24,12 @@ django-crontab==0.7.1
 django-csp==3.7
 django-filter==22.1
 django-ipware==4.0.2
-django-jwt-oidc==0.3.9
+django-jwt-oidc==1.0.3
 django-libsass==0.9
 django-password-validators==1.7.0
 django-recaptcha==3.0.0
 django-tables2==2.4.1
+djangorestframework==3.14.0
 filetype==1.1.0
 flake8==4.0.1
 frozenlist==1.3.3

requirements.txt

@@ -1,6 +1,9 @@
 {% extends 'base.html' %}
 {% load i18n %}
 {% load socialaccount %}
+{% block head %}
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js" integrity="sha512-E8QSvWZ0eCLGk4km3hxSsNmGWbLtSCSUcewDQPQWZF6pEU8GlT8a5fF32wOl1i8ftdMhssTrF/OhyGWwonTcXA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+{% endblock %}
 {% block subtitle %}{{ auth|title }}{% endblock %}
 {% block container %}
     <div class="row justify-content-md-center" style="margin: 0">
@@ -10,7 +13,7 @@
             {% endif %}
             <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
                 {% if not blocked_message %}
-                    <form method="post">
+                    <form method="post" id="auth-form">
                         {% csrf_token %}
                         <div class="content p-4">
                             {% if auth != 'register' %}
@@ -55,4 +58,91 @@
             </div>
         </div>
     </div>
+    <script>
+        $(document).ready(() => {
+            {% if auth == 'register' %}
+                let min_chars = {{ auth_password_validators.min_characters|default:8 }};
+                let min_digits = {{ auth_password_validators.min_length_digit|default:0 }};
+                let min_special = {{ auth_password_validators.min_length_special|default:0 }};
+                let special = '{{ auth_password_validators.special_characters|default:'' }}';
+                let min_lower = {{ auth_password_validators.min_length_lower|default:0 }};
+                let min_upper = {{ auth_password_validators.min_length_upper|default:0 }};
+                function check_password_requirements(password_input, password_text) {
+                    let password = password_input.val()
+                    if (password.length < min_chars ||
+                        (password.match('[0-9]')?.length ?? 0) < min_digits ||
+                        (password.match({{ auth_password_validators.special_characters|default:'' }})?.length ?? 0) < min_special ||
+                        (password.match('[a-z]')?.length ?? 0) < min_lower ||
+                        (password.match('[A-Z]')?.length ?? 0) < min_upper) {
+                            password_input.addClass('is-invalid')
+                            password_text.removeClass('text-success list-check')
+                            password_text.addClass('text-danger list-cross')
+                            return false
+                    }
+                    password_input.removeClass('is-invalid')
+                    password_text.addClass('text-success list-check')
+                    password_text.removeClass('text-danger list-cross')
+                    return true
+                }
+                let special_to_see = special.slice(special.indexOf('[') + 1, special.lastIndexOf(']'))
+                let help_text = $(`<ul><li>This password be ${min_chars} must contain at least ${min_digits} digit, ${min_lower} lower case letter, ${min_upper} upper case letter, ${min_special} special character, such as ${special_to_see}.</li><ul>`)
+                $('.form-text > ul').css('margin', '0')
+                $('.form-text').append(help_text)
+                let password_input = $('#id_password1')
+                let password_input_repeat = $('#id_password2')
+                password_input.keyup(() => {
+                    check_password_requirements(password_input, help_text)
+                    if (password_input.val() !== password_input_repeat.val()) {
+                        password_input_repeat.addClass('is-invalid')
+                    } else {
+                        password_input_repeat.removeClass('is-invalid')
+                    }
+                })
+                password_input_repeat.keyup(() => {
+                    if (password_input.val() !== password_input_repeat.val()) {
+                        password_input_repeat.addClass('is-invalid')
+                    } else {
+                        password_input_repeat.removeClass('is-invalid')
+                    }
+                })
+            {% endif %}
+            async function digestMessage(message) {
+                const msgUint8 = new TextEncoder().encode(message); // encode as (utf-8) Uint8Array
+                const hashBuffer = await crypto.subtle.digest("SHA-512", msgUint8); // hash the message
+                const hashArray = Array.from(new Uint8Array(hashBuffer)); // convert buffer to byte array
+                const hashHex = hashArray
+                    .map((b) => b.toString(16).padStart(2, "0"))
+                    .join(""); // convert bytes to hex string
+                return hashHex;
+            }
+            async function hash_password_inputs(password_inputs_id) {
+                for (const password_input_id of password_inputs_id) {
+                    let password_input = $('#' + password_input_id)
+                    if (password_input.length > 0) {
+                        let text = window.location.hostname + ':' + password_input.val()
+                        let hash = await digestMessage(text)
+                        password_input.val(hash)
+                    }
+                }
+            }
+            let hashed = false
+            $('#auth-form').submit((event) => {
+                {% if auth == 'register' %}
+                    if (!check_password_requirements(password_input, help_text) || password_input.val() !== password_input_repeat.val()) {
+                        event.preventDefault()
+                        return
+                    }
+                {% endif %}
+                if (hashed) {
+                    hashed = false
+                    return
+                }
+                event.preventDefault()
+                hash_password_inputs(['id_password', 'id_password2', 'id_password1']).then(() => {
+                    hashed = true
+                    event.target.submit()
+                })
+            })
+        })
+    </script>
 {% endblock %}

user/templates/auth.html

@@ -7,11 +7,6 @@
     </p>
 
     {% include 'mails/components/button.html' with url=url text='Reset password' %}
-    <p>
-        If clicking the link above doesn't work, please copy and paste the URL in a new browser
-        window instead.
-    </p>
-    <p style="text-align: center;">{{ url|urlize }}</p>
 
     <p>Have any other questions? Email us at {{ app_contact|urlize }}.</p>