authnzerver.actions.user module

This contains functions to drive user account related auth actions.

authnzerver.actions.user.change_user_password(payload, override_authdb_path=None, raiseonfail=False, min_pass_length=12, max_similarity=30)[source]

Changes the user’s password.

Parameters:
  • payload (dict) –

    This is a dict with the following required keys:

    • user_id: int
    • session_token: str
    • full_name: str
    • email: str
    • current_password: str
    • new_password: str

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • min_pass_length (int) – The minimum required character length of the password.
  • max_similarity (int) – The maximum UQRatio required to fuzzy-match the input password against the server’s domain name, the user’s email, or their name.
Returns:

Returns a dict with the user’s user_id and email as keys if successful.
Return type:

dict

Notes

This logs out the user from all of their other sessions.

authnzerver.actions.user.create_new_user(payload, min_pass_length=12, max_similarity=30, override_authdb_path=None, raiseonfail=False)[source]

Makes a new user.

Parameters:
  • payload (dict) –

    This is a dict with the following required keys:

    • full_name: str
    • email: str
    • password: str

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • min_pass_length (int) – The minimum required character length of the password.
  • max_similarity (int) – The maximum UQRatio required to fuzzy-match the input password against the server’s domain name, the user’s email, or their name.
Returns:

Returns a dict with the user’s user_id and user_email, and a boolean for send_verification.
Return type:

dict

Notes

The emailverify_sent_datetime is set to the current time. The initial account’s is_active is set to False and user_role is set to ‘locked’.

The email verification token sent by the frontend expires in 2 hours. If the user doesn’t get to it by then, they’ll have to wait at least 24 hours until another one can be sent.

If the email address already exists in the database, then either the user has forgotten that they have an account or someone else is being annoying. In this case, if is_active is True, we’ll tell the user that we’ve sent an email but won’t do anything. If is_active is False and emailverify_sent_datetime is at least 24 hours in the past, we’ll send a new email verification email and update the emailverify_sent_datetime. In this case, we’ll just tell the user that we’ve sent the email but won’t tell them if their account exists.

Only after the user verifies their email, is_active will be set to True and user_role will be set to ‘authenticated’.

authnzerver.actions.user.delete_user(payload, raiseonfail=False, override_authdb_path=None)[source]

Deletes a user.

This can only be called by the user themselves or the superuser.

This will also immediately invalidate all sessions corresponding to the target user.

Superuser accounts cannot be deleted.

Parameters:
  • payload (dict) –

    This is a dict with the following required keys:

    • email: str
    • user_id: int
    • password: str

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
Returns:

Returns a dict containing a success key indicating if the user was deleted.
Return type:

dict
authnzerver.actions.user.validate_input_password(full_name, email, password, pii_salt, min_length=12, max_match_threshold=20)[source]

Validates user input passwords.

  1. must be at least min_length characters (we’ll truncate the password at 1024 characters since we don’t want to store entire novels)
  2. must not match within max_match_threshold of their email or full_name
  3. must not match within max_match_threshold of the site’s FQDN
  4. must not have a single case-folded character take up more than 20% of the length of the password
  5. must not be completely numeric
  6. must not be in the top 10k passwords list
Parameters:
  • full_name (str) – The full name of the user creating the account.
  • email (str) – The email address of the user creating the account.
  • password (str) – The password of the user creating the account.
  • pii_salt (str) – The PII salt value passed in from a wrapping function. Used to censor personally identifying information in the logs emitted from this function.
  • min_length (int) – The minimum required character length of the password.
  • max_match_threshold (int) – The maximum UQRatio required to fuzzy-match the input password against the server’s domain name, the user’s email, or their name.
Returns:

Returns True if the password is OK to use and meets all specification. False otherwise.
Return type:

bool
authnzerver.actions.user.verify_password_reset(payload, raiseonfail=False, override_authdb_path=None, min_pass_length=12, max_similarity=30)[source]

Verifies a password reset request.

Parameters:
  • payload (dict) –

    This is a dict with the following required keys:

    • email_address: str
    • new_password: str
    • session_token: str

    In addition to these items received from an authnzerver client, the payload must also include the following keys (usually added in by a wrapping function):

    • reqid: int or str
    • pii_salt: str
  • raiseonfail (bool) – If True, will raise an Exception if something goes wrong.
  • override_authdb_path (str or None) – If given as a str, is the alternative path to the auth DB.
  • min_pass_length (int) – The minimum required character length of the password.
  • max_similarity (int) – The maximum UQRatio required to fuzzy-match the input password against the server’s domain name, the user’s email, or their name.
Returns:

Returns a dict containing a success key indicating if the user’s password was reset.
Return type:

dict