Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Auth module for Django/DRF projects. Part of GarpixCMS.
Used packages:
Install with pip:
pip install garpix_user
Add the garpix_user
to your INSTALLED_APPS
:
# settings.py
# ...
INSTALLED_APPS = [
# ...
'garpix_user',
]
and to migration modules:
# settings.py
# ...
MIGRATION_MODULES = {
'garpix_user': 'app.migrations.garpix_user',
}
Add to urls.py
:
from garpix_user.views import LogoutView, LoginView
# ...
urlpatterns = [
# ...
# garpix_user
path('', include(('garpix_user.urls', 'user'), namespace='garpix_user')),
path('logout/', LogoutView.as_view(url='/'), name="logout"),
path('login/', LoginView.as_view(template_name="accounts/login.html"), name="authorize"),
]
Use GarpixUser
from garpix_user.models
as base for your user model class:
# user.models.user.py
from garpix_user.models import GarpixUser
class User(GarpixUser):
class Meta:
verbose_name = 'Пользователь'
verbose_name_plural = 'Пользователи'
def __str__(self):
return self.username
Use UserAdmin
from garpix_user.admin
as base for your user admin class:
from django.contrib import admin
from garpix_user.admin import UserAdmin
from user.models import User
@admin.register(User)
class UserAdmin(UserAdmin):
pass
For custom auth with phone and/or email use this in settings.py
:
# ...
AUTHENTICATION_BACKENDS = (
# Django
'garpix_user.utils.backends.CustomAuthenticationBackend'
)
and USERNAME_FIELDS
to your User
model:
# user.models.user.py
from garpix_user.models import GarpixUser
class User(GarpixUser):
USERNAME_FIELDS = ('email', ) # default is username
class Meta:
verbose_name = 'Пользователь'
verbose_name_plural = 'Пользователи'
def __str__(self):
return self.username
Import settings from garpix_user
:
# settings.py
from garpix_user.settings import *
Add this for SPA:
# ...
INSTALLED_APPS += [
# ...
'rest_framework',
'rest_framework.authtoken',
'oauth2_provider',
'social_django',
'rest_framework_social_oauth2',
# ...
]
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': {
'garpix_user.rest.authentication.MainAuthentication',
'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
'rest_framework_social_oauth2.authentication.SocialAuthentication',
}
}
You can use JWT token. To do it set REST_AUTH_TOKEN_JWT
settings to True. You also need to
set JWT_SECRET_KEY
, JWT_SERIALIZER
settings:
# settings.py
# ...
GARPIX_USER = {
'REST_AUTH_TOKEN_JWT': True,
'JWT_SECRET_KEY': env('JWT_SECRET_KEY'), # secret code to validate JWT token
'JWT_SERIALIZER': 'garpix_user.serializers.JWTDataSerializer'
}
# Hint: see all available settings in the end of this document.
You can override the Bearer authorization header by REST_AUTH_HEADER_KEY
setting.
And also allow this custom header for cors-headers:
# settings.py
# ...
from corsheaders.defaults import default_headers
GARPIX_USER = {
'REST_AUTH_HEADER_KEY': 'HTTP_BEARER_AUTHORIZATION'
}
# Hint: see all available settings in the end of this document.
CORS_ALLOW_HEADERS = list(default_headers) + [
"Bearer-Authorization",
]
Now you need to add Bearer-Authorization
header instead of Authorization
header with your Bearer token to all
requests.
garpix_user
adds default registration for with phone
and/or email
and password
fields. To add fields to this form override RegistrationSerializer
and add it to settings
:
# settings.py
GARPIX_USER = {
# registration
'REGISTRATION_SERIALIZER': 'app.serializers.RegistrationCustSerializer'
}
# Hint: see all available settings in the end of this document.
# app.serializers.py
from django.contrib.auth import get_user_model
from rest_framework import serializers
from garpix_user.serializers import RegistrationSerializer
User = get_user_model()
class RegistrationCustSerializer(RegistrationSerializer):
extra_field = serializers.CharField(write_only=True)
class Meta(RegistrationSerializer.Meta):
model = User
fields = RegistrationSerializer.Meta.fields + ('extra_field',)
You also can add password security settings:
# settings.py
GARPIX_USER = {
# registration
'MIN_LENGTH_PASSWORD': 8,
'MIN_DIGITS_PASSWORD': 2,
'MIN_CHARS_PASSWORD': 2,
'MIN_UPPERCASE_PASSWORD': 1,
}
# Hint: see all available settings in the end of this document.
To use email and phone confirmation or (and) restore password functionality add the garpix_notify
to your INSTALLED_APPS
:
# settings.py
# ...
INSTALLED_APPS = [
# ...
'garpix_notify',
]
and to migration modules:
# settings.py
MIGRATION_MODULES = {
'garpix_notify': 'app.migrations.garpix_notify',
}
Add corresponding settings:
# settings.py
GARPIX_USER = {
'USE_EMAIL_CONFIRMATION': True,
'USE_PHONE_CONFIRMATION': True,
'USE_EMAIL_RESTORE_PASSWORD': True,
'USE_PHONE_RESTORE_PASSWORD': True,
}
# Hint: see all available settings in the end of this document.
You also need to add notify events:
# settings.py
NOTIFY_EVENTS.update(GARPIX_USER_NOTIFY_EVENTS)
You can specify email and phone code length, lifetime, confirmation lifetime and time delay before next attempt:
#settings.py
GARPIX_USER = {
'CONFIRM_PHONE_CODE_LENGTH': 6,
'CONFIRM_EMAIL_CODE_LENGTH': 6,
'TIME_LAST_REQUEST': 1,
'CONFIRM_PHONE_CODE_LIFE_TIME': 5, # in minutes
'CONFIRM_EMAIL_CODE_LIFE_TIME': 2,
'CONFIRM_EMAIL_CODE_LIFE_TIME_TYPE': 'days', # available types are: ['days', 'minutes'], default is 'days'
'PHONE_CONFIRMATION_LIFE_TIME': 2, # in days
'EMAIL_CONFIRMATION_LIFE_TIME': 2, # in days
}
# Hint: see all available settings in the end of this document.
Notice: the minimum and maximum values for CONFIRM_CODE_LENGTH
are 4 and 255. These values will be hard used in case your settings are not in this interval.
If you need to use pre-registration email or phone confirmation, you need to set corresponding variables to True:
# settings.py
GARPIX_USER = {
'USE_PREREGISTRATION_EMAIL_CONFIRMATION': True,
'USE_PREREGISTRATION_PHONE_CONFIRMATION': True,
}
# Hint: see all available settings in the end of this document.
If you need to use email confirmation by link, you need to set corresponding variable:
# settings.py
GARPIX_USER = {
'USE_EMAIL_LINK_CONFIRMATION': True
}
# Hint: see all available settings in the end of this document.
You can also override confirm_link_redirect_url
method of User
model to form confirmation link as you need.
By default, users with unconfirmed email/phone number will be deleted in 10 days. You can set up it using CONFIRMATION_DELAY
:
# settings.py
GARPIX_USER = {
# ...
'CONFIRMATION_DELAY': 10, # in days
}
# Hint: see all available settings in the end of this document.
You can also use referral links in your project with garpix_user. To add this functionality, just add the corresponding settings:
# settings.py
GARPIX_USER = {
'USE_REFERRAL_LINKS': True,
'REFERRAL_REDIRECT_URL': '/', # link to the page user needs to see
}
# Hint: see all available settings in the end of this document.
Using garpix_user
you can also store info about unregistered user sessions. The package already consists of model and views for it.
To create the unregistered user send POST
request to {API_URL}/user_session/create_user_session/
The request returns UserSession
object with token_number
field. You need to send this token number in each request passing in to header as user-session-token
.
By default, on log in current user session instance will be dropped, if system has registered
user session instance for authorized user. You can override set_user_session
method of User
model to add custom logic.
# settings.py
GARPIX_USER = {
# base settings
'USE_REFERRAL_LINKS': False,
'REFERRAL_REDIRECT_URL': '/',
# email/phone confirmation
'USE_EMAIL_CONFIRMATION': True,
'USE_PHONE_CONFIRMATION': True,
'USE_PREREGISTRATION_EMAIL_CONFIRMATION': True,
'USE_PREREGISTRATION_PHONE_CONFIRMATION': True,
'USE_EMAIL_LINK_CONFIRMATION': True,
'CONFIRM_PHONE_CODE_LENGTH': 6,
'CONFIRM_EMAIL_CODE_LENGTH': 6,
'TIME_LAST_REQUEST': 1,
'CONFIRM_PHONE_CODE_LIFE_TIME': 5, # in minutes
'CONFIRM_EMAIL_CODE_LIFE_TIME': 2,
'CONFIRM_EMAIL_CODE_LIFE_TIME_TYPE': 'days',
'PHONE_CONFIRMATION_LIFE_TIME': 2, # in days
'EMAIL_CONFIRMATION_LIFE_TIME': 2, # in days
'CONFIRMATION_DELAY': 10, # in days
# restore password
'USE_RESTORE_PASSWORD': True,
# registration
'USE_REGISTRATION': True,
'REGISTRATION_SERIALIZER': 'app.serializers.RegistrationCustSerializer',
'MIN_LENGTH_PASSWORD': 8,
'MIN_DIGITS_PASSWORD': 2,
'MIN_CHARS_PASSWORD': 2,
'MIN_UPPERCASE_PASSWORD': 1,
# authorization
'REST_AUTH_HEADER_KEY': 'HTTP_AUTHORIZATION',
'REST_AUTH_TOKEN_JWT': False,
'JWT_SERIALIZER': 'garpix_user.serializers.JWTDataSerializer',
# response messages
'WAIT_RESPONSE': 'Не прошло 1 мин с момента предыдущего запроса',
'USER_REGISTERED_RESPONSE': 'Пользователь с таким {field} уже зарегистрирован', # as 'field' will be used email/phone according to the request
'INCORRECT_CODE_RESPONSE': 'Некорретный код',
'NO_TIME_LEFT_RESPONSE': 'Код недействителен. Запросите повторно',
'NOT_AUTHENTICATED_RESPONSE': 'Учетные данные не были предоставлены'
}
See garpix_user/tests/test_api/*.py
for examples.
See CHANGELOG.md.
See CONTRIBUTING.md.
Developed by Garpix / https://garpix.com
FAQs
Unknown package
We found that garpix-user demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.