Hugging Face's logo

Spaces:
Piyush1225
/
auth
Running

App Files Community
auth / adaptiveauth /core /security.py
Prasannata's picture
Prasannata
first commit
7d369c8
raw
history blame contribute delete
6.34 kB
 """
AdaptiveAuth Core - Security Module
Password hashing, JWT management, and cryptographic utilities.
"""
from datetime import datetime, timedelta
from typing import Optional, Dict, Any, Union
from jose import JWTError, jwt
import bcrypt
import secrets
import hashlib
from ..config import get_settings
# ======================== PASSWORD HASHING ========================
def hash_password(password: str) -> str:
"""Hash a password using bcrypt."""
# Bcrypt has a 72 byte limit, truncate if necessary
password_bytes = password.encode('utf-8')
if len(password_bytes) > 72:
password_bytes = password_bytes[:72]
salt = bcrypt.gensalt()
return bcrypt.hashpw(password_bytes, salt).decode('utf-8')
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""Verify a password against its hash."""
try:
# Bcrypt has a 72 byte limit, truncate if necessary
password_bytes = plain_password.encode('utf-8')
if len(password_bytes) > 72:
password_bytes = password_bytes[:72]
return bcrypt.checkpw(password_bytes, hashed_password.encode('utf-8'))
except Exception:
return False
def validate_password_strength(password: str) -> Dict[str, Any]:
"""Validate password meets security requirements."""
settings = get_settings()
errors = []
if len(password) < settings.MIN_PASSWORD_LENGTH:
errors.append(f"Password must be at least {settings.MIN_PASSWORD_LENGTH} characters")
if settings.REQUIRE_UPPERCASE and not any(c.isupper() for c in password):
errors.append("Password must contain at least one uppercase letter")
if settings.REQUIRE_LOWERCASE and not any(c.islower() for c in password):
errors.append("Password must contain at least one lowercase letter")
if settings.REQUIRE_DIGIT and not any(c.isdigit() for c in password):
errors.append("Password must contain at least one digit")
if settings.REQUIRE_SPECIAL and not any(c in "!@#$%^&*()_+-=[]{}|;:,.<>?" for c in password):
errors.append("Password must contain at least one special character")
return {
"valid": len(errors) == 0,
"errors": errors
}
# ======================== JWT MANAGEMENT ========================
def create_access_token(
subject: Union[str, int],
expires_delta: Optional[timedelta] = None,
extra_claims: Optional[Dict[str, Any]] = None
) -> str:
"""Create JWT access token."""
settings = get_settings()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
to_encode = {
"sub": str(subject),
"exp": expire,
"iat": datetime.utcnow(),
"type": "access"
}
if extra_claims:
to_encode.update(extra_claims)
encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
return encoded_jwt
def create_refresh_token(
subject: Union[str, int],
expires_delta: Optional[timedelta] = None
) -> str:
"""Create JWT refresh token."""
settings = get_settings()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
to_encode = {
"sub": str(subject),
"exp": expire,
"iat": datetime.utcnow(),
"type": "refresh",
"jti": generate_token(32) # Unique token ID
}
encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
return encoded_jwt
def decode_token(token: str) -> Optional[Dict[str, Any]]:
"""Decode and validate JWT token."""
settings = get_settings()
try:
payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
return payload
except JWTError:
return None
def verify_token(token: str, token_type: str = "access") -> Optional[str]:
"""Verify token and return subject if valid."""
payload = decode_token(token)
if payload is None:
return None
if payload.get("type") != token_type:
return None
return payload.get("sub")
def get_token_expiry(token: str) -> Optional[datetime]:
"""Get token expiration time."""
payload = decode_token(token)
if payload is None:
return None
exp = payload.get("exp")
if exp:
return datetime.fromtimestamp(exp)
return None
# ======================== TOKEN GENERATION ========================
def generate_token(length: int = 32) -> str:
"""Generate a secure random token."""
return secrets.token_urlsafe(length)
def generate_session_token() -> str:
"""Generate a unique session token."""
return secrets.token_urlsafe(48)
def generate_reset_code() -> str:
"""Generate password reset code."""
return secrets.token_urlsafe(32)
def generate_verification_code(length: int = 6) -> str:
"""Generate numeric verification code."""
return ''.join([str(secrets.randbelow(10)) for _ in range(length)])
# ======================== DEVICE FINGERPRINTING ========================
def generate_device_fingerprint(
user_agent: str,
ip_address: str,
extra_data: Optional[Dict[str, str]] = None
) -> str:
"""Generate a device fingerprint from request data."""
data_parts = [user_agent, ip_address]
if extra_data:
for key in sorted(extra_data.keys()):
data_parts.append(f"{key}:{extra_data[key]}")
fingerprint_data = "|".join(data_parts)
return hashlib.sha256(fingerprint_data.encode()).hexdigest()[:32]
def generate_browser_hash(user_agent: str) -> str:
"""Generate a hash for browser identification."""
return hashlib.md5(user_agent.encode()).hexdigest()[:16]
# ======================== ENCRYPTION UTILITIES ========================
def hash_token(token: str) -> str:
"""Hash a token for storage (e.g., refresh tokens)."""
return hashlib.sha256(token.encode()).hexdigest()
def constant_time_compare(val1: str, val2: str) -> bool:
"""Compare two strings in constant time to prevent timing attacks."""
return secrets.compare_digest(val1, val2)