mirror/AdventureLog
1
0
Fork 0
mirror of https://github.com/seanmorley15/AdventureLog.git synced 2026-05-09 07:25:01 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe127b5097efcd11b2541cfdc799eab97833cba6
AdventureLog/backend/server/users/models.py

123 lines
4.3 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
import hashlib
import secrets
import uuid
from django.conf import settings
from django.contrib.auth.models import AbstractUser
from django.db import models
from django_resized import ResizedImageField
CURRENCY_CHOICES = (
('USD', 'US Dollar'),
('EUR', 'Euro'),
('GBP', 'British Pound'),
('JPY', 'Japanese Yen'),
('AUD', 'Australian Dollar'),
('CAD', 'Canadian Dollar'),
('CHF', 'Swiss Franc'),
('CNY', 'Chinese Yuan'),
('HKD', 'Hong Kong Dollar'),
('SGD', 'Singapore Dollar'),
('SEK', 'Swedish Krona'),
('NOK', 'Norwegian Krone'),
('DKK', 'Danish Krone'),
('NZD', 'New Zealand Dollar'),
('INR', 'Indian Rupee'),
('MXN', 'Mexican Peso'),
('BRL', 'Brazilian Real'),
('ZAR', 'South African Rand'),
('AED', 'UAE Dirham'),
('TRY', 'Turkish Lira'),
)
class CustomUser(AbstractUser):
email = models.EmailField(unique=True) # Override the email field with unique constraint
profile_pic = ResizedImageField(force_format="WEBP", quality=75, null=True, blank=True, upload_to='profile-pics/')
uuid = models.UUIDField(default=uuid.uuid4, editable=False, unique=True)
public_profile = models.BooleanField(default=False)
disable_password = models.BooleanField(default=False)
measurement_system = models.CharField(max_length=10, choices=[('metric', 'Metric'), ('imperial', 'Imperial')], default='metric')
default_currency = models.CharField(max_length=5, choices=CURRENCY_CHOICES, default='USD')
def __str__(self):
return self.username
class APIKey(models.Model):
"""
Personal API keys for authenticating programmatic access.
Security design:
- A 32-byte cryptographically random token is generated with the prefix ``al_``.
- Only a PBKDF2-HMAC-SHA256 derived hash of the full token is persisted;
the plaintext is returned exactly once at creation time and never stored.
- The first 12 characters of the token are kept as ``key_prefix`` so users can
identify their keys without revealing the secret.
"""
_KEY_HASH_ITERATIONS = 600000
_KEY_HASH_SALT_NAMESPACE = "users.APIKey"
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
user = models.ForeignKey(
CustomUser, on_delete=models.CASCADE, related_name='api_keys'
)
name = models.CharField(max_length=100)
key_prefix = models.CharField(max_length=12, editable=False)
key_hash = models.CharField(max_length=64, unique=True, editable=False)
created_at = models.DateTimeField(auto_now_add=True)
last_used_at = models.DateTimeField(null=True, blank=True)
class Meta:
ordering = ['-created_at']
def __str__(self):
return f"{self.user.username} {self.name} ({self.key_prefix}…)"
@classmethod
def _hash_raw_key(cls, raw_key: str) -> str:
"""Derive a computationally expensive hash for API key persistence."""
salt = f"{cls._KEY_HASH_SALT_NAMESPACE}:{settings.SECRET_KEY}".encode("utf-8")
return hashlib.pbkdf2_hmac(
"sha256",
raw_key.encode("utf-8"),
salt,
cls._KEY_HASH_ITERATIONS,
).hex()
@classmethod
def generate(cls, user, name: str) -> tuple['APIKey', str]:
"""
Create a new APIKey for *user* with the given *name*.
Returns a ``(instance, raw_key)`` tuple. The raw key is shown to the
user once and must never be stored anywhere after that.
"""
raw_key = f"al_{secrets.token_urlsafe(32)}"
key_hash = cls._hash_raw_key(raw_key)
key_prefix = raw_key[:12]
instance = cls.objects.create(
user=user,
name=name,
key_prefix=key_prefix,
key_hash=key_hash,
)
return instance, raw_key
@classmethod
def authenticate(cls, raw_key: str):
"""
Look up an APIKey by its raw value.
Returns the matching ``APIKey`` instance (updating ``last_used_at``) or
``None`` if not found.
"""
key_hash = cls._hash_raw_key(raw_key)
try:
api_key = cls.objects.select_related('user').get(key_hash=key_hash)
except cls.DoesNotExist:
return None
from django.utils import timezone
cls.objects.filter(pk=api_key.pk).update(last_used_at=timezone.now())
return api_key
Reference in New Issue View Git Blame Copy Permalink