Add support for session based login

.env.example

@@ -90,3 +90,10 @@ AWS_SECRET_ACCESS_KEY=
 ENABLE_DEFENDER=
 # Defender Redis url. Required if Defender is enabled. Same as cache url format
 DEFENDER_REDIS_URL=
+# set session cookie domain. Default is None which is same as current api domain.
+# Setting this variable enable two extra API for login and logout for non staff user
+SESSION_COOKIE_DOMAIN=
+# Age for session cookie. Default is 2 weeks
+SESSION_COOKIE_AGE=
+# Name of session cookie. Default is sessionid
+SESSION_COOKIE_NAME=

.github/workflows/codeql-analysis.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Install Poetry
         uses: snok/install-poetry@v1.3.1
         with:
-          version: 1.2.1
+          version: 1.3.0
           virtualenvs-create: true
           virtualenvs-in-project: true
       - name: Setup cache

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Install Poetry
         uses: snok/install-poetry@v1.3.1
         with:
-          version: 1.2.1
+          version: 1.3.0
           virtualenvs-create: true
           virtualenvs-in-project: true
       - name: Setup cache

.github/workflows/test.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
-      - uses: iamsauravsharma/create-dotenv@v1.2.1
+      - uses: iamsauravsharma/create-dotenv@v1.2.2
         with:
           env-prefix: 'ENV_'
         env:

Dockerfile

@@ -32,7 +32,7 @@ ENV PYTHONUNBUFFERED=1 \
     PIP_NO_CACHE_DIR=off \
     PIP_DISABLE_PIP_VERSION_CHECK=on \
     PIP_DEFAULT_TIMEOUT=100 \
-    POETRY_VERSION=1.2.1 \
+    POETRY_VERSION=1.3.0 \
     POETRY_HOME="/opt/poetry" \
     POETRY_VIRTUALENVS_IN_PROJECT=true \
     POETRY_NO_INTERACTION=1

neatplus/authentication.py

@@ -2,15 +2,15 @@
 from defender import utils as defender_utils
 from django.utils.translation import gettext_lazy as _
 from rest_framework import exceptions
+from rest_framework.authentication import SessionAuthentication
 from rest_framework_simplejwt.authentication import JWTAuthentication
 
 
 class JWTAuthenticationDefender(JWTAuthentication):
     def authenticate(self, request):
         response = super().authenticate(request)
         if response is None:
-            msg = _("Unable to log in with provided credentials.")
-            raise exceptions.AuthenticationFailed(msg)
+            return None
 
         block_detail_message = _(
             "You have attempted to login {failure_limit} times with no success. Wait {cooloff_time_seconds} seconds to re login"
@@ -37,3 +37,8 @@ def authenticate(self, request):
             return response
         else:
             raise block_exception
+
+
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    def enforce_csrf(self, request):
+        pass

neatplus/settings.py

@@ -385,7 +385,7 @@
     ] = "neatplus.serializers.TokenObtainPairDefenderSerializer"
 
 # CORS settings
-CORS_URLS_REGEX = r"^(/api/).*$"
+CORS_URLS_REGEX = r"^/api/.*$"
 CORS_ALLOWED_ORIGIN_REGEXES = env.list(
     "CORS_ALLOWED_ORIGIN_REGEXES", default=[], subcast=str
 )
@@ -631,3 +631,14 @@
     DEFENDER_COOLOFF_TIME = 60 * 60  # seconds
     DEFENDER_REDIS_URL = env.str("DEFENDER_REDIS_URL")
     DEFENDER_USE_CELERY = ENABLE_CELERY
+
+# Session cookie domain
+SESSION_COOKIE_DOMAIN = env.str("SESSION_COOKIE_DOMAIN", default=None)
+SESSION_COOKIE_AGE = env.int("SESSION_COOKIE_AGE", default=2 * 7 * 24 * 60 * 60)
+SESSION_COOKIE_NAME = env.str("SESSION_COOKIE_NAME", default="sessionid")
+CSRF_COOKIE_DOMAIN = SESSION_COOKIE_DOMAIN
+CSRF_TRUSTED_ORIGINS = [SESSION_COOKIE_DOMAIN]
+
+if SESSION_COOKIE_DOMAIN:
+    CORS_ALLOW_CREDENTIALS = True
+    CSRF_USE_SESSIONS = SESSION_COOKIE_DOMAIN

pyproject.toml

@@ -23,14 +23,14 @@ python = "^3.10"
 Django = "^3.2.15"
 environs = { version = "^9.5.0", extras = ["django"] }
 marshmallow = "^3.17.0"
-uvicorn = { version = "^0.18.2", extras = ["standard"], optional = true }
+uvicorn = { version = "^0.20.0", extras = ["standard"], optional = true }
 gunicorn = { version = "^20.1.0", optional = true }
 psycopg2-binary = "^2.9.3"
 djangorestframework = "^3.13.1"
 django-filter = "^22.1"
 djangorestframework-simplejwt = "^5.2.0"
 djangorestframework-camel-case = "^1.3.0"
-django-admin-interface = "^0.19.1"
+django-admin-interface = "^0.24.2"
 django-otp = "^1.1.3"
 qrcode = "^7.3.1"
 django-cors-headers = "^3.13.0"
@@ -40,14 +40,14 @@ sentry-sdk = "^1.7.0"
 celery = { version = "^5.2.7", extras = ["redis"] }
 django-modeltranslation = "^0.18.2"
 django-ordered-model = "^3.6"
-drf-spectacular = "^0.22.1"
+drf-spectacular = "^0.25.1"
 Pillow = "^9.2.0"
 django-ckeditor = "^6.4.2"
 djangorestframework-gis = "^1.0"
 django-admin-autocomplete-filter = "^0.7.1"
 drf-recaptcha = "^2.0.7"
 PyYAML = "^6.0"
-django-mptt = "^0.13.4"
+django-mptt = "^0.14.0"
 django-oauth-toolkit = "^2.1.0"
 watchtower = "^3.0.0"
 django-defender = "^0.9.5"
@@ -58,7 +58,7 @@ isort = "^5.10.1"
 safety = "^2.0.0"
 pre-commit = "^2.20.0"
 django-extensions = "^3.2.0"
-Werkzeug = "^2.0.3, <2.1.0"
+Werkzeug = "^2.0.3"
 model-bakery = "^1.6.0"
 
 [tool.poetry.extras]

user/serializers.py

@@ -156,3 +156,8 @@ def validate(self, attrs):
 
 class UploadImageSerializer(serializers.Serializer):
     file = serializers.ImageField()
+
+
+class SessionLoginSerializer(serializers.Serializer):
+    username = serializers.CharField()
+    password = serializers.CharField()

user/views.py

@@ -1,5 +1,8 @@
 import os
 
+from django.contrib.auth import authenticate as django_authenticate
+from django.contrib.auth import login as auth_login
+from django.contrib.auth import logout as auth_logout
 from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
@@ -12,6 +15,7 @@
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
+from neatplus.authentication import CsrfExemptSessionAuthentication
 from neatplus.utils import gen_random_number, gen_random_string
 from support.models import EmailTemplate
 
@@ -24,6 +28,7 @@
     PasswordResetPasswordChangeSerializer,
     PinVerifySerializer,
     PrivateUserSerializer,
+    SessionLoginSerializer,
     UploadImageSerializer,
     UserNameSerializer,
     UserSerializer,
@@ -680,3 +685,54 @@ def upload_image(self, request, *args, **kwargs):
         url = request.build_absolute_uri(default_storage.url(saved_file))
         data = {"name": saved_file, "url": url}
         return Response(data)
+
+    @extend_schema(responses={status.HTTP_204_NO_CONTENT, serializers.Serializer})
+    @action(
+        methods=["post"],
+        detail=False,
+        serializer_class=SessionLoginSerializer,
+        permission_classes=[permissions.AllowAny],
+    )
+    def login(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+        user = django_authenticate(request, **serializer.validated_data)
+        if user is None:
+            return Response(
+                {"error": _("Invalid authentication")},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        if user.is_staff:
+            return Response(
+                {"error": _("Invalid login for staff use django admin login")},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        auth_login(request, user)
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
+    @extend_schema(responses={status.HTTP_204_NO_CONTENT, serializers.Serializer})
+    @action(
+        methods=["post"],
+        detail=False,
+        serializer_class=serializers.Serializer,
+        authentication_classes=[CsrfExemptSessionAuthentication],
+    )
+    def logout(self, request, *args, **kwargs):
+        auth_logout(request)
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
+    @extend_schema(
+        responses=inline_serializer(
+            name="IsAuthenticatedResponseSerializer",
+            fields={"is_authenticated": serializers.BooleanField()},
+        )
+    )
+    @action(
+        methods=["get"],
+        detail=False,
+        serializer_class=serializers.Serializer,
+        permission_classes=[permissions.AllowAny],
+    )
+    def is_authenticated(self, request, *args, **kwargs):
+        return Response({"is_authenticated": self.request.user.is_authenticated})