payton / django-siwe-auth Goto Github PK

Currently, GroupManager implementations require the is_member function to accept a string (ethereum_address) as input. This should be replaced with the Wallet user model.

This change will allow users to use the user_passes_test decorator and related mixin. Additionally, users will be able to implement GroupManager instances to take advantage of all core user model attributes along with any project-specific models that are one-to-one with users.

ethereum/web3.py does not yet support the get_text function for ENS.

Pending ethereum/web3.py#2286

Hiya, I don't know much about Django, but I think instead of managing nonces explicitly, they could be incorporated in sessions.

Write unit tests for...

1. nonce_is_valid function

   django-siwe-auth/siwe_auth/backend.py

   Lines 28 to 39 in 12c6d95

   	def _nonce_is_valid(nonce: str) -> bool:
   	"""
   	Check if given nonce exists and has not yet expired.
   	:param nonce: The nonce string to validate.
   	:return: True if valid else False.
   	"""
   	n = Nonce.objects.get(value=nonce)
   	is_valid = False
   	if n is not None and n.expiration > datetime.datetime.now(tz=pytz.UTC):
   	is_valid = True
   	n.delete()
   	return is_valid

2. Nonce model itself

   django-siwe-auth/siwe_auth/models.py

   Lines 74 to 79 in 12c6d95

   	class Nonce(models.Model):
   	value = models.CharField(max_length=24, primary_key=True)
   	expiration = models.DateTimeField()
   	def __str__(self):
   	return self.value

3. Nonce scrubbing logic (with freezegun?)

   django-siwe-auth/siwe_auth/views.py

   Lines 53 to 68 in 12c6d95

   	@ratelimit(key='ip', rate='5/m')
   	@require_http_methods(["GET"])
   	def nonce(request):
   	now = datetime.now(tz=pytz.UTC)
   	_scrub_nonce()
   	n = Nonce(value=secrets.token_hex(12), expiration=now + timedelta(hours=12))
   	n.save()
   	return JsonResponse({"nonce": n.value})
   	def _scrub_nonce():
   	# Delete all expired nonce's
   	for n in Nonce.objects.filter(expiration__lte=datetime.now(tz=pytz.UTC)):
   	n.delete()

This should redirect to the configured login endpoint, which is set at settings.LOGIN_URL.

I noticed that when running yarn dev in examples/notepad/frontend it doesn't run, because the ../siwe directory is missing. I also noticed that siwe isn't added to packages.

Is this intentional? I was guessing that you have a local copy of siwe in examples/notepad/siwe.

The title says it all.

Currently, the GroupManager has implementations that go "one layer deep".

• GroupManager
  • ERC20OwnerManager
  • ERC721OwnerManager
  • ERC1155OwnerManager

These OwnerManager implementations do the following:

1. Call a contract function
2. Return true if result is greater than zero

I'd like to build out a second layer that instead takes a lambda as input to generalize step 2. This would then make the hierarchy look something like this:

• GroupManager
  • ERC20Manager
    • ERC20OwnerManager (> 0)
    • ERC20NewcomerManager (< 10)
  • ERC721Manager
    • ERC721OwnerManager (> 0)
    • ERC721WhaleManager (> 20)
  • ERC1155Manager
    • ERC1155OwnerManager (> 0)

This expression layer won't be advertised. It will allow new users to void any complexities by using the leaf layer while supporting experienced users who want to use all features this app provides.

IPFS is slow. Cloudflare is fast(er). https://developers.cloudflare.com/web3/ipfs-gateway/reference/updating-for-ipfs/

Excuse me, after the authentication is switched to django-siwe-auth, what should I do for the django admin login?

Add configurable rate limiting on authentication endpoints to deter bad actors.

Django Ratelimit seems to be a good OOTB solution: https://django-ratelimit.readthedocs.io/en/stable/

Create a second example application with much simpler implementation.

This should just be a login screen and success screen.

In order to minimize the lift for new users to adopt the project, move documentation over to an external vendor.

Options:

• https://readthedocs.org/
• https://readme.com/
• https://www.gitbook.com/
• GitHub Wiki

When I'm logged in as a non-admin account, I get the message:

However, the non-admin user doesn't have the option to logout. (I had to manually delete the sessionid cookie in my browser.)

So, we should add the ability to log out on the admin page. I'm surprised that it didn't come along with the login.html form we modified?

So, in other django plugins the migrations are generated and included in the source code.

such as:
https://github.com/django/django/tree/main/django/contrib/auth/migrations

Not having it means that when I deploy, I need to run ./manage.py makemigrations and then ./manage.py migrate. The migration files I make in makemigrations are also transient, since they're just for an installed dependency.

Currently, the Django admin login page defaults to password authentication. This is no longer plausible for key-pair authentication.

Issue identified in #15

Refactor existing time-based tests with FreezeGun for more consistent testing: https://github.com/spulec/freezegun

In an ideal world, we no longer store passwords on the server side.

However, Django is a feature-full framework with plenty of valuable 3rd party applications. Many of these will depend on the base user model.

In order to maximize adoption, we should consider building an alternative user model that extends the base user. This would abstract the username/password fields such that:

username -> ethereum address
password -> non-usable password

This would not be the 'default', but it would be configurable.

python3 manage.py createsuperuser currently fails after inputting an Ethereum address with:

TypeError: __init__() missing 1 required positional argument: 'message'

SIWE was initially included as a submodule to repurpose the frontend. Since then, we have diverged a lot. It would make more sense to remove the submodule, any backend references, and credit the SIWE repository in the example's README.

This will make the example much more understandable and remove unneeded code while still giving credit to the original repository.

The feature to detect an ENS name (as well as ERC721 membership) is great, but it'd be cool to have an option for disable ENS-checking so that the settings.PROVIDER settings can be optional. After all, the authentication doesn't need it! I think this'd help speed up users playing with the library too.

Want to add this option, so that admins can also make users both admins and superusers. (Superusers have access to edit all table rows that have been configured in a project's admin.pys.)

Create a new AdminSite instance that overrides the admin login view (linked below). This will allow the administrator view to also Sing-In with Ethereum instead of expecting a password (which is already set to a non-usable value).

https://docs.djangoproject.com/en/dev/ref/contrib/admin/#root-and-login-templates

I'm getting an error when I point at the goerli test network, which uses POA.

It's the same error as in this SO: https://stackoverflow.com/questions/70812529/the-field-extradata-is-97-bytes-but-should-be-32-it-is-quite-likely-that-you-a

And I think the fix would be the same, but I don't know (and haven't extensively tested) if geth_poa_middleware still works with the proof of work networks

Add to the utils package.

Create a customer decorator that allows for initialization of a new GroupManager instance with its own configuration.

Example:

from siwe_auth.custom_groups.erc721 import ERC20OwnerManager

@GroupManagerRestricted(ERC20OwnerManager(config={'contract': '0x1234'}))
def example_restricted_view(request):
    pass