Clients also implemented.

I think the only things left are the login history and other past errors

brewman/core/security.py

@@ -1,6 +1,6 @@
 import uuid
 from datetime import datetime, timedelta
-from typing import List, Union
+from typing import List, Union, Optional
 from jwt import PyJWTError
 
 from fastapi import Depends, HTTPException, status, Security
@@ -10,7 +10,7 @@ from sqlalchemy.orm import Session
 from jose import jwt
 from jose.exceptions import ExpiredSignatureError
 
-from brewman.models.auth import User as UserModel
+from brewman.models.auth import User as UserModel, Client
 from ..db.session import SessionLocal
 
 
@@ -73,14 +73,36 @@ def get_user(username: str, id_: str, locked_out: bool, scopes: List[str]) -> Us
 
 
 def authenticate_user(
-    username: str, password: str, db: Session
-) -> Union[UserModel, bool]:
-    found, user = UserModel.auth(username, password, db)
-    if not found:
-        return False
+    username: str, password: str, client_id: Optional[int], otp: int, db: Session
+) -> Optional[UserModel]:
+    user = UserModel.auth(username, password, db)
     return user
 
 
+def client_allowed(user: UserModel, client_id: int, otp: Optional[int] = None, db: Session = None) -> (bool, int):
+    client = db.query(Client).filter(Client.code == client_id).first() if client_id else None
+    allowed = "clients" in set(
+        [
+            p.name.replace(" ", "-").lower()
+            for r in user.roles
+            for p in r.permissions
+        ]
+    )
+    if allowed:
+        return True, 0
+    elif client is None:
+        client = Client.create(db)
+        return False, client.code
+    elif client.enabled:
+        return True, client.code
+    elif client.otp == otp:
+        client.otp = None
+        client.enabled = True
+        return True, client.code
+    else:
+        return False, client.code
+
+
 async def get_current_user(
     security_scopes: SecurityScopes, token: str = Depends(oauth2_scheme),
 ) -> UserToken:

brewman/models/auth.py

@@ -6,7 +6,7 @@ from datetime import datetime
 
 from sqlalchemy.schema import ForeignKey, Table
 from sqlalchemy import Column, Boolean, Unicode, Integer, DateTime, UniqueConstraint
-from sqlalchemy.orm import synonym, relationship
+from sqlalchemy.orm import synonym, relationship, Session
 
 from brewman.models.guidtype import GUID
 from .meta import Base
@@ -46,14 +46,6 @@ class Client(Base):
         )
         self.id = id_
 
-    @classmethod
-    def by_code(cls, code, dbsession):
-        if code is None:
-            return None
-        if not isinstance(code, int):
-            code = int(code)
-        return dbsession.query(cls).filter(cls.code == code).first()
-
     @classmethod
     def create(cls, dbsession):
         client_code = random.randint(1000, 9999)
@@ -114,16 +106,16 @@ class User(Base):
         self.id = id_
 
     @classmethod
-    def auth(cls, name, password, db) -> (bool, any):
+    def auth(cls, name, password, db) -> any:
         if password is None:
-            return False, None
+            return None
         user = db.query(User).filter(User.name.ilike(name)).first()
         if not user:
-            return False, None
+            return None
         if user.password != encrypt(password) or user.locked_out:
-            return False, None
+            return None
         else:
-            return True, user
+            return user
 
 
 class LoginHistory(Base):

brewman/routers/login.py

@@ -1,13 +1,14 @@
 from datetime import timedelta
 
-from fastapi import APIRouter, Depends, HTTPException, status, Security
+from fastapi import APIRouter, Depends, HTTPException, status, Security, Cookie, Form, Response
 from fastapi.security import OAuth2PasswordRequestForm
+from fastapi.responses import JSONResponse
 from sqlalchemy.orm import Session
 from ..core.security import (
     Token,
     authenticate_user,
     ACCESS_TOKEN_EXPIRE_MINUTES,
-    create_access_token, get_current_active_user,
+    create_access_token, get_current_active_user, client_allowed,
 )
 from ..db.session import SessionLocal
 from ..schemas.auth import UserToken
@@ -26,15 +27,31 @@ def get_db():
 
 @router.post("/token", response_model=Token)
 async def login_for_access_token(
-    form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)
+    response: Response,
+    form_data: OAuth2PasswordRequestForm = Depends(),
+    client_id: int = Cookie(None),
+    otp: int = Form(None),
+    db: Session = Depends(get_db),
 ):
-    user = authenticate_user(form_data.username, form_data.password, db)
+    user = authenticate_user(form_data.username, form_data.password, client_id, otp, db)
     if not user:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )
+    allowed, c_id = client_allowed(user, client_id, otp, db)
+    db.commit()
+    if c_id and c_id != client_id:
+        response.set_cookie(key="client_id", value=str(c_id), max_age=10 * 365 * 24 * 60 * 60)
+    if not allowed:
+        not_allowed_response = JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            headers={"WWW-Authenticate": "Bearer"},
+            content={"detail": "Client is not registered"}
+        )
+        not_allowed_response.set_cookie(key="client_id", value=str(c_id), max_age=10 * 365 * 24 * 60 * 60)
+        return not_allowed_response
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
     access_token = create_access_token(
         data={