Coverage for opt/mealie/lib/python3.12/site-packages/mealie/core/security/providers/credentials_provider.py: 72%

Shortcuts on this page

r m x p toggle line displays

j k next/prev highlighted chunk

0 (zero) top of page

1 (one) first highlighted chunk

[ ] prev/next file

u up to the index

? show/hide this help

43 statements

« prev ^ index » next coverage.py v7.10.6, created at 2025-11-25 15:32 +0000

1from datetime import timedelta 1 ctx1a

3from sqlalchemy.orm.session import Session 1 ctx1a

5from mealie.core import root_logger 1 ctx1a

6from mealie.core.config import get_app_settings 1 ctx1a

7from mealie.core.exceptions import UserLockedOut 1 ctx1a

8from mealie.core.security.hasher import get_hasher 1 ctx1a

9from mealie.core.security.providers.auth_provider import AuthProvider 1 ctx1a

10from mealie.db.models.users.users import AuthMethod 1 ctx1a

11from mealie.repos.all_repositories import get_repositories 1 ctx1a

12from mealie.schema.user.auth import CredentialsRequest 1 ctx1a

13from mealie.services.user_services.user_service import UserService 1 ctx1a

16class CredentialsProvider(AuthProvider[CredentialsRequest]): 1 ctx1a

17 """Authentication provider that authenticates a user the database using username/password combination"""

19 _logger = root_logger.get_logger("credentials_provider") 1 ctx1a

21 def __init__(self, session: Session, data: CredentialsRequest) -> None: 1 ctx1a

22 super().__init__(session, data) 10 ctx1cdefghbijk

24 def authenticate(self) -> tuple[str, timedelta] | None: 1 ctx1a

25 """Attempt to authenticate a user given a username and password"""

26 settings = get_app_settings() 10 ctx1cdefghbijk

27 db = get_repositories(self.session, group_id=None, household_id=None) 10 ctx1cdefghbijk

28 user = self.try_get_user(self.data.username) 10 ctx1cdefghbijk

30 if not user: 10 ctx1cdefghbijk

31 self.verify_fake_password() 10 ctx1defghbijlk

32 return None 10 ctx1defghbijlk

34 if user.auth_method != AuthMethod.MEALIE: 34 ↛ 35line 34 didn't jump to line 35 because the condition on line 34 was never true2 ctx1cb

35 self.verify_fake_password()

36 self._logger.warning(

37 "Found user but their auth method is not 'Mealie'. Unable to continue with credentials login"

38 )

39 return None

41 if user.login_attemps >= settings.SECURITY_MAX_LOGIN_ATTEMPTS or user.is_locked: 41 ↛ 42line 41 didn't jump to line 42 because the condition on line 41 was never true2 ctx1cb

42 raise UserLockedOut()

44 if not CredentialsProvider.verify_password(self.data.password, user.password): 44 ↛ 45line 44 didn't jump to line 45 because the condition on line 44 was never true2 ctx1cb

45 user.login_attemps += 1

46 db.users.update(user.id, user)

48 if user.login_attemps >= settings.SECURITY_MAX_LOGIN_ATTEMPTS:

49 user_service = UserService(db)

50 user_service.lock_user(user)

52 return None

54 user.login_attemps = 0 2 ctx1cb

55 user = db.users.update(user.id, user) 2 ctx1cb

56 return self.get_access_token(user, self.data.remember_me) # type: ignore 2 ctx1cb

58 def verify_fake_password(self): 1 ctx1a

59 # To prevent user enumeration we perform the verify_password computation to ensure

60 # server side time is relatively constant and not vulnerable to timing attacks.

61 CredentialsProvider.verify_password( 10 ctx1defghbijlk

62 "abc123cba321",

63 "$2b$12$JdHtJOlkPFwyxdjdygEzPOtYmdQF5/R5tHxw5Tq8pxjubyLqdIX5i",

64 )

66 @staticmethod 1 ctx1a

67 def verify_password(plain_password: str, hashed_password: str) -> bool: 1 ctx1a

68 """Compares a plain string to a hashed password"""

69 return get_hasher().verify(plain_password, hashed_password) 11 ctx1cdefghbijlk