minor refactoring of auth logging

Author: Massimo Di Pierro

apps/_scaffold/common.py

@@ -37,11 +37,6 @@
 # #######################################################
 logger = make_logger("py4web:" + settings.APP_NAME, settings.LOGGERS)
 
-# this export the logger to the auth module
-# so that it can be used in auth plugins
-import py4web.utils.auth as auth_module
-auth_module.logger = logger
-
 # #######################################################
 # connect to db
 # #######################################################
@@ -66,7 +61,7 @@
     session = Session(secret=settings.SESSION_SECRET_KEY)
 
 elif settings.SESSION_TYPE == "redis":
-    import redis # type: ignore[reportMissingImports]
+    import redis  # type: ignore[reportMissingImports]
 
     host, port = settings.REDIS_SERVER.split(":")
     # for more options: https://github.com/andymccurdy/redis-py/blob/master/redis/client.py
@@ -81,7 +76,7 @@
 elif settings.SESSION_TYPE == "memcache":
     import time
 
-    import memcache # type: ignore[reportMissingImports]
+    import memcache  # type: ignore[reportMissingImports]
 
     conn = memcache.Client(settings.MEMCACHE_CLIENTS, debug=0)
     session = Session(secret=settings.SESSION_SECRET_KEY, storage=conn)
@@ -106,6 +101,7 @@
 auth.param.default_login_enabled = settings.DEFAULT_LOGIN_ENABLED
 auth.define_tables()
 auth.fix_actions()
+auth.logger = logger
 
 flash = auth.flash
 
@@ -138,7 +134,7 @@
 if settings.USE_LDAP:
     from py4web.utils.auth_plugins.ldap_plugin import LDAPPlugin
 
-    auth.register_plugin(LDAPPlugin(db=db, groups=groups, logger=logger, **settings.LDAP_SETTINGS))
+    auth.register_plugin(LDAPPlugin(db=db, groups=groups, **settings.LDAP_SETTINGS))
 
 if settings.OAUTH2GOOGLE_CLIENT_ID:
     from py4web.utils.auth_plugins.oauth2google import OAuth2Google  # TESTED

py4web/utils/auth.py

@@ -38,17 +38,17 @@
 [ ] Force new password every x days.
 """
 
+
 # Allow logger to be set externally before importing this module
-try:
-    logger  # type: ignore  # pylance: ignore undefined
-except NameError:
-    # If not set, define a default logger
-    logger = logging.getLogger("py4web.auth")
+def make_default_logger(name="py4web.auth"):
+    """Makes a default logger"""
+    logger = logging.getLogger(name)
     if not logger.hasHandlers():
         handler = logging.StreamHandler()
         formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s")
         handler.setFormatter(formatter)
         logger.addHandler(handler)
+    return logger
 
 
 def b16e(text):
@@ -244,6 +244,7 @@ def __init__(
         two_factor_send=None,
         two_factor_validate=None,
         template_args=None,
+        logger=None,
     ):
         # configuration parameters
         self.param = Param(
@@ -290,6 +291,7 @@ def __init__(
         self.session = session
         self.sender = sender
         self.route = "auth"
+        self.logger = logger or make_default_logger()
         self.use_username = use_username  # if False, uses email only
         self.password_in_db = password_in_db  # if False, password is never saved in db
         self.use_phone_number = use_phone_number
@@ -689,20 +691,26 @@ def login(self, email, password):
         for plugin in self.plugins.values():
             if not hasattr(plugin, "get_login_url"):
                 prevent_db_lookup = True
-                logger.debug(f"Trying plugin: {plugin.name}, mode: {getattr(plugin, 'mode', None)}")
+                self.logger.debug(
+                    f"Trying plugin: {plugin.name}, mode: {getattr(plugin, 'mode', None)}"
+                )
                 if plugin.check_credentials(email, password):
-                    logger.debug(f"Plugin {plugin.name} accepted credentials for {email}")
+                    self.logger.debug(
+                        f"Plugin {plugin.name} accepted credentials for {email}"
+                    )
                     user_info = {}
                     user_info["sso_id"] = plugin.name + ":" + email
                     if self.use_username or "@" not in email:
                         user_info["username"] = email
                     if "@" in email:
                         user_info["email"] = email
                     else:
-                        logger.debug(f"Constructing email from username: {email}@example.com")
+                        self.logger.debug(
+                            f"Constructing email from username: {email}@example.com"
+                        )
                         user_info["email"] = email + "@example.com"
                     user = self.get_or_register_user(user_info)
-                    logger.debug(f"User after get_or_register_user: {user}")
+                    self.logger.debug(f"User after get_or_register_user: {user}")
                     break
 
         # else check against database
@@ -1295,9 +1303,13 @@ def login(auth):
         if "pam" in auth.plugins or "ldap" in auth.plugins:
             plugin_name = "pam" if "pam" in auth.plugins else "ldap"
             plugin = auth.plugins[plugin_name]
-            logger.debug(f"AuthAPI.login: Trying plugin {plugin_name} for user {username}")
+            self.logger.debug(
+                f"AuthAPI.login: Trying plugin {plugin_name} for user {username}"
+            )
             check = plugin.check_credentials(username, password)
-            logger.debug(f"AuthAPI.login: plugin.check_credentials returned {check}")
+            self.logger.debug(
+                f"AuthAPI.login: plugin.check_credentials returned {check}"
+            )
             if check:
                 data = {
                     "username": username,
@@ -1306,13 +1318,19 @@ def login(auth):
                 }
                 # and register the user if we have one, just in case
                 if auth.db:
-                    logger.debug(f"AuthAPI.login: Calling get_or_register_user with data={data}")
+                    self.logger.debug(
+                        f"AuthAPI.login: Calling get_or_register_user with data={data}"
+                    )
                     user = auth.get_or_register_user(data)
-                    logger.debug(f"AuthAPI.login: User after get_or_register_user: {user}")
+                    self.logger.debug(
+                        f"AuthAPI.login: User after get_or_register_user: {user}"
+                    )
                     auth.store_user_in_session(user["id"])
                 # else: if we're here - check is OK, but user is not in the session - is it right?
             else:
-                logger.debug(f"AuthAPI.login: plugin.check_credentials failed for {username}")
+                self.logger.debug(
+                    f"AuthAPI.login: plugin.check_credentials failed for {username}"
+                )
                 data = auth._error(
                     auth.param.messages["errors"].get("invalid_credentials")
                 )
@@ -1699,9 +1717,7 @@ def login(self, model=False):
             # Get plain text password directly from request, on Windows this is needed
             # because form.vars.get("password", "") returns an hashed password.
             plain_password = request.forms.get("password", "")
-            user, error = self.auth.login(
-                form.vars.get("email", ""), plain_password
-            )
+            user, error = self.auth.login(form.vars.get("email", ""), plain_password)
             form.accepted = not error
 
             # Stops processing if there is a login error

py4web/utils/auth_plugins/ldap_plugin.py

@@ -242,7 +242,7 @@ def check_credentials(self, username, password):
             return False
         logger.debug(
             f"mode: {str(mode)}, manage_user: {str(manage_user)}, \
-            custom_scope: {str(custom_scope)}, manage_groups: {str(manage_groups)}" \
+            custom_scope: {str(custom_scope)}, manage_groups: {str(manage_groups)}"
         )
         if manage_user:
             if user_firstname_attrib.count(":") > 0:
@@ -279,7 +279,7 @@ def check_credentials(self, username, password):
                     for x in base_dn.split(","):
                         if "DC=" in x.upper():
                             domain.append(x.split("=")[-1])
-                    username = f"{username}@{".".join(domain)}"
+                    username = f"{username}@{'.'.join(domain)}"
                 username_bare = username.split("@")[0]
                 con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
                 # In cases where ForestDnsZones and DomainDnsZones are found,
@@ -351,7 +351,7 @@ def check_credentials(self, username, password):
                     con.simple_bind_s(bind_dn, bind_pw)
                     dn = "uid=" + username + "," + base_dn
                     dn = con.search_s(
-                        base_dn, ldap.SCOPE_SUBTREE, f"(uid={username, [""]})"
+                        base_dn, ldap.SCOPE_SUBTREE, f"(uid={username, ['']})"
                     )[0][0]
                 else:
                     dn = "uid=" + username + "," + base_dn
@@ -393,7 +393,9 @@ def check_credentials(self, username, password):
                     basedns = base_dn
                 else:
                     basedns = [base_dn]
-                filter = f"(&(uid={ldap.filter.escape_filter_chars(username)})({filterstr}))"
+                filter = (
+                    f"(&(uid={ldap.filter.escape_filter_chars(username)})({filterstr}))"
+                )
                 found = False
                 for basedn in basedns:
                     try:
@@ -726,7 +728,7 @@ def get_user_groups_from_ldap(self, username=None, password=None):
                 for x in base_dn.split(","):
                     if "DC=" in x.upper():
                         domain.append(x.split("=")[-1])
-                username = f"{username}@{".".join(domain)}" 
+                username = f"{username}@{'.'.join(domain)}"
             username_bare = username.split("@")[0]
             con = self._init_ldap()
             con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)