fix: bumped security risks and enabled newer packages installed

fix: added timeouts to the requests to fix Bandit issue
fix: fixed random issue (codacy)
2026-04-12 19:30:30 +02:00 · 2024-12-04 20:05:19 +01:00 · 2024-11-25 13:20:17 +01:00 · 2024-11-25 13:14:07 +01:00 · 2024-11-25 12:55:35 +01:00
6 changed files with 24 additions and 17 deletions
--- a/creyPY/helpers.py
+++ b/creyPY/helpers.py
@@ -1,4 +1,4 @@
-import random
+import secrets
 import string


@@ -6,11 +6,11 @@ def create_random_password(length: int = 12) -> str:
    all_characters = string.ascii_letters + string.digits + string.punctuation

    password = [
-        random.choice(string.ascii_lowercase),
-        random.choice(string.ascii_uppercase),
-        random.choice(string.digits),
-        random.choice(string.punctuation),
+        secrets.choice(string.ascii_lowercase),
+        secrets.choice(string.ascii_uppercase),
+        secrets.choice(string.digits),
+        secrets.choice(string.punctuation),
    ]
-    password += random.choices(all_characters, k=length - 4)
-    random.shuffle(password)
+    password += [secrets.choice(all_characters) for _ in range(length - 4)]
+    secrets.SystemRandom().shuffle(password)
    return "".join(password)
--- a/creyPY/services/init.py
+++ b/creyPY/services/init.py
@@ -0,0 +1 @@
+from .auth0 import *  # noqa
--- a/creyPY/services/auth0/manage.py
+++ b/creyPY/services/auth0/manage.py
@@ -8,7 +8,7 @@ cache = TTLCache(maxsize=100, ttl=600)

@cached(cache)
 def get_management_token() -> str:
-    re = requests.post(
+    response = requests.post(
        f"https://{AUTH0_DOMAIN}/oauth/token",
        json={
            "client_id": AUTH0_CLIENT_ID,
@@ -16,5 +16,6 @@ def get_management_token() -> str:
            "audience": f"https://{AUTH0_DOMAIN}/api/v2/",  # This should be the management audience
            "grant_type": "client_credentials",
        },
+        timeout=5,  # Add a timeout parameter to avoid hanging requests
    ).json()
-    return re["access_token"]
+    return response["access_token"]
--- a/creyPY/services/auth0/utils.py
+++ b/creyPY/services/auth0/utils.py
@@ -54,6 +54,7 @@ def get_user(sub) -> dict:
    re = requests.get(
        f"https://{AUTH0_DOMAIN}/api/v2/users/{sub}",
        headers={"Authorization": f"Bearer {get_management_token()}"},
+        timeout=5,
    )
    if re.status_code != 200:
        raise HTTPException(re.status_code, re.json())
@@ -65,6 +66,7 @@ def patch_user(input_obj: dict, sub) -> dict:
        f"https://{AUTH0_DOMAIN}/api/v2/users/{sub}",
        headers={"Authorization": f"Bearer {get_management_token()}"},
        json=input_obj,
+        timeout=5,
    )
    if re.status_code != 200:
        raise HTTPException(re.status_code, re.json())
@@ -92,6 +94,7 @@ def request_verification_mail(sub: str) -> None:
        f"https://{AUTH0_DOMAIN}/api/v2/jobs/verification-email",
        headers={"Authorization": f"Bearer {get_management_token()}"},
        json={"user_id": sub},
+        timeout=5,
    )
    if re.status_code != 201:
        raise HTTPException(re.status_code, re.json())
@@ -109,6 +112,7 @@ def create_user_invite(email: str) -> dict:
            "verify_email": False,
            "app_metadata": {"invitedToMyApp": True},
        },
+        timeout=5,
    )
    if re.status_code != 201:
        raise HTTPException(re.status_code, re.json())
@@ -124,6 +128,7 @@ def password_change_mail(email: str) -> bool:
            "email": email,
            "connection": "Username-Password-Authentication",
        },
+        timeout=5,
    )

    if re.status_code != 200:
--- a/requirements.auth0.txt
+++ b/requirements.auth0.txt
@@ -1,7 +1,7 @@
-cachetools==5.5.0 # for caching
-charset-normalizer==3.4.0 # Auth0 API interactions
-requests==2.32.3 # Auth0 API interactions
-pyjwt==2.10.0 # Auth0 API interactions
-cffi==1.17.1 # Auth0 API interactions
-cryptography==43.0.3 # Auth0 API interactions
-pycparser==2.22 # Auth0 API interactions
+cachetools>=5.5.0 # for caching
+charset-normalizer>=3.4.0 # Auth0 API interactions
+requests>=2.32.3 # Auth0 API interactions
+pyjwt>=2.10.1 # Auth0 API interactions
+cffi>=1.17.1 # Auth0 API interactions
+cryptography>=43.0.3 # Auth0 API interactions
+pycparser>=2.22 # Auth0 API interactions
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,7 +11,7 @@ starlette>=0.37.2 # FastAPI

 fastapi-pagination>=0.12.26 # Pagination
 sqlalchemy>=2.0.31 # SQLAlchemy
-sqlalchemy-utils==0.41.2  # For managing databases
+sqlalchemy-utils>=0.41.2  # For managing databases

 python-dotenv>=1.0.1 # Environment variables
Author	SHA1	Message	Date
Conrad	2176b1a37d	fix: bumped security risks and enabled newer packages installed	2024-12-04 20:05:19 +01:00
Conrad	5daddf260e	fix: added timeouts to the requests to fix Bandit issue	2024-11-25 13:20:17 +01:00
Conrad	364e07daa1	fix: fixed random issue (codacy)	2024-11-25 13:14:07 +01:00
Conrad	5daf6eb8c5	fix: fixed missing import	2024-11-25 12:55:35 +01:00