fix: bumped security risks and enabled newer packages installed

creyPY/helpers.py

@@ -1,4 +1,4 @@
-import random
+import secrets
 import string
 
 
@@ -6,11 +6,11 @@ def create_random_password(length: int = 12) -> str:
     all_characters = string.ascii_letters + string.digits + string.punctuation
 
     password = [
-        random.choice(string.ascii_lowercase),
+        secrets.choice(string.ascii_lowercase),
-        random.choice(string.ascii_uppercase),
+        secrets.choice(string.ascii_uppercase),
-        random.choice(string.digits),
+        secrets.choice(string.digits),
-        random.choice(string.punctuation),
+        secrets.choice(string.punctuation),
     ]
-    password += random.choices(all_characters, k=length - 4)
+    password += [secrets.choice(all_characters) for _ in range(length - 4)]
-    random.shuffle(password)
+    secrets.SystemRandom().shuffle(password)
     return "".join(password)

creyPY/services/__init__.py

@@ -0,0 +1 @@
+from .auth0 import *  # noqa

creyPY/services/auth0/manage.py

@@ -8,7 +8,7 @@ cache = TTLCache(maxsize=100, ttl=600)
 
 @cached(cache)
 def get_management_token() -> str:
-    re = requests.post(
+    response = requests.post(
         f"https://{AUTH0_DOMAIN}/oauth/token",
         json={
             "client_id": AUTH0_CLIENT_ID,
@@ -16,5 +16,6 @@ def get_management_token() -> str:
             "audience": f"https://{AUTH0_DOMAIN}/api/v2/",  # This should be the management audience
             "grant_type": "client_credentials",
         },
+        timeout=5,  # Add a timeout parameter to avoid hanging requests
     ).json()
-    return re["access_token"]
+    return response["access_token"]

creyPY/services/auth0/utils.py

@@ -54,6 +54,7 @@ def get_user(sub) -> dict:
     re = requests.get(
         f"https://{AUTH0_DOMAIN}/api/v2/users/{sub}",
         headers={"Authorization": f"Bearer {get_management_token()}"},
+        timeout=5,
     )
     if re.status_code != 200:
         raise HTTPException(re.status_code, re.json())
@@ -65,6 +66,7 @@ def patch_user(input_obj: dict, sub) -> dict:
         f"https://{AUTH0_DOMAIN}/api/v2/users/{sub}",
         headers={"Authorization": f"Bearer {get_management_token()}"},
         json=input_obj,
+        timeout=5,
     )
     if re.status_code != 200:
         raise HTTPException(re.status_code, re.json())
@@ -92,6 +94,7 @@ def request_verification_mail(sub: str) -> None:
         f"https://{AUTH0_DOMAIN}/api/v2/jobs/verification-email",
         headers={"Authorization": f"Bearer {get_management_token()}"},
         json={"user_id": sub},
+        timeout=5,
     )
     if re.status_code != 201:
         raise HTTPException(re.status_code, re.json())
@@ -109,6 +112,7 @@ def create_user_invite(email: str) -> dict:
             "verify_email": False,
             "app_metadata": {"invitedToMyApp": True},
         },
+        timeout=5,
     )
     if re.status_code != 201:
         raise HTTPException(re.status_code, re.json())
@@ -124,6 +128,7 @@ def password_change_mail(email: str) -> bool:
             "email": email,
             "connection": "Username-Password-Authentication",
         },
+        timeout=5,
     )
 
     if re.status_code != 200:

requirements.auth0.txt

@@ -1,7 +1,7 @@
-cachetools==5.5.0 # for caching
+cachetools>=5.5.0 # for caching
-charset-normalizer==3.4.0 # Auth0 API interactions
+charset-normalizer>=3.4.0 # Auth0 API interactions
-requests==2.32.3 # Auth0 API interactions
+requests>=2.32.3 # Auth0 API interactions
-pyjwt==2.10.0 # Auth0 API interactions
+pyjwt>=2.10.1 # Auth0 API interactions
-cffi==1.17.1 # Auth0 API interactions
+cffi>=1.17.1 # Auth0 API interactions
-cryptography==43.0.3 # Auth0 API interactions
+cryptography>=43.0.3 # Auth0 API interactions
-pycparser==2.22 # Auth0 API interactions
+pycparser>=2.22 # Auth0 API interactions

requirements.txt

@@ -11,7 +11,7 @@ starlette>=0.37.2 # FastAPI
 
 fastapi-pagination>=0.12.26 # Pagination
 sqlalchemy>=2.0.31 # SQLAlchemy
-sqlalchemy-utils==0.41.2  # For managing databases
+sqlalchemy-utils>=0.41.2  # For managing databases
 
 python-dotenv>=1.0.1 # Environment variables