IinSrSSKrSSKrSSKrSSKJrJr SSKJr SSK J r SSK J r J r SSKJr "SS \5r\(aS S KJrJr "S S 5rg)z&Authentication and session management.N)Enumauto) TYPE_CHECKING)PasswordHasher)VerifyMismatchErrorInvalidHashError) TrustLevelcB\rSrSrSr\"5r\"5r\"5rSr g) AuthResultz$Result of an authentication attempt.N) __name__ __module__ __qualname____firstlineno____doc__rSUCCESSUSER_NOT_FOUNDWRONG_PASSWORD__static_attributes__r /c:\Users\dbart\PlayPalace11\server\auth\auth.pyr r s.fGVNVNrr )Database UserRecordc \rSrSrSrS$SjrS\S\4SjrS\S\4SjrS\S\ 4S jr S\S\S\ 4S jr S \S\S\ 4S jr S SS.S \S\S\ S\S\ 4 SjjrS \S\S\ 4SjrS \SS4SjrS \S\S\\\44SjrS\S\S-4SjrS\SS4SjrS \SS4SjrS \S\S\\\44SjrS\S \S!\S\\\\\\4S-4S"jrS#rg)% AuthManagerzHandle user authentication and session management. Uses Argon2 for password hashing and supports migration from legacy SHA-256 hashes on successful login. c<Xl0Ul[5Ulg)z4Initialize the auth manager with a database backend.N)_db _sessionsr_hasher)selfdatabases r__init__AuthManager.__init__"s57%' rpasswordreturnc8URRU5$)zHash a password using Argon2.)r"hashr#r's r hash_passwordAuthManager.hash_password(s||  **rcf[R"UR55R5$)z*Legacy SHA-256 hash for migration support.)hashlibsha256encode hexdigestr+s r_hash_password_sha256!AuthManager._hash_password_sha256,s!~~hoo/0::<.AuthManager._is_legacy_hash..2s0 -B# #-Bs)lenalllower)r#r5s r_is_legacy_hashAuthManager._is_legacy_hash0s6=!R' C0 -:-@-@-B0 -  rcURRX!5 g![[4a Of=fUR U5(aUR U5U:H$g)zMVerify a password against its hash (supports both Argon2 and legacy SHA-256).TF)r"verifyrrrAr3)r#r'r5s rverify_passwordAuthManager.verify_password6s`  LL   8#%56       . .--h7=H Hs 11usernamec~URRU5nU(d[R$UR X#R 5(d[R $URUR 5(a,URU5nURRX5 [R$)zAuthenticate a user. Args: username: Username to authenticate. password: Plaintext password to verify. Returns: AuthResult indicating success or failure reason. ) r get_userr rrEr5rrAr,update_user_passwordr)r#rGr'usernew_hashs r authenticateAuthManager.authenticateEsxx  *,, ,##H.@.@AA,, ,    2 2 3 3))(3H HH ) )( =!!!rFen)approvedlocalerPrQcURRU5(ag[RnUR U5nURR XXEU5 g)aRegister a new user. Args: username: Username to create. password: Plaintext password. approved: Whether the account is pre-approved (skips admin approval). locale: Preferred locale. Returns: True if registration succeeded, False if username taken. FT)r user_existsr USERr, create_user)r#rGr'rPrQ trust_levelr5s rregisterAuthManager.register]sN 88   ) ) oo **84  Xf8Tr new_passwordcURRU5(dgURU5nURRX5 g)zReset a user's password. Args: username: Username to update. new_password: New plaintext password. Returns: True if successful, False if user doesn't exist. FT)r rSr,rJ)r#rGrYr5s rreset_passwordAuthManager.reset_passwordssAxx##H--**<8  %%h>rzUserRecord | Nonec8URRU5$)zGet a user record.)r rI)r#rGs rrIAuthManager.get_usersxx  **r ttl_secondsc[R"S5n[[R"55U-nX4URU'X44$)z[Create an access session token for a user. Returns: (token, expires_at_epoch_seconds) )secrets token_hexinttimer!)r#rGr_token expires_ats rcreate_sessionAuthManager.create_sessionsC !!"%% 3 !) 6u  rrfNcURRU5nU(dgUup4U[[R"55::aURR US5 gU$)z!Validate an access session token.N)r!getrdrepop)r#rfentryrGrgs rvalidate_sessionAuthManager.validate_sessionsS""5)$ TYY[) ) NN  ud +rc<URRUS5 g)zDInvalidate a session token. Args: token: Session token string. N)r!rl)r#rfs rinvalidate_sessionAuthManager.invalidate_sessions 5$'rcURR5VVVs/sHunup4X1:XdMUPM nnnnUHnURU M gs snnnf)zhInvalidate all sessions for a user. Args: username: Username whose sessions should be invalidated. N)r!items)r#rGtu _expires_at to_removerfs rinvalidate_user_sessions$AuthManager.invalidate_user_sessionssO 37..2F2F2HZ2H.1.qAMQ2H ZEu%[s AAc[R"S5n[[R"55nXB-nURR XXT5 X54$)z#Create and persist a refresh token.ra)rbrcrdrer store_refresh_token)r#rGr_rfnowrgs rcreate_refresh_token AuthManager.create_refresh_tokensG!!"%$))+&  $$XjF  r refresh_tokenaccess_ttl_secondsrefresh_ttl_secondsc URRU5nU(dgUSnURRU5(dg[[R"55nUSc US(agUSU::aURR X5 g[ R"S5nXc-nURRXWX5 URR XUS9 URXR5upXYXU4$)zRotate refresh token and issue a new access token. Returns: (username, access_token, access_expires_at, refresh_token, refresh_expires_at) NrG revoked_at replaced_byrgra)r) r get_refresh_tokenrSrdrerevoke_refresh_tokenrbrcr|rh) r#rrrrecordrGr}new_refresh_tokennew_refresh_expires access_tokenaccess_expiress rrefresh_sessionAuthManager.refresh_sessions++M:*%xx##H--$))+ ,  +vm/D , 3 & HH ) )- =#--b1!7 $$XBU[ %%mFW%X'+':':8'X$ ~J]]]r)r r"r!)r$r)rrrrrr%strr,r3boolrArEr rMrWr[rIrdtuplerhrnrqryr~rrr rrrrs ( +c+c+=c=c= S T  C D "S"C"J"0JO^b$X[gk,s#$"++)<+ !s ! !sCx ! c cDj (((&&&!S!s!uSRUX!^ ^69^PS^ sCc3& '$ .^rr)rr/rbreenumrrtypingrargon2rargon2.exceptionsrrserver.core.users.baser r persistence.databaserrrr rrrsB,  !C-;z^z^r