chore(passport): make user email unique

duanhongyi · duanhongyi · commit 61c948d75371 · 2021-12-24T21:58:11.000+08:00
diff --git a/rootfs/api/admin.py b/rootfs/api/admin.py
@@ -0,0 +1,15 @@
+from django.contrib import admin
+from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
+
+from .models import User
+
+class UserAdmin(BaseUserAdmin):
+    add_fieldsets = (
+        (None, {
+            'classes': ('wide',),
+            'fields': ('username', 'password1', 'password2', 'email'),
+        }),
+    )
+
+
+admin.site.register(User, UserAdmin)
diff --git a/rootfs/api/management/commands/create_oauth2_application.py b/rootfs/api/management/commands/create_oauth2_application.py
@@ -1,8 +1,10 @@
 import os
-from django.contrib.auth.models import User
+from django.contrib.auth import get_user_model
 from django.core.management.base import BaseCommand
 from oauth2_provider.models import Application
 
+User = get_user_model()
+
 
 class Command(BaseCommand):
     """Management command for create Oauth2 application"""
diff --git a/rootfs/api/migrations/0001_initial.py b/rootfs/api/migrations/0001_initial.py
@@ -0,0 +1,44 @@
+# Generated by Django 3.2.5 on 2021-12-16 03:45
+
+import django.contrib.auth.models
+import django.contrib.auth.validators
+from django.db import migrations, models
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('auth', '0012_alter_user_first_name_max_length'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='User',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('password', models.CharField(max_length=128, verbose_name='password')),
+                ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')),
+                ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')),
+                ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')),
+                ('first_name', models.CharField(blank=True, max_length=150, verbose_name='first name')),
+                ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')),
+                ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')),
+                ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')),
+                ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')),
+                ('email', models.EmailField(max_length=254, unique=True, verbose_name='email address')),
+                ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups')),
+                ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions')),
+            ],
+            options={
+                'verbose_name': 'user',
+                'verbose_name_plural': 'users',
+                'abstract': False,
+            },
+            managers=[
+                ('objects', django.contrib.auth.models.UserManager()),
+            ],
+        ),
+    ]
diff --git a/rootfs/api/migrations/__init__.py b/rootfs/api/migrations/__init__.py
diff --git a/rootfs/api/models.py b/rootfs/api/models.py
@@ -0,0 +1,7 @@
+from django.db import models
+from django.contrib.auth.models import AbstractUser
+from django.utils.translation import gettext_lazy as _
+
+
+class User(AbstractUser):
+    email = models.EmailField(_('email address'), unique=True)
diff --git a/rootfs/api/serializers.py b/rootfs/api/serializers.py
@@ -5,13 +5,14 @@
 
 from django.contrib.admin.models import LogEntry
 from django.contrib.auth.forms import UserCreationForm
-from django.contrib.auth.models import User
+from django.contrib.auth import get_user_model
 from oauth2_provider.models import Grant, AccessToken
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from rest_framework import serializers
 
 from api.utils import timestamp2datetime
 
+User = get_user_model()
 logger = logging.getLogger(__name__)
 
 
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -14,7 +14,7 @@
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = bool(os.environ.get('DRYCC_DEBUG', False))
+DEBUG = os.environ.get('DRYCC_DEBUG', 'false').lower() != 'false'
 
 # If set to True, Django's normal exception handling of view functions
 # will be suppressed, and exceptions will propagate upwards
@@ -29,7 +29,8 @@
 # https://docs.djangoproject.com/en/2.2/ref/checks/#security
 SILENCED_SYSTEM_CHECKS = [
     'security.W004',
-    'security.W008'
+    'security.W008',
+    'security.W012',
 ]
 
 CONN_MAX_AGE = 60 * 3
@@ -111,6 +112,9 @@
     'api'
 )
 
+AUTH_USER_MODEL = "api.User"
+DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
+
 AUTHENTICATION_BACKENDS = (
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
@@ -155,8 +159,8 @@
 CSRF_COOKIE_SAMESITE = None
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
-CSRF_COOKIE_SECURE = bool(os.environ.get('CSRF_COOKIE_SECURE', False))
-SESSION_COOKIE_SECURE = bool(os.environ.get('SESSION_COOKIE_SECURE', False))
+CSRF_COOKIE_SECURE = os.environ.get('CSRF_COOKIE_SECURE', 'true').lower() != 'false'
+SESSION_COOKIE_SECURE = os.environ.get('SESSION_COOKIE_SECURE', 'false').lower() != 'false'
 
 # Honor HTTPS from a trusted proxy
 # see https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header
@@ -255,7 +259,7 @@
 SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', random_secret)
 
 # database setting
-DRYCC_DATABASE_URL = os.environ.get('DRYCC_DATABASE_URL', 'postgres://:@:5432/passport')  # noqa
+DRYCC_DATABASE_URL = os.environ.get('DRYCC_DATABASE_URL', 'postgres://postgres:123456@49.232.207.93:5432/drycc_passport')  # noqa
 DATABASES = {
     'default': dj_database_url.config(default=DRYCC_DATABASE_URL,
                                       conn_max_age=600)
@@ -269,9 +273,16 @@
 
 # Avatar URL
 AVATAR_URL = "https://cravatar.cn/avatar/"
+
 # see: https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html?highlight=oidc.key#creating-rsa-private-key  # noqa
-with open('/var/run/secrets/drycc/passport/oidc-rsa-private-key') as f:
-    OIDC_RSA_PRIVATE_KEY = f.read()
+OIDC_ENABLED = False
+OIDC_RSA_PRIVATE_KEY = None
+OIDC_RSA_PRIVATE_KEY_FILE = '/var/run/secrets/drycc/passport/oidc-rsa-private-key'
+if os.path.exists(OIDC_RSA_PRIVATE_KEY_FILE):
+    with open('/var/run/secrets/drycc/passport/oidc-rsa-private-key') as f:
+        OIDC_RSA_PRIVATE_KEY = f.read()
+        OIDC_ENABLED = True
+
 OAUTH2_PROVIDER = {
     "OIDC_ENABLED": True,
     "OIDC_RSA_PRIVATE_KEY": OIDC_RSA_PRIVATE_KEY,
diff --git a/rootfs/api/urls.py b/rootfs/api/urls.py
@@ -13,7 +13,7 @@
     re_path(r'update/(?P<uidb64>.+)/(?P<token>.+)/?$',
             views.UpdateAccount.as_view(), name='user_update_account'),
     re_path(r'^avatar/(?P<username>[-_\w]+)/?$',
-        views.UserAvatarViewSet.as_view({'get': 'avatar'})),
+            views.UserAvatarViewSet.as_view({'get': 'avatar'})),
     re_path(r'registration/?$', views.RegistrationView.as_view(), name='registration'),
     re_path(r'activate/(?P<uidb64>.+)/(?P<token>.+)/?$',
             views.ActivateAccount.as_view(), name='user_activate_account'),
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
@@ -6,8 +6,8 @@
 from django.views.decorators.cache import cache_page
 from django.contrib import messages, auth
 from django.contrib.auth import login
-from django.contrib.auth.models import User
 from django.contrib.auth import views
+from django.contrib.auth import get_user_model
 from django.db.models import Q
 from django.shortcuts import redirect, get_object_or_404, render
 from django.template.loader import render_to_string
@@ -30,6 +30,7 @@
 from api.utils import token_generator, get_local_host
 from api.viewset import NormalUserViewSet
 
+User = get_user_model()
 logger = logging.getLogger(__name__)
 
 
@@ -153,9 +154,11 @@ def get_object(self):
         return self.request.user
 
     def update(self, request, *args, **kwargs):
-        user_serializer = self.serializer_class(data=request.data,
-                                          instance=request.user,
-                                          partial=True)
+        user_serializer = self.serializer_class(
+            data=request.data,
+            instance=request.user,
+            partial=True
+        )
         if user_serializer.is_valid():
             if settings.EMAIL_HOST:
                 user = self.get_object()
@@ -204,7 +207,7 @@ def avatar(self, request, *args, **kwargs):
         md5 = hashlib.md5()
         if user:
             md5.update(user.email.encode("utf8"))
-        return HttpResponseRedirect(settings.AVATAR_URL + md5.hexdigest() + "?s=" + size)  
+        return HttpResponseRedirect(settings.AVATAR_URL + md5.hexdigest() + "?s=" + size)
 
 
 class UserEmailView(NormalUserViewSet):
