bump, clean, and switch to using keycloak custom TOTP API

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## What
+
+_what the PR changes_
+
+## Why
+
+_why these changes were made_
+
+## Test Plan
+
+_how did you verify these changes did what you expected_
+
+## Env Vars
+
+_did you add, remove, or rename any environment variables_
+
+## Checklist
+
+- [ ] Tested all changes locally

.github/workflows/python-app.yml

@@ -18,10 +18,10 @@ jobs:
     - name: Install ldap dependencies
       run: sudo apt-get install libldap2-dev libsasl2-dev
     - uses: actions/checkout@v2
-    - name: Set up Python 3.6
+    - name: Set up Python 3.13
       uses: actions/setup-python@v2
       with:
-        python-version: 3.6
+        python-version: 3.13
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip

.pylintrc

@@ -16,7 +16,7 @@ persistent=yes
 
 # List of plugins (as comma separated values of python modules names) to load,
 # usually to register additional checkers.
-load-plugins=
+#load-plugins=
 
 # Use multiple processes to speed up Pylint.
 jobs=1
@@ -28,14 +28,14 @@ unsafe-load-any-extension=no
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code
-extension-pkg-whitelist=
+#extension-pkg-whitelist=
 
 
 [MESSAGES CONTROL]
 
 # Only show warnings with the listed confidence levels. Leave empty to show
 # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
-confidence=
+#confidence=
 
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option
@@ -62,12 +62,11 @@ disable=
     too-few-public-methods,
     no-member,
     too-many-format-args,
-    bad-continuation,
     bare-except,
     inconsistent-return-statements,
     no-name-in-module,
     cyclic-import,
-    unnecessary-pass,
+    unnecessary-pass
 
 
 [REPORTS]
@@ -77,11 +76,6 @@ disable=
 # mypackage.mymodule.MyReporterClass.
 output-format=text
 
-# Put messages in a separate file for each module / package specified on the
-# command line instead of printing them on stdout. Reports (if any) will be
-# written in a file name "pylint_global.[txt|html]".
-files-output=no
-
 # Tells whether to display a full report or only the messages
 reports=no
 
@@ -136,7 +130,7 @@ dummy-variables-rgx=_$|dummy
 
 # List of additional names supposed to be defined in builtins. Remember that
 # you should avoid to define new builtins when possible.
-additional-builtins=
+#additional-builtins=
 
 # List of strings which can identify a callback function by name. A callback
 # name must start or end with one of those strings.
@@ -155,9 +149,6 @@ ignore-long-lines=^\s*(# )?<?https?://\S+>?$
 # else.
 single-line-if-stmt=no
 
-# List of optional constructs for which whitespace checking is disabled
-no-space-check=trailing-comma,dict-separator
-
 # Maximum number of lines in a module
 max-module-lines=2000
 
@@ -169,14 +160,11 @@ indent-string='    '
 indent-after-paren=4
 
 # Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
-expected-line-ending-format=
+#expected-line-ending-format=
 
 
 [BASIC]
 
-# List of builtins function names that should not be used, separated by a comma
-bad-functions=map,filter,input
-
 # Good variable names which should always be accepted, separated by a comma
 good-names=i,j,k,ex,Run,_
 
@@ -185,71 +173,41 @@ bad-names=foo,bar,baz,toto,tutu,tata
 
 # Colon-delimited sets of names that determine each other's naming style when
 # the name regexes allow several styles.
-name-group=
+#name-group=
 
 # Include a hint for the correct naming format with invalid-name
 include-naming-hint=no
 
 # Regular expression matching correct function names
 function-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for function names
-function-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct variable names
 variable-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for variable names
-variable-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct constant names
 const-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for constant names
-const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
-
 # Regular expression matching correct attribute names
 attr-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for attribute names
-attr-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct argument names
 argument-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for argument names
-argument-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct class attribute names
 class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
 
-# Naming hint for class attribute names
-class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
-
 # Regular expression matching correct inline iteration names
 inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
 
-# Naming hint for inline iteration names
-inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
-
 # Regular expression matching correct class names
 class-rgx=[A-Z_][a-zA-Z0-9]+$
 
-# Naming hint for class names
-class-name-hint=[A-Z_][a-zA-Z0-9]+$
-
 # Regular expression matching correct module names
 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
 
-# Naming hint for module names
-module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
-
 # Regular expression matching correct method names
 method-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for method names
-method-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression which should only match function or class names that do
 # not require a docstring.
 no-docstring-rgx=__.*__
@@ -271,11 +229,11 @@ ignore-mixin-members=yes
 # List of module names for which member attributes should not be checked
 # (useful for modules/projects where namespaces are manipulated during runtime
 # and thus existing member attributes cannot be deduced by static analysis
-ignored-modules=
+#ignored-modules=
 
 # List of classes names for which member attributes should not be checked
 # (useful for classes with attributes dynamically set).
-ignored-classes=SQLObject, optparse.Values, thread._local, _thread._local
+ignored-classes=SQLObject,optparse.Values,thread._local,_thread._local
 
 # List of members which are set dynamically and missed by pylint inference
 # system, and so shouldn't trigger E1101 when accessed. Python regular
@@ -291,13 +249,13 @@ contextmanager-decorators=contextlib.contextmanager
 
 # Spelling dictionary name. Available dictionaries: none. To make it working
 # install python-enchant package.
-spelling-dict=
+#spelling-dict=
 
 # List of comma separated words that should not be checked.
-spelling-ignore-words=
+#spelling-ignore-words=
 
 # A path to a file that contains private dictionary; one word per line.
-spelling-private-dict-file=
+#spelling-private-dict-file=
 
 # Tells whether to store unknown words to indicated private dictionary in
 # --spelling-private-dict-file option instead of raising a message.
@@ -361,19 +319,19 @@ deprecated-modules=regsub,TERMIOS,Bastion,rexec
 
 # Create a graph of every (i.e. internal and external) dependencies in the
 # given file (report RP0402 must not be disabled)
-import-graph=
+#import-graph=
 
 # Create a graph of external dependencies in the given file (report RP0402 must
 # not be disabled)
-ext-import-graph=
+#ext-import-graph=
 
 # Create a graph of internal dependencies in the given file (report RP0402 must
 # not be disabled)
-int-import-graph=
+#int-import-graph=
 
 
 [EXCEPTIONS]
 
 # Exceptions that will emit a warning when being caught. Defaults to
 # "Exception"
-overgeneral-exceptions=Exception
+overgeneral-exceptions=builtins.Exception

Dockerfile

@@ -0,0 +1,20 @@
+FROM docker.io/python:3.13-slim
+MAINTAINER Computer Science House <webmaster@csh.rit.edu>
+
+RUN mkdir /opt/selfservice
+
+ADD requirements.txt /opt/selfservice
+
+WORKDIR /opt/selfservice
+
+RUN apt-get -yq update && \
+    apt-get -yq install libsasl2-dev libldap2-dev libldap-common libssl-dev git gcc g++ make && \
+    pip install -r requirements.txt && \
+    apt-get -yq clean all
+
+ADD . /opt/selfservice
+
+EXPOSE 8080
+
+CMD ["gunicorn", "selfservice:app", "--bind=0.0.0.0:8080", "--access-logfile=-", "--timeout=256"]
+

config.env.py

@@ -35,12 +35,12 @@
 )
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 
-RECAPTCHA_ENABLED = True
-RECAPTCHA_SITE_KEY = os.environ.get("RECAPTCHA_SITE_KEY", "")
-RECAPTCHA_SECRET_KEY = os.environ.get("RECAPTCHA_SECRET_KEY", "")
-RECAPTCHA_THEME = "light"
-RECAPTCHA_TYPE = "image"
-RECAPTCHA_SIZE = "normal"
+XCAPTCHA_ENABLED = True
+XCAPTCHA_SITE_KEY = os.environ.get("XCAPTCHA_SITE_KEY", "")
+XCAPTCHA_SECRET_KEY = os.environ.get("XCAPTCHA_SECRET_KEY", "")
+XCAPTCHA_THEME = "light"
+XCAPTCHA_TYPE = "image"
+XCAPTCHA_SIZE = "normal"
 
 TWILIO_SID = os.environ.get("TWILIO_SID", "")
 TWILIO_TOKEN = os.environ.get("TWILIO_TOKEN", "")

docker-compose.yaml

@@ -1,7 +1,7 @@
 version: '2'
 services:
     postgres:
-        image: postgres:9.6
+        image: docker.io/postgres:9.6
         container_name: selfservice-postgres
         restart: always
         volumes:
@@ -12,7 +12,7 @@ services:
         ports:
             - 127.0.0.1:5433:5432
     phppgadmin:
-        image: bitnami/phppgadmin:latest
+        image: docker.io/dockage/phppgadmin:latest
         container_name: selfservice-pgadmin
         links:
             - postgres
@@ -22,4 +22,4 @@ services:
         restart: always
         ports:
             - 127.0.0.1:8081:8080
-            - 127.0.0.1:8444:8443
+            - 127.0.0.1:8444:8443

migrations/versions/a83f363599a0_.py

@@ -20,8 +20,8 @@ def upgrade():
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table('otp_session',
     sa.Column('secret', sa.String(length=100), nullable=False),
-    sa.Column('form', sa.Binary(), nullable=True),
-    sa.Column('session', sa.Binary(), nullable=True),
+    sa.Column('form', sa.LargeBinary(), nullable=True),
+    sa.Column('session', sa.LargeBinary(), nullable=True),
     sa.PrimaryKeyConstraint('secret')
     )
     op.create_table('session',

migrations/versions/fdb69cd98e19_remove_otpsession_table.py

@@ -0,0 +1,33 @@
+"""Remove OTPSession table
+
+Revision ID: fdb69cd98e19
+Revises: a541afdca952
+Create Date: 2025-12-21 15:34:01.851353
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = 'fdb69cd98e19'
+down_revision = 'a541afdca952'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('otp_session')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('otp_session',
+    sa.Column('secret', sa.VARCHAR(length=100), autoincrement=False, nullable=False),
+    sa.Column('form', postgresql.BYTEA(), autoincrement=False, nullable=True),
+    sa.Column('session', postgresql.BYTEA(), autoincrement=False, nullable=True),
+    sa.PrimaryKeyConstraint('secret', name=op.f('otp_session_pkey'))
+    )
+    # ### end Alembic commands ###