Hoist admin status determination from authentication to a secondary function called by get_authenticated_user
Create mock objects for struct_group and struct_passwd, migrate existing mock group objects to it
Remove old admin mock stuff for authenticate
- refresh_user may return True in the common case, identifying that everything is up-to-date
- return False for "needs login"
- return auth_data dict when an update can be performed without logging in again
- `.get_current_user` is called in the `prepare` stage for all handlers
- use `.current_user` to access current user in methods
- adds Authenticator.refresh_user for refreshing user auth (unused at this point)
JH can now differentiate between authenticated and authorized users via PAM
This allows JH to respect PAM-accessible user access controls.
This also fixes missing PAMAuthenticator.encoding usages.
Allows authenticators to optionally enable this flag
and signal that auth_state will be used,
enabling early check and exit if encryption is not available.
only raise ImportError on pamela if PAMAuthenticator is actually used
avoids failure to start in rare cases where pamela is not importable (e.g. broken libpam)
opt-in option for deleting users that have been invalidated,
e.g. for LocalAuthenticators when system users have been removed and `create_system_users` is False.
Since it’s opt-in, log config to do so when the error is seen and option is not enabled.
Simplifies login URL, handler login
- all login redirects go to `settings['login_url']`
- `login_url` is unconditionally `/hub/login`
- `/hub/login` renders form page or 'login with...' button
- enabling auto_login redirects from /hub/login to Authenticator.login_url()
likely cause is `set('string')` typo instead of `set(['string'])`,
so include that in the error message:
whitelist contains single-character names: ['i', 'k', 'm', 'n', 'r']; did you mean set(['ikmnr']) instead of set('ikmnr')?
it's often buggy and rarely necessary,
so allow it to be disabled when it's causing problems.
It's still on by default for backward-compatibility,
though maybe it shouldn't be.
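The single-character whitelist check from the `set('string')` commit message above, as an added example that is not JupyterHub's own code: the function names are hypothetical, and the exact-match lookup in `is_allowed` is an assumed model of how a whitelist is consulted. It also shows the access-control effect of the typo, where the intended user is locked out and each one-letter username is admitted.

```python
# Added illustration; function names are hypothetical, not JupyterHub APIs.

def single_char_typo_message(whitelist):
    """Return an error string if the whitelist looks like set('name'), else None."""
    short = sorted(name for name in whitelist if len(name) == 1)
    if not short:
        return None
    # set('minrk') loses the original letter order, so the hint can only
    # show the sorted characters, as in the message quoted on this page.
    joined = "".join(short)
    return (
        "whitelist contains single-character names: {short}; "
        "did you mean set(['{joined}']) instead of set('{joined}')?"
    ).format(short=short, joined=joined)


def validate_whitelist(whitelist):
    """Fail at configuration time instead of silently changing who may log in."""
    message = single_char_typo_message(whitelist)
    if message is not None:
        raise ValueError(message)
    return set(whitelist)


def is_allowed(username, whitelist):
    """Assumed model: an empty whitelist allows everyone, otherwise exact match."""
    return not whitelist or username in whitelist


if __name__ == "__main__":
    intended = set(["minrk"])   # constructed sample: one allowed user
    typo = set("minrk")         # the typo: five one-letter "users"

    print(is_allowed("minrk", intended), is_allowed("minrk", typo))  # True False
    print(is_allowed("k", intended), is_allowed("k", typo))          # False True

    try:
        validate_whitelist(typo)
    except ValueError as exc:
        print(exc)
```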