fix: format and lint

Author: costowell

.pylintrc

@@ -16,7 +16,7 @@ persistent=yes
 
 # List of plugins (as comma separated values of python modules names) to load,
 # usually to register additional checkers.
-load-plugins=
+#load-plugins=
 
 # Use multiple processes to speed up Pylint.
 jobs=1
@@ -28,14 +28,14 @@ unsafe-load-any-extension=no
 # A comma-separated list of package or module names from where C extensions may
 # be loaded. Extensions are loading into the active Python interpreter and may
 # run arbitrary code
-extension-pkg-whitelist=
+#extension-pkg-whitelist=
 
 
 [MESSAGES CONTROL]
 
 # Only show warnings with the listed confidence levels. Leave empty to show
 # all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
-confidence=
+#confidence=
 
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option
@@ -62,12 +62,11 @@ disable=
     too-few-public-methods,
     no-member,
     too-many-format-args,
-    bad-continuation,
     bare-except,
     inconsistent-return-statements,
     no-name-in-module,
     cyclic-import,
-    unnecessary-pass,
+    unnecessary-pass
 
 
 [REPORTS]
@@ -77,11 +76,6 @@ disable=
 # mypackage.mymodule.MyReporterClass.
 output-format=text
 
-# Put messages in a separate file for each module / package specified on the
-# command line instead of printing them on stdout. Reports (if any) will be
-# written in a file name "pylint_global.[txt|html]".
-files-output=no
-
 # Tells whether to display a full report or only the messages
 reports=no
 
@@ -136,7 +130,7 @@ dummy-variables-rgx=_$|dummy
 
 # List of additional names supposed to be defined in builtins. Remember that
 # you should avoid to define new builtins when possible.
-additional-builtins=
+#additional-builtins=
 
 # List of strings which can identify a callback function by name. A callback
 # name must start or end with one of those strings.
@@ -155,9 +149,6 @@ ignore-long-lines=^\s*(# )?<?https?://\S+>?$
 # else.
 single-line-if-stmt=no
 
-# List of optional constructs for which whitespace checking is disabled
-no-space-check=trailing-comma,dict-separator
-
 # Maximum number of lines in a module
 max-module-lines=2000
 
@@ -169,14 +160,11 @@ indent-string='    '
 indent-after-paren=4
 
 # Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
-expected-line-ending-format=
+#expected-line-ending-format=
 
 
 [BASIC]
 
-# List of builtins function names that should not be used, separated by a comma
-bad-functions=map,filter,input
-
 # Good variable names which should always be accepted, separated by a comma
 good-names=i,j,k,ex,Run,_
 
@@ -185,71 +173,41 @@ bad-names=foo,bar,baz,toto,tutu,tata
 
 # Colon-delimited sets of names that determine each other's naming style when
 # the name regexes allow several styles.
-name-group=
+#name-group=
 
 # Include a hint for the correct naming format with invalid-name
 include-naming-hint=no
 
 # Regular expression matching correct function names
 function-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for function names
-function-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct variable names
 variable-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for variable names
-variable-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct constant names
 const-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for constant names
-const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
-
 # Regular expression matching correct attribute names
 attr-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for attribute names
-attr-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct argument names
 argument-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for argument names
-argument-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression matching correct class attribute names
 class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
 
-# Naming hint for class attribute names
-class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
-
 # Regular expression matching correct inline iteration names
 inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
 
-# Naming hint for inline iteration names
-inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
-
 # Regular expression matching correct class names
 class-rgx=[A-Z_][a-zA-Z0-9]+$
 
-# Naming hint for class names
-class-name-hint=[A-Z_][a-zA-Z0-9]+$
-
 # Regular expression matching correct module names
 module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
 
-# Naming hint for module names
-module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
-
 # Regular expression matching correct method names
 method-rgx=[a-z_][a-z0-9_]{2,30}$
 
-# Naming hint for method names
-method-name-hint=[a-z_][a-z0-9_]{2,30}$
-
 # Regular expression which should only match function or class names that do
 # not require a docstring.
 no-docstring-rgx=__.*__
@@ -271,11 +229,11 @@ ignore-mixin-members=yes
 # List of module names for which member attributes should not be checked
 # (useful for modules/projects where namespaces are manipulated during runtime
 # and thus existing member attributes cannot be deduced by static analysis
-ignored-modules=
+#ignored-modules=
 
 # List of classes names for which member attributes should not be checked
 # (useful for classes with attributes dynamically set).
-ignored-classes=SQLObject, optparse.Values, thread._local, _thread._local
+ignored-classes=SQLObject,optparse.Values,thread._local,_thread._local
 
 # List of members which are set dynamically and missed by pylint inference
 # system, and so shouldn't trigger E1101 when accessed. Python regular
@@ -291,13 +249,13 @@ contextmanager-decorators=contextlib.contextmanager
 
 # Spelling dictionary name. Available dictionaries: none. To make it working
 # install python-enchant package.
-spelling-dict=
+#spelling-dict=
 
 # List of comma separated words that should not be checked.
-spelling-ignore-words=
+#spelling-ignore-words=
 
 # A path to a file that contains private dictionary; one word per line.
-spelling-private-dict-file=
+#spelling-private-dict-file=
 
 # Tells whether to store unknown words to indicated private dictionary in
 # --spelling-private-dict-file option instead of raising a message.
@@ -361,19 +319,19 @@ deprecated-modules=regsub,TERMIOS,Bastion,rexec
 
 # Create a graph of every (i.e. internal and external) dependencies in the
 # given file (report RP0402 must not be disabled)
-import-graph=
+#import-graph=
 
 # Create a graph of external dependencies in the given file (report RP0402 must
 # not be disabled)
-ext-import-graph=
+#ext-import-graph=
 
 # Create a graph of internal dependencies in the given file (report RP0402 must
 # not be disabled)
-int-import-graph=
+#int-import-graph=
 
 
 [EXCEPTIONS]
 
 # Exceptions that will emit a warning when being caught. Defaults to
 # "Exception"
-overgeneral-exceptions=Exception
+overgeneral-exceptions=builtins.Exception

requirements.in

@@ -16,3 +16,5 @@ pyotp~=2.9.0
 passlib~=1.7.4
 xkcdpass~=1.20.0
 gunicorn~=23.0.0
+black~=25.12.0
+pylint~=4.0.4

requirements.txt

@@ -18,10 +18,14 @@ annotated-types==0.7.0
     # via pydantic
 anyio==4.12.0
     # via httpx
+astroid==4.0.2
+    # via pylint
 async-property==0.2.2
     # via python-keycloak
 attrs==25.4.0
     # via aiohttp
+black==25.12.0
+    # via -r requirements.in
 blinker==1.9.0
     # via
     #   flask
@@ -37,7 +41,9 @@ cffi==2.0.0
 charset-normalizer==3.4.4
     # via requests
 click==8.3.1
-    # via flask
+    # via
+    #   black
+    #   flask
 cryptography==46.0.3
     # via
     #   jwcrypto
@@ -50,6 +56,8 @@ deprecated==1.3.1
     # via limits
 deprecation==2.1.0
     # via python-keycloak
+dill==0.4.0
+    # via pylint
 dnspython==2.8.0
     # via srvlookup
 flask==3.1.2
@@ -100,6 +108,8 @@ idna==3.11
     #   yarl
 importlib-resources==6.5.2
     # via flask-pyoidc
+isort==7.0.0
+    # via pylint
 itsdangerous==2.2.0
     # via flask
 jinja2==3.1.6
@@ -120,23 +130,34 @@ markupsafe==3.0.3
     #   mako
     #   sentry-sdk
     #   werkzeug
+mccabe==0.7.0
+    # via pylint
 multidict==6.7.0
     # via
     #   aiohttp
     #   yarl
+mypy-extensions==1.1.0
+    # via black
 oic==1.6.1
     # via flask-pyoidc
 ordered-set==4.1.0
     # via flask-limiter
 packaging==25.0
     # via
+    #   black
     #   deprecation
     #   gunicorn
     #   limits
 passlib==1.7.4
     # via -r requirements.in
+pathspec==0.12.1
+    # via black
 pillow==12.0.0
     # via flask-qrcode
+platformdirs==4.5.1
+    # via
+    #   black
+    #   pylint
 propcache==0.4.1
     # via
     #   aiohttp
@@ -165,6 +186,8 @@ pyjwkest==1.4.4
     # via oic
 pyjwt==2.10.1
     # via twilio
+pylint==4.0.4
+    # via -r requirements.in
 pyotp==2.9.0
     # via -r requirements.in
 python-dotenv==1.2.1
@@ -175,6 +198,8 @@ python-keycloak==5.8.1
     # via -r requirements.in
 python-ldap==3.4.5
     # via csh-ldap
+pytokens==0.3.0
+    # via black
 qrcode==8.2
     # via flask-qrcode
 requests==2.32.5
@@ -201,6 +226,8 @@ srvlookup==3.0.0
     # via
     #   -r requirements.in
     #   csh-ldap
+tomlkit==0.13.3
+    # via pylint
 twilio==9.9.0
     # via -r requirements.in
 typing-extensions==4.15.0

selfservice/__init__.py

@@ -79,6 +79,8 @@
     limiter = Limiter(
         get_remote_address, app=app, default_limits=["50 per day", "10 per hour"]
     )
+else:
+    limiter = Limiter(get_remote_address, app=app, default_limits=[])
 
 # Initialize QR Code Generator
 qr = QRcode(app)

selfservice/blueprints/otp.py

@@ -20,7 +20,7 @@
 )
 from selfservice.utilities.ldap import create_ipa_otp, has_ipa_otp, delete_ipa_otp
 from selfservice.utilities.app_passwd import set_app_passwd, delete_app_passwd
-from selfservice import version, auth, db, OIDC_PROVIDER
+from selfservice import version, auth, OIDC_PROVIDER
 
 otp_bp = Blueprint("otp", __name__)
 
@@ -44,37 +44,49 @@ def enable():
 
         # If its registered in one place but not the other
         if kc_registered != ipa_registered:
-            LOG.warn(f"{username} does not have TOTP in both Keycloak and LDAP (kc_registered={kc_registered}, ipa_registered={ipa_registered})")
+            LOG.warning(
+                "%s does not have TOTP in both Keycloak and LDAP "
+                "(kc_registered=%s, ipa_registered=%s)",
+                username,
+                kc_registered,
+                ipa_registered,
+            )
 
         # If already registered *somewhere*
         if kc_registered or ipa_registered:
             return render_template("otp.html", version=version, configured=True)
 
         secret = generate_kc_otp(username)
         otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
-            "{}@csh.rit.edu".format(username), issuer_name="CSH"
+            f"{username}@csh.rit.edu", issuer_name="CSH"
         )
 
         return render_template(
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
 
     otp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
-        "{}@csh.rit.edu".format(username), issuer_name="CSH"
+        f"{username}@csh.rit.edu", issuer_name="CSH"
     )
     if not secret:
         flash("Invalid secret provided. Please try again.")
         return redirect("/otp")
     if not otp_code:
-        flash("No one time password provided. Please scan the code and try again.")
+        flash(
+            "One time password provided did not match expected value. "
+            "Please scan the code and try again."
+        )
         return render_template(
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )
 
     try:
         register_kc_otp(username, secret, otp_code)
     except OTPInvalidCode:
-        flash("One time password provided did not match expected value. Please scan the code and try again.")
+        flash(
+            "One time password provided did not match expected value."
+            "Please scan the code and try again."
+        )
         return render_template(
             "otp.html", version=version, otp_uri=otp_uri, secret=secret
         )