@weirdfingers/baseboards 0.2.0

package/templates/api/src/boards/auth/middleware.py

@@ -0,0 +1,221 @@
+"""Authentication middleware for FastAPI."""
+
+from __future__ import annotations
+
+from uuid import UUID
+
+from fastapi import Header, HTTPException
+
+from ..database.connection import get_async_session
+from ..database.seed_data import ensure_tenant
+from ..logging import get_logger
+from .adapters.base import AuthenticationError
+from .context import DEFAULT_TENANT_UUID, AuthContext
+from .factory import get_auth_adapter_cached
+from .provisioning import ensure_local_user
+from .tenant_extraction import extract_tenant_from_claims
+
+logger = get_logger(__name__)
+
+
+async def get_auth_context(
+    authorization: str | None = Header(None),
+    x_tenant: str | None = Header(None, alias="X-Tenant"),
+) -> AuthContext:
+    """
+    Extract authentication context from request headers.
+
+    This function:
+    1. Extracts Bearer token from Authorization header
+    2. Verifies token using the configured auth adapter
+    3. Resolves tenant (defaults to 'default' for single-tenant)
+    4. Performs JIT user provisioning
+    5. Returns AuthContext for the request
+
+    For no-auth mode, any token (or "dev-token") will work.
+
+    Args:
+        authorization: Authorization header (Bearer token)
+        x_tenant: Tenant identifier header
+
+    Returns:
+        AuthContext with user, tenant, and token info
+    """
+    adapter = get_auth_adapter_cached()
+
+    # Check if we're in no-auth mode
+    is_no_auth_mode = hasattr(adapter, "default_user_id")  # NoAuthAdapter has this attribute
+
+    # Handle unauthenticated requests
+    if not authorization:
+        if is_no_auth_mode:
+            # In no-auth mode, create a default token
+            authorization = "Bearer dev-token"
+        else:
+            # Use header tenant or default for unauthenticated requests
+            tenant_slug = x_tenant or "default"
+            tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
+            return AuthContext(
+                user_id=None,
+                tenant_id=tenant_uuid,
+                principal=None,
+                token=None,
+            )
+
+    # Extract Bearer token
+    if not authorization.startswith("Bearer "):
+        logger.warning("Invalid authorization format received")
+        raise HTTPException(
+            status_code=401,
+            detail="Invalid authorization format. Expected: Bearer <token>",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    token = authorization[7:]  # Remove "Bearer " prefix
+
+    if not token:
+        logger.warning("Empty token provided")
+        raise HTTPException(
+            status_code=401,
+            detail="Empty token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    try:
+        # Verify token with auth adapter
+        principal = await adapter.verify_token(token)
+
+        # Extract tenant from JWT/OIDC claims with fallback to header
+        tenant_slug = extract_tenant_from_claims(principal, fallback_tenant=x_tenant)
+
+        logger.debug(
+            "Tenant resolved for authenticated request",
+            tenant_slug=tenant_slug,
+            header_tenant=x_tenant,
+            provider=principal.get("provider"),
+            subject=principal.get("subject"),
+        )
+
+        # Resolve tenant slug to UUID and perform JIT user provisioning
+        try:
+            async with get_async_session() as db:
+                # Ensure tenant exists and get its UUID
+                tenant_uuid = await ensure_tenant(db, slug=tenant_slug)
+                # Now provision the user with the tenant UUID
+                user_id = await ensure_local_user(db, tenant_uuid, principal)
+
+            logger.debug(
+                "User provisioned and tenant resolved",
+                user_id=str(user_id),
+                tenant_uuid=str(tenant_uuid),
+                tenant_slug=tenant_slug,
+            )
+        except Exception as db_error:
+            # Database connection failed, use the same deterministic fallback
+            logger.error(
+                "Database connection failed, using fallback user ID generation",
+                error=str(db_error),
+                principal_provider=principal.get("provider"),
+                principal_subject=principal.get("subject"),
+            )
+
+            import hashlib
+
+            provider = principal.get("provider", "unknown")
+            subject = principal.get("subject", "anonymous")
+            stable_input = f"{provider}:{subject}:{tenant_slug}"
+            user_id_hash = hashlib.sha256(stable_input.encode()).hexdigest()[:32]
+            # Format hash as UUID: 8-4-4-4-12 pattern
+            formatted_uuid = (
+                f"{user_id_hash[:8]}-{user_id_hash[8:12]}-"
+                f"{user_id_hash[12:16]}-{user_id_hash[16:20]}-"
+                f"{user_id_hash[20:32]}"
+            )
+            from uuid import UUID
+
+            user_id = UUID(formatted_uuid)
+
+            # Also resolve tenant_uuid in this fallback path
+            tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
+
+        return AuthContext(
+            user_id=user_id,
+            tenant_id=tenant_uuid,
+            principal=principal,
+            token=token,
+        )
+
+    except AuthenticationError as e:
+        logger.warning("Authentication failed", error=str(e))
+        raise HTTPException(
+            status_code=401,
+            detail=str(e),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
+    except Exception as e:
+        logger.error("Unexpected authentication error", error=str(e))
+        raise HTTPException(
+            status_code=401,
+            detail="Authentication failed",
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
+
+
+async def get_auth_context_optional(
+    authorization: str | None = Header(None),
+    x_tenant: str | None = Header(None, alias="X-Tenant"),
+) -> AuthContext:
+    """
+    Optional authentication - returns unauthenticated context if no token.
+
+    Use this for endpoints that work both authenticated and unauthenticated.
+    """
+    try:
+        return await get_auth_context(authorization, x_tenant)
+    except HTTPException:
+        # Return unauthenticated context
+        tenant_slug = x_tenant or "default"
+        tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
+        return AuthContext(
+            user_id=None,
+            tenant_id=tenant_uuid,
+            principal=None,
+            token=None,
+        )
+
+
+async def _resolve_tenant_uuid(tenant_slug: str) -> UUID:
+    """
+    Resolve a tenant slug to its UUID.
+
+    Falls back to DEFAULT_TENANT_UUID if:
+    - Database lookup fails
+    - Tenant doesn't exist
+    - Running in single-tenant mode
+
+    Args:
+        tenant_slug: The tenant slug to resolve (e.g., "default", "acme-corp")
+
+    Returns:
+        UUID of the tenant, or DEFAULT_TENANT_UUID if resolution fails
+    """
+    try:
+        from ..database.connection import get_async_session
+        from ..database.seed_data import ensure_tenant
+
+        async with get_async_session() as db:
+            tenant_uuid = await ensure_tenant(db, slug=tenant_slug)
+            logger.debug(
+                "Resolved tenant slug to UUID",
+                tenant_slug=tenant_slug,
+                tenant_uuid=str(tenant_uuid),
+            )
+            return tenant_uuid
+    except Exception as e:
+        logger.warning(
+            "Failed to resolve tenant UUID, using default",
+            tenant_slug=tenant_slug,
+            error=str(e),
+            default_uuid=str(DEFAULT_TENANT_UUID),
+        )
+        return DEFAULT_TENANT_UUID

package/templates/api/src/boards/auth/provisioning.py

@@ -0,0 +1,129 @@
+"""User provisioning and management."""
+
+from __future__ import annotations
+
+from uuid import UUID
+
+from sqlalchemy import and_, select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from ..dbmodels import Users
+from ..logging import get_logger
+from .adapters.base import Principal
+
+logger = get_logger(__name__)
+
+
+async def ensure_local_user(db: AsyncSession, tenant_id: UUID, principal: Principal) -> UUID:
+    """
+    Ensure a local user exists for the given principal (JIT provisioning).
+
+    This function creates a local user record if one doesn't exist for the
+    given (tenant_id, auth_provider, auth_subject) combination.
+
+    Args:
+        db: Database session
+        tenant_id: Tenant UUID
+        principal: Authenticated principal from auth provider
+
+    Returns:
+        UUID of the local user
+    """
+    provider = principal["provider"]
+    subject = principal["subject"]
+
+    # Ensure tenant_id is a UUID
+    if not isinstance(tenant_id, UUID):
+        raise ValueError(f"tenant_id must be a UUID, got {type(tenant_id)}")
+
+    # Try to find existing user
+    stmt = select(Users).where(
+        and_(
+            Users.tenant_id == tenant_id,
+            Users.auth_provider == provider,
+            Users.auth_subject == subject,
+        )
+    )
+
+    result = await db.execute(stmt)
+    user = result.scalar_one_or_none()
+
+    if user:
+        # Update user info if provided in principal, but preserve existing non-empty values
+        updated = False
+
+        email = principal.get("email")
+        if email and not user.email:  # Only update if current email is empty/None
+            user.email = email
+            updated = True
+
+        display_name = principal.get("display_name")
+        # Only update if current display_name is empty/None
+        if display_name and not user.display_name:
+            user.display_name = display_name
+            updated = True
+
+        avatar_url = principal.get("avatar_url")
+        if avatar_url and not user.avatar_url:  # Only update if current avatar_url is empty/None
+            user.avatar_url = avatar_url
+            updated = True
+
+        if updated:
+            await db.commit()
+            await db.refresh(user)
+            logger.info("Updated user info (preserving existing values)", user_id=str(user.id))
+
+        return user.id
+
+    # Create new user
+    user = Users(
+        tenant_id=tenant_id,
+        auth_provider=provider,
+        auth_subject=subject,
+        email=principal.get("email"),
+        display_name=principal.get("display_name"),
+        avatar_url=principal.get("avatar_url"),
+        metadata_={
+            "created_via": "jit_provisioning",
+            "provider_claims": principal.get("claims", {}),
+        },
+    )
+
+    db.add(user)
+    await db.commit()
+    await db.refresh(user)
+
+    logger.info(
+        "Created new user via JIT provisioning",
+        user_id=str(user.id),
+        tenant_id=tenant_id,
+        provider=provider,
+    )
+
+    return user.id
+
+
+async def get_user_by_id(db: AsyncSession, user_id: UUID) -> Users | None:
+    """Get a user by ID."""
+    stmt = select(Users).where(Users.id == user_id)
+    result = await db.execute(stmt)
+    return result.scalar_one_or_none()
+
+
+async def get_user_by_auth_info(
+    db: AsyncSession, tenant_id: UUID, auth_provider: str, auth_subject: str
+) -> Users | None:
+    """Get a user by auth provider information."""
+    # Ensure tenant_id is a UUID
+    if not isinstance(tenant_id, UUID):
+        raise ValueError(f"tenant_id must be a UUID, got {type(tenant_id)}")
+
+    stmt = select(Users).where(
+        and_(
+            Users.tenant_id == tenant_id,
+            Users.auth_provider == auth_provider,
+            Users.auth_subject == auth_subject,
+        )
+    )
+    result = await db.execute(stmt)
+    return result.scalar_one_or_none()

package/templates/api/src/boards/auth/tenant_extraction.py

@@ -0,0 +1,278 @@
+"""
+Tenant extraction utilities for multi-tenant authentication.
+
+This module provides utilities to extract tenant information from JWT/OIDC claims
+and other authentication contexts.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from ..config import settings
+from ..logging import get_logger
+from .context import Principal
+
+logger = get_logger(__name__)
+
+
+def extract_tenant_from_claims(
+    principal: Principal,
+    fallback_tenant: str | None = None,
+) -> str:
+    """
+    Extract tenant slug from JWT/OIDC claims.
+
+    This function supports multiple tenant extraction strategies:
+    1. Direct 'tenant' claim in JWT
+    2. Organization-based claims (org, organization, org_slug)
+    3. Custom claims (configurable via settings)
+    4. Domain-based extraction from email
+    5. Fallback to header or default
+
+    Args:
+        principal: Principal with claims from JWT/OIDC
+        fallback_tenant: Fallback tenant slug if no tenant found in claims
+
+    Returns:
+        Tenant slug extracted from claims or fallback
+    """
+    claims = principal.get("claims", {})
+
+    if not claims:
+        logger.debug("No claims available in principal, using fallback")
+        return fallback_tenant or settings.default_tenant_slug
+
+    # Strategy 1: Direct tenant claim
+    if tenant_slug := claims.get("tenant"):
+        logger.info("Extracted tenant from 'tenant' claim", tenant_slug=tenant_slug)
+        return _validate_tenant_slug(tenant_slug)
+
+    # Strategy 2: Organization-based claims
+    org_claims = ["org", "organization", "org_slug", "org_name"]
+    for claim_name in org_claims:
+        if org_value := claims.get(claim_name):
+            tenant_slug = _normalize_tenant_slug(org_value)
+            logger.info(
+                "Extracted tenant from organization claim",
+                claim_name=claim_name,
+                org_value=org_value,
+                tenant_slug=tenant_slug,
+            )
+            return tenant_slug
+
+    # Strategy 3: Custom claims (configurable)
+    custom_tenant_claim = getattr(settings, "jwt_tenant_claim", None)
+    if custom_tenant_claim and (custom_value := claims.get(custom_tenant_claim)):
+        tenant_slug = _normalize_tenant_slug(custom_value)
+        logger.info(
+            "Extracted tenant from custom claim",
+            claim_name=custom_tenant_claim,
+            custom_value=custom_value,
+            tenant_slug=tenant_slug,
+        )
+        return tenant_slug
+
+    # Strategy 4: Domain-based extraction from email
+    if settings.multi_tenant_mode and (email := claims.get("email")):
+        tenant_slug = _extract_tenant_from_email_domain(email)
+        if tenant_slug:
+            logger.info(
+                "Extracted tenant from email domain",
+                email=email,
+                tenant_slug=tenant_slug,
+            )
+            return tenant_slug
+
+    # Strategy 5: Namespace/sub-organization claims
+    namespace_claims = ["namespace", "group", "team", "workspace"]
+    for claim_name in namespace_claims:
+        if namespace_value := claims.get(claim_name):
+            tenant_slug = _normalize_tenant_slug(namespace_value)
+            logger.info(
+                "Extracted tenant from namespace claim",
+                claim_name=claim_name,
+                namespace_value=namespace_value,
+                tenant_slug=tenant_slug,
+            )
+            return tenant_slug
+
+    # No tenant found in claims, use fallback
+    logger.debug(
+        "No tenant information found in JWT/OIDC claims",
+        available_claims=list(claims.keys()),
+        using_fallback=fallback_tenant or settings.default_tenant_slug,
+    )
+    return fallback_tenant or settings.default_tenant_slug
+
+
+def extract_tenant_from_oidc_userinfo(
+    userinfo: dict[str, Any],
+    fallback_tenant: str | None = None,
+) -> str:
+    """
+    Extract tenant slug from OIDC userinfo endpoint response.
+
+    Args:
+        userinfo: Response from OIDC userinfo endpoint
+        fallback_tenant: Fallback tenant slug if no tenant found
+
+    Returns:
+        Tenant slug extracted from userinfo or fallback
+    """
+    if not userinfo:
+        return fallback_tenant or settings.default_tenant_slug
+
+    # Similar extraction strategies as claims
+    if tenant_slug := userinfo.get("tenant"):
+        return _validate_tenant_slug(tenant_slug)
+
+    # Organization-based extraction
+    for org_field in ["organization", "org", "company"]:
+        if org_value := userinfo.get(org_field):
+            return _normalize_tenant_slug(org_value)
+
+    # Groups/roles extraction
+    if groups := userinfo.get("groups", []):
+        if isinstance(groups, list) and groups:
+            # Use first group as tenant
+            return _normalize_tenant_slug(groups[0])
+
+    return fallback_tenant or settings.default_tenant_slug
+
+
+def _normalize_tenant_slug(value: Any) -> str:
+    """
+    Normalize a value to a valid tenant slug.
+
+    Args:
+        value: Value to normalize (string, dict, etc.)
+
+    Returns:
+        Normalized tenant slug
+    """
+    if isinstance(value, dict):
+        # Extract slug if it's an object with slug/id fields
+        return _normalize_tenant_slug(value.get("slug") or value.get("id") or value.get("name", ""))
+
+    # Convert to string and normalize
+    slug = str(value).lower().strip()
+
+    # Replace spaces and invalid characters with hyphens
+    import re
+
+    slug = re.sub(r"[^a-z0-9-]", "-", slug)
+
+    # Remove multiple consecutive hyphens
+    slug = re.sub(r"-+", "-", slug)
+
+    # Remove leading/trailing hyphens
+    slug = slug.strip("-")
+
+    # Ensure it's not empty and not too long
+    if not slug:
+        slug = "unknown"
+    elif len(slug) > 50:  # Reasonable limit for tenant slugs
+        slug = slug[:50].rstrip("-")
+
+    return slug
+
+
+def _validate_tenant_slug(slug: str) -> str:
+    """
+    Validate a tenant slug format.
+
+    Args:
+        slug: Tenant slug to validate
+
+    Returns:
+        Validated slug
+
+    Raises:
+        ValueError: If slug is invalid
+    """
+    if not slug:
+        raise ValueError("Tenant slug cannot be empty")
+
+    if len(slug) > 255:
+        raise ValueError("Tenant slug too long (max 255 characters)")
+
+    import re
+
+    if not re.match(r"^[a-z0-9-]+$", slug):
+        raise ValueError("Tenant slug must contain only lowercase letters, numbers, and hyphens")
+
+    if slug.startswith("-") or slug.endswith("-"):
+        raise ValueError("Tenant slug cannot start or end with hyphen")
+
+    return slug
+
+
+def _extract_tenant_from_email_domain(email: str) -> str | None:
+    """
+    Extract tenant slug from email domain.
+
+    This is useful for organizations that want to automatically
+    assign tenants based on email domains.
+
+    Args:
+        email: Email address
+
+    Returns:
+        Tenant slug derived from domain, or None if not applicable
+    """
+    try:
+        domain = email.split("@")[1].lower()
+
+        # Skip common public email domains
+        public_domains = {
+            "gmail.com",
+            "yahoo.com",
+            "outlook.com",
+            "hotmail.com",
+            "icloud.com",
+            "protonmail.com",
+            "aol.com",
+        }
+
+        if domain in public_domains:
+            logger.debug(
+                "Skipping tenant extraction from public email domain",
+                domain=domain,
+            )
+            return None
+
+        # Extract organization name from domain
+        # e.g., "user@acme-corp.com" -> "acme-corp"
+        org_name = domain.split(".")[0]
+        return _normalize_tenant_slug(org_name)
+
+    except (IndexError, AttributeError):
+        logger.warning("Invalid email format for domain extraction", email=email)
+        return None
+
+
+def get_tenant_extraction_config() -> dict[str, Any]:
+    """
+    Get current tenant extraction configuration.
+
+    Returns:
+        Dictionary with tenant extraction settings
+    """
+    return {
+        "multi_tenant_mode": settings.multi_tenant_mode,
+        "default_tenant_slug": settings.default_tenant_slug,
+        "custom_tenant_claim": getattr(settings, "jwt_tenant_claim", None),
+        "domain_based_extraction": settings.multi_tenant_mode,
+        "supported_claim_names": [
+            "tenant",
+            "org",
+            "organization",
+            "org_slug",
+            "org_name",
+            "namespace",
+            "group",
+            "team",
+            "workspace",
+        ],
+    }