npm - @weirdfingers/baseboards - Versions diffs - 0.9.5 → 0.9.7 - Mend

@weirdfingers/baseboards 0.9.5 → 0.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/templates/api/src/boards/auth/adapters/auth0.py DELETED Viewed

@@ -1,220 +0,0 @@
-"""Auth0 OIDC authentication adapter."""
-from __future__ import annotations
-from typing import Any
-from uuid import UUID
-import httpx
-import jwt
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class Auth0OIDCAdapter:
-    """Auth0 OIDC authentication adapter."""
-    def __init__(
-        self,
-        domain: str,
-        audience: str,
-        client_id: str | None = None,
-        client_secret: str | None = None,
-    ):
-        """
-        Initialize Auth0 adapter.
-        Args:
-            domain: Auth0 domain (e.g., "myapp.us.auth0.com")
-            audience: Auth0 API identifier/audience
-            client_id: Optional client ID for API calls
-            client_secret: Optional client secret for API calls
-        """
-        self.domain = domain
-        self.audience = audience
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.issuer = f"https://{domain}/"
-        self.jwks_url = f"https://{domain}/.well-known/jwks.json"
-        self._jwks_cache: dict[str, Any] = {}
-        self._http_client = httpx.AsyncClient()
-    async def verify_token(self, token: str) -> Principal:
-        """Verify an Auth0 JWT token and return the principal."""
-        try:
-            # JWT library already imported
-            from jwt.exceptions import InvalidTokenError
-            # Get JWKS for verification
-            jwks = await self._get_jwks()
-            # Decode JWT header to get key ID
-            unverified_header = jwt.get_unverified_header(token)
-            kid = unverified_header.get("kid")
-            if not kid:
-                raise AuthenticationError("Missing 'kid' in JWT header")
-            # Find the matching key
-            key = None
-            for jwk in jwks.get("keys", []):
-                if jwk.get("kid") == kid:
-                    # Store the JWK - PyJWT handles conversion internally
-                    key = jwk
-                    break
-            if not key:
-                raise AuthenticationError(f"Unable to find key with kid: {kid}")
-            # Verify and decode the token
-            payload = jwt.decode(
-                token,
-                key,
-                algorithms=["RS256"],
-                issuer=self.issuer,
-                audience=self.audience,
-                options={
-                    "verify_exp": True,
-                    "verify_nbf": True,
-                    "verify_iat": True,
-                    "verify_aud": True,
-                    "verify_iss": True,
-                },
-            )
-            # Extract required claims
-            subject = payload.get("sub")
-            if not subject:
-                raise AuthenticationError("Missing 'sub' claim in token")
-            # Build principal from Auth0 claims
-            principal = Principal(
-                provider="auth0",
-                subject=subject,
-            )
-            # Add optional claims
-            if email := payload.get("email"):
-                principal["email"] = email
-            # Extract name information
-            if name := payload.get("name"):
-                principal["display_name"] = name
-            elif given_name := payload.get("given_name"):
-                family_name = payload.get("family_name", "")
-                principal["display_name"] = f"{given_name} {family_name}".strip()
-            elif nickname := payload.get("nickname"):
-                principal["display_name"] = nickname
-            if picture := payload.get("picture"):
-                principal["avatar_url"] = picture
-            # Store all claims for additional context
-            principal["claims"] = payload
-            return principal
-        except ImportError as e:
-            raise AuthenticationError("PyJWT is required for Auth0 authentication") from e
-        except InvalidTokenError as e:
-            logger.warning(f"Auth0 JWT token validation failed: {e}")
-            raise AuthenticationError(f"Invalid token: {e}") from e
-        except Exception as e:
-            logger.error(f"Unexpected error verifying Auth0 token: {e}")
-            raise AuthenticationError("Token verification failed") from e
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """
-        Issue a new token via Auth0 Management API (requires client credentials).
-        This is rarely used as Auth0 typically handles token issuance via client libraries.
-        """
-        if not self.client_id or not self.client_secret:
-            raise NotImplementedError("Token issuance requires client_id and client_secret")
-        try:
-            # Get management API access token first
-            await self._get_management_token()
-            # This would require implementing Auth0's Management API token creation
-            # which is complex and rarely used. Most apps use client-side auth.
-            raise NotImplementedError(
-                "Server-side token issuance not commonly supported. "
-                "Use Auth0 client libraries for authentication."
-            )
-        except Exception as e:
-            logger.error(f"Failed to issue Auth0 token: {e}")
-            raise AuthenticationError("Token issuance failed") from e
-    async def get_user_info(self, token: str) -> dict:
-        """Get additional user information from Auth0 userinfo endpoint."""
-        try:
-            response = await self._http_client.get(
-                f"https://{self.domain}/userinfo",
-                headers={
-                    "Authorization": f"Bearer {token}",
-                    "Content-Type": "application/json",
-                },
-            )
-            if response.status_code == 200:
-                return response.json()
-            else:
-                logger.warning(f"Failed to get Auth0 user info: {response.status_code}")
-                return {}
-        except Exception as e:
-            logger.warning(f"Failed to get Auth0 user info: {e}")
-            return {}
-    async def _get_jwks(self) -> dict[str, Any]:
-        """Get JWKS from Auth0 for JWT verification."""
-        try:
-            # Check cache first (in production, implement TTL)
-            if self._jwks_cache:
-                return self._jwks_cache
-            response = await self._http_client.get(self.jwks_url)
-            response.raise_for_status()
-            jwks = response.json()
-            self._jwks_cache = jwks
-            return jwks
-        except Exception as e:
-            logger.error(f"Failed to fetch JWKS from Auth0: {e}")
-            raise AuthenticationError("Unable to verify token - JWKS unavailable") from e
-    async def _get_management_token(self) -> str:
-        """Get Auth0 Management API access token."""
-        try:
-            response = await self._http_client.post(
-                f"https://{self.domain}/oauth/token",
-                json={
-                    "client_id": self.client_id,
-                    "client_secret": self.client_secret,
-                    "audience": f"https://{self.domain}/api/v2/",
-                    "grant_type": "client_credentials",
-                },
-                headers={"Content-Type": "application/json"},
-            )
-            response.raise_for_status()
-            data = response.json()
-            return data["access_token"]
-        except Exception as e:
-            logger.error(f"Failed to get Auth0 management token: {e}")
-            raise AuthenticationError("Unable to get management token") from e
-    async def __aenter__(self):
-        return self
-    async def __aexit__(self, exc_type, exc_val, exc_tb):
-        await self._http_client.aclose()

package/templates/api/src/boards/auth/adapters/base.py DELETED Viewed

@@ -1,73 +0,0 @@
-"""Base authentication adapter interface and types."""
-from __future__ import annotations
-from typing import Literal, NotRequired, Protocol, TypedDict
-from uuid import UUID
-class Principal(TypedDict):
-    """Identity extracted from an incoming token."""
-    provider: Literal["supabase", "clerk", "auth0", "oidc", "jwt", "none"]
-    subject: str  # provider user id (sub)
-    email: NotRequired[str]
-    display_name: NotRequired[str]
-    avatar_url: NotRequired[str]
-    claims: NotRequired[dict]
-class AuthAdapter(Protocol):
-    """Provider-agnostic authentication adapter interface."""
-    async def verify_token(self, token: str) -> Principal:
-        """
-        Verify a token and return the principal identity.
-        Args:
-            token: The authentication token to verify
-        Returns:
-            Principal containing identity information
-        Raises:
-            AuthenticationError: If token is invalid or expired
-        """
-        ...
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """
-        Issue a new token (optional - not all providers support this).
-        Args:
-            user_id: Optional user ID to include in token
-            claims: Optional additional claims to include
-        Returns:
-            Signed token string
-        """
-        ...
-    async def get_user_info(self, token: str) -> dict:
-        """
-        Get provider-specific user information (optional enrichment).
-        Args:
-            token: Valid authentication token
-        Returns:
-            Dictionary of provider-specific user data
-        """
-        ...
-class AuthenticationError(Exception):
-    """Raised when authentication fails."""
-    pass
-class AuthorizationError(Exception):
-    """Raised when authorization fails."""
-    pass

package/templates/api/src/boards/auth/adapters/clerk.py DELETED Viewed

@@ -1,172 +0,0 @@
-"""Clerk authentication adapter."""
-from __future__ import annotations
-from typing import Any
-from uuid import UUID
-import httpx
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class ClerkAuthAdapter:
-    """Clerk authentication adapter."""
-    def __init__(self, secret_key: str, jwks_url: str | None = None):
-        """
-        Initialize Clerk adapter.
-        Args:
-            secret_key: Clerk secret key for API calls
-            jwks_url: Optional JWKS URL for JWT verification (auto-discovered if not provided)
-        """
-        self.secret_key = secret_key
-        self.jwks_url = jwks_url or "https://api.clerk.dev/v1/jwks"
-        self._jwks_cache: dict[str, Any] = {}
-        self._http_client = httpx.AsyncClient()
-    async def verify_token(self, token: str) -> Principal:
-        """Verify a Clerk JWT token and return the principal."""
-        try:
-            import jwt
-            from jwt.exceptions import InvalidTokenError
-            # Get JWKS for verification
-            jwks = await self._get_jwks()
-            # Decode JWT header to get key ID
-            unverified_header = jwt.get_unverified_header(token)
-            kid = unverified_header.get("kid")
-            if not kid:
-                raise AuthenticationError("Missing 'kid' in JWT header")
-            # Find the matching key
-            key = None
-            for jwk in jwks.get("keys", []):
-                if jwk.get("kid") == kid:
-                    # Store the JWK - PyJWT handles conversion internally
-                    key = jwk
-                    break
-            if not key:
-                raise AuthenticationError(f"Unable to find key with kid: {kid}")
-            # Verify and decode the token
-            payload = jwt.decode(
-                token,
-                key,
-                algorithms=["RS256"],
-                options={
-                    "verify_exp": True,
-                    "verify_nbf": True,
-                    "verify_iat": True,
-                },
-            )
-            # Extract required claims
-            subject = payload.get("sub")
-            if not subject:
-                raise AuthenticationError("Missing 'sub' claim in token")
-            # Build principal from Clerk claims
-            principal = Principal(
-                provider="clerk",
-                subject=subject,
-            )
-            # Add optional claims
-            if email := payload.get("email"):
-                principal["email"] = email
-            elif email_addresses := payload.get("email_addresses"):
-                # Clerk sometimes uses email_addresses array
-                if email_addresses and len(email_addresses) > 0:
-                    principal["email"] = email_addresses[0].get("email_address")
-            # Extract name information
-            if first_name := payload.get("given_name"):
-                last_name = payload.get("family_name", "")
-                principal["display_name"] = f"{first_name} {last_name}".strip()
-            elif name := payload.get("name"):
-                principal["display_name"] = name
-            if picture := payload.get("picture"):
-                principal["avatar_url"] = picture
-            # Store all claims for additional context
-            principal["claims"] = payload
-            return principal
-        except ImportError as e:
-            raise AuthenticationError("PyJWT is required for Clerk authentication") from e
-        except InvalidTokenError as e:
-            logger.warning(f"Clerk JWT token validation failed: {e}")
-            raise AuthenticationError(f"Invalid token: {e}") from e
-        except Exception as e:
-            logger.error(f"Unexpected error verifying Clerk token: {e}")
-            raise AuthenticationError("Token verification failed") from e
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """
-        Issue a new token via Clerk (not commonly used).
-        Note: Clerk typically handles token issuance on the client side.
-        This method is provided for completeness but may not be used in practice.
-        """
-        raise NotImplementedError("Token issuance should be handled by Clerk client libraries")
-    async def get_user_info(self, token: str) -> dict:
-        """Get additional user information from Clerk API."""
-        try:
-            # First verify the token to get the subject
-            principal = await self.verify_token(token)
-            user_id = principal["subject"]
-            # Get additional user info from Clerk API
-            response = await self._http_client.get(
-                f"https://api.clerk.dev/v1/users/{user_id}",
-                headers={
-                    "Authorization": f"Bearer {self.secret_key}",
-                    "Content-Type": "application/json",
-                },
-            )
-            if response.status_code == 200:
-                return response.json()
-            else:
-                logger.warning(f"Failed to get Clerk user info: {response.status_code}")
-                return {}
-        except Exception as e:
-            logger.warning(f"Failed to get Clerk user info: {e}")
-            return {}
-    async def _get_jwks(self) -> dict[str, Any]:
-        """Get JWKS from Clerk for JWT verification."""
-        try:
-            # Check cache first
-            if self._jwks_cache:
-                return self._jwks_cache
-            response = await self._http_client.get(self.jwks_url)
-            response.raise_for_status()
-            jwks = response.json()
-            self._jwks_cache = jwks
-            return jwks
-        except Exception as e:
-            logger.error(f"Failed to fetch JWKS from Clerk: {e}")
-            raise AuthenticationError("Unable to verify token - JWKS unavailable") from e
-    async def __aenter__(self):
-        return self
-    async def __aexit__(self, exc_type, exc_val, exc_tb):
-        await self._http_client.aclose()

package/templates/api/src/boards/auth/adapters/jwt.py DELETED Viewed

@@ -1,122 +0,0 @@
-"""JWT authentication adapter for self-issued tokens."""
-from __future__ import annotations
-from datetime import UTC, datetime, timedelta
-from uuid import UUID
-import jwt
-from jwt.exceptions import InvalidTokenError
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class JWTAuthAdapter:
-    """JWT authentication adapter for self-issued tokens."""
-    def __init__(
-        self,
-        secret_key: str,
-        algorithm: str = "HS256",
-        issuer: str = "boards",
-        audience: str = "boards-api",
-        token_expiry_hours: int = 24,
-    ):
-        self.secret_key = secret_key
-        self.algorithm = algorithm
-        self.issuer = issuer
-        self.audience = audience
-        self.token_expiry_hours = token_expiry_hours
-    async def verify_token(self, token: str) -> Principal:
-        """Verify a JWT token and return the principal."""
-        try:
-            payload = jwt.decode(
-                token,
-                self.secret_key,
-                algorithms=[self.algorithm],
-                issuer=self.issuer,
-                audience=self.audience,
-                options={
-                    "verify_exp": True,
-                    "verify_nbf": True,
-                    "verify_iat": True,
-                },
-            )
-            # Extract required claims
-            subject = payload.get("sub")
-            if not subject:
-                raise AuthenticationError("Missing 'sub' claim in token")
-            # Build principal from JWT claims
-            principal = Principal(
-                provider="jwt",
-                subject=subject,
-            )
-            # Add optional claims
-            if email := payload.get("email"):
-                principal["email"] = email
-            if display_name := payload.get("name"):
-                principal["display_name"] = display_name
-            if avatar_url := payload.get("picture"):
-                principal["avatar_url"] = avatar_url
-            # Store all claims for additional context
-            principal["claims"] = payload
-            return principal
-        except AuthenticationError:
-            # Re-raise our own authentication errors
-            raise
-        except InvalidTokenError as e:
-            logger.warning("JWT token validation failed", error=str(e))
-            raise AuthenticationError("Invalid token") from e
-        except Exception as e:
-            logger.error(f"Unexpected error verifying JWT token: {e}")
-            raise AuthenticationError("Token verification failed") from e
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """Issue a new JWT token."""
-        now = datetime.now(UTC)
-        payload = {
-            "iss": self.issuer,
-            "aud": self.audience,
-            "iat": now,
-            "nbf": now,
-            "exp": now + timedelta(hours=self.token_expiry_hours),
-        }
-        if user_id:
-            payload["sub"] = str(user_id)
-        if claims:
-            payload.update(claims)
-        return jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
-    async def get_user_info(self, token: str) -> dict:
-        """Get user info from JWT claims."""
-        try:
-            payload = jwt.decode(
-                token,
-                self.secret_key,
-                algorithms=[self.algorithm],
-                issuer=self.issuer,
-                audience=self.audience,
-                options={
-                    "verify_exp": True,
-                    "verify_nbf": True,
-                    "verify_iat": True,
-                },
-            )
-            return payload
-        except Exception as e:
-            logger.warning("Failed to decode JWT for user info", error=str(e))
-            return {}

package/templates/api/src/boards/auth/adapters/none.py DELETED Viewed

@@ -1,102 +0,0 @@
-"""No-auth adapter for local development without authentication."""
-from __future__ import annotations
-import os
-from uuid import UUID
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class NoAuthAdapter:
-    """
-    No-auth adapter that bypasses authentication for local development.
-    This adapter treats any request as authenticated with a default test user.
-    WARNING: Only use this in development environments!
-    """
-    def __init__(self, default_user_id: str = "dev-user", default_tenant: str = "default"):
-        self.default_user_id = default_user_id
-        self.default_tenant = default_tenant
-        # Production safety checks
-        environment = os.getenv("ENVIRONMENT", "").lower()
-        if environment in ("production", "prod"):
-            logger.error(
-                "NoAuthAdapter detected in production environment! "
-                "This is a security risk and should never be used in production.",
-                environment=environment,
-            )
-            raise RuntimeError(
-                "NoAuthAdapter cannot be used in production environments. "
-                "Please configure a proper authentication provider."
-            )
-        # Check for production-like domains
-        api_url = os.getenv("BOARDS_API_URL", "")
-        if api_url and not any(
-            domain in api_url for domain in ["localhost", "127.0.0.1", "dev.", "staging."]
-        ):
-            logger.warning(
-                "NoAuthAdapter detected with production-like URL. "
-                "Ensure this is intentional and not deployed to production.",
-                api_url=api_url,
-            )
-        logger.warning(
-            "NoAuthAdapter is active - ALL requests will be treated as authenticated! "
-            "This should ONLY be used in development.",
-            user_id=default_user_id,
-            environment=os.getenv("ENVIRONMENT", "unknown"),
-        )
-    async def verify_token(self, token: str) -> Principal:
-        """
-        Always returns a default principal - no actual verification.
-        Any non-empty token will be accepted. The token content doesn't matter.
-        """
-        if not token:
-            raise AuthenticationError("Token required (even in no-auth mode)")
-        # Return a default principal for development
-        principal = Principal(
-            provider="none",
-            subject=self.default_user_id,
-            email="dev@example.com",
-            display_name="Development User",
-            claims={
-                "mode": "development",
-                "token": token[:20] + "..." if len(token) > 20 else token,
-            },
-        )
-        # avatar_url is NotRequired, so we can add it as None if needed for tests
-        principal["avatar_url"] = ""
-        return principal
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """Issue a fake development token."""
-        token_parts = [
-            "dev-token",
-            str(user_id) if user_id else self.default_user_id,
-            "no-auth-mode",
-        ]
-        if claims:
-            token_parts.extend(f"{k}={v}" for k, v in claims.items())
-        return "|".join(token_parts)
-    async def get_user_info(self, token: str) -> dict:
-        """Return fake user info for development."""
-        return {
-            "id": self.default_user_id,
-            "email": "dev@example.com",
-            "name": "Development User",
-            "mode": "no-auth",
-            "token_preview": token[:20] + "..." if len(token) > 20 else token,
-        }