npm - @weirdfingers/baseboards - Versions diffs - 0.9.5 → 0.9.7 - Mend

@weirdfingers/baseboards 0.9.5 → 0.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/templates/api/src/boards/auth/adapters/oidc.py DELETED Viewed

@@ -1,284 +0,0 @@
-"""Generic OIDC authentication adapter."""
-from __future__ import annotations
-import time
-from typing import Any
-from uuid import UUID
-import httpx
-import jwt
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class OIDCAdapter:
-    """Generic OIDC authentication adapter."""
-    def __init__(
-        self,
-        issuer: str,
-        client_id: str,
-        client_secret: str | None = None,
-        audience: str | None = None,
-        jwks_url: str | None = None,
-        jwks_cache_ttl: int = 3600,  # 1 hour default TTL
-    ):
-        """
-        Initialize OIDC adapter.
-        Args:
-            issuer: OIDC issuer URL (e.g., "https://accounts.google.com")
-            client_id: OIDC client ID
-            client_secret: Optional client secret for API calls
-            audience: Optional audience/client_id for token validation
-            jwks_url: Optional JWKS URL (auto-discovered if not provided)
-            jwks_cache_ttl: JWKS cache TTL in seconds (default: 3600 = 1 hour)
-        """
-        self.issuer = issuer.rstrip("/")
-        self.client_id = client_id
-        self.client_secret = client_secret
-        self.audience = audience or client_id
-        self.jwks_url = jwks_url
-        self.jwks_cache_ttl = jwks_cache_ttl
-        self._oidc_config: dict[str, Any] = {}
-        # Cache structure: {"data": jwks_data, "expires_at": timestamp}
-        self._jwks_cache: dict[str, Any] = {}
-        self._http_client = httpx.AsyncClient()
-    async def verify_token(self, token: str) -> Principal:
-        """Verify an OIDC JWT token and return the principal."""
-        try:
-            # JWT library already imported
-            from jwt.exceptions import InvalidTokenError
-            # Get OIDC configuration and JWKS
-            await self._ensure_oidc_config()
-            jwks = await self._get_jwks()
-            # Decode JWT header to get key ID
-            unverified_header = jwt.get_unverified_header(token)
-            kid = unverified_header.get("kid")
-            if not kid:
-                raise AuthenticationError("Missing 'kid' in JWT header")
-            # Find the matching key
-            key = None
-            for jwk in jwks.get("keys", []):
-                if jwk.get("kid") == kid:
-                    # Store the JWK - PyJWT handles RSA/EC conversion internally
-                    key = jwk
-                    break
-            if not key:
-                raise AuthenticationError(f"Unable to find key with kid: {kid}")
-            # Determine algorithm from JWK
-            alg = jwk.get("alg", "RS256")
-            # Verify and decode the token
-            payload = jwt.decode(
-                token,
-                key,
-                algorithms=[alg],
-                issuer=self.issuer,
-                audience=self.audience,
-                options={
-                    "verify_exp": True,
-                    "verify_nbf": True,
-                    "verify_iat": True,
-                    "verify_aud": True,
-                    "verify_iss": True,
-                },
-            )
-            # Extract required claims
-            subject = payload.get("sub")
-            if not subject:
-                raise AuthenticationError("Missing 'sub' claim in token")
-            # Build principal from OIDC claims
-            principal = Principal(
-                provider="oidc",
-                subject=subject,
-            )
-            # Add optional standard OIDC claims
-            if email := payload.get("email"):
-                principal["email"] = email
-            # Extract name information
-            if name := payload.get("name"):
-                principal["display_name"] = name
-            elif given_name := payload.get("given_name"):
-                family_name = payload.get("family_name", "")
-                principal["display_name"] = f"{given_name} {family_name}".strip()
-            elif preferred_username := payload.get("preferred_username"):
-                principal["display_name"] = preferred_username
-            if picture := payload.get("picture"):
-                principal["avatar_url"] = picture
-            # Store all claims for additional context
-            principal["claims"] = payload
-            return principal
-        except ImportError as e:
-            raise AuthenticationError("PyJWT is required for OIDC authentication") from e
-        except InvalidTokenError as e:
-            logger.warning(f"OIDC JWT token validation failed: {e}")
-            raise AuthenticationError(f"Invalid token: {e}") from e
-        except Exception as e:
-            logger.error(f"Unexpected error verifying OIDC token: {e}")
-            raise AuthenticationError("Token verification failed") from e
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """
-        Issue a new token via OIDC provider (rarely supported).
-        Most OIDC providers handle token issuance via client libraries.
-        """
-        raise NotImplementedError("Token issuance should be handled by OIDC client libraries")
-    async def get_user_info(self, token: str) -> dict:
-        """Get additional user information from OIDC userinfo endpoint."""
-        try:
-            await self._ensure_oidc_config()
-            userinfo_endpoint = self._oidc_config.get("userinfo_endpoint")
-            if not userinfo_endpoint:
-                logger.warning("No userinfo_endpoint in OIDC configuration")
-                return {}
-            response = await self._http_client.get(
-                userinfo_endpoint,
-                headers={
-                    "Authorization": f"Bearer {token}",
-                    "Content-Type": "application/json",
-                },
-            )
-            if response.status_code == 200:
-                return response.json()
-            else:
-                logger.warning(f"Failed to get OIDC user info: {response.status_code}")
-                return {}
-        except Exception as e:
-            logger.warning(f"Failed to get OIDC user info: {e}")
-            return {}
-    async def _ensure_oidc_config(self) -> None:
-        """Ensure OIDC discovery configuration is loaded."""
-        if self._oidc_config:
-            return
-        try:
-            # OIDC Discovery
-            discovery_url = f"{self.issuer}/.well-known/openid_configuration"
-            response = await self._http_client.get(discovery_url)
-            response.raise_for_status()
-            self._oidc_config = response.json()
-            # Set JWKS URL if not provided
-            if not self.jwks_url:
-                self.jwks_url = self._oidc_config.get("jwks_uri")
-            if not self.jwks_url:
-                raise AuthenticationError("Unable to determine JWKS URL")
-        except Exception as e:
-            logger.error(f"Failed to load OIDC configuration: {e}")
-            raise AuthenticationError("Unable to load OIDC configuration") from e
-    async def _get_jwks(self) -> dict[str, Any]:
-        """Get JWKS from OIDC provider for JWT verification with TTL caching."""
-        try:
-            # Ensure we have JWKS URL
-            if not self.jwks_url:
-                await self._ensure_oidc_config()
-            current_time = time.time()
-            # Check cache first with TTL
-            if (
-                self._jwks_cache
-                and "data" in self._jwks_cache
-                and "expires_at" in self._jwks_cache
-                and current_time < self._jwks_cache["expires_at"]
-            ):
-                logger.debug(
-                    "Returning cached JWKS",
-                    cache_expires_in=int(self._jwks_cache["expires_at"] - current_time),
-                )
-                return self._jwks_cache["data"]
-            # Cache expired or empty, fetch fresh JWKS
-            if self._jwks_cache:
-                logger.info(
-                    "JWKS cache expired, fetching fresh data",
-                    cache_age=int(
-                        current_time
-                        - (self._jwks_cache.get("expires_at", current_time) - self.jwks_cache_ttl)
-                    ),
-                )
-            # Ensure jwks_url is available after config check
-            if not self.jwks_url:
-                raise AuthenticationError("JWKS URL not available after configuration")
-            logger.debug("Fetching JWKS from provider", jwks_url=self.jwks_url)
-            response = await self._http_client.get(self.jwks_url)
-            response.raise_for_status()
-            jwks = response.json()
-            # Determine TTL from cache-control header or use default
-            cache_ttl = self.jwks_cache_ttl
-            cache_control = response.headers.get("cache-control", "")
-            if "max-age=" in cache_control:
-                try:
-                    # Extract max-age value from cache-control header
-                    max_age_str = cache_control.split("max-age=")[1].split(",")[0].split(";")[0]
-                    header_ttl = int(max_age_str)
-                    # Use the smaller of header TTL and configured TTL for security
-                    cache_ttl = min(header_ttl, self.jwks_cache_ttl)
-                    logger.debug(
-                        "Using cache-control max-age",
-                        header_ttl=header_ttl,
-                        effective_ttl=cache_ttl,
-                    )
-                except (ValueError, IndexError):
-                    logger.debug(
-                        "Could not parse cache-control max-age, using default TTL",
-                        default_ttl=cache_ttl,
-                    )
-            # Update cache with TTL
-            expires_at = current_time + cache_ttl
-            self._jwks_cache = {"data": jwks, "expires_at": expires_at}
-            logger.info(
-                "Updated JWKS cache",
-                cache_ttl=cache_ttl,
-                expires_at=int(expires_at),
-                keys_count=len(jwks.get("keys", [])),
-            )
-            return jwks
-        except Exception as e:
-            logger.error("Failed to fetch JWKS from OIDC provider", error=str(e))
-            raise AuthenticationError("Unable to verify token - JWKS unavailable") from e
-    async def __aenter__(self):
-        return self
-    async def __aexit__(self, exc_type, exc_val, exc_tb):
-        await self._http_client.aclose()

package/templates/api/src/boards/auth/adapters/supabase.py DELETED Viewed

@@ -1,110 +0,0 @@
-"""Supabase authentication adapter."""
-from __future__ import annotations
-from uuid import UUID
-import jwt
-from supabase import Client, create_client
-from ...logging import get_logger
-from .base import AuthenticationError, Principal
-logger = get_logger(__name__)
-class SupabaseAuthAdapter:
-    """Supabase authentication adapter."""
-    def __init__(self, url: str, service_role_key: str):
-        """
-        Initialize Supabase adapter.
-        Args:
-            url: Supabase project URL
-            service_role_key: Service role key for admin operations
-        """
-        self.url = url
-        self.service_role_key = service_role_key
-        self.client: Client = create_client(url, service_role_key)
-    async def verify_token(self, token: str) -> Principal:
-        """Verify a Supabase JWT token and return the principal."""
-        try:
-            # Get user info from Supabase auth
-            user_response = self.client.auth.get_user(token)
-            if not user_response or not user_response.user:
-                raise AuthenticationError("Invalid or expired token")
-            user = user_response.user
-            # Build principal from Supabase user
-            principal = Principal(
-                provider="supabase",
-                subject=user.id,
-            )
-            # Add optional user data
-            if user.email:
-                principal["email"] = user.email
-            # Extract display name from user metadata
-            if user.user_metadata:
-                if display_name := user.user_metadata.get("display_name") or user.user_metadata.get(
-                    "full_name"
-                ):
-                    principal["display_name"] = display_name
-                if avatar_url := user.user_metadata.get("avatar_url"):
-                    principal["avatar_url"] = avatar_url
-            # Store raw claims for additional context
-            try:
-                # Decode JWT without verification to get all claims
-                # (we already verified via Supabase API)
-                decoded = jwt.decode(token, options={"verify_signature": False})
-                principal["claims"] = decoded
-            except Exception as e:
-                logger.debug("Could not decode JWT claims", error=str(e))
-            return principal
-        except Exception as e:
-            logger.warning("Supabase token validation failed", error=str(e))
-            raise AuthenticationError(f"Invalid token: {e}") from e
-    async def issue_token(self, user_id: UUID | None = None, claims: dict | None = None) -> str:
-        """
-        Issue a new token via Supabase (not commonly used).
-        Note: Supabase typically handles token issuance on the client side.
-        This method is provided for completeness but may not be used in practice.
-        """
-        # Supabase doesn't provide a direct server-side token issuance API
-        # This would typically be done on the client side
-        raise NotImplementedError("Token issuance should be handled by Supabase client libraries")
-    async def get_user_info(self, token: str) -> dict:
-        """Get additional user information from Supabase."""
-        try:
-            user_response = self.client.auth.get_user(token)
-            if not user_response or not user_response.user:
-                return {}
-            user = user_response.user
-            return {
-                "id": user.id,
-                "email": user.email,
-                "email_confirmed_at": user.email_confirmed_at,
-                "phone": user.phone,
-                "created_at": user.created_at,
-                "updated_at": user.updated_at,
-                "user_metadata": user.user_metadata,
-                "app_metadata": user.app_metadata,
-            }
-        except Exception as e:
-            logger.warning("Failed to get Supabase user info", error=str(e))
-            return {}

package/templates/api/src/boards/auth/context.py DELETED Viewed

@@ -1,35 +0,0 @@
-"""Authentication context for request handling."""
-from __future__ import annotations
-from dataclasses import dataclass
-from uuid import UUID
-from .adapters.base import Principal
-# Default tenant UUID for single-tenant deployments or when tenant resolution fails
-# This null UUID (00000000-0000-0000-0000-000000000000) is used when:
-# - Running in single-tenant mode
-# - Local development without multi-tenant setup
-# - Tenant slug resolution fails
-DEFAULT_TENANT_UUID = UUID("00000000-0000-0000-0000-000000000000")
-@dataclass
-class AuthContext:
-    """Runtime authentication context for a request."""
-    user_id: UUID | None
-    tenant_id: UUID
-    principal: Principal | None
-    token: str | None
-    @property
-    def is_authenticated(self) -> bool:
-        """Check if the request is authenticated."""
-        return self.user_id is not None and self.principal is not None
-    @property
-    def provider(self) -> str | None:
-        """Get the authentication provider name."""
-        return self.principal["provider"] if self.principal else None

package/templates/api/src/boards/auth/factory.py DELETED Viewed

@@ -1,129 +0,0 @@
-"""Factory for creating auth adapters based on configuration."""
-from __future__ import annotations
-import json
-import os
-from .adapters.auth0 import Auth0OIDCAdapter
-from .adapters.base import AuthAdapter
-from .adapters.clerk import ClerkAuthAdapter
-from .adapters.jwt import JWTAuthAdapter
-from .adapters.none import NoAuthAdapter
-from .adapters.oidc import OIDCAdapter
-# Optional Supabase adapter - imported conditionally
-try:
-    from .adapters.supabase import SupabaseAuthAdapter
-    SUPABASE_AVAILABLE = True
-except ImportError:
-    SUPABASE_AVAILABLE = False
-    SupabaseAuthAdapter = None  # type: ignore
-def get_auth_adapter() -> AuthAdapter:
-    """Create and return the configured auth adapter."""
-    provider = os.getenv("BOARDS_AUTH_PROVIDER", "none")  # Default to no-auth for dev
-    config_str = os.getenv("BOARDS_AUTH_CONFIG", "{}")
-    try:
-        config = json.loads(config_str)
-    except json.JSONDecodeError:
-        config = {}
-    if provider == "none":
-        # No-auth mode for local development
-        return NoAuthAdapter(
-            default_user_id=config.get("default_user_id", "dev-user"),
-            default_tenant=config.get("default_tenant", "default"),
-        )
-    elif provider == "jwt":
-        secret_key = config.get("secret_key") or os.getenv("BOARDS_JWT_SECRET")
-        if not secret_key:
-            raise ValueError(
-                "JWT secret key is required. Set BOARDS_JWT_SECRET or provide in config."
-            )
-        return JWTAuthAdapter(
-            secret_key=secret_key,
-            algorithm=config.get("algorithm", "HS256"),
-            issuer=config.get("issuer", "boards"),
-            audience=config.get("audience", "boards-api"),
-        )
-    elif provider == "supabase":
-        if not SUPABASE_AVAILABLE:
-            raise ValueError(
-                "Supabase auth provider is not available. "
-                "Install the supabase package: pip install 'weirdfingers-boards[auth-supabase]'"
-            )
-        url = config.get("url") or os.getenv("SUPABASE_URL")
-        service_role_key = config.get("service_role_key") or os.getenv("SUPABASE_SERVICE_ROLE_KEY")
-        if not url or not service_role_key:
-            raise ValueError(
-                "Supabase URL and service role key are required. "
-                "Set SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY or provide in config."
-            )
-        return SupabaseAuthAdapter(url=url, service_role_key=service_role_key)  # type: ignore
-    elif provider == "clerk":
-        secret_key = config.get("secret_key") or os.getenv("CLERK_SECRET_KEY")
-        if not secret_key:
-            raise ValueError(
-                "Clerk secret key is required. Set CLERK_SECRET_KEY or provide in config."
-            )
-        return ClerkAuthAdapter(
-            secret_key=secret_key,
-            jwks_url=config.get("jwks_url"),
-        )
-    elif provider == "auth0":
-        domain = config.get("domain") or os.getenv("AUTH0_DOMAIN")
-        audience = config.get("audience") or os.getenv("AUTH0_AUDIENCE")
-        if not domain or not audience:
-            raise ValueError(
-                "Auth0 domain and audience are required. "
-                "Set AUTH0_DOMAIN and AUTH0_AUDIENCE or provide in config."
-            )
-        return Auth0OIDCAdapter(
-            domain=domain,
-            audience=audience,
-            client_id=config.get("client_id") or os.getenv("AUTH0_CLIENT_ID"),
-            client_secret=config.get("client_secret") or os.getenv("AUTH0_CLIENT_SECRET"),
-        )
-    elif provider == "oidc":
-        issuer = config.get("issuer") or os.getenv("OIDC_ISSUER")
-        client_id = config.get("client_id") or os.getenv("OIDC_CLIENT_ID")
-        if not issuer or not client_id:
-            raise ValueError(
-                "OIDC issuer and client_id are required. "
-                "Set OIDC_ISSUER and OIDC_CLIENT_ID or provide in config."
-            )
-        return OIDCAdapter(
-            issuer=issuer,
-            client_id=client_id,
-            client_secret=config.get("client_secret") or os.getenv("OIDC_CLIENT_SECRET"),
-            audience=config.get("audience") or os.getenv("OIDC_AUDIENCE"),
-            jwks_url=config.get("jwks_url") or os.getenv("OIDC_JWKS_URL"),
-        )
-    else:
-        raise ValueError(f"Unsupported auth provider: {provider}")
-def get_auth_adapter_cached() -> AuthAdapter:
-    """Get the auth adapter instance (no global caching for thread safety)."""
-    # Create fresh adapter each time to avoid global state issues
-    # The cost of adapter creation is minimal and this ensures thread/test safety
-    return get_auth_adapter()