npm - @weirdfingers/baseboards - Versions diffs - 0.9.6 → 0.9.7 - Mend

@weirdfingers/baseboards 0.9.6 → 0.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/templates/api/src/boards/auth/middleware.py DELETED Viewed

@@ -1,221 +0,0 @@
-"""Authentication middleware for FastAPI."""
-from __future__ import annotations
-from uuid import UUID
-from fastapi import Header, HTTPException
-from ..database.connection import get_async_session
-from ..database.seed_data import ensure_tenant
-from ..logging import get_logger
-from .adapters.base import AuthenticationError
-from .context import DEFAULT_TENANT_UUID, AuthContext
-from .factory import get_auth_adapter_cached
-from .provisioning import ensure_local_user
-from .tenant_extraction import extract_tenant_from_claims
-logger = get_logger(__name__)
-async def get_auth_context(
-    authorization: str | None = Header(None),
-    x_tenant: str | None = Header(None, alias="X-Tenant"),
-) -> AuthContext:
-    """
-    Extract authentication context from request headers.
-    This function:
-    1. Extracts Bearer token from Authorization header
-    2. Verifies token using the configured auth adapter
-    3. Resolves tenant (defaults to 'default' for single-tenant)
-    4. Performs JIT user provisioning
-    5. Returns AuthContext for the request
-    For no-auth mode, any token (or "dev-token") will work.
-    Args:
-        authorization: Authorization header (Bearer token)
-        x_tenant: Tenant identifier header
-    Returns:
-        AuthContext with user, tenant, and token info
-    """
-    adapter = get_auth_adapter_cached()
-    # Check if we're in no-auth mode
-    is_no_auth_mode = hasattr(adapter, "default_user_id")  # NoAuthAdapter has this attribute
-    # Handle unauthenticated requests
-    if not authorization:
-        if is_no_auth_mode:
-            # In no-auth mode, create a default token
-            authorization = "Bearer dev-token"
-        else:
-            # Use header tenant or default for unauthenticated requests
-            tenant_slug = x_tenant or "default"
-            tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
-            return AuthContext(
-                user_id=None,
-                tenant_id=tenant_uuid,
-                principal=None,
-                token=None,
-            )
-    # Extract Bearer token
-    if not authorization.startswith("Bearer "):
-        logger.warning("Invalid authorization format received")
-        raise HTTPException(
-            status_code=401,
-            detail="Invalid authorization format. Expected: Bearer <token>",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-    token = authorization[7:]  # Remove "Bearer " prefix
-    if not token:
-        logger.warning("Empty token provided")
-        raise HTTPException(
-            status_code=401,
-            detail="Empty token",
-            headers={"WWW-Authenticate": "Bearer"},
-        )
-    try:
-        # Verify token with auth adapter
-        principal = await adapter.verify_token(token)
-        # Extract tenant from JWT/OIDC claims with fallback to header
-        tenant_slug = extract_tenant_from_claims(principal, fallback_tenant=x_tenant)
-        logger.debug(
-            "Tenant resolved for authenticated request",
-            tenant_slug=tenant_slug,
-            header_tenant=x_tenant,
-            provider=principal.get("provider"),
-            subject=principal.get("subject"),
-        )
-        # Resolve tenant slug to UUID and perform JIT user provisioning
-        try:
-            async with get_async_session() as db:
-                # Ensure tenant exists and get its UUID
-                tenant_uuid = await ensure_tenant(db, slug=tenant_slug)
-                # Now provision the user with the tenant UUID
-                user_id = await ensure_local_user(db, tenant_uuid, principal)
-            logger.debug(
-                "User provisioned and tenant resolved",
-                user_id=str(user_id),
-                tenant_uuid=str(tenant_uuid),
-                tenant_slug=tenant_slug,
-            )
-        except Exception as db_error:
-            # Database connection failed, use the same deterministic fallback
-            logger.error(
-                "Database connection failed, using fallback user ID generation",
-                error=str(db_error),
-                principal_provider=principal.get("provider"),
-                principal_subject=principal.get("subject"),
-            )
-            import hashlib
-            provider = principal.get("provider", "unknown")
-            subject = principal.get("subject", "anonymous")
-            stable_input = f"{provider}:{subject}:{tenant_slug}"
-            user_id_hash = hashlib.sha256(stable_input.encode()).hexdigest()[:32]
-            # Format hash as UUID: 8-4-4-4-12 pattern
-            formatted_uuid = (
-                f"{user_id_hash[:8]}-{user_id_hash[8:12]}-"
-                f"{user_id_hash[12:16]}-{user_id_hash[16:20]}-"
-                f"{user_id_hash[20:32]}"
-            )
-            from uuid import UUID
-            user_id = UUID(formatted_uuid)
-            # Also resolve tenant_uuid in this fallback path
-            tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
-        return AuthContext(
-            user_id=user_id,
-            tenant_id=tenant_uuid,
-            principal=principal,
-            token=token,
-        )
-    except AuthenticationError as e:
-        logger.warning("Authentication failed", error=str(e))
-        raise HTTPException(
-            status_code=401,
-            detail=str(e),
-            headers={"WWW-Authenticate": "Bearer"},
-        ) from e
-    except Exception as e:
-        logger.error("Unexpected authentication error", error=str(e))
-        raise HTTPException(
-            status_code=401,
-            detail="Authentication failed",
-            headers={"WWW-Authenticate": "Bearer"},
-        ) from e
-async def get_auth_context_optional(
-    authorization: str | None = Header(None),
-    x_tenant: str | None = Header(None, alias="X-Tenant"),
-) -> AuthContext:
-    """
-    Optional authentication - returns unauthenticated context if no token.
-    Use this for endpoints that work both authenticated and unauthenticated.
-    """
-    try:
-        return await get_auth_context(authorization, x_tenant)
-    except HTTPException:
-        # Return unauthenticated context
-        tenant_slug = x_tenant or "default"
-        tenant_uuid = await _resolve_tenant_uuid(tenant_slug)
-        return AuthContext(
-            user_id=None,
-            tenant_id=tenant_uuid,
-            principal=None,
-            token=None,
-        )
-async def _resolve_tenant_uuid(tenant_slug: str) -> UUID:
-    """
-    Resolve a tenant slug to its UUID.
-    Falls back to DEFAULT_TENANT_UUID if:
-    - Database lookup fails
-    - Tenant doesn't exist
-    - Running in single-tenant mode
-    Args:
-        tenant_slug: The tenant slug to resolve (e.g., "default", "acme-corp")
-    Returns:
-        UUID of the tenant, or DEFAULT_TENANT_UUID if resolution fails
-    """
-    try:
-        from ..database.connection import get_async_session
-        from ..database.seed_data import ensure_tenant
-        async with get_async_session() as db:
-            tenant_uuid = await ensure_tenant(db, slug=tenant_slug)
-            logger.debug(
-                "Resolved tenant slug to UUID",
-                tenant_slug=tenant_slug,
-                tenant_uuid=str(tenant_uuid),
-            )
-            return tenant_uuid
-    except Exception as e:
-        logger.warning(
-            "Failed to resolve tenant UUID, using default",
-            tenant_slug=tenant_slug,
-            error=str(e),
-            default_uuid=str(DEFAULT_TENANT_UUID),
-        )
-        return DEFAULT_TENANT_UUID

package/templates/api/src/boards/auth/provisioning.py DELETED Viewed

@@ -1,129 +0,0 @@
-"""User provisioning and management."""
-from __future__ import annotations
-from uuid import UUID
-from sqlalchemy import and_, select
-from sqlalchemy.ext.asyncio import AsyncSession
-from ..dbmodels import Users
-from ..logging import get_logger
-from .adapters.base import Principal
-logger = get_logger(__name__)
-async def ensure_local_user(db: AsyncSession, tenant_id: UUID, principal: Principal) -> UUID:
-    """
-    Ensure a local user exists for the given principal (JIT provisioning).
-    This function creates a local user record if one doesn't exist for the
-    given (tenant_id, auth_provider, auth_subject) combination.
-    Args:
-        db: Database session
-        tenant_id: Tenant UUID
-        principal: Authenticated principal from auth provider
-    Returns:
-        UUID of the local user
-    """
-    provider = principal["provider"]
-    subject = principal["subject"]
-    # Ensure tenant_id is a UUID
-    if not isinstance(tenant_id, UUID):
-        raise ValueError(f"tenant_id must be a UUID, got {type(tenant_id)}")
-    # Try to find existing user
-    stmt = select(Users).where(
-        and_(
-            Users.tenant_id == tenant_id,
-            Users.auth_provider == provider,
-            Users.auth_subject == subject,
-        )
-    )
-    result = await db.execute(stmt)
-    user = result.scalar_one_or_none()
-    if user:
-        # Update user info if provided in principal, but preserve existing non-empty values
-        updated = False
-        email = principal.get("email")
-        if email and not user.email:  # Only update if current email is empty/None
-            user.email = email
-            updated = True
-        display_name = principal.get("display_name")
-        # Only update if current display_name is empty/None
-        if display_name and not user.display_name:
-            user.display_name = display_name
-            updated = True
-        avatar_url = principal.get("avatar_url")
-        if avatar_url and not user.avatar_url:  # Only update if current avatar_url is empty/None
-            user.avatar_url = avatar_url
-            updated = True
-        if updated:
-            await db.commit()
-            await db.refresh(user)
-            logger.info("Updated user info (preserving existing values)", user_id=str(user.id))
-        return user.id
-    # Create new user
-    user = Users(
-        tenant_id=tenant_id,
-        auth_provider=provider,
-        auth_subject=subject,
-        email=principal.get("email"),
-        display_name=principal.get("display_name"),
-        avatar_url=principal.get("avatar_url"),
-        metadata_={
-            "created_via": "jit_provisioning",
-            "provider_claims": principal.get("claims", {}),
-        },
-    )
-    db.add(user)
-    await db.commit()
-    await db.refresh(user)
-    logger.info(
-        "Created new user via JIT provisioning",
-        user_id=str(user.id),
-        tenant_id=tenant_id,
-        provider=provider,
-    )
-    return user.id
-async def get_user_by_id(db: AsyncSession, user_id: UUID) -> Users | None:
-    """Get a user by ID."""
-    stmt = select(Users).where(Users.id == user_id)
-    result = await db.execute(stmt)
-    return result.scalar_one_or_none()
-async def get_user_by_auth_info(
-    db: AsyncSession, tenant_id: UUID, auth_provider: str, auth_subject: str
-) -> Users | None:
-    """Get a user by auth provider information."""
-    # Ensure tenant_id is a UUID
-    if not isinstance(tenant_id, UUID):
-        raise ValueError(f"tenant_id must be a UUID, got {type(tenant_id)}")
-    stmt = select(Users).where(
-        and_(
-            Users.tenant_id == tenant_id,
-            Users.auth_provider == auth_provider,
-            Users.auth_subject == auth_subject,
-        )
-    )
-    result = await db.execute(stmt)
-    return result.scalar_one_or_none()

package/templates/api/src/boards/auth/tenant_extraction.py DELETED Viewed

@@ -1,278 +0,0 @@
-"""
-Tenant extraction utilities for multi-tenant authentication.
-This module provides utilities to extract tenant information from JWT/OIDC claims
-and other authentication contexts.
-"""
-from __future__ import annotations
-from typing import Any
-from ..config import settings
-from ..logging import get_logger
-from .context import Principal
-logger = get_logger(__name__)
-def extract_tenant_from_claims(
-    principal: Principal,
-    fallback_tenant: str | None = None,
-) -> str:
-    """
-    Extract tenant slug from JWT/OIDC claims.
-    This function supports multiple tenant extraction strategies:
-    1. Direct 'tenant' claim in JWT
-    2. Organization-based claims (org, organization, org_slug)
-    3. Custom claims (configurable via settings)
-    4. Domain-based extraction from email
-    5. Fallback to header or default
-    Args:
-        principal: Principal with claims from JWT/OIDC
-        fallback_tenant: Fallback tenant slug if no tenant found in claims
-    Returns:
-        Tenant slug extracted from claims or fallback
-    """
-    claims = principal.get("claims", {})
-    if not claims:
-        logger.debug("No claims available in principal, using fallback")
-        return fallback_tenant or settings.default_tenant_slug
-    # Strategy 1: Direct tenant claim
-    if tenant_slug := claims.get("tenant"):
-        logger.info("Extracted tenant from 'tenant' claim", tenant_slug=tenant_slug)
-        return _validate_tenant_slug(tenant_slug)
-    # Strategy 2: Organization-based claims
-    org_claims = ["org", "organization", "org_slug", "org_name"]
-    for claim_name in org_claims:
-        if org_value := claims.get(claim_name):
-            tenant_slug = _normalize_tenant_slug(org_value)
-            logger.info(
-                "Extracted tenant from organization claim",
-                claim_name=claim_name,
-                org_value=org_value,
-                tenant_slug=tenant_slug,
-            )
-            return tenant_slug
-    # Strategy 3: Custom claims (configurable)
-    custom_tenant_claim = getattr(settings, "jwt_tenant_claim", None)
-    if custom_tenant_claim and (custom_value := claims.get(custom_tenant_claim)):
-        tenant_slug = _normalize_tenant_slug(custom_value)
-        logger.info(
-            "Extracted tenant from custom claim",
-            claim_name=custom_tenant_claim,
-            custom_value=custom_value,
-            tenant_slug=tenant_slug,
-        )
-        return tenant_slug
-    # Strategy 4: Domain-based extraction from email
-    if settings.multi_tenant_mode and (email := claims.get("email")):
-        tenant_slug = _extract_tenant_from_email_domain(email)
-        if tenant_slug:
-            logger.info(
-                "Extracted tenant from email domain",
-                email=email,
-                tenant_slug=tenant_slug,
-            )
-            return tenant_slug
-    # Strategy 5: Namespace/sub-organization claims
-    namespace_claims = ["namespace", "group", "team", "workspace"]
-    for claim_name in namespace_claims:
-        if namespace_value := claims.get(claim_name):
-            tenant_slug = _normalize_tenant_slug(namespace_value)
-            logger.info(
-                "Extracted tenant from namespace claim",
-                claim_name=claim_name,
-                namespace_value=namespace_value,
-                tenant_slug=tenant_slug,
-            )
-            return tenant_slug
-    # No tenant found in claims, use fallback
-    logger.debug(
-        "No tenant information found in JWT/OIDC claims",
-        available_claims=list(claims.keys()),
-        using_fallback=fallback_tenant or settings.default_tenant_slug,
-    )
-    return fallback_tenant or settings.default_tenant_slug
-def extract_tenant_from_oidc_userinfo(
-    userinfo: dict[str, Any],
-    fallback_tenant: str | None = None,
-) -> str:
-    """
-    Extract tenant slug from OIDC userinfo endpoint response.
-    Args:
-        userinfo: Response from OIDC userinfo endpoint
-        fallback_tenant: Fallback tenant slug if no tenant found
-    Returns:
-        Tenant slug extracted from userinfo or fallback
-    """
-    if not userinfo:
-        return fallback_tenant or settings.default_tenant_slug
-    # Similar extraction strategies as claims
-    if tenant_slug := userinfo.get("tenant"):
-        return _validate_tenant_slug(tenant_slug)
-    # Organization-based extraction
-    for org_field in ["organization", "org", "company"]:
-        if org_value := userinfo.get(org_field):
-            return _normalize_tenant_slug(org_value)
-    # Groups/roles extraction
-    if groups := userinfo.get("groups", []):
-        if isinstance(groups, list) and groups:
-            # Use first group as tenant
-            return _normalize_tenant_slug(groups[0])
-    return fallback_tenant or settings.default_tenant_slug
-def _normalize_tenant_slug(value: Any) -> str:
-    """
-    Normalize a value to a valid tenant slug.
-    Args:
-        value: Value to normalize (string, dict, etc.)
-    Returns:
-        Normalized tenant slug
-    """
-    if isinstance(value, dict):
-        # Extract slug if it's an object with slug/id fields
-        return _normalize_tenant_slug(value.get("slug") or value.get("id") or value.get("name", ""))
-    # Convert to string and normalize
-    slug = str(value).lower().strip()
-    # Replace spaces and invalid characters with hyphens
-    import re
-    slug = re.sub(r"[^a-z0-9-]", "-", slug)
-    # Remove multiple consecutive hyphens
-    slug = re.sub(r"-+", "-", slug)
-    # Remove leading/trailing hyphens
-    slug = slug.strip("-")
-    # Ensure it's not empty and not too long
-    if not slug:
-        slug = "unknown"
-    elif len(slug) > 50:  # Reasonable limit for tenant slugs
-        slug = slug[:50].rstrip("-")
-    return slug
-def _validate_tenant_slug(slug: str) -> str:
-    """
-    Validate a tenant slug format.
-    Args:
-        slug: Tenant slug to validate
-    Returns:
-        Validated slug
-    Raises:
-        ValueError: If slug is invalid
-    """
-    if not slug:
-        raise ValueError("Tenant slug cannot be empty")
-    if len(slug) > 255:
-        raise ValueError("Tenant slug too long (max 255 characters)")
-    import re
-    if not re.match(r"^[a-z0-9-]+$", slug):
-        raise ValueError("Tenant slug must contain only lowercase letters, numbers, and hyphens")
-    if slug.startswith("-") or slug.endswith("-"):
-        raise ValueError("Tenant slug cannot start or end with hyphen")
-    return slug
-def _extract_tenant_from_email_domain(email: str) -> str | None:
-    """
-    Extract tenant slug from email domain.
-    This is useful for organizations that want to automatically
-    assign tenants based on email domains.
-    Args:
-        email: Email address
-    Returns:
-        Tenant slug derived from domain, or None if not applicable
-    """
-    try:
-        domain = email.split("@")[1].lower()
-        # Skip common public email domains
-        public_domains = {
-            "gmail.com",
-            "yahoo.com",
-            "outlook.com",
-            "hotmail.com",
-            "icloud.com",
-            "protonmail.com",
-            "aol.com",
-        }
-        if domain in public_domains:
-            logger.debug(
-                "Skipping tenant extraction from public email domain",
-                domain=domain,
-            )
-            return None
-        # Extract organization name from domain
-        # e.g., "user@acme-corp.com" -> "acme-corp"
-        org_name = domain.split(".")[0]
-        return _normalize_tenant_slug(org_name)
-    except (IndexError, AttributeError):
-        logger.warning("Invalid email format for domain extraction", email=email)
-        return None
-def get_tenant_extraction_config() -> dict[str, Any]:
-    """
-    Get current tenant extraction configuration.
-    Returns:
-        Dictionary with tenant extraction settings
-    """
-    return {
-        "multi_tenant_mode": settings.multi_tenant_mode,
-        "default_tenant_slug": settings.default_tenant_slug,
-        "custom_tenant_claim": getattr(settings, "jwt_tenant_claim", None),
-        "domain_based_extraction": settings.multi_tenant_mode,
-        "supported_claim_names": [
-            "tenant",
-            "org",
-            "organization",
-            "org_slug",
-            "org_name",
-            "namespace",
-            "group",
-            "team",
-            "workspace",
-        ],
-    }