create-workframe 0.1.0 → 0.1.1

package/workframe-api/oidc_jwt.py

@@ -1,108 +1,108 @@
-"""Minimal OIDC id_token verification (RS256 + JWKS) — no extra dependencies."""
-
-from __future__ import annotations
-
-import base64
-import json
-import time
-import urllib.error
-import urllib.request
-from typing import Any
-
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import padding, rsa
-from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
-
-_JWKS_CACHE: dict[str, tuple[float, dict[str, Any]]] = {}
-_JWKS_TTL = 3600.0
-
-
-def _b64url_decode(raw: str) -> bytes:
-    padded = raw + "=" * (-len(raw) % 4)
-    return base64.urlsafe_b64decode(padded.encode("ascii"))
-
-
-def _jwk_to_rsa(key: dict[str, Any]) -> RSAPublicKey:
-    n = int.from_bytes(_b64url_decode(str(key["n"])), "big")
-    e = int.from_bytes(_b64url_decode(str(key["e"])), "big")
-    return rsa.RSAPublicNumbers(e, n).public_key()
-
-
-def _fetch_jwks(jwks_url: str) -> dict[str, Any]:
-    now = time.time()
-    cached = _JWKS_CACHE.get(jwks_url)
-    if cached and cached[0] > now:
-        return cached[1]
-    req = urllib.request.Request(jwks_url, headers={"Accept": "application/json"})
-    with urllib.request.urlopen(req, timeout=15) as resp:
-        payload = json.loads(resp.read().decode("utf-8"))
-    if not isinstance(payload, dict):
-        raise ValueError("invalid jwks")
-    _JWKS_CACHE[jwks_url] = (now + _JWKS_TTL, payload)
-    return payload
-
-
-def verify_rs256_id_token(
-    token: str,
-    *,
-    audience: str,
-    issuer: str | tuple[str, ...] = (),
-    jwks_url: str,
-    clock_skew: int = 60,
-) -> dict[str, Any]:
-    parts = str(token or "").split(".")
-    if len(parts) != 3:
-        raise ValueError("invalid id_token")
-    header = json.loads(_b64url_decode(parts[0]))
-    payload = json.loads(_b64url_decode(parts[1]))
-    if str(header.get("alg") or "") != "RS256":
-        raise ValueError("unsupported jwt alg")
-    kid = str(header.get("kid") or "")
-    jwks = _fetch_jwks(jwks_url)
-    keys = jwks.get("keys") if isinstance(jwks.get("keys"), list) else []
-    pub: RSAPublicKey | None = None
-    for entry in keys:
-        if not isinstance(entry, dict):
-            continue
-        if kid and str(entry.get("kid") or "") != kid:
-            continue
-        if str(entry.get("kty") or "") != "RSA":
-            continue
-        pub = _jwk_to_rsa(entry)
-        break
-    if pub is None:
-        raise ValueError("jwks key not found")
-    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
-    signature = _b64url_decode(parts[2])
-    pub.verify(signature, signing_input, padding.PKCS1v15(), hashes.SHA256())
-
-    now = int(time.time())
-    exp = int(payload.get("exp") or 0)
-    if exp and now > exp + clock_skew:
-        raise ValueError("id_token expired")
-    iat = int(payload.get("iat") or 0)
-    if iat and now + clock_skew < iat:
-        raise ValueError("id_token not yet valid")
-
-    iss = str(payload.get("iss") or "")
-    allowed_iss = issuer or ()
-    if allowed_iss and iss not in allowed_iss:
-        raise ValueError("issuer mismatch")
-
-    aud = payload.get("aud")
-    aud_ok = audience in (aud if isinstance(aud, list) else [aud])
-    if not aud_ok:
-        raise ValueError("audience mismatch")
-
-    if not isinstance(payload, dict):
-        raise ValueError("invalid claims")
-    return payload
-
-
-def verify_google_id_token(token: str, client_id: str) -> dict[str, Any]:
-    return verify_rs256_id_token(
-        token,
-        audience=str(client_id or "").strip(),
-        issuer=("https://accounts.google.com", "accounts.google.com"),
-        jwks_url="https://www.googleapis.com/oauth2/v3/certs",
-    )
+"""Minimal OIDC id_token verification (RS256 + JWKS) — no extra dependencies."""
+
+from __future__ import annotations
+
+import base64
+import json
+import time
+import urllib.error
+import urllib.request
+from typing import Any
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+
+_JWKS_CACHE: dict[str, tuple[float, dict[str, Any]]] = {}
+_JWKS_TTL = 3600.0
+
+
+def _b64url_decode(raw: str) -> bytes:
+    padded = raw + "=" * (-len(raw) % 4)
+    return base64.urlsafe_b64decode(padded.encode("ascii"))
+
+
+def _jwk_to_rsa(key: dict[str, Any]) -> RSAPublicKey:
+    n = int.from_bytes(_b64url_decode(str(key["n"])), "big")
+    e = int.from_bytes(_b64url_decode(str(key["e"])), "big")
+    return rsa.RSAPublicNumbers(e, n).public_key()
+
+
+def _fetch_jwks(jwks_url: str) -> dict[str, Any]:
+    now = time.time()
+    cached = _JWKS_CACHE.get(jwks_url)
+    if cached and cached[0] > now:
+        return cached[1]
+    req = urllib.request.Request(jwks_url, headers={"Accept": "application/json"})
+    with urllib.request.urlopen(req, timeout=15) as resp:
+        payload = json.loads(resp.read().decode("utf-8"))
+    if not isinstance(payload, dict):
+        raise ValueError("invalid jwks")
+    _JWKS_CACHE[jwks_url] = (now + _JWKS_TTL, payload)
+    return payload
+
+
+def verify_rs256_id_token(
+    token: str,
+    *,
+    audience: str,
+    issuer: str | tuple[str, ...] = (),
+    jwks_url: str,
+    clock_skew: int = 60,
+) -> dict[str, Any]:
+    parts = str(token or "").split(".")
+    if len(parts) != 3:
+        raise ValueError("invalid id_token")
+    header = json.loads(_b64url_decode(parts[0]))
+    payload = json.loads(_b64url_decode(parts[1]))
+    if str(header.get("alg") or "") != "RS256":
+        raise ValueError("unsupported jwt alg")
+    kid = str(header.get("kid") or "")
+    jwks = _fetch_jwks(jwks_url)
+    keys = jwks.get("keys") if isinstance(jwks.get("keys"), list) else []
+    pub: RSAPublicKey | None = None
+    for entry in keys:
+        if not isinstance(entry, dict):
+            continue
+        if kid and str(entry.get("kid") or "") != kid:
+            continue
+        if str(entry.get("kty") or "") != "RSA":
+            continue
+        pub = _jwk_to_rsa(entry)
+        break
+    if pub is None:
+        raise ValueError("jwks key not found")
+    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
+    signature = _b64url_decode(parts[2])
+    pub.verify(signature, signing_input, padding.PKCS1v15(), hashes.SHA256())
+
+    now = int(time.time())
+    exp = int(payload.get("exp") or 0)
+    if exp and now > exp + clock_skew:
+        raise ValueError("id_token expired")
+    iat = int(payload.get("iat") or 0)
+    if iat and now + clock_skew < iat:
+        raise ValueError("id_token not yet valid")
+
+    iss = str(payload.get("iss") or "")
+    allowed_iss = issuer or ()
+    if allowed_iss and iss not in allowed_iss:
+        raise ValueError("issuer mismatch")
+
+    aud = payload.get("aud")
+    aud_ok = audience in (aud if isinstance(aud, list) else [aud])
+    if not aud_ok:
+        raise ValueError("audience mismatch")
+
+    if not isinstance(payload, dict):
+        raise ValueError("invalid claims")
+    return payload
+
+
+def verify_google_id_token(token: str, client_id: str) -> dict[str, Any]:
+    return verify_rs256_id_token(
+        token,
+        audience=str(client_id or "").strip(),
+        issuer=("https://accounts.google.com", "accounts.google.com"),
+        jwks_url="https://www.googleapis.com/oauth2/v3/certs",
+    )

package/workframe-api/package.json

@@ -1,13 +1,12 @@
-{
-  "name": "@workframe/workframe-api",
-  "version": "0.1.0",
-  "private": true,
-  "type": "module",
-  "scripts": {
-    "dev": "python3 server.py",
-    "start": "python3 server.py",
-    "test": "python3 -m unittest discover -s tests",
-    "typecheck": "python3 -m py_compile server.py zk_auth.py email_sender.py",
-    "build": "python3 -m py_compile server.py zk_auth.py email_sender.py"
-  }
-}
+{
+  "name": "@workframe/workframe-api",
+  "version": "0.1.1",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "python3 server.py",
+    "start": "python3 server.py",
+    "typecheck": "python3 -m py_compile server.py zk_auth.py email_sender.py",
+    "build": "python3 -m py_compile server.py zk_auth.py email_sender.py"
+  }
+}

package/workframe-api/public/assets/index-DPXu_lGn.css

@@ -1 +1 @@
-:root{--lightningcss-light: ;--lightningcss-dark:initial;color-scheme:dark;--wf-font-sans:"Inter Tight", ui-sans-serif, system-ui, sans-serif;--wf-font-mono:"JetBrains Mono", ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;--wf-blur:34px;--wf-header-height:56px;--wf-footer-height:28px}[data-theme=dark]{--lightningcss-light: ;--lightningcss-dark:initial;color-scheme:dark;--wf-bg:#0a0a0f;--wf-text:#e8e8ee;--wf-muted:#727280;--wf-border:#ffffff12;--wf-border-strong:#ffffff1c;--wf-surface:#12121a94;--wf-surface-soft:#12121a61;--wf-primary:#ffffffe6;--wf-primary-foreground:#0a0a0f;--wf-violet:#6d28d9;--wf-violet-glow:#7c3aed;--wf-ring:#6d28d961}[data-theme=light]{--lightningcss-light:initial;--lightningcss-dark: ;color-scheme:light;--wf-bg:#f2f2f7;--wf-text:#1c1c1e;--wf-muted:#8e8e93;--wf-border:#00000014;--wf-border-strong:#0000001f;--wf-surface:#fffc;--wf-surface-soft:#ffffff80;--wf-primary:#000;--wf-primary-foreground:#fff;--wf-violet:#6d28d9;--wf-violet-glow:#7c3aed;--wf-ring:#6d28d961}*{box-sizing:border-box;margin:0;padding:0}body{font-family:var(--wf-font-sans);background:var(--wf-bg);color:var(--wf-text);-webkit-font-smoothing:antialiased;line-height:1.5}.wf-shell{flex-direction:column;min-height:100vh;display:flex}.wf-shell--centered{justify-content:center;align-items:center}.wf-header{height:var(--wf-header-height);border-bottom:1px solid var(--wf-border);background:var(--wf-surface);-webkit-backdrop-filter:blur(var(--wf-blur));backdrop-filter:blur(var(--wf-blur));justify-content:space-between;align-items:center;padding:0 20px;display:flex}.wf-header__brand{letter-spacing:-.02em;color:var(--wf-text);font-size:18px;font-weight:700}.wf-header__actions{gap:8px;display:flex}.wf-auth{background:var(--wf-surface);border:1px solid var(--wf-border);width:100%;max-width:400px;-webkit-backdrop-filter:blur(var(--wf-blur));backdrop-filter:blur(var(--wf-blur));border-radius:16px;padding:32px}.wf-auth__title{letter-spacing:-.02em;margin:0 0 8px;font-size:24px;font-weight:700}.wf-auth__subtitle{color:var(--wf-muted);margin:0 0 24px;font-size:14px}.wf-field{margin-bottom:16px}.wf-field__label{color:var(--wf-muted);margin-bottom:6px;font-size:13px;font-weight:500;display:block}.wf-input{background:var(--wf-surface-soft);border:1px solid var(--wf-border);width:100%;height:40px;color:var(--wf-text);font-size:14px;font-family:var(--wf-font-sans);border-radius:8px;outline:none;padding:0 12px;transition:border-color .15s}.wf-input:focus{border-color:var(--wf-violet);box-shadow:0 0 0 3px var(--wf-ring)}.wf-input::placeholder{color:var(--wf-muted)}.wf-btn{height:40px;font-size:14px;font-weight:500;font-family:var(--wf-font-sans);cursor:pointer;border:none;border-radius:8px;justify-content:center;align-items:center;padding:0 16px;transition:all .15s;display:inline-flex}.wf-btn--primary{background:var(--wf-primary);color:var(--wf-primary-foreground)}.wf-btn--primary:hover{opacity:.9}.wf-btn--secondary{background:var(--wf-surface-soft);color:var(--wf-text);border:1px solid var(--wf-border)}.wf-btn--secondary:hover{background:var(--wf-border)}.wf-btn--ghost{color:var(--wf-text);background:0 0}.wf-btn--ghost:hover{background:var(--wf-surface-soft)}.wf-btn--sm{height:32px;padding:0 12px;font-size:13px}.wf-btn:disabled{opacity:.5;cursor:not-allowed}.wf-error{color:#ef4444;background:#ef44441a;border:1px solid #ef444433;border-radius:8px;margin-bottom:16px;padding:10px 12px;font-size:13px}.wf-success{color:#22c55e;background:#22c55e1a;border:1px solid #22c55e33;border-radius:8px;margin-bottom:16px;padding:10px 12px;font-size:13px}.wf-otp{justify-content:center;gap:8px;margin-bottom:16px;display:flex}.wf-otp__digit{text-align:center;width:44px;height:48px;font-size:20px;font-weight:600;font-family:var(--wf-font-mono);background:var(--wf-surface-soft);border:1px solid var(--wf-border);color:var(--wf-text);border-radius:8px;outline:none;padding:0;transition:border-color .15s}.wf-otp__digit:focus{border-color:var(--wf-violet);box-shadow:0 0 0 3px var(--wf-ring)}.wf-layout{flex:1;display:flex;overflow:hidden}.wf-sidebar{border-right:1px solid var(--wf-border);background:var(--wf-surface);width:200px;padding:16px 0}.wf-sidebar__link{color:var(--wf-muted);cursor:pointer;padding:8px 20px;font-size:14px;text-decoration:none;transition:all .15s;display:block}.wf-sidebar__link:hover{color:var(--wf-text);background:var(--wf-surface-soft)}.wf-sidebar__link--active{color:var(--wf-text);background:var(--wf-surface-soft);font-weight:500}.wf-main{flex:1;padding:24px;overflow-y:auto}.wf-profile{max-width:480px}.wf-profile__avatar{background:var(--wf-violet);color:#fff;border-radius:50%;justify-content:center;align-items:center;width:64px;height:64px;margin-bottom:24px;font-size:24px;font-weight:600;display:flex}.wf-profile__name{margin:0 0 4px;font-size:20px;font-weight:600}.wf-profile__email{color:var(--wf-muted);margin:0 0 24px;font-size:14px}.wf-otp{gap:8px;margin-bottom:16px;display:flex}.wf-otp .wf-input{text-align:center;letter-spacing:4px;font-size:20px;font-weight:600}
+:root{--lightningcss-light: ;--lightningcss-dark:initial;color-scheme:dark;--wf-font-sans:"Inter Tight", ui-sans-serif, system-ui, sans-serif;--wf-font-mono:"JetBrains Mono", ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;--wf-blur:34px;--wf-header-height:56px;--wf-footer-height:28px}[data-theme=dark]{--lightningcss-light: ;--lightningcss-dark:initial;color-scheme:dark;--wf-bg:#0a0a0f;--wf-text:#e8e8ee;--wf-muted:#727280;--wf-border:#ffffff12;--wf-border-strong:#ffffff1c;--wf-surface:#12121a94;--wf-surface-soft:#12121a61;--wf-primary:#ffffffe6;--wf-primary-foreground:#0a0a0f;--wf-violet:#6d28d9;--wf-violet-glow:#7c3aed;--wf-ring:#6d28d961}[data-theme=light]{--lightningcss-light:initial;--lightningcss-dark: ;color-scheme:light;--wf-bg:#f2f2f7;--wf-text:#1c1c1e;--wf-muted:#8e8e93;--wf-border:#00000014;--wf-border-strong:#0000001f;--wf-surface:#fffc;--wf-surface-soft:#ffffff80;--wf-primary:#000;--wf-primary-foreground:#fff;--wf-violet:#6d28d9;--wf-violet-glow:#7c3aed;--wf-ring:#6d28d961}*{box-sizing:border-box;margin:0;padding:0}body{font-family:var(--wf-font-sans);background:var(--wf-bg);color:var(--wf-text);-webkit-font-smoothing:antialiased;line-height:1.5}.wf-shell{flex-direction:column;min-height:100vh;display:flex}.wf-shell--centered{justify-content:center;align-items:center}.wf-header{height:var(--wf-header-height);border-bottom:1px solid var(--wf-border);background:var(--wf-surface);-webkit-backdrop-filter:blur(var(--wf-blur));backdrop-filter:blur(var(--wf-blur));justify-content:space-between;align-items:center;padding:0 20px;display:flex}.wf-header__brand{letter-spacing:-.02em;color:var(--wf-text);font-size:18px;font-weight:700}.wf-header__actions{gap:8px;display:flex}.wf-auth{background:var(--wf-surface);border:1px solid var(--wf-border);width:100%;max-width:400px;-webkit-backdrop-filter:blur(var(--wf-blur));backdrop-filter:blur(var(--wf-blur));border-radius:16px;padding:32px}.wf-auth__title{letter-spacing:-.02em;margin:0 0 8px;font-size:24px;font-weight:700}.wf-auth__subtitle{color:var(--wf-muted);margin:0 0 24px;font-size:14px}.wf-field{margin-bottom:16px}.wf-field__label{color:var(--wf-muted);margin-bottom:6px;font-size:13px;font-weight:500;display:block}.wf-input{background:var(--wf-surface-soft);border:1px solid var(--wf-border);width:100%;height:40px;color:var(--wf-text);font-size:14px;font-family:var(--wf-font-sans);border-radius:8px;outline:none;padding:0 12px;transition:border-color .15s}.wf-input:focus{border-color:var(--wf-violet);box-shadow:0 0 0 3px var(--wf-ring)}.wf-input::placeholder{color:var(--wf-muted)}.wf-btn{height:40px;font-size:14px;font-weight:500;font-family:var(--wf-font-sans);cursor:pointer;border:none;border-radius:8px;justify-content:center;align-items:center;padding:0 16px;transition:all .15s;display:inline-flex}.wf-btn--primary{background:var(--wf-primary);color:var(--wf-primary-foreground)}.wf-btn--primary:hover{opacity:.9}.wf-btn--secondary{background:var(--wf-surface-soft);color:var(--wf-text);border:1px solid var(--wf-border)}.wf-btn--secondary:hover{background:var(--wf-border)}.wf-btn--ghost{color:var(--wf-text);background:0 0}.wf-btn--ghost:hover{background:var(--wf-surface-soft)}.wf-btn--sm{height:32px;padding:0 12px;font-size:13px}.wf-btn:disabled{opacity:.5;cursor:not-allowed}.wf-error{color:#ef4444;background:#ef44441a;border:1px solid #ef444433;border-radius:8px;margin-bottom:16px;padding:10px 12px;font-size:13px}.wf-success{color:#22c55e;background:#22c55e1a;border:1px solid #22c55e33;border-radius:8px;margin-bottom:16px;padding:10px 12px;font-size:13px}.wf-otp{justify-content:center;gap:8px;margin-bottom:16px;display:flex}.wf-otp__digit{text-align:center;width:44px;height:48px;font-size:20px;font-weight:600;font-family:var(--wf-font-mono);background:var(--wf-surface-soft);border:1px solid var(--wf-border);color:var(--wf-text);border-radius:8px;outline:none;padding:0;transition:border-color .15s}.wf-otp__digit:focus{border-color:var(--wf-violet);box-shadow:0 0 0 3px var(--wf-ring)}.wf-layout{flex:1;display:flex;overflow:hidden}.wf-sidebar{border-right:1px solid var(--wf-border);background:var(--wf-surface);width:200px;padding:16px 0}.wf-sidebar__link{color:var(--wf-muted);cursor:pointer;padding:8px 20px;font-size:14px;text-decoration:none;transition:all .15s;display:block}.wf-sidebar__link:hover{color:var(--wf-text);background:var(--wf-surface-soft)}.wf-sidebar__link--active{color:var(--wf-text);background:var(--wf-surface-soft);font-weight:500}.wf-main{flex:1;padding:24px;overflow-y:auto}.wf-profile{max-width:480px}.wf-profile__avatar{background:var(--wf-violet);color:#fff;border-radius:50%;justify-content:center;align-items:center;width:64px;height:64px;margin-bottom:24px;font-size:24px;font-weight:600;display:flex}.wf-profile__name{margin:0 0 4px;font-size:20px;font-weight:600}.wf-profile__email{color:var(--wf-muted);margin:0 0 24px;font-size:14px}.wf-otp{gap:8px;margin-bottom:16px;display:flex}.wf-otp .wf-input{text-align:center;letter-spacing:4px;font-size:20px;font-weight:600}