Fast-Permissions 0.1.0b0__tar.gz

fast_permissions-0.1.0b0/PKG-INFO

@@ -0,0 +1,233 @@
+Metadata-Version: 2.1
+Name: Fast-Permissions
+Version: 0.1.0b0
+Summary: Add robust authentication to your FastAPI endpoints
+Keywords: authentication,authorization,fastapi,permissions,security,access
+Author-Email: Cody M Sommer <bassmastacod@gmail.com>
+License: MIT
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Software Development :: Libraries
+Classifier: Typing :: Typed
+Project-URL: Repository, https://github.com/BassMastaCod/Fast-Permissions.git
+Project-URL: Issues, https://github.com/BassMastaCod/Fast-Permissions/issues
+Requires-Python: >=3.10
+Requires-Dist: fastapi
+Requires-Dist: daomodel
+Requires-Dist: pyjwt
+Requires-Dist: python-multipart
+Requires-Dist: jinja2
+Requires-Dist: bcrypt
+Provides-Extra: pwa
+Requires-Dist: fastpwa[controller]; extra == "pwa"
+Description-Content-Type: text/markdown
+
+# Fast-Permissions
+
+Fast-Permissions is a library designed to add authentication and authorization capabilities to FastAPI applications,
+particularly those using the Fast-Controller framework.
+
+## Installation
+
+```bash
+pip install Fast-Permissions
+```
+
+For PWA functionality, install with the PWA extra:
+
+```bash
+pip install Fast-Permissions[pwa]
+```
+
+**NOTE**: The rest of the README is AI-generated.
+I will rewrite once the library is in a stable state with most of the planned features implemented.
+
+## Usage
+
+Here's a simple example of how to use Fast-Permissions with Fast-Controller:
+
+```python
+from fastapi import FastAPI, Request
+from typing import Optional
+
+from daomodel.db import create_engine, init_db
+from daomodel.fields import Identifier
+from fast_controller import Resource, Action
+from fast_permissions import RestrictedController
+from fast_permissions.models import User
+from fast_permissions.service import UserService, Unauthorized
+
+# Define your resources
+class Item(Resource, table=True):
+    name: Identifier[str]
+    description: Optional[str] = None
+
+# Set up the database
+engine = create_engine("sqlite:///app.db")
+init_db(engine)
+
+# Create the FastAPI app
+app = FastAPI()
+
+# Define a function to get the current user from the request
+def get_current_user(request: Request) -> User:
+    token = request.cookies.get('access_token')
+    if not token:
+        raise Unauthorized('No access token provided')
+
+    # You'll need to provide a way to get DAOs - this is just an example
+    with controller.dao_context() as daos:
+        return UserService(daos).from_token(token)
+
+# Create a RestrictedController
+controller = RestrictedController(
+    app=app, 
+    engine=engine,
+    get_current_user=get_current_user,
+    public_by_default=True  # Set to False to require auth by default
+)
+
+# Register your resources, specifying which actions don't require authentication
+# When public_by_default=True, all actions are public unless marked restricted
+controller.register_resource(Item)
+
+# Create an admin user (for development/testing)
+# In production, you would create users through your API
+controller.register_admin("secure-password")
+```
+
+## Authentication
+
+Fast-Permissions uses cookie-based authentication with JWT tokens. Users can authenticate by sending a POST request to the `/api/sessions` endpoint:
+
+```
+POST /api/sessions
+Content-Type: application/x-www-form-urlencoded
+
+username=admin&password=secure-password
+```
+
+This will set an HTTP-only cookie with the JWT token. The authentication is handled automatically through cookies, so no manual token management is required in the browser.
+
+## Configuration
+
+Before using Fast-Permissions, you need to set a secret key for JWT token signing:
+
+```python
+from fast_permissions import config
+config.SECRET_KEY = "your-secret-key-here"
+```
+
+## User Management
+
+You can manage users through the User resource that is automatically registered by RestrictedController:
+
+```python
+# Create a new user
+POST /user
+{
+  "username": "john",
+  "password": "password123"
+}
+
+# Get a user
+GET /user/john
+
+# Update a user's password
+PUT /user/john
+{
+  "password": "new-password"
+}
+
+# Delete a user
+DELETE /user/john
+```
+
+## Resource Ownership
+
+Fast-Permissions provides two base classes for resource ownership:
+
+1. `OrphanableResource`: Resources that can exist without an owner
+2. `OwnedResource`: Resources that are deleted when their owner is deleted
+
+Example:
+
+```python
+from daomodel.fields import Identifier
+from fast_permissions.models import OwnedResource
+
+class Note(OwnedResource, table=True):
+    id: Identifier[int]
+    content: str
+```
+
+When a user creates a Note, they automatically become its owner. Only the owner can modify or delete the Note.
+
+
+## PWA (Progressive Web App) Support
+
+Fast-Permissions provides PWA support through the `PWAWithAuth` class, which extends the FastPWA library with authentication capabilities.
+
+### Installation
+
+To use PWA features, install with the PWA extra:
+
+```bash
+pip install Fast-Permissions[pwa]
+```
+
+### Basic PWA Setup
+
+```python
+from fast_permissions.pwa import PWAWithAuth
+
+# Create a PWA with authentication
+pwa = PWAWithAuth(
+    title="My App",
+    public_by_default=True,  # Set to False to require auth by default
+    unauthorized_redirect="/login"  # Where to redirect when not authenticated
+)
+
+# Register a simple login page
+pwa.register_simple_login_page()
+
+# Create restricted pages that require authentication
+@pwa.restricted_page('/dashboard', 'dashboard.html')
+async def dashboard(request):
+    return {'title': 'Dashboard'}
+
+# Create public pages (no authentication required)
+@pwa.page('/public', 'public.html')
+async def public_page(request):
+    return {'title': 'Public Page'}
+```
+
+### Custom Authentication
+
+You can provide your own authentication function:
+
+```python
+from fastapi import Request
+from fast_permissions.models import User
+from fast_permissions.service import UserService, Unauthorized
+
+def my_get_current_user(request: Request) -> User:
+    # Your custom authentication logic
+    token = request.cookies.get('access_token')
+    if not token:
+        raise Unauthorized('No token provided')
+    # ... validate token and return user
+    return user
+
+pwa = PWAWithAuth(
+    title="My App",
+    get_current_user=my_get_current_user,
+    unauthorized_redirect="/login"
+)
+```

fast_permissions-0.1.0b0/README.md

@@ -0,0 +1,203 @@
+# Fast-Permissions
+
+Fast-Permissions is a library designed to add authentication and authorization capabilities to FastAPI applications,
+particularly those using the Fast-Controller framework.
+
+## Installation
+
+```bash
+pip install Fast-Permissions
+```
+
+For PWA functionality, install with the PWA extra:
+
+```bash
+pip install Fast-Permissions[pwa]
+```
+
+**NOTE**: The rest of the README is AI-generated.
+I will rewrite once the library is in a stable state with most of the planned features implemented.
+
+## Usage
+
+Here's a simple example of how to use Fast-Permissions with Fast-Controller:
+
+```python
+from fastapi import FastAPI, Request
+from typing import Optional
+
+from daomodel.db import create_engine, init_db
+from daomodel.fields import Identifier
+from fast_controller import Resource, Action
+from fast_permissions import RestrictedController
+from fast_permissions.models import User
+from fast_permissions.service import UserService, Unauthorized
+
+# Define your resources
+class Item(Resource, table=True):
+    name: Identifier[str]
+    description: Optional[str] = None
+
+# Set up the database
+engine = create_engine("sqlite:///app.db")
+init_db(engine)
+
+# Create the FastAPI app
+app = FastAPI()
+
+# Define a function to get the current user from the request
+def get_current_user(request: Request) -> User:
+    token = request.cookies.get('access_token')
+    if not token:
+        raise Unauthorized('No access token provided')
+
+    # You'll need to provide a way to get DAOs - this is just an example
+    with controller.dao_context() as daos:
+        return UserService(daos).from_token(token)
+
+# Create a RestrictedController
+controller = RestrictedController(
+    app=app, 
+    engine=engine,
+    get_current_user=get_current_user,
+    public_by_default=True  # Set to False to require auth by default
+)
+
+# Register your resources, specifying which actions don't require authentication
+# When public_by_default=True, all actions are public unless marked restricted
+controller.register_resource(Item)
+
+# Create an admin user (for development/testing)
+# In production, you would create users through your API
+controller.register_admin("secure-password")
+```
+
+## Authentication
+
+Fast-Permissions uses cookie-based authentication with JWT tokens. Users can authenticate by sending a POST request to the `/api/sessions` endpoint:
+
+```
+POST /api/sessions
+Content-Type: application/x-www-form-urlencoded
+
+username=admin&password=secure-password
+```
+
+This will set an HTTP-only cookie with the JWT token. The authentication is handled automatically through cookies, so no manual token management is required in the browser.
+
+## Configuration
+
+Before using Fast-Permissions, you need to set a secret key for JWT token signing:
+
+```python
+from fast_permissions import config
+config.SECRET_KEY = "your-secret-key-here"
+```
+
+## User Management
+
+You can manage users through the User resource that is automatically registered by RestrictedController:
+
+```python
+# Create a new user
+POST /user
+{
+  "username": "john",
+  "password": "password123"
+}
+
+# Get a user
+GET /user/john
+
+# Update a user's password
+PUT /user/john
+{
+  "password": "new-password"
+}
+
+# Delete a user
+DELETE /user/john
+```
+
+## Resource Ownership
+
+Fast-Permissions provides two base classes for resource ownership:
+
+1. `OrphanableResource`: Resources that can exist without an owner
+2. `OwnedResource`: Resources that are deleted when their owner is deleted
+
+Example:
+
+```python
+from daomodel.fields import Identifier
+from fast_permissions.models import OwnedResource
+
+class Note(OwnedResource, table=True):
+    id: Identifier[int]
+    content: str
+```
+
+When a user creates a Note, they automatically become its owner. Only the owner can modify or delete the Note.
+
+
+## PWA (Progressive Web App) Support
+
+Fast-Permissions provides PWA support through the `PWAWithAuth` class, which extends the FastPWA library with authentication capabilities.
+
+### Installation
+
+To use PWA features, install with the PWA extra:
+
+```bash
+pip install Fast-Permissions[pwa]
+```
+
+### Basic PWA Setup
+
+```python
+from fast_permissions.pwa import PWAWithAuth
+
+# Create a PWA with authentication
+pwa = PWAWithAuth(
+    title="My App",
+    public_by_default=True,  # Set to False to require auth by default
+    unauthorized_redirect="/login"  # Where to redirect when not authenticated
+)
+
+# Register a simple login page
+pwa.register_simple_login_page()
+
+# Create restricted pages that require authentication
+@pwa.restricted_page('/dashboard', 'dashboard.html')
+async def dashboard(request):
+    return {'title': 'Dashboard'}
+
+# Create public pages (no authentication required)
+@pwa.page('/public', 'public.html')
+async def public_page(request):
+    return {'title': 'Public Page'}
+```
+
+### Custom Authentication
+
+You can provide your own authentication function:
+
+```python
+from fastapi import Request
+from fast_permissions.models import User
+from fast_permissions.service import UserService, Unauthorized
+
+def my_get_current_user(request: Request) -> User:
+    # Your custom authentication logic
+    token = request.cookies.get('access_token')
+    if not token:
+        raise Unauthorized('No token provided')
+    # ... validate token and return user
+    return user
+
+pwa = PWAWithAuth(
+    title="My App",
+    get_current_user=my_get_current_user,
+    unauthorized_redirect="/login"
+)
+```

fast_permissions-0.1.0b0/fast_permissions/__init__.py

@@ -0,0 +1,155 @@
+from typing import Annotated, Callable
+
+from daomodel.db import DAOFactory
+
+from fast_controller import Controller, Action
+from fast_controller.util import no_cache
+from fastapi import Depends, APIRouter, Response, Request, status, FastAPI, Security, HTTPException
+from fastapi.security import OAuth2PasswordRequestForm, APIKeyCookie
+
+from fast_permissions import config
+from fast_permissions.exceptions import Unauthorized
+from fast_permissions.models import Session, User
+from fast_permissions.service import UserService
+
+
+_security = Security(APIKeyCookie(name='HTTP Only Cookie', description='Must use endpoint to login', auto_error=False))
+
+
+class Auth:
+    """Provides decorators for specifying access levels for endpoints."""
+    def access(self, level: str):
+        """Decorator that sets the access level of an endpoint i.e. public, restricted, etc..."""
+        def wrapper(func):
+            func._fp_access = level
+            return func
+        return wrapper
+
+    @property
+    def public(self):
+        """Decorator that configures an endpoint to have no access restrictions."""
+        return self.access('public')
+
+    @property
+    def restricted(self):
+        """Decorator that configures an endpoint to require authentication."""
+        return self.access('restricted')
+
+auth = Auth()
+
+
+def default_session_endpoints(router: APIRouter, controller: Controller):
+    @router.post('', status_code=status.HTTP_204_NO_CONTENT)
+    @auth.public
+    async def login(response: Response,
+                    form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
+                    daos: DAOFactory = controller.daos) -> None:
+        """Authenticates the user and sets a cookie with the access token."""
+        try:
+            user = UserService(daos).authenticate(form_data.username, form_data.password)
+            response.set_cookie(
+                key='access_token',
+                value=user.access_token,
+                httponly=True,
+                secure=True,
+                samesite='lax',
+                max_age=60 * 60 * 24,
+                path='/'
+            )
+        except TypeError:
+            if config.SECRET_KEY is None:
+                raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail='Fast-Permissions SECRET_KEY is not configured')
+        except Unauthorized:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail='Incorrect username or password')
+
+    @router.delete('', status_code=status.HTTP_204_NO_CONTENT)
+    @auth.restricted
+    async def logout(response: Response, request: Request, daos: DAOFactory = controller.daos) -> None:
+        """Invalidates the caller's token and clears the cookie."""
+        caller_token = request.cookies.get('access_token')
+        UserService(daos).invalidate_token(caller_token)
+
+        response.status_code = status.HTTP_204_NO_CONTENT
+        response.delete_cookie(key='access_token', path='/')
+
+    @no_cache
+    @router.head('')
+    @auth.restricted
+    async def check_auth() -> Response:
+        """Checks if the user is authenticated.
+
+        Returns 200 if the caller has a valid access token and 401 otherwise.
+        """
+        return Response()
+
+
+class RestrictedRouter(APIRouter):
+    """A custom APIRouter that automatically adds authentication middleware.
+
+    :param user_dep: The dependency that validates the user
+    :param public_by_default: True to only require authentication for endpoints marked with @auth.restricted
+    """
+    def __init__(self, *args, user_dep: Depends, public_by_default: bool = False, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.user_dep = user_dep
+        self.public_by_default = public_by_default
+
+    def add_api_route(self, path, endpoint, **kwargs) -> None:
+        """Overrides the default add_api_route method to add authentication middleware."""
+        deps = kwargs.pop('dependencies')
+        if not deps:
+            deps = []
+
+        level = getattr(endpoint, '_fp_access', None)
+        if level == 'restricted':
+            deps.append(Depends(self.user_dep))
+            deps.append(_security)
+        elif level == 'public':
+            pass
+        else:
+            if not self.public_by_default:
+                deps.append(Depends(self.user_dep))
+                deps.append(_security)
+        kwargs['dependencies'] = deps
+        super().add_api_route(path, endpoint, **kwargs)
+
+
+class RestrictedController(Controller):
+    """A controller that includes authentication middleware."""
+    def __init__(self, *args,
+                 get_current_user: Callable,
+                 public_by_default: bool = False,
+                 token_endpoints: Callable = default_session_endpoints,
+                 **kwargs):
+        self.get_current_user = get_current_user
+        self.public_by_default = public_by_default
+        super().__init__(*args, **kwargs)
+        self.register_resource(Session, skip=set(Action), additional_endpoints=token_endpoints)
+        self.register_resource(User)
+
+    def _create_router(self) -> APIRouter:
+        return RestrictedRouter(
+            prefix=self.prefix,
+            user_dep=self.get_current_user,
+            public_by_default=self.public_by_default
+        )
+
+    def include_controller(self, app: FastAPI) -> None:
+        super().include_controller(app)
+
+        @app.exception_handler(Unauthorized)
+        async def unauthorized_handler(request: Request, exc: Unauthorized):
+            return Response(status_code=status.HTTP_401_UNAUTHORIZED)
+
+    def register_admin(self, password: str) -> None:
+        """Creates an admin user having the given password.
+
+        This only needs to be called once.
+        Once logged in as the admin, additional users can be created through the ReST API.
+
+        :param password: The password for the admin user (this will be hashed and stored in the database).
+        """
+        admin = User(username='admin')
+        admin.password = password
+        with self.dao_context() as daos:
+            daos[User].upsert(admin)

fast_permissions-0.1.0b0/fast_permissions/config.py

@@ -0,0 +1,2 @@
+SECRET_KEY = None
+ALGORITHM = 'HS256'

fast_permissions-0.1.0b0/fast_permissions/exceptions.py

@@ -0,0 +1,6 @@
+class InvalidPassword(Exception):
+    pass
+
+
+class Unauthorized(Exception):
+    pass

fast_permissions-0.1.0b0/fast_permissions/html.py

@@ -0,0 +1,28 @@
+login_template = '''
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login</title>
+    <style>
+        body { font-family: Arial, sans-serif; text-align: center; margin: 0; padding: 0; background-color: #f4f4f4; }
+        .login-form { width: 300px; margin: 100px auto; padding: 20px; background: white; border: 1px solid #ccc; border-radius: 5px; }
+        .login-form h2 { margin-bottom: 20px; }
+        .login-form input { width: calc(100% - 20px); margin-bottom: 15px; padding: 8px; border: 1px solid #ccc; border-radius: 5px; }
+        .login-form button { padding: 10px 20px; border: none; border-radius: 5px; background: #007BFF; color: white; cursor: pointer; }
+        .login-form button:hover { background: #0056b3; }
+    </style>
+</head>
+<body>
+    <div class="login-form">
+        <h2>Login</h2>
+        <form action="${path}" method="post">
+            <input type="text" name="username" placeholder="Username" required>
+            <input type="password" name="password" placeholder="Password" required>
+            <button type="submit">Login</button>
+        </form>
+    </div>
+</body>
+</html>
+'''

fast_permissions-0.1.0b0/fast_permissions/models.py

@@ -0,0 +1,51 @@
+from typing import Optional, Any
+
+import bcrypt
+from daomodel.fields import Identifier, Unsearchable
+from fast_controller import Resource
+from fast_controller.schema import schemas
+
+from fast_permissions.exceptions import InvalidPassword
+
+
+class UserBase(Resource):
+    username: Identifier[str]
+
+
+@schemas(output=UserBase)
+class User(UserBase, table=True):
+    password: Unsearchable[str]
+
+    def __setattr__(self, key: str, value: Any) -> None:
+        # Automatically hash any set password
+        if key == 'password':
+            value = bcrypt.hashpw(value.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')
+        super.__setattr__(self, key, value)
+
+    def verify(self, password: str) -> None:
+        """Verify the user's password, raises InvalidPassword if incorrect."""
+        if not bcrypt.checkpw(password.encode('utf-8'), self.password.encode('utf-8')):
+            raise InvalidPassword()
+
+
+class OrphanableResource(Resource):
+    """A resource that can be owned by a user, but not necessarily."""
+    __abstract__ = True
+    owner: Optional[User]
+
+    def is_owned(self) -> bool:
+        return self.owner is not None
+
+    def is_owned_by(self, user: User) -> bool:
+        return self.owner == user.username
+
+
+class OwnedResource(OrphanableResource):
+    """A resource that belongs to a specific User."""
+    __abstract__ = True
+    owner: User
+
+
+class Session(OwnedResource, table=True):
+    access_token: Identifier[str]
+    token_type: str = 'bearer'  # is this valid or needed/weanted?

fast_permissions-0.1.0b0/fast_permissions/pwa.py

@@ -0,0 +1,136 @@
+from pathlib import Path
+from typing import Optional, Callable
+from urllib.parse import quote
+
+from daomodel.db import init_db, create_engine
+from fastapi import Request, Depends, HTTPException, status
+from fastapi.responses import HTMLResponse
+
+from fast_permissions import RestrictedController
+from fast_permissions.html import login_template
+from fast_permissions.models import User
+from fast_permissions.service import Unauthorized, UserService
+
+try:
+    from fastpwa import PWA, ensure_list, logger
+except ImportError:
+    raise ImportError(
+        'PWAWithAuth requires FastPWA. Install with: pip install fast-permissions[pwa]'
+    )
+
+
+class Redirect(HTTPException):
+    """HTTP Response that redirects the client to the given URL."""
+    def __init__(self, url: str, code: int = status.HTTP_302_FOUND):
+        super().__init__(
+            status_code=code,
+            headers={"Location": url}
+        )
+
+
+class PWAWithAuth(PWA):
+    """Extension of PWA that adds authentication functionality.
+
+    This implementation provides a way to create pages that require authentication.
+    """
+    def __init__(self, *args,
+                 get_current_user: Optional[Callable] = None,
+                 public_by_default: Optional[bool] = None,
+                 unauthorized_redirect: Optional[str] = None,
+                 **kwargs):
+        self.get_current_user = get_current_user or self._default_get_current_user
+        self.public_by_default = public_by_default
+        if public_by_default is not None:
+            if get_current_user:
+                raise ValueError('`public_by_default` can only be set if not using a custom `get_current_user` function')
+        self.unauthorized_redirect = unauthorized_redirect
+        super().__init__(*args, **kwargs)
+
+    def _default_controller(self):
+        controller = RestrictedController(
+            prefix=self.api_prefix,
+            get_current_user=self.get_current_user,
+            public_by_default=self.public_by_default
+        )
+        controller.engine = create_engine('database.db')
+        init_db(controller.engine)
+        return controller
+
+    def _default_get_current_user(self, request: Request) -> User:
+        """Returns the currently logged-in user, or raises Unauthorized if not logged in."""
+        token = request.cookies.get('access_token')
+        with self.controller.dao_context() as daos:
+            return UserService(daos).from_token(token)
+
+    @property
+    def restricted_dep(self):
+        return Depends(self.get_current_user_with_redirect(no_return=True))
+
+    def register_simple_login_page(self,
+            page_path: str = 'login',
+            api_path: str = '/api/sessions',
+            redirect: bool = True) -> None:
+        """Creates a basic login page.
+
+        This page is extremely rudimentary and is only intended for developer use.
+        UX is lacking; it does not redirect after login or even provide feedback to the user.
+
+        :param page_path: Where to host the login page (/login by default)
+        :param api_path: Where to send the login form (/api/sessions by default)
+        :param redirect: False to avoid automatically redirecting to this page when not logged in
+        """
+        @self.page(page_path, html=login_template.replace('${path}', api_path))
+        async def login_page() -> dict:
+            return {'title': f'{self.title} Login'}
+
+        if redirect:
+            self.unauthorized_redirect = '/login'
+
+    def get_current_user_with_redirect(self, url: Optional[str] = None, no_return: bool = False):
+        """Returns a dependency that validates the user and redirects back to the original page once logged in."""
+        if not url:
+            if not self.unauthorized_redirect:
+                raise ValueError('Unauthorized redirect URL not specified. '
+                                 'Please set unauthorized_redirect= when creating PWA or page.')
+            url = self.unauthorized_redirect
+        async def wrapper(request: Request):
+            try:
+                return self.get_current_user(request)
+            except Unauthorized:
+                if no_return:
+                    raise Redirect(url)
+                original = quote(request.url.path)
+                sep = '&' if '?' in url else '?'
+                raise Redirect(f'{url}{sep}from={original}')
+        return wrapper
+
+    def restricted_page(self,
+                        route: str,
+                        html: str | Path,
+                        css: Optional[str | list[str]] = None,
+                        js: Optional[str | list[str]] = None,
+                        js_libraries: Optional[str | list[str]] = None,
+                        color: Optional[str] = None,
+                        unauthorized_redirect: Optional[str] = None,
+                        **get_kwargs):
+        """Decorator that creates a page requiring authentication."""
+        route = self.with_prefix(route)
+        url = unauthorized_redirect or self.unauthorized_redirect
+        get_user = self.get_current_user_with_redirect(url) if url else self.get_current_user
+
+        def decorator(func):
+            async def response_wrapper(request: Request, context: dict = Depends(func), user: User = Depends(get_user)):
+                return HTMLResponse(self.page_template.render(
+                    path_prefix=self.prefix,
+                    request=request,
+                    title=context.get('title', self.title),
+                    color=color,
+                    css=ensure_list(css) + self.global_css,
+                    js=ensure_list(js) + self.global_js,
+                    js_libraries=ensure_list(js_libraries),
+                    body=self.env.get_template(html).render(**context)
+                ))
+            self.get(route, include_in_schema=False, **get_kwargs)(response_wrapper)
+            logger.info(f'Registered restricted page at {route}')
+            return func
+        return decorator

fast_permissions-0.1.0b0/fast_permissions/service.py

@@ -0,0 +1,116 @@
+from datetime import timedelta, datetime, timezone
+from typing import Optional, Any
+
+import jwt
+from daomodel.dao import NotFound
+from daomodel.db import DAOFactory
+from fastapi import HTTPException
+
+from fast_permissions import config
+from fast_permissions.exceptions import InvalidPassword, Unauthorized
+from fast_permissions.models import User, Session, OwnedResource
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """Creates a JWT access token.
+
+    :param data: The payload to include in the token
+    :param expires_delta: The duration for which the token is valid
+    :return: The encoded access token
+    """
+    expire = datetime.now(timezone.utc) + (expires_delta or timedelta(minutes=15))
+    to_encode = {**data, 'exp': expire}
+    return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
+
+
+def decode_token(token: str) -> dict[str, Any]:
+    """Decodes a JWT token and returns the payload."""
+    try:
+        payload = jwt.decode(token, config.SECRET_KEY, algorithms=[config.ALGORITHM])
+        if not payload.get('username'):
+            raise HTTPException(status_code=401, detail='Invalid token')
+        return payload
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(status_code=401, detail='Token expired')
+    except Exception:
+        raise HTTPException(status_code=401, detail='Invalid token')
+
+
+class UserService:
+    def __init__(self, daos: DAOFactory):
+        self.daos = daos
+        self.user_dao = daos[User]
+        self.token_dao = daos[Session]
+
+    def register(self, username: str, password: str) -> User:
+        """Creates a new User and saves it to the database.
+
+        :param username: The new username
+        :param password: The unencrypted password for the new username
+        :return: The newly created User
+        :raises PrimaryKeyConflict: If the username is already taken
+        """
+        user = self.user_dao.create_with(commit=False, username=username)
+        self.set_password(user, password)
+        return user
+
+    def authenticate(self, username: str, password: str) -> User:
+        """Authenticates a User and returns a token if successful.
+
+        :param username: The username to authenticate
+        :param password: The unencrypted password for the username
+        :return: The authenticated User, containing the access token
+        :raises HTTPException: If the username or password is incorrect
+        """
+        try:
+            user = self.get_user(username)
+            user.verify(password)
+            user.access_token = create_access_token(user.model_dump(), expires_delta=timedelta(days=1))
+            self.token_dao.create_with(access_token=user.access_token, owner=user.username)
+            return user
+        except (NotFound, InvalidPassword) as e:
+            raise Unauthorized('Authentication failed due to incorrect username or password') from e
+
+    def get_user(self, username: str) -> User:
+        """Finds a User by their username."""
+        return self.user_dao.get(username)
+
+    def set_password(self, user: User, password: str) -> None:
+        """Sets a new password for a user and updates the User record in the database."""
+        user.password = password
+        self.user_dao.update(user)
+
+    def get_owned(self, user: User, resource: type[OwnedResource]) -> list[OwnedResource]:
+        """Returns resources that belong to a specific User.
+
+        :param user: The user whose resources to find
+        :param resource: The type of resource to find
+        :return: A list of resources owned by the user
+        """
+        return self.daos[resource].find(owner=user.username)
+
+    def from_token(self, token: str) -> User:
+        """Finds a User by their token.
+
+        :param token: The token the User is authenticated with
+        :return: The User associated with the token
+        """
+        if not token:
+            raise Unauthorized('No token provided')
+        try:
+            payload = decode_token(token)
+            username = payload['username']
+            self.token_dao.get(token)
+            return self.get_user(username)
+        except Exception as e:
+            raise Unauthorized(f'Authentication failed: {str(e)}') from e
+
+    def invalidate_token(self, token: str) -> None:
+        """Deauthenticates a session by invalidating its token."""
+        if not token:
+            return
+        try:
+            entry = self.token_dao.get(token)
+            self.token_dao.remove(entry)
+        except NotFound:
+            pass

fast_permissions-0.1.0b0/pyproject.toml

@@ -0,0 +1,65 @@
+[build-system]
+requires = [
+    "pdm-backend",
+]
+build-backend = "pdm.backend"
+
+[project]
+name = "Fast-Permissions"
+dynamic = []
+authors = [
+    { name = "Cody M Sommer", email = "bassmastacod@gmail.com" },
+]
+description = "Add robust authentication to your FastAPI endpoints"
+keywords = [
+    "authentication",
+    "authorization",
+    "fastapi",
+    "permissions",
+    "security",
+    "access",
+]
+readme = "README.md"
+requires-python = ">=3.10"
+dependencies = [
+    "fastapi",
+    "daomodel",
+    "pyjwt",
+    "python-multipart",
+    "jinja2",
+    "bcrypt",
+]
+classifiers = [
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Topic :: Software Development :: Libraries",
+    "Typing :: Typed",
+]
+version = "0.1.0b0"
+
+[project.license]
+text = "MIT"
+
+[project.urls]
+Repository = "https://github.com/BassMastaCod/Fast-Permissions.git"
+Issues = "https://github.com/BassMastaCod/Fast-Permissions/issues"
+
+[project.optional-dependencies]
+pwa = [
+    "fastpwa[controller]",
+]
+
+[tool.pdm.version]
+source = "scm"
+
+[tool.pytest.ini_options]
+pythonpath = "fast_permissions"
+addopts = [
+    "--import-mode=importlib",
+]