amsdal 0.3.3__cp311-cp311-macosx_10_9_universal2.whl → 0.5.29__cp311-cp311-macosx_10_9_universal2.whl

amsdal/contrib/auth/utils/mfa.py

@@ -0,0 +1,257 @@
+"""
+Utilities for Multi-Factor Authentication (MFA).
+
+This module provides helper functions for generating and verifying MFA codes
+for different authentication methods (TOTP, backup codes, email codes).
+"""
+
+import secrets
+import string
+import typing as t
+from datetime import UTC
+from datetime import datetime
+from datetime import timedelta
+from enum import StrEnum
+
+import pyotp
+from amsdal_utils.models.enums import Versions
+
+from amsdal.contrib.auth.settings import auth_settings
+
+if t.TYPE_CHECKING:
+    from amsdal.contrib.auth.models.mfa_device import MFADevice
+    from amsdal.contrib.auth.models.user import User
+
+
+class DeviceType(StrEnum):
+    TOTP = 'totp'
+    BACKUP_CODE = 'backup_code'
+    EMAIL = 'email'
+    SMS = 'sms'
+
+
+def get_active_user_devices(user: 'User') -> dict[DeviceType, list['MFADevice']]:
+    from amsdal.contrib.auth.models.backup_code import BackupCode
+    from amsdal.contrib.auth.models.email_mfa_device import EmailMFADevice
+    from amsdal.contrib.auth.models.sms_device import SMSDevice
+    from amsdal.contrib.auth.models.totp_device import TOTPDevice
+
+    _result: dict[DeviceType, list[MFADevice]] = {}
+    for device_class, device_type in [
+        (TOTPDevice, DeviceType.TOTP),
+        (BackupCode, DeviceType.BACKUP_CODE),
+        (EmailMFADevice, DeviceType.EMAIL),
+        (SMSDevice, DeviceType.SMS),
+    ]:
+        devices = device_class.objects.filter(  # type: ignore[attr-defined]
+            user_email=user.email,
+            is_active=True,
+            confirmed=True,
+            _address__object_version=Versions.LATEST,
+        ).execute()
+        _result[device_type] = devices
+
+    return _result
+
+
+async def aget_active_user_devices(user: 'User') -> dict[DeviceType, list['MFADevice']]:
+    from amsdal.contrib.auth.models.backup_code import BackupCode
+    from amsdal.contrib.auth.models.email_mfa_device import EmailMFADevice
+    from amsdal.contrib.auth.models.sms_device import SMSDevice
+    from amsdal.contrib.auth.models.totp_device import TOTPDevice
+
+    _result: dict[DeviceType, list[MFADevice]] = {}
+    for device_class, device_type in [
+        (TOTPDevice, DeviceType.TOTP),
+        (BackupCode, DeviceType.BACKUP_CODE),
+        (EmailMFADevice, DeviceType.EMAIL),
+        (SMSDevice, DeviceType.SMS),
+    ]:
+        devices = await device_class.objects.filter(  # type: ignore[attr-defined]
+            user_email=user.email,
+            is_active=True,
+            confirmed=True,
+            _address__object_version=Versions.LATEST,
+        ).aexecute()
+        _result[device_type] = devices
+
+    return _result
+
+
+def generate_totp_secret() -> str:
+    """
+    Generate a new TOTP secret key.
+
+    Returns:
+        str: A base32-encoded random secret key.
+    """
+    return pyotp.random_base32()
+
+
+def generate_qr_code_url(secret: str, email: str, issuer: str | None = None) -> str:
+    """
+    Generate a QR code URL for TOTP device setup.
+
+    This creates an otpauth:// URL that can be scanned by authenticator apps
+    like Google Authenticator, Authy, etc.
+
+    Args:
+        secret (str): The TOTP secret key.
+        email (str): The user's email address.
+        issuer (str | None): The issuer name to display in the app. If None, uses the
+            MFA_TOTP_ISSUER setting.
+
+    Returns:
+        str: The otpauth:// URL for QR code generation.
+    """
+    if issuer is None:
+        issuer = auth_settings.MFA_TOTP_ISSUER
+
+    # Create TOTP object
+    totp = pyotp.TOTP(secret)
+
+    # Generate provisioning URI
+    uri = totp.provisioning_uri(
+        name=email,
+        issuer_name=issuer,
+    )
+
+    return uri
+
+
+def verify_totp_code(
+    secret: str,
+    code: str,
+    digits: int = 6,
+    step: int = 30,
+    valid_window: int = 1,
+) -> bool:
+    """
+    Verify a TOTP code against a secret.
+
+    This function validates the provided code against the TOTP secret, allowing
+    for a time window to account for clock drift between the server and the device.
+
+    Args:
+        secret (str): The TOTP secret key.
+        code (str): The code to verify.
+        digits (int): Number of digits in the code (default: 6).
+        step (int): Time step in seconds (default: 30).
+        valid_window (int): Number of time steps to check before and after the current time
+            (default: 1, which means ±30 seconds with default step).
+
+    Returns:
+        bool: True if the code is valid, False otherwise.
+    """
+    try:
+        totp = pyotp.TOTP(secret, digits=digits, interval=step)
+        return totp.verify(code, valid_window=valid_window)
+    except Exception:
+        return False
+
+
+def generate_backup_codes(count: int | None = None) -> list[str]:
+    """
+    Generate a set of backup recovery codes.
+
+    Each code is a random alphanumeric string that can be used once for authentication
+    when the primary MFA device is unavailable.
+
+    Args:
+        count (int | None): Number of codes to generate. If None, uses the
+            MFA_BACKUP_CODES_COUNT setting.
+
+    Returns:
+        list[str]: List of generated backup codes.
+    """
+    if count is None:
+        count = auth_settings.MFA_BACKUP_CODES_COUNT
+
+    codes = []
+    for _ in range(count):
+        # Generate 8-character alphanumeric code (without ambiguous characters)
+        alphabet = string.ascii_uppercase + string.digits
+        alphabet = alphabet.replace('O', '').replace('0', '').replace('I', '').replace('1', '')
+        code = ''.join(secrets.choice(alphabet) for _ in range(8))
+        # Format as XXXX-XXXX for readability
+        formatted_code = f'{code[:4]}-{code[4:]}'
+        codes.append(formatted_code)
+
+    return codes
+
+
+def hash_backup_code(code: str) -> bytes:
+    """
+    Hash a backup code for secure storage.
+
+    Uses bcrypt for hashing, similar to password hashing.
+
+    Args:
+        code (str): The backup code to hash.
+
+    Returns:
+        bytes: The hashed code.
+    """
+    import bcrypt
+
+    # Remove formatting (dashes) before hashing
+    clean_code = code.replace('-', '')
+    return bcrypt.hashpw(clean_code.encode('utf-8'), bcrypt.gensalt())
+
+
+def verify_backup_code(hashed_code: bytes, code: str) -> bool:
+    """
+    Verify a backup code against its hash.
+
+    Args:
+        hashed_code (bytes): The stored hashed code.
+        code (str): The code to verify.
+
+    Returns:
+        bool: True if the code matches, False otherwise.
+    """
+    import bcrypt
+
+    try:
+        # Remove formatting (dashes) before verification
+        clean_code = code.replace('-', '')
+        return bcrypt.checkpw(clean_code.encode('utf-8'), hashed_code)
+    except Exception:
+        return False
+
+
+def generate_email_mfa_code(length: int = 6) -> str:
+    """
+    Generate a random numeric code for email-based MFA.
+
+    Args:
+        length (int): Length of the code (default: 6).
+
+    Returns:
+        str: A random numeric code.
+    """
+    return ''.join(secrets.choice(string.digits) for _ in range(length))
+
+
+def get_email_code_expiration() -> datetime:
+    """
+    Calculate the expiration time for an email MFA code.
+
+    Returns:
+        datetime: The expiration timestamp.
+    """
+    expiration_seconds = auth_settings.MFA_EMAIL_CODE_EXPIRATION
+    return datetime.now(tz=UTC) + timedelta(seconds=expiration_seconds)
+
+
+def is_email_code_valid(code_expires_at: datetime) -> bool:
+    """
+    Check if an email MFA code is still valid (not expired).
+
+    Args:
+        code_expires_at (datetime): The expiration timestamp of the code.
+
+    Returns:
+        bool: True if the code is still valid, False if expired.
+    """
+    return datetime.now(tz=UTC) < code_expires_at

amsdal/contrib/auth/utils/mfa.pyi

@@ -0,0 +1,119 @@
+from amsdal.contrib.auth.models.mfa_device import MFADevice as MFADevice
+from amsdal.contrib.auth.models.user import User as User
+from amsdal.contrib.auth.settings import auth_settings as auth_settings
+from datetime import datetime
+from enum import StrEnum
+
+class DeviceType(StrEnum):
+    TOTP = 'totp'
+    BACKUP_CODE = 'backup_code'
+    EMAIL = 'email'
+    SMS = 'sms'
+
+def get_active_user_devices(user: User) -> dict[DeviceType, list['MFADevice']]: ...
+async def aget_active_user_devices(user: User) -> dict[DeviceType, list['MFADevice']]: ...
+def generate_totp_secret() -> str:
+    """
+    Generate a new TOTP secret key.
+
+    Returns:
+        str: A base32-encoded random secret key.
+    """
+def generate_qr_code_url(secret: str, email: str, issuer: str | None = None) -> str:
+    """
+    Generate a QR code URL for TOTP device setup.
+
+    This creates an otpauth:// URL that can be scanned by authenticator apps
+    like Google Authenticator, Authy, etc.
+
+    Args:
+        secret (str): The TOTP secret key.
+        email (str): The user's email address.
+        issuer (str | None): The issuer name to display in the app. If None, uses the
+            MFA_TOTP_ISSUER setting.
+
+    Returns:
+        str: The otpauth:// URL for QR code generation.
+    """
+def verify_totp_code(secret: str, code: str, digits: int = 6, step: int = 30, valid_window: int = 1) -> bool:
+    """
+    Verify a TOTP code against a secret.
+
+    This function validates the provided code against the TOTP secret, allowing
+    for a time window to account for clock drift between the server and the device.
+
+    Args:
+        secret (str): The TOTP secret key.
+        code (str): The code to verify.
+        digits (int): Number of digits in the code (default: 6).
+        step (int): Time step in seconds (default: 30).
+        valid_window (int): Number of time steps to check before and after the current time
+            (default: 1, which means ±30 seconds with default step).
+
+    Returns:
+        bool: True if the code is valid, False otherwise.
+    """
+def generate_backup_codes(count: int | None = None) -> list[str]:
+    """
+    Generate a set of backup recovery codes.
+
+    Each code is a random alphanumeric string that can be used once for authentication
+    when the primary MFA device is unavailable.
+
+    Args:
+        count (int | None): Number of codes to generate. If None, uses the
+            MFA_BACKUP_CODES_COUNT setting.
+
+    Returns:
+        list[str]: List of generated backup codes.
+    """
+def hash_backup_code(code: str) -> bytes:
+    """
+    Hash a backup code for secure storage.
+
+    Uses bcrypt for hashing, similar to password hashing.
+
+    Args:
+        code (str): The backup code to hash.
+
+    Returns:
+        bytes: The hashed code.
+    """
+def verify_backup_code(hashed_code: bytes, code: str) -> bool:
+    """
+    Verify a backup code against its hash.
+
+    Args:
+        hashed_code (bytes): The stored hashed code.
+        code (str): The code to verify.
+
+    Returns:
+        bool: True if the code matches, False otherwise.
+    """
+def generate_email_mfa_code(length: int = 6) -> str:
+    """
+    Generate a random numeric code for email-based MFA.
+
+    Args:
+        length (int): Length of the code (default: 6).
+
+    Returns:
+        str: A random numeric code.
+    """
+def get_email_code_expiration() -> datetime:
+    """
+    Calculate the expiration time for an email MFA code.
+
+    Returns:
+        datetime: The expiration timestamp.
+    """
+def is_email_code_valid(code_expires_at: datetime) -> bool:
+    """
+    Check if an email MFA code is still valid (not expired).
+
+    Args:
+        code_expires_at (datetime): The expiration timestamp of the code.
+
+    Returns:
+        bool: True if the code is still valid, False if expired.
+    """

amsdal/contrib/frontend_configs/conversion/convert.py

@@ -1,3 +1,4 @@
+from contextlib import suppress
 from datetime import date
 from datetime import datetime
 from enum import Enum
@@ -9,16 +10,19 @@ from typing import Any
 from typing import ClassVar
 from typing import ForwardRef
 from typing import Union
+from typing import get_args
+from typing import get_origin
 
-from amsdal_models.classes.manager import ClassManager
+from amsdal_models.classes.class_manager import ClassManager
 from amsdal_models.classes.model import LegacyModel
 from amsdal_models.classes.model import Model
+from amsdal_models.classes.model import TypeModel
+from amsdal_models.classes.relationships.constants import MANY_TO_MANY_FIELDS
+from amsdal_models.schemas.object_schema import model_to_object_schema
 from amsdal_utils.models.data_models.reference import Reference
 from pydantic import BaseModel
 from pydantic_core import PydanticUndefined
 
-from amsdal.schemas.manager import SchemaManager
-
 default_types_map = {
     int: 'number',
     float: 'number',
@@ -32,11 +36,19 @@ default_types_map = {
 
 def _process_union(value: UnionType, *, is_transaction: bool = False) -> dict[str, Any]:
     arg_type = {'required': True}
-    for arg in value.__args__:
+
+    for arg in get_args(value):
         if arg is type(None):
             arg_type['required'] = False
             continue
 
+        if not is_transaction:
+            with suppress(TypeError):
+                if issubclass(arg, Model):
+                    arg_type['type'] = 'object_latest'  # type: ignore[assignment]
+                    arg_type['entityType'] = arg.__name__
+                    continue
+
         control = convert_to_frontend_config(arg, is_transaction=is_transaction)
         if control:
             arg_type.update(control)
@@ -59,9 +71,10 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
     Returns:
         dict[str, Any]: A dictionary representing the frontend configuration for the given value.
     """
-    if hasattr(value, '__origin__'):
-        origin_class = value.__origin__
+    schema = None
+    origin_class = get_origin(value)
 
+    if origin_class:
         if origin_class in [ClassVar]:
             return {}
 
@@ -100,7 +113,7 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
 
     if isinstance(value, ForwardRef):
         class_name = value.__forward_arg__
-        _class = ClassManager().import_class(class_name, ClassManager().resolve_schema_type(class_name))
+        _class = ClassManager().import_class(class_name)
 
         if issubclass(_class, Model):
             return {
@@ -127,6 +140,19 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
         return {
             'type': 'text',
         }
+    if value.__class__.__name__ == '_LiteralGenericAlias' and hasattr(value, '__origin__'):
+        options = get_args(value)
+        return {
+            'type': 'select',
+            'options': [{'label': str(option), 'value': option} for option in options],
+        }
+
+    if value.__class__.__name__ == '_AnnotatedAlias' and hasattr(value, '__origin__'):
+        # Handle Annotated types
+        options = get_args(value)
+        if options:
+            val = convert_to_frontend_config(options[0], is_transaction=is_transaction)
+            return val
 
     if isinstance(value, FunctionType):
         function_controls = []
@@ -163,7 +189,8 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
                 control['value'] = _param.default
                 control['required'] = False
 
-            function_controls.append(control)
+            if not control['name'].startswith('_'):
+                function_controls.append(control)
 
         return {
             'type': 'group',
@@ -172,10 +199,13 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
             'controls': function_controls,
         }
 
-    if issubclass(value, Reference):
-        return {
-            'type': 'object_latest',
-        }
+    try:
+        if issubclass(value, Reference):
+            return {
+                'type': 'object_latest',
+            }
+    except TypeError:
+        return {}
 
     if is_transaction and issubclass(value, Model):
         if value.__name__ == 'File':
@@ -190,27 +220,38 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
     if issubclass(value, LegacyModel):
         return {}
 
+    is_timestamp_mixin = False
     if issubclass(value, BaseModel):
         model_controls = []
 
         try:
-            schema = SchemaManager().get_schema_by_name(value.__name__)
+            if issubclass(value, Model | TypeModel):
+                schema = model_to_object_schema(value)
+
+                _mro = value.mro()
+
+                # remove updated_at and created_at fields
+                if any(cls.__name__ == 'TimestampMixin' for cls in _mro):
+                    is_timestamp_mixin = True
+
         except FileNotFoundError:
             schema = None
 
-        for field_name, field in value.__annotations__.items():
-            control = convert_to_frontend_config(field, is_transaction=is_transaction)
+        if value.__name__ == 'File':
+            return {
+                'type': 'file',
+            }
+
+        for field_name, field in value.model_fields.items():
+            control = convert_to_frontend_config(field.annotation, is_transaction=is_transaction)
 
             if not control:
                 continue
 
             control.setdefault('required', True)
 
-            if field_name in value.model_fields:
-                _field = value.model_fields[field_name]
-
-                if _field.default is not PydanticUndefined:
-                    control['value'] = _field.default
+            if field.default is not PydanticUndefined:
+                control['value'] = field.default
 
             control['name'] = field_name
             control['label'] = field_name
@@ -232,8 +273,24 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
                 if schema_property.title:
                     control['label'] = schema_property.title
 
+            if not control['name'].startswith('_'):
+                model_controls.append(control)
+
+        for m2m, (m2m_ref, _, _, field_info) in (getattr(value, MANY_TO_MANY_FIELDS, None) or {}).items():
+            pass
+            control = convert_to_frontend_config(list[Reference | m2m_ref], is_transaction=is_transaction)  # type: ignore[valid-type]
+
+            if getattr(field_info, 'default', PydanticUndefined) is not PydanticUndefined:
+                control['value'] = field_info.default
+
+            control['name'] = m2m
+            control['label'] = m2m
+            control['required'] = False
             model_controls.append(control)
 
+        if is_timestamp_mixin:
+            model_controls = [c for c in model_controls if c['name'] not in ('created_at', 'updated_at')]
+
         return {
             'type': 'group',
             'name': value.__name__,
@@ -241,10 +298,13 @@ def convert_to_frontend_config(value: Any, *, is_transaction: bool = False) -> d
             'controls': model_controls,
         }
 
-    if issubclass(value, Enum):
-        return {
-            'type': 'select',
-            'options': [{'label': option.name, 'value': option.value} for option in value],
-        }
+    try:
+        if issubclass(value, Enum):
+            return {
+                'type': 'select',
+                'options': [{'label': option.name, 'value': option.value} for option in value],
+            }
+    except TypeError:
+        pass
 
     return {}

amsdal/contrib/frontend_configs/conversion/convert.pyi

@@ -1,5 +1,4 @@
 from _typeshed import Incomplete
-from amsdal.schemas.manager import SchemaManager as SchemaManager
 from types import UnionType
 from typing import Any
 

amsdal/contrib/frontend_configs/lifecycle/consumer.py

@@ -1,3 +1,4 @@
+# mypy: disable-error-code="arg-type"
 import contextlib
 import logging
 from typing import Any
@@ -7,14 +8,14 @@ from amsdal_utils.lifecycle.consumer import LifecycleConsumer
 from amsdal_utils.models.data_models.address import Address
 from amsdal_utils.models.data_models.core import LegacyDictSchema
 from amsdal_utils.models.data_models.enums import CoreTypes
-from amsdal_utils.models.data_models.schema import PropertyData
-from amsdal_utils.models.enums import SchemaTypes
 from amsdal_utils.models.enums import Versions
+from amsdal_utils.schemas.schema import PropertyData
 
 logger = logging.getLogger(__name__)
 
 core_to_frontend_types = {
     CoreTypes.NUMBER.value: 'number',
+    CoreTypes.INTEGER.value: 'integer',
     CoreTypes.BOOLEAN.value: 'checkbox',
     CoreTypes.STRING.value: 'text',
     CoreTypes.ANYTHING.value: 'text',
@@ -126,6 +127,7 @@ def populate_frontend_config_with_values(config: dict[str, Any], values: dict[st
 
     if config.get('name') in values:
         config['value'] = values[config['name']]
+
     return config
 
 
@@ -167,23 +169,36 @@ def get_default_control(class_name: str) -> dict[str, Any]:
     Returns:
         dict[str, Any]: A dictionary representing the frontend control configuration for the given class.
     """
-    from amsdal_models.classes.manager import ClassManager
+    from amsdal_models.classes.class_manager import ClassManager
 
     from amsdal.contrib.frontend_configs.conversion import convert_to_frontend_config
-    from models.contrib.frontend_control_config import FrontendControlConfig  # type: ignore[import-not-found]
+    from amsdal.contrib.frontend_configs.models.frontend_control_config import (
+        FrontendControlConfig,  # type: ignore[import-not-found]
+    )
+    from amsdal.models.core.file import File
 
     target_class = None
-    for schema_type in [SchemaTypes.USER, SchemaTypes.CONTRIB, SchemaTypes.CORE]:
-        with contextlib.suppress(AmsdalClassNotFoundError):
-            target_class = ClassManager().import_class(class_name, schema_type)
-
-        if target_class:
-            break
+    with contextlib.suppress(AmsdalClassNotFoundError):
+        target_class = ClassManager().import_class(class_name)
 
     if not target_class:
         return {}
 
-    return FrontendControlConfig(**convert_to_frontend_config(target_class)).model_dump(
+    if target_class is File:
+        config = {
+            'type': 'group',
+            'name': 'File',
+            'label': 'File',
+            'controls': [
+                {'label': 'Filename', 'name': 'filename', 'type': 'text', 'required': True},
+                {'label': 'Data', 'name': 'data', 'type': 'Bytes', 'required': True},
+                {'label': 'Size', 'name': 'size', 'type': 'number', 'required': False},
+            ],
+        }
+    else:
+        config = convert_to_frontend_config(target_class, is_transaction=False)
+
+    return FrontendControlConfig(**config).model_dump(
         exclude_none=True,
     )
 
@@ -212,7 +227,9 @@ class ProcessResponseConsumer(LifecycleConsumer):
         Returns:
             None
         """
-        from models.contrib.frontend_model_config import FrontendModelConfig  # type: ignore[import-not-found]
+        from amsdal.contrib.frontend_configs.models.frontend_model_config import (
+            FrontendModelConfig,  # type: ignore[import-not-found]
+        )
 
         class_name = None
         values = {}
@@ -257,7 +274,9 @@ class ProcessResponseConsumer(LifecycleConsumer):
         Returns:
             None
         """
-        from models.contrib.frontend_model_config import FrontendModelConfig  # type: ignore[import-not-found]
+        from amsdal.contrib.frontend_configs.models.frontend_model_config import (
+            FrontendModelConfig,  # type: ignore[import-not-found]
+        )
 
         class_name = None
         values = {}

amsdal/contrib/frontend_configs/lifecycle/consumer.pyi

@@ -1,6 +1,6 @@
 from _typeshed import Incomplete
 from amsdal_utils.lifecycle.consumer import LifecycleConsumer
-from amsdal_utils.models.data_models.schema import PropertyData
+from amsdal_utils.schemas.schema import PropertyData
 from typing import Any
 
 logger: Incomplete