auth-sdk-m8 0.1.0.2__tar.gz

auth_sdk_m8-0.1.0.2/.github/workflows/PiPy.yml

@@ -0,0 +1,70 @@
+# This workflow will upload a Python Package to PyPI when a release is created
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Upload Python Package
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  release-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+
+      - name: Build release distributions
+        run: |
+          # NOTE: put your own distribution build steps here.
+          python -m pip install build
+          python -m build
+
+      - name: Upload distributions
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-dists
+          path: dist/
+
+  pypi-publish:
+    runs-on: ubuntu-latest
+    needs:
+      - release-build
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
+
+    # Dedicated environments with protections for publishing are strongly recommended.
+    # For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
+    environment:
+      name: pypi
+      # OPTIONAL: uncomment and update to include your PyPI project URL in the deployment status:
+      #url: https://pypi.org/p/auth_sdk_m8
+      #
+      # ALTERNATIVE: if your GitHub Release name is the PyPI project version string
+      # ALTERNATIVE: exactly, uncomment the following line instead:
+      url: https://pypi.org/project/auth_sdk_m8/${{ github.event.release.name }}
+
+    steps:
+      - name: Retrieve release distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: release-dists
+          path: dist/
+
+      - name: Publish release distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}

auth_sdk_m8-0.1.0.2/.gitignore

@@ -0,0 +1,218 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+# Temporary file for partial code execution
+tempCodeRunnerFile.py
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml

auth_sdk_m8-0.1.0.2/.vscode/settings.json

@@ -0,0 +1,9 @@
+{
+    "python.testing.pytestArgs": [
+       
+    ],
+    "python.testing.unittestEnabled": false,
+    "python.testing.pytestEnabled": true,
+    "python-envs.defaultEnvManager": "ms-python.python:conda",
+    "python-envs.defaultPackageManager": "ms-python.python:conda"
+}

auth_sdk_m8-0.1.0.2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Eli Serra
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

auth_sdk_m8-0.1.0.2/PKG-INFO

@@ -0,0 +1,287 @@
+Metadata-Version: 2.4
+Name: auth-sdk-m8
+Version: 0.1.0.2
+Summary: Shared authentication schemas, JWT utilities and FastAPI base components for m8 microservices.
+Project-URL: Homepage, https://gitlab.com/yourorg/auth-sdk-m8
+Project-URL: Repository, https://gitlab.com/yourorg/auth-sdk-m8
+Project-URL: Issue Tracker, https://gitlab.com/yourorg/auth-sdk-m8/-/issues
+Author-email: Eli Serra <mex.serra@gmail.com>
+License: MIT License
+        
+        Copyright (c) 2026 Eli Serra
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: auth,fastapi,jwt,microservices,pydantic
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.11
+Requires-Dist: email-validator>=2.2.0
+Requires-Dist: pydantic>=2.10.6
+Provides-Extra: all
+Requires-Dist: fastapi>=0.115.7; extra == 'all'
+Requires-Dist: pydantic-settings>=2.7.1; extra == 'all'
+Requires-Dist: pyjwt>=2.10.1; extra == 'all'
+Requires-Dist: redis>=5.2.1; extra == 'all'
+Requires-Dist: sqlalchemy>=2.0.38; extra == 'all'
+Requires-Dist: sqlmodel>=0.0.22; extra == 'all'
+Provides-Extra: config
+Requires-Dist: pydantic-settings>=2.7.1; extra == 'config'
+Provides-Extra: db
+Requires-Dist: sqlalchemy>=2.0.38; extra == 'db'
+Requires-Dist: sqlmodel>=0.0.22; extra == 'db'
+Provides-Extra: dev
+Requires-Dist: fastapi>=0.115.7; extra == 'dev'
+Requires-Dist: pydantic-settings>=2.7.1; extra == 'dev'
+Requires-Dist: pyjwt>=2.10.1; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.3; extra == 'dev'
+Requires-Dist: redis>=5.2.1; extra == 'dev'
+Requires-Dist: ruff>=0.9; extra == 'dev'
+Requires-Dist: sqlalchemy>=2.0.38; extra == 'dev'
+Requires-Dist: sqlmodel>=0.0.22; extra == 'dev'
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.115.7; extra == 'fastapi'
+Provides-Extra: redis
+Requires-Dist: redis>=5.2.1; extra == 'redis'
+Provides-Extra: security
+Requires-Dist: pyjwt>=2.10.1; extra == 'security'
+Description-Content-Type: text/markdown
+
+# auth-sdk-m8
+
+Shared authentication schemas, JWT utilities, and FastAPI base components for **m8 microservices**.
+
+This package is extracted from `auth_user_service` and is intended to be installed by any service
+that integrates with it via Docker Compose. It provides the Pydantic schemas matching the auth
+service's API, JWT validation helpers, and optional FastAPI/SQLModel base classes.
+
+---
+
+## Installation
+
+### From GitLab Package Registry (recommended after first publish)
+
+```bash
+pip install auth-sdk-m8 \
+  --index-url https://gitlab.com/api/v4/projects/<PROJECT_ID>/packages/pypi/simple \
+  --extra-index-url https://pypi.org/simple
+```
+
+With a deploy token in `pip.conf` or `~/.netrc`:
+```ini
+# pip.conf
+[global]
+index-url = https://gitlab.com/api/v4/projects/<PROJECT_ID>/packages/pypi/simple
+extra-index-url = https://pypi.org/simple
+```
+
+### Directly from GitLab via git
+
+```bash
+pip install "auth-sdk-m8 @ git+https://gitlab.com/yourorg/auth-sdk-m8.git@v0.1.0"
+```
+
+### For development (editable install)
+
+```bash
+git clone https://gitlab.com/yourorg/auth-sdk-m8.git
+cd auth-sdk-m8
+pip install -e ".[all,dev]"
+```
+
+---
+
+## Optional dependency groups
+
+Install only what your service needs:
+
+| Extra | Installs | Use when |
+|---|---|---|
+| *(none)* | `pydantic`, `email-validator` | schemas only |
+| `[security]` | `PyJWT` | local JWT validation |
+| `[fastapi]` | `fastapi` | cookie helpers, `BaseController` |
+| `[redis]` | `redis` | Redis event bus |
+| `[config]` | `pydantic-settings` | `CommonSettings` base class |
+| `[db]` | `sqlmodel`, `sqlalchemy` | `TimestampMixin`, DB error parsing |
+| `[all]` | everything above | full feature set |
+
+Examples:
+
+```bash
+# A service that only validates tokens locally
+pip install "auth-sdk-m8[security]"
+
+# A FastAPI service using BaseController and JWT
+pip install "auth-sdk-m8[security,fastapi,db]"
+
+# A service that only listens to Redis events
+pip install "auth-sdk-m8[redis]"
+```
+
+---
+
+## Quick start
+
+### Validate a JWT from auth_user_service
+
+```python
+from auth_sdk_m8.core.security import ComSecurityHelper
+from auth_sdk_m8.core.exceptions import InvalidToken
+from auth_sdk_m8.schemas.auth import TokenDecodeProps
+from pydantic import SecretStr
+
+try:
+    user = ComSecurityHelper.decode_access_token(
+        TokenDecodeProps(
+            access_token=bearer_token,
+            secret_key=SecretStr(ACCESS_SECRET_KEY),
+            algorithm="HS256",
+        )
+    )
+    print(user.email, user.role)
+except InvalidToken:
+    # token expired or invalid signature
+    ...
+```
+
+### FastAPI dependency for token validation
+
+```python
+from fastapi import Depends, HTTPException
+from fastapi.security import OAuth2PasswordBearer
+from auth_sdk_m8.core.security import ComSecurityHelper
+from auth_sdk_m8.core.exceptions import InvalidToken
+from auth_sdk_m8.schemas.auth import TokenDecodeProps
+from auth_sdk_m8.schemas.user import UserModel
+from pydantic import SecretStr
+
+oauth2 = OAuth2PasswordBearer(tokenUrl="/auth/login/access-token")
+
+def get_current_user(token: str = Depends(oauth2)) -> UserModel:
+    try:
+        payload = ComSecurityHelper.decode_access_token(
+            TokenDecodeProps(
+                access_token=token,
+                secret_key=SecretStr(settings.ACCESS_SECRET_KEY),
+                algorithm=settings.TOKEN_ALGORITHM,
+            )
+        )
+    except InvalidToken as exc:
+        raise HTTPException(status_code=403, detail="Could not validate credentials.") from exc
+    return UserModel(id=payload.sub, **payload.model_dump(exclude={"sub", "jti", "exp", "type"}))
+```
+
+### Extend CommonSettings for your service
+
+```python
+from pathlib import Path
+from auth_sdk_m8.core.config import CommonSettings
+from auth_sdk_m8.utils.paths import find_dotenv
+from pydantic_settings import SettingsConfigDict
+
+class Settings(CommonSettings):
+    ENV_FILE_DIR = Path(__file__).resolve().parent
+    model_config = SettingsConfigDict(
+        env_file=find_dotenv(ENV_FILE_DIR),
+        env_file_encoding="utf-8",
+    )
+    # add service-specific fields here
+    MY_SERVICE_SECRET: str
+
+settings = Settings()
+```
+
+### Listen to Redis events from auth_user_service
+
+```python
+import asyncio
+from auth_sdk_m8.redis_events.event_bus import EventBus
+from auth_sdk_m8.schemas.user_events import UserDeletedEvent
+
+bus = EventBus(redis_url="redis://localhost:6379")
+
+async def on_user_deleted(event: UserDeletedEvent) -> None:
+    print(f"User {event.user_id} was deleted — cleaning up local data.")
+
+async def main():
+    await bus.subscribe("user.deleted", UserDeletedEvent, on_user_deleted)
+    await asyncio.sleep(3600)  # keep running
+
+asyncio.run(main())
+```
+
+---
+
+## Package layout
+
+```
+src/auth_sdk_m8/
+├── schemas/
+│   ├── auth.py          # JWT payload schemas (TokenUserData, TokenAccessData, …)
+│   ├── base.py          # Enums (AuthProviderType, RoleType, Period) + response models
+│   ├── shared.py        # ValidationConstants (regex patterns)
+│   ├── user.py          # UserModel, SessionModel
+│   ├── redis_events.py  # EventBase
+│   └── user_events.py   # UserDeletedEvent
+├── core/
+│   ├── config.py        # CommonSettings (pydantic-settings base class)
+│   ├── exceptions.py    # InvalidToken
+│   └── security.py      # ComSecurityHelper: JWT decode, PKCE, token hashing
+├── redis_events/
+│   ├── event_bus.py     # EventBus (typed pub/sub)
+│   ├── publisher.py     # EventPublisher
+│   └── subscriber.py    # EventSubscriber
+├── controllers/
+│   └── base.py          # BaseController: unified exception → JSONResponse
+├── models/
+│   └── shared.py        # TimestampMixin, Message, Token, TokenPayload (SQLModel)
+└── utils/
+    ├── errors_parser.py # parse_integrity_error, parse_pydantic_errors
+    └── paths.py         # find_dotenv
+```
+
+---
+
+## Publishing a new version
+
+1. Bump `version` in `pyproject.toml`
+2. Add an entry to `CHANGELOG.md`
+3. Commit and push
+4. Create a git tag: `git tag v0.2.0 && git push origin v0.2.0`
+5. GitLab CI builds and publishes automatically to the Package Registry
+
+---
+
+## Architecture note
+
+This SDK is intentionally thin. It contains **no business logic** — only schemas,
+validation helpers, and infrastructure base classes. Each consuming service validates
+JWTs locally using `ComSecurityHelper` (no network call per request). The `auth_user_service`
+remains the sole authority for issuing tokens; this SDK only provides the tools to
+**read** them.
+
+For production deployments with multiple teams, consider switching to **RS256** asymmetric
+signing so consuming services only need the public key (never the secret).