authentikate 2.2.0__tar.gz → 2.2.1__tar.gz

{authentikate-2.2.0 → authentikate-2.2.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authentikate
-Version: 2.2.0
+Version: 2.2.1
 Author-email: jhnnsrs <jhnnsrs@gmail.com>
 License-Expression: MIT
 License-File: LICENSE

{authentikate-2.2.0 → authentikate-2.2.1}/authentikate/base_models.py

@@ -1,7 +1,7 @@
 import hashlib
 import logging
 import asyncio
-from typing import Literal, Type, Union, Annotated, cast
+from typing import Literal, Union, Annotated, cast
 import httpx
 from pydantic import (
     BaseModel,
@@ -94,30 +94,28 @@ class JWTToken(BaseModel):
     """ The client device identifier """
 
     @field_validator("aud", mode="before")
-    def aud_to_list(
-        cls: Type["JWTToken"], v: str | list[str] | None
-    ) -> list[str] | None:
+    @classmethod
+    def aud_to_list(cls, v: str | list[str] | None) -> list[str] | None:
         """Convert the aud to a list"""
         return coerce_aud_to_list(v)
 
     @field_validator("sub", mode="before")
-    def sub_to_username(cls: Type["JWTToken"], v: str) -> str:
+    @classmethod
+    def sub_to_username(cls, v: str) -> str:
         """Convert the sub to a username compatible string"""
         if isinstance(v, int):
             return str(v)
         return v
 
     @field_validator("iat", mode="before")
-    def iat_to_datetime(
-        cls: Type["JWTToken"], v: int
-    ) -> datetime.datetime | None:
+    @classmethod
+    def iat_to_datetime(cls, v: int) -> datetime.datetime | None:
         """Convert the iat to a datetime object"""
         return coerce_unix_to_datetime(v)
 
     @field_validator("exp", mode="before")
-    def exp_to_datetime(
-        cls: Type["JWTToken"], v: int
-    ) -> datetime.datetime | None:
+    @classmethod
+    def exp_to_datetime(cls, v: int) -> datetime.datetime | None:
         """Convert the exp to a datetime object"""
         return coerce_unix_to_datetime(v)
 
@@ -266,7 +264,8 @@ class JWKIssuer(Issuer):
     """The JWKS document of the issuer (a dict with a "keys" list)"""
 
     @field_validator("jwks", mode="before")
-    def validate_jwks_dict(cls: Type["JWKIssuer"], v: Dict[str, Any]) -> Dict[str, Any]:
+    @classmethod
+    def validate_jwks_dict(cls, v: Dict[str, Any]) -> Dict[str, Any]:
         """Validate the jwks dict"""
         if not isinstance(v, dict):
             raise ValueError("jwks_dict must be a dict")
@@ -531,7 +530,8 @@ class ProvenanceSettings(BaseModel):
     """The signature algorithms allowed for provenance tokens (alg is pinned)."""
 
     @field_validator("algorithms")
-    def reject_unsafe_algorithms(cls: Type["ProvenanceSettings"], v: list[str]) -> list[str]:
+    @classmethod
+    def reject_unsafe_algorithms(cls, v: list[str]) -> list[str]:
         """Pin the alg per RFC 8725: forbid an empty list and the ``none`` alg.
 
         An empty allow-list or ``alg: none`` would let an attacker present an

{authentikate-2.2.0 → authentikate-2.2.1}/authentikate/expand.py

@@ -1,5 +1,6 @@
 from dataclasses import dataclass
 from django.contrib.auth.models import Group
+from django.db import IntegrityError
 from authentikate import base_models, models
 import logging
 from typing import cast
@@ -167,26 +168,7 @@ async def aexpand_user_from_token(
 
     try:
         user = await models.User.objects.aget(sub=token.sub, iss=token.iss)
-        if user.changed_hash != token.changed_hash:
-            # User has changed, update the user object
-            user.first_name = token.preferred_username
-            user.changed_hash = token.changed_hash
-
-            if organization is not None:
-                user.active_organization = organization
-            elif token.active_org:
-                current_org, _ = await models.Organization.objects.aget_or_create(
-                    slug=token.active_org,
-                )
-                user.active_organization = current_org
-
-            await user.asave()
-            await aset_user_groups(user, token.roles)
-
-        return user
-
     except models.User.DoesNotExist:
-
         user = models.User(
             sub=token.sub,
             username=token_to_username(token),
@@ -196,6 +178,30 @@ async def aexpand_user_from_token(
         user.first_name = token.preferred_username
         user.changed_hash = token.changed_hash
 
+        if organization is not None:
+            user.active_organization = organization
+        elif token.active_org:
+            current_org, _ = await models.Organization.objects.aget_or_create(
+                slug=token.active_org,
+            )
+            user.active_organization = current_org
+
+        try:
+            await user.asave()
+            await aset_user_groups(user, token.roles)
+            return user
+        except IntegrityError:
+            # Lost a concurrent create race: another request authenticating the
+            # same token already inserted this (sub, iss) user. Fall through to
+            # treat the winner's row as an existing user instead of propagating
+            # the IntegrityError.
+            user = await models.User.objects.aget(sub=token.sub, iss=token.iss)
+
+    if user.changed_hash != token.changed_hash:
+        # The token's user metadata changed since we last saw it: sync it across.
+        user.first_name = token.preferred_username
+        user.changed_hash = token.changed_hash
+
         if organization is not None:
             user.active_organization = organization
         elif token.active_org:
@@ -206,7 +212,8 @@ async def aexpand_user_from_token(
 
         await user.asave()
         await aset_user_groups(user, token.roles)
-        return user
+
+    return user
 
 
 async def aexpand_token_context(
@@ -240,25 +247,7 @@ def expand_user_from_token(
 
     try:
         user = models.User.objects.get(sub=token.sub, iss=token.iss)
-        if user.changed_hash != token.changed_hash:
-            # User has changed, update the user object
-            user.first_name = token.preferred_username
-            user.changed_hash = token.changed_hash
-            set_user_groups(user, token.roles)
-
-            if token.active_org:
-                current_org, _ = models.Organization.objects.get_or_create(
-                    slug=token.active_org
-                )
-
-                user.active_organization = current_org
-
-            user.save()
-
-        return user
-
     except models.User.DoesNotExist:
-
         user = models.User(
             sub=token.sub,
             username=(token_to_username(token)),
@@ -268,6 +257,29 @@ def expand_user_from_token(
         user.first_name = token.preferred_username
         user.changed_hash = token.changed_hash
 
+        if token.active_org:
+            current_org, _ = models.Organization.objects.get_or_create(
+                slug=token.active_org
+            )
+
+            user.active_organization = current_org
+
+        try:
+            user.save()
+            set_user_groups(user, token.roles)
+            return user
+        except IntegrityError:
+            # Lost a concurrent create race: another request authenticating the
+            # same token already inserted this (sub, iss) user. Fall through to
+            # treat the winner's row as an existing user instead of propagating
+            # the IntegrityError.
+            user = models.User.objects.get(sub=token.sub, iss=token.iss)
+
+    if user.changed_hash != token.changed_hash:
+        # The token's user metadata changed since we last saw it: sync it across.
+        user.first_name = token.preferred_username
+        user.changed_hash = token.changed_hash
+
         if token.active_org:
             current_org, _ = models.Organization.objects.get_or_create(
                 slug=token.active_org
@@ -277,7 +289,8 @@ def expand_user_from_token(
 
         user.save()
         set_user_groups(user, token.roles)
-        return user
+
+    return user
 
 
 async def aexpand_client_from_token(

authentikate-2.2.1/authentikate/migrations/0006_alter_app_identifier_alter_release_unique_together.py

@@ -0,0 +1,22 @@
+# Generated by Django 6.0.5 on 2026-06-29 15:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentikate", "0005_alter_client_client_id"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="app",
+            name="identifier",
+            field=models.CharField(max_length=2000, unique=True),
+        ),
+        migrations.AlterUniqueTogether(
+            name="release",
+            unique_together={("app", "version")},
+        ),
+    ]

{authentikate-2.2.0 → authentikate-2.2.1}/authentikate/models.py

@@ -82,7 +82,7 @@ class Device(models.Model):
 class App(models.Model):
     """An App model to represent an application in the system"""
 
-    identifier = models.CharField(max_length=2000)
+    identifier = models.CharField(max_length=2000, unique=True)
     """The application identifier (from the token's client_app claim)"""
 
     def __str__(self) -> str:
@@ -101,6 +101,8 @@ class Release(models.Model):
     class Meta:
         """Meta class for Release"""
 
+        unique_together = ("app", "version")
+
 
 class Client(models.Model):
     """An Oauth2 Client

{authentikate-2.2.0 → authentikate-2.2.1}/authentikate/provenance/models.py

@@ -7,7 +7,7 @@ verification entrypoint.
 """
 
 import datetime
-from typing import Any, Type
+from typing import Any
 
 from pydantic import BaseModel, ConfigDict, field_validator
 
@@ -73,23 +73,20 @@ class ProvenanceToken(BaseModel):
     """The raw original token string."""
 
     @field_validator("aud", mode="before")
-    def aud_to_list(
-        cls: Type["ProvenanceToken"], v: str | list[str] | None
-    ) -> list[str] | None:
+    @classmethod
+    def aud_to_list(cls, v: str | list[str] | None) -> list[str] | None:
         """Convert the aud to a list"""
         return coerce_aud_to_list(v)
 
     @field_validator("iat", mode="before")
-    def iat_to_datetime(
-        cls: Type["ProvenanceToken"], v: int
-    ) -> datetime.datetime | None:
+    @classmethod
+    def iat_to_datetime(cls, v: int) -> datetime.datetime | None:
         """Convert the iat to a datetime object"""
         return coerce_unix_to_datetime(v)
 
     @field_validator("exp", mode="before")
-    def exp_to_datetime(
-        cls: Type["ProvenanceToken"], v: int
-    ) -> datetime.datetime | None:
+    @classmethod
+    def exp_to_datetime(cls, v: int) -> datetime.datetime | None:
         """Convert the exp to a datetime object"""
         return coerce_unix_to_datetime(v)
 

{authentikate-2.2.0 → authentikate-2.2.1}/authentikate/strawberry/extension.py

@@ -144,7 +144,10 @@ class AuthentikateExtension(SchemaExtension):
                             dict(context.headers), settings
                         )
                         if provenance is not None:
-                            context.request.set_provenance(provenance)
+                            # ProvenanceToken structurally satisfies kante's
+                            # Provenance protocol at runtime; the nested Actor
+                            # types differ only by protocol invariance.
+                            context.request.set_provenance(provenance)  # pyright: ignore[reportArgumentType]
                             context.request.set_extension("provenance", provenance)
             else:
                 raise ValueError(

{authentikate-2.2.0 → authentikate-2.2.1}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentikate"
-version = "2.2.0"
+version = "2.2.1"
 description = ""
 authors = [{ name = "jhnnsrs", email = "jhnnsrs@gmail.com" }]
 requires-python = ">=3.12, <4.0"
@@ -23,7 +23,8 @@ dev-dependencies =  [
     "cryptography>=45.0.1",
     "ruff>=0.0.282,<0.0.283",
     "black>=22",
-    "django-stubs>=4.2.7,<5",
+    "basedpyright>=1.10.0",
+    "django-types>=0.19.1",
     "python-semantic-release>=9.21.1",
     "daphne>=4.1.2",
     "pytest-asyncio>=0.23.8",
@@ -34,11 +35,16 @@ omit = [
     "test_project/*"
 ]
 
-[tool.mypy]
-exclude = ["venv/", "tests/", "examples/"]
-plugins = ["mypy_django_plugin.main","pydantic.mypy"]
-ignore_missing_imports = true
-strict = true
+[tool.basedpyright]
+include = ["authentikate"]
+exclude = ["**/migrations", "venv", ".venv", "tests", "examples"]
+pythonVersion = "3.12"
+typeCheckingMode = "standard"
+reportMissingTypeStubs = false
+# Pydantic models intentionally narrow inherited fields (e.g. a discriminator
+# `kind: str` -> `Literal[...]`, or an optional base field made required in a
+# subclass). Pyright flags these because mutable attributes are invariant.
+reportIncompatibleVariableOverride = false
 
 [tool.hatch.build.targets.sdist]
 include = ["authentikate"]
@@ -50,9 +56,6 @@ include = ["authentikate"]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
 
-[tool.django-stubs]
-django_settings_module = "test_project.settings"
-
 [tool.pytest.ini_options]
 DJANGO_SETTINGS_MODULE = "test_project.settings"
 
@@ -61,7 +64,7 @@ DJANGO_SETTINGS_MODULE = "test_project.settings"
 # Unlike Flake8, Ruff doesn't enable pycodestyle warnings (`W`) or
 # McCabe complexity (`C901`) by default.
 extend-select = ["ANN", "D1"]
-extend-ignore = [ "ANN002", "ANN003", "D100", "ANN401", "ANN101"]
+extend-ignore = [ "ANN002", "ANN003", "D100", "ANN401", "ANN101", "ANN102"]
 
 # Exclude a variety of commonly ignored directories.
 exclude = [