bluefox-auth 0.1.0__tar.gz

bluefox_auth-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,11 @@
+name: CI
+on: [push, pull_request]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v5
+      - run: make install
+      - run: make ci

bluefox_auth-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,20 @@
+name: Publish to PyPI
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@v5
+      - run: uv build
+      - uses: pypa/gh-action-pypi-publish@release/v1

bluefox_auth-0.1.0/.gitignore

@@ -0,0 +1,207 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/

bluefox_auth-0.1.0/Makefile

@@ -0,0 +1,33 @@
+.PHONY: install test lint format type-check ci fix clean
+
+# Install all dependencies (dev + test)
+install:
+	uv sync --group dev --extra test
+
+# Run all tests
+test:
+	uv run pytest tests/ -v --tb=short
+
+# Lint with ruff
+lint:
+	uv run ruff check bluefox_auth/ tests/
+
+# Type check with ty
+type-check:
+	uv run ty check bluefox_auth/ tests/
+
+# Check formatting
+format:
+	uv run ruff format --check bluefox_auth/ tests/
+
+# Full CI pipeline: lint, format, type-check, tests
+ci: lint format type-check test
+
+# Auto-fix lint issues
+fix:
+	uv run ruff check --fix bluefox_auth/ tests/
+	uv run ruff format bluefox_auth/ tests/
+
+# Remove build artifacts
+clean:
+	rm -rf dist/ *.egg-info .pytest_cache

bluefox_auth-0.1.0/PKG-INFO

@@ -0,0 +1,15 @@
+Metadata-Version: 2.4
+Name: bluefox-auth
+Version: 0.1.0
+Summary: JWT authentication, user management, and authorization for Bluefox apps
+License-Expression: MIT
+Requires-Python: >=3.12
+Requires-Dist: bcrypt>=4.1
+Requires-Dist: bluefox-core<1.0,>=0.1.0
+Requires-Dist: pyjwt>=2.8
+Requires-Dist: python-multipart>=0.0.9
+Provides-Extra: test
+Requires-Dist: bluefox-test<1.0,>=0.1.0; extra == 'test'
+Requires-Dist: httpx>=0.27; extra == 'test'
+Requires-Dist: pytest-asyncio>=0.24; extra == 'test'
+Requires-Dist: pytest>=8.0; extra == 'test'

bluefox_auth-0.1.0/README.md

@@ -0,0 +1,3 @@
+# bluefox-auth
+
+JWT authentication, user management, and authorization for Bluefox apps.

bluefox_auth-0.1.0/bluefox_auth/models.py

@@ -0,0 +1,54 @@
+from datetime import datetime
+
+from bluefox_core.database import BluefoxBase
+from sqlalchemy import Boolean, DateTime, ForeignKey, String, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+
+class BluefoxUser(BluefoxBase):
+    """
+    Base user model for authentication.
+
+    Use directly or extend with custom fields:
+
+        class User(BluefoxUser):
+            __tablename__ = "users"
+            company_id: Mapped[int] = mapped_column(ForeignKey("companies.id"))
+    """
+
+    __tablename__ = "users"
+
+    id: Mapped[int] = mapped_column(primary_key=True)
+    email: Mapped[str] = mapped_column(String(255), unique=True, index=True)
+    password_hash: Mapped[str] = mapped_column(String(255))
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True)
+    is_superuser: Mapped[bool] = mapped_column(Boolean, default=False)
+    email_verified: Mapped[bool] = mapped_column(Boolean, default=False)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now()
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now(), onupdate=func.now()
+    )
+
+
+class RefreshToken(BluefoxBase):
+    """
+    Server-side refresh token record for rotation and revocation.
+
+    Each refresh token belongs to a "family" — a chain of rotated tokens
+    originating from a single login. If a revoked token is replayed,
+    the entire family is invalidated (reuse detection).
+    """
+
+    __tablename__ = "refresh_tokens"
+
+    id: Mapped[int] = mapped_column(primary_key=True)
+    jti: Mapped[str] = mapped_column(String(64), unique=True, index=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), index=True)
+    family_id: Mapped[str] = mapped_column(String(64), index=True)
+    is_revoked: Mapped[bool] = mapped_column(Boolean, default=False)
+    expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True))
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), server_default=func.now()
+    )

bluefox_auth-0.1.0/bluefox_auth/passwords.py

@@ -0,0 +1,21 @@
+import bcrypt
+
+# Pre-computed bcrypt hash for timing-safe comparisons when user is not found.
+_DUMMY_HASH = "$2b$12$LJ3m4ys3Lg2VBe4sFNGDe.NU0TGi5LjGnS/RhOsKNBQPNKZHPIsfG"
+
+
+def hash_password(plain: str) -> str:
+    return bcrypt.hashpw(plain.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
+
+
+def verify_password_timing_safe(plain: str, hashed: str | None) -> bool:
+    """
+    Verify a password, falling back to a dummy hash if hashed is None.
+    Prevents timing-based user enumeration.
+    """
+    target = hashed if hashed is not None else _DUMMY_HASH
+    return verify_password(plain, target) and hashed is not None

bluefox_auth-0.1.0/bluefox_auth/utils.py

@@ -0,0 +1,3 @@
+def normalize_email(email: str) -> str:
+    """Normalize an email: strip whitespace, lowercase."""
+    return email.strip().lower()

bluefox_auth-0.1.0/pyproject.toml

@@ -0,0 +1,44 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "bluefox-auth"
+version = "0.1.0"
+description = "JWT authentication, user management, and authorization for Bluefox apps"
+requires-python = ">=3.12"
+license = "MIT"
+dependencies = [
+    "bluefox-core>=0.1.0,<1.0",
+    "PyJWT>=2.8",
+    "bcrypt>=4.1",
+    "python-multipart>=0.0.9",
+]
+
+[project.optional-dependencies]
+test = [
+    "bluefox-test>=0.1.0,<1.0",
+    "pytest>=8.0",
+    "pytest-asyncio>=0.24",
+    "httpx>=0.27",
+]
+
+[dependency-groups]
+dev = [
+    "ruff>=0.15",
+    "ty>=0.0.23",
+]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+
+[tool.ruff]
+target-version = "py312"
+line-length = 99
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I", "UP", "B", "SIM", "RUF"]
+
+[tool.ty.environment]
+python-version = "3.12"

bluefox_auth-0.1.0/tests/conftest.py

@@ -0,0 +1,10 @@
+from bluefox_core.database import BluefoxBase
+from bluefox_test import bluefox_test_setup
+
+globals().update(
+    bluefox_test_setup(
+        base=BluefoxBase,
+        app_factory=None,
+        session_dependency=None,
+    )
+)

bluefox_auth-0.1.0/tests/test_models.py

@@ -0,0 +1,116 @@
+from datetime import UTC
+
+import pytest
+from sqlalchemy import select
+from sqlalchemy.exc import IntegrityError
+
+from bluefox_auth.models import BluefoxUser, RefreshToken
+
+
+async def test_bluefox_user__creates_with_required_fields(db):
+    user = BluefoxUser(
+        email="test@example.com",
+        password_hash="hashed_password",
+    )
+    db.add(user)
+    await db.flush()
+
+    assert user.id is not None
+    assert user.email == "test@example.com"
+    assert user.password_hash == "hashed_password"
+
+
+async def test_bluefox_user__defaults(db):
+    user = BluefoxUser(
+        email="defaults@example.com",
+        password_hash="hashed_password",
+    )
+    db.add(user)
+    await db.flush()
+
+    assert user.is_active is True
+    assert user.is_superuser is False
+    assert user.email_verified is False
+
+
+async def test_bluefox_user__email_unique_constraint(db):
+    user1 = BluefoxUser(email="dupe@example.com", password_hash="hash1")
+    user2 = BluefoxUser(email="dupe@example.com", password_hash="hash2")
+    db.add(user1)
+    await db.flush()
+    db.add(user2)
+    with pytest.raises(IntegrityError):
+        await db.flush()
+
+
+async def test_bluefox_user__timestamps_set_on_create(db):
+    user = BluefoxUser(email="ts@example.com", password_hash="hash")
+    db.add(user)
+    await db.flush()
+    await db.refresh(user)
+
+    assert user.created_at is not None
+    assert user.updated_at is not None
+
+
+async def test_refresh_token__creates_with_required_fields(db):
+    user = BluefoxUser(email="rt@example.com", password_hash="hash")
+    db.add(user)
+    await db.flush()
+
+    from datetime import datetime
+
+    token = RefreshToken(
+        jti="test-jti-001",
+        user_id=user.id,
+        family_id="family-001",
+        expires_at=datetime(2099, 1, 1, tzinfo=UTC),
+    )
+    db.add(token)
+    await db.flush()
+
+    assert token.id is not None
+    assert token.jti == "test-jti-001"
+    assert token.user_id == user.id
+    assert token.family_id == "family-001"
+    assert token.is_revoked is False
+
+
+async def test_refresh_token__jti_unique_constraint(db):
+    user = BluefoxUser(email="jti@example.com", password_hash="hash")
+    db.add(user)
+    await db.flush()
+
+    from datetime import datetime
+
+    expires = datetime(2099, 1, 1, tzinfo=UTC)
+    t1 = RefreshToken(jti="dupe-jti", user_id=user.id, family_id="f1", expires_at=expires)
+    t2 = RefreshToken(jti="dupe-jti", user_id=user.id, family_id="f2", expires_at=expires)
+    db.add(t1)
+    await db.flush()
+    db.add(t2)
+    with pytest.raises(IntegrityError):
+        await db.flush()
+
+
+async def test_refresh_token__cascade_deletes_on_user_delete(db):
+    user = BluefoxUser(email="cascade@example.com", password_hash="hash")
+    db.add(user)
+    await db.flush()
+
+    from datetime import datetime
+
+    token = RefreshToken(
+        jti="cascade-jti",
+        user_id=user.id,
+        family_id="f1",
+        expires_at=datetime(2099, 1, 1, tzinfo=UTC),
+    )
+    db.add(token)
+    await db.flush()
+
+    await db.delete(user)
+    await db.flush()
+
+    result = await db.execute(select(RefreshToken).where(RefreshToken.jti == "cascade-jti"))
+    assert result.scalar_one_or_none() is None

bluefox_auth-0.1.0/tests/test_passwords.py

@@ -0,0 +1,46 @@
+from bluefox_auth.passwords import hash_password, verify_password, verify_password_timing_safe
+
+
+def test_hash_password__returns_bcrypt_hash():
+    hashed = hash_password("my-password")
+    assert hashed.startswith("$2b$")
+
+
+def test_verify_password__correct_password():
+    hashed = hash_password("correct-horse")
+    assert verify_password("correct-horse", hashed) is True
+
+
+def test_verify_password__wrong_password():
+    hashed = hash_password("correct-horse")
+    assert verify_password("wrong-horse", hashed) is False
+
+
+def test_hash_password__different_salts():
+    h1 = hash_password("same-password")
+    h2 = hash_password("same-password")
+    assert h1 != h2
+
+
+def test_hash_password__rejects_over_72_bytes():
+    """Documents the bcrypt limitation: passwords over 72 bytes raise ValueError."""
+    import pytest
+
+    over_limit = "a" * 73
+    with pytest.raises(ValueError, match="72 bytes"):
+        hash_password(over_limit)
+
+
+def test_verify_password_timing_safe__correct_password():
+    hashed = hash_password("safe-pass")
+    assert verify_password_timing_safe("safe-pass", hashed) is True
+
+
+def test_verify_password_timing_safe__wrong_password():
+    hashed = hash_password("safe-pass")
+    assert verify_password_timing_safe("wrong-pass", hashed) is False
+
+
+def test_verify_password_timing_safe__none_hash_returns_false():
+    # Should still run bcrypt (against dummy hash) but return False
+    assert verify_password_timing_safe("any-password", None) is False

bluefox_auth-0.1.0/tests/test_utils.py

@@ -0,0 +1,13 @@
+from bluefox_auth.utils import normalize_email
+
+
+def test_normalize_email__lowercases():
+    assert normalize_email("Hugo@Example.COM") == "hugo@example.com"
+
+
+def test_normalize_email__strips_whitespace():
+    assert normalize_email("  user@example.com  ") == "user@example.com"
+
+
+def test_normalize_email__combined():
+    assert normalize_email("  Hugo@Example.COM  ") == "hugo@example.com"