ccp4i2-api 0.3.0__tar.gz

ccp4i2_api-0.3.0/.gitignore

@@ -0,0 +1,12 @@
+# TypeScript build output (tsc → lib/)
+lib/
+# Python build output (python -m build → dist/)
+dist/
+build/
+node_modules/
+*.egg-info/
+__pycache__/
+*.pyc
+.pytest_cache/
+coverage/
+.coverage

ccp4i2_api-0.3.0/PKG-INFO

@@ -0,0 +1,98 @@
+Metadata-Version: 2.4
+Name: ccp4i2-api
+Version: 0.3.0
+Summary: Shared API contract (auth, api-fetch, request/response types) for CCP4i2 and consumers
+Project-URL: Homepage, https://github.com/ccp4/ccp4i2/tree/django-sliced/packages/ccp4i2-api
+Project-URL: Repository, https://github.com/ccp4/ccp4i2
+Project-URL: Issues, https://github.com/ccp4/ccp4i2/issues
+Author: CCP4i2 contributors
+License: LGPL-3.0-or-later
+Requires-Python: >=3.9
+Requires-Dist: certifi>=2024.0.0
+Requires-Dist: django<5.0,>=4.2
+Requires-Dist: djangorestframework>=3.14
+Requires-Dist: pyjwt[crypto]>=2.10
+Provides-Extra: test
+Requires-Dist: pytest; extra == 'test'
+Requires-Dist: pytest-django; extra == 'test'
+Description-Content-Type: text/markdown
+
+# `@ccp4/ccp4i2-api` / `ccp4i2-api`
+
+Shared API contract for CCP4i2 and consumers (CCP4i2 Compounds, third-party
+integrators) — auth handshake, api-fetch helpers, and request/response
+types. One package, two language artifacts: TypeScript on the client side
+(browser, Electron) and Python on the server side (Django middleware, DRF
+authentication). Both halves agree on the canonical bearer-token format,
+401 response shape, and the typed payloads carried over the authenticated
+channel.
+
+## Status
+
+**Draft v0 — published to npm + PyPI from the in-tree workspace.** Source
+of truth lives at
+[`packages/ccp4i2-api/`](https://github.com/ccp4/ccp4i2/tree/django-sliced/packages/ccp4i2-api)
+inside the `ccp4/ccp4i2` monorepo on the `django-sliced` branch and stays
+there. The companion `ccp4/ccp4i2-api` GitHub repo (created for the npm
+namespace and external visibility) does not host source.
+
+Versions `0.1.0`–`0.3.0` were published under the previous name
+`@ccp4/ccp4i2-auth` / `ccp4i2-auth`; the package was renamed at `0.3.0`
+because its scope had grown beyond auth to cover the broader API contract.
+The old name is unpublished/yanked; consumers should depend on
+`@ccp4/ccp4i2-api` and `ccp4i2-api` from `0.3.0` onward.
+
+Versioning follows semver from `0.x.y` onwards. The v0 contract is
+documented in
+[`docs/CCP4I2_SERVICE_CONTRACT.md`](https://github.com/ccp4/ccp4i2/blob/django-sliced/docs/CCP4I2_SERVICE_CONTRACT.md);
+field stability promises take effect from this version.
+
+## Layout
+
+| Path | Purpose |
+|---|---|
+| `src/` | TypeScript source. Built to `lib/` via `npm run build`. |
+| `lib/` | Built TypeScript output. Generated; gitignored. |
+| `dist/` | Python distribution output (`python -m build`). Generated; gitignored. Kept distinct from `lib/` so `twine upload dist/*` doesn't accidentally pick up TypeScript artefacts. |
+| `ccp4i2_api/` | Python source. Installed editable via `pip install -e .`. |
+| `tests/js/` | TypeScript tests (vitest, when added). |
+| `tests/python/` | Python tests (pytest, when added). |
+
+## Consumer wiring
+
+In-monorepo consumers can reference this package by local path for fast
+iteration; out-of-monorepo consumers pull the published versions.
+
+**TypeScript** — in-monorepo (`client/package.json`):
+
+```json
+"dependencies": {
+  "@ccp4/ccp4i2-api": "file:../packages/ccp4i2-api"
+}
+```
+
+(Path depth varies by consumer location.) Out-of-monorepo consumers use the
+published range, e.g. `"@ccp4/ccp4i2-api": "^0.3.0"`.
+
+**Python** — in-monorepo (`Docker/server/Dockerfile`, local dev setup):
+
+```bash
+pip install -e packages/ccp4i2-api/
+```
+
+Out-of-monorepo consumers `pip install ccp4i2-api>=0.3`.
+
+## Development
+
+```bash
+# TypeScript
+cd packages/ccp4i2-api
+npm install
+npm run build       # produces lib/
+npm run watch       # rebuilds on change
+
+# Python
+cd packages/ccp4i2-api
+ccp4-python -m pip install -e .
+ccp4-python -c "import ccp4i2_api; print(ccp4i2_api.__version__)"
+```

ccp4i2_api-0.3.0/README.md

@@ -0,0 +1,79 @@
+# `@ccp4/ccp4i2-api` / `ccp4i2-api`
+
+Shared API contract for CCP4i2 and consumers (CCP4i2 Compounds, third-party
+integrators) — auth handshake, api-fetch helpers, and request/response
+types. One package, two language artifacts: TypeScript on the client side
+(browser, Electron) and Python on the server side (Django middleware, DRF
+authentication). Both halves agree on the canonical bearer-token format,
+401 response shape, and the typed payloads carried over the authenticated
+channel.
+
+## Status
+
+**Draft v0 — published to npm + PyPI from the in-tree workspace.** Source
+of truth lives at
+[`packages/ccp4i2-api/`](https://github.com/ccp4/ccp4i2/tree/django-sliced/packages/ccp4i2-api)
+inside the `ccp4/ccp4i2` monorepo on the `django-sliced` branch and stays
+there. The companion `ccp4/ccp4i2-api` GitHub repo (created for the npm
+namespace and external visibility) does not host source.
+
+Versions `0.1.0`–`0.3.0` were published under the previous name
+`@ccp4/ccp4i2-auth` / `ccp4i2-auth`; the package was renamed at `0.3.0`
+because its scope had grown beyond auth to cover the broader API contract.
+The old name is unpublished/yanked; consumers should depend on
+`@ccp4/ccp4i2-api` and `ccp4i2-api` from `0.3.0` onward.
+
+Versioning follows semver from `0.x.y` onwards. The v0 contract is
+documented in
+[`docs/CCP4I2_SERVICE_CONTRACT.md`](https://github.com/ccp4/ccp4i2/blob/django-sliced/docs/CCP4I2_SERVICE_CONTRACT.md);
+field stability promises take effect from this version.
+
+## Layout
+
+| Path | Purpose |
+|---|---|
+| `src/` | TypeScript source. Built to `lib/` via `npm run build`. |
+| `lib/` | Built TypeScript output. Generated; gitignored. |
+| `dist/` | Python distribution output (`python -m build`). Generated; gitignored. Kept distinct from `lib/` so `twine upload dist/*` doesn't accidentally pick up TypeScript artefacts. |
+| `ccp4i2_api/` | Python source. Installed editable via `pip install -e .`. |
+| `tests/js/` | TypeScript tests (vitest, when added). |
+| `tests/python/` | Python tests (pytest, when added). |
+
+## Consumer wiring
+
+In-monorepo consumers can reference this package by local path for fast
+iteration; out-of-monorepo consumers pull the published versions.
+
+**TypeScript** — in-monorepo (`client/package.json`):
+
+```json
+"dependencies": {
+  "@ccp4/ccp4i2-api": "file:../packages/ccp4i2-api"
+}
+```
+
+(Path depth varies by consumer location.) Out-of-monorepo consumers use the
+published range, e.g. `"@ccp4/ccp4i2-api": "^0.3.0"`.
+
+**Python** — in-monorepo (`Docker/server/Dockerfile`, local dev setup):
+
+```bash
+pip install -e packages/ccp4i2-api/
+```
+
+Out-of-monorepo consumers `pip install ccp4i2-api>=0.3`.
+
+## Development
+
+```bash
+# TypeScript
+cd packages/ccp4i2-api
+npm install
+npm run build       # produces lib/
+npm run watch       # rebuilds on change
+
+# Python
+cd packages/ccp4i2-api
+ccp4-python -m pip install -e .
+ccp4-python -c "import ccp4i2_api; print(ccp4i2_api.__version__)"
+```

ccp4i2_api-0.3.0/ccp4i2_api/__init__.py

@@ -0,0 +1,13 @@
+"""Shared API contract for CCP4i2 and consumers.
+
+This package is the Python half of a bilingual API library; the TypeScript
+half is published as ``@ccp4/ccp4i2-api``. Both halves implement the same
+canonical bearer-token format, 401 response shape, and typed payloads
+carried over the authenticated channel.
+
+See the package README for current status and
+``docs/CCP4I2_SERVICE_CONTRACT.md`` in the ccp4i2 monorepo for the
+contract specification.
+"""
+
+__version__ = "0.3.0"

ccp4i2_api-0.3.0/ccp4i2_api/drf.py

@@ -0,0 +1,58 @@
+"""DRF authentication classes for CCP4i2.
+
+These classes work in tandem with the middleware in
+``ccp4i2_api.middleware`` — the middleware validates the bearer token
+and sets ``request.user`` plus the ``REQUEST_FLAG_ATTR`` trust flag; the
+DRF auth class checks the flag and surfaces ``request.user`` to DRF's
+``IsAuthenticated`` permission.
+"""
+
+from rest_framework.authentication import BaseAuthentication
+
+from .middleware.base import REQUEST_FLAG_ATTR
+
+
+class AzureADAuthentication(BaseAuthentication):
+    """
+    DRF authentication class that uses the user set by AzureADAuthMiddleware.
+
+    This allows DRF's IsAuthenticated permission to work with our middleware.
+    The middleware does the actual JWT validation; this class just passes
+    the authenticated user to DRF.
+
+    In dev/Electron mode (CCP4I2_REQUIRE_AUTH not set), the middleware
+    auto-assigns a dev_admin user, which this class also recognizes.
+
+    Security: Only trusts users when our middleware has explicitly processed
+    the request (marked by ``REQUEST_FLAG_ATTR`` attribute). This prevents
+    spoofing attacks where a request might have ``request.user`` set by
+    some other means.
+
+    Note: this class is bound to the trust flag, not to the AzureAD chain
+    specifically; it works equally for any middleware that inherits from
+    ``BaseAuthMiddleware`` (e.g., LocalSessionAuthMiddleware in desktop
+    mode), because they all set the same flag.
+    """
+
+    def authenticate(self, request):
+        """
+        Return the user if already authenticated by middleware, None otherwise.
+
+        Returns:
+            Tuple of (user, None) if authenticated, None if not.
+        """
+        # Check if middleware already validated and set user
+        # The middleware sets these attributes on the underlying Django request
+        django_request = getattr(request, '_request', request)
+
+        # Security check: only trust users set by our middleware
+        # This prevents spoofing where request.user might be set elsewhere
+        if not getattr(django_request, REQUEST_FLAG_ATTR, False):
+            return None
+
+        # Middleware ran - trust the user it set
+        user = getattr(django_request, 'user', None)
+        if user and user.is_authenticated and not user.is_anonymous:
+            return (user, None)
+
+        return None

ccp4i2_api-0.3.0/ccp4i2_api/exceptions.py

@@ -0,0 +1,18 @@
+"""Exceptions used by the shared auth middleware contract."""
+
+
+class AuthenticationFailed(Exception):
+    """Raised by ``BaseAuthMiddleware.authenticate()`` to signal a 401.
+
+    The exception's first argument is the message returned in the canonical
+    401 response body (``{"success": false, "error": "..."}``).
+    """
+
+
+class AuthorizationFailed(Exception):
+    """Raised by ``BaseAuthMiddleware.authenticate()`` to signal a 403.
+
+    Use when the request is *authenticated* (we know who is calling) but
+    *not authorized* (e.g., not a member of an allowed group). The first
+    argument is the message returned in the canonical 403 response body.
+    """

ccp4i2_api-0.3.0/ccp4i2_api/middleware/__init__.py

@@ -0,0 +1,23 @@
+"""Django middleware shipped by the shared auth package.
+
+Each module in this package implements one auth scheme; consumers select
+which to enable via Django ``MIDDLEWARE`` settings. All non-dev schemes
+inherit from ``BaseAuthMiddleware`` (or will, after the AzureAD refactor),
+which defines the canonical 401 response shape and the ``REQUEST_FLAG_ATTR``
+trust signal.
+"""
+
+from .azure_ad import AzureADAuthMiddleware
+from .base import REQUEST_FLAG_ATTR, BaseAuthMiddleware
+from .dev import DevAuthMiddleware
+from .dev_admin import DevAdminMiddleware
+from .local_session import LocalSessionAuthMiddleware
+
+__all__ = [
+    "AzureADAuthMiddleware",
+    "BaseAuthMiddleware",
+    "DevAdminMiddleware",
+    "DevAuthMiddleware",
+    "LocalSessionAuthMiddleware",
+    "REQUEST_FLAG_ATTR",
+]