conduit-auth 0.1.0__tar.gz

conduit_auth-0.1.0/.gitignore

@@ -0,0 +1,14 @@
+__pycache__/
+*.pyc
+.env
+.vscode/settings.json
+Resources/BCP/*.xlsx
+scratchpad/*.sql
+.env.*
+.vscode/settings.json
+
+# Dependencies and build output
+node_modules/
+dist/
+
+.claude/settings.local.json

conduit_auth-0.1.0/PKG-INFO

@@ -0,0 +1,22 @@
+Metadata-Version: 2.4
+Name: conduit-auth
+Version: 0.1.0
+Summary: Shared Entra ID authentication for the Conduit suite
+Requires-Python: >=3.11
+Requires-Dist: cryptography>=41.0
+Requires-Dist: httpx>=0.25
+Requires-Dist: pydantic-settings>=2.0
+Requires-Dist: pyjwt[crypto]>=2.8
+Provides-Extra: dev
+Requires-Dist: fastapi>=0.100; extra == 'dev'
+Requires-Dist: flask>=3.0; extra == 'dev'
+Requires-Dist: httpx>=0.25; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.21; extra == 'dev'
+Requires-Dist: pytest>=7.0; extra == 'dev'
+Requires-Dist: respx>=0.20; extra == 'dev'
+Requires-Dist: starlette[full]>=0.27; extra == 'dev'
+Requires-Dist: uvicorn>=0.20; extra == 'dev'
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100; extra == 'fastapi'
+Provides-Extra: flask
+Requires-Dist: flask>=3.0; extra == 'flask'

conduit_auth-0.1.0/pyproject.toml

@@ -0,0 +1,36 @@
+[project]
+name = "conduit-auth"
+version = "0.1.0"
+description = "Shared Entra ID authentication for the Conduit suite"
+requires-python = ">=3.11"
+dependencies = [
+    "PyJWT[crypto]>=2.8",
+    "cryptography>=41.0",
+    "httpx>=0.25",
+    "pydantic-settings>=2.0",
+]
+
+[project.optional-dependencies]
+fastapi = ["fastapi>=0.100"]
+flask = ["flask>=3.0"]
+dev = [
+    "pytest>=7.0",
+    "pytest-asyncio>=0.21",
+    "respx>=0.20",
+    "httpx>=0.25",
+    "fastapi>=0.100",
+    "flask>=3.0",
+    "uvicorn>=0.20",
+    "starlette[full]>=0.27",
+]
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/conduit_auth"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"

conduit_auth-0.1.0/src/conduit_auth/__init__.py

@@ -0,0 +1,27 @@
+"""Conduit Auth — Shared Entra ID authentication for the Conduit suite.
+
+Usage (FastAPI):
+    from conduit_auth import AuthSettings
+    from conduit_auth.fastapi import AuthMiddleware, get_current_user
+
+    settings = AuthSettings()
+    app.add_middleware(AuthMiddleware, settings=settings)
+
+Usage (Flask):
+    from conduit_auth import AuthSettings
+    from conduit_auth.flask import init_auth, get_current_user
+
+    settings = AuthSettings()
+    init_auth(app, settings)
+"""
+
+from .config import AuthSettings
+from .exceptions import AuthenticationError, TokenExpiredError
+from .models import AuthenticatedUser
+
+__all__ = [
+    "AuthSettings",
+    "AuthenticatedUser",
+    "AuthenticationError",
+    "TokenExpiredError",
+]

conduit_auth-0.1.0/src/conduit_auth/config.py

@@ -0,0 +1,32 @@
+"""Authentication configuration via Pydantic settings."""
+
+from pydantic_settings import BaseSettings
+
+
+class AuthSettings(BaseSettings):
+    """Conduit auth configuration, loaded from environment variables.
+
+    Required:
+        ENTRA_CLIENT_ID: App registration client ID from Azure portal.
+
+    Optional:
+        ENTRA_TENANT_ID: Set to "common" for multi-tenant (default).
+            Use a specific tenant GUID to restrict to a single tenant.
+        ENTRA_AUDIENCE: Token audience to validate. Defaults to ENTRA_CLIENT_ID.
+        JWKS_URI: Microsoft's JWKS key endpoint. Override only for testing.
+        JWKS_CACHE_TTL: How long to cache JWKS keys (seconds). Default 1 hour.
+        AUTH_DISABLED: Set True for local dev to bypass validation entirely.
+        AUTH_EXCLUDE_PATHS: Paths that skip auth (health checks, etc).
+    """
+
+    ENTRA_CLIENT_ID: str
+    ENTRA_TENANT_ID: str = "common"
+    ENTRA_AUDIENCE: str | None = None
+    JWKS_URI: str = (
+        "https://login.microsoftonline.com/common/discovery/v2.0/keys"
+    )
+    JWKS_CACHE_TTL: int = 3600
+    AUTH_DISABLED: bool = False
+    AUTH_EXCLUDE_PATHS: list[str] = ["/health", "/api/health"]
+
+    model_config = {"env_prefix": "", "env_file": ".env"}

conduit_auth-0.1.0/src/conduit_auth/exceptions.py

@@ -0,0 +1,9 @@
+"""Authentication exceptions for the Conduit auth module."""
+
+
+class AuthenticationError(Exception):
+    """Raised when token validation fails."""
+
+
+class TokenExpiredError(AuthenticationError):
+    """Raised when the JWT has expired."""

conduit_auth-0.1.0/src/conduit_auth/fastapi/__init__.py

@@ -0,0 +1,6 @@
+"""FastAPI integration for Conduit auth."""
+
+from .middleware import AuthMiddleware
+from .dependencies import get_current_user
+
+__all__ = ["AuthMiddleware", "get_current_user"]

conduit_auth-0.1.0/src/conduit_auth/fastapi/dependencies.py

@@ -0,0 +1,23 @@
+"""FastAPI dependency injection for authenticated user."""
+
+from fastapi import HTTPException, Request
+
+from ..models import AuthenticatedUser
+
+
+async def get_current_user(request: Request) -> AuthenticatedUser:
+    """FastAPI dependency that extracts the authenticated user.
+
+    Usage:
+        from conduit_auth.fastapi import get_current_user
+        from conduit_auth import AuthenticatedUser
+
+        @app.get("/api/projects")
+        async def list_projects(user: AuthenticatedUser = Depends(get_current_user)):
+            # user.tenant_id, user.email, etc.
+            ...
+    """
+    user = getattr(request.state, "user", None)
+    if user is None:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+    return user

conduit_auth-0.1.0/src/conduit_auth/fastapi/middleware.py

@@ -0,0 +1,69 @@
+"""FastAPI/Starlette middleware for JWT authentication."""
+
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.requests import Request
+from starlette.responses import JSONResponse
+
+from ..config import AuthSettings
+from ..exceptions import AuthenticationError
+from ..models import AuthenticatedUser
+from ..token import get_key_cache, validate_token
+
+
+class AuthMiddleware(BaseHTTPMiddleware):
+    """Validates Bearer JWT tokens on /api/* routes.
+
+    Usage:
+        from conduit_auth.fastapi import AuthMiddleware
+        from conduit_auth import AuthSettings
+
+        settings = AuthSettings()
+        app.add_middleware(AuthMiddleware, settings=settings)
+    """
+
+    def __init__(self, app, settings: AuthSettings) -> None:
+        super().__init__(app)
+        self.settings = settings
+        self._key_cache = get_key_cache()
+
+    async def dispatch(self, request: Request, call_next):
+        path = request.url.path
+
+        # Skip excluded paths (health checks, etc.)
+        if path in self.settings.AUTH_EXCLUDE_PATHS:
+            return await call_next(request)
+
+        # Only protect /api/* routes — static assets are served by nginx
+        if not path.startswith("/api/"):
+            return await call_next(request)
+
+        # Dev bypass — injects a mock user
+        if self.settings.AUTH_DISABLED:
+            request.state.user = AuthenticatedUser(
+                tenant_id="dev-tenant-00000000",
+                user_id="dev-user-00000000",
+                email="dev@localhost",
+                display_name="Dev User",
+                roles=[],
+                raw_claims={},
+            )
+            return await call_next(request)
+
+        # Extract Bearer token
+        auth_header = request.headers.get("Authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return JSONResponse(
+                {"error": "Missing or invalid Authorization header"},
+                status_code=401,
+            )
+        token = auth_header[7:]
+
+        # Validate
+        try:
+            jwks_keys = await self._key_cache.get_keys_async(self.settings)
+            user = validate_token(token, jwks_keys, self.settings)
+        except AuthenticationError as e:
+            return JSONResponse({"error": str(e)}, status_code=401)
+
+        request.state.user = user
+        return await call_next(request)

conduit_auth-0.1.0/src/conduit_auth/flask/__init__.py

@@ -0,0 +1,6 @@
+"""Flask integration for Conduit auth."""
+
+from .middleware import init_auth, get_current_user
+from .decorators import require_auth
+
+__all__ = ["init_auth", "get_current_user", "require_auth"]

conduit_auth-0.1.0/src/conduit_auth/flask/decorators.py

@@ -0,0 +1,29 @@
+"""Flask route decorators for authentication."""
+
+from functools import wraps
+
+from flask import g, jsonify
+
+
+def require_auth(f):
+    """Decorator for routes that require an authenticated user.
+
+    Use this when init_auth() is not applied globally, or as an
+    explicit marker on routes that need auth.
+
+    Usage:
+        @app.route("/api/projects")
+        @require_auth
+        def list_projects():
+            user = get_current_user()
+            ...
+    """
+
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        user = getattr(g, "user", None)
+        if user is None:
+            return jsonify({"error": "Not authenticated"}), 401
+        return f(*args, **kwargs)
+
+    return decorated

conduit_auth-0.1.0/src/conduit_auth/flask/middleware.py

@@ -0,0 +1,86 @@
+"""Flask middleware for JWT authentication."""
+
+from flask import Flask, g, jsonify, request
+
+from ..config import AuthSettings
+from ..exceptions import AuthenticationError
+from ..models import AuthenticatedUser
+from ..token import get_key_cache, validate_token
+
+
+def init_auth(app: Flask, settings: AuthSettings) -> None:
+    """Register JWT auth middleware on a Flask app.
+
+    Validates Bearer tokens on all /api/* routes. Stores the authenticated
+    user on Flask's g.user for access in route handlers.
+
+    Usage:
+        from conduit_auth.flask import init_auth
+        from conduit_auth import AuthSettings
+
+        settings = AuthSettings()
+        init_auth(app, settings)
+
+        # In routes:
+        from conduit_auth.flask import get_current_user
+        user = get_current_user()
+    """
+    @app.before_request
+    def _validate_auth():
+        path = request.path
+
+        # Skip excluded paths
+        if path in settings.AUTH_EXCLUDE_PATHS:
+            return None
+
+        # Only protect /api/* routes
+        if not path.startswith("/api/"):
+            return None
+
+        # Dev bypass
+        if settings.AUTH_DISABLED:
+            g.user = AuthenticatedUser(
+                tenant_id="dev-tenant-00000000",
+                user_id="dev-user-00000000",
+                email="dev@localhost",
+                display_name="Dev User",
+                roles=[],
+                raw_claims={},
+            )
+            return None
+
+        # Extract Bearer token
+        auth_header = request.headers.get("Authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return (
+                jsonify({"error": "Missing or invalid Authorization header"}),
+                401,
+            )
+        token = auth_header[7:]
+
+        # Validate
+        try:
+            jwks_keys = get_key_cache().get_keys(settings)
+            user = validate_token(token, jwks_keys, settings)
+        except AuthenticationError as e:
+            return jsonify({"error": str(e)}), 401
+
+        g.user = user
+        return None
+
+
+def get_current_user() -> AuthenticatedUser:
+    """Get the authenticated user from Flask's request context.
+
+    Returns:
+        The AuthenticatedUser set by init_auth middleware.
+
+    Raises:
+        401 abort if no user is set (request wasn't authenticated).
+    """
+    user = getattr(g, "user", None)
+    if user is None:
+        from flask import abort
+
+        abort(401)
+    return user

conduit_auth-0.1.0/src/conduit_auth/models.py

@@ -0,0 +1,24 @@
+"""Core data models for the Conduit auth module."""
+
+from dataclasses import dataclass, field
+
+
+@dataclass
+class AuthenticatedUser:
+    """Represents a user authenticated via Entra ID.
+
+    Fields map to Entra ID token claims:
+    - tenant_id: tid claim (which Azure AD tenant the user belongs to)
+    - user_id: oid claim (user's object ID within their tenant)
+    - email: preferred_username claim
+    - display_name: name claim
+    - roles: app roles assigned in Entra ID (if configured)
+    - raw_claims: full decoded JWT for app-specific use
+    """
+
+    tenant_id: str
+    user_id: str
+    email: str
+    display_name: str
+    roles: list[str] = field(default_factory=list)
+    raw_claims: dict = field(default_factory=dict)

conduit_auth-0.1.0/src/conduit_auth/token.py

@@ -0,0 +1,155 @@
+"""JWT token validation against Microsoft Entra ID JWKS keys."""
+
+import re
+import time
+import threading
+
+import httpx
+import jwt
+from jwt.algorithms import RSAAlgorithm
+
+from .config import AuthSettings
+from .exceptions import AuthenticationError, TokenExpiredError
+from .models import AuthenticatedUser
+
+# Multi-tenant issuer patterns (v2.0 and v1.0 endpoints)
+_ISSUER_V2 = re.compile(
+    r"https://login\.microsoftonline\.com/"
+    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0"
+)
+_ISSUER_V1 = re.compile(
+    r"https://sts\.windows\.net/"
+    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/"
+)
+
+
+class JWKSKeyCache:
+    """Thread-safe cache for Microsoft's JWKS signing keys."""
+
+    def __init__(self) -> None:
+        self._keys: list[dict] = []
+        self._fetched_at: float = 0
+        self._lock = threading.Lock()
+
+    def get_keys(self, settings: AuthSettings) -> list[dict]:
+        """Get JWKS keys, fetching from Microsoft if cache has expired."""
+        now = time.time()
+        if now - self._fetched_at < settings.JWKS_CACHE_TTL and self._keys:
+            return self._keys
+
+        with self._lock:
+            # Double-check after acquiring lock
+            if now - self._fetched_at < settings.JWKS_CACHE_TTL and self._keys:
+                return self._keys
+            return self._fetch_sync(settings)
+
+    async def get_keys_async(self, settings: AuthSettings) -> list[dict]:
+        """Get JWKS keys asynchronously."""
+        now = time.time()
+        if now - self._fetched_at < settings.JWKS_CACHE_TTL and self._keys:
+            return self._keys
+
+        return await self._fetch_async(settings)
+
+    def _fetch_sync(self, settings: AuthSettings) -> list[dict]:
+        resp = httpx.get(settings.JWKS_URI, timeout=10)
+        resp.raise_for_status()
+        self._keys = resp.json()["keys"]
+        self._fetched_at = time.time()
+        return self._keys
+
+    async def _fetch_async(self, settings: AuthSettings) -> list[dict]:
+        async with httpx.AsyncClient() as client:
+            resp = await client.get(settings.JWKS_URI, timeout=10)
+            resp.raise_for_status()
+            self._keys = resp.json()["keys"]
+            self._fetched_at = time.time()
+            return self._keys
+
+    def clear(self) -> None:
+        """Clear the cache (useful for testing)."""
+        self._keys = []
+        self._fetched_at = 0
+
+
+# Module-level cache instance
+_key_cache = JWKSKeyCache()
+
+
+def get_key_cache() -> JWKSKeyCache:
+    """Get the module-level JWKS key cache."""
+    return _key_cache
+
+
+def validate_token(
+    token: str,
+    jwks_keys: list[dict],
+    settings: AuthSettings,
+) -> AuthenticatedUser:
+    """Validate a JWT and return an AuthenticatedUser.
+
+    Args:
+        token: The raw JWT string (without "Bearer " prefix).
+        jwks_keys: List of JWKS key dicts from Microsoft's endpoint.
+        settings: Auth configuration.
+
+    Returns:
+        AuthenticatedUser with claims extracted from the token.
+
+    Raises:
+        AuthenticationError: If the token is invalid.
+        TokenExpiredError: If the token has expired.
+    """
+    audience = settings.ENTRA_AUDIENCE or settings.ENTRA_CLIENT_ID
+
+    # Decode header to find the signing key
+    try:
+        unverified_header = jwt.get_unverified_header(token)
+    except jwt.exceptions.DecodeError as e:
+        raise AuthenticationError(f"Malformed token header: {e}")
+
+    kid = unverified_header.get("kid")
+    if not kid:
+        raise AuthenticationError("Token header missing 'kid' field")
+
+    matching_key = next((k for k in jwks_keys if k["kid"] == kid), None)
+    if not matching_key:
+        raise AuthenticationError("Token signing key not found in JWKS")
+
+    # Build the public key from the JWK
+    try:
+        public_key = RSAAlgorithm.from_jwk(matching_key)
+    except Exception as e:
+        raise AuthenticationError(f"Failed to construct public key: {e}")
+
+    # Decode and validate the token
+    try:
+        claims = jwt.decode(
+            token,
+            public_key,
+            algorithms=["RS256"],
+            audience=audience,
+            options={"verify_iss": False},  # We validate issuer manually below
+        )
+    except jwt.ExpiredSignatureError:
+        raise TokenExpiredError("Token has expired")
+    except jwt.InvalidAudienceError:
+        raise AuthenticationError(
+            f"Token audience mismatch: expected '{audience}'"
+        )
+    except jwt.InvalidTokenError as e:
+        raise AuthenticationError(f"Invalid token: {e}")
+
+    # Multi-tenant issuer validation: accept any valid Azure AD tenant
+    issuer = claims.get("iss", "")
+    if not (_ISSUER_V2.match(issuer) or _ISSUER_V1.match(issuer)):
+        raise AuthenticationError(f"Unexpected token issuer: {issuer}")
+
+    return AuthenticatedUser(
+        tenant_id=claims.get("tid", ""),
+        user_id=claims.get("oid", ""),
+        email=claims.get("preferred_username", ""),
+        display_name=claims.get("name", ""),
+        roles=claims.get("roles", []),
+        raw_claims=claims,
+    )

conduit_auth-0.1.0/tests/conftest.py

@@ -0,0 +1,139 @@
+"""Shared test fixtures: RSA keys, test JWTs, mock JWKS endpoint."""
+
+import json
+import time
+import uuid
+
+import jwt as pyjwt
+import pytest
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from conduit_auth import AuthSettings
+from conduit_auth.token import get_key_cache
+
+
+@pytest.fixture(autouse=True)
+def _clear_key_cache():
+    """Clear the JWKS key cache between tests."""
+    get_key_cache().clear()
+
+
+@pytest.fixture
+def rsa_keypair():
+    """Generate a test RSA key pair."""
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
+    return private_key
+
+
+@pytest.fixture
+def kid():
+    """A fixed key ID for test tokens."""
+    return "test-kid-12345"
+
+
+@pytest.fixture
+def jwks_keys(rsa_keypair, kid):
+    """JWKS key list matching the test RSA key."""
+    public_key = rsa_keypair.public_key()
+    public_numbers = public_key.public_numbers()
+
+    # Encode as base64url (matching JWKS format)
+    import base64
+
+    def _b64url(num: int, length: int) -> str:
+        return (
+            base64.urlsafe_b64encode(num.to_bytes(length, "big"))
+            .rstrip(b"=")
+            .decode()
+        )
+
+    n_bytes = (public_numbers.n.bit_length() + 7) // 8
+
+    return [
+        {
+            "kty": "RSA",
+            "use": "sig",
+            "kid": kid,
+            "n": _b64url(public_numbers.n, n_bytes),
+            "e": _b64url(public_numbers.e, 3),
+            "alg": "RS256",
+        }
+    ]
+
+
+@pytest.fixture
+def test_tenant_id():
+    return "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+
+
+@pytest.fixture
+def test_user_id():
+    return "11111111-2222-3333-4444-555555555555"
+
+
+@pytest.fixture
+def test_client_id():
+    return "cccccccc-dddd-eeee-ffff-000000000000"
+
+
+@pytest.fixture
+def auth_settings(test_client_id):
+    """AuthSettings for testing."""
+    return AuthSettings(
+        ENTRA_CLIENT_ID=test_client_id,
+        AUTH_DISABLED=False,
+    )
+
+
+@pytest.fixture
+def make_token(rsa_keypair, kid, test_tenant_id, test_user_id, test_client_id):
+    """Factory for creating signed test JWTs."""
+
+    def _make(
+        tenant_id: str | None = None,
+        user_id: str | None = None,
+        email: str = "user@example.com",
+        name: str = "Test User",
+        audience: str | None = None,
+        issuer: str | None = None,
+        expired: bool = False,
+        extra_claims: dict | None = None,
+        use_kid: str | None = None,
+    ) -> str:
+        tid = tenant_id or test_tenant_id
+        now = time.time()
+
+        claims = {
+            "aud": audience or test_client_id,
+            "iss": issuer
+            or f"https://login.microsoftonline.com/{tid}/v2.0",
+            "iat": int(now) - 60,
+            "nbf": int(now) - 60,
+            "exp": int(now) - 300 if expired else int(now) + 3600,
+            "tid": tid,
+            "oid": user_id or test_user_id,
+            "preferred_username": email,
+            "name": name,
+            "sub": str(uuid.uuid4()),
+        }
+        if extra_claims:
+            claims.update(extra_claims)
+
+        private_pem = rsa_keypair.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.PKCS8,
+            encryption_algorithm=serialization.NoEncryption(),
+        )
+
+        return pyjwt.encode(
+            claims,
+            private_pem,
+            algorithm="RS256",
+            headers={"kid": use_kid or kid},
+        )
+
+    return _make

conduit_auth-0.1.0/tests/test_fastapi.py

@@ -0,0 +1,117 @@
+"""Tests for FastAPI middleware and dependencies."""
+
+from unittest.mock import patch
+
+import pytest
+from fastapi import Depends, FastAPI
+from fastapi.testclient import TestClient
+
+from conduit_auth import AuthSettings, AuthenticatedUser
+from conduit_auth.fastapi import AuthMiddleware, get_current_user
+
+
+def _create_app(settings: AuthSettings) -> FastAPI:
+    """Create a test FastAPI app with auth middleware."""
+    app = FastAPI()
+    app.add_middleware(AuthMiddleware, settings=settings)
+
+    @app.get("/api/protected")
+    async def protected(user: AuthenticatedUser = Depends(get_current_user)):
+        return {
+            "tenant_id": user.tenant_id,
+            "user_id": user.user_id,
+            "email": user.email,
+            "display_name": user.display_name,
+        }
+
+    @app.get("/health")
+    async def health():
+        return {"status": "ok"}
+
+    @app.get("/not-api")
+    async def not_api():
+        return {"message": "public"}
+
+    return app
+
+
+class TestAuthMiddleware:
+    def test_missing_auth_header(self, auth_settings):
+        client = TestClient(_create_app(auth_settings))
+        resp = client.get("/api/protected")
+
+        assert resp.status_code == 401
+        assert "Authorization" in resp.json()["error"]
+
+    def test_invalid_auth_header(self, auth_settings):
+        client = TestClient(_create_app(auth_settings))
+        resp = client.get(
+            "/api/protected", headers={"Authorization": "Basic abc"}
+        )
+
+        assert resp.status_code == 401
+
+    def test_valid_token(self, auth_settings, make_token, jwks_keys):
+        client = TestClient(_create_app(auth_settings))
+        token = make_token()
+
+        with patch(
+            "conduit_auth.fastapi.middleware.get_key_cache"
+        ) as mock_cache:
+            mock_cache.return_value.get_keys_async = (
+                lambda *a, **kw: _async_return(jwks_keys)
+            )
+            resp = client.get(
+                "/api/protected",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["email"] == "user@example.com"
+        assert data["tenant_id"] == "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+
+    def test_expired_token(self, auth_settings, make_token, jwks_keys):
+        client = TestClient(_create_app(auth_settings))
+        token = make_token(expired=True)
+
+        with patch(
+            "conduit_auth.fastapi.middleware.get_key_cache"
+        ) as mock_cache:
+            mock_cache.return_value.get_keys_async = (
+                lambda *a, **kw: _async_return(jwks_keys)
+            )
+            resp = client.get(
+                "/api/protected",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+
+        assert resp.status_code == 401
+        assert "expired" in resp.json()["error"]
+
+    def test_health_excluded(self, auth_settings):
+        client = TestClient(_create_app(auth_settings))
+        resp = client.get("/health")
+
+        assert resp.status_code == 200
+
+    def test_non_api_path_excluded(self, auth_settings):
+        client = TestClient(_create_app(auth_settings))
+        resp = client.get("/not-api")
+
+        assert resp.status_code == 200
+
+    def test_auth_disabled(self, test_client_id):
+        settings = AuthSettings(
+            ENTRA_CLIENT_ID=test_client_id, AUTH_DISABLED=True
+        )
+        client = TestClient(_create_app(settings))
+        resp = client.get("/api/protected")
+
+        assert resp.status_code == 200
+        assert resp.json()["email"] == "dev@localhost"
+        assert resp.json()["tenant_id"] == "dev-tenant-00000000"
+
+
+async def _async_return(value):
+    return value

conduit_auth-0.1.0/tests/test_flask.py

@@ -0,0 +1,123 @@
+"""Tests for Flask middleware and decorators."""
+
+from unittest.mock import patch
+
+import pytest
+from flask import Flask
+
+from conduit_auth import AuthSettings
+from conduit_auth.flask import get_current_user, init_auth, require_auth
+
+
+def _create_app(settings: AuthSettings) -> Flask:
+    """Create a test Flask app with auth middleware."""
+    app = Flask(__name__)
+    app.config["TESTING"] = True
+    init_auth(app, settings)
+
+    @app.route("/api/protected")
+    def protected():
+        user = get_current_user()
+        return {
+            "tenant_id": user.tenant_id,
+            "user_id": user.user_id,
+            "email": user.email,
+            "display_name": user.display_name,
+        }
+
+    @app.route("/api/decorated")
+    @require_auth
+    def decorated():
+        user = get_current_user()
+        return {"email": user.email}
+
+    @app.route("/health")
+    def health():
+        return {"status": "ok"}
+
+    @app.route("/not-api")
+    def not_api():
+        return {"message": "public"}
+
+    return app
+
+
+class TestFlaskMiddleware:
+    def test_missing_auth_header(self, auth_settings):
+        app = _create_app(auth_settings)
+        with app.test_client() as client:
+            resp = client.get("/api/protected")
+
+        assert resp.status_code == 401
+        assert "Authorization" in resp.json["error"]
+
+    def test_valid_token(self, auth_settings, make_token, jwks_keys):
+        app = _create_app(auth_settings)
+        token = make_token()
+
+        with patch("conduit_auth.flask.middleware.get_key_cache") as mock_cache:
+            mock_cache.return_value.get_keys.return_value = jwks_keys
+            with app.test_client() as client:
+                resp = client.get(
+                    "/api/protected",
+                    headers={"Authorization": f"Bearer {token}"},
+                )
+
+        assert resp.status_code == 200
+        assert resp.json["email"] == "user@example.com"
+        assert resp.json["tenant_id"] == "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+
+    def test_expired_token(self, auth_settings, make_token, jwks_keys):
+        app = _create_app(auth_settings)
+        token = make_token(expired=True)
+
+        with patch("conduit_auth.flask.middleware.get_key_cache") as mock_cache:
+            mock_cache.return_value.get_keys.return_value = jwks_keys
+            with app.test_client() as client:
+                resp = client.get(
+                    "/api/protected",
+                    headers={"Authorization": f"Bearer {token}"},
+                )
+
+        assert resp.status_code == 401
+        assert "expired" in resp.json["error"]
+
+    def test_health_excluded(self, auth_settings):
+        app = _create_app(auth_settings)
+        with app.test_client() as client:
+            resp = client.get("/health")
+
+        assert resp.status_code == 200
+
+    def test_non_api_path_excluded(self, auth_settings):
+        app = _create_app(auth_settings)
+        with app.test_client() as client:
+            resp = client.get("/not-api")
+
+        assert resp.status_code == 200
+
+    def test_auth_disabled(self, test_client_id):
+        settings = AuthSettings(
+            ENTRA_CLIENT_ID=test_client_id, AUTH_DISABLED=True
+        )
+        app = _create_app(settings)
+        with app.test_client() as client:
+            resp = client.get("/api/protected")
+
+        assert resp.status_code == 200
+        assert resp.json["email"] == "dev@localhost"
+
+    def test_require_auth_decorator(self, auth_settings, make_token, jwks_keys):
+        app = _create_app(auth_settings)
+        token = make_token()
+
+        with patch("conduit_auth.flask.middleware.get_key_cache") as mock_cache:
+            mock_cache.return_value.get_keys.return_value = jwks_keys
+            with app.test_client() as client:
+                resp = client.get(
+                    "/api/decorated",
+                    headers={"Authorization": f"Bearer {token}"},
+                )
+
+        assert resp.status_code == 200
+        assert resp.json["email"] == "user@example.com"

conduit_auth-0.1.0/tests/test_token.py

@@ -0,0 +1,92 @@
+"""Tests for JWT token validation."""
+
+import pytest
+
+from conduit_auth.exceptions import AuthenticationError, TokenExpiredError
+from conduit_auth.token import validate_token
+
+
+class TestValidateToken:
+    """Tests for validate_token()."""
+
+    def test_valid_token(self, make_token, jwks_keys, auth_settings):
+        token = make_token()
+        user = validate_token(token, jwks_keys, auth_settings)
+
+        assert user.tenant_id == "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+        assert user.user_id == "11111111-2222-3333-4444-555555555555"
+        assert user.email == "user@example.com"
+        assert user.display_name == "Test User"
+        assert user.roles == []
+        assert "tid" in user.raw_claims
+
+    def test_valid_token_with_roles(self, make_token, jwks_keys, auth_settings):
+        token = make_token(extra_claims={"roles": ["Admin", "Reader"]})
+        user = validate_token(token, jwks_keys, auth_settings)
+
+        assert user.roles == ["Admin", "Reader"]
+
+    def test_expired_token(self, make_token, jwks_keys, auth_settings):
+        token = make_token(expired=True)
+
+        with pytest.raises(TokenExpiredError, match="expired"):
+            validate_token(token, jwks_keys, auth_settings)
+
+    def test_wrong_audience(self, make_token, jwks_keys, auth_settings):
+        token = make_token(audience="wrong-audience")
+
+        with pytest.raises(AuthenticationError, match="audience"):
+            validate_token(token, jwks_keys, auth_settings)
+
+    def test_invalid_issuer(self, make_token, jwks_keys, auth_settings):
+        token = make_token(issuer="https://evil.example.com/v2.0")
+
+        with pytest.raises(AuthenticationError, match="issuer"):
+            validate_token(token, jwks_keys, auth_settings)
+
+    def test_v1_issuer_accepted(self, make_token, jwks_keys, auth_settings):
+        tid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+        token = make_token(issuer=f"https://sts.windows.net/{tid}/")
+        user = validate_token(token, jwks_keys, auth_settings)
+
+        assert user.tenant_id == tid
+
+    def test_multi_tenant_different_tenants(
+        self, make_token, jwks_keys, auth_settings
+    ):
+        """Tokens from different tenants should all be accepted."""
+        for tid in [
+            "11111111-1111-1111-1111-111111111111",
+            "22222222-2222-2222-2222-222222222222",
+            "33333333-3333-3333-3333-333333333333",
+        ]:
+            token = make_token(tenant_id=tid)
+            user = validate_token(token, jwks_keys, auth_settings)
+            assert user.tenant_id == tid
+
+    def test_unknown_kid(self, make_token, jwks_keys, auth_settings):
+        token = make_token(use_kid="unknown-kid")
+
+        with pytest.raises(AuthenticationError, match="not found"):
+            validate_token(token, jwks_keys, auth_settings)
+
+    def test_malformed_token(self, jwks_keys, auth_settings):
+        with pytest.raises(AuthenticationError, match="Malformed"):
+            validate_token("not-a-jwt", jwks_keys, auth_settings)
+
+    def test_custom_audience_setting(
+        self, make_token, jwks_keys, test_client_id
+    ):
+        custom_audience = "api://my-custom-audience"
+        settings = type(
+            "Settings",
+            (),
+            {
+                "ENTRA_CLIENT_ID": test_client_id,
+                "ENTRA_AUDIENCE": custom_audience,
+            },
+        )()
+        token = make_token(audience=custom_audience)
+        user = validate_token(token, jwks_keys, settings)
+
+        assert user.email == "user@example.com"