django-clerk-users 0.0.1__py3-none-any.whl → 0.1.0__py3-none-any.whl

django_clerk_users/management/commands/sync_clerk_organizations.py

@@ -0,0 +1,191 @@
+"""
+Management command to sync organizations from Clerk to Django.
+"""
+
+from django.core.management.base import BaseCommand
+
+from django_clerk_users.client import get_clerk_client
+
+
+class Command(BaseCommand):
+    help = "Sync organizations from Clerk to Django database"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--limit",
+            type=int,
+            default=100,
+            help="Maximum number of organizations to sync per batch (default: 100)",
+        )
+        parser.add_argument(
+            "--offset",
+            type=int,
+            default=0,
+            help="Offset to start syncing from (default: 0)",
+        )
+        parser.add_argument(
+            "--all",
+            action="store_true",
+            help="Sync all organizations (paginate through all results)",
+        )
+        parser.add_argument(
+            "--sync-members",
+            action="store_true",
+            help="Also sync organization members",
+        )
+        parser.add_argument(
+            "--dry-run",
+            action="store_true",
+            help="Show what would be synced without making changes",
+        )
+
+    def handle(self, *args, **options):
+        # Check if organizations app is installed
+        try:
+            from django_clerk_users.organizations.models import Organization
+            from django_clerk_users.organizations.webhooks import (
+                update_or_create_organization,
+            )
+        except ImportError:
+            self.stderr.write(
+                self.style.ERROR(
+                    "Organizations app is not installed. "
+                    "Add 'django_clerk_users.organizations' to INSTALLED_APPS."
+                )
+            )
+            return
+
+        limit = options["limit"]
+        offset = options["offset"]
+        sync_all = options["all"]
+        sync_members = options["sync_members"]
+        dry_run = options["dry_run"]
+
+        clerk = get_clerk_client()
+
+        created_count = 0
+        updated_count = 0
+        error_count = 0
+        total_count = 0
+
+        self.stdout.write("Starting organization sync from Clerk...")
+
+        if dry_run:
+            self.stdout.write(self.style.WARNING("DRY RUN - No changes will be made"))
+
+        while True:
+            self.stdout.write(
+                f"Fetching organizations (offset={offset}, limit={limit})..."
+            )
+
+            try:
+                response = clerk.organizations.list(limit=limit, offset=offset)
+                orgs = response.data if hasattr(response, "data") else response
+            except Exception as e:
+                self.stderr.write(
+                    self.style.ERROR(f"Failed to fetch organizations: {e}")
+                )
+                break
+
+            if not orgs:
+                self.stdout.write("No more organizations to sync.")
+                break
+
+            for clerk_org in orgs:
+                total_count += 1
+                org_id = getattr(clerk_org, "id", None)
+                name = getattr(clerk_org, "name", "Unknown")
+
+                if not org_id:
+                    error_count += 1
+                    continue
+
+                if dry_run:
+                    self.stdout.write(f"  Would sync: {name} ({org_id})")
+                    continue
+
+                try:
+                    organization, created = update_or_create_organization(org_id)
+                    if created:
+                        created_count += 1
+                        self.stdout.write(
+                            self.style.SUCCESS(f"  Created: {organization.name}")
+                        )
+                    else:
+                        updated_count += 1
+                        self.stdout.write(f"  Updated: {organization.name}")
+
+                    if sync_members and organization:
+                        self._sync_organization_members(organization, org_id, dry_run)
+
+                except Exception as e:
+                    error_count += 1
+                    self.stderr.write(
+                        self.style.ERROR(f"  Failed to sync {name}: {e}")
+                    )
+
+            if not sync_all:
+                break
+
+            offset += limit
+
+        self.stdout.write("")
+        self.stdout.write(self.style.SUCCESS("Sync complete!"))
+        self.stdout.write(f"  Total processed: {total_count}")
+        if not dry_run:
+            self.stdout.write(f"  Created: {created_count}")
+            self.stdout.write(f"  Updated: {updated_count}")
+        self.stdout.write(f"  Errors: {error_count}")
+
+    def _sync_organization_members(self, organization, org_id, dry_run):
+        """Sync members for a specific organization."""
+        from django.contrib.auth import get_user_model
+
+        from django_clerk_users.client import get_clerk_client
+        from django_clerk_users.organizations.models import OrganizationMember
+        from django_clerk_users.utils import update_or_create_clerk_user
+
+        User = get_user_model()
+        clerk = get_clerk_client()
+
+        try:
+            response = clerk.organizations.get_membership_list(
+                organization_id=org_id, limit=100
+            )
+            memberships = response.data if hasattr(response, "data") else response
+        except Exception as e:
+            self.stderr.write(
+                self.style.WARNING(f"    Failed to fetch members: {e}")
+            )
+            return
+
+        for membership in memberships or []:
+            membership_id = getattr(membership, "id", None)
+            user_data = getattr(membership, "public_user_data", None)
+            user_id = getattr(user_data, "user_id", None) if user_data else None
+
+            if not membership_id or not user_id:
+                continue
+
+            if dry_run:
+                self.stdout.write(f"    Would sync member: {user_id}")
+                continue
+
+            try:
+                user = User.objects.filter(clerk_id=user_id).first()
+                if not user:
+                    user, _ = update_or_create_clerk_user(user_id)
+
+                OrganizationMember.objects.update_or_create(
+                    clerk_membership_id=membership_id,
+                    defaults={
+                        "organization": organization,
+                        "user": user,
+                        "role": getattr(membership, "role", "member"),
+                    },
+                )
+                self.stdout.write(f"    Synced member: {user.email}")
+            except Exception as e:
+                self.stderr.write(
+                    self.style.WARNING(f"    Failed to sync member {user_id}: {e}")
+                )

django_clerk_users/management/commands/sync_clerk_users.py

@@ -0,0 +1,114 @@
+"""
+Management command to sync users from Clerk to Django.
+"""
+
+from django.core.management.base import BaseCommand
+
+from django_clerk_users.client import get_clerk_client
+from django_clerk_users.utils import update_or_create_clerk_user
+
+
+class Command(BaseCommand):
+    help = "Sync users from Clerk to Django database"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--limit",
+            type=int,
+            default=100,
+            help="Maximum number of users to sync per batch (default: 100)",
+        )
+        parser.add_argument(
+            "--offset",
+            type=int,
+            default=0,
+            help="Offset to start syncing from (default: 0)",
+        )
+        parser.add_argument(
+            "--all",
+            action="store_true",
+            help="Sync all users (paginate through all results)",
+        )
+        parser.add_argument(
+            "--dry-run",
+            action="store_true",
+            help="Show what would be synced without making changes",
+        )
+
+    def handle(self, *args, **options):
+        limit = options["limit"]
+        offset = options["offset"]
+        sync_all = options["all"]
+        dry_run = options["dry_run"]
+
+        clerk = get_clerk_client()
+
+        created_count = 0
+        updated_count = 0
+        error_count = 0
+        total_count = 0
+
+        self.stdout.write("Starting user sync from Clerk...")
+
+        if dry_run:
+            self.stdout.write(self.style.WARNING("DRY RUN - No changes will be made"))
+
+        while True:
+            self.stdout.write(f"Fetching users (offset={offset}, limit={limit})...")
+
+            try:
+                response = clerk.users.list(limit=limit, offset=offset)
+                users = response.data if hasattr(response, "data") else response
+            except Exception as e:
+                self.stderr.write(self.style.ERROR(f"Failed to fetch users: {e}"))
+                break
+
+            if not users:
+                self.stdout.write("No more users to sync.")
+                break
+
+            for clerk_user in users:
+                total_count += 1
+                clerk_id = getattr(clerk_user, "id", None)
+
+                if not clerk_id:
+                    error_count += 1
+                    continue
+
+                email = None
+                email_addresses = getattr(clerk_user, "email_addresses", []) or []
+                if email_addresses:
+                    email = getattr(email_addresses[0], "email_address", None)
+
+                if dry_run:
+                    self.stdout.write(f"  Would sync: {email} ({clerk_id})")
+                    continue
+
+                try:
+                    user, created = update_or_create_clerk_user(clerk_id)
+                    if created:
+                        created_count += 1
+                        self.stdout.write(
+                            self.style.SUCCESS(f"  Created: {user.email}")
+                        )
+                    else:
+                        updated_count += 1
+                        self.stdout.write(f"  Updated: {user.email}")
+                except Exception as e:
+                    error_count += 1
+                    self.stderr.write(
+                        self.style.ERROR(f"  Failed to sync {clerk_id}: {e}")
+                    )
+
+            if not sync_all:
+                break
+
+            offset += limit
+
+        self.stdout.write("")
+        self.stdout.write(self.style.SUCCESS("Sync complete!"))
+        self.stdout.write(f"  Total processed: {total_count}")
+        if not dry_run:
+            self.stdout.write(f"  Created: {created_count}")
+            self.stdout.write(f"  Updated: {updated_count}")
+        self.stdout.write(f"  Errors: {error_count}")

django_clerk_users/managers.py

@@ -0,0 +1,120 @@
+"""
+Custom managers for django-clerk-users models.
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any
+
+from django.contrib.auth.models import BaseUserManager
+
+if TYPE_CHECKING:
+    from django_clerk_users.models import AbstractClerkUser
+
+
+class ClerkUserManager(BaseUserManager["AbstractClerkUser"]):
+    """
+    Custom manager for ClerkUser model.
+
+    Handles user creation with clerk_id as the primary identifier.
+    """
+
+    def create_user(
+        self,
+        email: str,
+        clerk_id: str | None = None,
+        password: str | None = None,
+        **extra_fields: Any,
+    ) -> "AbstractClerkUser":
+        """
+        Create and save a user with the given email and optional clerk_id.
+
+        Args:
+            email: The user's email address (required).
+            clerk_id: The Clerk user ID (optional for Django admin users).
+            password: Optional password (required for Django admin users).
+            **extra_fields: Additional fields for the user model.
+
+        Returns:
+            The created user instance.
+
+        Raises:
+            ValueError: If email is not provided.
+        """
+        if not email:
+            raise ValueError("The email must be set")
+
+        email = self.normalize_email(email)
+        extra_fields.setdefault("is_active", True)
+        extra_fields.setdefault("is_staff", False)
+        extra_fields.setdefault("is_superuser", False)
+
+        user = self.model(clerk_id=clerk_id, email=email, **extra_fields)
+        if password:
+            user.set_password(password)
+        else:
+            user.set_unusable_password()
+        user.save(using=self._db)
+        return user
+
+    def create_superuser(
+        self,
+        email: str,
+        password: str | None = None,
+        clerk_id: str | None = None,
+        **extra_fields: Any,
+    ) -> "AbstractClerkUser":
+        """
+        Create and save a superuser with the given email.
+
+        Args:
+            email: The user's email address (required).
+            password: Password for the superuser (required for Django admin access).
+            clerk_id: The Clerk user ID (optional).
+            **extra_fields: Additional fields for the user model.
+
+        Returns:
+            The created superuser instance.
+        """
+        extra_fields.setdefault("is_staff", True)
+        extra_fields.setdefault("is_superuser", True)
+        extra_fields.setdefault("is_active", True)
+
+        if extra_fields.get("is_staff") is not True:
+            raise ValueError("Superuser must have is_staff=True.")
+        if extra_fields.get("is_superuser") is not True:
+            raise ValueError("Superuser must have is_superuser=True.")
+
+        return self.create_user(
+            email=email, clerk_id=clerk_id, password=password, **extra_fields
+        )
+
+    def get_by_clerk_id(self, clerk_id: str) -> "AbstractClerkUser | None":
+        """
+        Get a user by their Clerk ID.
+
+        Args:
+            clerk_id: The Clerk user ID.
+
+        Returns:
+            The user instance or None if not found.
+        """
+        try:
+            return self.get(clerk_id=clerk_id)
+        except self.model.DoesNotExist:
+            return None
+
+    def get_by_email(self, email: str) -> "AbstractClerkUser | None":
+        """
+        Get a user by their email address.
+
+        Args:
+            email: The user's email address.
+
+        Returns:
+            The user instance or None if not found.
+        """
+        try:
+            return self.get(email=self.normalize_email(email))
+        except self.model.DoesNotExist:
+            return None

django_clerk_users/middleware/__init__.py

@@ -0,0 +1,9 @@
+"""
+Middleware for django-clerk-users.
+"""
+
+from django_clerk_users.middleware.auth import ClerkAuthMiddleware
+
+__all__ = [
+    "ClerkAuthMiddleware",
+]

django_clerk_users/middleware/auth.py

@@ -0,0 +1,230 @@
+"""
+Clerk authentication middleware.
+
+This middleware validates Clerk JWT tokens and creates Django sessions
+for authenticated users. It uses manual session handling instead of
+Django's login() to avoid triggering signals that may conflict with Clerk.
+"""
+
+from __future__ import annotations
+
+import logging
+import time
+from typing import TYPE_CHECKING, Callable
+
+from django.conf import settings
+from django.contrib.auth.models import AnonymousUser
+
+from django_clerk_users.authentication.utils import (
+    get_clerk_payload_from_request,
+    get_or_create_user_from_payload,
+)
+from django_clerk_users.exceptions import ClerkAuthenticationError, ClerkTokenError
+from django_clerk_users.settings import CLERK_SESSION_REVALIDATION_SECONDS
+
+if TYPE_CHECKING:
+    from django.http import HttpRequest, HttpResponse
+
+logger = logging.getLogger(__name__)
+
+# Authentication backend path
+CLERK_BACKEND = "django_clerk_users.authentication.ClerkBackend"
+
+
+class ClerkAuthMiddleware:
+    """
+    Middleware that authenticates users via Clerk JWT tokens.
+
+    This middleware implements a session-based optimization strategy:
+    1. On first request: Validates JWT, creates Django session
+    2. On subsequent requests: Uses session (avoids repeated validation)
+    3. Periodically re-validates to detect token expiration
+
+    After processing, the middleware sets:
+    - request.user: The authenticated Django user (or AnonymousUser)
+    - request.clerk_user: Same as request.user (for explicit Clerk access)
+    - request.clerk_payload: The decoded JWT payload (if authenticated)
+    - request.org: The organization ID from the token (if present)
+
+    Note: This middleware manually sets session data instead of using Django's
+    login() function to avoid triggering signals that may conflict with Clerk's
+    authentication flow.
+    """
+
+    def __init__(self, get_response: Callable[["HttpRequest"], "HttpResponse"]):
+        self.get_response = get_response
+        self.debug = getattr(settings, "DEBUG", False)
+
+    def __call__(self, request: "HttpRequest") -> "HttpResponse":
+        # Process authentication before the view
+        self.process_request(request)
+
+        # Call the next middleware/view
+        response = self.get_response(request)
+
+        return response
+
+    def process_request(self, request: "HttpRequest") -> None:
+        """
+        Process the request and authenticate the user.
+
+        Sets request.user, request.clerk_user, request.clerk_payload,
+        and request.org based on the authentication result.
+
+        Supports hybrid authentication:
+        - If user is authenticated via Django session (e.g., admin login),
+          respects that authentication and skips Clerk JWT validation
+        - Otherwise, attempts Clerk JWT authentication
+        """
+        # Initialize attributes
+        request.clerk_user = None  # type: ignore
+        request.clerk_payload = None  # type: ignore
+        request.org = None  # type: ignore
+
+        # Check if user is already authenticated via Django's standard auth
+        # (e.g., admin login with username/password)
+        if hasattr(request, "user") and request.user.is_authenticated:
+            # Check if this is a Clerk session or a traditional Django session
+            if self._is_clerk_session(request):
+                # This is a Clerk session, validate it
+                if self._is_session_valid(request):
+                    # Clerk session is still valid
+                    request.clerk_user = request.user  # type: ignore
+                    request.org = request.session.get("clerk_org_id")  # type: ignore
+                    return
+                # Clerk session expired, clear it and try JWT auth below
+                self._clear_session(request)
+            else:
+                # This is a traditional Django session (e.g., admin login)
+                # Don't interfere with it - just skip Clerk authentication
+                logger.debug("Using existing Django session (non-Clerk)")
+                return
+
+        # Try to authenticate via JWT token
+        try:
+            payload = get_clerk_payload_from_request(request)
+        except ClerkTokenError as e:
+            logger.debug(f"Token validation failed: {e}")
+            self._set_anonymous(request)
+            return
+
+        if not payload:
+            # No token provided - anonymous user
+            self._set_anonymous(request)
+            return
+
+        # Get or create the Django user
+        try:
+            user, created = get_or_create_user_from_payload(payload)
+        except ClerkAuthenticationError as e:
+            logger.warning(f"Failed to get/create user: {e}")
+            self._set_anonymous(request)
+            return
+        except Exception as e:
+            logger.error(f"ClerkAuthMiddleware error: {e}", exc_info=True)
+            if self.debug:
+                raise
+            self._set_anonymous(request)
+            return
+
+        if not user.is_active:
+            logger.debug(f"User {user.clerk_id} is inactive")
+            self._set_anonymous(request)
+            return
+
+        # Create Django session (without calling login())
+        self._create_session(request, user, payload)
+
+        # Set request attributes
+        user.backend = CLERK_BACKEND
+        request.user = user
+        request.clerk_user = user  # type: ignore
+        request.clerk_payload = payload  # type: ignore
+        request.org = payload.get("org_id")  # type: ignore
+
+        if created:
+            logger.info(f"Created new user: {user.email} ({user.clerk_id})")
+
+    def _is_clerk_session(self, request: "HttpRequest") -> bool:
+        """
+        Check if the current session is a Clerk-authenticated session.
+
+        Returns True if this session was created by Clerk authentication,
+        False if it's a traditional Django session (e.g., admin login).
+        """
+        # Clerk sessions have the last_clerk_check timestamp
+        return "last_clerk_check" in request.session
+
+    def _is_session_valid(self, request: "HttpRequest") -> bool:
+        """
+        Check if the current Clerk session is valid and doesn't need revalidation.
+
+        Returns True if:
+        1. User is authenticated in session
+        2. The session hasn't expired
+        3. The re-validation interval hasn't passed
+
+        Note: This method should only be called for Clerk sessions.
+        """
+        if not hasattr(request, "user") or not request.user.is_authenticated:
+            return False
+
+        # Check if re-validation is needed
+        last_check = request.session.get("last_clerk_check", 0)
+        now = int(time.time())
+
+        if now - last_check > CLERK_SESSION_REVALIDATION_SECONDS:
+            # Re-validation needed - try to validate the token
+            try:
+                payload = get_clerk_payload_from_request(request)
+                if payload:
+                    # Token is still valid, update session
+                    request.session["last_clerk_check"] = now
+                    request.session["clerk_org_id"] = payload.get("org_id")
+                    request.clerk_payload = payload  # type: ignore
+                    return True
+
+                # Missing token or invalid payload - end the session
+                self._clear_session(request)
+                return False
+            except ClerkTokenError:
+                # Token is invalid - invalidate session
+                self._clear_session(request)
+                return False
+
+        return True
+
+    def _create_session(self, request: "HttpRequest", user, payload: dict) -> None:
+        """
+        Create a Django session for the authenticated user.
+
+        Note: We manually set session data instead of calling login() to avoid
+        triggering Django signals (like user_logged_in) that may conflict with
+        Clerk's authentication flow.
+        """
+        # Manually set session auth data (what login() would do internally)
+        request.session["_auth_user_id"] = str(user.pk)
+        request.session["_auth_user_backend"] = CLERK_BACKEND
+        request.session["_auth_user_hash"] = ""
+
+        # Store Clerk-specific session data
+        request.session["last_clerk_check"] = int(time.time())
+        request.session["clerk_org_id"] = payload.get("org_id")
+
+        logger.debug(f"Created session for user {user.email}")
+
+    def _clear_session(self, request: "HttpRequest") -> None:
+        """
+        Clear the Django session.
+        """
+        request.session.flush()
+
+    def _set_anonymous(self, request: "HttpRequest") -> None:
+        """
+        Set the request user to anonymous.
+        """
+        if not hasattr(request, "user") or request.user.is_authenticated:
+            request.user = AnonymousUser()
+        request.clerk_user = None  # type: ignore
+        request.clerk_payload = None  # type: ignore
+        request.org = None  # type: ignore