django-clerk-users 0.0.2__tar.gz → 0.1.0__tar.gz

django_clerk_users-0.1.0/.flake8

@@ -0,0 +1,17 @@
+[flake8]
+max-line-length = 88
+extend-ignore = E203, W503, LOG011, LOG005
+exclude =
+    .git,
+    __pycache__,
+    example_project,
+    .venv,
+    .tox,
+    build,
+    dist,
+    *.egg-info
+per-file-ignores =
+    # Imported but unused in __init__ files
+    __init__.py:F401
+    # Docstring examples can be long
+    */views.py:E501

django_clerk_users-0.1.0/.github/workflows/main.yaml

@@ -0,0 +1,114 @@
+name: CI
+
+on:
+  # workflow_dispatch:
+  push:
+    branches:
+    - main
+    tags:
+    - '**'
+  pull_request:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  tests:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-24.04
+
+    strategy:
+      matrix:
+        python-version:
+        - '3.12'
+        - '3.13'
+        - '3.14'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+        allow-prereleases: true
+
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
+      with:
+        enable-cache: true
+        cache-dependency-glob: uv.lock
+
+    - name: Install dependencies
+      run: uv pip install --system tox tox-uv
+
+    - name: Run tox targets for ${{ matrix.python-version }}
+      run: tox run -f py$(echo ${{ matrix.python-version }} | tr -d .)
+
+    - name: Upload coverage data
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-data-${{ matrix.python-version }}
+        path: '${{ github.workspace }}/.coverage.*'
+        include-hidden-files: true
+        if-no-files-found: warn
+
+  coverage:
+    name: Coverage
+    runs-on: ubuntu-24.04
+    needs: tests
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Install dependencies
+        run: uv pip install --system coverage[toml]
+
+      - name: Download data
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ github.workspace }}
+          pattern: coverage-data-*
+          merge-multiple: true
+
+      - name: Combine coverage and fail if it's <100%
+        run: |
+          python -m coverage combine
+          python -m coverage html --skip-covered --skip-empty
+          python -m coverage report --fail-under=100
+          echo "## Coverage summary" >> $GITHUB_STEP_SUMMARY
+          python -m coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true
+
+      - name: Upload HTML report
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: html-report
+          path: htmlcov
+
+  release:
+    needs: [coverage]
+    if: success() && startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-24.04
+    environment: release
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v4
+
+      - name: Build
+        run: uv build
+
+      - uses: pypa/gh-action-pypi-publish@release/v1

django_clerk_users-0.1.0/.gitignore

@@ -0,0 +1,185 @@
+example/
+
+.DS_Store
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# PyPI configuration file
+.pypirc
+
+# Playwright MCP cache
+.playwright-mcp/
+
+# Development notes
+issues.md
+
+# Test artifacts
+tests/ui_*.py
+tests/*.sqlite3

django_clerk_users-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,70 @@
+ci:
+  autoupdate_schedule: monthly
+
+default_language_version:
+  python: python3.12
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v5.0.0
+  hooks:
+  - id: check-added-large-files
+  - id: check-case-conflict
+  - id: check-json
+  - id: check-merge-conflict
+  - id: check-symlinks
+  - id: check-toml
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
+- repo: https://github.com/tox-dev/pyproject-fmt
+  rev: v2.5.0
+  hooks:
+  - id: pyproject-fmt
+- repo: https://github.com/tox-dev/tox-ini-fmt
+  rev: 1.4.1
+  hooks:
+  - id: tox-ini-fmt
+- repo: https://github.com/rstcheck/rstcheck
+  rev: v6.2.4
+  hooks:
+  - id: rstcheck
+    additional_dependencies:
+    - sphinx==6.1.3
+    - tomli==2.0.1
+- repo: https://github.com/sphinx-contrib/sphinx-lint
+  rev: v1.0.0
+  hooks:
+  - id: sphinx-lint
+- repo: https://github.com/asottile/pyupgrade
+  rev: v3.19.0
+  hooks:
+  - id: pyupgrade
+    args: [--py39-plus]
+- repo: https://github.com/adamchainz/django-upgrade
+  rev: 1.22.2
+  hooks:
+  - id: django-upgrade
+    args: [--target-version, '4.2']
+- repo: https://github.com/psf/black-pre-commit-mirror
+  rev: 24.10.0
+  hooks:
+  - id: black
+- repo: https://github.com/adamchainz/blacken-docs
+  rev: 1.19.1
+  hooks:
+  - id: blacken-docs
+    additional_dependencies:
+    - black==23.1.0
+- repo: https://github.com/astral-sh/ruff-pre-commit
+  # Ruff version.
+  rev: v0.14.1
+  hooks:
+    # Run the linter.
+    - id: ruff-check
+      args: [ --fix ]
+    # Run the formatter.
+    - id: ruff-format
+- repo: https://github.com/adamchainz/djade-pre-commit
+  rev: 1.6.0
+  hooks:
+  - id: djade

django_clerk_users-0.1.0/.python-version

@@ -0,0 +1 @@
+3.12

django_clerk_users-0.1.0/CLAUDE.md

@@ -0,0 +1,116 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+django-clerk-users is a Django package for integrating Clerk authentication with Django. It provides:
+
+- Custom user model (`ClerkUser`) with Clerk integration
+- JWT token validation via Clerk SDK
+- Session-based authentication middleware (validates once, caches in session)
+- Webhook handling with Svix signature verification
+- Optional organizations support (separate sub-app)
+- Django REST Framework authentication (optional)
+
+## Development Commands
+
+```bash
+# Install dependencies
+uv sync
+
+# Run tests
+uv run python -m pytest
+
+# Run a single test
+uv run python -m pytest tests/test_import.py::TestModels::test_clerk_user_model -v
+
+# Run tests with coverage across Python versions (3.12, 3.13, 3.14)
+uv run tox
+
+# Run pre-commit hooks
+uv run pre-commit run --all-files
+
+# Install package in development mode
+uv pip install -e .
+```
+
+## Code Architecture
+
+### Package Structure
+
+```
+src/django_clerk_users/
+├── models.py              # AbstractClerkUser, ClerkUser, ClerkUserManager
+├── settings.py            # Package settings (CLERK_* settings)
+├── client.py              # Clerk SDK client singleton
+├── authentication/        # Auth backends and token utilities
+│   ├── backends.py        # ClerkBackend (Django auth)
+│   ├── drf.py             # ClerkAuthentication (DRF, optional)
+│   └── utils.py           # Token validation, user creation
+├── middleware/
+│   └── auth.py            # ClerkAuthMiddleware
+├── webhooks/
+│   ├── views.py           # Webhook endpoint
+│   ├── security.py        # Svix verification
+│   ├── handlers.py        # Event handlers
+│   └── signals.py         # Django signals for extensibility
+├── organizations/         # Optional sub-app
+│   ├── models.py          # Organization, OrganizationMember, OrganizationInvitation
+│   ├── middleware.py      # ClerkOrganizationMiddleware
+│   └── webhooks.py        # Organization event handlers
+├── decorators.py          # @clerk_user_required, @clerk_org_required
+├── caching.py             # User/org caching utilities
+├── utils.py               # update_or_create_clerk_user, etc.
+└── management/commands/
+    ├── sync_clerk_users.py
+    ├── sync_clerk_organizations.py
+    └── migrate_users_to_clerk.py
+```
+
+### Key Patterns
+
+1. **Session-based optimization**: JWT validated once, then cached in Django session. Re-validates every 5 minutes.
+
+2. **Lazy imports**: `__init__.py` uses `__getattr__` to avoid loading models before Django apps are ready.
+
+3. **Swappable user model**: Provides both `AbstractClerkUser` (for custom models) and `ClerkUser` (concrete).
+
+4. **Signal-based webhooks**: Handlers emit signals (`clerk_user_created`, etc.) for extensibility.
+
+5. **Optional DRF**: Install with `uv pip install django-clerk-users[drf]` for DRF authentication.
+
+## Configuration
+
+```python
+# Required settings
+CLERK_SECRET_KEY = env("CLERK_SECRET_KEY")
+CLERK_WEBHOOK_SIGNING_KEY = env("CLERK_WEBHOOK_SIGNING_KEY")
+CLERK_FRONTEND_HOSTS = ["https://myapp.com"]
+
+# Optional settings
+CLERK_SESSION_REVALIDATION_SECONDS = 300  # 5 minutes
+CLERK_CACHE_TIMEOUT = 300  # 5 minutes
+```
+
+## Testing
+
+- Tests use pytest-django with settings in `tests/settings.py`
+- Tests use mock Clerk credentials (no actual API calls)
+- Run `uv run python -m pytest -v` for verbose output
+
+## Releasing
+
+Releases are automated via GitHub Actions (`.github/workflows/main.yaml`).
+
+To release a new version:
+
+1. Update version in `pyproject.toml`
+2. Commit changes: `git commit -am "Release vX.Y.Z"`
+3. Push to main: `git push origin main`
+4. Create and push a tag: `git tag vX.Y.Z && git push origin vX.Y.Z`
+
+The workflow will:
+- Run tests on Python 3.12, 3.13, 3.14
+- Build the package
+- Publish to PyPI (using trusted publishing)

django_clerk_users-0.1.0/HYBRID_AUTH.md

@@ -0,0 +1,134 @@
+# Hybrid Authentication Feature
+
+## Overview
+
+This feature adds support for hybrid authentication, allowing django-clerk-users to work alongside Django's traditional admin authentication. This is particularly useful when your admin panel is on a different domain than your frontend.
+
+## Changes Made
+
+### 1. Middleware Updates (`src/django_clerk_users/middleware/auth.py`)
+
+- Added `_is_clerk_session()` method to distinguish between Clerk sessions and Django admin sessions
+- Updated `process_request()` to respect existing Django admin sessions without interference
+- Clerk sessions are identified by the presence of `last_clerk_check` in the session
+- Django admin sessions (created by `ModelBackend`) are preserved and not validated against Clerk
+
+### 2. Model Updates (`src/django_clerk_users/models.py`)
+
+- Made `clerk_id` field nullable (`null=True`, `blank=True`)
+- Updated help text to clarify that `clerk_id` can be null for Django admin users
+- Changed `REQUIRED_FIELDS` from `["clerk_id"]` to `[]` to support admin user creation
+- Password field (inherited from `AbstractBaseUser`) is now functional for admin users
+
+### 3. Migration (`src/django_clerk_users/migrations/0002_make_clerk_id_nullable.py`)
+
+- New migration to alter `clerk_id` field to allow NULL values
+- Maintains unique constraint while allowing NULL
+
+### 4. Documentation Updates (`README.md`)
+
+- Added "Hybrid Authentication" section explaining the feature
+- Updated authentication backend configuration to show both options:
+  - Clerk-only: `[ClerkBackend]`
+  - Hybrid: `[ModelBackend, ClerkBackend]`
+- Added instructions for creating admin users via `createsuperuser`
+- Explained session handling differences
+- Added use cases for hybrid authentication
+
+### 5. Tests (`tests/test_hybrid_auth.py`)
+
+- New test file for hybrid authentication scenarios
+- Tests for Django admin session preservation
+- Tests for Clerk session handling
+- Tests for middleware behavior with both authentication types
+
+## Configuration
+
+### For Clerk-only authentication (existing behavior):
+
+```python
+AUTHENTICATION_BACKENDS = [
+    "django_clerk_users.authentication.ClerkBackend",
+]
+```
+
+### For hybrid authentication (new feature):
+
+```python
+AUTHENTICATION_BACKENDS = [
+    "django.contrib.auth.backends.ModelBackend",  # For Django admin
+    "django_clerk_users.authentication.ClerkBackend",  # For Clerk JWT
+]
+```
+
+## How It Works
+
+1. **Clerk Users**: Authenticated via JWT tokens
+   - JWT validated on first request
+   - Session created with `last_clerk_check` marker
+   - Re-validated every 5 minutes (configurable)
+   - Has `clerk_id` field populated
+
+2. **Admin Users**: Authenticated via username/password
+   - Traditional Django session (no `last_clerk_check` marker)
+   - Created via `createsuperuser` command
+   - No `clerk_id` (NULL)
+   - Can access Django admin panel
+
+3. **Middleware Behavior**:
+   - Checks if user is already authenticated
+   - If `last_clerk_check` exists → Clerk session (validate/revalidate)
+   - If no `last_clerk_check` → Django admin session (preserve as-is)
+   - Never interferes with Django admin sessions
+
+## Use Cases
+
+1. **Cross-domain admin access**: Admin on different domain than frontend
+2. **Internal staff access**: Staff use Django admin without Clerk accounts
+3. **Gradual migration**: Migrate from Django auth to Clerk incrementally
+4. **Mixed user types**: Frontend users via Clerk, internal users via Django
+
+## Breaking Changes
+
+- `clerk_id` is now nullable (requires migration)
+- `REQUIRED_FIELDS` changed from `["clerk_id"]` to `[]`
+
+Existing deployments will need to run the migration:
+
+```bash
+python manage.py migrate django_clerk_users
+```
+
+## Testing
+
+Run the new hybrid authentication tests:
+
+```bash
+python -m pytest tests/test_hybrid_auth.py -v
+```
+
+## Example: Creating Admin User
+
+```bash
+# Create superuser (no Clerk account needed)
+python manage.py createsuperuser
+
+# Login to Django admin
+# Visit: http://your-domain.com/admin/
+# Use the email/password you just created
+```
+
+## Example: User Table After Migration
+
+| id | email | clerk_id | is_staff | is_superuser | Created via |
+|----|-------|----------|----------|--------------|-------------|
+| 1 | admin@example.com | NULL | True | True | createsuperuser |
+| 2 | user@example.com | user_2abc123 | False | False | Clerk webhook |
+| 3 | staff@example.com | user_2def456 | True | False | Clerk webhook + manual flag |
+
+## Notes
+
+- Django admin users (NULL clerk_id) cannot authenticate via Clerk JWT
+- Clerk users (with clerk_id) can authenticate via either method if they have a password set
+- The middleware automatically detects which auth method was used
+- No changes needed to existing Clerk-only deployments (backward compatible)