ecodev-core 0.0.53__tar.gz → 0.0.55__tar.gz

{ecodev_core-0.0.53 → ecodev_core-0.0.55}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: ecodev-core
-Version: 0.0.53
+Version: 0.0.55
 Summary: Low level sqlmodel/fastapi/pydantic building blocks
 License: MIT
 Author: Thomas Epelbaum
@@ -43,7 +43,7 @@ Requires-Dist: pandas (>=2,<3)
 Requires-Dist: passlib[bcyrypt] (>=1,<2)
 Requires-Dist: progressbar2 (>=4.4.2,<5.0.0)
 Requires-Dist: psycopg2-binary (>=2,<3)
-Requires-Dist: pydantic (==2.9.2)
+Requires-Dist: pydantic (==2.11.7)
 Requires-Dist: pydantic-settings (>=2,<3)
 Requires-Dist: python-jose[cryptography] (>=3,<4)
 Requires-Dist: pyyaml (>=6,<7)

{ecodev_core-0.0.53 → ecodev_core-0.0.55}/ecodev_core/__init__.py

@@ -12,6 +12,7 @@ from ecodev_core.app_user import select_user
 from ecodev_core.app_user import upsert_app_users
 from ecodev_core.auth_configuration import AUTH
 from ecodev_core.authentication import attempt_to_log
+from ecodev_core.authentication import ban_token
 from ecodev_core.authentication import get_access_token
 from ecodev_core.authentication import get_app_services
 from ecodev_core.authentication import get_current_user
@@ -88,6 +89,7 @@ from ecodev_core.safe_utils import SimpleReturn
 from ecodev_core.safe_utils import stringify
 from ecodev_core.settings import SETTINGS
 from ecodev_core.settings import Settings
+from ecodev_core.token_banlist import TokenBanlist
 from ecodev_core.version import db_to_value
 from ecodev_core.version import get_row_versions
 from ecodev_core.version import get_versions
@@ -108,4 +110,4 @@ __all__ = [
     'sort_by_keys', 'sort_by_values', 'Settings', 'load_yaml_file', 'Deployment', 'Version',
     'sfield', 'field', 'upsert_df_data', 'upsert_deletor', 'get_row_versions', 'get_versions',
     'db_to_value', 'upsert_data', 'upsert_selector', 'get_sfield_columns', 'filter_to_sfield_dict',
-    'SETTINGS', 'add_missing_enum_values']
+    'SETTINGS', 'add_missing_enum_values', 'ban_token', 'TokenBanlist']

{ecodev_core-0.0.53 → ecodev_core-0.0.55}/ecodev_core/authentication.py

@@ -33,7 +33,7 @@ from ecodev_core.db_connection import engine
 from ecodev_core.logger import logger_get
 from ecodev_core.permissions import Permission
 from ecodev_core.pydantic_utils import Frozen
-
+from ecodev_core.token_banlist import TokenBanlist
 
 SCHEME = OAuth2PasswordBearer(tokenUrl='login')
 auth_router = APIRouter(tags=['authentication'])
@@ -44,6 +44,7 @@ INVALID_USER = 'Invalid User'
 INVALID_TFA = 'Invalid TFA code'
 ADMIN_ERROR = 'Could not validate credentials. You need admin rights to call this'
 INVALID_CREDENTIALS = 'Invalid Credentials'
+REVOKED_TOKEN = 'This token has been revoked (by a logout action), please login again.'
 log = logger_get(__name__)
 
 
@@ -62,7 +63,7 @@ class TokenData(Frozen):
     id: int
 
 
-def get_access_token(token: Dict[str, Any]):
+def get_access_token(token: Dict[str, Any]) -> str | None:
     """
     Robust method to return access token or None
     """
@@ -158,6 +159,9 @@ def is_authorized_user(token: str = Depends(SCHEME)) -> bool:
     """
     Check if the passed token corresponds to an authorized user
     """
+    if _is_banned(token):
+        return False
+
     try:
         return get_current_user(token) is not None
     except Exception:
@@ -180,12 +184,38 @@ def get_user(token: str = Depends(SCHEME),
     """
     Retrieves (if it exists) the db user corresponding to the passed token
     """
+    if _is_banned(token):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=REVOKED_TOKEN,
+                            headers={'WWW-Authenticate': 'Bearer'})
     if user := get_current_user(token, tfa_value, tfa_check):
         return user
     raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=INVALID_CREDENTIALS,
                         headers={'WWW-Authenticate': 'Bearer'})
 
 
+def ban_token(token: str, session: Session) -> None:
+    """
+    Ban the passed token
+    """
+    session.add(TokenBanlist(token=token))
+    session.commit()
+
+
+def _is_banned(token: str) -> bool:
+    """
+    Check if the passed token is banned.
+
+    NB: Clean the TokenBanlist table (deleting old entries) on the fly
+    """
+    with Session(engine) as session:
+        threshold = datetime.now() - timedelta(minutes=EXPIRATION_LENGTH)
+        for token_banned in session.exec(
+                select(TokenBanlist).where(TokenBanlist.created_at <= threshold)).all():
+            session.delete(token_banned)
+        session.commit()
+        return token in session.exec(select(TokenBanlist.token)).all()
+
+
 def get_current_user(token: str,
                      tfa_value: Optional[str] = None,
                      tfa_check: bool = False
@@ -202,6 +232,10 @@ def is_admin_user(token: str = Depends(SCHEME)) -> AppUser:
     """
     Retrieves (if it exists) the admin (meaning who has valid credentials) user from the db
     """
+    if _is_banned(token):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=REVOKED_TOKEN,
+                            headers={'WWW-Authenticate': 'Bearer'})
+
     if (user := get_current_user(token)) and user.permission == Permission.ADMIN:
         return user
     raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=ADMIN_ERROR,
@@ -212,6 +246,10 @@ def is_monitoring_user(token: str = Depends(SCHEME)) -> AppUser:
     """
     Retrieves (if it exists) the monitoring user from the db
     """
+    if _is_banned(token):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=REVOKED_TOKEN,
+                            headers={'WWW-Authenticate': 'Bearer'})
+
     if (user := get_current_user(token)) and user.user == MONITORING:
         return user
     raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,

{ecodev_core-0.0.53 → ecodev_core-0.0.55}/ecodev_core/db_upsertion.py

@@ -32,7 +32,9 @@ SA_COLUMN_KWARGS = 'sa_column_kwargs'
 def add_missing_enum_values(enum: EnumType, session: Session, new_vals: list | None = None) -> None:
     """
     Add to an existing enum its missing db values. Do so by retrieving what is already in db, and
-    insert what is new
+    insert what is new.
+
+    NB: new_val argument is there for testing purposes
     """
 
     for val in [e.name for e in new_vals or enum if e.name not in get_enum_values(enum, session)]:

ecodev_core-0.0.55/ecodev_core/token_banlist.py

@@ -0,0 +1,18 @@
+"""
+Module implementing the token ban list table
+"""
+from datetime import datetime
+from typing import Optional
+
+from sqlmodel import Field
+from sqlmodel import SQLModel
+
+
+class TokenBanlist(SQLModel, table=True):  # type: ignore
+    """
+    A token banlist: timestamped banned token.
+    """
+    __tablename__ = 'token_banlist'
+    id: Optional[int] = Field(default=None, primary_key=True)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    token: str = Field(index=True)

{ecodev_core-0.0.53 → ecodev_core-0.0.55}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ecodev-core"
-version = "0.0.53"
+version = "0.0.55"
 description = "Low level sqlmodel/fastapi/pydantic building blocks"
 authors = ["Thomas Epelbaum <tomepel@gmail.com>",
 					 "Olivier Gabriel <olivier.gabriel.geom@gmail.com>",
@@ -52,7 +52,7 @@ pandas = "~2"
 passlib = {version = "~1", extras = ["bcyrypt"]}
 progressbar2 = "^4.4.2"
 psycopg2-binary = "~2"
-pydantic = "2.9.2"
+pydantic = "2.11.7"
 pydantic-settings = "~2"
 python-jose = {version = "~3", extras = ["cryptography"]}
 pyyaml = "~6"