enlace_auth 0.1.1__tar.gz

enlace_auth-0.1.1/.github/workflows/ci.yml

@@ -0,0 +1,256 @@
+name: Continuous Integration (uv)
+on: [push, pull_request]
+
+# Note: Environment variables (PROJECT_NAME and vars from [tool.wads.ci.env])
+# are set by the read-ci-config action in the setup job and made available
+# to all subsequent jobs via GITHUB_ENV
+
+jobs:
+  # First job: Read configuration from pyproject.toml
+  setup:
+    name: Read Configuration
+    runs-on: ubuntu-latest
+    outputs:
+      project-name: ${{ steps.config.outputs.project-name }}
+      python-versions: ${{ steps.config.outputs.python-versions }}
+      pytest-args: ${{ steps.config.outputs.pytest-args }}
+      coverage-enabled: ${{ steps.config.outputs.coverage-enabled }}
+      exclude-paths: ${{ steps.config.outputs.exclude-paths }}
+      test-on-windows: ${{ steps.config.outputs.test-on-windows }}
+      build-sdist: ${{ steps.config.outputs.build-sdist }}
+      build-wheel: ${{ steps.config.outputs.build-wheel }}
+      metrics-enabled: ${{ steps.config.outputs.metrics-enabled }}
+      metrics-config-path: ${{ steps.config.outputs.metrics-config-path }}
+      metrics-storage-branch: ${{ steps.config.outputs.metrics-storage-branch }}
+      metrics-python-version: ${{ steps.config.outputs.metrics-python-version }}
+      metrics-force-run: ${{ steps.config.outputs.metrics-force-run }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Read CI Config
+        id: config
+        uses: i2mint/wads/actions/read-ci-config@master
+        with:
+          pyproject-path: .
+
+  # Second job: Validation using the config
+  validation:
+    name: Validation
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    needs: setup
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ${{ fromJson(needs.setup.outputs.python-versions) }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python ${{ matrix.python-version }}
+        run: |
+          uv python install ${{ matrix.python-version }}
+          uv venv --python ${{ matrix.python-version }}
+
+      - name: Install System Dependencies
+        uses: i2mint/wads/actions/install-system-deps@master
+        with:
+          pyproject-path: .
+
+      - name: Install Dependencies
+        run: |
+          source .venv/bin/activate
+          uv pip install -e ".[dev]"
+
+      - name: Format Source Code
+        run: uvx ruff format .
+
+      - name: Lint Validation
+        run: uvx ruff check --output-format=github ${{ needs.setup.outputs.project-name }}
+
+      - name: Run Tests
+        run: |
+          source .venv/bin/activate
+          PYTEST_ARGS="${{ needs.setup.outputs.pytest-args }}"
+          EXCLUDE="${{ needs.setup.outputs.exclude-paths }}"
+          COVERAGE="${{ needs.setup.outputs.coverage-enabled }}"
+          ROOT_DIR="${{ needs.setup.outputs.project-name }}"
+
+          CMD="python -m pytest"
+
+          # Add coverage flags
+          if [ "$COVERAGE" = "true" ]; then
+            uv pip install pytest-cov
+            CMD="$CMD --cov=$ROOT_DIR --cov-report=term-missing"
+          fi
+
+          # Add doctest flags
+          CMD="$CMD --doctest-modules"
+          CMD="$CMD -o doctest_optionflags='ELLIPSIS IGNORE_EXCEPTION_DETAIL'"
+
+          # Add exclude paths
+          if [ -n "$EXCLUDE" ]; then
+            IFS=',' read -ra PATHS <<< "$EXCLUDE"
+            for path in "${PATHS[@]}"; do
+              path=$(echo "$path" | xargs)
+              CMD="$CMD --ignore=$path"
+            done
+          fi
+
+          # Add extra pytest args
+          if [ -n "$PYTEST_ARGS" ]; then
+            CMD="$CMD $PYTEST_ARGS"
+          fi
+
+          echo "Running: $CMD"
+          eval $CMD
+
+      - name: Track Code Metrics
+        if: needs.setup.outputs.metrics-enabled == 'true'
+        uses: i2mint/umpyre/actions/track-metrics@master
+        continue-on-error: true
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: ${{ needs.setup.outputs.metrics-config-path }}
+          storage-branch: ${{ needs.setup.outputs.metrics-storage-branch }}
+          python-version: ${{ needs.setup.outputs.metrics-python-version }}
+          force-run: ${{ needs.setup.outputs.metrics-force-run }}
+
+  # Optional Windows testing (if enabled in config)
+  windows-validation:
+    name: Windows Tests
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && needs.setup.outputs.test-on-windows == 'true'"
+    needs: setup
+    runs-on: windows-latest
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python
+        run: |
+          uv python install ${{ fromJson(needs.setup.outputs.python-versions)[0] }}
+          uv venv
+
+      - name: Install System Dependencies
+        uses: i2mint/wads/actions/install-system-deps@master
+        with:
+          pyproject-path: .
+
+      - name: Install Dependencies
+        run: |
+          .venv\Scripts\activate
+          uv pip install -e ".[dev]"
+
+      - name: Run tests
+        id: test
+        continue-on-error: true
+        run: |
+          .venv\Scripts\activate
+          pytest
+
+      - name: Report test results
+        if: always()
+        run: |
+          if ("${{ steps.test.outcome }}" -eq "failure") {
+            echo "::warning::Windows tests failed but workflow continues"
+            echo "## ⚠️ Windows Tests Failed" >> $env:GITHUB_STEP_SUMMARY
+            echo "Tests failed on Windows but this is informational only." >> $env:GITHUB_STEP_SUMMARY
+          } else {
+            echo "## ✅ Windows Tests Passed" >> $env:GITHUB_STEP_SUMMARY
+          }
+
+  # Publishing job
+  publish:
+    name: Publish
+    permissions:
+      contents: write
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main')"
+    needs: [setup, validation]
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Set up Python
+        run: uv python install ${{ fromJson(needs.setup.outputs.python-versions)[0] }}
+
+      - name: Format Source Code
+        run: uvx ruff format .
+
+      - name: Update Version Number
+        id: version
+        uses: i2mint/isee/actions/bump-version-number@master
+
+      - name: Build Distribution
+        run: |
+          BUILD_ARGS=""
+          if [ "${{ needs.setup.outputs.build-sdist }}" = "false" ]; then
+            BUILD_ARGS="$BUILD_ARGS --no-sdist"
+          fi
+          if [ "${{ needs.setup.outputs.build-wheel }}" = "false" ]; then
+            BUILD_ARGS="$BUILD_ARGS --no-wheel"
+          fi
+          uv build $BUILD_ARGS
+
+      - name: Publish to PyPI
+        env:
+          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_PASSWORD }}
+        run: uv publish dist/*
+
+      - name: Force SSH for git remote
+        run: |
+          git remote set-url origin git@github.com:${{ github.repository }}.git
+
+      - name: Commit Changes
+        uses: i2mint/wads/actions/git-commit@master
+        with:
+          commit-message: "**CI** Formatted code + Updated version to ${{ env.VERSION }} [skip ci]"
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+          push: true
+
+      - name: Tag Repository
+        uses: i2mint/wads/actions/git-tag@master
+        with:
+          tag: ${{ env.VERSION }}
+          message: "Release version ${{ env.VERSION }}"
+          push: true
+
+  # Optional GitHub Pages
+  github-pages:
+    name: Publish GitHub Pages
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)"
+    needs: publish
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: i2mint/epythet/actions/publish-github-pages@master
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          ignore: "tests/,scrap/,examples/"

enlace_auth-0.1.1/.gitignore

@@ -0,0 +1,121 @@
+wads_configs.json
+data/wads_configs.json
+wads/data/wads_configs.json
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+
+.DS_Store
+# C extensions
+*.so
+
+# TLS certificates
+## Ignore all PEM files anywhere
+*.pem
+## Also ignore any certs directory
+certs/
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+_build
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+docs/*
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+# PyCharm
+.idea

enlace_auth-0.1.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Thor Whalen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

enlace_auth-0.1.1/PKG-INFO

@@ -0,0 +1,106 @@
+Metadata-Version: 2.4
+Name: enlace_auth
+Version: 0.1.1
+Summary: Authentication, sessions, admin dashboard, and per-user stores for the enlace platform
+Project-URL: Homepage, https://github.com/i2mint/enlace_auth
+Author: Thor Whalen
+License: Apache-2.0
+License-File: LICENSE
+Keywords: admin,argon2,auth,enlace,fastapi,platform,session
+Requires-Python: >=3.10
+Requires-Dist: argh>=0.31.0
+Requires-Dist: argon2-cffi>=23
+Requires-Dist: dol>=0.2
+Requires-Dist: email-validator>=2.0
+Requires-Dist: enlace>=0.1.0
+Requires-Dist: fastapi>=0.100.0
+Requires-Dist: itsdangerous>=2.1
+Requires-Dist: pydantic>=2.0.0
+Provides-Extra: dev
+Requires-Dist: authlib>=1.3; extra == 'dev'
+Requires-Dist: httpx; extra == 'dev'
+Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
+Provides-Extra: oauth
+Requires-Dist: authlib>=1.3; extra == 'oauth'
+Requires-Dist: httpx>=0.24.0; extra == 'oauth'
+Description-Content-Type: text/markdown
+
+# enlace_auth
+
+Authentication, sessions, an admin dashboard, and per-user stores for the
+[enlace](https://github.com/i2mint/enlace) multi-app platform.
+
+`enlace` itself is auth-agnostic — it composes apps and routes traffic. This
+package plugs in at compose time and adds:
+
+- `/auth/login`, `/auth/logout`, `/auth/register`, `/auth/whoami`,
+  `/auth/csrf`, `/auth/me/password`, `/auth/shared-login`
+- `/_admin/api/*` — list/create/delete users, admin password reset, view app
+  policy. Gated by an admin allowlist.
+- per-user data injection via `request.state.store`
+- `PlatformAuthMiddleware` + `CSRFMiddleware`
+- optional OAuth2 / OIDC via Authlib
+
+## Quick start
+
+```python
+from enlace import build_backend, PlatformConfig
+from enlace_auth import plugin as auth_plugin
+
+config = PlatformConfig.from_toml("platform.toml")
+app = build_backend(config, plugins=[auth_plugin])
+```
+
+Or, if you serve via `uvicorn --factory enlace.compose:create_app`, set:
+
+```bash
+export ENLACE_PLUGINS=enlace_auth:plugin
+```
+
+## Configuration
+
+In `platform.toml`:
+
+```toml
+[auth]
+enabled = true
+session_cookie_name = "enlace_session"
+session_max_age_seconds = 86400
+signing_key_env = "ENLACE_SIGNING_KEY"
+secure_cookies = true
+
+[auth.stores]
+backend = "file"
+path = "~/.enlace/platform_store"
+
+[stores.user_data]
+backend = "file"
+path = "~/.enlace/user_data"
+```
+
+Plus environment variables:
+
+- `ENLACE_SIGNING_KEY` — signing key (32+ chars). Generate with `python -c
+  "import secrets; print(secrets.token_urlsafe(32))"`.
+- `ENLACE_ADMIN_EMAILS` — comma-separated admin emails (gate `/_admin`).
+- `ENLACE_ALLOW_UNSIGNED=1` — opt-out from fail-fast (diagnostics only).
+
+## Doctor checks
+
+```python
+from enlace.doctor import run_doctor
+from enlace_auth.diagnostics import static_checks, http_checks
+
+report = run_doctor(
+    config,
+    base_url="http://localhost:8000",
+    extra_static_checks=static_checks,
+    extra_http_checks=http_checks,
+)
+```
+
+## Status
+
+Extracted from `enlace` 0.0.11. The Python API is stable; an admin frontend
+ships separately as a normal enlaced app.

enlace_auth-0.1.1/README.md

@@ -0,0 +1,78 @@
+# enlace_auth
+
+Authentication, sessions, an admin dashboard, and per-user stores for the
+[enlace](https://github.com/i2mint/enlace) multi-app platform.
+
+`enlace` itself is auth-agnostic — it composes apps and routes traffic. This
+package plugs in at compose time and adds:
+
+- `/auth/login`, `/auth/logout`, `/auth/register`, `/auth/whoami`,
+  `/auth/csrf`, `/auth/me/password`, `/auth/shared-login`
+- `/_admin/api/*` — list/create/delete users, admin password reset, view app
+  policy. Gated by an admin allowlist.
+- per-user data injection via `request.state.store`
+- `PlatformAuthMiddleware` + `CSRFMiddleware`
+- optional OAuth2 / OIDC via Authlib
+
+## Quick start
+
+```python
+from enlace import build_backend, PlatformConfig
+from enlace_auth import plugin as auth_plugin
+
+config = PlatformConfig.from_toml("platform.toml")
+app = build_backend(config, plugins=[auth_plugin])
+```
+
+Or, if you serve via `uvicorn --factory enlace.compose:create_app`, set:
+
+```bash
+export ENLACE_PLUGINS=enlace_auth:plugin
+```
+
+## Configuration
+
+In `platform.toml`:
+
+```toml
+[auth]
+enabled = true
+session_cookie_name = "enlace_session"
+session_max_age_seconds = 86400
+signing_key_env = "ENLACE_SIGNING_KEY"
+secure_cookies = true
+
+[auth.stores]
+backend = "file"
+path = "~/.enlace/platform_store"
+
+[stores.user_data]
+backend = "file"
+path = "~/.enlace/user_data"
+```
+
+Plus environment variables:
+
+- `ENLACE_SIGNING_KEY` — signing key (32+ chars). Generate with `python -c
+  "import secrets; print(secrets.token_urlsafe(32))"`.
+- `ENLACE_ADMIN_EMAILS` — comma-separated admin emails (gate `/_admin`).
+- `ENLACE_ALLOW_UNSIGNED=1` — opt-out from fail-fast (diagnostics only).
+
+## Doctor checks
+
+```python
+from enlace.doctor import run_doctor
+from enlace_auth.diagnostics import static_checks, http_checks
+
+report = run_doctor(
+    config,
+    base_url="http://localhost:8000",
+    extra_static_checks=static_checks,
+    extra_http_checks=http_checks,
+)
+```
+
+## Status
+
+Extracted from `enlace` 0.0.11. The Python API is stable; an admin frontend
+ships separately as a normal enlaced app.

enlace_auth-0.1.1/enlace_auth/__init__.py

@@ -0,0 +1,40 @@
+"""enlace_auth — authentication, sessions, admin dashboard, and per-user stores.
+
+Plug into ``enlace`` at compose time::
+
+    from enlace import build_backend, PlatformConfig
+    from enlace_auth import plugin as auth_plugin
+
+    config = PlatformConfig.from_toml()
+    app = build_backend(config, plugins=[auth_plugin])
+
+When ``config.auth.enabled`` is True the plugin mounts:
+
+- ``/auth/*``      — login, logout, register, whoami, csrf, me/password
+- ``/_admin/api/*`` — admin user/app management (gated by admin allowlist)
+- ``/api/{app}/store/*`` — per-user data store
+- middleware: PlatformAuthMiddleware, CSRFMiddleware, StoreInjectionMiddleware
+
+When it's False the plugin is a no-op, so installing this package never
+changes platform behavior unless the operator opts in.
+"""
+
+from enlace_auth.config import (
+    AccessLevel,
+    AuthConfig,
+    OAuthProviderConfig,
+    StoreBackendConfig,
+)
+from enlace_auth.plugin import EnlaceAuthConfigError, plugin, wire
+
+__version__ = "0.0.1"
+
+__all__ = [
+    "AccessLevel",
+    "AuthConfig",
+    "EnlaceAuthConfigError",
+    "OAuthProviderConfig",
+    "StoreBackendConfig",
+    "plugin",
+    "wire",
+]