fastapi-fullauth 0.2.0__tar.gz → 0.3.0__tar.gz

fastapi_fullauth-0.3.0/CHANGELOG.md

@@ -0,0 +1,87 @@
+# Changelog
+
+## 0.3.0
+
+### Breaking changes
+
+- **`create_refresh_token` returns `RefreshTokenMeta`** — previously returned a plain `str`. Now returns a `NamedTuple` with `.token`, `.expires_at`, `.family_id`. Callers that used the raw string must access `.token`.
+- **`create_token_pair` returns `tuple[str, RefreshTokenMeta]`** — second element is now `RefreshTokenMeta` instead of `str`.
+- **`revoke_all_user_refresh_tokens` is now required** on custom adapters — new abstract method on `AbstractUserAdapter`.
+
+### Added
+
+- `current_superuser` dependency and `SuperUser` annotated type
+- `CurrentUser`, `VerifiedUser`, `SuperUser` annotated types in `dependencies.current_user` for cleaner route signatures
+- `RefreshTokenMeta` named tuple — avoids decoding freshly created tokens just to read `expires_at` and `family_id`
+- `FullAuth.get_custom_claims(user)` — moved custom claims logic from router into the class, with validation against reserved JWT keys (`sub`, `exp`, `type`, etc.)
+- `revoke_all_user_refresh_tokens(user_id)` on all adapters — bulk session revocation
+- Session revocation on password reset, password change, and account deletion
+- `configure_hasher()` — wires `PASSWORD_HASH_ALGORITHM` config to the actual hasher; supports `argon2id` and `bcrypt`
+- Automatic password rehash on login when hash algorithm or params have changed
+- Register now checks uniqueness on `login_field` (not just email) when `login_field != "email"`
+- `InMemoryBlacklist` now respects `ttl_seconds` — expired entries are evicted on lookup
+- `RateLimiter` evicts keys with empty timestamp lists to prevent unbounded dict growth
+- `description` parameter on all route decorators for Swagger docs
+
+### Fixed
+
+- `current_active_verified_user` was missing `payload.type != "access"` check — refresh tokens could pass through
+- Purpose tokens (password reset, email verify) could be used as regular access tokens — `current_user` now rejects tokens with `extra.purpose`
+- Duplicate token decode + user lookup across dependencies, router endpoints, and admin routes — consolidated into reusable `current_user` dependency chain
+- Duplicate `roles` + `extra_claims` fetch in refresh route — pulled above the if/else branch
+- Login flow fetched the user from DB twice (once in router, once in `login()`) — now accepts pre-fetched user
+- Unused `request: Request` parameters in dependencies and routes
+- Removed duplicate docstrings on routes (kept `description=` on decorators)
+- `require_permission` was a full copy of `require_role` — now delegates to it
+
+### Internal
+
+- Route order follows auth lifecycle: register → login → refresh → logout → user → email/password → admin
+- `require_role` / `require_permission` use `Depends(current_user)` instead of duplicating token logic
+- Removed `_get_custom_claims` module-level function from router
+
+## 0.2.0
+
+### Breaking changes
+
+- **JSON login** — `POST /login` now accepts `{"email": "...", "password": "..."}` instead of form data. Swagger auth uses bearer token input instead of username/password form.
+- **No default User model** — SQLModel and SQLAlchemy adapters no longer ship a concrete `User`/`UserModel` table class. Users must define their own model from `UserBase`. This eliminates relationship conflicts when subclassing.
+- **`user_model` is required** — `SQLModelAdapter(session_maker, user_model=MyUser)` — no default.
+- **Removed `min_length=8`** from `CreateUserSchema` — password length is now fully controlled by `PasswordValidator` and `PASSWORD_MIN_LENGTH` config.
+- **`SQLAlchemyAdapter` renamed `UserModel` to `UserBase`** — import `UserBase` instead.
+
+### Added
+
+- `POST /auth/change-password` — verifies current password, validates new
+- `PATCH /auth/me` — update profile with protected field filtering
+- `DELETE /auth/me` — self-deletion
+- `expires_in` in login/refresh responses
+- Per-IP auth rate limiting on login, register, password-reset (`AUTH_RATE_LIMIT_*` config)
+- `LOGIN_FIELD` config — login by email, username, phone, or any model field
+- `get_user_by_field()` on all adapters for generic field lookups
+- Structured example apps (`examples/memory_app/`, `examples/sqlmodel_app/`)
+
+### Fixed
+
+- `InMemoryAdapter.update_user` returning base `UserSchema` instead of custom schema
+- Stale `User.id` / `UserModel` references in adapter queries after model removal
+- Parameter ordering in adapter constructors (required params before optional)
+
+## 0.1.0
+
+Initial release.
+
+- JWT access/refresh tokens with rotation and blacklisting
+- Argon2id password hashing
+- Auth flows: register, login, logout, password reset, email verification
+- Brute-force lockout, per-IP rate limiting, CSRF, security headers
+- Bearer and cookie backends
+- SQLAlchemy, SQLModel, and InMemory adapters
+- Redis blacklist backend
+- Refresh token persistence with family tracking and reuse detection
+- Flat config (`secret_key=...`) or full `FullAuthConfig` object
+- Auto-derive schemas from ORM model fields
+- Auto-wire middleware from config flags
+- Route enum, event hooks, email hooks
+- `current_user`, `current_active_verified_user`, `require_role` dependencies
+- 97 tests

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastapi-fullauth
-Version: 0.2.0
+Version: 0.3.0
 Summary: Production-grade, async-native authentication and authorization library for FastAPI
 Project-URL: Homepage, https://github.com/mdfarhankc/fastapi-fullauth
 Project-URL: Documentation, https://github.com/mdfarhankc/fastapi-fullauth
@@ -25,29 +25,12 @@ Requires-Dist: fastapi>=0.110
 Requires-Dist: pydantic-settings>=2.0
 Requires-Dist: pydantic[email]>=2.0
 Requires-Dist: pyjwt>=2.8
-Requires-Dist: python-multipart>=0.0.22
 Requires-Dist: uuid-utils>=0.14.1
 Provides-Extra: all
 Requires-Dist: alembic>=1.13; extra == 'all'
-Requires-Dist: beanie>=1.25; extra == 'all'
-Requires-Dist: httpx-oauth>=0.13; extra == 'all'
-Requires-Dist: itsdangerous>=2.1; extra == 'all'
-Requires-Dist: pyotp>=2.9; extra == 'all'
-Requires-Dist: qrcode>=7.4; extra == 'all'
 Requires-Dist: redis>=5.0; extra == 'all'
 Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'all'
 Requires-Dist: sqlmodel>=0.0.16; extra == 'all'
-Requires-Dist: tortoise-orm>=0.21; extra == 'all'
-Requires-Dist: webauthn>=2.0; extra == 'all'
-Provides-Extra: audit
-Provides-Extra: beanie
-Requires-Dist: beanie>=1.25; extra == 'beanie'
-Provides-Extra: magic-link
-Requires-Dist: itsdangerous>=2.1; extra == 'magic-link'
-Provides-Extra: oauth
-Requires-Dist: httpx-oauth>=0.13; extra == 'oauth'
-Provides-Extra: passkeys
-Requires-Dist: webauthn>=2.0; extra == 'passkeys'
 Provides-Extra: redis
 Requires-Dist: redis>=5.0; extra == 'redis'
 Provides-Extra: sqlalchemy
@@ -56,12 +39,6 @@ Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'sqlalchemy'
 Provides-Extra: sqlmodel
 Requires-Dist: alembic>=1.13; extra == 'sqlmodel'
 Requires-Dist: sqlmodel>=0.0.16; extra == 'sqlmodel'
-Provides-Extra: tenants
-Provides-Extra: tortoise
-Requires-Dist: tortoise-orm>=0.21; extra == 'tortoise'
-Provides-Extra: totp
-Requires-Dist: pyotp>=2.9; extra == 'totp'
-Requires-Dist: qrcode>=7.4; extra == 'totp'
 Description-Content-Type: text/markdown
 
 # fastapi-fullauth
@@ -131,16 +108,31 @@ No need to create separate schema classes or subclass the adapter. Registration
 
 ## Protected routes
 
+Use the `Annotated` types for clean route signatures:
+
 ```python
-from fastapi import Depends
-from fastapi_fullauth.dependencies import current_user, require_role
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
 
 @app.get("/profile")
-async def profile(user=Depends(current_user)):
+async def profile(user: CurrentUser):
     return user
 
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    # only email-verified users
+    return {"email": user.email}
+
 @app.delete("/admin/users/{id}")
-async def delete_user(user=Depends(require_role("admin"))):
+async def delete_user(user: SuperUser):
+    # only superusers
+    ...
+
+# or use require_role for custom roles
+from fastapi import Depends
+from fastapi_fullauth.dependencies import require_role
+
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
     ...
 ```
 
@@ -190,15 +182,44 @@ fullauth.hooks.on("after_register", welcome)
 
 Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`
 
-## Route control
+## Custom token claims
+
+Embed app-specific data into JWTs (available in `payload.extra`):
 
 ```python
-from fastapi_fullauth import Route
+async def add_claims(user):
+    return {"tenant_id": "acme", "plan": "pro"}
+
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    on_create_token_claims=add_claims,
+)
+```
 
+Reserved keys (`sub`, `exp`, `iat`, `jti`, `type`, `roles`, `extra`, `family_id`) are rejected to prevent accidental overwrites.
+
+## Password hashing
+
+Argon2id by default. Switch to bcrypt via config:
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    password_hash_algorithm="bcrypt",  # requires: pip install bcrypt
+)
+```
+
+When switching algorithms, existing users are transparently rehashed on their next login.
+
+## Route control
+
+```python
 fullauth = FullAuth(
     secret_key="...",
     adapter=adapter,
-    enabled_routes=[Route.LOGIN, Route.LOGOUT, Route.REFRESH],
+    enabled_routes=["login", "logout", "refresh"],
 )
 ```
 

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/README.md

@@ -65,16 +65,31 @@ No need to create separate schema classes or subclass the adapter. Registration
 
 ## Protected routes
 
+Use the `Annotated` types for clean route signatures:
+
 ```python
-from fastapi import Depends
-from fastapi_fullauth.dependencies import current_user, require_role
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
 
 @app.get("/profile")
-async def profile(user=Depends(current_user)):
+async def profile(user: CurrentUser):
     return user
 
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    # only email-verified users
+    return {"email": user.email}
+
 @app.delete("/admin/users/{id}")
-async def delete_user(user=Depends(require_role("admin"))):
+async def delete_user(user: SuperUser):
+    # only superusers
+    ...
+
+# or use require_role for custom roles
+from fastapi import Depends
+from fastapi_fullauth.dependencies import require_role
+
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
     ...
 ```
 
@@ -124,15 +139,44 @@ fullauth.hooks.on("after_register", welcome)
 
 Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`
 
-## Route control
+## Custom token claims
+
+Embed app-specific data into JWTs (available in `payload.extra`):
 
 ```python
-from fastapi_fullauth import Route
+async def add_claims(user):
+    return {"tenant_id": "acme", "plan": "pro"}
+
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    on_create_token_claims=add_claims,
+)
+```
 
+Reserved keys (`sub`, `exp`, `iat`, `jti`, `type`, `roles`, `extra`, `family_id`) are rejected to prevent accidental overwrites.
+
+## Password hashing
+
+Argon2id by default. Switch to bcrypt via config:
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    password_hash_algorithm="bcrypt",  # requires: pip install bcrypt
+)
+```
+
+When switching algorithms, existing users are transparently rehashed on their next login.
+
+## Route control
+
+```python
 fullauth = FullAuth(
     secret_key="...",
     adapter=adapter,
-    enabled_routes=[Route.LOGIN, Route.LOGOUT, Route.REFRESH],
+    enabled_routes=["login", "logout", "refresh"],
 )
 ```
 

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/examples/sqlmodel_app/auth.py

@@ -21,8 +21,8 @@ async def add_custom_claims(user: UserSchema) -> dict:
 fullauth = FullAuth(
     secret_key="change-me-use-a-32-byte-key-here",
     adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
-    on_send_verification_email=send_verification_email,
-    on_send_password_reset_email=send_password_reset_email,
     on_create_token_claims=add_custom_claims,
     include_user_in_login=True,
 )
+fullauth.hooks.on("send_verification_email", send_verification_email)
+fullauth.hooks.on("send_password_reset_email", send_password_reset_email)

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/__init__.py

@@ -1,8 +1,8 @@
-__version__ = "0.2.0"
+__version__ = "0.3.0"
 
 from fastapi_fullauth.config import FullAuthConfig
 from fastapi_fullauth.fullauth import FullAuth
-from fastapi_fullauth.types import Route
+from fastapi_fullauth.types import RouteName
 from fastapi_fullauth.utils import create_superuser, generate_secret_key
 from fastapi_fullauth.validators import PasswordValidator
 
@@ -10,7 +10,7 @@ __all__ = [
     "FullAuth",
     "FullAuthConfig",
     "PasswordValidator",
-    "Route",
+    "RouteName",
     "create_superuser",
     "generate_secret_key",
 ]

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/adapters/base.py

@@ -55,6 +55,9 @@ class AbstractUserAdapter(ABC):
     @abstractmethod
     async def revoke_refresh_token_family(self, family_id: str) -> None: ...
 
+    @abstractmethod
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None: ...
+
     @abstractmethod
     async def set_user_verified(self, user_id: str) -> None: ...
 

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/adapters/memory.py

@@ -82,6 +82,11 @@ class InMemoryAdapter(AbstractUserAdapter):
             if tok.family_id == family_id:
                 tok.revoked = True
 
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None:
+        for tok in self._refresh_tokens.values():
+            if tok.user_id == user_id:
+                tok.revoked = True
+
     async def set_user_verified(self, user_id: str) -> None:
         if user_id in self._users:
             self._users[user_id]["is_verified"] = True

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/adapters/sqlalchemy/adapter.py

@@ -203,6 +203,15 @@ class SQLAlchemyAdapter(AbstractUserAdapter):
             )
             await session.commit()
 
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None:
+        async with self._session_maker() as session:
+            await session.execute(
+                update(RefreshTokenModel)
+                .where(RefreshTokenModel.user_id == user_id)
+                .values(revoked=True)
+            )
+            await session.commit()
+
     async def set_user_verified(self, user_id: str) -> None:
         async with self._session_maker() as session:
             await session.execute(

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/adapters/sqlmodel/adapter.py

@@ -180,6 +180,15 @@ class SQLModelAdapter(AbstractUserAdapter):
             )
             await session.commit()
 
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None:
+        async with self._session_maker() as session:
+            await session.execute(
+                update(RefreshTokenRecord)
+                .where(RefreshTokenRecord.user_id == user_id)
+                .values(revoked=True)
+            )
+            await session.commit()
+
     async def set_user_verified(self, user_id: str) -> None:
         async with self._session_maker() as session:
             await session.execute(

fastapi_fullauth-0.3.0/fastapi_fullauth/core/crypto.py

@@ -0,0 +1,47 @@
+from typing import Literal
+
+from argon2 import PasswordHasher
+from argon2.exceptions import VerificationError, VerifyMismatchError
+
+_argon2_hasher = PasswordHasher()
+_algorithm: Literal["argon2id", "bcrypt"] = "argon2id"
+
+
+def configure_hasher(algorithm: Literal["argon2id", "bcrypt"] = "argon2id") -> None:
+    global _algorithm
+    if algorithm == "bcrypt":
+        try:
+            import bcrypt  # noqa: F401
+        except ImportError:
+            raise ImportError(
+                "bcrypt is not installed. Install it with: pip install bcrypt"
+            ) from None
+    _algorithm = algorithm
+
+
+def hash_password(password: str) -> str:
+    if _algorithm == "bcrypt":
+        import bcrypt
+
+        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+    return _argon2_hasher.hash(password)
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    if _algorithm == "bcrypt" or hashed.startswith("$2b$"):
+        try:
+            import bcrypt
+
+            return bcrypt.checkpw(plain.encode(), hashed.encode())
+        except ImportError:
+            return False
+    try:
+        return _argon2_hasher.verify(hashed, plain)
+    except (VerifyMismatchError, VerificationError):
+        return False
+
+
+def password_needs_rehash(hashed: str) -> bool:
+    if hashed.startswith("$2b$"):
+        return _algorithm != "bcrypt"
+    return _argon2_hasher.check_needs_rehash(hashed)

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/core/tokens.py

@@ -1,3 +1,4 @@
+import time
 import uuid
 from datetime import datetime, timedelta, timezone
 
@@ -5,7 +6,7 @@ import jwt
 
 from fastapi_fullauth.config import FullAuthConfig
 from fastapi_fullauth.exceptions import TokenBlacklistedError, TokenError, TokenExpiredError
-from fastapi_fullauth.types import TokenPayload
+from fastapi_fullauth.types import RefreshTokenMeta, TokenPayload
 
 
 class TokenBlacklist:
@@ -18,13 +19,20 @@ class TokenBlacklist:
 
 class InMemoryBlacklist(TokenBlacklist):
     def __init__(self) -> None:
-        self._blacklisted: set[str] = set()
+        self._blacklisted: dict[str, float | None] = {}
 
     async def add(self, jti: str, ttl_seconds: int | None = None) -> None:
-        self._blacklisted.add(jti)
+        expires_at = (time.monotonic() + ttl_seconds) if ttl_seconds else None
+        self._blacklisted[jti] = expires_at
 
     async def is_blacklisted(self, jti: str) -> bool:
-        return jti in self._blacklisted
+        expires_at = self._blacklisted.get(jti)
+        if expires_at is None and jti not in self._blacklisted:
+            return False
+        if expires_at is not None and time.monotonic() > expires_at:
+            del self._blacklisted[jti]
+            return False
+        return True
 
 
 class TokenEngine:
@@ -54,17 +62,20 @@ class TokenEngine:
         self,
         user_id: str,
         family_id: str | None = None,
-    ) -> str:
+    ) -> RefreshTokenMeta:
         now = datetime.now(timezone.utc)
+        expires_at = now + timedelta(days=self.config.REFRESH_TOKEN_EXPIRE_DAYS)
+        resolved_family_id = family_id or uuid.uuid4().hex
         payload = {
             "sub": user_id,
-            "exp": now + timedelta(days=self.config.REFRESH_TOKEN_EXPIRE_DAYS),
+            "exp": expires_at,
             "iat": now,
             "jti": uuid.uuid4().hex,
             "type": "refresh",
-            "family_id": family_id or uuid.uuid4().hex,
+            "family_id": resolved_family_id,
         }
-        return jwt.encode(payload, self.config.SECRET_KEY, algorithm=self.config.ALGORITHM)
+        token = jwt.encode(payload, self.config.SECRET_KEY, algorithm=self.config.ALGORITHM)
+        return RefreshTokenMeta(token=token, expires_at=expires_at, family_id=resolved_family_id)
 
     async def decode_token(self, token: str) -> TokenPayload:
         try:
@@ -98,7 +109,7 @@ class TokenEngine:
         roles: list[str] | None = None,
         extra: dict | None = None,
         family_id: str | None = None,
-    ) -> tuple[str, str]:
+    ) -> tuple[str, RefreshTokenMeta]:
         access = self.create_access_token(user_id, roles, extra)
         refresh = self.create_refresh_token(user_id, family_id)
         return access, refresh

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/dependencies/__init__.py

@@ -1,21 +1,20 @@
-from typing import Annotated
-
-from fastapi import Depends
-
 from fastapi_fullauth.dependencies.current_user import (
     current_active_verified_user,
+    current_superuser,
     current_user,
+    CurrentUser,
+    VerifiedUser,
+    SuperUser,
 )
 from fastapi_fullauth.dependencies.require_role import require_permission, require_role
-from fastapi_fullauth.types import UserSchema
 
-CurrentUser = Annotated[UserSchema, Depends(current_user)]
-VerifiedUser = Annotated[UserSchema, Depends(current_active_verified_user)]
 
 __all__ = [
     "CurrentUser",
     "VerifiedUser",
+    "SuperUser",
     "current_active_verified_user",
+    "current_superuser",
     "current_user",
     "require_permission",
     "require_role",

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.3.0}/fastapi_fullauth/dependencies/current_user.py

@@ -1,4 +1,4 @@
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Annotated
 
 from fastapi import Depends, Request
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
@@ -6,6 +6,7 @@ from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from fastapi_fullauth.exceptions import CREDENTIALS_EXCEPTION
 from fastapi_fullauth.types import UserSchema
 
+
 if TYPE_CHECKING:
     from fastapi_fullauth.fullauth import FullAuth
 
@@ -14,7 +15,8 @@ _bearer_scheme = HTTPBearer(auto_error=False)
 
 
 def _get_fullauth(request: Request) -> "FullAuth":
-    fullauth: FullAuth | None = request.app.state.fullauth  # type: ignore[union-attr]
+    # type: ignore[union-attr]
+    fullauth: FullAuth | None = request.app.state.fullauth
     if fullauth is None:
         raise RuntimeError("FullAuth not initialized on app.state")
     return fullauth
@@ -36,7 +38,6 @@ async def _extract_token(
 
 
 async def current_user(
-    request: Request,
     fullauth: "FullAuth" = Depends(_get_fullauth),
     token: str = Depends(_extract_token),
 ) -> UserSchema:
@@ -50,6 +51,9 @@ async def current_user(
     if payload.type != "access":
         raise CREDENTIALS_EXCEPTION
 
+    if payload.extra.get("purpose"):
+        raise CREDENTIALS_EXCEPTION
+
     user = await fullauth.adapter.get_user_by_id(payload.sub)
     if user is None or not user.is_active:
         raise CREDENTIALS_EXCEPTION
@@ -57,22 +61,28 @@ async def current_user(
     return user
 
 
+CurrentUser = Annotated[UserSchema, Depends(current_user)]
+
+
 async def current_active_verified_user(
-    request: Request,
-    fullauth: "FullAuth" = Depends(_get_fullauth),
-    token: str = Depends(_extract_token),
+    user: CurrentUser,
 ) -> UserSchema:
-    from fastapi_fullauth.exceptions import FORBIDDEN_EXCEPTION, TokenError
-
-    try:
-        payload = await fullauth.token_engine.decode_token(token)
-    except TokenError:
-        raise CREDENTIALS_EXCEPTION
+    from fastapi_fullauth.exceptions import FORBIDDEN_EXCEPTION
 
-    user = await fullauth.adapter.get_user_by_id(payload.sub)
-    if user is None or not user.is_active:
-        raise CREDENTIALS_EXCEPTION
     if not user.is_verified:
         raise FORBIDDEN_EXCEPTION
+    return user
 
+
+async def current_superuser(
+    user: CurrentUser,
+) -> UserSchema:
+    from fastapi_fullauth.exceptions import FORBIDDEN_EXCEPTION
+
+    if not user.is_superuser:
+        raise FORBIDDEN_EXCEPTION
     return user
+
+
+VerifiedUser = Annotated[UserSchema, Depends(current_active_verified_user)]
+SuperUser = Annotated[UserSchema, Depends(current_superuser)]

fastapi_fullauth-0.3.0/fastapi_fullauth/dependencies/require_role.py

@@ -0,0 +1,33 @@
+from fastapi import Depends
+
+from fastapi_fullauth.dependencies.current_user import current_user
+from fastapi_fullauth.exceptions import FORBIDDEN_EXCEPTION
+from fastapi_fullauth.types import UserSchema
+
+
+def require_role(*roles: str):
+    """Dependency that checks the user has at least one of the given roles."""
+
+    async def _dep(
+        user: UserSchema = Depends(current_user),
+    ) -> UserSchema:
+        if user.is_superuser:
+            return user
+
+        user_roles = set(user.roles)
+        if not user_roles.intersection(roles):
+            raise FORBIDDEN_EXCEPTION
+
+        return user
+
+    return _dep
+
+
+def require_permission(*permissions: str):
+    """Dependency that checks the user has at least one of the given permissions.
+
+    Permissions use the format 'resource:action' (e.g. 'posts:delete').
+    When a full permission engine is added, this will resolve permissions
+    against it. For now, permissions map 1:1 to roles.
+    """
+    return require_role(*permissions)