PyPI - fastapi-fullauth - Versions diffs - 0.2.0__tar.gz → 0.4.0__tar.gz - Mend

fastapi-fullauth 0.2.0tar.gz → 0.4.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

fastapi_fullauth-0.4.0/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,109 @@
+# Changelog
+## 0.4.0
+### Added
+- **OAuth2 social login** — Google and GitHub out of the box, extensible for custom providers
+  - `GET /oauth/{provider}/authorize` — get authorization URL
+  - `POST /oauth/{provider}/callback` — exchange code for JWT tokens
+  - `GET /oauth/providers` — list configured providers
+  - `GET /oauth/accounts` — list linked OAuth accounts
+  - `DELETE /oauth/accounts/{provider}` — unlink a provider (with lockout prevention)
+- `OAuthProvider` abstract base class for implementing custom providers
+- `OAuthAccount` and `OAuthUserInfo` types
+- `OAuthAccountRecord` / `OAuthAccountModel` for SQLModel and SQLAlchemy adapters
+- OAuth adapter methods on all adapters (memory, SQLModel, SQLAlchemy)
+- `OAUTH_PROVIDERS`, `OAUTH_STATE_EXPIRE_SECONDS`, `OAUTH_AUTO_LINK_BY_EMAIL` config fields
+- `after_oauth_login` hook event
+- `oauth` optional dependency group (`pip install fastapi-fullauth[oauth]`)
+- Auto-link OAuth to existing user by email (configurable)
+- Auto-verify email when provider confirms it
+- Lockout prevention — can't unlink last login method
+- Multiple `redirect_uris` per OAuth provider — supports web, mobile, and production frontends from one config. Client passes `?redirect_uri=` on authorize, validated against allowed list.
+## 0.3.0
+### Breaking changes
+- **`create_refresh_token` returns `RefreshTokenMeta`** — previously returned a plain `str`. Now returns a `NamedTuple` with `.token`, `.expires_at`, `.family_id`. Callers that used the raw string must access `.token`.
+- **`create_token_pair` returns `tuple[str, RefreshTokenMeta]`** — second element is now `RefreshTokenMeta` instead of `str`.
+- **`revoke_all_user_refresh_tokens` is now required** on custom adapters — new abstract method on `AbstractUserAdapter`.
+### Added
+- `current_superuser` dependency and `SuperUser` annotated type
+- `CurrentUser`, `VerifiedUser`, `SuperUser` annotated types in `dependencies.current_user` for cleaner route signatures
+- `RefreshTokenMeta` named tuple — avoids decoding freshly created tokens just to read `expires_at` and `family_id`
+- `FullAuth.get_custom_claims(user)` — moved custom claims logic from router into the class, with validation against reserved JWT keys (`sub`, `exp`, `type`, etc.)
+- `revoke_all_user_refresh_tokens(user_id)` on all adapters — bulk session revocation
+- Session revocation on password reset, password change, and account deletion
+- `configure_hasher()` — wires `PASSWORD_HASH_ALGORITHM` config to the actual hasher; supports `argon2id` and `bcrypt`
+- Automatic password rehash on login when hash algorithm or params have changed
+- Register now checks uniqueness on `login_field` (not just email) when `login_field != "email"`
+- `InMemoryBlacklist` now respects `ttl_seconds` — expired entries are evicted on lookup
+- `RateLimiter` evicts keys with empty timestamp lists to prevent unbounded dict growth
+- `description` parameter on all route decorators for Swagger docs
+### Fixed
+- `current_active_verified_user` was missing `payload.type != "access"` check — refresh tokens could pass through
+- Purpose tokens (password reset, email verify) could be used as regular access tokens — `current_user` now rejects tokens with `extra.purpose`
+- Duplicate token decode + user lookup across dependencies, router endpoints, and admin routes — consolidated into reusable `current_user` dependency chain
+- Duplicate `roles` + `extra_claims` fetch in refresh route — pulled above the if/else branch
+- Login flow fetched the user from DB twice (once in router, once in `login()`) — now accepts pre-fetched user
+- Unused `request: Request` parameters in dependencies and routes
+- Removed duplicate docstrings on routes (kept `description=` on decorators)
+- `require_permission` was a full copy of `require_role` — now delegates to it
+### Internal
+- Route order follows auth lifecycle: register → login → refresh → logout → user → email/password → admin
+- `require_role` / `require_permission` use `Depends(current_user)` instead of duplicating token logic
+- Removed `_get_custom_claims` module-level function from router
+## 0.2.0
+### Breaking changes
+- **JSON login** — `POST /login` now accepts `{"email": "...", "password": "..."}` instead of form data. Swagger auth uses bearer token input instead of username/password form.
+- **No default User model** — SQLModel and SQLAlchemy adapters no longer ship a concrete `User`/`UserModel` table class. Users must define their own model from `UserBase`. This eliminates relationship conflicts when subclassing.
+- **`user_model` is required** — `SQLModelAdapter(session_maker, user_model=MyUser)` — no default.
+- **Removed `min_length=8`** from `CreateUserSchema` — password length is now fully controlled by `PasswordValidator` and `PASSWORD_MIN_LENGTH` config.
+- **`SQLAlchemyAdapter` renamed `UserModel` to `UserBase`** — import `UserBase` instead.
+### Added
+- `POST /auth/change-password` — verifies current password, validates new
+- `PATCH /auth/me` — update profile with protected field filtering
+- `DELETE /auth/me` — self-deletion
+- `expires_in` in login/refresh responses
+- Per-IP auth rate limiting on login, register, password-reset (`AUTH_RATE_LIMIT_*` config)
+- `LOGIN_FIELD` config — login by email, username, phone, or any model field
+- `get_user_by_field()` on all adapters for generic field lookups
+- Structured example apps (`examples/memory_app/`, `examples/sqlmodel_app/`)
+### Fixed
+- `InMemoryAdapter.update_user` returning base `UserSchema` instead of custom schema
+- Stale `User.id` / `UserModel` references in adapter queries after model removal
+- Parameter ordering in adapter constructors (required params before optional)
+## 0.1.0
+Initial release.
+- JWT access/refresh tokens with rotation and blacklisting
+- Argon2id password hashing
+- Auth flows: register, login, logout, password reset, email verification
+- Brute-force lockout, per-IP rate limiting, CSRF, security headers
+- Bearer and cookie backends
+- SQLAlchemy, SQLModel, and InMemory adapters
+- Redis blacklist backend
+- Refresh token persistence with family tracking and reuse detection
+- Flat config (`secret_key=...`) or full `FullAuthConfig` object
+- Auto-derive schemas from ORM model fields
+- Auto-wire middleware from config flags
+- Route enum, event hooks, email hooks
+- `current_user`, `current_active_verified_user`, `require_role` dependencies
+- 97 tests

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastapi-fullauth
-Version: 0.2.0
+Version: 0.4.0
 Summary: Production-grade, async-native authentication and authorization library for FastAPI
 Project-URL: Homepage, https://github.com/mdfarhankc/fastapi-fullauth
 Project-URL: Documentation, https://github.com/mdfarhankc/fastapi-fullauth
@@ -25,29 +25,15 @@ Requires-Dist: fastapi>=0.110
 Requires-Dist: pydantic-settings>=2.0
 Requires-Dist: pydantic[email]>=2.0
 Requires-Dist: pyjwt>=2.8
-Requires-Dist: python-multipart>=0.0.22
 Requires-Dist: uuid-utils>=0.14.1
 Provides-Extra: all
 Requires-Dist: alembic>=1.13; extra == 'all'
-Requires-Dist: beanie>=1.25; extra == 'all'
-Requires-Dist: httpx-oauth>=0.13; extra == 'all'
-Requires-Dist: itsdangerous>=2.1; extra == 'all'
-Requires-Dist: pyotp>=2.9; extra == 'all'
-Requires-Dist: qrcode>=7.4; extra == 'all'
+Requires-Dist: httpx>=0.25; extra == 'all'
 Requires-Dist: redis>=5.0; extra == 'all'
 Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'all'
 Requires-Dist: sqlmodel>=0.0.16; extra == 'all'
-Requires-Dist: tortoise-orm>=0.21; extra == 'all'
-Requires-Dist: webauthn>=2.0; extra == 'all'
-Provides-Extra: audit
-Provides-Extra: beanie
-Requires-Dist: beanie>=1.25; extra == 'beanie'
-Provides-Extra: magic-link
-Requires-Dist: itsdangerous>=2.1; extra == 'magic-link'
 Provides-Extra: oauth
-Requires-Dist: httpx-oauth>=0.13; extra == 'oauth'
-Provides-Extra: passkeys
-Requires-Dist: webauthn>=2.0; extra == 'passkeys'
+Requires-Dist: httpx>=0.25; extra == 'oauth'
 Provides-Extra: redis
 Requires-Dist: redis>=5.0; extra == 'redis'
 Provides-Extra: sqlalchemy
@@ -56,12 +42,6 @@ Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'sqlalchemy'
 Provides-Extra: sqlmodel
 Requires-Dist: alembic>=1.13; extra == 'sqlmodel'
 Requires-Dist: sqlmodel>=0.0.16; extra == 'sqlmodel'
-Provides-Extra: tenants
-Provides-Extra: tortoise
-Requires-Dist: tortoise-orm>=0.21; extra == 'tortoise'
-Provides-Extra: totp
-Requires-Dist: pyotp>=2.9; extra == 'totp'
-Requires-Dist: qrcode>=7.4; extra == 'totp'
 Description-Content-Type: text/markdown
 # fastapi-fullauth
@@ -82,6 +62,8 @@ pip install fastapi-fullauth[sqlmodel]
 pip install fastapi-fullauth[sqlalchemy]
 # with redis for token blacklisting:
 pip install fastapi-fullauth[sqlmodel,redis]
+# with OAuth2 social login:
+pip install fastapi-fullauth[sqlmodel,oauth]
 ```
 ## Quick start
@@ -131,16 +113,31 @@ No need to create separate schema classes or subclass the adapter. Registration
 ## Protected routes
+Use the `Annotated` types for clean route signatures:
 ```python
-from fastapi import Depends
-from fastapi_fullauth.dependencies import current_user, require_role
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
 @app.get("/profile")
-async def profile(user=Depends(current_user)):
+async def profile(user: CurrentUser):
     return user
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    # only email-verified users
+    return {"email": user.email}
 @app.delete("/admin/users/{id}")
-async def delete_user(user=Depends(require_role("admin"))):
+async def delete_user(user: SuperUser):
+    # only superusers
+    ...
+# or use require_role for custom roles
+from fastapi import Depends
+from fastapi_fullauth.dependencies import require_role
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
     ...
 ```
@@ -190,15 +187,83 @@ fullauth.hooks.on("after_register", welcome)
 Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`
-## Route control
+## Custom token claims
+Embed app-specific data into JWTs (available in `payload.extra`):
+```python
+async def add_claims(user):
+    return {"tenant_id": "acme", "plan": "pro"}
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    on_create_token_claims=add_claims,
+)
+```
+Reserved keys (`sub`, `exp`, `iat`, `jti`, `type`, `roles`, `extra`, `family_id`) are rejected to prevent accidental overwrites.
+## Password hashing
+Argon2id by default. Switch to bcrypt via config:
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    password_hash_algorithm="bcrypt",  # requires: pip install bcrypt
+)
+```
+When switching algorithms, existing users are transparently rehashed on their next login.
+## OAuth2 social login
+Add Google and/or GitHub login with a few config lines:
 ```python
-from fastapi_fullauth import Route
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    oauth_providers={
+        "google": {
+            "client_id": "your-google-client-id",
+            "client_secret": "your-google-secret",
+            "redirect_uris": [
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+                "myapp://auth/callback",  # Flutter deep link
+            ],
+        },
+        "github": {
+            "client_id": "your-github-client-id",
+            "client_secret": "your-github-secret",
+            "redirect_uri": "http://localhost:3000/auth/callback",  # single URI also works
+        },
+    },
+)
+```
+This registers these routes automatically:
+- `GET /auth/oauth/providers` — list configured providers
+- `GET /auth/oauth/{provider}/authorize?redirect_uri=...` — get the authorization URL (optional `redirect_uri` param, validated against allowed list, defaults to first)
+- `POST /auth/oauth/{provider}/callback` — exchange code for JWT tokens
+- `GET /auth/oauth/accounts` — list linked OAuth accounts
+- `DELETE /auth/oauth/accounts/{provider}` — unlink a provider
+Users can link multiple providers and keep email/password login alongside OAuth. New users are auto-created on first OAuth login, and existing users are auto-linked by email.
+Requires `httpx`: `pip install fastapi-fullauth[oauth]`
+## Route control
+```python
 fullauth = FullAuth(
     secret_key="...",
     adapter=adapter,
-    enabled_routes=[Route.LOGIN, Route.LOGOUT, Route.REFRESH],
+    enabled_routes=["login", "logout", "refresh"],
 )
 ```

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/README.md RENAMED Viewed

@@ -16,6 +16,8 @@ pip install fastapi-fullauth[sqlmodel]
 pip install fastapi-fullauth[sqlalchemy]
 # with redis for token blacklisting:
 pip install fastapi-fullauth[sqlmodel,redis]
+# with OAuth2 social login:
+pip install fastapi-fullauth[sqlmodel,oauth]
 ```
 ## Quick start
@@ -65,16 +67,31 @@ No need to create separate schema classes or subclass the adapter. Registration
 ## Protected routes
+Use the `Annotated` types for clean route signatures:
 ```python
-from fastapi import Depends
-from fastapi_fullauth.dependencies import current_user, require_role
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
 @app.get("/profile")
-async def profile(user=Depends(current_user)):
+async def profile(user: CurrentUser):
     return user
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    # only email-verified users
+    return {"email": user.email}
 @app.delete("/admin/users/{id}")
-async def delete_user(user=Depends(require_role("admin"))):
+async def delete_user(user: SuperUser):
+    # only superusers
+    ...
+# or use require_role for custom roles
+from fastapi import Depends
+from fastapi_fullauth.dependencies import require_role
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
     ...
 ```
@@ -124,15 +141,83 @@ fullauth.hooks.on("after_register", welcome)
 Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`
-## Route control
+## Custom token claims
+Embed app-specific data into JWTs (available in `payload.extra`):
+```python
+async def add_claims(user):
+    return {"tenant_id": "acme", "plan": "pro"}
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    on_create_token_claims=add_claims,
+)
+```
+Reserved keys (`sub`, `exp`, `iat`, `jti`, `type`, `roles`, `extra`, `family_id`) are rejected to prevent accidental overwrites.
+## Password hashing
+Argon2id by default. Switch to bcrypt via config:
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    password_hash_algorithm="bcrypt",  # requires: pip install bcrypt
+)
+```
+When switching algorithms, existing users are transparently rehashed on their next login.
+## OAuth2 social login
+Add Google and/or GitHub login with a few config lines:
 ```python
-from fastapi_fullauth import Route
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    oauth_providers={
+        "google": {
+            "client_id": "your-google-client-id",
+            "client_secret": "your-google-secret",
+            "redirect_uris": [
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+                "myapp://auth/callback",  # Flutter deep link
+            ],
+        },
+        "github": {
+            "client_id": "your-github-client-id",
+            "client_secret": "your-github-secret",
+            "redirect_uri": "http://localhost:3000/auth/callback",  # single URI also works
+        },
+    },
+)
+```
+This registers these routes automatically:
+- `GET /auth/oauth/providers` — list configured providers
+- `GET /auth/oauth/{provider}/authorize?redirect_uri=...` — get the authorization URL (optional `redirect_uri` param, validated against allowed list, defaults to first)
+- `POST /auth/oauth/{provider}/callback` — exchange code for JWT tokens
+- `GET /auth/oauth/accounts` — list linked OAuth accounts
+- `DELETE /auth/oauth/accounts/{provider}` — unlink a provider
+Users can link multiple providers and keep email/password login alongside OAuth. New users are auto-created on first OAuth login, and existing users are auto-linked by email.
+Requires `httpx`: `pip install fastapi-fullauth[oauth]`
+## Route control
+```python
 fullauth = FullAuth(
     secret_key="...",
     adapter=adapter,
-    enabled_routes=[Route.LOGIN, Route.LOGOUT, Route.REFRESH],
+    enabled_routes=["login", "logout", "refresh"],
 )
 ```

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/examples/sqlmodel_app/auth.py RENAMED Viewed

@@ -21,8 +21,8 @@ async def add_custom_claims(user: UserSchema) -> dict:
 fullauth = FullAuth(
     secret_key="change-me-use-a-32-byte-key-here",
     adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
-    on_send_verification_email=send_verification_email,
-    on_send_password_reset_email=send_password_reset_email,
     on_create_token_claims=add_custom_claims,
     include_user_in_login=True,
 )
+fullauth.hooks.on("send_verification_email", send_verification_email)
+fullauth.hooks.on("send_password_reset_email", send_password_reset_email)

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/fastapi_fullauth/__init__.py RENAMED Viewed

@@ -1,8 +1,8 @@
-__version__ = "0.2.0"
+__version__ = "0.4.0"
 from fastapi_fullauth.config import FullAuthConfig
 from fastapi_fullauth.fullauth import FullAuth
-from fastapi_fullauth.types import Route
+from fastapi_fullauth.types import RouteName
 from fastapi_fullauth.utils import create_superuser, generate_secret_key
 from fastapi_fullauth.validators import PasswordValidator
@@ -10,7 +10,7 @@ __all__ = [
     "FullAuth",
     "FullAuthConfig",
     "PasswordValidator",
-    "Route",
+    "RouteName",
     "create_superuser",
     "generate_secret_key",
 ]

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/fastapi_fullauth/adapters/base.py RENAMED Viewed

@@ -1,7 +1,7 @@
 from abc import ABC, abstractmethod
 from typing import Any
-from fastapi_fullauth.types import CreateUserSchema, RefreshToken, UserSchema
+from fastapi_fullauth.types import CreateUserSchema, OAuthAccount, RefreshToken, UserSchema
 class AbstractUserAdapter(ABC):
@@ -55,6 +55,9 @@ class AbstractUserAdapter(ABC):
     @abstractmethod
     async def revoke_refresh_token_family(self, family_id: str) -> None: ...
+    @abstractmethod
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None: ...
     @abstractmethod
     async def set_user_verified(self, user_id: str) -> None: ...
@@ -63,3 +66,22 @@ class AbstractUserAdapter(ABC):
     @abstractmethod
     async def remove_role(self, user_id: str, role_name: str) -> None: ...
+    # ── OAuth (optional — override when using OAuth) ─────────────────
+    async def get_oauth_account(self, provider: str, provider_user_id: str) -> OAuthAccount | None:
+        raise NotImplementedError("Implement OAuth adapter methods to use OAuth")
+    async def get_user_oauth_accounts(self, user_id: str) -> list[OAuthAccount]:
+        raise NotImplementedError("Implement OAuth adapter methods to use OAuth")
+    async def create_oauth_account(self, data: OAuthAccount) -> OAuthAccount:
+        raise NotImplementedError("Implement OAuth adapter methods to use OAuth")
+    async def update_oauth_account(
+        self, provider: str, provider_user_id: str, data: dict[str, Any]
+    ) -> OAuthAccount | None:
+        raise NotImplementedError("Implement OAuth adapter methods to use OAuth")
+    async def delete_oauth_account(self, provider: str, provider_user_id: str) -> None:
+        raise NotImplementedError("Implement OAuth adapter methods to use OAuth")

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/fastapi_fullauth/adapters/memory.py RENAMED Viewed

@@ -3,7 +3,7 @@ from typing import Any
 from uuid_utils import uuid7
 from fastapi_fullauth.adapters.base import AbstractUserAdapter
-from fastapi_fullauth.types import CreateUserSchema, RefreshToken, UserSchema
+from fastapi_fullauth.types import CreateUserSchema, OAuthAccount, RefreshToken, UserSchema
 class InMemoryAdapter(AbstractUserAdapter):
@@ -13,6 +13,7 @@ class InMemoryAdapter(AbstractUserAdapter):
         self._passwords: dict[str, str] = {}
         self._refresh_tokens: dict[str, RefreshToken] = {}
         self._roles: dict[str, list[str]] = {}
+        self._oauth_accounts: dict[tuple[str, str], OAuthAccount] = {}
     async def get_user_by_id(self, user_id: str) -> UserSchema | None:
         data = self._users.get(user_id)
@@ -82,6 +83,11 @@ class InMemoryAdapter(AbstractUserAdapter):
             if tok.family_id == family_id:
                 tok.revoked = True
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None:
+        for tok in self._refresh_tokens.values():
+            if tok.user_id == user_id:
+                tok.revoked = True
     async def set_user_verified(self, user_id: str) -> None:
         if user_id in self._users:
             self._users[user_id]["is_verified"] = True
@@ -99,3 +105,29 @@ class InMemoryAdapter(AbstractUserAdapter):
             roles.remove(role_name)
         if user_id in self._users:
             self._users[user_id]["roles"] = roles
+    # ── OAuth ────────────────────────────────────────────────────────
+    async def get_oauth_account(self, provider: str, provider_user_id: str) -> OAuthAccount | None:
+        return self._oauth_accounts.get((provider, provider_user_id))
+    async def get_user_oauth_accounts(self, user_id: str) -> list[OAuthAccount]:
+        return [a for a in self._oauth_accounts.values() if a.user_id == user_id]
+    async def create_oauth_account(self, data: OAuthAccount) -> OAuthAccount:
+        self._oauth_accounts[(data.provider, data.provider_user_id)] = data
+        return data
+    async def update_oauth_account(
+        self, provider: str, provider_user_id: str, data: dict[str, Any]
+    ) -> OAuthAccount | None:
+        key = (provider, provider_user_id)
+        account = self._oauth_accounts.get(key)
+        if account is None:
+            return None
+        updated = account.model_copy(update=data)
+        self._oauth_accounts[key] = updated
+        return updated
+    async def delete_oauth_account(self, provider: str, provider_user_id: str) -> None:
+        self._oauth_accounts.pop((provider, provider_user_id), None)

{fastapi_fullauth-0.2.0 → fastapi_fullauth-0.4.0}/fastapi_fullauth/adapters/sqlalchemy/adapter.py RENAMED Viewed

@@ -6,11 +6,12 @@ from sqlalchemy.orm import selectinload
 from fastapi_fullauth.adapters.base import AbstractUserAdapter
 from fastapi_fullauth.adapters.sqlalchemy.models import (
+    OAuthAccountModel,
     RefreshTokenModel,
     RoleModel,
     UserBase,
 )
-from fastapi_fullauth.types import CreateUserSchema, RefreshToken, UserSchema
+from fastapi_fullauth.types import CreateUserSchema, OAuthAccount, RefreshToken, UserSchema
 # Map SQLAlchemy column types to Python types for schema auto-derivation
 _SA_TYPE_MAP: dict[type, type] = {}
@@ -203,6 +204,15 @@ class SQLAlchemyAdapter(AbstractUserAdapter):
             )
             await session.commit()
+    async def revoke_all_user_refresh_tokens(self, user_id: str) -> None:
+        async with self._session_maker() as session:
+            await session.execute(
+                update(RefreshTokenModel)
+                .where(RefreshTokenModel.user_id == user_id)
+                .values(revoked=True)
+            )
+            await session.commit()
     async def set_user_verified(self, user_id: str) -> None:
         async with self._session_maker() as session:
             await session.execute(
@@ -244,3 +254,77 @@ class SQLAlchemyAdapter(AbstractUserAdapter):
             if user:
                 user.roles = [r for r in user.roles if r.name != role_name]
                 await session.commit()
+    # ── OAuth ────────────────────────────────────────────────────────
+    def _to_oauth_account(self, row: OAuthAccountModel) -> OAuthAccount:
+        return OAuthAccount(
+            provider=row.provider,
+            provider_user_id=row.provider_user_id,
+            user_id=str(row.user_id),
+            provider_email=row.provider_email,
+            access_token=row.access_token,
+            refresh_token=row.refresh_token,
+            expires_at=row.expires_at,
+        )
+    async def get_oauth_account(self, provider: str, provider_user_id: str) -> OAuthAccount | None:
+        async with self._session_maker() as session:
+            result = await session.execute(
+                select(OAuthAccountModel).where(
+                    OAuthAccountModel.provider == provider,
+                    OAuthAccountModel.provider_user_id == provider_user_id,
+                )
+            )
+            row = result.scalars().first()
+            return self._to_oauth_account(row) if row else None
+    async def get_user_oauth_accounts(self, user_id: str) -> list[OAuthAccount]:
+        async with self._session_maker() as session:
+            result = await session.execute(
+                select(OAuthAccountModel).where(OAuthAccountModel.user_id == user_id)
+            )
+            return [self._to_oauth_account(row) for row in result.scalars().all()]
+    async def create_oauth_account(self, data: OAuthAccount) -> OAuthAccount:
+        async with self._session_maker() as session:
+            record = OAuthAccountModel(
+                provider=data.provider,
+                provider_user_id=data.provider_user_id,
+                user_id=data.user_id,
+                provider_email=data.provider_email,
+                access_token=data.access_token,
+                refresh_token=data.refresh_token,
+                expires_at=data.expires_at,
+            )
+            session.add(record)
+            await session.commit()
+            return data
+    async def update_oauth_account(
+        self, provider: str, provider_user_id: str, data: dict[str, Any]
+    ) -> OAuthAccount | None:
+        async with self._session_maker() as session:
+            await session.execute(
+                update(OAuthAccountModel)
+                .where(
+                    OAuthAccountModel.provider == provider,
+                    OAuthAccountModel.provider_user_id == provider_user_id,
+                )
+                .values(**data)
+            )
+            await session.commit()
+            return await self.get_oauth_account(provider, provider_user_id)
+    async def delete_oauth_account(self, provider: str, provider_user_id: str) -> None:
+        async with self._session_maker() as session:
+            result = await session.execute(
+                select(OAuthAccountModel).where(
+                    OAuthAccountModel.provider == provider,
+                    OAuthAccountModel.provider_user_id == provider_user_id,
+                )
+            )
+            row = result.scalars().first()
+            if row:
+                await session.delete(row)
+                await session.commit()

fastapi-fullauth 0.2.0__tar.gz → 0.4.0__tar.gz

fastapi-fullauth 0.2.0tar.gz → 0.4.0tar.gz