fastapi-fullauth 0.4.0__tar.gz → 0.5.0__tar.gz

fastapi_fullauth-0.5.0/.github/workflows/docs.yml

@@ -0,0 +1,26 @@
+name: Docs
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - run: pip install mkdocs-material
+
+      - run: mkdocs gh-deploy --force

{fastapi_fullauth-0.4.0 → fastapi_fullauth-0.5.0}/.gitignore

@@ -28,7 +28,13 @@ Thumbs.db
 .coverage
 htmlcov/
 
+# Linting
+.ruff_cache/
+
 # Distribution
 *.tar.gz
 *.whl
 architecture.md
+
+# Docs build
+site/

{fastapi_fullauth-0.4.0 → fastapi_fullauth-0.5.0}/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## 0.5.0
+
+### Added
+
+- **Structured logging** across all auth flows, security middleware, and OAuth — failed logins, account lockouts, token reuse, CSRF violations, rate limit hits, role changes, and account deletions are all logged via `logging.getLogger("fastapi_fullauth.*")`
+- **Documentation site** — MkDocs with Material theme, auto-deployed to GitHub Pages via CI
+- **Proxy-aware rate limiting** — new `TRUSTED_PROXY_HEADERS` config to read real client IPs from `X-Forwarded-For` and similar headers
+- **SQLAlchemy example app** (`examples/sqlalchemy_app/`)
+- **`update_user` field validation** — rejects unknown fields with 422 instead of passing them to the DB
+- SQLModel adapter now accepts both SQLModel's and SQLAlchemy's `AsyncSession`
+- `OAuthAccountRecord` exported from `fastapi_fullauth.adapters.sqlmodel`
+
+### Fixed
+
+- **OAuth state token TTL was ignored** — `OAUTH_STATE_EXPIRE_SECONDS` config had no effect; state tokens used `ACCESS_TOKEN_EXPIRE_MINUTES` (30 min) instead of the configured 5 min
+- **Refresh token reuse detection race condition** — two concurrent `/refresh` requests could both succeed before either revoked the token; added explicit blacklist check before issuing new tokens
+- **OAuth error messages leaked provider internals** — raw API responses from Google/GitHub were exposed in HTTP error details; now logged internally and replaced with generic messages
+
+### Changed
+
+- README rewritten with centered hero layout, badges, and documentation links
+- Documentation URL updated in `pyproject.toml` to point to GitHub Pages
+
 ## 0.4.0
 
 ### Added

fastapi_fullauth-0.5.0/PKG-INFO

@@ -0,0 +1,281 @@
+Metadata-Version: 2.4
+Name: fastapi-fullauth
+Version: 0.5.0
+Summary: Production-grade, async-native authentication and authorization library for FastAPI
+Project-URL: Homepage, https://github.com/mdfarhankc/fastapi-fullauth
+Project-URL: Documentation, https://mdfarhankc.github.io/fastapi-fullauth
+Project-URL: Repository, https://github.com/mdfarhankc/fastapi-fullauth
+License-Expression: MIT
+License-File: LICENSE
+Keywords: argon2,authentication,authorization,fastapi,jwt,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Security
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Requires-Dist: argon2-cffi>=23.0
+Requires-Dist: fastapi>=0.110
+Requires-Dist: pydantic-settings>=2.0
+Requires-Dist: pydantic[email]>=2.0
+Requires-Dist: pyjwt>=2.8
+Requires-Dist: uuid-utils>=0.14.1
+Provides-Extra: all
+Requires-Dist: alembic>=1.13; extra == 'all'
+Requires-Dist: httpx>=0.25; extra == 'all'
+Requires-Dist: redis>=5.0; extra == 'all'
+Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'all'
+Requires-Dist: sqlmodel>=0.0.16; extra == 'all'
+Provides-Extra: oauth
+Requires-Dist: httpx>=0.25; extra == 'oauth'
+Provides-Extra: redis
+Requires-Dist: redis>=5.0; extra == 'redis'
+Provides-Extra: sqlalchemy
+Requires-Dist: alembic>=1.13; extra == 'sqlalchemy'
+Requires-Dist: sqlalchemy[asyncio]>=2.0; extra == 'sqlalchemy'
+Provides-Extra: sqlmodel
+Requires-Dist: alembic>=1.13; extra == 'sqlmodel'
+Requires-Dist: sqlmodel>=0.0.16; extra == 'sqlmodel'
+Description-Content-Type: text/markdown
+
+<p align="center">
+  <img src="https://img.icons8.com/fluency/96/shield.png" alt="FastAPI FullAuth" width="96" height="96">
+</p>
+
+<h1 align="center">FastAPI FullAuth</h1>
+
+<p align="center">
+  <em>Production-grade, async-native authentication and authorization for FastAPI.</em>
+</p>
+
+<p align="center">
+  <a href="https://pypi.org/project/fastapi-fullauth/"><img src="https://img.shields.io/pypi/v/fastapi-fullauth?color=009688&label=pypi" alt="PyPI"></a>
+  <a href="https://pypi.org/project/fastapi-fullauth/"><img src="https://img.shields.io/pypi/pyversions/fastapi-fullauth?color=009688" alt="Python"></a>
+  <a href="https://github.com/mdfarhankc/fastapi-fullauth/actions/workflows/ci.yml"><img src="https://github.com/mdfarhankc/fastapi-fullauth/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-009688" alt="License"></a>
+  <a href="https://mdfarhankc.github.io/fastapi-fullauth"><img src="https://img.shields.io/badge/docs-mdfarhankc.github.io-009688" alt="Docs"></a>
+</p>
+
+<p align="center">
+  <strong>Documentation</strong>: <a href="https://mdfarhankc.github.io/fastapi-fullauth">https://mdfarhankc.github.io/fastapi-fullauth</a>
+  <br>
+  <strong>Source Code</strong>: <a href="https://github.com/mdfarhankc/fastapi-fullauth">https://github.com/mdfarhankc/fastapi-fullauth</a>
+</p>
+
+---
+
+Add a complete authentication and authorization system to your **FastAPI** project. FastAPI FullAuth is designed to be production-ready, async-native, and pluggable — handling JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, and role-based access out of the box.
+
+## Features
+
+- **JWT access + refresh tokens** with configurable expiry
+- **Refresh token rotation** with reuse detection — revokes entire session family on replay
+- **Password hashing** via Argon2id (default) or bcrypt, with transparent rehashing
+- **Email verification** and **password reset** flows with event hooks
+- **OAuth2 social login** — Google and GitHub, with multi-redirect-URI support
+- **Role-based access control** — `CurrentUser`, `VerifiedUser`, `SuperUser`, `require_role()`
+- **Rate limiting** — per-route auth limits + global middleware (memory or Redis)
+- **CSRF protection** and **security headers** middleware, auto-wired
+- **Pluggable adapters** — SQLModel, SQLAlchemy, or in-memory
+- **Auto-derived schemas** — custom user fields picked up automatically
+- **Event hooks** — `after_register`, `after_login`, `send_verification_email`, etc.
+- **Custom JWT claims** — embed app-specific data in tokens
+- **Structured logging** — all auth events, security violations, and failures logged
+- **Redis support** — token blacklist and rate limiter backends
+- **Python 3.10 – 3.14** supported
+
+## Installation
+
+```bash
+pip install fastapi-fullauth
+
+# with an ORM adapter
+pip install fastapi-fullauth[sqlmodel]
+pip install fastapi-fullauth[sqlalchemy]
+
+# with Redis for token blacklisting
+pip install fastapi-fullauth[sqlmodel,redis]
+
+# with OAuth2 social login
+pip install fastapi-fullauth[sqlmodel,oauth]
+
+# everything
+pip install fastapi-fullauth[all]
+```
+
+## Quick start
+
+```python
+from fastapi import FastAPI
+from fastapi_fullauth import FullAuth
+from fastapi_fullauth.adapters.memory import InMemoryAdapter
+
+app = FastAPI()
+
+fullauth = FullAuth(
+    secret_key="your-secret-key",
+    adapter=InMemoryAdapter(),
+)
+fullauth.init_app(app)
+```
+
+That's it — 15+ auth routes are registered under `/api/v1/auth/` automatically.
+
+Omit `secret_key` in dev and a random one is generated (tokens won't survive restarts).
+
+## Routes
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/auth/register` | Create a new user |
+| `POST` | `/auth/login` | Authenticate, get tokens |
+| `POST` | `/auth/logout` | Blacklist token |
+| `POST` | `/auth/refresh` | Rotate token pair |
+| `GET` | `/auth/me` | Get current user |
+| `GET` | `/auth/me/verified` | Verified users only |
+| `PATCH` | `/auth/me` | Update profile |
+| `DELETE` | `/auth/me` | Delete account |
+| `POST` | `/auth/change-password` | Change password |
+| `POST` | `/auth/verify-email/request` | Request verification email |
+| `POST` | `/auth/verify-email/confirm` | Confirm email |
+| `POST` | `/auth/password-reset/request` | Request password reset |
+| `POST` | `/auth/password-reset/confirm` | Reset password |
+| `POST` | `/auth/admin/assign-role` | Assign role (superuser) |
+| `POST` | `/auth/admin/remove-role` | Remove role (superuser) |
+
+With OAuth enabled, additional routes are registered under `/auth/oauth/`. All routes are prefixed with `/api/v1` by default.
+
+## Custom user fields
+
+Define your model — schemas are auto-derived:
+
+```python
+from sqlmodel import Field, Relationship
+from fastapi_fullauth.adapters.sqlmodel import (
+    UserBase, Role, UserRoleLink, RefreshTokenRecord, SQLModelAdapter,
+)
+
+class User(UserBase, table=True):
+    __tablename__ = "fullauth_users"
+
+    display_name: str = Field(default="", max_length=100)
+    phone: str = Field(default="", max_length=20)
+
+    roles: list[Role] = Relationship(link_model=UserRoleLink)
+    refresh_tokens: list[RefreshTokenRecord] = Relationship()
+
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=SQLModelAdapter(session_maker, user_model=User),
+)
+```
+
+Registration and response schemas pick up `display_name` and `phone` automatically. No separate schema classes needed.
+
+## Protected routes
+
+```python
+from fastapi import Depends
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
+
+@app.get("/profile")
+async def profile(user: CurrentUser):
+    return user
+
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    return {"email": user.email}
+
+@app.delete("/admin/users/{id}")
+async def delete_user(user: SuperUser):
+    ...
+
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
+    ...
+```
+
+## OAuth2 social login
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    oauth_providers={
+        "google": {
+            "client_id": "your-google-client-id",
+            "client_secret": "your-google-secret",
+            "redirect_uris": [
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+            ],
+        },
+        "github": {
+            "client_id": "your-github-client-id",
+            "client_secret": "your-github-secret",
+            "redirect_uri": "http://localhost:3000/auth/callback",
+        },
+    },
+)
+```
+
+Requires `httpx`: `pip install fastapi-fullauth[oauth]`
+
+## Event hooks
+
+```python
+async def welcome(user):
+    await send_email(user.email, "Welcome!")
+
+async def send_verify(email, token):
+    await send_email(email, f"Verify: https://myapp.com/verify?token={token}")
+
+fullauth.hooks.on("after_register", welcome)
+fullauth.hooks.on("send_verification_email", send_verify)
+```
+
+Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`, `after_oauth_login`
+
+## Configuration
+
+Pass inline kwargs or a config object. All options read from env vars with `FULLAUTH_` prefix.
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    access_token_expire_minutes=60,
+    api_prefix="/api/v2",
+    login_field="username",
+    password_hash_algorithm="bcrypt",
+    blacklist_backend="redis",
+    redis_url="redis://localhost:6379/0",
+    rate_limit_enabled=True,
+    trusted_proxy_headers=["X-Forwarded-For"],
+)
+```
+
+See [Configuration docs](https://mdfarhankc.github.io/fastapi-fullauth/configuration/) for all options.
+
+## Development
+
+```bash
+git clone https://github.com/mdfarhankc/fastapi-fullauth.git
+cd fastapi-fullauth
+uv sync --dev --extra sqlalchemy --extra sqlmodel
+uv run pytest tests/ -v
+
+# run examples
+uv run uvicorn examples.memory_app.main:app --reload
+uv run uvicorn examples.sqlmodel_app.main:app --reload
+```
+
+## License
+
+MIT

fastapi_fullauth-0.5.0/README.md

@@ -0,0 +1,235 @@
+<p align="center">
+  <img src="https://img.icons8.com/fluency/96/shield.png" alt="FastAPI FullAuth" width="96" height="96">
+</p>
+
+<h1 align="center">FastAPI FullAuth</h1>
+
+<p align="center">
+  <em>Production-grade, async-native authentication and authorization for FastAPI.</em>
+</p>
+
+<p align="center">
+  <a href="https://pypi.org/project/fastapi-fullauth/"><img src="https://img.shields.io/pypi/v/fastapi-fullauth?color=009688&label=pypi" alt="PyPI"></a>
+  <a href="https://pypi.org/project/fastapi-fullauth/"><img src="https://img.shields.io/pypi/pyversions/fastapi-fullauth?color=009688" alt="Python"></a>
+  <a href="https://github.com/mdfarhankc/fastapi-fullauth/actions/workflows/ci.yml"><img src="https://github.com/mdfarhankc/fastapi-fullauth/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-009688" alt="License"></a>
+  <a href="https://mdfarhankc.github.io/fastapi-fullauth"><img src="https://img.shields.io/badge/docs-mdfarhankc.github.io-009688" alt="Docs"></a>
+</p>
+
+<p align="center">
+  <strong>Documentation</strong>: <a href="https://mdfarhankc.github.io/fastapi-fullauth">https://mdfarhankc.github.io/fastapi-fullauth</a>
+  <br>
+  <strong>Source Code</strong>: <a href="https://github.com/mdfarhankc/fastapi-fullauth">https://github.com/mdfarhankc/fastapi-fullauth</a>
+</p>
+
+---
+
+Add a complete authentication and authorization system to your **FastAPI** project. FastAPI FullAuth is designed to be production-ready, async-native, and pluggable — handling JWT tokens, refresh rotation, password hashing, email verification, OAuth2 social login, and role-based access out of the box.
+
+## Features
+
+- **JWT access + refresh tokens** with configurable expiry
+- **Refresh token rotation** with reuse detection — revokes entire session family on replay
+- **Password hashing** via Argon2id (default) or bcrypt, with transparent rehashing
+- **Email verification** and **password reset** flows with event hooks
+- **OAuth2 social login** — Google and GitHub, with multi-redirect-URI support
+- **Role-based access control** — `CurrentUser`, `VerifiedUser`, `SuperUser`, `require_role()`
+- **Rate limiting** — per-route auth limits + global middleware (memory or Redis)
+- **CSRF protection** and **security headers** middleware, auto-wired
+- **Pluggable adapters** — SQLModel, SQLAlchemy, or in-memory
+- **Auto-derived schemas** — custom user fields picked up automatically
+- **Event hooks** — `after_register`, `after_login`, `send_verification_email`, etc.
+- **Custom JWT claims** — embed app-specific data in tokens
+- **Structured logging** — all auth events, security violations, and failures logged
+- **Redis support** — token blacklist and rate limiter backends
+- **Python 3.10 – 3.14** supported
+
+## Installation
+
+```bash
+pip install fastapi-fullauth
+
+# with an ORM adapter
+pip install fastapi-fullauth[sqlmodel]
+pip install fastapi-fullauth[sqlalchemy]
+
+# with Redis for token blacklisting
+pip install fastapi-fullauth[sqlmodel,redis]
+
+# with OAuth2 social login
+pip install fastapi-fullauth[sqlmodel,oauth]
+
+# everything
+pip install fastapi-fullauth[all]
+```
+
+## Quick start
+
+```python
+from fastapi import FastAPI
+from fastapi_fullauth import FullAuth
+from fastapi_fullauth.adapters.memory import InMemoryAdapter
+
+app = FastAPI()
+
+fullauth = FullAuth(
+    secret_key="your-secret-key",
+    adapter=InMemoryAdapter(),
+)
+fullauth.init_app(app)
+```
+
+That's it — 15+ auth routes are registered under `/api/v1/auth/` automatically.
+
+Omit `secret_key` in dev and a random one is generated (tokens won't survive restarts).
+
+## Routes
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `POST` | `/auth/register` | Create a new user |
+| `POST` | `/auth/login` | Authenticate, get tokens |
+| `POST` | `/auth/logout` | Blacklist token |
+| `POST` | `/auth/refresh` | Rotate token pair |
+| `GET` | `/auth/me` | Get current user |
+| `GET` | `/auth/me/verified` | Verified users only |
+| `PATCH` | `/auth/me` | Update profile |
+| `DELETE` | `/auth/me` | Delete account |
+| `POST` | `/auth/change-password` | Change password |
+| `POST` | `/auth/verify-email/request` | Request verification email |
+| `POST` | `/auth/verify-email/confirm` | Confirm email |
+| `POST` | `/auth/password-reset/request` | Request password reset |
+| `POST` | `/auth/password-reset/confirm` | Reset password |
+| `POST` | `/auth/admin/assign-role` | Assign role (superuser) |
+| `POST` | `/auth/admin/remove-role` | Remove role (superuser) |
+
+With OAuth enabled, additional routes are registered under `/auth/oauth/`. All routes are prefixed with `/api/v1` by default.
+
+## Custom user fields
+
+Define your model — schemas are auto-derived:
+
+```python
+from sqlmodel import Field, Relationship
+from fastapi_fullauth.adapters.sqlmodel import (
+    UserBase, Role, UserRoleLink, RefreshTokenRecord, SQLModelAdapter,
+)
+
+class User(UserBase, table=True):
+    __tablename__ = "fullauth_users"
+
+    display_name: str = Field(default="", max_length=100)
+    phone: str = Field(default="", max_length=20)
+
+    roles: list[Role] = Relationship(link_model=UserRoleLink)
+    refresh_tokens: list[RefreshTokenRecord] = Relationship()
+
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=SQLModelAdapter(session_maker, user_model=User),
+)
+```
+
+Registration and response schemas pick up `display_name` and `phone` automatically. No separate schema classes needed.
+
+## Protected routes
+
+```python
+from fastapi import Depends
+from fastapi_fullauth.dependencies import CurrentUser, VerifiedUser, SuperUser, require_role
+
+@app.get("/profile")
+async def profile(user: CurrentUser):
+    return user
+
+@app.get("/dashboard")
+async def dashboard(user: VerifiedUser):
+    return {"email": user.email}
+
+@app.delete("/admin/users/{id}")
+async def delete_user(user: SuperUser):
+    ...
+
+@app.get("/editor")
+async def editor_panel(user=Depends(require_role("editor"))):
+    ...
+```
+
+## OAuth2 social login
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    oauth_providers={
+        "google": {
+            "client_id": "your-google-client-id",
+            "client_secret": "your-google-secret",
+            "redirect_uris": [
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+            ],
+        },
+        "github": {
+            "client_id": "your-github-client-id",
+            "client_secret": "your-github-secret",
+            "redirect_uri": "http://localhost:3000/auth/callback",
+        },
+    },
+)
+```
+
+Requires `httpx`: `pip install fastapi-fullauth[oauth]`
+
+## Event hooks
+
+```python
+async def welcome(user):
+    await send_email(user.email, "Welcome!")
+
+async def send_verify(email, token):
+    await send_email(email, f"Verify: https://myapp.com/verify?token={token}")
+
+fullauth.hooks.on("after_register", welcome)
+fullauth.hooks.on("send_verification_email", send_verify)
+```
+
+Events: `after_register`, `after_login`, `after_logout`, `after_password_change`, `after_password_reset`, `after_email_verify`, `send_verification_email`, `send_password_reset_email`, `after_oauth_login`
+
+## Configuration
+
+Pass inline kwargs or a config object. All options read from env vars with `FULLAUTH_` prefix.
+
+```python
+fullauth = FullAuth(
+    secret_key="...",
+    adapter=adapter,
+    access_token_expire_minutes=60,
+    api_prefix="/api/v2",
+    login_field="username",
+    password_hash_algorithm="bcrypt",
+    blacklist_backend="redis",
+    redis_url="redis://localhost:6379/0",
+    rate_limit_enabled=True,
+    trusted_proxy_headers=["X-Forwarded-For"],
+)
+```
+
+See [Configuration docs](https://mdfarhankc.github.io/fastapi-fullauth/configuration/) for all options.
+
+## Development
+
+```bash
+git clone https://github.com/mdfarhankc/fastapi-fullauth.git
+cd fastapi-fullauth
+uv sync --dev --extra sqlalchemy --extra sqlmodel
+uv run pytest tests/ -v
+
+# run examples
+uv run uvicorn examples.memory_app.main:app --reload
+uv run uvicorn examples.sqlmodel_app.main:app --reload
+```
+
+## License
+
+MIT

fastapi_fullauth-0.5.0/docs/adapters/index.md

@@ -0,0 +1,49 @@
+# Adapters
+
+Adapters are the database layer for fastapi-fullauth. They implement `AbstractUserAdapter`, which defines how users, refresh tokens, roles, and OAuth accounts are stored and retrieved.
+
+## Available adapters
+
+| Adapter | Backend | Install |
+|---------|---------|---------|
+| [SQLModel](sqlmodel.md) | Any SQLAlchemy-supported DB | `pip install fastapi-fullauth[sqlmodel]` |
+| [SQLAlchemy](sqlalchemy.md) | Any SQLAlchemy-supported DB | `pip install fastapi-fullauth[sqlalchemy]` |
+| [In-Memory](memory.md) | Python dicts | Included (no extras) |
+
+## Choosing an adapter
+
+- **SQLModel** — recommended for most projects. Clean model definitions, good type support.
+- **SQLAlchemy** — use if your project already uses SQLAlchemy's declarative base.
+- **In-Memory** — for testing and prototyping only. Data is lost on restart.
+
+## Custom adapters
+
+You can implement your own adapter for any database by subclassing `AbstractUserAdapter`:
+
+```python
+from fastapi_fullauth.adapters.base import AbstractUserAdapter
+from fastapi_fullauth.types import CreateUserSchema, RefreshToken, UserSchema
+
+class MongoAdapter(AbstractUserAdapter):
+    async def get_user_by_id(self, user_id: str) -> UserSchema | None:
+        ...
+
+    async def get_user_by_email(self, email: str) -> UserSchema | None:
+        ...
+
+    async def create_user(self, data: CreateUserSchema, hashed_password: str) -> UserSchema:
+        ...
+
+    # ... implement all abstract methods
+```
+
+See the [source of AbstractUserAdapter](https://github.com/mdfarhankc/fastapi-fullauth/blob/main/fastapi_fullauth/adapters/base.py) for the full interface.
+
+## Auto-derived schemas
+
+All adapters support automatic schema derivation. When you add custom fields to your user model, fastapi-fullauth detects them and includes them in:
+
+- **Registration schema** — extra fields appear in `POST /auth/register`
+- **User response schema** — extra fields appear in `GET /auth/me` and other user responses
+
+No need to create separate Pydantic models. You can still pass explicit `user_schema` or `create_user_schema` to `SQLModelAdapter` / `FullAuth` if you want full control.

fastapi_fullauth-0.5.0/docs/adapters/memory.md

@@ -0,0 +1,32 @@
+# In-Memory Adapter
+
+A simple adapter that stores everything in Python dictionaries. Useful for testing and quick prototyping.
+
+!!! warning
+    All data is lost when the process restarts. Do not use in production.
+
+## Usage
+
+```python
+from fastapi_fullauth import FullAuth
+from fastapi_fullauth.adapters.memory import InMemoryAdapter
+
+fullauth = FullAuth(
+    secret_key="dev-secret",
+    adapter=InMemoryAdapter(),
+)
+```
+
+No database, no migrations, no setup. Just works.
+
+## When to use
+
+- **Unit tests** — all fastapi-fullauth tests use this adapter
+- **Prototyping** — try out the library without setting up a database
+- **Demos** — run the `examples/memory_app` example
+
+## Limitations
+
+- No persistence across restarts
+- No concurrent access safety (single-process only)
+- OAuth account methods are supported but also in-memory