fastapi-fullauth 0.6.0__tar.gz → 0.7.0__tar.gz

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/CHANGELOG.md

@@ -1,5 +1,57 @@
 # Changelog
 
+## 0.7.0
+
+### Breaking changes
+
+- **InMemory adapter removed** — use SQLModel + SQLite for prototyping instead.
+- **`UserID` is now `UUID`** (was `str | int | UUID`) — all adapter methods, `RefreshToken.user_id`, `OAuthAccount.user_id`, and `RoleAssignment.user_id` are now `UUID`.
+- **OAuth providers passed as objects** — `FullAuth(providers=[GoogleOAuthProvider(...)])` replaces `OAUTH_PROVIDERS` dict in config. `OAuthProviderConfig` removed.
+- **`OAuthProvider` simplified** — only `redirect_uris: list[str]` (removed singular `redirect_uri`). `get_redirect_uri()` removed.
+- **`redirect_uri` required in authorize URL** — clients must pass `?redirect_uri=` in the OAuth authorize request.
+
+### Breaking changes (audit cleanup)
+
+- **`include_user_in_login` moved to config** — use `FullAuthConfig(INCLUDE_USER_IN_LOGIN=True)` or `FULLAUTH_INCLUDE_USER_IN_LOGIN=true` env var instead of `FullAuth(include_user_in_login=True)`.
+- **Login response always includes `user` field** — when `INCLUDE_USER_IN_LOGIN=False`, `user` is `null` (previously the key was absent). When `True`, `user` contains the full user schema object.
+
+### Added
+
+- **Redis lockout backend** — `LOCKOUT_BACKEND="redis"` for multi-worker deployments
+- `LOCKOUT_ENABLED` config — disable account lockout entirely (`False`)
+- `INCLUDE_USER_IN_LOGIN` config — include user object in login/OAuth callback response
+- `LoginResponse` dynamic model — login and OAuth callback routes now have proper `response_model` with typed `user` field matching the configured user schema
+- `validate_profile_updates` flow — profile field filtering extracted from router to `flows/update_profile.py`
+- `NoValidFieldsError`, `UnknownFieldsError` exceptions for profile update validation
+- `change_password` flow — business logic extracted from profile router
+- `PROTECTED_FIELDS` ClassVar on `UserSchema` — users can extend in subclasses
+- Password validation moved to flows (`register`, `reset_password`, `change_password`)
+- `Makefile` with `make check`, `make test`, `make lint`, `make format`, `make docs`, etc.
+
+### Changed
+
+- `LockoutManager` is now an abstract base class with async methods
+- `InMemoryLockoutManager` replaces the old sync `LockoutManager`
+- `migrations/` package flattened to single `migrations.py` module (import paths unchanged)
+- 4 `type: ignore` comments fixed (replaced with `getattr`, assertions, `model_validate`)
+- Misplaced `type: ignore` comments moved inline
+- 204 routes (`delete_me`, `unlink_oauth_account`) no longer return unnecessary `Response` objects
+- Logout route return type corrected to `Response` (needs it for cookie deletion)
+- All tests migrated from InMemory to SQLModel + SQLite
+- Tests regrouped: `test_auth`, `test_profile`, `test_config`, `test_hooks`, `test_security`, `test_rbac`
+- `UUID(payload.sub)` conversion at token boundaries (dependencies, router, flows)
+- Removed `isinstance` str-to-UUID guards from adapters
+- Removed `str(user.id)` / `str(row.user_id)` conversions — UUID used directly
+
+### Removed
+
+- `InMemoryAdapter` and `examples/memory_app/`
+- `OAuthProviderConfig` from config
+- `OAUTH_PROVIDERS` from `FullAuthConfig`
+- `FullAuth._build_oauth_providers()` and `_OAUTH_PROVIDER_REGISTRY`
+- `OAuthProvider.get_redirect_uri()` method
+- `rbac/` package (was empty, just re-exported from `dependencies`)
+
 ## 0.6.0
 
 ### Breaking changes
@@ -28,7 +80,7 @@
 - `fullauth.router` still works as before (composes all sub-routers), `fullauth.init_app(app)` unchanged
 - `hash_password()` and `password_needs_rehash()` now accept explicit `algorithm` parameter (default `argon2id`)
 - Shared request/response models extracted to `router/_models.py`
-- RBAC permissions (`require_role`, `require_permission`) available via `fastapi_fullauth.dependencies` (removed `rbac/` re-export package will happen in next release)
+- RBAC permissions (`require_role`, `require_permission`) available via `fastapi_fullauth.dependencies`
 
 ### Removed
 

fastapi_fullauth-0.7.0/Makefile

@@ -0,0 +1,64 @@
+.PHONY: install test lint format check fix clean build docs
+
+# Install dependencies
+install:
+	uv sync --dev --extra sqlalchemy --extra sqlmodel --extra oauth --extra redis
+
+# Run tests
+test:
+	uv run pytest tests/ -x --tb=short
+
+# Run tests with verbose output
+test-v:
+	uv run pytest tests/ -v
+
+# Run a specific test file
+# Usage: make test-file FILE=test_auth
+test-file:
+	uv run pytest tests/$(FILE).py -x --tb=short -v
+
+# Lint check (no changes)
+lint:
+	uv run ruff check .
+
+# Format check (no changes)
+format-check:
+	uv run ruff format --check .
+
+# Fix lint issues
+fix:
+	uv run ruff check --fix .
+
+# Format code
+format:
+	uv run ruff format .
+
+# Run all checks (format + lint + tests) — run before committing
+check: format-check lint test
+
+# Fix all issues then verify
+fix-all: format fix test
+
+# Build package
+build:
+	uv build
+
+# Serve docs locally
+docs:
+	uv run mkdocs serve
+
+# Build docs
+docs-build:
+	uv run mkdocs build
+
+# Run example apps
+run-sqlmodel:
+	uv run uvicorn examples.sqlmodel_app.main:app --reload
+
+run-sqlalchemy:
+	uv run uvicorn examples.sqlalchemy_app.main:app --reload
+
+# Clean build artifacts
+clean:
+	rm -rf dist/ build/ *.egg-info .pytest_cache .ruff_cache
+	find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/PKG-INFO

@@ -1,13 +1,13 @@
 Metadata-Version: 2.4
 Name: fastapi-fullauth
-Version: 0.6.0
+Version: 0.7.0
 Summary: Production-grade, async-native authentication and authorization library for FastAPI
 Project-URL: Homepage, https://github.com/mdfarhankc/fastapi-fullauth
 Project-URL: Documentation, https://mdfarhankc.github.io/fastapi-fullauth
 Project-URL: Repository, https://github.com/mdfarhankc/fastapi-fullauth
 License-Expression: MIT
 License-File: LICENSE
-Keywords: argon2,authentication,authorization,fastapi,jwt,security
+Keywords: argon2,async,authentication,authorization,bcrypt,csrf,fastapi,jwt,oauth2,password-hashing,pydantic,rbac,redis,refresh-token,role-based-access-control,security,sqlalchemy,sqlmodel
 Classifier: Development Status :: 3 - Alpha
 Classifier: Framework :: FastAPI
 Classifier: Intended Audience :: Developers
@@ -82,7 +82,7 @@ Add a complete authentication and authorization system to your **FastAPI** proje
 - **Role-based access control** — `CurrentUser`, `VerifiedUser`, `SuperUser`, `require_role()`
 - **Rate limiting** — per-route auth limits + global middleware (memory or Redis)
 - **CSRF protection** and **security headers** middleware, auto-wired
-- **Pluggable adapters** — SQLModel, SQLAlchemy, or in-memory
+- **Pluggable adapters** — SQLModel or SQLAlchemy
 - **Generic type parameters** — define your own schemas with full IDE support and type safety
 - **Composable routers** — include only the route groups you need
 - **Event hooks** — `after_register`, `after_login`, `send_verification_email`, etc.
@@ -115,12 +115,12 @@ pip install fastapi-fullauth[all]
 ```python
 from fastapi import FastAPI
 from fastapi_fullauth import FullAuth, FullAuthConfig
-from fastapi_fullauth.adapters.memory import InMemoryAdapter
+from fastapi_fullauth.adapters.sqlmodel import SQLModelAdapter
 
 app = FastAPI()
 
 fullauth = FullAuth(
-    adapter=InMemoryAdapter(),
+    adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
     config=FullAuthConfig(SECRET_KEY="your-secret-key"),
 )
 fullauth.init_app(app)
@@ -257,26 +257,28 @@ async def editor_panel(user=Depends(require_role("editor"))):
 ## OAuth2 social login
 
 ```python
+from fastapi_fullauth import FullAuth, FullAuthConfig
+from fastapi_fullauth.oauth.google import GoogleOAuthProvider
+from fastapi_fullauth.oauth.github import GitHubOAuthProvider
+
 fullauth = FullAuth(
     adapter=adapter,
-    config=FullAuthConfig(
-        SECRET_KEY="...",
-        OAUTH_PROVIDERS={
-            "google": {
-                "client_id": "your-google-client-id",
-                "client_secret": "your-google-secret",
-                "redirect_uris": [
-                    "http://localhost:3000/auth/callback",
-                    "https://myapp.com/auth/callback",
-                ],
-            },
-            "github": {
-                "client_id": "your-github-client-id",
-                "client_secret": "your-github-secret",
-                "redirect_uri": "http://localhost:3000/auth/callback",
-            },
-        },
-    ),
+    config=FullAuthConfig(SECRET_KEY="..."),
+    providers=[
+        GoogleOAuthProvider(
+            client_id="your-google-client-id",
+            client_secret="your-google-secret",
+            redirect_uris=[
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+            ],
+        ),
+        GitHubOAuthProvider(
+            client_id="your-github-client-id",
+            client_secret="your-github-secret",
+            redirect_uris=["http://localhost:3000/auth/callback"],
+        ),
+    ],
 )
 ```
 
@@ -320,6 +322,15 @@ fullauth = FullAuth(
 
 See [Configuration docs](https://mdfarhankc.github.io/fastapi-fullauth/configuration/) for all options.
 
+## AI-friendly docs
+
+Using an AI coding assistant? Point it at our LLM-optimized docs:
+
+- **[llms.txt](https://mdfarhankc.github.io/fastapi-fullauth/llms.txt)** — concise overview with links to all doc pages
+- **[llms-full.txt](https://mdfarhankc.github.io/fastapi-fullauth/llms-full.txt)** — full documentation in a single file
+
+Works with Claude, Cursor, Copilot, and any tool that accepts a docs URL.
+
 ## Development
 
 ```bash
@@ -329,7 +340,6 @@ uv sync --dev --extra sqlalchemy --extra sqlmodel
 uv run pytest tests/ -v
 
 # run examples
-uv run uvicorn examples.memory_app.main:app --reload
 uv run uvicorn examples.sqlmodel_app.main:app --reload
 ```
 

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/README.md

@@ -36,7 +36,7 @@ Add a complete authentication and authorization system to your **FastAPI** proje
 - **Role-based access control** — `CurrentUser`, `VerifiedUser`, `SuperUser`, `require_role()`
 - **Rate limiting** — per-route auth limits + global middleware (memory or Redis)
 - **CSRF protection** and **security headers** middleware, auto-wired
-- **Pluggable adapters** — SQLModel, SQLAlchemy, or in-memory
+- **Pluggable adapters** — SQLModel or SQLAlchemy
 - **Generic type parameters** — define your own schemas with full IDE support and type safety
 - **Composable routers** — include only the route groups you need
 - **Event hooks** — `after_register`, `after_login`, `send_verification_email`, etc.
@@ -69,12 +69,12 @@ pip install fastapi-fullauth[all]
 ```python
 from fastapi import FastAPI
 from fastapi_fullauth import FullAuth, FullAuthConfig
-from fastapi_fullauth.adapters.memory import InMemoryAdapter
+from fastapi_fullauth.adapters.sqlmodel import SQLModelAdapter
 
 app = FastAPI()
 
 fullauth = FullAuth(
-    adapter=InMemoryAdapter(),
+    adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
     config=FullAuthConfig(SECRET_KEY="your-secret-key"),
 )
 fullauth.init_app(app)
@@ -211,26 +211,28 @@ async def editor_panel(user=Depends(require_role("editor"))):
 ## OAuth2 social login
 
 ```python
+from fastapi_fullauth import FullAuth, FullAuthConfig
+from fastapi_fullauth.oauth.google import GoogleOAuthProvider
+from fastapi_fullauth.oauth.github import GitHubOAuthProvider
+
 fullauth = FullAuth(
     adapter=adapter,
-    config=FullAuthConfig(
-        SECRET_KEY="...",
-        OAUTH_PROVIDERS={
-            "google": {
-                "client_id": "your-google-client-id",
-                "client_secret": "your-google-secret",
-                "redirect_uris": [
-                    "http://localhost:3000/auth/callback",
-                    "https://myapp.com/auth/callback",
-                ],
-            },
-            "github": {
-                "client_id": "your-github-client-id",
-                "client_secret": "your-github-secret",
-                "redirect_uri": "http://localhost:3000/auth/callback",
-            },
-        },
-    ),
+    config=FullAuthConfig(SECRET_KEY="..."),
+    providers=[
+        GoogleOAuthProvider(
+            client_id="your-google-client-id",
+            client_secret="your-google-secret",
+            redirect_uris=[
+                "http://localhost:3000/auth/callback",
+                "https://myapp.com/auth/callback",
+            ],
+        ),
+        GitHubOAuthProvider(
+            client_id="your-github-client-id",
+            client_secret="your-github-secret",
+            redirect_uris=["http://localhost:3000/auth/callback"],
+        ),
+    ],
 )
 ```
 
@@ -274,6 +276,15 @@ fullauth = FullAuth(
 
 See [Configuration docs](https://mdfarhankc.github.io/fastapi-fullauth/configuration/) for all options.
 
+## AI-friendly docs
+
+Using an AI coding assistant? Point it at our LLM-optimized docs:
+
+- **[llms.txt](https://mdfarhankc.github.io/fastapi-fullauth/llms.txt)** — concise overview with links to all doc pages
+- **[llms-full.txt](https://mdfarhankc.github.io/fastapi-fullauth/llms-full.txt)** — full documentation in a single file
+
+Works with Claude, Cursor, Copilot, and any tool that accepts a docs URL.
+
 ## Development
 
 ```bash
@@ -283,7 +294,6 @@ uv sync --dev --extra sqlalchemy --extra sqlmodel
 uv run pytest tests/ -v
 
 # run examples
-uv run uvicorn examples.memory_app.main:app --reload
 uv run uvicorn examples.sqlmodel_app.main:app --reload
 ```
 

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/docs/adapters/index.md

@@ -8,13 +8,11 @@ Adapters are the database layer for fastapi-fullauth. They implement `AbstractUs
 |---------|---------|---------|
 | [SQLModel](sqlmodel.md) | Any SQLAlchemy-supported DB | `pip install fastapi-fullauth[sqlmodel]` |
 | [SQLAlchemy](sqlalchemy.md) | Any SQLAlchemy-supported DB | `pip install fastapi-fullauth[sqlalchemy]` |
-| [In-Memory](memory.md) | Python dicts | Included (no extras) |
 
 ## Choosing an adapter
 
-- **SQLModel** — recommended for most projects. Clean model definitions, good type support.
+- **SQLModel** — recommended for most projects. Clean model definitions, good type support. Use SQLite for prototyping.
 - **SQLAlchemy** — use if your project already uses SQLAlchemy's declarative base.
-- **In-Memory** — for testing and prototyping only. Data is lost on restart.
 
 ## Custom adapters
 
@@ -39,11 +37,23 @@ class MongoAdapter(AbstractUserAdapter):
 
 See the [source of AbstractUserAdapter](https://github.com/mdfarhankc/fastapi-fullauth/blob/main/fastapi_fullauth/adapters/base.py) for the full interface.
 
-## Auto-derived schemas
+## Custom schemas
 
-All adapters support automatic schema derivation. When you add custom fields to your user model, fastapi-fullauth detects them and includes them in:
+Define your own user schemas by extending `UserSchema` and `CreateUserSchema`, then pass them to the adapter:
 
-- **Registration schema** — extra fields appear in `POST /auth/register`
-- **User response schema** — extra fields appear in `GET /auth/me` and other user responses
+```python
+from fastapi_fullauth import UserSchema, CreateUserSchema
+
+class MyUserSchema(UserSchema):
+    display_name: str = ""
 
-No need to create separate Pydantic models. You can still pass explicit `user_schema` or `create_user_schema` to `SQLModelAdapter` / `FullAuth` if you want full control.
+class MyCreateSchema(CreateUserSchema):
+    display_name: str = ""
+
+adapter = SQLModelAdapter(
+    session_maker=session_maker,
+    user_model=User,
+    user_schema=MyUserSchema,
+    create_user_schema=MyCreateSchema,
+)
+```

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/docs/api-reference.md

@@ -12,10 +12,9 @@ from fastapi_fullauth import FullAuth, FullAuthConfig
 fullauth = FullAuth(
     adapter=adapter,                # required — database adapter
     config=FullAuthConfig(...),     # FullAuthConfig object (see Configuration)
+    providers=None,                 # list of OAuthProvider instances
     backends=None,                  # [BearerBackend()] by default
     password_validator=None,        # PasswordValidator instance
-    include_user_in_login=False,    # include user data in login response
-    create_user_schema=None,        # custom registration schema
     on_create_token_claims=None,    # async callback for custom JWT claims
 )
 ```
@@ -66,14 +65,22 @@ from fastapi_fullauth.types import (
 
 ```python
 class UserSchema(BaseModel):
-    id: str | int | UUID
+    id: UUID
     email: EmailStr
     is_active: bool = True
     is_verified: bool = False
     is_superuser: bool = False
     roles: list[str] = []
+
+    PROTECTED_FIELDS: ClassVar[set[str]] = {
+        "id", "email", "hashed_password", "is_active",
+        "is_verified", "is_superuser", "roles", "password",
+        "created_at", "refresh_tokens",
+    }
 ```
 
+Extend `PROTECTED_FIELDS` in subclasses to protect custom sensitive fields from profile updates.
+
 ### TokenPair
 
 ```python
@@ -84,6 +91,10 @@ class TokenPair(BaseModel):
     expires_in: int | None = None
 ```
 
+### LoginResponse
+
+Returned by login and OAuth callback routes. Extends `TokenPair` with an optional `user` field. The `user` field contains the full user schema object when `INCLUDE_USER_IN_LOGIN=True`, otherwise `null`. The user type matches your configured user schema (e.g., `MyUserSchema`).
+
 ### TokenPayload
 
 ```python

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/docs/configuration.md

@@ -64,6 +64,9 @@ Pass config inline or as an object:
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `LOGIN_FIELD` | `str` | `"email"` | Field used for login (`"email"`, `"username"`, etc.). |
+| `INCLUDE_USER_IN_LOGIN` | `bool` | `False` | Include user object in login/OAuth callback response. |
+| `LOCKOUT_ENABLED` | `bool` | `True` | Enable account lockout after failed login attempts. |
+| `LOCKOUT_BACKEND` | `"memory" \| "redis"` | `"memory"` | Lockout storage backend. Use `"redis"` for multi-worker deployments. |
 | `MAX_LOGIN_ATTEMPTS` | `int` | `5` | Failed attempts before account lockout. |
 | `LOCKOUT_DURATION_MINUTES` | `int` | `15` | Lockout duration after max attempts. |
 
@@ -115,7 +118,6 @@ Pass config inline or as an object:
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
-| `OAUTH_PROVIDERS` | `dict` | `{}` | OAuth provider configurations. See [OAuth2](oauth.md). |
 | `OAUTH_STATE_EXPIRE_SECONDS` | `int` | `300` | OAuth state token TTL (5 min). |
 | `OAUTH_AUTO_LINK_BY_EMAIL` | `bool` | `True` | Auto-link OAuth accounts to existing users by email. |
 

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/docs/getting-started.md

@@ -138,10 +138,13 @@ Response:
   "access_token": "eyJ...",
   "refresh_token": "eyJ...",
   "token_type": "bearer",
-  "expires_in": 1800
+  "expires_in": 1800,
+  "user": null
 }
 ```
 
+When `INCLUDE_USER_IN_LOGIN=True`, `user` contains the full user object instead of `null`.
+
 **Get current user:**
 
 ```bash

{fastapi_fullauth-0.6.0 → fastapi_fullauth-0.7.0}/docs/index.md

@@ -35,7 +35,7 @@ Add a complete authentication and authorization system to your **FastAPI** proje
 - **Role-based access control** — `CurrentUser`, `VerifiedUser`, `SuperUser`, `require_role()`
 - **Rate limiting** — per-route auth limits + global middleware (memory or Redis)
 - **CSRF protection** and **security headers** middleware
-- **Pluggable adapters** — SQLModel, SQLAlchemy, or in-memory
+- **Pluggable adapters** — SQLModel or SQLAlchemy
 - **Generic type parameters** — define your own schemas with full IDE support and type safety
 - **Composable routers** — include only the route groups you need
 - **Event hooks** — `after_register`, `after_login`, `send_verification_email`, etc.
@@ -67,12 +67,12 @@ pip install fastapi-fullauth[all]
 ```python
 from fastapi import FastAPI
 from fastapi_fullauth import FullAuth, FullAuthConfig
-from fastapi_fullauth.adapters.memory import InMemoryAdapter
+from fastapi_fullauth.adapters.sqlmodel import SQLModelAdapter
 
 app = FastAPI()
 
 fullauth = FullAuth(
-    adapter=InMemoryAdapter(),
+    adapter=SQLModelAdapter(session_maker=session_maker, user_model=User),
     config=FullAuthConfig(
         SECRET_KEY="your-secret-key",
     ),
@@ -138,6 +138,15 @@ With OAuth enabled, additional routes are registered under `/auth/oauth/`. See [
 
 All routes are prefixed with `/api/v1` by default (configurable via `API_PREFIX`).
 
+## AI-friendly docs
+
+Using an AI coding assistant? Point it at our LLM-optimized docs:
+
+- **[llms.txt](llms.txt)** — concise overview with links to all doc pages
+- **[llms-full.txt](llms-full.txt)** — full documentation in a single file
+
+Works with Claude, Cursor, Copilot, and any tool that accepts a docs URL.
+
 ## License
 
 MIT