fastapi-jwt-authkit 0.1.0__py3-none-any.whl

authkit/__init__.py

@@ -0,0 +1,5 @@
+from  .settings import AuthSettings
+
+__all__ = [
+    "AuthSettings",
+]

authkit/__init__.pyi

@@ -0,0 +1,3 @@
+from .settings import AuthSettings
+
+__all__: list[str]

authkit/authenticator.py

@@ -0,0 +1,47 @@
+from fastapi import HTTPException,status, Request
+from .settings import  AuthSettings
+from  .extractors import  extract_access_token
+from .tokens import  decode_access
+from .protocols import  AsyncUserProtocol , SyncUserProtocol , UserProtocol
+
+
+class AsyncAuthenticator:
+    def __init__(self,settings:AuthSettings, repo:AsyncUserProtocol ):
+        self.settings = settings
+        self.repo = repo
+
+
+    async def current_user(self,request:Request) -> UserProtocol:
+        token = extract_access_token(request,self.settings)
+        if not token:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="Not authenticated")
+        payload = decode_access(self.settings,token)
+        sub = payload.get("sub")
+        if not sub:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="Invalid token payload")
+
+        user = await self.repo.get_by_id(int(sub))
+        if  not user:
+            raise  HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="User not found")
+        return user
+
+
+class SyncAuthenticator:
+    def __init__(self,settings:AuthSettings,repo:SyncUserProtocol):
+        self.settings = settings
+        self.repo = repo
+
+    def  current_user(self,request:Request) -> UserProtocol:
+        token = extract_access_token(request,self.settings)
+        if not token:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="Not authenticated")
+        payload = decode_access(self.settings,token)
+        sub = payload.get("sub")
+        if not sub:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="Invalid token payload")
+
+        user = self.repo.get_by_id(int(sub))
+        if  not user:
+            raise  HTTPException(status_code=status.HTTP_401_UNAUTHORIZED,detail="User not found")
+
+        return user

authkit/authenticator.pyi

@@ -0,0 +1,11 @@
+from fastapi import Request
+from .settings import AuthSettings
+from .protocols import AsyncUserProtocol, SyncUserProtocol, UserProtocol
+
+class AsyncAuthenticator:
+    def __init__(self, settings: AuthSettings, repo: AsyncUserProtocol) -> None: ...
+    async def current_user(self, request: Request) -> UserProtocol: ...
+
+class SyncAuthenticator:
+    def __init__(self, settings: AuthSettings, repo: SyncUserProtocol) -> None: ...
+    def current_user(self, request: Request) -> UserProtocol: ...

authkit/ext/sqlalchemy/__init__.py

@@ -0,0 +1,6 @@
+from .sa_async import SQLAlchemyAsyncUserProtocol
+from .sa_sync import SQLAlchemySyncUserProtocol
+
+
+__all__ = ["SQLAlchemyAsyncUserProtocol", "SQLAlchemySyncUserProtocol"]
+

authkit/ext/sqlalchemy/sa_async.py

@@ -0,0 +1,44 @@
+from typing import Any
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select, or_
+
+class SQLAlchemyAsyncUserProtocol:
+    """
+    Adapter repo for SQLAlchemy AsyncSession.
+    You pass your User model class in user_model.
+    """
+    def __init__(self, session: AsyncSession, user_model: type[Any]):
+        self.session = session
+        self.user_model = user_model
+
+    async def get_by_id(self, user_id: int):
+        return await self.session.get(self.user_model, user_id)
+
+    async def get_by_email_or_username(self, value: str):
+        user_model = self.user_model
+        stmt = select(user_model).where(or_(user_model.email == value, user_model.username == value))
+        return (await self.session.execute(stmt)).scalar_one_or_none()
+
+    async def create_user(
+        self,
+        *,
+        email: str,
+        username: str,
+        password: str,
+        is_active: bool = True,
+        is_staff: bool = False,
+        is_superuser: bool = False,
+    ):
+        user_model = self.user_model
+        user = user_model(
+            email=email,
+            username=username,
+            password_hash=password,
+            is_active=is_active,
+            is_staff=is_staff,
+            is_superuser=is_superuser,
+        )
+        self.session.add(user)
+        await self.session.commit()
+        await self.session.refresh(user)
+        return user

authkit/ext/sqlalchemy/sa_sync.py

@@ -0,0 +1,60 @@
+from typing import Any, Type
+from sqlalchemy.orm import Session
+from sqlalchemy import select, or_
+
+
+class SQLAlchemySyncUserProtocol:
+    """
+    Adapter repository for SQLAlchemy Session (sync).
+    """
+
+    def __init__(self, session: Session, user_model: Type[Any]):
+        self.session = session
+        self.user_model = user_model
+
+    def get_by_id(self, user_id: int):
+        return self.session.get(self.user_model, user_id)
+
+    def get_by_email_or_username(self, value: str):
+        stmt = select(self.user_model).where(
+            or_(
+                self.user_model.email == value,
+                self.user_model.username == value,
+            )
+        )
+        return self.session.execute(stmt).scalar_one_or_none()
+
+    def get_by_email(self, email: str):
+        stmt = select(self.user_model).where(
+            self.user_model.email == email
+        )
+        return self.session.execute(stmt).scalar_one_or_none()
+
+    def get_by_username(self, username: str):
+        stmt = select(self.user_model).where(
+            self.user_model.username == username
+        )
+        return self.session.execute(stmt).scalar_one_or_none()
+
+    def create_user(
+        self,
+        *,
+        email: str,
+        username: str,
+        password: str,
+        is_active: bool = True,
+        is_staff: bool = False,
+        is_superuser: bool = False,
+    ):
+        user = self.user_model(
+            email=email,
+            username=username,
+            password_hash=password,
+            is_active=is_active,
+            is_staff=is_staff,
+            is_superuser=is_superuser,
+        )
+        self.session.add(user)
+        self.session.commit()
+        self.session.refresh(user)
+        return user

authkit/ext/sqlalchmey/__init__.pyi

@@ -0,0 +1,4 @@
+from .sa_async import SQLAlchemyAsyncUserRepo
+from .sa_sync import SQLAlchemySyncUserRepo
+
+__all__: list[str]

authkit/ext/sqlalchmey/sa_async.pyi

@@ -0,0 +1,13 @@
+from typing import Any
+from sqlalchemy.ext.asyncio import AsyncSession
+from packages.authkit.src.authkit.protocols import UserProtocol
+
+
+class SQLAlchemyAsyncUserRepo:
+    def __init__(self, session: AsyncSession, user_model: type[Any]) -> None: ...
+    async def get_by_id(self, user_id: int) -> UserProtocol | None: ...
+    async def get_by_email_or_username(self, value: str) -> UserProtocol | None: ...
+    async def create_user(
+        self, *, email: str, username: str, password_hash: str,
+        is_active: bool = ..., is_staff: bool = ..., is_superuser: bool = ...
+    ) -> UserProtocol: ...

authkit/ext/sqlalchmey/sa_sync.pyi

@@ -0,0 +1,13 @@
+from typing import Any
+from sqlalchemy.orm import Session
+
+from packages.authkit.src.authkit.protocols import UserProtocol
+
+class SQLAlchemySyncUserRepo:
+    def __init__(self, session: Session, user_model: type[Any]) -> None: ...
+    def get_by_id(self, user_id: int) -> UserProtocol | None: ...
+    def get_by_email_or_username(self, value: str) -> UserProtocol | None: ...
+    def create_user(
+        self, *, email: str, username: str, password_hash: str,
+        is_active: bool = ..., is_staff: bool = ..., is_superuser: bool = ...
+    ) -> UserProtocol: ...

authkit/extractors.py

@@ -0,0 +1,28 @@
+from fastapi import Request
+from  .settings import AuthSettings
+
+def extract_access_token(request: Request, settings: AuthSettings) -> str | None:
+    if settings.accept_header:
+        auth_header = request.headers.get("Authorization")
+        if auth_header and auth_header.startswith("Bearer "):
+            return auth_header[7:]
+
+    if settings.accept_cookie:
+        cookie_name = settings.cookie_name_access
+        return request.cookies.get(cookie_name)
+
+    return None
+
+def  extract_refresh_token(request: Request, settings: AuthSettings) -> str | None:
+    if settings.accept_header:
+        auth_header = request.headers.get("Authorization")
+        if auth_header and auth_header.startswith("Bearer "):
+            return auth_header[7:]
+
+    if settings.accept_cookie:
+        cookie_name = settings.cookie_name_refresh
+        return request.cookies.get(cookie_name)
+
+    return None
+
+

authkit/extractors.pyi

@@ -0,0 +1,5 @@
+from fastapi import Request
+from .settings import AuthSettings
+
+def extract_access_token(request: Request, settings: AuthSettings) -> str | None: ...
+def extract_refresh_token(request: Request, settings: AuthSettings) -> str | None: ...

authkit/fastapi/__init__.py

@@ -0,0 +1,3 @@
+from .routers import build_auth_router_sync , build_auth_router_async
+
+__all__ = ["build_auth_router_sync", "build_auth_router_async"]

authkit/fastapi/__init__.pyi

@@ -0,0 +1,2 @@
+from .router import build_auth_router_async, build_auth_router_sync
+__all__: list[str]

authkit/fastapi/routers.py

@@ -0,0 +1,204 @@
+from __future__ import annotations
+from typing import Any, Callable, Awaitable
+from fastapi import  APIRouter, Depends, HTTPException , Request , Response,status
+
+from ..ext.sqlalchemy import SQLAlchemyAsyncUserProtocol, SQLAlchemySyncUserProtocol
+from ..extractors import extract_refresh_token
+from ..settings import AuthSettings
+from ..service import  AuthService, AsyncAuthService
+from  ..authenticator import AsyncAuthenticator , SyncAuthenticator
+
+from .schema import RegisterInSchema, LoginInSchema
+
+
+def _set_access_cookie(response:Response , settings:AuthSettings, token:str):
+    response.set_cookie(
+        key=settings.cookie_name_access,
+        value=token,
+        httponly=True,
+        secure=settings.cookie_secure,
+        samesite=settings.cookie_samesite,
+        max_age=settings.cookie_max_age_access,
+    )
+
+
+def _set_refresh_cookie(response:Response,settings:AuthSettings, token:str):
+    response.set_cookie(
+        key=settings.cookie_name_refresh,
+        value=token,
+        httponly=True,
+        secure=settings.cookie_secure,
+        samesite=settings.cookie_samesite,
+        max_age=settings.cookie_max_age_refresh,
+    )
+
+def _clear_cookie(response:Response,settings:AuthSettings):
+        response.delete_cookie(
+            key=settings.cookie_name_access,
+        )
+        response.delete_cookie(
+            key=settings.cookie_name_refresh,
+        )
+
+def build_auth_router_async(
+        *,
+        settings:AuthSettings,
+        get_session:Callable[...,Any],
+        user_model:type[Any]
+)-> APIRouter:
+    """
+       Async FastAPI router.
+       get_session must provide an AsyncSession (dependency).
+    """
+
+    router = APIRouter()
+
+    def _svc(session=Depends(get_session))->AsyncAuthService:
+        repo = SQLAlchemyAsyncUserProtocol(session ,user_model=user_model)
+        return AsyncAuthService(settings, repo)
+
+    def _auth(session=Depends(get_session))->AsyncAuthenticator:
+        repo= SQLAlchemyAsyncUserProtocol(session ,user_model=user_model)
+        return AsyncAuthenticator(settings , repo)
+
+
+    @router.post("/register")
+    async def register(data:RegisterInSchema,svc:AsyncAuthService=Depends(_svc)):
+        user = await svc.create_user(data.email , data.username , data.password)
+        return {
+            "id": user.id,
+            "email": user.email,
+            "username": user.username,
+            "is_staff": user.is_staff,
+            "is_active": user.is_active,
+        }
+
+
+    @router.post("/login")
+    async def login(data:LoginInSchema, response:Response, svc:AsyncAuthService=Depends(_svc)):
+        user =  await svc.authenticate(data.username_or_email , data.password)
+        access, refresh = await svc.assign_token(user)
+
+        if  settings.set_cookie_on_login:
+            _set_access_cookie(response , settings , access)
+            _set_refresh_cookie(response , settings , refresh)
+        return {
+                "access_token": access,
+                "refresh_token": refresh,
+            }
+
+    @router.post("/refresh")
+    async def refresh(request:Request, response:Response, svc:AsyncAuthService=Depends(_svc)):
+        rt = extract_refresh_token(request,settings)
+        if not rt:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED , detail="Refresh token not found")
+        access,refresh = await svc.refresh_pair(rt)
+
+        if settings.set_cookie_on_login:
+            _set_access_cookie(response , settings , access)
+            _set_refresh_cookie(response , settings , refresh)
+
+        return {
+            "access_token": access,
+            "refresh_token": refresh,
+        }
+
+
+    @router.post("/logout")
+    async def logout(response:Response):
+        _clear_cookie(response , settings)
+        return {"logout": "success" , "ok":True}
+
+
+    @router.get("/me")
+    async def me(request:Request,auth:AsyncAuthenticator=Depends(_auth)):
+        user = await auth.current_user(request)
+        return {"id": user.id, "email": user.email, "username": user.username, "is_staff": user.is_staff, "is_superuser": user.is_superuser}
+
+    return router
+
+
+# ======= Sync Router =======#
+def build_auth_router_sync(
+        *,
+        settings:AuthSettings,
+        get_session:Callable[...,Any],
+        user_models:type[Any]
+)-> APIRouter:
+    """
+       Sync FastAPI router.
+       get_session must provide a Session (dependency).
+    """
+
+    router = APIRouter()
+
+    def _svc(session=Depends(get_session))->AuthService:
+        repo = SQLAlchemySyncUserProtocol(session ,user_model=user_models)
+        return  AuthService(settings, repo)
+
+
+    def _auth(session=Depends(get_session))->SyncAuthenticator:
+         repo =  SQLAlchemySyncUserProtocol(session ,user_model=user_models)
+         return SyncAuthenticator(settings , repo)
+
+
+    @router.post("/register")
+    def register(data:RegisterInSchema,svc:AuthService=Depends(_svc)):
+        user = svc.create_user(data.email , data.username , data.password)
+        return {
+            "id": user.id,
+            "email": user.email,
+            "username": user.username,
+            "is_staff": user.is_staff,
+            "is_active": user.is_active,
+        }
+
+    @router.post("/login")
+    def login(data:LoginInSchema, response:Response, svc:AuthService=Depends(_svc)):
+        user =  svc.authenticate(data.username_or_email , data.password)
+        access, refresh = svc.assign_token(user)
+
+        if  settings.set_cookie_on_login:
+            _set_access_cookie(response , settings , access)
+            _set_refresh_cookie(response , settings , refresh)
+        return {
+                "access_token": access,
+                "refresh_token": refresh,
+            }
+
+    @router.post("/refresh")
+    def refresh(request:Request, response:Response, svc:AuthService=Depends(_svc)):
+        rt = extract_refresh_token(request,settings)
+        if not rt:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED , detail="Refresh token not found")
+        access,refresh = svc.refresh_pair(rt)
+
+        if settings.set_cookie_on_login:
+            _set_access_cookie(response , settings , access)
+            _set_refresh_cookie(response , settings , refresh)
+
+        return {
+            "access_token": access,
+            "refresh_token": refresh,
+        }
+
+
+    @router.post("/logout")
+    def logout(response:Response):
+        _clear_cookie(response , settings)
+        return {"logout": "success" , "ok":True}
+
+
+    @router.get("/me")
+    def me(request:Request,auth:SyncAuthenticator=Depends(_auth)):
+        user = auth.current_user(request)
+        return {"id": user.id, "email": user.email, "username": user.username, "is_staff": user.is_staff, "is_superuser": user.is_superuser}
+
+    return router
+
+
+
+
+
+
+

authkit/fastapi/routers.pyi

@@ -0,0 +1,6 @@
+from typing import Any, Callable
+from fastapi import APIRouter
+from ..settings import AuthSettings
+
+def build_auth_router_async(*, settings: AuthSettings, get_session: Callable[..., Any], user_model: type[Any]) -> APIRouter: ...
+def build_auth_router_sync(*, settings: AuthSettings, get_session: Callable[..., Any], user_model: type[Any]) -> APIRouter: ...

authkit/fastapi/schema.py

@@ -0,0 +1,13 @@
+from pydantic import  BaseModel ,EmailStr
+
+class RegisterInSchema(BaseModel):
+    email: EmailStr
+    username: str
+    password: str
+
+
+class LoginInSchema(BaseModel):
+    username_or_email: str
+    password: str
+
+

authkit/hashing.py

@@ -0,0 +1,12 @@
+from  passlib.context import  CryptContext
+
+
+_PWD = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+
+def hash_password(password: str) -> str:
+    return _PWD.hash(password)
+
+def verify_password(password: str, hashed_password: str) -> bool:
+    return _PWD.verify(password, hashed_password)

authkit/hashing.pyi

@@ -0,0 +1,2 @@
+def hash_password(password: str) -> str: ...
+def verify_password(password: str, password_hash: str) -> bool: ...

authkit/protocols.py

@@ -0,0 +1,27 @@
+from  typing import  Protocol , Optional ,runtime_checkable
+
+@runtime_checkable
+class UserProtocol(Protocol):
+    id: str
+    email: str
+    username: str
+    password_hash: str
+    is_active: bool
+    is_staff: bool
+    is_superuser: bool
+
+
+
+class AsyncUserProtocol(Protocol):
+    async def get_by_id(self,user_id:int) -> Optional[UserProtocol]:...
+    async def get_by_email_or_username(self, value:str) -> Optional[UserProtocol]:...
+    async def create_user(self,* , email: str, username: str, password: str,is_staff:bool,is_active:bool,is_superuser:bool) -> UserProtocol: ...
+
+
+
+class SyncUserProtocol(Protocol):
+    def get_by_id(self,user_id:int) -> Optional[UserProtocol]:...
+    def get_by_email_or_username(self,value:str) -> Optional[UserProtocol]:...
+
+    def create_user(self,* , email: str, username: str, password: str,is_staff:bool,is_active:bool,is_superuser:bool) -> UserProtocol:...
+

authkit/protocols.pyi

@@ -0,0 +1,27 @@
+from typing import Protocol, Optional, runtime_checkable
+
+@runtime_checkable
+class UserProtocol(Protocol):
+    id: int
+    email: str
+    username: str
+    password_hash: str
+    is_active: bool
+    is_staff: bool
+    is_superuser: bool
+
+class AsyncUserProtocol(Protocol):
+    async def get_by_id(self, user_id: int) -> Optional[UserProtocol]: ...
+    async def get_by_email_or_username(self, value: str) -> Optional[UserProtocol]: ...
+    async def create_user(
+        self, *, email: str, username: str, password_hash: str,
+        is_active: bool = ..., is_staff: bool = ..., is_superuser: bool = ...
+    ) -> UserProtocol: ...
+
+class SyncUserProtocol(Protocol):
+    def get_by_id(self, user_id: int) -> Optional[UserProtocol]: ...
+    def get_by_email_or_username(self, value: str) -> Optional[UserProtocol]: ...
+    def create_user(
+        self, *, email: str, username: str, password_hash: str,
+        is_active: bool = ..., is_staff: bool = ..., is_superuser: bool = ...
+    ) -> UserProtocol: ...

authkit/service.py

@@ -0,0 +1,145 @@
+from  __future__ import annotations
+
+import secrets
+from fastapi import HTTPException , status
+
+from .hashing import  hash_password , verify_password
+from .settings import AuthSettings
+
+from .tokens  import (
+create_access_token,
+create_refresh_token,
+decode_refresh
+)
+from .protocols import  AsyncUserProtocol , SyncUserProtocol , UserProtocol
+
+
+class AsyncAuthService:
+    def __init__(self,settings:AuthSettings,repo:AsyncUserProtocol):
+        self.settings = settings
+        self.repo = repo
+
+    async def create_user(self, email:str, username:str, password:str) -> UserProtocol:
+        existing_user = await self.repo.get_by_email_or_username(email) or await self.repo.get_by_email_or_username(username)
+        if existing_user:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="User with this email or username already exists")
+        return await self.repo.create_user(
+            email=email,
+            username=username,
+            password=hash_password(password),
+            is_active=True,
+            is_staff=False,
+            is_superuser=False,
+        )
+
+    async def create_superuser(self, email:str, username:str, password:str) -> UserProtocol:
+        existing_user = await self.repo.get_by_email_or_username(email) or await self.repo.get_by_email_or_username(username)
+        if existing_user:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="User with this email or username already exists")
+        return await self.repo.create_user(
+            email=email,
+            username=username,
+            password=hash_password(password),
+            is_active=True,
+            is_staff=True,
+            is_superuser=True,
+        )
+
+
+    async def authenticate(self , user_name_or_email:str, password:str) -> UserProtocol:
+        user = await self.repo.get_by_email_or_username(user_name_or_email)
+        if not user or not verify_password(password, user.password_hash):
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
+        return user
+
+
+    async  def assign_token(self , user:UserProtocol) -> tuple[str, str]:
+        access_token = create_access_token(self.settings , subject=str(user.id))
+        refresh_token = create_refresh_token(self.settings , subject=str(user.id), jti=secrets.token_hex(16))
+        return access_token, refresh_token
+
+
+    async def refresh_pair(self , refresh_token:str) ->tuple[str, str|None]:
+        payload = decode_refresh(self.settings , refresh_token)
+        sub = payload.get("sub")
+        new_access_token = create_access_token(self.settings , subject=str(sub))
+        if self.settings.refresh_rotation:
+            new_refresh_token = create_refresh_token(self.settings , subject=str(sub) , jti=secrets.token_hex(16))
+            return new_access_token, new_refresh_token
+        return new_access_token, None
+
+
+class AuthService:
+    def __init__(self, settings: AuthSettings, repo: SyncUserProtocol):
+        self.settings = settings
+        self.repo = repo
+
+    def create_user(self, email: str, username: str, password: str) -> UserProtocol:
+        existing_user = (
+            self.repo.get_by_email_or_username(email)
+            or self.repo.get_by_email_or_username(username)
+        )
+        if existing_user:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="User with this email or username already exists",
+            )
+
+        return self.repo.create_user(
+            email=email,
+            username=username,
+            password=hash_password(password),
+            is_active=True,
+            is_staff=False,
+            is_superuser=False,
+        )
+
+    def create_superuser(self, email: str, username: str, password: str) -> UserProtocol:
+        existing_user = (
+            self.repo.get_by_email_or_username(email)
+            or self.repo.get_by_email_or_username(username)
+        )
+        if existing_user:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="User with this email or username already exists",
+            )
+
+        return self.repo.create_user(
+            email=email,
+            username=username,
+            password=hash_password(password),
+            is_active=True,
+            is_staff=True,
+            is_superuser=True,
+        )
+
+    def authenticate(self, user_name_or_email: str, password: str) -> UserProtocol:
+        user = self.repo.get_by_email_or_username(user_name_or_email)
+        if not user or not verify_password(password, user.password_hash):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid credentials",
+            )
+        return user
+
+    def assign_token(self, user: UserProtocol) -> tuple[str, str]:
+        access_token = create_access_token(self.settings, subject=str(user.id))
+        refresh_token = create_refresh_token(self.settings, subject=str(user.id), jti=secrets.token_hex(16))
+        return access_token, refresh_token
+
+    def refresh_pair(self, refresh_token: str) -> tuple[str, str | None]:
+        payload = decode_refresh(self.settings, refresh_token)
+        sub = payload.get("sub")
+
+        new_access_token = create_access_token(self.settings, subject=str(sub))
+
+        if self.settings.refresh_rotation:
+            new_refresh_token = create_refresh_token(
+                self.settings,
+                subject=str(sub),
+                jti=secrets.token_hex(16),
+            )
+            return new_access_token, new_refresh_token
+
+        return new_access_token, None

authkit/service.pyi

@@ -0,0 +1,18 @@
+from .settings import AuthSettings
+from .protocols import AsyncUserRepo, SyncUserRepo, UserLike
+
+class AuthServiceAsync:
+    def __init__(self, settings: AuthSettings, repo: AsyncUserRepo) -> None: ...
+    async def create_user(self, email: str, username: str, password: str) -> UserLike: ...
+    async def create_superuser(self, email: str, username: str, password: str) -> UserLike: ...
+    async def authenticate(self, username_or_email: str, password: str) -> UserLike: ...
+    async def issue_token_pair(self, user: UserLike) -> tuple[str, str]: ...
+    async def refresh_pair(self, refresh_token: str) -> tuple[str, str | None]: ...
+
+class AuthServiceSync:
+    def __init__(self, settings: AuthSettings, repo: SyncUserRepo) -> None: ...
+    def create_user(self, email: str, username: str, password: str) -> UserLike: ...
+    def create_superuser(self, email: str, username: str, password: str) -> UserLike: ...
+    def authenticate(self, username_or_email: str, password: str) -> UserLike: ...
+    def issue_token_pair(self, user: UserLike) -> tuple[str, str]: ...
+    def refresh_pair(self, refresh_token: str) -> tuple[str, str | None]: ...

authkit/settings.py

@@ -0,0 +1,26 @@
+from  dataclasses import dataclass
+from typing import Literal
+
+@dataclass(frozen=True)
+class AuthSettings:
+    secret_key: str
+    algorithm: str = "HS256"
+
+    access_minutes: int = 15
+    refresh_days: int = 7
+
+    cookie_name_access: str = "access_token"
+    cookie_name_refresh: str = "refresh_token"
+
+    accept_header: bool = True
+    accept_cookie: bool = True
+
+    set_cookie_on_login: bool = True
+    cookie_secure: bool = True
+    cookie_samesite: Literal["lax", "strict", "none"] = "lax"
+    cookie_max_age_access: int = 60 * 15
+    cookie_max_age_refresh: int = 60 * 60 * 24 * 7
+
+    # SimpleJWT-style extras
+    refresh_rotation: bool = True
+    blacklist_after_rotation: bool = True 

authkit/settings.pyi

@@ -0,0 +1,26 @@
+from dataclasses import dataclass
+from typing import  Literal
+
+
+@dataclass(frozen=True)
+class AuthSettings:
+    secret_key: str
+    algorithm: str = ...
+
+    access_minutes: int = ...
+    refresh_days: int = ...
+
+    accept_header: bool = ...
+    accept_cookie: bool = ...
+
+    cookie_name_access: str = ...
+    cookie_name_refresh: str = ...
+
+    set_cookie_on_login: bool = ...
+    cookie_secure: bool = ...
+    cookie_samesite: Literal["lax", "strict", "none"] = "lax"
+    cookie_max_age_access: int = ...
+    cookie_max_age_refresh: int = ...
+
+    refresh_rotation: bool = ...
+    blacklist_after_rotation: bool = ...

authkit/tokens.py

@@ -0,0 +1,45 @@
+from  datetime import  datetime , timedelta , timezone
+from  jose import  jwt , JWTError
+from fastapi import  HTTPException , status
+from .settings import AuthSettings
+
+
+def _encode(settings:AuthSettings , payload:dict) -> str:
+    return  jwt.encode(payload, settings.secret_key , algorithm=settings.algorithm)
+
+
+def _decode(settings:AuthSettings , token:str) -> dict[str, str]:
+    return  jwt.decode(token,settings.secret_key,algorithms=[settings.algorithm])
+
+def create_access_token(settings: AuthSettings, *, subject: str) -> str:
+    now = datetime.now(timezone.utc)
+    exp = now + timedelta(minutes=settings.access_minutes)
+    payload = {"sub": subject, "type": "access", "iat": int(now.timestamp()), "exp": int(exp.timestamp())}
+    return _encode(settings, payload)
+
+def create_refresh_token(settings: AuthSettings, *, subject: str, jti: str) -> str:
+    now = datetime.now(timezone.utc)
+    exp = now + timedelta(days=settings.refresh_days)
+    payload = {"sub": subject, "type": "refresh", "jti": jti, "iat": int(now.timestamp()), "exp": int(exp.timestamp())}
+    return _encode(settings, payload)
+
+
+def decode_access(settings:AuthSettings,token:str)->dict[str, str]:
+    try:
+        payload = _decode(settings, token)
+        if payload["type"] != "access":
+            raise HTTPException(status_code=401,detail="Invalid access token")
+        return payload
+    except JWTError:
+        raise HTTPException(status_code=401,detail="Invalid access token",headers={"WWW-Authenticate":"Bearer"})
+
+
+
+def decode_refresh(settings:AuthSettings,token:str)-> dict:
+    try:
+        payload = _decode(settings, token)
+        if payload["type"] != "refresh":
+            raise HTTPException(status_code=401,detail="Invalid refresh token")
+        return payload
+    except JWTError:
+        raise HTTPException(status_code=401,detail="Invalid refresh token",headers={"WWW-Authenticate":"Bearer"})

authkit/tokens.pyi

@@ -0,0 +1,6 @@
+from .settings import AuthSettings
+
+def create_access_token(settings: AuthSettings, *, subject: str) -> str: ...
+def create_refresh_token(settings: AuthSettings, *, subject: str, jti: str) -> str: ...
+def decode_access(settings: AuthSettings, token: str) -> dict: ...
+def decode_refresh(settings: AuthSettings, token: str) -> dict: ...

fastapi_jwt_authkit-0.1.0.dist-info/METADATA

@@ -0,0 +1,366 @@
+Metadata-Version: 2.4
+Name: fastapi-jwt-authkit
+Version: 0.1.0
+Summary: FastAPI authentication library with JWT access/refresh tokens, sync & async SQLAlchemy support, built-in auth routes (register/login/refresh/me), secure password hashing, and cookie/header token support.
+Project-URL: Homepage, https://github.com/azimhossaintuhin/fastapi-jwt-authkit
+Project-URL: Repository, https://github.com/azimhossaintuhin/fastapi-jwt-authkit
+Project-URL: Issues, https://github.com/azimhossaintuhin/fastapi-jwt-authkit/issues
+Author: Azim Hossain Tuhin
+License: MIT License
+        
+        Copyright (c) 2026 Fast Auth Kit contributors
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: access-token,async,auth,authentication,bcrypt,fastapi,fastapi-auth,fastapi-jwt,json-web-token,jwt,login,password-hashing,refresh-token,register,security,sqlalchemy,sync
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: bcrypt<5.0.0,>=4.0.0
+Requires-Dist: fastapi>=0.110
+Requires-Dist: hatch>=1.16.3
+Requires-Dist: passlib[bcrypt]>=1.7.4
+Requires-Dist: pydantic[email]>=2.0.0
+Requires-Dist: python-jose[cryptography]>=3.3.0
+Requires-Dist: sqlalchemy>=2.0.0
+Provides-Extra: dev
+Requires-Dist: aiosqlite>=0.20.0; extra == 'dev'
+Requires-Dist: build>=1.4.0; extra == 'dev'
+Requires-Dist: httpx>=0.28.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.24.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Requires-Dist: twine>=6.2.0; extra == 'dev'
+Requires-Dist: uvicorn>=0.40.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# FastAPI Auth Kit
+
+**FastAPI authentication library with JWT access/refresh tokens, sync & async SQLAlchemy support, built-in auth routes (register/login/refresh/me), secure password hashing, and cookie/header token support.**
+
+Complete authentication toolkit for FastAPI with JWT, designed for both sync and async SQLAlchemy backends. Provides batteries-included auth services, FastAPI routers, token utilities, and a clean protocol-driven repository interface.
+
+## Highlights
+
+- JWT access + refresh tokens with rotation
+- Sync and async SQLAlchemy adapters
+- Drop-in FastAPI routers for register, login, refresh, logout, and `/me`
+- Cookie and Authorization header support
+- Strong typing and protocol-based extensibility
+- Works with your own User model
+
+## Package Layout
+
+```
+packages/authkit/src/authkit/
+  fastapi/      # FastAPI router builders + schemas
+  ext/          # SQLAlchemy protocol adapters (sync/async)
+  authenticator.py
+  service.py
+  tokens.py
+  hashing.py
+  settings.py
+  extractors.py
+```
+
+## Installation
+
+### From this repo
+
+```bash
+uv sync
+```
+
+### In your project
+
+```bash
+pip install fastapi-jwt-authkit
+```
+
+> The PyPI package name is `fastapi-jwt-authkit`, the import name is `authkit`.
+
+### Typing support
+
+Type information (`.pyi` + `py.typed`) is bundled with the package for IDEs and
+static type checkers.
+
+## Quickstart (Async)
+
+```python
+from fastapi import FastAPI
+from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine, async_sessionmaker
+
+from authkit import AuthSettings
+from authkit.fastapi.routers import build_auth_router_async
+
+from your_app.models import Base, User
+
+DATABASE_URL = "sqlite+aiosqlite:///./app.db"
+engine = create_async_engine(DATABASE_URL, echo=False)
+SessionLocal = async_sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)
+
+async def get_session():
+    async with SessionLocal() as session:
+        try:
+            yield session
+            await session.commit()
+        except Exception:
+            await session.rollback()
+            raise
+
+settings = AuthSettings(secret_key="change-me", cookie_secure=False)
+
+app = FastAPI()
+auth_router = build_auth_router_async(
+    settings=settings,
+    get_session=get_session,
+    user_model=User,
+)
+app.include_router(auth_router, prefix="/auth", tags=["auth"])
+```
+
+## Quickstart (Sync)
+
+```python
+from fastapi import FastAPI
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+
+from authkit import AuthSettings
+from authkit.fastapi.routers import build_auth_router_sync
+
+from your_app.models import Base, User
+
+DATABASE_URL = "sqlite:///./app.db"
+engine = create_engine(DATABASE_URL, echo=False)
+SessionLocal = sessionmaker(bind=engine, autocommit=False, autoflush=False)
+
+def get_session():
+    session = SessionLocal()
+    try:
+        yield session
+        session.commit()
+    except Exception:
+        session.rollback()
+        raise
+    finally:
+        session.close()
+
+settings = AuthSettings(secret_key="change-me", cookie_secure=False)
+
+app = FastAPI()
+auth_router = build_auth_router_sync(
+    settings=settings,
+    get_session=get_session,
+    user_models=User,
+)
+app.include_router(auth_router, prefix="/auth", tags=["auth"])
+```
+
+## Core Concepts
+
+### AuthSettings
+
+All auth behavior is configured via `AuthSettings`:
+
+```python
+AuthSettings(
+    secret_key="your-secret",
+    algorithm="HS256",
+    access_minutes=15,
+    refresh_days=7,
+    accept_header=True,
+    accept_cookie=True,
+    set_cookie_on_login=True,
+    cookie_secure=True,
+    cookie_samesite="lax",
+)
+```
+
+### AuthService / AsyncAuthService
+
+Business logic for creating users, authenticating, and issuing tokens. Uses a
+repository protocol so you can plug in your own persistence layer.
+
+### SQLAlchemy Adapters
+
+- `SQLAlchemySyncUserProtocol`
+- `SQLAlchemyAsyncUserProtocol`
+
+These adapters expect a SQLAlchemy model with the following fields:
+
+```python
+class User(Base):
+    id: int
+    email: str
+    username: str
+    password_hash: str
+    is_active: bool
+    is_staff: bool
+    is_superuser: bool
+```
+
+## API Endpoints
+
+When you include the auth router with prefix `/auth`, the following endpoints
+are available:
+
+| Method | Path           | Description                 |
+|--------|----------------|-----------------------------|
+| POST   | /auth/register | Create a new user           |
+| POST   | /auth/login    | Authenticate + issue tokens |
+| POST   | /auth/refresh  | Refresh access token        |
+| POST   | /auth/logout   | Clear auth cookies          |
+| GET    | /auth/me       | Get current user            |
+
+### Request/Response Schemas
+
+**Register**
+```json
+{ "email": "user@example.com", "username": "user", "password": "secret" }
+```
+
+**Login**
+```json
+{ "username_or_email": "user", "password": "secret" }
+```
+
+**Token Response**
+```json
+{ "access_token": "jwt", "refresh_token": "jwt" }
+```
+
+## Cookies and Headers
+
+`AuthSettings` controls where tokens are accepted and how they are stored:
+
+- `accept_header`: allow `Authorization: Bearer <token>`
+- `accept_cookie`: allow cookies
+- `set_cookie_on_login`: set cookies on successful login
+
+Cookie names and TTL are customizable with:
+`cookie_name_access`, `cookie_name_refresh`, `cookie_max_age_access`,
+`cookie_max_age_refresh`.
+
+## Security Considerations
+
+- Use a strong `secret_key` and rotate regularly.
+- Set `cookie_secure=True` in production (HTTPS only).
+- Consider `cookie_samesite="strict"` for web apps with tight CSRF control.
+- Short access token TTLs with longer refresh TTLs are recommended.
+
+## Production Checklist
+
+- [x] `secret_key` stored in a secure secret manager
+- [x] HTTPS enforced
+- [x] `cookie_secure=True`, `cookie_samesite` set per app policy
+- [x] Rotate JWT secret or use KMS-backed signing
+- [x] Enable logging around login and refresh flows
+- [x] Implement account lockout or rate limiting at the API gateway
+- [x] Configure backups for the user datastore
+
+## Compatibility
+
+- Python: 3.10+
+- FastAPI: 0.110+
+- SQLAlchemy: 2.x
+
+## Observability
+
+This library raises standard `HTTPException` errors. For production:
+
+- Add structured logging around auth endpoints
+- Add tracing/metrics at the FastAPI middleware layer
+
+## Versioning
+
+Follows semantic versioning: `MAJOR.MINOR.PATCH`.
+
+## Testing
+
+Run the full test suite:
+
+```bash
+uv run pytest tests/ -v
+```
+
+All tests are under `tests/` and cover tokens, hashing, services, and router
+integration (sync + async).
+
+## Examples
+
+Working example apps are provided:
+
+- `examples/async_app.py`
+- `examples/sync_app.py`
+
+Run:
+
+```bash
+uv run python -m examples.async_app
+uv run python -m examples.sync_app
+```
+
+## Extending the Repo Layer
+
+Implement the repo protocol if you use a different persistence layer:
+
+```python
+class MyRepo:
+    def get_by_id(self, user_id: int): ...
+    def get_by_email_or_username(self, value: str): ...
+    def create_user(self, *, email: str, username: str, password: str,
+                    is_staff: bool, is_active: bool, is_superuser: bool): ...
+```
+
+Async version must expose the same methods as `async def`.
+
+## Typing Notes
+
+Type information is bundled with the package (`.pyi` + `py.typed`). If your IDE
+or type checker does not pick it up, ensure:
+
+- Your tooling supports PEP 561
+
+## Troubleshooting
+
+**Bcrypt errors on Windows**
+
+If you see bcrypt backend errors during hashing, ensure you have `bcrypt<5`
+installed. This repo pins it accordingly in `pyproject.toml`.
+
+**SQLite in-memory tests**
+
+In-memory SQLite needs a `StaticPool` so all sessions share the same DB
+connection. The tests already handle this.
+
+## License
+
+MIT (see `LICENSE`).

fastapi_jwt_authkit-0.1.0.dist-info/RECORD

@@ -0,0 +1,33 @@
+authkit/__init__.py,sha256=gsjMS3Rzt9fhv_KE1FQj83mqbifXoOZU7tUMNQHForI,74
+authkit/authenticator.py,sha256=DWxq5xiCQe5_AB6MqjM8RaZRi3fqv8tJMEeHD-o-BjI,1900
+authkit/extractors.py,sha256=bqd-FrF0azwQlbldfPXInHxeDL03c1pv3XEG18nuKfM,931
+authkit/hashing.py,sha256=XrUOLOCJnT3XLZKiQrImrEBnrhBgo1sg3FF_qTok35A,306
+authkit/protocols.py,sha256=E7n1VFVb2cr_vCrICaingEYNQ8Ln0ML-bM-6z7_cYlk,930
+authkit/service.py,sha256=gCY6bZ0CvhI4xnRkF9W4PVvme7EnRO2OBIhgCNdmkOk,5839
+authkit/settings.py,sha256=pNs2H0FVVU3BiyVaGD73E2mtGNXgIOvS2BCxv1IHK28,722
+authkit/tokens.py,sha256=ZGgo-ojF1dR6H_lM1IvRQU42L00nc8vmldjna6-qRjQ,1946
+authkit/ext/sqlalchemy/__init__.py,sha256=E99dNP7QXiWqtotp5zS9BcbN-9yzdLMi_lieYOsuqwI,179
+authkit/ext/sqlalchemy/sa_async.py,sha256=IHqiqGEGJaO8r9C-C2PK8lUol7ebmt1Kg3whdEkEhiY,1438
+authkit/ext/sqlalchemy/sa_sync.py,sha256=ou9wW61Xuxi9rog2kj0WvrfeLH6oyiT75IEJ92z2vjA,1790
+authkit/fastapi/__init__.py,sha256=WLmOv8aCLhA1bRuMAHeQMRtXhGGJ56JSkk_f07UGeqs,138
+authkit/fastapi/models.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+authkit/fastapi/routers.py,sha256=7pnoNhKOtjqHCDB0nGS2O7ay34U1A2clyHK_TtzKqpE,6949
+authkit/fastapi/schema.py,sha256=jgR1HQ_97ktrGuMnUSIYmyvXK0AFmatisrVbQiKH76M,228
+authkit/__init__.pyi,sha256=0AUemrFriJT9zpaU7ykTbU9rnfeZx6wDsH-QR6HpJZ4,56
+authkit/authenticator.pyi,sha256=-nv299UzzB0kp0znvNuEKT-Rmcly0MB0Qu77CgOy6To,507
+authkit/extractors.pyi,sha256=tN7FWcNbohTlBc7Gc2qU-6Z-bRHqFyg6xzvvrG5CXXg,242
+authkit/hashing.pyi,sha256=q5eDOjBfigg1FoXzD3x1vNq_-3U2MptD3EUAumKfHO4,115
+authkit/protocols.pyi,sha256=6ES1giz4-igw8U__i0wnaNDwuibtiPDIsU7RyP5n3xg,1035
+authkit/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+authkit/service.pyi,sha256=VXubFz8NMxxcKX_scsh6S7MTcEqCUhrcCgWkzEaB5Uo,1168
+authkit/settings.pyi,sha256=Q8-yqDh_X_NhdNy2j4TP4A7KgFLo_0-f917ftUQ7MxI,648
+authkit/tokens.pyi,sha256=dhsPGciuQJlOcj0SloMgq9Il5KbeKHG7g4rFwo9pzCw,342
+authkit/ext/sqlalchmey/__init__.pyi,sha256=61eiQrAwk76Vh02EJqlPxilZXteAqWdXGIheAvXXNr0,114
+authkit/ext/sqlalchmey/sa_async.pyi,sha256=Ki5O9RB6LCl48NrRdlUVuf1emwQt-CR4ANcfQGiCEBM,616
+authkit/ext/sqlalchmey/sa_sync.pyi,sha256=C7qe0-EUc-Yt2IgAN4aWPA-a4u6ALdt1saofY2IKTR4,579
+authkit/fastapi/__init__.pyi,sha256=Zh4P3i5_DM5ion1Fm_mD7VRMQYWUMdPnTJW2twFL0f8,89
+authkit/fastapi/routers.pyi,sha256=j0P-H6gxl81SfPvnmNzlgmf1Pi9AneCzkjgmHQsV2Tc,363
+fastapi_jwt_authkit-0.1.0.dist-info/METADATA,sha256=JrEWVwySBhVzBrOEVrdviCPZx7iZGjfIKiWXY49H1zw,10906
+fastapi_jwt_authkit-0.1.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+fastapi_jwt_authkit-0.1.0.dist-info/licenses/LICENSE,sha256=lGUjO1MnKSevCg_8dVVqs4q_JmqbMRnEBt7QtwFsLfs,1102
+fastapi_jwt_authkit-0.1.0.dist-info/RECORD,,

fastapi_jwt_authkit-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.28.0
+Root-Is-Purelib: true
+Tag: py3-none-any

fastapi_jwt_authkit-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Fast Auth Kit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.