fastapi-sso 0.15.0__tar.gz → 0.17.0__tar.gz

{fastapi_sso-0.15.0 → fastapi_sso-0.17.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fastapi-sso
-Version: 0.15.0
+Version: 0.17.0
 Summary: FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)
 Home-page: https://tomasvotava.github.io/fastapi-sso/
 License: MIT
@@ -15,10 +15,12 @@ Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: fastapi (>=0.80)
 Requires-Dist: httpx (>=0.23.0)
 Requires-Dist: oauthlib (>=3.1.0)
 Requires-Dist: pydantic[email] (>=1.8.0)
+Requires-Dist: typing-extensions (>=4.12.2,<5.0.0) ; python_version < "3.10"
 Project-URL: Documentation, https://tomasvotava.github.io/fastapi-sso/
 Project-URL: Repository, https://github.com/tomasvotava/fastapi-sso
 Description-Content-Type: text/markdown
@@ -61,14 +63,53 @@ Quick links for the eager ones:
 - [Demo site](https://fastapi-sso-example.vercel.app/)
 - [Medium articles](https://medium.com/@christos.karvouniaris247)
 
-## Security warning
+## Security Notice
 
-Please note that versions preceding `0.7.0` had a security vulnerability.
-The SSO instance could share state between requests, which could lead to security issues.
-**Please update to `0.7.0` or newer**.
+### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
-Also, the preferred way of using the SSO instances is to use `with` statement, which will ensure the state is cleared.
-See example below.
+A race condition bug in the login flow that could, in rare cases, allow one user
+to assume the identity of another due to concurrent login requests was recently discovered
+by [@parikls](https://github.com/parikls).
+This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
+in version `0.16.0`.
+
+**Details of the Fix:**
+
+The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login
+process at any given time. This prevents race conditions that could lead to unintended user identity crossover.
+
+**Important Change:**
+
+To fully support this fix, **users must now use the SSO instance within an `async with`
+context manager**. This adjustment is necessary for proper handling of asynchronous operations.
+
+The synchronous `with` context manager is now deprecated and will produce a warning.
+It will be removed in future versions to ensure best practices for async handling.
+
+**Impact:**
+
+This bug could potentially affect deployments with high concurrency or scenarios where multiple users initiate
+login requests simultaneously. To prevent potential issues and deprecation warnings, **update to
+version `0.16.0` or later and modify your code to use the async with context**.
+
+Code Example Update:
+
+```python
+# Before (deprecated)
+with sso:
+    openid = await sso.verify_and_process(request)
+
+# After (recommended)
+async with sso:
+    openid = await sso.verify_and_process(request)
+```
+
+Thanks to both [@parikls](https://github.com/parikls) and the community for helping me identify and improve the
+security of `fastapi-sso`. If you encounter any issues or potential vulnerabilities, please report them
+immediately so they can be addressed.
+
+For more details, refer to Issue [#186](https://github.com/tomasvotava/fastapi-sso/issues/186)
+and PR [#189](https://github.com/tomasvotava/fastapi-sso/pull/189).
 
 ## Support this project
 
@@ -101,6 +142,9 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Line (by Jimmy Yeh) - [jimmyyyeh](https://github.com/jimmyyyeh)
 - LinkedIn (by Alessandro Pischedda) - [Cereal84](https://github.com/Cereal84)
 - Yandex (by Akim Faskhutdinov) – [akimrx](https://github.com/akimrx)
+- Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
+- Discord (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
+- Bitbucket (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.15.0 → fastapi_sso-0.17.0}/README.md

@@ -36,14 +36,53 @@ Quick links for the eager ones:
 - [Demo site](https://fastapi-sso-example.vercel.app/)
 - [Medium articles](https://medium.com/@christos.karvouniaris247)
 
-## Security warning
+## Security Notice
 
-Please note that versions preceding `0.7.0` had a security vulnerability.
-The SSO instance could share state between requests, which could lead to security issues.
-**Please update to `0.7.0` or newer**.
+### Version `0.16.0` Update: Race Condition Bug Fix & Context Manager Change
 
-Also, the preferred way of using the SSO instances is to use `with` statement, which will ensure the state is cleared.
-See example below.
+A race condition bug in the login flow that could, in rare cases, allow one user
+to assume the identity of another due to concurrent login requests was recently discovered
+by [@parikls](https://github.com/parikls).
+This issue was reported in [#186](https://github.com/tomasvotava/fastapi-sso/issues/186) and has been resolved
+in version `0.16.0`.
+
+**Details of the Fix:**
+
+The bug was mitigated by introducing an async lock mechanism that ensures only one user can attempt the login
+process at any given time. This prevents race conditions that could lead to unintended user identity crossover.
+
+**Important Change:**
+
+To fully support this fix, **users must now use the SSO instance within an `async with`
+context manager**. This adjustment is necessary for proper handling of asynchronous operations.
+
+The synchronous `with` context manager is now deprecated and will produce a warning.
+It will be removed in future versions to ensure best practices for async handling.
+
+**Impact:**
+
+This bug could potentially affect deployments with high concurrency or scenarios where multiple users initiate
+login requests simultaneously. To prevent potential issues and deprecation warnings, **update to
+version `0.16.0` or later and modify your code to use the async with context**.
+
+Code Example Update:
+
+```python
+# Before (deprecated)
+with sso:
+    openid = await sso.verify_and_process(request)
+
+# After (recommended)
+async with sso:
+    openid = await sso.verify_and_process(request)
+```
+
+Thanks to both [@parikls](https://github.com/parikls) and the community for helping me identify and improve the
+security of `fastapi-sso`. If you encounter any issues or potential vulnerabilities, please report them
+immediately so they can be addressed.
+
+For more details, refer to Issue [#186](https://github.com/tomasvotava/fastapi-sso/issues/186)
+and PR [#189](https://github.com/tomasvotava/fastapi-sso/pull/189).
 
 ## Support this project
 
@@ -76,6 +115,9 @@ I tend to process Pull Requests faster when properly caffeinated 😉.
 - Line (by Jimmy Yeh) - [jimmyyyeh](https://github.com/jimmyyyeh)
 - LinkedIn (by Alessandro Pischedda) - [Cereal84](https://github.com/Cereal84)
 - Yandex (by Akim Faskhutdinov) – [akimrx](https://github.com/akimrx)
+- Seznam (by Tomas Koutek) - [TomasKoutek](https://github.com/TomasKoutek)
+- Discord (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
+- Bitbucket (by Kaelian Baudelet) - [afi-dev](https://github.com/afi-dev)
 
 See [Contributing](#contributing) for a guide on how to contribute your own login provider.
 

{fastapi_sso-0.15.0 → fastapi_sso-0.17.0}/fastapi_sso/__init__.py

@@ -4,6 +4,8 @@
 """
 
 from .sso.base import OpenID, SSOBase, SSOLoginError
+from .sso.bitbucket import BitbucketSSO
+from .sso.discord import DiscordSSO
 from .sso.facebook import FacebookSSO
 from .sso.fitbit import FitbitSSO
 from .sso.generic import create_provider
@@ -37,4 +39,6 @@ __all__ = [
     "NotionSSO",
     "SpotifySSO",
     "TwitterSSO",
+    "BitbucketSSO",
+    "DiscordSSO",
 ]

{fastapi_sso-0.15.0 → fastapi_sso-0.17.0}/fastapi_sso/sso/base.py

@@ -1,11 +1,13 @@
 """SSO login base dependency."""
 
+import asyncio
 import json
 import logging
 import os
+import sys
 import warnings
 from types import TracebackType
-from typing import Any, ClassVar, Dict, List, Literal, Optional, Type, TypedDict, Union, overload
+from typing import Any, ClassVar, Dict, List, Literal, Optional, Type, TypedDict, TypeVar, Union, overload
 
 import httpx
 import pydantic
@@ -17,8 +19,19 @@ from starlette.responses import RedirectResponse
 from fastapi_sso.pkce import get_pkce_challenge_pair
 from fastapi_sso.state import generate_random_state
 
+if sys.version_info < (3, 10):
+    from typing import Callable  # pragma: no cover
+
+    from typing_extensions import ParamSpec  # pragma: no cover
+else:
+    from collections.abc import Callable
+    from typing import ParamSpec
+
 logger = logging.getLogger(__name__)
 
+T = TypeVar("T")
+P = ParamSpec("P")
+
 
 class DiscoveryDocument(TypedDict):
     """Discovery document."""
@@ -55,6 +68,26 @@ class OpenID(pydantic.BaseModel):
     provider: Optional[str] = None
 
 
+class SecurityWarning(UserWarning):
+    """Raised when insecure usage is detected"""
+
+
+def requires_async_context(func: Callable[P, T]) -> Callable[P, T]:
+    def wrapper(*args: P.args, **kwargs: P.kwargs) -> T:
+        if not args or not isinstance(args[0], SSOBase):
+            return func(*args, **kwargs)
+        if not args[0]._in_stack:
+            warnings.warn(
+                "Please make sure you are using SSO provider in an async context (using 'async with provider:'). "
+                "See https://github.com/tomasvotava/fastapi-sso/issues/186 for more information.",
+                category=SecurityWarning,
+                stacklevel=1,
+            )
+        return func(*args, **kwargs)
+
+    return wrapper
+
+
 class SSOBase:
     """Base class for all SSO providers."""
 
@@ -83,6 +116,8 @@ class SSOBase:
         self.client_secret: str = client_secret
         self.redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = redirect_uri
         self.allow_insecure_http: bool = allow_insecure_http
+        self._login_lock = asyncio.Lock()
+        self._in_stack = False
         self._oauth_client: Optional[WebApplicationClient] = None
         self._generated_state: Optional[str] = None
 
@@ -128,6 +163,7 @@ class SSOBase:
         return self._state
 
     @property
+    @requires_async_context
     def oauth_client(self) -> WebApplicationClient:
         """Retrieves the OAuth Client to aid in generating requests and parsing responses.
 
@@ -144,6 +180,7 @@ class SSOBase:
         return self._oauth_client
 
     @property
+    @requires_async_context
     def access_token(self) -> Optional[str]:
         """Retrieves the access token from token endpoint.
 
@@ -153,6 +190,7 @@ class SSOBase:
         return self.oauth_client.access_token
 
     @property
+    @requires_async_context
     def refresh_token(self) -> Optional[str]:
         """Retrieves the refresh token if returned from provider.
 
@@ -162,6 +200,7 @@ class SSOBase:
         return self._refresh_token or self.oauth_client.refresh_token
 
     @property
+    @requires_async_context
     def id_token(self) -> Optional[str]:
         """Retrieves the id token if returned from provider.
 
@@ -308,6 +347,7 @@ class SSOBase:
         convert_response: Literal[False],
     ) -> Optional[Dict[str, Any]]: ...
 
+    @requires_async_context
     async def verify_and_process(
         self,
         request: Request,
@@ -362,6 +402,12 @@ class SSOBase:
         )
 
     def __enter__(self) -> "SSOBase":
+        warnings.warn(
+            "SSO Providers are supposed to be used in async context, please change 'with provider' to "
+            "'async with provider'. See https://github.com/tomasvotava/fastapi-sso/issues/186 for more information.",
+            DeprecationWarning,
+            stacklevel=1,
+        )
         self._oauth_client = None
         self._refresh_token = None
         self._id_token = None
@@ -372,6 +418,28 @@ class SSOBase:
             self._pkce_code_verifier, self._pkce_code_challenge = get_pkce_challenge_pair(self._pkce_challenge_length)
         return self
 
+    async def __aenter__(self) -> "SSOBase":
+        await self._login_lock.acquire()
+        self._in_stack = True
+        self._oauth_client = None
+        self._refresh_token = None
+        self._id_token = None
+        self._state = None
+        if self.requires_state:
+            self._generated_state = generate_random_state()
+        if self.uses_pkce:
+            self._pkce_code_verifier, self._pkce_code_challenge = get_pkce_challenge_pair(self._pkce_challenge_length)
+        return self
+
+    async def __aexit__(
+        self,
+        _exc_type: Optional[Type[BaseException]],
+        _exc_val: Optional[BaseException],
+        _exc_tb: Optional[TracebackType],
+    ) -> None:
+        self._in_stack = False
+        self._login_lock.release()
+
     def __exit__(
         self,
         _exc_type: Optional[Type[BaseException]],
@@ -410,6 +478,7 @@ class SSOBase:
         convert_response: Literal[False],
     ) -> Optional[Dict[str, Any]]: ...
 
+    @requires_async_context
     async def process_login(
         self,
         code: str,

fastapi_sso-0.17.0/fastapi_sso/sso/bitbucket.py

@@ -0,0 +1,60 @@
+"""BitBucket SSO Oauth Helper class"""
+
+from typing import TYPE_CHECKING, ClassVar, List, Optional, Union
+
+import pydantic
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+class BitbucketSSO(SSOBase):
+    """Class providing login using BitBucket OAuth"""
+
+    provider = "bitbucket"
+    scope: ClassVar = ["account", "email"]
+    version = "2.0"
+
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
+        allow_insecure_http: bool = False,
+        scope: Optional[List[str]] = None,
+    ):
+        super().__init__(
+            client_id=client_id,
+            client_secret=client_secret,
+            redirect_uri=redirect_uri,
+            allow_insecure_http=allow_insecure_http,
+            scope=scope,
+        )
+
+    async def get_useremail(self, session: Optional["httpx.AsyncClient"] = None) -> dict:
+        """Get user email"""
+        if session is None:
+            raise ValueError("Session is required to make HTTP requests")
+
+        response = await session.get(f"https://api.bitbucket.org/{self.version}/user/emails")
+        return response.json()
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        return {
+            "authorization_endpoint": "https://bitbucket.org/site/oauth2/authorize",
+            "token_endpoint": "https://bitbucket.org/site/oauth2/access_token",
+            "userinfo_endpoint": f"https://api.bitbucket.org/{self.version}/user",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        email = await self.get_useremail(session=session)
+        return OpenID(
+            email=email["values"][0]["email"],
+            display_name=response.get("display_name"),
+            provider=self.provider,
+            id=str(response.get("uuid")).strip("{}"),
+            first_name=response.get("nickname"),
+            picture=response.get("links", {}).get("avatar", {}).get("href"),
+        )

fastapi_sso-0.17.0/fastapi_sso/sso/discord.py

@@ -0,0 +1,56 @@
+"""Discord SSO Oauth Helper class"""
+
+from typing import TYPE_CHECKING, ClassVar, List, Optional, Union
+
+import pydantic
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+class DiscordSSO(SSOBase):
+    """Class providing login using Discord OAuth"""
+
+    provider = "discord"
+    scope: ClassVar = ["identify", "email", "openid"]
+
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        redirect_uri: Optional[Union[pydantic.AnyHttpUrl, str]] = None,
+        allow_insecure_http: bool = False,
+        scope: Optional[List[str]] = None,
+    ):
+        super().__init__(
+            client_id=client_id,
+            client_secret=client_secret,
+            redirect_uri=redirect_uri,
+            allow_insecure_http=allow_insecure_http,
+            scope=scope,
+        )
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        return {
+            "authorization_endpoint": "https://discord.com/oauth2/authorize",
+            "token_endpoint": "https://discord.com/api/oauth2/token",
+            "userinfo_endpoint": "https://discord.com/api/users/@me",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        user_id = response.get("id")
+        avatar = response.get("avatar")
+        picture = None
+        if user_id and avatar:
+            picture = f"https://cdn.discordapp.com/avatars/{user_id}/{avatar}.png"
+
+        return OpenID(
+            email=response.get("email"),
+            display_name=response.get("global_name"),
+            provider=self.provider,
+            id=user_id,
+            first_name=response.get("username"),
+            picture=picture,
+        )

fastapi_sso-0.17.0/fastapi_sso/sso/seznam.py

@@ -0,0 +1,39 @@
+"""Seznam SSO Login Helper."""
+
+from typing import TYPE_CHECKING, ClassVar, Optional
+
+from fastapi_sso.sso.base import DiscoveryDocument, OpenID, SSOBase
+
+if TYPE_CHECKING:
+    import httpx  # pragma: no cover
+
+
+# https://vyvojari.seznam.cz/oauth/doc
+
+
+class SeznamSSO(SSOBase):
+    """Class providing login via Seznam OAuth."""
+
+    provider = "seznam"
+    base_url = "https://login.szn.cz/api/v1"
+    scope: ClassVar = ["identity", "avatar"]  # + ["contact-phone", "adulthood", "birthday", "gender"]
+
+    async def get_discovery_document(self) -> DiscoveryDocument:
+        """Get document containing handy urls."""
+        return {
+            "authorization_endpoint": f"{self.base_url}/oauth/auth",
+            "token_endpoint": f"{self.base_url}/oauth/token",
+            "userinfo_endpoint": f"{self.base_url}/user",
+        }
+
+    async def openid_from_response(self, response: dict, session: Optional["httpx.AsyncClient"] = None) -> OpenID:
+        """Return OpenID from user information provided by Seznam."""
+        return OpenID(
+            email=response.get("email"),
+            first_name=response.get("firstname"),
+            last_name=response.get("lastname"),
+            display_name=response.get("accountDisplayName"),
+            provider=self.provider,
+            id=response.get("oauth_user_id"),
+            picture=response.get("avatar_url"),
+        )

{fastapi_sso-0.15.0 → fastapi_sso-0.17.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-sso"
-version = "0.15.0"
+version = "0.17.0"
 description = "FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)"
 authors = ["Tomas Votava <info@tomasvotava.eu>"]
 readme = "README.md"
@@ -29,8 +29,6 @@ addopts = [
     "--cov-report=xml:coverage.xml",
     "--cov-report=json:coverage.json",
     "--cov-report=term-missing",
-    "-n",
-    "auto",
 ]
 
 
@@ -97,17 +95,15 @@ black = ">=23.7.0"
 isort = "^5"
 markdown-include = "^0.8.1"
 mkdocs-material = { extras = ["imaging"], version = "^9.3.2" }
-mkdocstrings = { extras = ["python"], version = ">=0.23,<0.26" }
+mkdocstrings = { extras = ["python"], version = ">=0.23,<0.27" }
 mypy = "^1"
-poethepoet = ">=0.21.1,<0.27.0"
+poethepoet = ">=0.21.1,<0.30.0"
 pre-commit = "^3"
 pytest = ">=7,<9"
-pytest-asyncio = ">=0.21.1,<0.24.0"
+pytest-asyncio = "^0.24"
 pytest-cov = ">=4,<6"
-pytest-xdist = "^3"
-tox = "^4"
 uvicorn = ">=0.23.1"
-ruff = "^0.4.2"
+ruff = ">=0.4.2,<0.8.0"
 
 [tool.poetry.dependencies]
 fastapi = ">=0.80"
@@ -115,6 +111,7 @@ httpx = ">=0.23.0"
 oauthlib = ">=3.1.0"
 pydantic = { extras = ["email"], version = ">=1.8.0" }
 python = ">=3.8,<4.0"
+typing-extensions = { version = "^4.12.2", python = "<3.10" }
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]