flyfun-common 0.1.0__py3-none-any.whl

flyfun_common/__init__.py

@@ -0,0 +1 @@
+"""Shared user management and auth for flyfun services."""

flyfun_common/admin.py

@@ -0,0 +1,92 @@
+"""Admin helper utilities: token generation, HMAC verification, user management."""
+
+from __future__ import annotations
+
+import hashlib
+import hmac as hmac_mod
+import secrets
+import time
+import uuid
+from base64 import urlsafe_b64encode
+
+from fastapi import HTTPException
+from sqlalchemy.orm import Session
+
+from flyfun_common.db.models import ApiTokenRow, UserPreferencesRow, UserRow
+
+TOKEN_PREFIX = "ff_"
+
+
+def generate_api_token(prefix: str = TOKEN_PREFIX) -> str:
+    """Generate a random API token with the given prefix (~48 chars total)."""
+    return prefix + urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
+
+
+def hash_token(token: str) -> str:
+    """SHA-256 hash a plaintext token for storage."""
+    return hashlib.sha256(token.encode()).hexdigest()
+
+
+def verify_approval_hmac(
+    user_id: str, ts: str, sig: str, secret: str, expiry: int
+) -> None:
+    """Verify an HMAC-signed approval link. Raises HTTPException on failure."""
+    expected = hmac_mod.new(
+        secret.encode(), f"approve:{user_id}:{ts}".encode(), hashlib.sha256
+    ).hexdigest()
+
+    if not hmac_mod.compare_digest(sig, expected):
+        raise HTTPException(status_code=403, detail="Invalid approval link")
+
+    try:
+        link_time = int(ts)
+    except ValueError:
+        raise HTTPException(status_code=400, detail="Invalid timestamp")
+
+    age = time.time() - link_time
+    if age > expiry:
+        raise HTTPException(status_code=410, detail="Approval link expired")
+    if age < 0:
+        raise HTTPException(status_code=400, detail="Invalid timestamp")
+
+
+def create_agent_user(
+    db: Session, name: str, prefix: str = TOKEN_PREFIX
+) -> tuple[UserRow, str]:
+    """Create a bot/agent user with an initial API token.
+
+    Returns (user, plaintext_token). The plaintext token cannot be retrieved later.
+    """
+    user_id = f"agent-{uuid.uuid4().hex[:12]}"
+    user = UserRow(
+        id=user_id,
+        provider="api_token",
+        provider_sub=uuid.uuid4().hex,
+        email="",
+        display_name=name,
+        approved=True,
+    )
+    db.add(user)
+    db.flush()
+    db.add(UserPreferencesRow(user_id=user_id))
+
+    plaintext = generate_api_token(prefix)
+    db.add(
+        ApiTokenRow(
+            user_id=user_id,
+            token_hash=hash_token(plaintext),
+            name=name,
+        )
+    )
+    db.flush()
+    return user, plaintext
+
+
+def approve_user(db: Session, user_id: str) -> UserRow:
+    """Approve a user account. Raises HTTPException if not found."""
+    user = db.query(UserRow).filter(UserRow.id == user_id).first()
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    user.approved = True
+    db.flush()
+    return user

flyfun_common/auth/__init__.py

@@ -0,0 +1,26 @@
+"""Auth utilities: JWT, OAuth, config."""
+
+from flyfun_common.auth.config import (
+    COOKIE_NAME,
+    COOKIE_DOMAIN,
+    SUPPORTED_PROVIDERS,
+    is_dev_mode,
+    get_jwt_secret,
+    get_registered_providers,
+    create_oauth,
+)
+from flyfun_common.auth.jwt_utils import create_token, decode_token
+from flyfun_common.auth.router import create_auth_router
+
+__all__ = [
+    "COOKIE_NAME",
+    "COOKIE_DOMAIN",
+    "SUPPORTED_PROVIDERS",
+    "is_dev_mode",
+    "get_jwt_secret",
+    "get_registered_providers",
+    "create_oauth",
+    "create_token",
+    "decode_token",
+    "create_auth_router",
+]

flyfun_common/auth/config.py

@@ -0,0 +1,120 @@
+"""Shared auth configuration: cookie, JWT secret, OAuth providers."""
+
+from __future__ import annotations
+
+import os
+
+from authlib.integrations.starlette_client import OAuth
+
+# Unified cookie name — same across all flyfun services
+COOKIE_NAME = "flyfun_auth"
+
+# Cookie domain — set to .flyfun.aero in prod for cross-subdomain SSO
+COOKIE_DOMAIN: str | None = None  # computed at runtime
+
+_DEV_JWT_SECRET = "dev-insecure-jwt-secret-do-not-use-in-production"
+
+# Providers that can be registered
+SUPPORTED_PROVIDERS = ("google", "apple")
+
+
+def is_dev_mode() -> bool:
+    return os.environ.get("ENVIRONMENT", "development") != "production"
+
+
+def get_cookie_domain() -> str | None:
+    """Return .flyfun.aero in production (enables SSO), None in dev."""
+    if is_dev_mode():
+        return None
+    return os.environ.get("COOKIE_DOMAIN", ".flyfun.aero")
+
+
+def get_jwt_secret() -> str:
+    secret = os.environ.get("JWT_SECRET")
+    if secret:
+        if not is_dev_mode() and secret == _DEV_JWT_SECRET:
+            raise ValueError(
+                "Production must use a unique JWT_SECRET, not the dev default"
+            )
+        return secret
+    if is_dev_mode():
+        return _DEV_JWT_SECRET
+    raise ValueError("JWT_SECRET environment variable must be set in production")
+
+
+def _apple_client_secret() -> str:
+    """Generate a short-lived JWT client_secret for Sign in with Apple.
+
+    Apple requires the client_secret to be an ES256-signed JWT containing:
+    - iss: Team ID
+    - sub: Client ID (Service ID)
+    - aud: https://appleid.apple.com
+    - iat/exp: issued/expiry (max 180 days)
+
+    Signed with the private key from Apple Developer Console.
+    """
+    import time
+
+    import jwt  # PyJWT
+
+    team_id = os.environ.get("APPLE_TEAM_ID", "")
+    key_id = os.environ.get("APPLE_KEY_ID", "")
+    client_id = os.environ.get("APPLE_CLIENT_ID", "")
+    private_key = os.environ.get("APPLE_PRIVATE_KEY", "")
+
+    if not all([team_id, key_id, client_id, private_key]):
+        raise ValueError(
+            "Apple Sign In requires APPLE_TEAM_ID, APPLE_KEY_ID, "
+            "APPLE_CLIENT_ID, and APPLE_PRIVATE_KEY environment variables"
+        )
+
+    # Replace literal \n with actual newlines (env vars can't contain real newlines)
+    private_key = private_key.replace("\\n", "\n")
+
+    now = int(time.time())
+    payload = {
+        "iss": team_id,
+        "sub": client_id,
+        "aud": "https://appleid.apple.com",
+        "iat": now,
+        "exp": now + 86400 * 180,  # 180 days (Apple's max)
+    }
+    return jwt.encode(payload, private_key, algorithm="ES256", headers={"kid": key_id})
+
+
+def create_oauth() -> OAuth:
+    """Create OAuth registry with available providers.
+
+    Providers are registered only if their client_id env var is set.
+    """
+    oauth = OAuth()
+
+    # Google
+    if os.environ.get("GOOGLE_CLIENT_ID"):
+        oauth.register(
+            name="google",
+            client_id=os.environ.get("GOOGLE_CLIENT_ID"),
+            client_secret=os.environ.get("GOOGLE_CLIENT_SECRET", ""),
+            server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
+            client_kwargs={"scope": "openid email profile"},
+        )
+
+    # Apple — Sign in with Apple (OIDC)
+    if os.environ.get("APPLE_CLIENT_ID"):
+        oauth.register(
+            name="apple",
+            client_id=os.environ.get("APPLE_CLIENT_ID"),
+            client_secret=_apple_client_secret(),
+            server_metadata_url="https://appleid.apple.com/.well-known/openid-configuration",
+            client_kwargs={
+                "scope": "openid email name",
+                "response_mode": "form_post",
+            },
+        )
+
+    return oauth
+
+
+def get_registered_providers(oauth: OAuth) -> list[str]:
+    """Return the list of provider names that were registered."""
+    return [p for p in SUPPORTED_PROVIDERS if hasattr(oauth, p)]

flyfun_common/auth/jwt_utils.py

@@ -0,0 +1,28 @@
+"""JWT token creation and validation."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import jwt
+
+JWT_ALGORITHM = "HS256"
+JWT_EXPIRY_DAYS = 7
+
+
+def create_token(user_id: str, email: str, name: str, secret: str) -> str:
+    """Create a signed JWT with user claims and 7-day expiry."""
+    now = datetime.now(timezone.utc)
+    payload = {
+        "sub": user_id,
+        "email": email,
+        "name": name,
+        "iat": now,
+        "exp": now + timedelta(days=JWT_EXPIRY_DAYS),
+    }
+    return jwt.encode(payload, secret, algorithm=JWT_ALGORITHM)
+
+
+def decode_token(token: str, secret: str) -> dict:
+    """Decode and validate a JWT."""
+    return jwt.decode(token, secret, algorithms=[JWT_ALGORITHM])

flyfun_common/auth/router.py

@@ -0,0 +1,372 @@
+"""Shared OAuth auth router: login, callback, logout, /auth/me.
+
+Each app calls create_auth_router() and mounts it on their FastAPI app.
+The callback creates/updates users in the shared DB and sets the
+cross-subdomain JWT cookie.
+
+Supports multiple OAuth providers (Google, Apple, etc.) via generic
+/{provider} routes.  Also supports native iOS Sign in with Apple via
+POST /auth/apple/token (identity token validation).
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import re
+import uuid
+from datetime import datetime, timezone
+from urllib.parse import quote
+
+import jwt as pyjwt
+from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi.responses import RedirectResponse
+from pydantic import BaseModel
+from sqlalchemy.orm import Session
+
+from flyfun_common.auth.config import (
+    COOKIE_NAME,
+    SUPPORTED_PROVIDERS,
+    create_oauth,
+    get_cookie_domain,
+    get_jwt_secret,
+    is_dev_mode,
+)
+from flyfun_common.auth.jwt_utils import create_token
+from flyfun_common.db.deps import current_user_id, get_db
+from flyfun_common.db.models import UserRow
+
+logger = logging.getLogger(__name__)
+
+# Apple's JWKS endpoint for verifying identity tokens
+_APPLE_JWKS_URL = "https://appleid.apple.com/auth/keys"
+_apple_jwks_client: pyjwt.PyJWKClient | None = None
+
+
+def _get_apple_jwks_client() -> pyjwt.PyJWKClient:
+    """Lazily create a cached JWKS client for Apple's public keys."""
+    global _apple_jwks_client
+    if _apple_jwks_client is None:
+        _apple_jwks_client = pyjwt.PyJWKClient(_APPLE_JWKS_URL, cache_keys=True)
+    return _apple_jwks_client
+
+
+def _extract_userinfo(provider: str, token: dict) -> tuple[str, str, str]:
+    """Extract (sub, email, display_name) from an OAuth token response.
+
+    Each provider returns user data differently:
+    - Google: standard OIDC userinfo with sub, email, name
+    - Apple: sub/email in id_token claims; name only on first login via
+             a separate 'user' JSON field in the POST body
+    """
+    if provider == "apple":
+        # Apple puts claims in the id_token (parsed by authlib into userinfo)
+        userinfo = token.get("userinfo") or {}
+        sub = userinfo.get("sub", "")
+        email = userinfo.get("email", "")
+        # Apple only sends the user's name on first authorization.
+        # It comes as a JSON blob in the POST body 'user' parameter,
+        # which authlib does NOT parse automatically — we handle it in
+        # the callback and pass it via the token dict.
+        user_data = token.get("_apple_user", {})
+        name_parts = user_data.get("name", {})
+        first = name_parts.get("firstName", "")
+        last = name_parts.get("lastName", "")
+        name = f"{first} {last}".strip() or email
+        return sub, email, name
+
+    # Default: Google and other standard OIDC providers
+    userinfo = token.get("userinfo")
+    if not userinfo:
+        raise ValueError(f"No userinfo in token from {provider}")
+    return userinfo["sub"], userinfo.get("email", ""), userinfo.get("name", "")
+
+
+def _find_or_create_user(
+    db: Session,
+    provider: str,
+    provider_sub: str,
+    email: str,
+    name: str,
+    on_new_user: callable | None = None,
+    request: Request | None = None,
+) -> UserRow:
+    """Find an existing user by (provider, provider_sub) or create a new one.
+
+    Updates email/name on returning users if changed.
+    """
+    user = (
+        db.query(UserRow)
+        .filter_by(provider=provider, provider_sub=provider_sub)
+        .first()
+    )
+    if user is None:
+        user = UserRow(
+            id=str(uuid.uuid4()),
+            provider=provider,
+            provider_sub=provider_sub,
+            email=email,
+            display_name=name,
+            approved=True,
+        )
+        db.add(user)
+        db.flush()
+        logger.info("New user created via %s: %s", provider, user.id)
+
+        if on_new_user and request:
+            try:
+                on_new_user(user, request, db)
+            except Exception:
+                logger.warning(
+                    "on_new_user callback failed for %s", user.id, exc_info=True
+                )
+
+    user.last_login_at = datetime.now(timezone.utc)
+    if email and user.email != email:
+        user.email = email
+    # Only update name if we got a real name (not just the email echoed back)
+    if name and name != email and user.display_name != name:
+        user.display_name = name
+    db.flush()
+    return user
+
+
+class AppleTokenRequest(BaseModel):
+    """Request body for native iOS Sign in with Apple."""
+
+    identity_token: str
+    first_name: str | None = None
+    last_name: str | None = None
+
+
+def create_auth_router(
+    on_new_user: callable | None = None,
+) -> APIRouter:
+    """Create an auth router.
+
+    Args:
+        on_new_user: Optional callback(user: UserRow, request: Request, db: Session)
+                     called after a new user is created (e.g. send welcome email).
+    """
+    router = APIRouter(prefix="/auth", tags=["auth"])
+    oauth = create_oauth()
+
+    def _get_oauth_client(provider: str):
+        """Get a registered OAuth client, or raise 404."""
+        client = getattr(oauth, provider, None)
+        if client is None:
+            raise HTTPException(
+                status_code=404,
+                detail=f"Auth provider '{provider}' is not configured",
+            )
+        return client
+
+    @router.get("/providers")
+    async def list_providers():
+        """Return the list of configured OAuth providers."""
+        from flyfun_common.auth.config import get_registered_providers
+
+        return {"providers": get_registered_providers(oauth)}
+
+    @router.get("/login/{provider}")
+    async def login(
+        provider: str,
+        request: Request,
+        platform: str | None = None,
+        scheme: str | None = None,
+    ):
+        if provider not in SUPPORTED_PROVIDERS:
+            raise HTTPException(status_code=404, detail=f"Unknown provider: {provider}")
+        client = _get_oauth_client(provider)
+        redirect_uri = request.url_for("callback", provider=provider)
+        if not is_dev_mode():
+            redirect_uri = str(redirect_uri).replace("http://", "https://")
+        if platform:
+            request.session["oauth_platform"] = platform
+        if scheme:
+            if not re.fullmatch(r"flyfun[a-z0-9\-]*", scheme):
+                raise HTTPException(
+                    status_code=400,
+                    detail="Invalid URL scheme",
+                )
+            request.session["oauth_scheme"] = scheme
+        return await client.authorize_redirect(request, redirect_uri)
+
+    @router.get("/callback/{provider}")
+    @router.post("/callback/{provider}")  # Apple uses form_post (POST)
+    async def callback(
+        provider: str, request: Request, db: Session = Depends(get_db)
+    ):
+        if provider not in SUPPORTED_PROVIDERS:
+            raise HTTPException(status_code=404, detail=f"Unknown provider: {provider}")
+        client = _get_oauth_client(provider)
+
+        try:
+            token = await client.authorize_access_token(request)
+        except Exception as exc:
+            logger.warning("OAuth callback failed for %s: %s", provider, exc)
+            raise HTTPException(
+                status_code=400, detail="OAuth authentication failed"
+            )
+
+        # Apple: extract the 'user' JSON from form body (only sent on first auth)
+        if provider == "apple":
+            form = await request.form()
+            user_json = form.get("user")
+            if user_json:
+                try:
+                    token["_apple_user"] = json.loads(user_json)
+                except (json.JSONDecodeError, TypeError):
+                    pass
+
+        try:
+            provider_sub, email, name = _extract_userinfo(provider, token)
+        except (ValueError, KeyError) as exc:
+            logger.warning("Failed to extract userinfo from %s: %s", provider, exc)
+            raise HTTPException(
+                status_code=400, detail=f"No user info from {provider}"
+            )
+
+        if not provider_sub:
+            raise HTTPException(
+                status_code=400, detail=f"No subject identifier from {provider}"
+            )
+
+        user = _find_or_create_user(
+            db, provider, provider_sub, email, name,
+            on_new_user=on_new_user, request=request,
+        )
+
+        if not user.approved:
+            return RedirectResponse(url="/login.html?status=pending", status_code=302)
+
+        jwt_token = create_token(
+            user.id, user.email, user.display_name, get_jwt_secret()
+        )
+
+        # iOS/native app: redirect to app-specific custom URL scheme
+        platform = request.session.pop("oauth_platform", None)
+        if platform == "ios":
+            scheme = request.session.pop("oauth_scheme", "flyfun")
+            redirect_url = f"{scheme}://auth/callback?token={quote(jwt_token)}"
+            return RedirectResponse(url=redirect_url, status_code=302)
+
+        response = RedirectResponse(url="/", status_code=302)
+        _set_session_cookie(response, jwt_token)
+        return response
+
+    # --- Native iOS Sign in with Apple ---
+
+    @router.post("/apple/token")
+    async def apple_token(
+        body: AppleTokenRequest,
+        request: Request,
+        db: Session = Depends(get_db),
+    ):
+        """Validate an Apple identity token from a native iOS app.
+
+        The iOS app uses ASAuthorizationAppleIDProvider to get an identity
+        token (JWT signed by Apple), then sends it here. We verify the
+        signature against Apple's public keys and extract the user info.
+
+        Returns a flyfun JWT token for the app to use in subsequent requests.
+        """
+        # Build the list of accepted audiences.
+        # APPLE_APP_IDS: comma-separated bundle IDs for all iOS apps
+        #   e.g. "aero.flyfun.weather,aero.flyfun.customs"
+        # Falls back to APPLE_APP_ID (single app) or APPLE_CLIENT_ID (web).
+        app_ids_raw = os.environ.get("APPLE_APP_IDS", "")
+        if app_ids_raw:
+            expected_audiences = [a.strip() for a in app_ids_raw.split(",") if a.strip()]
+        else:
+            single = os.environ.get(
+                "APPLE_APP_ID",
+                os.environ.get("APPLE_CLIENT_ID", ""),
+            )
+            expected_audiences = [single] if single else []
+
+        if not expected_audiences:
+            raise HTTPException(
+                status_code=503,
+                detail="Apple Sign In is not configured on this server",
+            )
+
+        try:
+            jwks_client = _get_apple_jwks_client()
+            signing_key = jwks_client.get_signing_key_from_jwt(body.identity_token)
+
+            # PyJWT accepts a list of audiences — token is valid if its
+            # aud matches ANY of them.
+            claims = pyjwt.decode(
+                body.identity_token,
+                signing_key.key,
+                algorithms=["RS256"],
+                audience=expected_audiences,
+                issuer="https://appleid.apple.com",
+            )
+        except pyjwt.ExpiredSignatureError:
+            raise HTTPException(status_code=401, detail="Identity token has expired")
+        except pyjwt.InvalidTokenError as exc:
+            logger.warning("Apple identity token validation failed: %s", exc)
+            raise HTTPException(status_code=401, detail="Invalid identity token")
+
+        sub = claims.get("sub", "")
+        email = claims.get("email", "")
+        if not sub:
+            raise HTTPException(status_code=400, detail="No subject in identity token")
+
+        # Build display name from optional first_name/last_name
+        # (only available on first iOS authorization)
+        name_parts = [p for p in [body.first_name, body.last_name] if p]
+        name = " ".join(name_parts) or email
+
+        user = _find_or_create_user(
+            db, "apple", sub, email, name,
+            on_new_user=on_new_user, request=request,
+        )
+
+        if not user.approved:
+            raise HTTPException(status_code=403, detail="Account is not approved")
+
+        jwt_token = create_token(
+            user.id, user.email, user.display_name, get_jwt_secret()
+        )
+
+        return {"token": jwt_token, "user_id": user.id}
+
+    @router.post("/logout")
+    async def logout():
+        response = RedirectResponse(url="/login.html", status_code=302)
+        response.delete_cookie(COOKIE_NAME, path="/", domain=get_cookie_domain())
+        return response
+
+    @router.get("/me")
+    async def get_me(
+        user_id: str = Depends(current_user_id), db: Session = Depends(get_db)
+    ):
+        user = db.get(UserRow, user_id)
+        if not user:
+            raise HTTPException(status_code=401, detail="User not found")
+        return {
+            "id": user.id,
+            "email": user.email,
+            "name": user.display_name,
+            "approved": user.approved,
+        }
+
+    return router
+
+
+def _set_session_cookie(response: RedirectResponse, token: str) -> None:
+    secure = not is_dev_mode()
+    response.set_cookie(
+        key=COOKIE_NAME,
+        value=token,
+        httponly=True,
+        samesite="lax",
+        secure=secure,
+        path="/",
+        domain=get_cookie_domain(),
+        max_age=7 * 24 * 3600,
+    )

flyfun_common/costs.py

@@ -0,0 +1,79 @@
+"""Cost ledger utilities: record, query, and check budget."""
+
+from __future__ import annotations
+
+import json
+from datetime import datetime
+
+from sqlalchemy import func
+from sqlalchemy.orm import Session
+
+from flyfun_common.db.models import CostLedgerRow, UserRow
+
+
+def record_cost(
+    db: Session,
+    user_id: str,
+    service: str,
+    action: str,
+    cost: float,
+    metadata: dict | None = None,
+) -> CostLedgerRow:
+    """Record a cost entry in the ledger."""
+    row = CostLedgerRow(
+        user_id=user_id,
+        service=service,
+        action=action,
+        cost=cost,
+        metadata_json=json.dumps(metadata) if metadata else None,
+    )
+    db.add(row)
+    db.flush()
+    return row
+
+
+def get_total_cost(db: Session, user_id: str, service: str | None = None) -> float:
+    """Sum of all costs for a user, optionally filtered by service."""
+    q = db.query(func.coalesce(func.sum(CostLedgerRow.cost), 0.0)).filter(
+        CostLedgerRow.user_id == user_id
+    )
+    if service:
+        q = q.filter(CostLedgerRow.service == service)
+    return float(q.scalar())
+
+
+def get_cost_since(
+    db: Session, user_id: str, since: datetime, service: str | None = None
+) -> float:
+    """Sum of costs since a given time."""
+    q = db.query(func.coalesce(func.sum(CostLedgerRow.cost), 0.0)).filter(
+        CostLedgerRow.user_id == user_id,
+        CostLedgerRow.created_at >= since,
+    )
+    if service:
+        q = q.filter(CostLedgerRow.service == service)
+    return float(q.scalar())
+
+
+def check_budget(db: Session, user_id: str) -> tuple[float, float]:
+    """Return (total_spent, spending_limit) for a user."""
+    total = get_total_cost(db, user_id)
+    user = db.get(UserRow, user_id)
+    limit = user.spending_limit if user else 500.0
+    return total, limit
+
+
+def get_cost_breakdown(
+    db: Session,
+    user_id: str,
+    service: str | None = None,
+    since: datetime | None = None,
+    limit: int = 50,
+) -> list[CostLedgerRow]:
+    """Return recent cost entries for a user."""
+    q = db.query(CostLedgerRow).filter(CostLedgerRow.user_id == user_id)
+    if service:
+        q = q.filter(CostLedgerRow.service == service)
+    if since:
+        q = q.filter(CostLedgerRow.created_at >= since)
+    return q.order_by(CostLedgerRow.created_at.desc()).limit(limit).all()

flyfun_common/credentials.py

@@ -0,0 +1,46 @@
+"""Encrypted credential storage helpers using UserPreferencesRow."""
+
+from __future__ import annotations
+
+import json
+import logging
+
+from sqlalchemy.orm import Session
+
+from flyfun_common.db.models import UserPreferencesRow
+from flyfun_common.encryption import decrypt, encrypt
+
+logger = logging.getLogger(__name__)
+
+
+def save_encrypted_creds(db: Session, user_id: str, creds_dict: dict) -> None:
+    """Encrypt and save credentials to UserPreferencesRow.encrypted_creds_json."""
+    row = db.get(UserPreferencesRow, user_id)
+    if row is None:
+        row = UserPreferencesRow(user_id=user_id)
+        db.add(row)
+    row.encrypted_creds_json = encrypt(json.dumps(creds_dict))
+    db.flush()
+
+
+def load_encrypted_creds(db: Session, user_id: str) -> dict | None:
+    """Load and decrypt credentials from UserPreferencesRow.
+
+    Returns the decrypted dict, or None if not configured.
+    """
+    row = db.get(UserPreferencesRow, user_id)
+    if not row or not row.encrypted_creds_json:
+        return None
+    try:
+        return json.loads(decrypt(row.encrypted_creds_json))
+    except Exception:
+        logger.warning("Failed to decrypt credentials for user %s", user_id)
+        return None
+
+
+def clear_encrypted_creds(db: Session, user_id: str) -> None:
+    """Clear stored credentials for a user."""
+    row = db.get(UserPreferencesRow, user_id)
+    if row:
+        row.encrypted_creds_json = ""
+        db.flush()

flyfun_common/db/__init__.py

@@ -0,0 +1,44 @@
+"""Database models and engine for shared user tables."""
+
+from flyfun_common.db.models import (
+    Base,
+    UserRow,
+    ApiTokenRow,
+    UserPreferencesRow,
+    CostLedgerRow,
+)
+from flyfun_common.db.engine import (
+    get_engine,
+    reset_engine,
+    init_shared_db,
+    ensure_dev_user,
+    SessionLocal,
+    DEV_USER_ID,
+)
+
+# Lazy imports to avoid circular dependency (deps → auth.config → auth → router → deps)
+
+
+def __getattr__(name: str):
+    if name in ("get_db", "current_user_id"):
+        from flyfun_common.db import deps
+
+        return getattr(deps, name)
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+
+
+__all__ = [
+    "Base",
+    "UserRow",
+    "ApiTokenRow",
+    "UserPreferencesRow",
+    "CostLedgerRow",
+    "get_engine",
+    "reset_engine",
+    "init_shared_db",
+    "ensure_dev_user",
+    "SessionLocal",
+    "DEV_USER_ID",
+    "get_db",
+    "current_user_id",
+]

flyfun_common/db/deps.py

@@ -0,0 +1,127 @@
+"""FastAPI dependencies: DB session and auth.
+
+Supports three auth methods (in priority order):
+1. Dev mode bypass → DEV_USER_ID
+2. JWT cookie (set by OAuth login)
+3. Bearer token: JWT or hashed API token (ff_ prefix)
+"""
+
+from __future__ import annotations
+
+import hashlib
+from collections.abc import Generator
+from datetime import datetime, timezone
+
+import jwt
+from fastapi import Depends, HTTPException, Request
+from sqlalchemy.orm import Session
+
+from flyfun_common.auth.config import COOKIE_NAME, get_jwt_secret
+from flyfun_common.auth.jwt_utils import decode_token
+from flyfun_common.db.engine import DEV_USER_ID, SessionLocal, is_dev_mode
+from flyfun_common.db.models import ApiTokenRow, UserRow
+
+TOKEN_PREFIX = "ff_"
+_LEGACY_TOKEN_PREFIX = "wb_"  # accept old tokens during migration
+
+
+def get_db() -> Generator[Session, None, None]:
+    """Yield a SQLAlchemy session, committing on success or rolling back on error."""
+    session = SessionLocal()
+    try:
+        yield session
+        session.commit()
+    except Exception:
+        session.rollback()
+        raise
+    finally:
+        session.close()
+
+
+def _is_api_token(token: str) -> bool:
+    """Check if a bearer token is an API token (vs a JWT)."""
+    return token.startswith(TOKEN_PREFIX) or token.startswith(_LEGACY_TOKEN_PREFIX)
+
+
+def _authenticate_bearer_token(token: str, db: Session) -> str:
+    """Validate a hashed API token against the api_tokens table."""
+    if not _is_api_token(token):
+        raise HTTPException(status_code=401, detail="Invalid token format")
+
+    token_hash = hashlib.sha256(token.encode()).hexdigest()
+    row = (
+        db.query(ApiTokenRow)
+        .filter(ApiTokenRow.token_hash == token_hash)
+        .first()
+    )
+    if not row:
+        raise HTTPException(status_code=401, detail="Invalid token")
+    if row.revoked:
+        raise HTTPException(status_code=401, detail="Token revoked")
+    if row.expires_at:
+        expires = row.expires_at
+        if expires.tzinfo is None:
+            expires = expires.replace(tzinfo=timezone.utc)
+        if expires <= datetime.now(timezone.utc):
+            raise HTTPException(status_code=401, detail="Token expired")
+
+    row.last_used_at = datetime.now(timezone.utc)
+    db.flush()
+    return row.user_id
+
+
+def _decode_user_id(request: Request, db: Session) -> str:
+    """Extract user ID from JWT cookie or Bearer token.
+
+    Priority: dev mode → cookie → Bearer (JWT or API token).
+    """
+    if is_dev_mode():
+        return DEV_USER_ID
+
+    secret = get_jwt_secret()
+
+    # Try JWT cookie
+    cookie = request.cookies.get(COOKIE_NAME)
+    if cookie:
+        try:
+            payload = decode_token(cookie, secret)
+            return payload["sub"]
+        except jwt.ExpiredSignatureError:
+            raise HTTPException(status_code=401, detail="Session expired")
+        except (jwt.InvalidTokenError, KeyError):
+            raise HTTPException(status_code=401, detail="Invalid session")
+
+    # Try Bearer token
+    auth_header = request.headers.get("authorization", "")
+    if auth_header.startswith("Bearer "):
+        bearer_token = auth_header[7:]
+        if not _is_api_token(bearer_token):
+            try:
+                payload = decode_token(bearer_token, secret)
+                return payload["sub"]
+            except jwt.ExpiredSignatureError:
+                raise HTTPException(status_code=401, detail="Token expired")
+            except (jwt.InvalidTokenError, KeyError):
+                raise HTTPException(status_code=401, detail="Invalid token")
+        return _authenticate_bearer_token(bearer_token, db)
+
+    raise HTTPException(status_code=401, detail="Not authenticated")
+
+
+def current_user_id(
+    request: Request,
+    db: Session = Depends(get_db),
+) -> str:
+    """Return the authenticated user ID. Raises 401/403 on failure."""
+    user_id = _decode_user_id(request, db)
+
+    if is_dev_mode():
+        return user_id
+
+    user = db.query(UserRow).filter(UserRow.id == user_id).first()
+    if not user:
+        raise HTTPException(status_code=401, detail="User not found")
+    if not user.approved:
+        raise HTTPException(status_code=403, detail="Account suspended")
+
+    return user_id

flyfun_common/db/engine.py

@@ -0,0 +1,100 @@
+"""Database engine: singleton pattern, SQLite (dev) or MySQL (prod)."""
+
+from __future__ import annotations
+
+import logging
+import os
+
+from sqlalchemy import create_engine, event
+from sqlalchemy.engine import Engine
+from sqlalchemy.orm import Session, sessionmaker
+
+from flyfun_common.db.models import Base, UserPreferencesRow, UserRow
+
+logger = logging.getLogger(__name__)
+
+_engine: Engine | None = None
+SessionLocal: sessionmaker[Session] = sessionmaker()
+
+DEV_USER_ID = "dev-user-001"
+
+
+def is_dev_mode() -> bool:
+    return os.environ.get("ENVIRONMENT", "development") != "production"
+
+
+def get_engine(db_url: str | None = None) -> Engine:
+    """Return a singleton SQLAlchemy engine.
+
+    Dev: sqlite:///{DATA_DIR}/flyfun.db
+    Prod: DATABASE_URL env var (MySQL / PostgreSQL)
+    """
+    global _engine
+    if _engine is not None:
+        return _engine
+
+    if db_url is None:
+        if not is_dev_mode():
+            db_url = os.environ.get("DATABASE_URL")
+            if not db_url:
+                raise ValueError("DATABASE_URL must be set in production")
+        else:
+            data_dir = os.environ.get("DATA_DIR", "data")
+            os.makedirs(data_dir, exist_ok=True)
+            db_url = f"sqlite:///{data_dir}/flyfun.db"
+
+    connect_args = {}
+    if db_url.startswith("sqlite"):
+        connect_args["check_same_thread"] = False
+        connect_args["timeout"] = 30
+
+    _engine = create_engine(db_url, connect_args=connect_args)
+    SessionLocal.configure(bind=_engine)
+
+    if db_url.startswith("sqlite"):
+
+        @event.listens_for(_engine, "connect")
+        def _set_sqlite_pragma(dbapi_conn, _connection_record):
+            cursor = dbapi_conn.cursor()
+            cursor.execute("PRAGMA journal_mode=WAL")
+            cursor.execute("PRAGMA foreign_keys=ON")
+            cursor.close()
+
+    safe_url = db_url.split("@")[-1] if "@" in db_url else db_url.split("///")[-1]
+    logger.info("Shared DB engine created: %s", safe_url)
+    return _engine
+
+
+def reset_engine() -> None:
+    """Reset the singleton engine (for testing)."""
+    global _engine
+    if _engine is not None:
+        _engine.dispose()
+    _engine = None
+    SessionLocal.configure(bind=None)
+
+
+def init_shared_db(engine: Engine | None = None) -> None:
+    """Create shared tables (users, api_tokens). Dev only; prod uses Alembic."""
+    engine = engine or get_engine()
+    Base.metadata.create_all(engine)
+    logger.info("Shared tables created")
+
+
+def ensure_dev_user(session: Session) -> None:
+    """Create dev user for local development."""
+    user = session.get(UserRow, DEV_USER_ID)
+    if user is None:
+        user = UserRow(
+            id=DEV_USER_ID,
+            provider="local",
+            provider_sub="dev",
+            email="dev@localhost",
+            display_name="Dev User",
+            approved=True,
+        )
+        session.add(user)
+        session.flush()
+        session.add(UserPreferencesRow(user_id=DEV_USER_ID))
+        session.commit()
+        logger.info("Dev user created: %s", DEV_USER_ID)

flyfun_common/db/models.py

@@ -0,0 +1,83 @@
+"""Shared SQLAlchemy models: users, API tokens, preferences, cost ledger.
+
+App-specific models (flights, briefings, usage, etc.) stay in each app.
+Apps can add relationships to UserRow via SQLAlchemy backref or explicit
+relationship() on their own models pointing to "users.id".
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+
+from sqlalchemy import Boolean, DateTime, Float, ForeignKey, Integer, String, Text
+from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+class UserRow(Base):
+    __tablename__ = "users"
+
+    id: Mapped[str] = mapped_column(String(64), primary_key=True)
+    provider: Mapped[str] = mapped_column(String(32), default="local")
+    provider_sub: Mapped[str] = mapped_column(String(256), default="")
+    email: Mapped[str] = mapped_column(String(256), default="")
+    display_name: Mapped[str] = mapped_column(String(256), default="")
+    approved: Mapped[bool] = mapped_column(Boolean, default=True)
+    spending_limit: Mapped[float] = mapped_column(
+        Float, default=500.0, server_default="500.0"
+    )
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    last_login_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True, default=None
+    )
+
+
+class ApiTokenRow(Base):
+    __tablename__ = "api_tokens"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    user_id: Mapped[str] = mapped_column(String(64), index=True)
+    token_hash: Mapped[str] = mapped_column(String(64), unique=True, index=True)
+    name: Mapped[str] = mapped_column(String(256), default="")
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    expires_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True, default=None
+    )
+    last_used_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True, default=None
+    )
+    revoked: Mapped[bool] = mapped_column(Boolean, default=False)
+
+
+class UserPreferencesRow(Base):
+    __tablename__ = "user_preferences"
+
+    user_id: Mapped[str] = mapped_column(
+        String(64), ForeignKey("users.id", ondelete="CASCADE"), primary_key=True
+    )
+    setup_completed: Mapped[bool] = mapped_column(Boolean, default=False)
+    encrypted_creds_json: Mapped[str] = mapped_column(Text, default="")
+    app_prefs_json: Mapped[str] = mapped_column(Text, default="{}")
+
+
+class CostLedgerRow(Base):
+    __tablename__ = "cost_ledger"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    user_id: Mapped[str] = mapped_column(
+        String(64), ForeignKey("users.id", ondelete="CASCADE"), index=True
+    )
+    service: Mapped[str] = mapped_column(String(64))
+    action: Mapped[str] = mapped_column(String(64))
+    cost: Mapped[float] = mapped_column(Float)
+    metadata_json: Mapped[str | None] = mapped_column(Text, nullable=True)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )

flyfun_common/encryption.py

@@ -0,0 +1,43 @@
+"""Fernet encryption for storing sensitive credentials at rest."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import os
+
+from cryptography.fernet import Fernet
+
+from flyfun_common.auth.config import get_jwt_secret, is_dev_mode
+
+
+def _get_fernet_key() -> bytes:
+    """Get the Fernet encryption key.
+
+    Uses CREDENTIAL_ENCRYPTION_KEY env var if set.
+    In dev mode, derives a key from JWT_SECRET as a fallback.
+    """
+    explicit_key = os.environ.get("CREDENTIAL_ENCRYPTION_KEY")
+    if explicit_key:
+        return explicit_key.encode()
+
+    if is_dev_mode():
+        digest = hashlib.sha256(get_jwt_secret().encode()).digest()
+        return base64.urlsafe_b64encode(digest)
+
+    raise ValueError(
+        "CREDENTIAL_ENCRYPTION_KEY must be set in production. "
+        'Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
+    )
+
+
+def encrypt(plaintext: str) -> str:
+    """Encrypt a plaintext string, returning a Fernet token as a string."""
+    f = Fernet(_get_fernet_key())
+    return f.encrypt(plaintext.encode()).decode()
+
+
+def decrypt(ciphertext: str) -> str:
+    """Decrypt a Fernet token string back to plaintext."""
+    f = Fernet(_get_fernet_key())
+    return f.decrypt(ciphertext.encode()).decode()

flyfun_common-0.1.0.dist-info/METADATA

@@ -0,0 +1,80 @@
+Metadata-Version: 2.4
+Name: flyfun-common
+Version: 0.1.0
+Summary: Shared user management and auth for flyfun services
+Project-URL: Homepage, https://flyfun.aero
+Project-URL: Repository, https://github.com/roznet/flyfun-common
+Author-email: Brice Rosenzweig <brice@ro-z.net>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: auth,fastapi,flyfun,oauth
+Classifier: Development Status :: 4 - Beta
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.11
+Requires-Dist: authlib>=1.3
+Requires-Dist: cryptography>=42.0
+Requires-Dist: fastapi>=0.109
+Requires-Dist: httpx
+Requires-Dist: pyjwt>=2.8
+Requires-Dist: sqlalchemy>=2.0
+Provides-Extra: dev
+Requires-Dist: httpx; extra == 'dev'
+Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# flyfun-common
+
+Shared user management and authentication library for [flyfun](https://flyfun.aero) services.
+
+Provides OAuth login (Google, Apple), JWT session management, user database models, and API token administration — all as reusable FastAPI components.
+
+## Installation
+
+```bash
+pip install flyfun-common
+```
+
+## Usage
+
+```python
+from fastapi import FastAPI
+from flyfun_common.auth import create_auth_router
+from flyfun_common.db import init_db
+
+app = FastAPI()
+
+# Initialize database
+init_db()
+
+# Mount the auth router
+app.include_router(create_auth_router())
+```
+
+## Configuration
+
+All configuration is via environment variables:
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `JWT_SECRET` | Production | Secret key for signing JWT tokens |
+| `DATABASE_URL` | No | SQLAlchemy database URL (defaults to local SQLite) |
+| `ENVIRONMENT` | No | `production` or `development` (default) |
+| `COOKIE_DOMAIN` | No | Cookie domain for cross-subdomain SSO |
+| `GOOGLE_CLIENT_ID` | No | Google OAuth client ID |
+| `GOOGLE_CLIENT_SECRET` | No | Google OAuth client secret |
+| `APPLE_CLIENT_ID` | No | Apple Sign In service ID |
+| `APPLE_TEAM_ID` | No | Apple Developer Team ID |
+| `APPLE_KEY_ID` | No | Apple Sign In key ID |
+| `APPLE_PRIVATE_KEY` | No | Apple Sign In private key (PEM) |
+| `CREDENTIAL_ENCRYPTION_KEY` | Production | Fernet key for encrypting stored credentials |
+
+## License
+
+MIT

flyfun_common-0.1.0.dist-info/RECORD

@@ -0,0 +1,17 @@
+flyfun_common/__init__.py,sha256=sne0db9Y4FxbtM0BComZy1Of2b1CvvXQKpjt0uK5igw,59
+flyfun_common/admin.py,sha256=FVOF1CYXBSvqHOLYV0InOFF02vbHHESWKJCpljKFv2g,2701
+flyfun_common/costs.py,sha256=ajQG6kSaxYnwn9G_5BTQeY8RNrOzOGXmxpd42_KmKfk,2294
+flyfun_common/credentials.py,sha256=O4dR5d41EJPd8qS0TLjCopK-LBtSA5_75MioNyh-18s,1423
+flyfun_common/encryption.py,sha256=mRMNGBs0qQ9Vl294GqxNZQaIFjx6xT2wf4pQBmguywg,1293
+flyfun_common/auth/__init__.py,sha256=Nyw-7xHs2rURHQa0inOoY9qT23R2s_O4aMyIpECUJso,597
+flyfun_common/auth/config.py,sha256=Sfg_P9WJnYe7Bg-ig8gXE50U3_ie3gsSBxhvKloq7Kg,3886
+flyfun_common/auth/jwt_utils.py,sha256=6bMEnckONLBkOFfVRo4lv1ldlaSfDVI-g7rcEnPTP2k,750
+flyfun_common/auth/router.py,sha256=6VwFhPB9oC2qQo3ZGRbzBF0mk2Ae4W5Tk7IYRCQXYvE,13228
+flyfun_common/db/__init__.py,sha256=UdNzCAzH1bsdcYp8zO9qq_rntksyt8G3LpKvnJMw8m0,925
+flyfun_common/db/deps.py,sha256=8zsPvFXQOoGstyGii6IExTKbl-NqcFqp3oGVH1ZHWxw,4188
+flyfun_common/db/engine.py,sha256=jZDFiLive9G1oiIl66qPMEGV4I1EbEI1CGXCvRDKBug,3027
+flyfun_common/db/models.py,sha256=vhRFoBV0_Ritqllxhu4ho_Zv6TD_U3ahW1yUCrqDcUU,3227
+flyfun_common-0.1.0.dist-info/METADATA,sha256=hA6OuzoHtwFIBvgCl8WK-IkZDZpphAWVTwscMEjHIVc,2536
+flyfun_common-0.1.0.dist-info/WHEEL,sha256=QccIxa26bgl1E6uMy58deGWi-0aeIkkangHcxk2kWfw,87
+flyfun_common-0.1.0.dist-info/licenses/LICENSE,sha256=7P9PLNMrF8Yu0-v6OUHgbUghvNPBiw0oqOlY5IezjO8,1078
+flyfun_common-0.1.0.dist-info/RECORD,,

flyfun_common-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.29.0
+Root-Is-Purelib: true
+Tag: py3-none-any

flyfun_common-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2026 Brice Rosenzweig
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.