flyfun-common 0.1.0__tar.gz

flyfun_common-0.1.0/.gitignore

@@ -0,0 +1,8 @@
+__pycache__/
+*.egg-info/
+dist/
+build/
+.pytest_cache/
+*.pyc
+data/
+.env

flyfun_common-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024-2026 Brice Rosenzweig
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

flyfun_common-0.1.0/PKG-INFO

@@ -0,0 +1,80 @@
+Metadata-Version: 2.4
+Name: flyfun-common
+Version: 0.1.0
+Summary: Shared user management and auth for flyfun services
+Project-URL: Homepage, https://flyfun.aero
+Project-URL: Repository, https://github.com/roznet/flyfun-common
+Author-email: Brice Rosenzweig <brice@ro-z.net>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: auth,fastapi,flyfun,oauth
+Classifier: Development Status :: 4 - Beta
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.11
+Requires-Dist: authlib>=1.3
+Requires-Dist: cryptography>=42.0
+Requires-Dist: fastapi>=0.109
+Requires-Dist: httpx
+Requires-Dist: pyjwt>=2.8
+Requires-Dist: sqlalchemy>=2.0
+Provides-Extra: dev
+Requires-Dist: httpx; extra == 'dev'
+Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# flyfun-common
+
+Shared user management and authentication library for [flyfun](https://flyfun.aero) services.
+
+Provides OAuth login (Google, Apple), JWT session management, user database models, and API token administration — all as reusable FastAPI components.
+
+## Installation
+
+```bash
+pip install flyfun-common
+```
+
+## Usage
+
+```python
+from fastapi import FastAPI
+from flyfun_common.auth import create_auth_router
+from flyfun_common.db import init_db
+
+app = FastAPI()
+
+# Initialize database
+init_db()
+
+# Mount the auth router
+app.include_router(create_auth_router())
+```
+
+## Configuration
+
+All configuration is via environment variables:
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `JWT_SECRET` | Production | Secret key for signing JWT tokens |
+| `DATABASE_URL` | No | SQLAlchemy database URL (defaults to local SQLite) |
+| `ENVIRONMENT` | No | `production` or `development` (default) |
+| `COOKIE_DOMAIN` | No | Cookie domain for cross-subdomain SSO |
+| `GOOGLE_CLIENT_ID` | No | Google OAuth client ID |
+| `GOOGLE_CLIENT_SECRET` | No | Google OAuth client secret |
+| `APPLE_CLIENT_ID` | No | Apple Sign In service ID |
+| `APPLE_TEAM_ID` | No | Apple Developer Team ID |
+| `APPLE_KEY_ID` | No | Apple Sign In key ID |
+| `APPLE_PRIVATE_KEY` | No | Apple Sign In private key (PEM) |
+| `CREDENTIAL_ENCRYPTION_KEY` | Production | Fernet key for encrypting stored credentials |
+
+## License
+
+MIT

flyfun_common-0.1.0/README.md

@@ -0,0 +1,49 @@
+# flyfun-common
+
+Shared user management and authentication library for [flyfun](https://flyfun.aero) services.
+
+Provides OAuth login (Google, Apple), JWT session management, user database models, and API token administration — all as reusable FastAPI components.
+
+## Installation
+
+```bash
+pip install flyfun-common
+```
+
+## Usage
+
+```python
+from fastapi import FastAPI
+from flyfun_common.auth import create_auth_router
+from flyfun_common.db import init_db
+
+app = FastAPI()
+
+# Initialize database
+init_db()
+
+# Mount the auth router
+app.include_router(create_auth_router())
+```
+
+## Configuration
+
+All configuration is via environment variables:
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `JWT_SECRET` | Production | Secret key for signing JWT tokens |
+| `DATABASE_URL` | No | SQLAlchemy database URL (defaults to local SQLite) |
+| `ENVIRONMENT` | No | `production` or `development` (default) |
+| `COOKIE_DOMAIN` | No | Cookie domain for cross-subdomain SSO |
+| `GOOGLE_CLIENT_ID` | No | Google OAuth client ID |
+| `GOOGLE_CLIENT_SECRET` | No | Google OAuth client secret |
+| `APPLE_CLIENT_ID` | No | Apple Sign In service ID |
+| `APPLE_TEAM_ID` | No | Apple Developer Team ID |
+| `APPLE_KEY_ID` | No | Apple Sign In key ID |
+| `APPLE_PRIVATE_KEY` | No | Apple Sign In private key (PEM) |
+| `CREDENTIAL_ENCRYPTION_KEY` | Production | Fernet key for encrypting stored credentials |
+
+## License
+
+MIT

flyfun_common-0.1.0/pyproject.toml

@@ -0,0 +1,46 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "flyfun-common"
+version = "0.1.0"
+description = "Shared user management and auth for flyfun services"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [
+    { name = "Brice Rosenzweig", email = "brice@ro-z.net" },
+]
+keywords = ["flyfun", "auth", "oauth", "fastapi"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Framework :: FastAPI",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+]
+dependencies = [
+    "fastapi>=0.109",
+    "sqlalchemy>=2.0",
+    "PyJWT>=2.8",
+    "authlib>=1.3",
+    "httpx",
+    "cryptography>=42.0",
+]
+
+[project.optional-dependencies]
+dev = ["pytest", "pytest-asyncio", "httpx"]
+
+[project.urls]
+Homepage = "https://flyfun.aero"
+Repository = "https://github.com/roznet/flyfun-common"
+
+[tool.hatch.build.targets.sdist]
+exclude = ["tests/", "designs/", ".pytest_cache/"]
+
+[tool.hatch.build.targets.wheel]
+exclude = ["tests/", "designs/"]

flyfun_common-0.1.0/src/flyfun_common/__init__.py

@@ -0,0 +1 @@
+"""Shared user management and auth for flyfun services."""

flyfun_common-0.1.0/src/flyfun_common/admin.py

@@ -0,0 +1,92 @@
+"""Admin helper utilities: token generation, HMAC verification, user management."""
+
+from __future__ import annotations
+
+import hashlib
+import hmac as hmac_mod
+import secrets
+import time
+import uuid
+from base64 import urlsafe_b64encode
+
+from fastapi import HTTPException
+from sqlalchemy.orm import Session
+
+from flyfun_common.db.models import ApiTokenRow, UserPreferencesRow, UserRow
+
+TOKEN_PREFIX = "ff_"
+
+
+def generate_api_token(prefix: str = TOKEN_PREFIX) -> str:
+    """Generate a random API token with the given prefix (~48 chars total)."""
+    return prefix + urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
+
+
+def hash_token(token: str) -> str:
+    """SHA-256 hash a plaintext token for storage."""
+    return hashlib.sha256(token.encode()).hexdigest()
+
+
+def verify_approval_hmac(
+    user_id: str, ts: str, sig: str, secret: str, expiry: int
+) -> None:
+    """Verify an HMAC-signed approval link. Raises HTTPException on failure."""
+    expected = hmac_mod.new(
+        secret.encode(), f"approve:{user_id}:{ts}".encode(), hashlib.sha256
+    ).hexdigest()
+
+    if not hmac_mod.compare_digest(sig, expected):
+        raise HTTPException(status_code=403, detail="Invalid approval link")
+
+    try:
+        link_time = int(ts)
+    except ValueError:
+        raise HTTPException(status_code=400, detail="Invalid timestamp")
+
+    age = time.time() - link_time
+    if age > expiry:
+        raise HTTPException(status_code=410, detail="Approval link expired")
+    if age < 0:
+        raise HTTPException(status_code=400, detail="Invalid timestamp")
+
+
+def create_agent_user(
+    db: Session, name: str, prefix: str = TOKEN_PREFIX
+) -> tuple[UserRow, str]:
+    """Create a bot/agent user with an initial API token.
+
+    Returns (user, plaintext_token). The plaintext token cannot be retrieved later.
+    """
+    user_id = f"agent-{uuid.uuid4().hex[:12]}"
+    user = UserRow(
+        id=user_id,
+        provider="api_token",
+        provider_sub=uuid.uuid4().hex,
+        email="",
+        display_name=name,
+        approved=True,
+    )
+    db.add(user)
+    db.flush()
+    db.add(UserPreferencesRow(user_id=user_id))
+
+    plaintext = generate_api_token(prefix)
+    db.add(
+        ApiTokenRow(
+            user_id=user_id,
+            token_hash=hash_token(plaintext),
+            name=name,
+        )
+    )
+    db.flush()
+    return user, plaintext
+
+
+def approve_user(db: Session, user_id: str) -> UserRow:
+    """Approve a user account. Raises HTTPException if not found."""
+    user = db.query(UserRow).filter(UserRow.id == user_id).first()
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+    user.approved = True
+    db.flush()
+    return user

flyfun_common-0.1.0/src/flyfun_common/auth/__init__.py

@@ -0,0 +1,26 @@
+"""Auth utilities: JWT, OAuth, config."""
+
+from flyfun_common.auth.config import (
+    COOKIE_NAME,
+    COOKIE_DOMAIN,
+    SUPPORTED_PROVIDERS,
+    is_dev_mode,
+    get_jwt_secret,
+    get_registered_providers,
+    create_oauth,
+)
+from flyfun_common.auth.jwt_utils import create_token, decode_token
+from flyfun_common.auth.router import create_auth_router
+
+__all__ = [
+    "COOKIE_NAME",
+    "COOKIE_DOMAIN",
+    "SUPPORTED_PROVIDERS",
+    "is_dev_mode",
+    "get_jwt_secret",
+    "get_registered_providers",
+    "create_oauth",
+    "create_token",
+    "decode_token",
+    "create_auth_router",
+]

flyfun_common-0.1.0/src/flyfun_common/auth/config.py

@@ -0,0 +1,120 @@
+"""Shared auth configuration: cookie, JWT secret, OAuth providers."""
+
+from __future__ import annotations
+
+import os
+
+from authlib.integrations.starlette_client import OAuth
+
+# Unified cookie name — same across all flyfun services
+COOKIE_NAME = "flyfun_auth"
+
+# Cookie domain — set to .flyfun.aero in prod for cross-subdomain SSO
+COOKIE_DOMAIN: str | None = None  # computed at runtime
+
+_DEV_JWT_SECRET = "dev-insecure-jwt-secret-do-not-use-in-production"
+
+# Providers that can be registered
+SUPPORTED_PROVIDERS = ("google", "apple")
+
+
+def is_dev_mode() -> bool:
+    return os.environ.get("ENVIRONMENT", "development") != "production"
+
+
+def get_cookie_domain() -> str | None:
+    """Return .flyfun.aero in production (enables SSO), None in dev."""
+    if is_dev_mode():
+        return None
+    return os.environ.get("COOKIE_DOMAIN", ".flyfun.aero")
+
+
+def get_jwt_secret() -> str:
+    secret = os.environ.get("JWT_SECRET")
+    if secret:
+        if not is_dev_mode() and secret == _DEV_JWT_SECRET:
+            raise ValueError(
+                "Production must use a unique JWT_SECRET, not the dev default"
+            )
+        return secret
+    if is_dev_mode():
+        return _DEV_JWT_SECRET
+    raise ValueError("JWT_SECRET environment variable must be set in production")
+
+
+def _apple_client_secret() -> str:
+    """Generate a short-lived JWT client_secret for Sign in with Apple.
+
+    Apple requires the client_secret to be an ES256-signed JWT containing:
+    - iss: Team ID
+    - sub: Client ID (Service ID)
+    - aud: https://appleid.apple.com
+    - iat/exp: issued/expiry (max 180 days)
+
+    Signed with the private key from Apple Developer Console.
+    """
+    import time
+
+    import jwt  # PyJWT
+
+    team_id = os.environ.get("APPLE_TEAM_ID", "")
+    key_id = os.environ.get("APPLE_KEY_ID", "")
+    client_id = os.environ.get("APPLE_CLIENT_ID", "")
+    private_key = os.environ.get("APPLE_PRIVATE_KEY", "")
+
+    if not all([team_id, key_id, client_id, private_key]):
+        raise ValueError(
+            "Apple Sign In requires APPLE_TEAM_ID, APPLE_KEY_ID, "
+            "APPLE_CLIENT_ID, and APPLE_PRIVATE_KEY environment variables"
+        )
+
+    # Replace literal \n with actual newlines (env vars can't contain real newlines)
+    private_key = private_key.replace("\\n", "\n")
+
+    now = int(time.time())
+    payload = {
+        "iss": team_id,
+        "sub": client_id,
+        "aud": "https://appleid.apple.com",
+        "iat": now,
+        "exp": now + 86400 * 180,  # 180 days (Apple's max)
+    }
+    return jwt.encode(payload, private_key, algorithm="ES256", headers={"kid": key_id})
+
+
+def create_oauth() -> OAuth:
+    """Create OAuth registry with available providers.
+
+    Providers are registered only if their client_id env var is set.
+    """
+    oauth = OAuth()
+
+    # Google
+    if os.environ.get("GOOGLE_CLIENT_ID"):
+        oauth.register(
+            name="google",
+            client_id=os.environ.get("GOOGLE_CLIENT_ID"),
+            client_secret=os.environ.get("GOOGLE_CLIENT_SECRET", ""),
+            server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
+            client_kwargs={"scope": "openid email profile"},
+        )
+
+    # Apple — Sign in with Apple (OIDC)
+    if os.environ.get("APPLE_CLIENT_ID"):
+        oauth.register(
+            name="apple",
+            client_id=os.environ.get("APPLE_CLIENT_ID"),
+            client_secret=_apple_client_secret(),
+            server_metadata_url="https://appleid.apple.com/.well-known/openid-configuration",
+            client_kwargs={
+                "scope": "openid email name",
+                "response_mode": "form_post",
+            },
+        )
+
+    return oauth
+
+
+def get_registered_providers(oauth: OAuth) -> list[str]:
+    """Return the list of provider names that were registered."""
+    return [p for p in SUPPORTED_PROVIDERS if hasattr(oauth, p)]

flyfun_common-0.1.0/src/flyfun_common/auth/jwt_utils.py

@@ -0,0 +1,28 @@
+"""JWT token creation and validation."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import jwt
+
+JWT_ALGORITHM = "HS256"
+JWT_EXPIRY_DAYS = 7
+
+
+def create_token(user_id: str, email: str, name: str, secret: str) -> str:
+    """Create a signed JWT with user claims and 7-day expiry."""
+    now = datetime.now(timezone.utc)
+    payload = {
+        "sub": user_id,
+        "email": email,
+        "name": name,
+        "iat": now,
+        "exp": now + timedelta(days=JWT_EXPIRY_DAYS),
+    }
+    return jwt.encode(payload, secret, algorithm=JWT_ALGORITHM)
+
+
+def decode_token(token: str, secret: str) -> dict:
+    """Decode and validate a JWT."""
+    return jwt.decode(token, secret, algorithms=[JWT_ALGORITHM])