go-authgate 0.1.0__tar.gz

go_authgate-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,33 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  test:
+    uses: ./.github/workflows/testing.yml
+
+  trivy:
+    uses: ./.github/workflows/trivy.yml
+
+  publish:
+    needs: [test, trivy]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Build
+        run: uv build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

go_authgate-0.1.0/.github/workflows/testing.yml

@@ -0,0 +1,36 @@
+name: Testing
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: make install
+
+      - name: Lint
+        run: make lint
+
+      - name: Type check
+        run: make typecheck
+
+      - name: Test
+        run: make test

go_authgate-0.1.0/.github/workflows/trivy.yml

@@ -0,0 +1,35 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 15 * * *" # 23:00 UTC+8
+  workflow_call:
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: 1
+          severity: CRITICAL,HIGH
+
+      - name: Upload results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif

go_authgate-0.1.0/.gitignore

@@ -0,0 +1,15 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+dist/
+build/
+*.egg
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+*.so
+.venv/
+venv/

go_authgate-0.1.0/CLAUDE.md

@@ -0,0 +1,44 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code when working with the Python SDK.
+
+## Project Overview
+
+Python SDK for AuthGate — mirrors the Go SDK's architecture using idiomatic Python patterns.
+
+Package: `authgate` (Python 3.10+, src layout with hatchling build)
+
+## Common Commands
+
+```bash
+make install       # uv sync --all-extras (install all deps)
+make test          # Run all tests with pytest
+make lint          # Run ruff linter
+make fmt           # Format code with ruff
+make typecheck     # Run mypy strict
+```
+
+Project is managed with [uv](https://docs.astral.sh/uv/). All `make` targets use `uv run` so no manual venv activation is needed.
+
+## Code Style
+
+- ruff for linting and formatting (line length 100)
+- mypy strict mode
+- Dataclasses over Pydantic (zero extra deps)
+- Sync + Async dual API in separate client classes
+- Framework-specific middleware: users only import what they need
+- `from __future__ import annotations` in all modules
+
+## Architecture
+
+- `oauth/` — Pure HTTP client layer (sync: `OAuthClient`, async: `AsyncOAuthClient`)
+- `discovery/` — OIDC auto-discovery with caching
+- `credstore/` — Generic credential storage (file, keyring, composite secure store)
+- `authflow/` — Device Code flow, Auth Code + PKCE, auto-refresh TokenSource
+- `middleware/` — Framework adapters (FastAPI, Flask, Django)
+- `clientcreds/` — M2M Client Credentials with auto-caching
+- `__init__.py` — `authenticate()` / `async_authenticate()` entry points
+
+## Before Committing
+
+All code must pass `make lint`, `make fmt`, and `make typecheck` before committing.

go_authgate-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 AuthGate Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

go_authgate-0.1.0/Makefile

@@ -0,0 +1,24 @@
+.PHONY: test lint fmt typecheck install clean
+
+install:
+	uv sync --all-extras
+
+test:
+	uv run pytest tests/ -v --tb=short
+
+coverage:
+	uv run coverage run -m pytest tests/ -v --tb=short
+	uv run coverage report -m
+
+lint:
+	uv run ruff check src/ tests/
+
+fmt:
+	uv run ruff format src/ tests/
+	uv run ruff check --fix src/ tests/
+
+typecheck:
+	uv run mypy src/authgate/
+
+clean:
+	rm -rf build/ dist/ *.egg-info src/*.egg-info .mypy_cache .pytest_cache .ruff_cache .coverage htmlcov/

go_authgate-0.1.0/PKG-INFO

@@ -0,0 +1,142 @@
+Metadata-Version: 2.4
+Name: go-authgate
+Version: 0.1.0
+Summary: Python SDK for AuthGate — OAuth 2.0 authentication and token management
+Author: AuthGate Contributors
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Typing :: Typed
+Requires-Python: >=3.10
+Requires-Dist: httpx<1,>=0.27
+Requires-Dist: keyring<27,>=25
+Provides-Extra: dev
+Requires-Dist: coverage>=7; extra == 'dev'
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-httpx>=0.30; extra == 'dev'
+Requires-Dist: pytest>=8; extra == 'dev'
+Requires-Dist: ruff>=0.5; extra == 'dev'
+Provides-Extra: django
+Requires-Dist: django>=4.2; extra == 'django'
+Provides-Extra: fastapi
+Requires-Dist: fastapi>=0.100; extra == 'fastapi'
+Provides-Extra: flask
+Requires-Dist: flask>=2.3; extra == 'flask'
+Description-Content-Type: text/markdown
+
+# AuthGate Python SDK
+
+[![PyPI](https://img.shields.io/pypi/v/go-authgate)](https://pypi.org/project/go-authgate/)
+[![Python](https://img.shields.io/pypi/pyversions/go-authgate)](https://pypi.org/project/go-authgate/)
+[![CI](https://github.com/go-authgate/sdk-python/actions/workflows/testing.yml/badge.svg)](https://github.com/go-authgate/sdk-python/actions/workflows/testing.yml)
+[![License](https://img.shields.io/pypi/l/go-authgate)](LICENSE)
+
+Python SDK for [AuthGate](https://github.com/go-authgate) — OAuth 2.0 authentication and token management.
+
+## Installation
+
+```bash
+pip install go-authgate
+```
+
+With framework support:
+
+```bash
+pip install go-authgate[fastapi]
+pip install go-authgate[flask]
+pip install go-authgate[django]
+```
+
+## Quick Start
+
+```python
+from authgate import authenticate
+
+client, token = authenticate(
+    "https://auth.example.com",
+    "my-client-id",
+    scopes=["profile", "email"],
+)
+
+print(f"Access token: {token.access_token}")
+```
+
+## Async Usage
+
+```python
+from authgate import async_authenticate
+
+client, token = await async_authenticate(
+    "https://auth.example.com",
+    "my-client-id",
+    scopes=["profile", "email"],
+)
+```
+
+## Client Credentials (M2M)
+
+```python
+from authgate.oauth import OAuthClient, Endpoints
+from authgate.clientcreds import TokenSource, BearerAuth
+import httpx
+
+client = OAuthClient("my-service", endpoints, client_secret="secret")
+ts = TokenSource(client, scopes=["api"])
+
+# Auto-attaches Bearer token to every request
+with httpx.Client(auth=BearerAuth(ts)) as http:
+    resp = http.get("https://api.example.com/data")
+```
+
+## Middleware
+
+### FastAPI
+
+```python
+from fastapi import FastAPI, Depends
+from authgate.middleware.fastapi import BearerAuth
+from authgate.middleware.models import TokenInfo
+
+app = FastAPI()
+auth = BearerAuth(oauth_client)
+
+@app.get("/protected")
+async def protected(info: TokenInfo = Depends(auth)):
+    return {"user": info.user_id}
+```
+
+### Flask
+
+```python
+from flask import Flask
+from authgate.middleware.flask import bearer_auth, get_token_info
+
+app = Flask(__name__)
+
+@app.route("/protected")
+@bearer_auth(oauth_client)
+def protected():
+    info = get_token_info()
+    return {"user": info.user_id}
+```
+
+## Development
+
+```bash
+make install    # uv sync --all-extras
+make test
+make lint
+make typecheck
+```
+
+## License
+
+MIT

go_authgate-0.1.0/README.md

@@ -0,0 +1,108 @@
+# AuthGate Python SDK
+
+[![PyPI](https://img.shields.io/pypi/v/go-authgate)](https://pypi.org/project/go-authgate/)
+[![Python](https://img.shields.io/pypi/pyversions/go-authgate)](https://pypi.org/project/go-authgate/)
+[![CI](https://github.com/go-authgate/sdk-python/actions/workflows/testing.yml/badge.svg)](https://github.com/go-authgate/sdk-python/actions/workflows/testing.yml)
+[![License](https://img.shields.io/pypi/l/go-authgate)](LICENSE)
+
+Python SDK for [AuthGate](https://github.com/go-authgate) — OAuth 2.0 authentication and token management.
+
+## Installation
+
+```bash
+pip install go-authgate
+```
+
+With framework support:
+
+```bash
+pip install go-authgate[fastapi]
+pip install go-authgate[flask]
+pip install go-authgate[django]
+```
+
+## Quick Start
+
+```python
+from authgate import authenticate
+
+client, token = authenticate(
+    "https://auth.example.com",
+    "my-client-id",
+    scopes=["profile", "email"],
+)
+
+print(f"Access token: {token.access_token}")
+```
+
+## Async Usage
+
+```python
+from authgate import async_authenticate
+
+client, token = await async_authenticate(
+    "https://auth.example.com",
+    "my-client-id",
+    scopes=["profile", "email"],
+)
+```
+
+## Client Credentials (M2M)
+
+```python
+from authgate.oauth import OAuthClient, Endpoints
+from authgate.clientcreds import TokenSource, BearerAuth
+import httpx
+
+client = OAuthClient("my-service", endpoints, client_secret="secret")
+ts = TokenSource(client, scopes=["api"])
+
+# Auto-attaches Bearer token to every request
+with httpx.Client(auth=BearerAuth(ts)) as http:
+    resp = http.get("https://api.example.com/data")
+```
+
+## Middleware
+
+### FastAPI
+
+```python
+from fastapi import FastAPI, Depends
+from authgate.middleware.fastapi import BearerAuth
+from authgate.middleware.models import TokenInfo
+
+app = FastAPI()
+auth = BearerAuth(oauth_client)
+
+@app.get("/protected")
+async def protected(info: TokenInfo = Depends(auth)):
+    return {"user": info.user_id}
+```
+
+### Flask
+
+```python
+from flask import Flask
+from authgate.middleware.flask import bearer_auth, get_token_info
+
+app = Flask(__name__)
+
+@app.route("/protected")
+@bearer_auth(oauth_client)
+def protected():
+    info = get_token_info()
+    return {"user": info.user_id}
+```
+
+## Development
+
+```bash
+make install    # uv sync --all-extras
+make test
+make lint
+make typecheck
+```
+
+## License
+
+MIT

go_authgate-0.1.0/pyproject.toml

@@ -0,0 +1,90 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "go-authgate"
+dynamic = ["version"]
+description = "Python SDK for AuthGate — OAuth 2.0 authentication and token management"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.10"
+authors = [{ name = "AuthGate Contributors" }]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Typing :: Typed",
+]
+dependencies = ["httpx>=0.27,<1", "keyring>=25,<27"]
+
+[project.optional-dependencies]
+fastapi = ["fastapi>=0.100"]
+flask = ["flask>=2.3"]
+django = ["django>=4.2"]
+dev = [
+    "pytest>=8",
+    "pytest-asyncio>=0.23",
+    "pytest-httpx>=0.30",
+    "coverage>=7",
+    "mypy>=1.10",
+    "ruff>=0.5",
+]
+
+[tool.hatch.version]
+path = "src/authgate/_version.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/authgate"]
+
+[tool.ruff]
+target-version = "py310"
+line-length = 100
+
+[tool.ruff.lint]
+select = [
+    "E",
+    "F",
+    "W",
+    "I",
+    "N",
+    "UP",
+    "B",
+    "A",
+    "SIM",
+    "RUF",
+]
+
+[tool.ruff.lint.isort]
+known-first-party = ["authgate"]
+
+[tool.mypy]
+python_version = "3.10"
+strict = true
+warn_return_any = true
+warn_unused_configs = true
+
+[[tool.mypy.overrides]]
+module = ["keyring", "keyring.errors"]
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = ["fastapi", "fastapi.*"]
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = ["flask", "flask.*"]
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = ["django", "django.*"]
+ignore_missing_imports = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"

go_authgate-0.1.0/src/authgate/__init__.py

@@ -0,0 +1,137 @@
+"""AuthGate Python SDK — one-call authentication entry point."""
+
+from __future__ import annotations
+
+import enum
+
+from authgate._version import __version__
+from authgate.authflow.authcode import run_auth_code_flow
+from authgate.authflow.browser import check_browser_availability
+from authgate.authflow.device import async_run_device_flow, run_device_flow
+from authgate.authflow.token_source import TokenSource
+from authgate.credstore import default_token_secure_store
+from authgate.discovery.async_client import AsyncDiscoveryClient
+from authgate.discovery.client import DiscoveryClient
+from authgate.exceptions import AuthGateError
+from authgate.oauth.async_client import AsyncOAuthClient
+from authgate.oauth.client import OAuthClient
+from authgate.oauth.models import Token
+
+
+class FlowMode(enum.Enum):
+    """Authentication flow selection strategy."""
+
+    AUTO = "auto"
+    BROWSER = "browser"
+    DEVICE = "device"
+
+
+def authenticate(
+    authgate_url: str,
+    client_id: str,
+    *,
+    scopes: list[str] | None = None,
+    service_name: str = "authgate",
+    store_path: str = ".authgate-tokens.json",
+    local_port: int = 8088,
+    flow_mode: FlowMode = FlowMode.AUTO,
+) -> tuple[OAuthClient, Token]:
+    """Authenticate with an AuthGate server and return a ready-to-use client and token.
+
+    Cached tokens are reused automatically; expired tokens are refreshed.
+    When no valid token exists, the flow is determined by ``flow_mode``.
+    """
+    if not authgate_url:
+        raise AuthGateError("authgate: authgate_url is required")
+    if not client_id:
+        raise AuthGateError("authgate: client_id is required")
+
+    _scopes = scopes or []
+
+    # 1. Discover endpoints
+    disco = DiscoveryClient(authgate_url)
+    meta = disco.fetch()
+
+    # 2. Create OAuth client
+    client = OAuthClient(client_id, meta.to_endpoints())
+
+    # 3. Set up token store and source
+    store = default_token_secure_store(service_name, store_path)
+    ts = TokenSource(client, store=store)
+
+    # 4. Return cached/refreshed token if available
+    try:
+        token = ts.token()
+        return client, token
+    except Exception:
+        pass
+
+    # 5. No valid token — run the appropriate authentication flow
+    if flow_mode == FlowMode.BROWSER:
+        token = run_auth_code_flow(client, _scopes, local_port=local_port)
+    elif flow_mode == FlowMode.DEVICE:
+        token = run_device_flow(client, _scopes)
+    else:  # AUTO
+        if check_browser_availability():
+            token = run_auth_code_flow(client, _scopes, local_port=local_port)
+        else:
+            token = run_device_flow(client, _scopes)
+
+    # 6. Persist the new token
+    ts.save_token(token)
+
+    return client, token
+
+
+async def async_authenticate(
+    authgate_url: str,
+    client_id: str,
+    *,
+    scopes: list[str] | None = None,
+    service_name: str = "authgate",
+    store_path: str = ".authgate-tokens.json",
+    flow_mode: FlowMode = FlowMode.AUTO,
+) -> tuple[AsyncOAuthClient, Token]:
+    """Async version of authenticate().
+
+    Note: Auth Code flow is not available in async mode. Device flow is used for
+    BROWSER and AUTO modes when a browser is available.
+    """
+    if not authgate_url:
+        raise AuthGateError("authgate: authgate_url is required")
+    if not client_id:
+        raise AuthGateError("authgate: client_id is required")
+
+    _scopes = scopes or []
+
+    # 1. Discover endpoints
+    disco = AsyncDiscoveryClient(authgate_url)
+    meta = await disco.fetch()
+
+    # 2. Create async OAuth client
+    client = AsyncOAuthClient(client_id, meta.to_endpoints())
+
+    # 3. Check stored token (sync store, run in thread)
+    store = default_token_secure_store(service_name, store_path)
+    ts = TokenSource(OAuthClient(client_id, meta.to_endpoints()), store=store)
+    try:
+        token = ts.token()
+        return client, token
+    except Exception:
+        pass
+
+    # 4. Run device flow (always, since auth code needs sync HTTP server)
+    token = await async_run_device_flow(client, _scopes)
+
+    # 5. Persist
+    ts.save_token(token)
+
+    return client, token
+
+
+__all__ = [
+    "FlowMode",
+    "__version__",
+    "async_authenticate",
+    "authenticate",
+]

go_authgate-0.1.0/src/authgate/_version.py

@@ -0,0 +1,3 @@
+"""Version information."""
+
+__version__ = "0.1.0"