karrio-server 2026.1.3__py3-none-any.whl → 2026.1.4__py3-none-any.whl

karrio/server/VERSION

@@ -1 +1 @@
-2026.1.3
+2026.1.4

karrio/server/settings/base.py

@@ -513,6 +513,15 @@ SIMPLE_JWT = {
     "SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),
 }
 
+# JWT Cookie settings for HTTP-only cookie authentication
+JWT_AUTH_COOKIE = config("JWT_AUTH_COOKIE", default="karrio_access_token")
+JWT_REFRESH_COOKIE = config("JWT_REFRESH_COOKIE", default="karrio_refresh_token")
+JWT_AUTH_COOKIE_SECURE = config(
+    "JWT_AUTH_COOKIE_SECURE", default=USE_HTTPS, cast=bool
+)
+JWT_AUTH_COOKIE_SAMESITE = config("JWT_AUTH_COOKIE_SAMESITE", default="Lax")
+JWT_AUTH_COOKIE_PATH = config("JWT_AUTH_COOKIE_PATH", default="/")
+
 # OAuth2 config
 OIDC_RSA_PRIVATE_KEY = config("OIDC_RSA_PRIVATE_KEY", default="").replace("\\n", "\n")
 OAUTH2_PROVIDER_APPLICATION_MODEL = "oauth2_provider.Application"

karrio/server/urls/jwt.py

@@ -1,7 +1,10 @@
 from django.urls import path
 from django.contrib.auth import get_user_model
 from django.utils.translation import gettext_lazy as _
-from rest_framework import serializers, exceptions
+from django.conf import settings
+from rest_framework import serializers, exceptions, status
+from rest_framework.response import Response
+from rest_framework.permissions import AllowAny
 from rest_framework_simplejwt import views as jwt_views, serializers as jwt
 from two_factor.utils import default_device
 
@@ -11,6 +14,99 @@ ENDPOINT_ID = "&&"  # This endpoint id is used to make operation ids unique make
 User = get_user_model()
 
 
+# --- Cookie helpers (shared by all JWT views) ---
+
+def get_cookie_config(include_max_age=True):
+    """Build cookie configuration from Django settings."""
+    config = dict(
+        access_cookie_name=getattr(settings, "JWT_AUTH_COOKIE", "karrio_access_token"),
+        refresh_cookie_name=getattr(settings, "JWT_REFRESH_COOKIE", "karrio_refresh_token"),
+        secure=getattr(settings, "JWT_AUTH_COOKIE_SECURE", getattr(settings, "USE_HTTPS", False)),
+        samesite=getattr(settings, "JWT_AUTH_COOKIE_SAMESITE", "Lax"),
+        path=getattr(settings, "JWT_AUTH_COOKIE_PATH", "/"),
+    )
+
+    if include_max_age:
+        jwt_config = getattr(settings, "SIMPLE_JWT", {})
+        access_lifetime = jwt_config.get("ACCESS_TOKEN_LIFETIME")
+        refresh_lifetime = jwt_config.get("REFRESH_TOKEN_LIFETIME")
+        config.update(
+            access_max_age=int(access_lifetime.total_seconds()) if access_lifetime else 1800,
+            refresh_max_age=int(refresh_lifetime.total_seconds()) if refresh_lifetime else 259200,
+        )
+
+    return config
+
+
+def set_auth_cookies(response, access_token, refresh_token):
+    """Set HTTP-only cookies for access and refresh tokens on the response."""
+    config = get_cookie_config()
+
+    response.set_cookie(
+        config["access_cookie_name"],
+        access_token,
+        max_age=config["access_max_age"],
+        httponly=True,
+        secure=config["secure"],
+        samesite=config["samesite"],
+        path=config["path"],
+    )
+    response.set_cookie(
+        config["refresh_cookie_name"],
+        refresh_token,
+        max_age=config["refresh_max_age"],
+        httponly=True,
+        secure=config["secure"],
+        samesite=config["samesite"],
+        path=config["path"],
+    )
+
+
+def clear_auth_cookies(response):
+    """Clear HTTP-only auth cookies by expiring them immediately."""
+    config = get_cookie_config(include_max_age=False)
+
+    for cookie_name in [config["access_cookie_name"], config["refresh_cookie_name"]]:
+        response.set_cookie(
+            cookie_name,
+            "",
+            max_age=0,
+            httponly=True,
+            secure=config["secure"],
+            samesite=config["samesite"],
+            path=config["path"],
+        )
+
+
+def get_refresh_token(request):
+    """Get refresh token from cookie, falling back to request body."""
+    cookie_name = getattr(settings, "JWT_REFRESH_COOKIE", "karrio_refresh_token")
+    refresh_token = (
+        request.COOKIES.get(cookie_name)
+        or request.data.get("refresh")
+    )
+
+    if not refresh_token:
+        raise exceptions.ValidationError(
+            {"refresh": _("Refresh token is required.")}
+        )
+
+    return refresh_token
+
+
+def _build_token_response(access_token, refresh_token):
+    """Build a 201 token pair response with no-cache headers."""
+    response = Response(
+        {"access": access_token, "refresh": refresh_token},
+        status=status.HTTP_201_CREATED,
+    )
+    response["Cache-Control"] = "no-store"
+    response["CDN-Cache-Control"] = "no-store"
+    return response
+
+
+# --- Serializers ---
+
 class AccessToken(serializers.Serializer):
     access = serializers.CharField()
 
@@ -49,7 +145,13 @@ class TokenObtainPairSerializer(jwt.TokenObtainPairSerializer):
 
 class TokenRefreshSerializer(jwt.TokenRefreshSerializer):
     def validate(self, attrs: dict):
-        refresh = jwt.RefreshToken(attrs["refresh"])
+        refresh_token = attrs.get("refresh")
+        if not refresh_token:
+            raise exceptions.ValidationError(
+                {"refresh": _("Refresh token is required.")}
+            )
+
+        refresh = jwt.RefreshToken(refresh_token)
 
         if not refresh["is_verified"]:
             raise exceptions.AuthenticationFailed(
@@ -86,7 +188,13 @@ class VerifiedTokenObtainPairSerializer(jwt.TokenRefreshSerializer):
     )
 
     def validate(self, attrs):
-        refresh = self.token_class(attrs["refresh"])
+        refresh_token = attrs.get("refresh")
+        if not refresh_token:
+            raise exceptions.ValidationError(
+                {"refresh": _("Refresh token is required.")}
+            )
+
+        refresh = self.token_class(refresh_token)
         user = User.objects.get(id=refresh["user_id"])
         refresh["is_verified"] = self._validate_otp(attrs["otp_token"], user)
 
@@ -126,6 +234,8 @@ class VerifiedTokenObtainPairSerializer(jwt.TokenRefreshSerializer):
         )
 
 
+# --- Views ---
+
 class TokenObtainPair(jwt_views.TokenObtainPairView):
     serializer_class = TokenObtainPairSerializer
 
@@ -134,13 +244,17 @@ class TokenObtainPair(jwt_views.TokenObtainPairView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}authenticate",
         summary="Obtain auth token pair",
-        description="Authenticate the user and return a token pair",
+        description="Authenticate the user and return a token pair. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
-        response["Cache-Control"] = "no-store"
-        response["CDN-Cache-Control"] = "no-store"
+        serializer = self.get_serializer(data=self.request.data)
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        response = _build_token_response(data["access"], data["refresh"])
+        set_auth_cookies(response, data["access"], data["refresh"])
+
         return response
 
 
@@ -152,13 +266,23 @@ class TokenRefresh(jwt_views.TokenRefreshView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}refresh_token",
         summary="Refresh auth token",
-        description="Authenticate the user and return a token pair",
+        description="Refresh the authentication token. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
-        response["Cache-Control"] = "no-store"
-        response["CDN-Cache-Control"] = "no-store"
+        refresh_token = get_refresh_token(self.request)
+
+        serializer = self.get_serializer(data={"refresh": refresh_token})
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        access = data["access"]
+        refresh = data.get("refresh")
+
+        response = _build_token_response(access, refresh or refresh_token)
+        if refresh is not None:
+            set_auth_cookies(response, access, refresh)
+
         return response
 
 
@@ -187,13 +311,52 @@ class VerifiedTokenPair(jwt_views.TokenVerifyView):
         tags=["Auth"],
         operation_id=f"{ENDPOINT_ID}get_verified_token",
         summary="Get verified JWT token",
-        description="Get a verified JWT token pair by submitting a Two-Factor authentication code.",
+        description="Get a verified JWT token pair by submitting a Two-Factor authentication code. Tokens are stored in HTTP-only cookies.",
         responses={201: TokenPair()},
     )
     def post(self, *args, **kwargs):
-        response = super().post(*args, **kwargs)
+        refresh_token = get_refresh_token(self.request)
+
+        serializer = self.get_serializer(data={
+            "refresh": refresh_token,
+            "otp_token": self.request.data.get("otp_token"),
+        })
+        serializer.is_valid(raise_exception=True)
+
+        data = serializer.validated_data
+        access = data["access"]
+        refresh = data.get("refresh")
+
+        response = _build_token_response(access, refresh or refresh_token)
+        if refresh is not None:
+            set_auth_cookies(response, access, refresh)
+
+        return response
+
+
+class LogoutView(jwt_views.TokenVerifyView):
+    """Logout view that clears HTTP-only auth cookies."""
+    permission_classes = [AllowAny]
+
+    @openapi.extend_schema(
+        auth=[],
+        tags=["Auth"],
+        operation_id=f"{ENDPOINT_ID}logout",
+        summary="Logout",
+        description="Clear authentication cookies and logout the user. Accessible without authentication.",
+        responses={200: openapi.OpenApiTypes.OBJECT},
+    )
+    def post(self, *args, **kwargs):
+        response = Response(
+            {"detail": "Successfully logged out."},
+            status=status.HTTP_200_OK,
+        )
+
+        clear_auth_cookies(response)
+
         response["Cache-Control"] = "no-store"
         response["CDN-Cache-Control"] = "no-store"
+
         return response
 
 
@@ -202,4 +365,5 @@ urlpatterns = [
     path("api/token/refresh", TokenRefresh.as_view(), name="jwt-refresh"),
     path("api/token/verify", TokenVerify.as_view(), name="jwt-verify"),
     path("api/token/verified", VerifiedTokenPair.as_view(), name="verified-jwt-pair"),
+    path("api/logout", LogoutView.as_view(), name="jwt-logout"),
 ]

{karrio_server-2026.1.3.dist-info → karrio_server-2026.1.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: karrio_server
-Version: 2026.1.3
+Version: 2026.1.4
 Summary: Multi-carrier shipping API
 Author-email: karrio <hello@karrio.io>
 License-Expression: Apache-2.0

{karrio_server-2026.1.3.dist-info → karrio_server-2026.1.4.dist-info}/RECORD

@@ -1,4 +1,4 @@
-karrio/server/VERSION,sha256=WO9GTvjg5mWKSal2BTFuGS6jCULaqRd8bW8fb_aB_6A,8
+karrio/server/VERSION,sha256=QphdNAnHQVjVDgkk5LVXj3qpqRHRvOVtCt2bs_goMQ4,8
 karrio/server/__init__.py,sha256=iOEMwnlORWezdO8-2vxBIPSR37D7JGjluZ8f55vzxls,81
 karrio/server/__main__.py,sha256=hy2-Zb2wSVe_Pu6zWZ-BhiM4rBaGZ3D16HSuhudygqg,632
 karrio/server/asgi.py,sha256=LsZYMWo8U9zURVPdHnvUsziOhMjdCdQoD2-gMJbS2U0,462
@@ -7,7 +7,7 @@ karrio/server/wsgi.py,sha256=SpWqkEYlMsj89_znZ8p8IjH3EgTVRWRq_9eS8t64dMw,403
 karrio/server/lib/otel_huey.py,sha256=6MP6vX6b6x6RPF2K1m8B8L8S9GK1Q3vANmLidsxh65k,5428
 karrio/server/settings/__init__.py,sha256=iw-NBcReOnDYpnvSEBdYDfV7jC0040jYdupnmSdElec,866
 karrio/server/settings/apm.py,sha256=Zt8dP2y8DjPa_iNyv3ZywXTbHlULWc06SLPJhlTTA-A,19983
-karrio/server/settings/base.py,sha256=9Rfe24fieBtwyU8FjBAC2tDMrUPl8Unz-1_zpjZ5Oj4,23144
+karrio/server/settings/base.py,sha256=8macll9KmzuTd2jfqa5Pch_sTnDNh-MGezrNOXsmQbE,23598
 karrio/server/settings/cache.py,sha256=UYBd6pG-5pWSUlu4d3PuWGWYCiiDBL2oc1hYzq131zY,4045
 karrio/server/settings/constance.py,sha256=84Ldmwr_o_5WBy5awf-k5AWpYmpMt2dzO3xh6MoqEXU,8013
 karrio/server/settings/debug.py,sha256=fFyK2XX47UGeK0eRNSV-9ZLaComay5QvJW0692vaH98,527
@@ -73,10 +73,10 @@ karrio/server/static/karrio/js/karrio.js.map,sha256=9p642er0UNa_Knyf2OdHCEDbeV4G
 karrio/server/templates/admin/base_site.html,sha256=kbcdvehXZ1EHaw07JL7fSZmjrnVMKsnydjbTKa7Ondg,466
 karrio/server/templates/openapi/openapi.html,sha256=3ApCZ5pE6Wjv7CJllVbqD2WiDQuLy-BFS-IIHurXhBY,1133
 karrio/server/urls/__init__.py,sha256=SHmmXmVn9Hbf7eZ2wcL10hG84yQPBrcVaCsvi5cdrrA,2062
-karrio/server/urls/jwt.py,sha256=QN2L-EpUEQCF2UGYPu_VVlA49Fc0BtcY7Ov3-xpp7_U,6772
+karrio/server/urls/jwt.py,sha256=xZXgbdZAYPObeexgprokWKOeCXr8SqhTRlR5-P1Es5E,12198
 karrio/server/urls/tokens.py,sha256=5slk9F0HPgV3dRnR9UipAl-R8837eiGqKJ31QnCdLnU,8215
-karrio_server-2026.1.3.dist-info/METADATA,sha256=b65q090uHERze0GXM6kS09rMfK51QPnyuSsnOMHKgl0,4303
-karrio_server-2026.1.3.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-karrio_server-2026.1.3.dist-info/entry_points.txt,sha256=c2eftt6MpJjyp0OFv1OmO9nUYSDemt9fGq_RDdvpGLw,55
-karrio_server-2026.1.3.dist-info/top_level.txt,sha256=D1D7x8R3cTfjF_15mfiO7wCQ5QMtuM4x8GaPr7z5i78,12
-karrio_server-2026.1.3.dist-info/RECORD,,
+karrio_server-2026.1.4.dist-info/METADATA,sha256=z6PS_ZXTUjxqx2nMUzqVnvM6a34hrU27mU1ks7Hu7vY,4303
+karrio_server-2026.1.4.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+karrio_server-2026.1.4.dist-info/entry_points.txt,sha256=c2eftt6MpJjyp0OFv1OmO9nUYSDemt9fGq_RDdvpGLw,55
+karrio_server-2026.1.4.dist-info/top_level.txt,sha256=D1D7x8R3cTfjF_15mfiO7wCQ5QMtuM4x8GaPr7z5i78,12
+karrio_server-2026.1.4.dist-info/RECORD,,