mdb-engine 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl

mdb_engine/auth/token_store.py

@@ -11,8 +11,11 @@ from datetime import datetime, timedelta
 from typing import Optional
 
 try:
-    from pymongo.errors import (ConnectionFailure, OperationFailure,
-                                ServerSelectionTimeoutError)
+    from pymongo.errors import (
+        ConnectionFailure,
+        OperationFailure,
+        ServerSelectionTimeoutError,
+    )
 except ImportError:
     ConnectionFailure = Exception
     OperationFailure = Exception
@@ -54,9 +57,7 @@ class TokenBlacklist:
 
         try:
             # Create unique index on jti
-            await self.collection.create_index(
-                "jti", unique=True, name="jti_unique_idx"
-            )
+            await self.collection.create_index("jti", unique=True, name="jti_unique_idx")
 
             # Create TTL index on expires_at (auto-delete expired entries)
             await self.collection.create_index(
@@ -110,9 +111,7 @@ class TokenBlacklist:
             }
 
             # Use upsert to handle duplicate jti gracefully
-            await self.collection.update_one(
-                {"jti": jti}, {"$set": blacklist_entry}, upsert=True
-            )
+            await self.collection.update_one({"jti": jti}, {"$set": blacklist_entry}, upsert=True)
 
             logger.debug(f"Token {jti} added to blacklist (reason: {reason})")
             return True
@@ -158,15 +157,11 @@ class TokenBlacklist:
             ValueError,
             TypeError,
         ) as e:
-            logger.error(
-                f"Error checking token revocation status for {jti}: {e}", exc_info=True
-            )
+            logger.error(f"Error checking token revocation status for {jti}: {e}", exc_info=True)
             # On error, assume not revoked (fail open for availability)
             return False
 
-    async def revoke_all_user_tokens(
-        self, user_id: str, reason: Optional[str] = None
-    ) -> int:
+    async def revoke_all_user_tokens(self, user_id: str, reason: Optional[str] = None) -> int:
         """
         Revoke all tokens for a specific user.
 
@@ -189,8 +184,7 @@ class TokenBlacklist:
                 "user_id": user_id,
                 "revoked_at": datetime.utcnow(),
                 "reason": reason or "logout_all",
-                "expires_at": datetime.utcnow()
-                + timedelta(days=30),  # Keep for 30 days
+                "expires_at": datetime.utcnow() + timedelta(days=30),  # Keep for 30 days
             }
 
             # Use upsert to update or create marker
@@ -213,9 +207,7 @@ class TokenBlacklist:
             ValueError,
             TypeError,
         ) as e:
-            logger.error(
-                f"Error revoking all tokens for user {user_id}: {e}", exc_info=True
-            )
+            logger.error(f"Error revoking all tokens for user {user_id}: {e}", exc_info=True)
             return 0
 
     async def is_user_revoked(self, user_id: str) -> bool:
@@ -231,9 +223,7 @@ class TokenBlacklist:
         try:
             await self.ensure_indexes()
 
-            marker = await self.collection.find_one(
-                {"user_id": user_id, "type": "user_revocation"}
-            )
+            marker = await self.collection.find_one({"user_id": user_id, "type": "user_revocation"})
 
             if marker:
                 # Check if marker hasn't expired
@@ -269,9 +259,7 @@ class TokenBlacklist:
             Number of entries deleted
         """
         try:
-            result = await self.collection.delete_many(
-                {"expires_at": {"$lt": datetime.utcnow()}}
-            )
+            result = await self.collection.delete_many({"expires_at": {"$lt": datetime.utcnow()}})
             deleted_count = result.deleted_count
             if deleted_count > 0:
                 logger.info(f"Cleared {deleted_count} expired blacklist entries")
@@ -283,7 +271,5 @@ class TokenBlacklist:
             ValueError,
             TypeError,
         ) as e:
-            logger.error(
-                f"Error clearing expired blacklist entries: {e}", exc_info=True
-            )
+            logger.error(f"Error clearing expired blacklist entries: {e}", exc_info=True)
             return 0

mdb_engine/auth/users.py

@@ -22,9 +22,15 @@ from fastapi import Request
 from fastapi.responses import Response
 
 try:
-    from pymongo.errors import (ConnectionFailure, OperationFailure,
-                                ServerSelectionTimeoutError)
+    from bson.errors import InvalidId as BsonInvalidId
+    from pymongo.errors import (
+        ConnectionFailure,
+        OperationFailure,
+        PyMongoError,
+        ServerSelectionTimeoutError,
+    )
 except ImportError:
+    BsonInvalidId = ValueError  # Fallback if bson not available
     ConnectionFailure = Exception
     OperationFailure = Exception
     ServerSelectionTimeoutError = Exception
@@ -90,11 +96,8 @@ def _convert_user_id_to_objectid(user_id: Any) -> Tuple[Any, Optional[str]]:
         # If it's not a string or ObjectId, try to convert (for backward compatibility)
         try:
             return ObjectId(user_id), None
-        except (TypeError, ValueError) as e:
+        except (TypeError, ValueError, BsonInvalidId) as e:
             return None, f"Invalid user_id format: {user_id}: {e}"
-        except Exception:
-            logger.exception("Unexpected error converting user_id to ObjectId")
-            raise
 
     return user_id, None
 
@@ -154,9 +157,7 @@ async def get_app_user(
     db,
     config: Optional[Dict[str, Any]] = None,
     allow_demo_fallback: bool = False,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
+    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
 ) -> Optional[Dict[str, Any]]:
     """
     Get app-level user from session cookie.
@@ -279,9 +280,7 @@ async def _try_demo_mode(
             f"(MONGO_URI={MONGO_URI}, DB_NAME={DB_NAME})"
         )
 
-        demo_user = await get_or_create_demo_user(
-            db, slug_id, config, MONGO_URI, DB_NAME
-        )
+        demo_user = await get_or_create_demo_user(db, slug_id, config, MONGO_URI, DB_NAME)
 
         if not demo_user:
             logger.warning(
@@ -321,9 +320,7 @@ async def create_app_session(
     user_id: str,
     config: Optional[Dict[str, Any]] = None,
     response: Optional[Response] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
+    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
 ) -> str:
     """
     Create a app-specific session token and set cookie.
@@ -387,9 +384,7 @@ async def create_app_session(
         cookie_name = f"{session_cookie_name}_{slug_id}"
 
         # Determine secure cookie setting
-        should_use_secure = (
-            request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
-        )
+        should_use_secure = request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
 
         response.set_cookie(
             key=cookie_name,
@@ -436,12 +431,9 @@ async def authenticate_app_user(
                 from bson.objectid import ObjectId
 
                 query["store_id"] = ObjectId(store_id)
-            except (TypeError, ValueError) as e:
+            except (TypeError, ValueError, BsonInvalidId) as e:
                 logger.warning(f"Invalid store_id format: {store_id}: {e}")
                 return None
-            except Exception:
-                logger.exception("Unexpected error converting store_id to ObjectId")
-                raise
 
         # Find user
         # Use getattr to access collection (works with ScopedMongoWrapper and AppDB)
@@ -479,10 +471,12 @@ async def authenticate_app_user(
     except (ValueError, TypeError):
         logger.exception("Validation error authenticating app user")
         return None
-    except Exception:
-        logger.exception("Unexpected error authenticating app user")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error authenticating app user")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("Attribute access error authenticating app user")
+        return None
 
 
 async def create_app_user(
@@ -513,12 +507,7 @@ async def create_app_user(
         from bson.objectid import ObjectId
 
         # Validate email format
-        if (
-            not email
-            or not isinstance(email, str)
-            or "@" not in email
-            or "." not in email
-        ):
+        if not email or not isinstance(email, str) or "@" not in email or "." not in email:
             logger.warning(f"Invalid email format: {email}")
             return None
 
@@ -545,13 +534,9 @@ async def create_app_user(
         # Always hash password (plain text support removed for security)
         try:
             password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
-        except ValueError:
+        except (ValueError, TypeError, UnicodeEncodeError):
             logger.exception("Error encoding password for hashing")
             return None
-        except Exception:
-            logger.exception("Unexpected error hashing password")
-            # Re-raise unexpected errors
-            raise
 
         # Create user document
         user_doc = {
@@ -573,13 +558,15 @@ async def create_app_user(
 
         return user_doc
 
-    except (ValueError, TypeError):
+    except (ValueError, TypeError, BsonInvalidId):
         logger.exception("Validation error creating app user")
         return None
-    except Exception:
-        logger.exception("Unexpected error creating app user")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error creating app user")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("Attribute access error creating app user")
+        return None
 
 
 async def get_or_create_anonymous_user(
@@ -587,9 +574,7 @@ async def get_or_create_anonymous_user(
     slug_id: str,
     db,
     config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
+    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
 ) -> Optional[Dict[str, Any]]:
     """
     Get or create an anonymous user for anonymous_session strategy.
@@ -655,9 +640,7 @@ async def get_or_create_anonymous_user(
     return user
 
 
-async def get_platform_demo_user(
-    mongo_uri: str, db_name: str
-) -> Optional[Dict[str, Any]]:
+async def get_platform_demo_user(mongo_uri: str, db_name: str) -> Optional[Dict[str, Any]]:
     """
     Get platform demo user information from top-level database.
 
@@ -669,8 +652,7 @@ async def get_platform_demo_user(
         Dict with demo user info (email, password from config, user_id) or None if not available
     """
     try:
-        from ..config import (DEMO_EMAIL_DEFAULT, DEMO_ENABLED,
-                              DEMO_PASSWORD_DEFAULT)
+        from ..config import DEMO_EMAIL_DEFAULT, DEMO_ENABLED, DEMO_PASSWORD_DEFAULT
 
         if not DEMO_ENABLED or not DEMO_EMAIL_DEFAULT:
             return None
@@ -716,14 +698,10 @@ async def _link_platform_demo_user(
     import datetime
 
     try:
-        logger.debug(
-            f"ensure_demo_users_exist: Auto-linking platform demo user for '{slug_id}'"
-        )
+        logger.debug(f"ensure_demo_users_exist: Auto-linking platform demo user for '{slug_id}'")
         platform_demo = await get_platform_demo_user(mongo_uri, db_name)
         if not platform_demo:
-            logger.warning(
-                f"ensure_demo_users_exist: Platform demo user not found for '{slug_id}'"
-            )
+            logger.warning(f"ensure_demo_users_exist: Platform demo user not found for '{slug_id}'")
             return None
 
         # Check if app demo user already exists for platform demo
@@ -737,13 +715,10 @@ async def _link_platform_demo_user(
         platform_password = platform_demo.get("password", "demo123")
         password_hash = None
         try:
-            password_hash = bcrypt.hashpw(
-                platform_password.encode("utf-8"), bcrypt.gensalt()
-            )
+            password_hash = bcrypt.hashpw(platform_password.encode("utf-8"), bcrypt.gensalt())
         except (ValueError, TypeError, AttributeError) as e:
             logger.error(
-                f"Error hashing password for platform demo user "
-                f"{platform_demo['email']}: {e}",
+                f"Error hashing password for platform demo user " f"{platform_demo['email']}: {e}",
                 exc_info=True,
             )
             return None
@@ -793,9 +768,7 @@ def _validate_demo_user_config(
 
     extra_data = demo_user_config.get("extra_data", {})
     if not isinstance(extra_data, dict):
-        logger.warning(
-            f"Invalid extra_data for demo user config (not a dict): {extra_data}"
-        )
+        logger.warning(f"Invalid extra_data for demo user config (not a dict): {extra_data}")
         extra_data = {}
 
     return {
@@ -825,14 +798,10 @@ async def _resolve_demo_user_email_password(
                 if not password:
                     password = platform_demo["password"]
             else:
-                logger.warning(
-                    f"No email specified and platform demo not available for {slug_id}"
-                )
+                logger.warning(f"No email specified and platform demo not available for {slug_id}")
                 return None, None
         else:
-            logger.warning(
-                f"No email specified and cannot access platform demo for {slug_id}"
-            )
+            logger.warning(f"No email specified and cannot access platform demo for {slug_id}")
             return None, None
 
     # Validate email format
@@ -877,9 +846,7 @@ async def _create_demo_user_from_config(
     try:
         password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
     except (ValueError, TypeError, AttributeError) as e:
-        logger.error(
-            f"Error hashing password for demo user {email}: {e}", exc_info=True
-        )
+        logger.error(f"Error hashing password for demo user {email}: {e}", exc_info=True)
         return None
 
     # Create user document
@@ -945,9 +912,7 @@ async def _create_demo_user_from_config(
 
         user_doc["_id"] = result.inserted_id if not custom_id else custom_id
         user_doc["app_user_id"] = str(user_doc["_id"])
-        logger.info(
-            f"Created demo user {email} for {slug_id} with _id={user_doc['_id']}"
-        )
+        logger.info(f"Created demo user {email} for {slug_id} with _id={user_doc['_id']}")
         return user_doc
     except (
         OperationFailure,
@@ -1030,9 +995,7 @@ async def ensure_demo_users_exist(
     for demo_user_config in demo_users_config:
         try:
             # Validate config structure
-            validated_config, error = _validate_demo_user_config(
-                demo_user_config, slug_id
-            )
+            validated_config, error = _validate_demo_user_config(demo_user_config, slug_id)
             if not validated_config:
                 if error:
                     logger.warning(error)
@@ -1096,9 +1059,7 @@ async def get_or_create_demo_user_for_request(
     slug_id: str,
     db,
     config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
+    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
 ) -> Optional[Dict[str, Any]]:
     """
     Get or create a demo user for the current request context.
@@ -1146,9 +1107,7 @@ async def get_or_create_demo_user_for_request(
                         # Check if app demo user exists
                         # Use getattr to access collection (works with ScopedMongoWrapper and AppDB)
                         collection = getattr(db, collection_name)
-                        app_demo = await collection.find_one(
-                            {"email": DEMO_EMAIL_DEFAULT}
-                        )
+                        app_demo = await collection.find_one({"email": DEMO_EMAIL_DEFAULT})
 
                         if app_demo:
                             app_demo["app_user_id"] = str(app_demo["_id"])
@@ -1158,15 +1117,11 @@ async def get_or_create_demo_user_for_request(
                         try:
                             from ..config import DB_NAME, MONGO_URI
 
-                            await ensure_demo_users_exist(
-                                db, slug_id, config, MONGO_URI, DB_NAME
-                            )
+                            await ensure_demo_users_exist(db, slug_id, config, MONGO_URI, DB_NAME)
                             # Use getattr to access collection (works with
                             # ScopedMongoWrapper and AppDB)
                             collection = getattr(db, collection_name)
-                            app_demo = await collection.find_one(
-                                {"email": DEMO_EMAIL_DEFAULT}
-                            )
+                            app_demo = await collection.find_one({"email": DEMO_EMAIL_DEFAULT})
                             if app_demo:
                                 app_demo["app_user_id"] = str(app_demo["_id"])
                                 return app_demo
@@ -1232,9 +1187,7 @@ async def get_or_create_demo_user(
             f"db_name={'provided' if db_name else 'not provided'})"
         )
 
-        demo_users = await ensure_demo_users_exist(
-            db, slug_id, config, mongo_uri, db_name
-        )
+        demo_users = await ensure_demo_users_exist(db, slug_id, config, mongo_uri, db_name)
 
         if demo_users and len(demo_users) > 0:
             # Return the first demo user (usually the primary one)
@@ -1366,12 +1319,10 @@ async def ensure_demo_users_for_actor(
             return []
 
         try:
-            with open(manifest_path, "r") as f:
+            with open(manifest_path) as f:
                 config = json.load(f)
         except json.JSONDecodeError as e:
-            logger.error(
-                f"Invalid JSON in manifest.json for {slug_id}: {e}", exc_info=True
-            )
+            logger.error(f"Invalid JSON in manifest.json for {slug_id}: {e}", exc_info=True)
             return []
 
         # Ensure demo users exist
@@ -1395,9 +1346,7 @@ async def ensure_demo_users_for_actor(
         KeyError,
         PermissionError,
     ) as e:
-        logger.error(
-            f"Error ensuring demo users for actor {slug_id}: {e}", exc_info=True
-        )
+        logger.error(f"Error ensuring demo users for actor {slug_id}: {e}", exc_info=True)
         return []
 
 
@@ -1425,9 +1374,7 @@ async def sync_app_user_to_casbin(
     try:
         # Check if provider is CasbinAdapter
         if not hasattr(authz_provider, "_enforcer"):
-            logger.debug(
-                "sync_app_user_to_casbin: Provider is not CasbinAdapter, skipping"
-            )
+            logger.debug("sync_app_user_to_casbin: Provider is not CasbinAdapter, skipping")
             return False
 
         enforcer = authz_provider._enforcer
@@ -1448,9 +1395,7 @@ async def sync_app_user_to_casbin(
         # Check if role assignment already exists
         existing_roles = await enforcer.get_roles_for_user(subject)
         if role in existing_roles:
-            logger.debug(
-                f"sync_app_user_to_casbin: User {subject} already has role {role}"
-            )
+            logger.debug(f"sync_app_user_to_casbin: User {subject} already has role {role}")
             return True
 
         # Add grouping policy: user -> role
@@ -1479,15 +1424,11 @@ async def sync_app_user_to_casbin(
         ConnectionError,
         KeyError,
     ) as e:
-        logger.error(
-            f"sync_app_user_to_casbin: Error syncing user to Casbin: {e}", exc_info=True
-        )
+        logger.error(f"sync_app_user_to_casbin: Error syncing user to Casbin: {e}", exc_info=True)
         return False
 
 
-def get_app_user_role(
-    user: Dict[str, Any], config: Optional[Dict[str, Any]] = None
-) -> str:
+def get_app_user_role(user: Dict[str, Any], config: Optional[Dict[str, Any]] = None) -> str:
     """
     Determine Casbin role for app-level user.