mdb-engine 0.1.6__py3-none-any.whl → 0.4.12__py3-none-any.whl

mdb_engine/auth/users.py

@@ -13,8 +13,9 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 import logging
 import os
 import uuid
+from collections.abc import Awaitable, Callable
 from datetime import datetime, timedelta
-from typing import Any, Awaitable, Callable, Dict, List, Optional, Tuple
+from typing import Any
 
 import bcrypt
 import jwt
@@ -22,9 +23,15 @@ from fastapi import Request
 from fastapi.responses import Response
 
 try:
-    from pymongo.errors import (ConnectionFailure, OperationFailure,
-                                ServerSelectionTimeoutError)
+    from bson.errors import InvalidId as BsonInvalidId
+    from pymongo.errors import (
+        ConnectionFailure,
+        OperationFailure,
+        PyMongoError,
+        ServerSelectionTimeoutError,
+    )
 except ImportError:
+    BsonInvalidId = ValueError  # Fallback if bson not available
     ConnectionFailure = Exception
     OperationFailure = Exception
     ServerSelectionTimeoutError = Exception
@@ -43,9 +50,9 @@ def _is_auth_route(request_path: str) -> bool:
 async def _get_app_user_config(
     request: Request,
     slug_id: str,
-    config: Optional[Dict[str, Any]],
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]],
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None,
+) -> dict[str, Any] | None:
     """Fetch and validate app user config."""
     if config is None:
         if not get_app_config_func:
@@ -66,7 +73,7 @@ async def _get_app_user_config(
     return config
 
 
-def _convert_user_id_to_objectid(user_id: Any) -> Tuple[Any, Optional[str]]:
+def _convert_user_id_to_objectid(user_id: Any) -> tuple[Any, str | None]:
     """
     Convert user_id to ObjectId if valid, otherwise keep as string.
 
@@ -90,18 +97,15 @@ def _convert_user_id_to_objectid(user_id: Any) -> Tuple[Any, Optional[str]]:
         # If it's not a string or ObjectId, try to convert (for backward compatibility)
         try:
             return ObjectId(user_id), None
-        except (TypeError, ValueError) as e:
+        except (TypeError, ValueError, BsonInvalidId) as e:
             return None, f"Invalid user_id format: {user_id}: {e}"
-        except Exception:
-            logger.exception("Unexpected error converting user_id to ObjectId")
-            raise
 
     return user_id, None
 
 
 async def _validate_and_decode_session_token(
     session_token: str, slug_id: str
-) -> Tuple[Optional[Dict[str, Any]], Optional[Exception]]:
+) -> tuple[dict[str, Any] | None, Exception | None]:
     """Validate and decode session token."""
     try:
         from .jwt import decode_jwt_token
@@ -132,9 +136,7 @@ async def _validate_and_decode_session_token(
         return None, e
 
 
-async def _fetch_app_user_from_db(
-    db, collection_name: str, user_id: Any
-) -> Optional[Dict[str, Any]]:
+async def _fetch_app_user_from_db(db, collection_name: str, user_id: Any) -> dict[str, Any] | None:
     """Fetch user from database."""
     # Use getattr for attribute access (works with both AppDB and ScopedMongoWrapper)
     collection = getattr(db, collection_name)
@@ -152,12 +154,10 @@ async def get_app_user(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
+    config: dict[str, Any] | None = None,
     allow_demo_fallback: bool = False,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
-) -> Optional[Dict[str, Any]]:
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get app-level user from session cookie.
 
@@ -233,8 +233,8 @@ async def get_app_user(
 
 
 async def _try_demo_mode(
-    request: Request, slug_id: str, db, config: Dict[str, Any]
-) -> Optional[Dict[str, Any]]:
+    request: Request, slug_id: str, db, config: dict[str, Any]
+) -> dict[str, Any] | None:
     """
     Internal helper: Try to authenticate as demo user if demo mode is enabled.
 
@@ -279,9 +279,7 @@ async def _try_demo_mode(
             f"(MONGO_URI={MONGO_URI}, DB_NAME={DB_NAME})"
         )
 
-        demo_user = await get_or_create_demo_user(
-            db, slug_id, config, MONGO_URI, DB_NAME
-        )
+        demo_user = await get_or_create_demo_user(db, slug_id, config, MONGO_URI, DB_NAME)
 
         if not demo_user:
             logger.warning(
@@ -319,11 +317,9 @@ async def create_app_session(
     request: Request,
     slug_id: str,
     user_id: str,
-    config: Optional[Dict[str, Any]] = None,
-    response: Optional[Response] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
+    config: dict[str, Any] | None = None,
+    response: Response | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
 ) -> str:
     """
     Create a app-specific session token and set cookie.
@@ -387,9 +383,7 @@ async def create_app_session(
         cookie_name = f"{session_cookie_name}_{slug_id}"
 
         # Determine secure cookie setting
-        should_use_secure = (
-            request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
-        )
+        should_use_secure = request.url.scheme == "https" or os.getenv("G_NOME_ENV") == "production"
 
         response.set_cookie(
             key=cookie_name,
@@ -407,9 +401,9 @@ async def authenticate_app_user(
     db,
     email: str,
     password: str,
-    store_id: Optional[str] = None,
+    store_id: str | None = None,
     collection_name: str = "users",
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """
     Authenticate a user against app-specific users collection.
 
@@ -436,12 +430,9 @@ async def authenticate_app_user(
                 from bson.objectid import ObjectId
 
                 query["store_id"] = ObjectId(store_id)
-            except (TypeError, ValueError) as e:
+            except (TypeError, ValueError, BsonInvalidId) as e:
                 logger.warning(f"Invalid store_id format: {store_id}: {e}")
                 return None
-            except Exception:
-                logger.exception("Unexpected error converting store_id to ObjectId")
-                raise
 
         # Find user
         # Use getattr to access collection (works with ScopedMongoWrapper and AppDB)
@@ -479,10 +470,12 @@ async def authenticate_app_user(
     except (ValueError, TypeError):
         logger.exception("Validation error authenticating app user")
         return None
-    except Exception:
-        logger.exception("Unexpected error authenticating app user")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error authenticating app user")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("Attribute access error authenticating app user")
+        return None
 
 
 async def create_app_user(
@@ -490,9 +483,9 @@ async def create_app_user(
     email: str,
     password: str,
     role: str = "user",
-    store_id: Optional[str] = None,
+    store_id: str | None = None,
     collection_name: str = "users",
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """
     Create a new user in app-specific users collection.
 
@@ -513,12 +506,7 @@ async def create_app_user(
         from bson.objectid import ObjectId
 
         # Validate email format
-        if (
-            not email
-            or not isinstance(email, str)
-            or "@" not in email
-            or "." not in email
-        ):
+        if not email or not isinstance(email, str) or "@" not in email or "." not in email:
             logger.warning(f"Invalid email format: {email}")
             return None
 
@@ -545,13 +533,9 @@ async def create_app_user(
         # Always hash password (plain text support removed for security)
         try:
             password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
-        except ValueError:
+        except (ValueError, TypeError, UnicodeEncodeError):
             logger.exception("Error encoding password for hashing")
             return None
-        except Exception:
-            logger.exception("Unexpected error hashing password")
-            # Re-raise unexpected errors
-            raise
 
         # Create user document
         user_doc = {
@@ -573,24 +557,24 @@ async def create_app_user(
 
         return user_doc
 
-    except (ValueError, TypeError):
+    except (ValueError, TypeError, BsonInvalidId):
         logger.exception("Validation error creating app user")
         return None
-    except Exception:
-        logger.exception("Unexpected error creating app user")
-        # Re-raise unexpected errors for debugging
-        raise
+    except PyMongoError:
+        logger.exception("Database error creating app user")
+        return None
+    except (AttributeError, KeyError):
+        logger.exception("Attribute access error creating app user")
+        return None
 
 
 async def get_or_create_anonymous_user(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create an anonymous user for anonymous_session strategy.
 
@@ -655,9 +639,7 @@ async def get_or_create_anonymous_user(
     return user
 
 
-async def get_platform_demo_user(
-    mongo_uri: str, db_name: str
-) -> Optional[Dict[str, Any]]:
+async def get_platform_demo_user(mongo_uri: str, db_name: str) -> dict[str, Any] | None:
     """
     Get platform demo user information from top-level database.
 
@@ -669,8 +651,7 @@ async def get_platform_demo_user(
         Dict with demo user info (email, password from config, user_id) or None if not available
     """
     try:
-        from ..config import (DEMO_EMAIL_DEFAULT, DEMO_ENABLED,
-                              DEMO_PASSWORD_DEFAULT)
+        from ..config import DEMO_EMAIL_DEFAULT, DEMO_ENABLED, DEMO_PASSWORD_DEFAULT
 
         if not DEMO_ENABLED or not DEMO_EMAIL_DEFAULT:
             return None
@@ -711,19 +692,15 @@ async def get_platform_demo_user(
 
 async def _link_platform_demo_user(
     db, slug_id: str, collection_name: str, mongo_uri: str, db_name: str
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """Link platform demo user to app demo user."""
     import datetime
 
     try:
-        logger.debug(
-            f"ensure_demo_users_exist: Auto-linking platform demo user for '{slug_id}'"
-        )
+        logger.debug(f"ensure_demo_users_exist: Auto-linking platform demo user for '{slug_id}'")
         platform_demo = await get_platform_demo_user(mongo_uri, db_name)
         if not platform_demo:
-            logger.warning(
-                f"ensure_demo_users_exist: Platform demo user not found for '{slug_id}'"
-            )
+            logger.warning(f"ensure_demo_users_exist: Platform demo user not found for '{slug_id}'")
             return None
 
         # Check if app demo user already exists for platform demo
@@ -737,13 +714,10 @@ async def _link_platform_demo_user(
         platform_password = platform_demo.get("password", "demo123")
         password_hash = None
         try:
-            password_hash = bcrypt.hashpw(
-                platform_password.encode("utf-8"), bcrypt.gensalt()
-            )
+            password_hash = bcrypt.hashpw(platform_password.encode("utf-8"), bcrypt.gensalt())
         except (ValueError, TypeError, AttributeError) as e:
             logger.error(
-                f"Error hashing password for platform demo user "
-                f"{platform_demo['email']}: {e}",
+                f"Error hashing password for platform demo user " f"{platform_demo['email']}: {e}",
                 exc_info=True,
             )
             return None
@@ -786,16 +760,14 @@ async def _link_platform_demo_user(
 
 def _validate_demo_user_config(
     demo_user_config: Any, slug_id: str
-) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
+) -> tuple[dict[str, Any] | None, str | None]:
     """Validate demo user configuration."""
     if not isinstance(demo_user_config, dict):
         return None, f"Invalid demo_user_config entry (not a dict): {demo_user_config}"
 
     extra_data = demo_user_config.get("extra_data", {})
     if not isinstance(extra_data, dict):
-        logger.warning(
-            f"Invalid extra_data for demo user config (not a dict): {extra_data}"
-        )
+        logger.warning(f"Invalid extra_data for demo user config (not a dict): {extra_data}")
         extra_data = {}
 
     return {
@@ -809,12 +781,12 @@ def _validate_demo_user_config(
 
 
 async def _resolve_demo_user_email_password(
-    email: Optional[str],
-    password: Optional[str],
-    mongo_uri: Optional[str],
-    db_name: Optional[str],
+    email: str | None,
+    password: str | None,
+    mongo_uri: str | None,
+    db_name: str | None,
     slug_id: str,
-) -> Tuple[Optional[str], Optional[str]]:
+) -> tuple[str | None, str | None]:
     """Resolve email and password from config or platform demo."""
     # If email not specified, try platform demo
     if not email:
@@ -825,14 +797,10 @@ async def _resolve_demo_user_email_password(
                 if not password:
                     password = platform_demo["password"]
             else:
-                logger.warning(
-                    f"No email specified and platform demo not available for {slug_id}"
-                )
+                logger.warning(f"No email specified and platform demo not available for {slug_id}")
                 return None, None
         else:
-            logger.warning(
-                f"No email specified and cannot access platform demo for {slug_id}"
-            )
+            logger.warning(f"No email specified and cannot access platform demo for {slug_id}")
             return None, None
 
     # Validate email format
@@ -865,11 +833,11 @@ async def _create_demo_user_from_config(
     email: str,
     password: str,
     role: str,
-    extra_data: Dict[str, Any],
+    extra_data: dict[str, Any],
     link_to_platform: bool,
-    mongo_uri: Optional[str],
-    db_name: Optional[str],
-) -> Optional[Dict[str, Any]]:
+    mongo_uri: str | None,
+    db_name: str | None,
+) -> dict[str, Any] | None:
     """Create a demo user from configuration."""
     import datetime
 
@@ -877,9 +845,7 @@ async def _create_demo_user_from_config(
     try:
         password_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
     except (ValueError, TypeError, AttributeError) as e:
-        logger.error(
-            f"Error hashing password for demo user {email}: {e}", exc_info=True
-        )
+        logger.error(f"Error hashing password for demo user {email}: {e}", exc_info=True)
         return None
 
     # Create user document
@@ -945,9 +911,7 @@ async def _create_demo_user_from_config(
 
         user_doc["_id"] = result.inserted_id if not custom_id else custom_id
         user_doc["app_user_id"] = str(user_doc["_id"])
-        logger.info(
-            f"Created demo user {email} for {slug_id} with _id={user_doc['_id']}"
-        )
+        logger.info(f"Created demo user {email} for {slug_id} with _id={user_doc['_id']}")
         return user_doc
     except (
         OperationFailure,
@@ -968,10 +932,10 @@ async def _create_demo_user_from_config(
 async def ensure_demo_users_exist(
     db,
     slug_id: str,
-    config: Optional[Dict[str, Any]] = None,
-    mongo_uri: Optional[str] = None,
-    db_name: Optional[str] = None,
-) -> List[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    mongo_uri: str | None = None,
+    db_name: str | None = None,
+) -> list[dict[str, Any]]:
     """
     Intelligently ensure demo users exist for a app based on manifest configuration.
 
@@ -1030,9 +994,7 @@ async def ensure_demo_users_exist(
     for demo_user_config in demo_users_config:
         try:
             # Validate config structure
-            validated_config, error = _validate_demo_user_config(
-                demo_user_config, slug_id
-            )
+            validated_config, error = _validate_demo_user_config(demo_user_config, slug_id)
             if not validated_config:
                 if error:
                     logger.warning(error)
@@ -1095,11 +1057,9 @@ async def get_or_create_demo_user_for_request(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[
-        Callable[[Request, str, Dict], Awaitable[Dict]]
-    ] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create a demo user for the current request context.
 
@@ -1146,9 +1106,7 @@ async def get_or_create_demo_user_for_request(
                         # Check if app demo user exists
                         # Use getattr to access collection (works with ScopedMongoWrapper and AppDB)
                         collection = getattr(db, collection_name)
-                        app_demo = await collection.find_one(
-                            {"email": DEMO_EMAIL_DEFAULT}
-                        )
+                        app_demo = await collection.find_one({"email": DEMO_EMAIL_DEFAULT})
 
                         if app_demo:
                             app_demo["app_user_id"] = str(app_demo["_id"])
@@ -1158,15 +1116,11 @@ async def get_or_create_demo_user_for_request(
                         try:
                             from ..config import DB_NAME, MONGO_URI
 
-                            await ensure_demo_users_exist(
-                                db, slug_id, config, MONGO_URI, DB_NAME
-                            )
+                            await ensure_demo_users_exist(db, slug_id, config, MONGO_URI, DB_NAME)
                             # Use getattr to access collection (works with
                             # ScopedMongoWrapper and AppDB)
                             collection = getattr(db, collection_name)
-                            app_demo = await collection.find_one(
-                                {"email": DEMO_EMAIL_DEFAULT}
-                            )
+                            app_demo = await collection.find_one({"email": DEMO_EMAIL_DEFAULT})
                             if app_demo:
                                 app_demo["app_user_id"] = str(app_demo["_id"])
                                 return app_demo
@@ -1195,10 +1149,10 @@ async def get_or_create_demo_user_for_request(
 async def get_or_create_demo_user(
     db,
     slug_id: str,
-    config: Dict[str, Any],
-    mongo_uri: Optional[str] = None,
-    db_name: Optional[str] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any],
+    mongo_uri: str | None = None,
+    db_name: str | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create a demo user for an app.
 
@@ -1232,9 +1186,7 @@ async def get_or_create_demo_user(
             f"db_name={'provided' if db_name else 'not provided'})"
         )
 
-        demo_users = await ensure_demo_users_exist(
-            db, slug_id, config, mongo_uri, db_name
-        )
+        demo_users = await ensure_demo_users_exist(db, slug_id, config, mongo_uri, db_name)
 
         if demo_users and len(demo_users) > 0:
             # Return the first demo user (usually the primary one)
@@ -1299,7 +1251,7 @@ async def get_or_create_demo_user(
 
 async def ensure_demo_users_for_actor(
     db, slug_id: str, mongo_uri: str, db_name: str
-) -> List[Dict[str, Any]]:
+) -> list[dict[str, Any]]:
     """
     Convenience function for actors to ensure demo users exist.
 
@@ -1366,12 +1318,10 @@ async def ensure_demo_users_for_actor(
             return []
 
         try:
-            with open(manifest_path, "r") as f:
+            with open(manifest_path) as f:
                 config = json.load(f)
         except json.JSONDecodeError as e:
-            logger.error(
-                f"Invalid JSON in manifest.json for {slug_id}: {e}", exc_info=True
-            )
+            logger.error(f"Invalid JSON in manifest.json for {slug_id}: {e}", exc_info=True)
             return []
 
         # Ensure demo users exist
@@ -1395,17 +1345,15 @@ async def ensure_demo_users_for_actor(
         KeyError,
         PermissionError,
     ) as e:
-        logger.error(
-            f"Error ensuring demo users for actor {slug_id}: {e}", exc_info=True
-        )
+        logger.error(f"Error ensuring demo users for actor {slug_id}: {e}", exc_info=True)
         return []
 
 
 async def sync_app_user_to_casbin(
-    user: Dict[str, Any],
+    user: dict[str, Any],
     authz_provider,
-    role: Optional[str] = None,
-    app_slug: Optional[str] = None,
+    role: str | None = None,
+    app_slug: str | None = None,
 ) -> bool:
     """
     Sync app-level user to Casbin by assigning a role.
@@ -1425,9 +1373,7 @@ async def sync_app_user_to_casbin(
     try:
         # Check if provider is CasbinAdapter
         if not hasattr(authz_provider, "_enforcer"):
-            logger.debug(
-                "sync_app_user_to_casbin: Provider is not CasbinAdapter, skipping"
-            )
+            logger.debug("sync_app_user_to_casbin: Provider is not CasbinAdapter, skipping")
             return False
 
         enforcer = authz_provider._enforcer
@@ -1448,9 +1394,7 @@ async def sync_app_user_to_casbin(
         # Check if role assignment already exists
         existing_roles = await enforcer.get_roles_for_user(subject)
         if role in existing_roles:
-            logger.debug(
-                f"sync_app_user_to_casbin: User {subject} already has role {role}"
-            )
+            logger.debug(f"sync_app_user_to_casbin: User {subject} already has role {role}")
             return True
 
         # Add grouping policy: user -> role
@@ -1479,15 +1423,11 @@ async def sync_app_user_to_casbin(
         ConnectionError,
         KeyError,
     ) as e:
-        logger.error(
-            f"sync_app_user_to_casbin: Error syncing user to Casbin: {e}", exc_info=True
-        )
+        logger.error(f"sync_app_user_to_casbin: Error syncing user to Casbin: {e}", exc_info=True)
         return False
 
 
-def get_app_user_role(
-    user: Dict[str, Any], config: Optional[Dict[str, Any]] = None
-) -> str:
+def get_app_user_role(user: dict[str, Any], config: dict[str, Any] | None = None) -> str:
     """
     Determine Casbin role for app-level user.