mdb-engine 0.1.6__py3-none-any.whl

mdb_engine/auth/jwt.py

@@ -0,0 +1,225 @@
+"""
+JWT Token Utilities
+
+Provides JWT encoding and decoding utilities with automatic format handling.
+Supports access tokens, refresh tokens, and token pairs.
+
+This module is part of MDB_ENGINE - MongoDB Engine.
+"""
+
+import logging
+import uuid
+from datetime import datetime, timedelta
+from typing import Any, Dict, Optional, Tuple
+
+import jwt
+
+from ..config import ACCESS_TOKEN_TTL as CONFIG_ACCESS_TTL
+from ..config import REFRESH_TOKEN_TTL as CONFIG_REFRESH_TTL
+from ..constants import CURRENT_TOKEN_VERSION
+
+logger = logging.getLogger(__name__)
+
+
+def decode_jwt_token(token: Any, secret_key: str) -> Dict[str, Any]:
+    """
+    Helper function to decode JWT tokens with automatic fallback to bytes format.
+
+    Handles cases where PyJWT might expect bytes instead of strings (version-specific behavior).
+
+    Args:
+        token: JWT token (can be str, bytes, or other)
+        secret_key: Secret key for decoding (str)
+
+    Returns:
+        Decoded JWT payload as dict
+
+    Raises:
+        jwt.ExpiredSignatureError: If token has expired
+        jwt.InvalidTokenError: If token is invalid
+    """
+    # Normalize token to string first
+    if isinstance(token, bytes):
+        token_str = token.decode("utf-8")
+    elif isinstance(token, str):
+        token_str = token
+    else:
+        token_str = str(token)
+
+    # Normalize secret_key to string
+    if isinstance(secret_key, bytes):
+        secret_key_str = secret_key.decode("utf-8")
+    elif isinstance(secret_key, str):
+        secret_key_str = secret_key
+    else:
+        secret_key_str = str(secret_key)
+
+    # Try decoding with string format first (standard PyJWT behavior)
+    try:
+        return jwt.decode(token_str, secret_key_str, algorithms=["HS256"])
+    except jwt.InvalidTokenError as e:
+        # If string format fails with "must be bytes" error, try bytes format
+        error_msg = str(e)
+        if "must be a <class 'bytes'>" in error_msg or (
+            "bytes" in error_msg.lower() and "token" in error_msg.lower()
+        ):
+            logger.debug(f"JWT decode: Retrying with bytes format (error: {e})")
+            # Convert to bytes and try again
+            token_bytes = token_str.encode("utf-8")
+            secret_key_bytes = secret_key_str.encode("utf-8")
+            return jwt.decode(token_bytes, secret_key_bytes, algorithms=["HS256"])
+        else:
+            # Re-raise if it's a different error
+            raise
+
+
+def encode_jwt_token(
+    payload: Dict[str, Any], secret_key: str, expires_in: Optional[int] = None
+) -> str:
+    """
+    Encode a JWT token with enhanced claims.
+
+    Args:
+        payload: Token payload (will be enhanced with standard claims)
+        secret_key: Secret key for signing
+        expires_in: Optional expiration time in seconds (defaults to ACCESS_TOKEN_TTL)
+
+    Returns:
+        Encoded JWT token string
+    """
+    # Normalize secret_key
+    if isinstance(secret_key, bytes):
+        secret_key_str = secret_key.decode("utf-8")
+    elif isinstance(secret_key, str):
+        secret_key_str = secret_key
+    else:
+        secret_key_str = str(secret_key)
+
+    # Create enhanced payload with standard claims
+    now = datetime.utcnow()
+    enhanced_payload = {
+        **payload,
+        "iat": now,  # Issued at
+        "nbf": now,  # Not before
+        "jti": payload.get("jti") or str(uuid.uuid4()),  # JWT ID
+        "version": payload.get("version", CURRENT_TOKEN_VERSION),  # Token version
+    }
+
+    # Add expiration
+    if expires_in is None:
+        expires_in = CONFIG_ACCESS_TTL
+    enhanced_payload["exp"] = now + timedelta(seconds=expires_in)
+
+    # Encode token
+    token = jwt.encode(enhanced_payload, secret_key_str, algorithm="HS256")
+
+    # Ensure token is a string (some PyJWT versions return bytes)
+    if isinstance(token, bytes):
+        token = token.decode("utf-8")
+    elif not isinstance(token, str):
+        token = str(token)
+
+    return token
+
+
+def generate_token_pair(
+    user_data: Dict[str, Any],
+    secret_key: str,
+    device_info: Optional[Dict[str, Any]] = None,
+    access_token_ttl: Optional[int] = None,
+    refresh_token_ttl: Optional[int] = None,
+) -> Tuple[str, str, Dict[str, Any]]:
+    """
+    Generate a pair of access and refresh tokens.
+
+    Args:
+        user_data: User information to include in tokens (email, user_id, etc.)
+        secret_key: Secret key for signing tokens
+        device_info: Optional device information (device_id, user_agent, ip_address)
+        access_token_ttl: Optional access token TTL in seconds (defaults to config)
+        refresh_token_ttl: Optional refresh token TTL in seconds (defaults to config)
+
+    Returns:
+        Tuple of (access_token, refresh_token, token_metadata)
+        token_metadata contains: jti (access), refresh_jti, expires_at, device_id
+    """
+    if access_token_ttl is None:
+        access_token_ttl = CONFIG_ACCESS_TTL
+    if refresh_token_ttl is None:
+        refresh_token_ttl = CONFIG_REFRESH_TTL
+
+    device_id = None
+    if device_info:
+        device_id = device_info.get("device_id") or str(uuid.uuid4())
+    else:
+        device_id = str(uuid.uuid4())
+
+    now = datetime.utcnow()
+
+    # Generate access token
+    access_jti = str(uuid.uuid4())
+    access_payload = {
+        **user_data,
+        "type": "access",
+        "jti": access_jti,
+        "device_id": device_id,
+    }
+    access_token = encode_jwt_token(
+        access_payload, secret_key, expires_in=access_token_ttl
+    )
+
+    # Generate refresh token
+    refresh_jti = str(uuid.uuid4())
+    refresh_payload = {
+        "type": "refresh",
+        "jti": refresh_jti,
+        "user_id": user_data.get("user_id") or user_data.get("email"),
+        "email": user_data.get("email"),
+        "device_id": device_id,
+    }
+    refresh_token = encode_jwt_token(
+        refresh_payload, secret_key, expires_in=refresh_token_ttl
+    )
+
+    # Token metadata
+    token_metadata = {
+        "access_jti": access_jti,
+        "refresh_jti": refresh_jti,
+        "device_id": device_id,
+        "access_expires_at": now + timedelta(seconds=access_token_ttl),
+        "refresh_expires_at": now + timedelta(seconds=refresh_token_ttl),
+        "issued_at": now,
+    }
+
+    return access_token, refresh_token, token_metadata
+
+
+def extract_token_metadata(token: str, secret_key: str) -> Optional[Dict[str, Any]]:
+    """
+    Extract metadata from a token without full validation.
+
+    Useful for getting token info before checking blacklist.
+
+    Args:
+        token: JWT token string
+        secret_key: Secret key for decoding
+
+    Returns:
+        Token metadata dict or None if invalid
+    """
+    try:
+        # Decode without verification to get claims
+        payload = jwt.decode(token, options={"verify_signature": False})
+        return {
+            "jti": payload.get("jti"),
+            "type": payload.get("type"),
+            "user_id": payload.get("user_id") or payload.get("email"),
+            "email": payload.get("email"),
+            "device_id": payload.get("device_id"),
+            "exp": payload.get("exp"),
+            "iat": payload.get("iat"),
+            "version": payload.get("version"),
+        }
+    except (ValueError, TypeError, AttributeError, KeyError) as e:
+        logger.debug(f"Error extracting token metadata: {e}")
+        return None

mdb_engine/auth/middleware.py

@@ -0,0 +1,241 @@
+"""
+Security Middleware
+
+Middleware for enforcing security settings from manifest configuration.
+
+This module is part of MDB_ENGINE - MongoDB Engine.
+"""
+
+import logging
+import os
+import secrets
+from typing import Awaitable, Callable
+
+from fastapi import HTTPException, Request, Response, status
+from fastapi.responses import RedirectResponse
+from starlette.middleware.base import BaseHTTPMiddleware
+
+logger = logging.getLogger(__name__)
+
+
+class SecurityMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for enforcing security settings from manifest.
+
+    Features:
+    - HTTPS enforcement in production
+    - CSRF token generation and validation
+    - Security headers
+    - Token validation
+    """
+
+    def __init__(
+        self,
+        app,
+        require_https: bool = False,
+        csrf_protection: bool = True,
+        security_headers: bool = True,
+    ):
+        """
+        Initialize security middleware.
+
+        Args:
+            app: FastAPI application
+            require_https: Require HTTPS in production (default: False, auto-detected)
+            csrf_protection: Enable CSRF protection (default: True)
+            security_headers: Add security headers (default: True)
+        """
+        super().__init__(app)
+        self.require_https = require_https
+        self.csrf_protection = csrf_protection
+        self.security_headers = security_headers
+
+    async def dispatch(
+        self, request: Request, call_next: Callable[[Request], Awaitable[Response]]
+    ) -> Response:
+        """
+        Process request through security middleware.
+        """
+        # Check HTTPS requirement
+        if self.require_https:
+            is_production = (
+                os.getenv("G_NOME_ENV") == "production"
+                or os.getenv("ENVIRONMENT") == "production"
+            )
+            if is_production and request.url.scheme != "https":
+                if request.method == "GET":
+                    # Redirect to HTTPS
+                    https_url = str(request.url).replace("http://", "https://", 1)
+                    return RedirectResponse(url=https_url, status_code=301)
+                else:
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail="HTTPS required in production",
+                    )
+
+        # Generate CSRF token if not present (for GET requests)
+        if self.csrf_protection and request.method == "GET":
+            csrf_token = request.cookies.get("csrf_token")
+            if not csrf_token:
+                csrf_token = secrets.token_urlsafe(32)
+                # Will be set in response
+
+        # Process request
+        response = await call_next(request)
+
+        # Set security headers
+        if self.security_headers:
+            response.headers["X-Content-Type-Options"] = "nosniff"
+            response.headers["X-Frame-Options"] = "DENY"
+            response.headers["X-XSS-Protection"] = "1; mode=block"
+            response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+
+            # Content Security Policy (basic)
+            if request.url.path.startswith("/api"):
+                response.headers["Content-Security-Policy"] = "default-src 'self'"
+
+        # Set CSRF token cookie if generated
+        if (
+            self.csrf_protection
+            and request.method == "GET"
+            and not request.cookies.get("csrf_token")
+        ):
+            csrf_token = secrets.token_urlsafe(32)
+            is_https = request.url.scheme == "https"
+            is_production = os.getenv("G_NOME_ENV") == "production"
+            response.set_cookie(
+                key="csrf_token",
+                value=csrf_token,
+                httponly=True,
+                secure=is_https or is_production,
+                samesite="lax",
+                max_age=86400,  # 24 hours
+            )
+
+        return response
+
+
+class StaleSessionMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware for cleaning up stale session cookies.
+
+        When get_app_user() detects a stale/invalid session cookie,
+    it sets request.state.clear_stale_session = True. This middleware
+    then removes the cookie from the response.
+    """
+
+    def __init__(self, app, slug_id: str, engine=None):
+        """
+        Initialize stale session middleware.
+
+        Args:
+            app: FastAPI application
+            slug_id: App slug identifier
+            engine: Optional MongoDBEngine instance for getting app config
+        """
+        super().__init__(app)
+        self.slug_id = slug_id
+        self.engine = engine
+
+    async def dispatch(
+        self, request: Request, call_next: Callable[[Request], Awaitable[Response]]
+    ) -> Response:
+        """
+        Process request and clean up stale session cookies if needed.
+
+        This middleware only acts when request.state.clear_stale_session is set to True
+        by get_app_user() when it detects an invalid/stale session cookie.
+        It gracefully handles missing config and only processes requests for apps
+        that use auth.users.
+        """
+        # Process request first
+        response = await call_next(request)
+
+        # Check if we need to clear a stale session cookie
+        # Only act if explicitly flagged - this ensures we don't interfere with
+        # apps that don't use get_app_user()
+        if (
+            hasattr(request.state, "clear_stale_session")
+            and request.state.clear_stale_session
+        ):
+            try:
+                # Get cookie name from app config
+                cookie_name = None
+
+                # Try to get from app state first (set during setup_auth_from_manifest)
+                if hasattr(request.app.state, "auth_config"):
+                    try:
+                        auth_config = request.app.state.auth_config
+                        auth = auth_config.get("auth", {})
+                        users_config = auth.get("users", {})
+                        if users_config.get("enabled", False):
+                            session_cookie_name = users_config.get(
+                                "session_cookie_name", "app_session"
+                            )
+                            cookie_name = f"{session_cookie_name}_{self.slug_id}"
+                    except (AttributeError, KeyError, TypeError):
+                        pass
+
+                # Fallback: get from engine if available
+                if not cookie_name and self.engine:
+                    try:
+                        app_config = self.engine.get_app(self.slug_id)
+                        if app_config:
+                            auth = app_config.get("auth", {})
+                            users_config = auth.get("users", {})
+                            if users_config.get("enabled", False):
+                                session_cookie_name = users_config.get(
+                                    "session_cookie_name", "app_session"
+                                )
+                                cookie_name = f"{session_cookie_name}_{self.slug_id}"
+                    except (AttributeError, KeyError, TypeError, Exception):
+                        pass
+
+                # Final fallback to default naming convention
+                if not cookie_name:
+                    cookie_name = f"app_session_{self.slug_id}"
+
+                # Get cookie settings to match how it was set
+                should_use_secure = (
+                    request.url.scheme == "https"
+                    or os.getenv("G_NOME_ENV") == "production"
+                )
+
+                # Delete the stale cookie
+                response.delete_cookie(
+                    key=cookie_name,
+                    httponly=True,
+                    secure=should_use_secure,
+                    samesite="lax",
+                )
+                logger.debug(
+                    f"Cleared stale session cookie '{cookie_name}' for {self.slug_id}"
+                )
+            except (ValueError, TypeError, AttributeError, RuntimeError) as e:
+                # Don't fail the request if cookie cleanup fails
+                logger.warning(
+                    f"Error clearing stale session cookie for {self.slug_id}: {e}",
+                    exc_info=True,
+                )
+
+        return response
+
+
+def create_security_middleware(config: dict) -> Callable:
+    """
+    Create security middleware from manifest config.
+
+    Args:
+        config: token_management.security config from manifest
+
+    Returns:
+        SecurityMiddleware instance
+    """
+    security = config.get("security", {})
+
+    return SecurityMiddleware(
+        app=None,  # Will be set by FastAPI
+        require_https=security.get("require_https", False),
+        csrf_protection=security.get("csrf_protection", True),
+        security_headers=True,
+    )