mdb-engine 0.2.0__py3-none-any.whl → 0.2.3__py3-none-any.whl

mdb_engine/auth/shared_middleware.py

@@ -32,7 +32,8 @@ Manual usage:
 import fnmatch
 import hashlib
 import logging
-from typing import Any, Callable, Dict, List, Optional
+from collections.abc import Callable
+from typing import Any
 
 import jwt
 from starlette.middleware.base import BaseHTTPMiddleware
@@ -49,7 +50,7 @@ AUTH_HEADER_NAME = "Authorization"
 AUTH_HEADER_PREFIX = "Bearer "
 
 
-def _get_client_ip(request: Request) -> Optional[str]:
+def _get_client_ip(request: Request) -> str | None:
     """Extract client IP address from request, handling proxies."""
     # Check X-Forwarded-For header (behind load balancer/proxy)
     forwarded_for = request.headers.get("x-forwarded-for")
@@ -99,12 +100,12 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
     def __init__(
         self,
         app: Callable,
-        user_pool: Optional[SharedUserPool],
+        user_pool: SharedUserPool | None,
         app_slug: str,
-        require_role: Optional[str] = None,
-        public_routes: Optional[List[str]] = None,
-        role_hierarchy: Optional[Dict[str, List[str]]] = None,
-        session_binding: Optional[Dict[str, Any]] = None,
+        require_role: str | None = None,
+        public_routes: list[str] | None = None,
+        role_hierarchy: dict[str, list[str]] | None = None,
+        session_binding: dict[str, Any] | None = None,
         cookie_name: str = AUTH_COOKIE_NAME,
         header_name: str = AUTH_HEADER_NAME,
         header_prefix: str = AUTH_HEADER_PREFIX,
@@ -145,7 +146,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
             f"session_binding={bool(self._session_binding)})"
         )
 
-    def get_user_pool(self, request: Request) -> Optional[SharedUserPool]:
+    def get_user_pool(self, request: Request) -> SharedUserPool | None:
         """Get the user pool instance. Override in subclasses for lazy loading."""
         return self._user_pool
 
@@ -219,7 +220,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
         self,
         request: Request,
         token: str,
-    ) -> Optional[str]:
+    ) -> str | None:
         """
         Validate session binding claims in token.
 
@@ -260,7 +261,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
             logger.warning(f"Error validating session binding: {e}")
             return None  # Don't reject for binding check errors
 
-    def _extract_token(self, request: Request) -> Optional[str]:
+    def _extract_token(self, request: Request) -> str | None:
         """Extract JWT token from cookie or header."""
         # Try cookie first
         token = request.cookies.get(self._cookie_name)
@@ -317,7 +318,7 @@ class SharedAuthMiddleware(BaseHTTPMiddleware):
 def create_shared_auth_middleware(
     user_pool: SharedUserPool,
     app_slug: str,
-    manifest_auth: Dict[str, Any],
+    manifest_auth: dict[str, Any],
 ) -> type:
     """
     Factory function to create SharedAuthMiddleware configured from manifest.
@@ -365,7 +366,7 @@ def create_shared_auth_middleware(
 
 def create_shared_auth_middleware_lazy(
     app_slug: str,
-    manifest_auth: Dict[str, Any],
+    manifest_auth: dict[str, Any],
 ) -> type:
     """
     Factory function to create a lazy SharedAuthMiddleware that reads user_pool from app.state.
@@ -441,7 +442,7 @@ def create_shared_auth_middleware_lazy(
             request.state.user_roles = []
 
             # Get user_pool from app.state (set during lifespan)
-            user_pool: Optional[SharedUserPool] = getattr(request.app.state, "user_pool", None)
+            user_pool: SharedUserPool | None = getattr(request.app.state, "user_pool", None)
 
             if user_pool is None:
                 # User pool not initialized yet, skip auth
@@ -498,7 +499,7 @@ def create_shared_auth_middleware_lazy(
 
             return await call_next(request)
 
-        def _extract_token(self, request: Request) -> Optional[str]:
+        def _extract_token(self, request: Request) -> str | None:
             """Extract JWT token from cookie or header."""
             # Try cookie first
             token = request.cookies.get(self._cookie_name)
@@ -555,7 +556,7 @@ def create_shared_auth_middleware_lazy(
             self,
             request: Request,
             token: str,
-        ) -> Optional[str]:
+        ) -> str | None:
             """
             Validate session binding claims in token.
 

mdb_engine/auth/shared_users.py

@@ -45,7 +45,7 @@ import logging
 import os
 import secrets
 from datetime import datetime, timedelta
-from typing import TYPE_CHECKING, Any, Dict, List, Optional
+from typing import TYPE_CHECKING, Any
 
 import bcrypt
 import jwt
@@ -114,8 +114,8 @@ class SharedUserPool:
     def __init__(
         self,
         mongo_db: AsyncIOMotorDatabase,
-        jwt_secret: Optional[str] = None,
-        jwt_public_key: Optional[str] = None,
+        jwt_secret: str | None = None,
+        jwt_public_key: str | None = None,
         jwt_algorithm: str = DEFAULT_JWT_ALGORITHM,
         token_expiry_hours: int = DEFAULT_TOKEN_EXPIRY_HOURS,
         allow_insecure_dev: bool = False,
@@ -285,9 +285,9 @@ class SharedUserPool:
         self,
         email: str,
         password: str,
-        app_roles: Optional[Dict[str, List[str]]] = None,
+        app_roles: dict[str, list[str]] | None = None,
         is_active: bool = True,
-    ) -> Dict[str, Any]:
+    ) -> dict[str, Any]:
         """
         Create a new shared user.
 
@@ -332,10 +332,10 @@ class SharedUserPool:
         self,
         email: str,
         password: str,
-        ip_address: Optional[str] = None,
-        fingerprint: Optional[str] = None,
-        session_binding: Optional[Dict[str, Any]] = None,
-    ) -> Optional[str]:
+        ip_address: str | None = None,
+        fingerprint: str | None = None,
+        session_binding: dict[str, Any] | None = None,
+    ) -> str | None:
         """
         Authenticate user and return JWT token.
 
@@ -390,7 +390,7 @@ class SharedUserPool:
         logger.info(f"User '{email}' authenticated successfully")
         return token
 
-    async def validate_token(self, token: str) -> Optional[Dict[str, Any]]:
+    async def validate_token(self, token: str) -> dict[str, Any] | None:
         """
         Validate JWT token and return user data.
 
@@ -547,7 +547,7 @@ class SharedUserPool:
         )
         logger.info(f"All tokens revoked for user {user_id}: {reason}")
 
-    async def get_user_by_email(self, email: str) -> Optional[Dict[str, Any]]:
+    async def get_user_by_email(self, email: str) -> dict[str, Any] | None:
         """Get user by email."""
         user = await self._collection.find_one({"email": email})
         if user:
@@ -558,7 +558,7 @@ class SharedUserPool:
         self,
         email: str,
         app_slug: str,
-        roles: List[str],
+        roles: list[str],
     ) -> bool:
         """
         Update a user's roles for a specific app.
@@ -638,10 +638,10 @@ class SharedUserPool:
 
     @staticmethod
     def user_has_role(
-        user: Dict[str, Any],
+        user: dict[str, Any],
         app_slug: str,
         required_role: str,
-        role_hierarchy: Optional[Dict[str, List[str]]] = None,
+        role_hierarchy: dict[str, list[str]] | None = None,
     ) -> bool:
         """
         Check if user has a required role for an app.
@@ -673,16 +673,16 @@ class SharedUserPool:
 
     @staticmethod
     def get_user_roles_for_app(
-        user: Dict[str, Any],
+        user: dict[str, Any],
         app_slug: str,
-    ) -> List[str]:
+    ) -> list[str]:
         """Get user's roles for a specific app."""
         return user.get("app_roles", {}).get(app_slug, [])
 
     def _generate_token(
         self,
-        user: Dict[str, Any],
-        extra_claims: Optional[Dict[str, Any]] = None,
+        user: dict[str, Any],
+        extra_claims: dict[str, Any] | None = None,
     ) -> str:
         """
         Generate JWT token for user with unique JTI for revocation support.
@@ -718,7 +718,7 @@ class SharedUserPool:
         return jwt.encode(payload, self._signing_key, algorithm=self._jwt_algorithm)
 
     @staticmethod
-    def _sanitize_user(user: Dict[str, Any]) -> Dict[str, Any]:
+    def _sanitize_user(user: dict[str, Any]) -> dict[str, Any]:
         """Remove sensitive fields from user document."""
         sanitized = dict(user)
         sanitized.pop("password_hash", None)
@@ -727,7 +727,7 @@ class SharedUserPool:
             sanitized["_id"] = str(sanitized["_id"])
         return sanitized
 
-    def get_secure_cookie_config(self, request: "Request") -> Dict[str, Any]:
+    def get_secure_cookie_config(self, request: "Request") -> dict[str, Any]:
         """
         Get secure cookie settings for auth tokens.
 

mdb_engine/auth/token_lifecycle.py

@@ -8,7 +8,7 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 
 import logging
 from datetime import datetime
-from typing import Any, Dict, Optional
+from typing import Any
 
 from ..config import ACCESS_TOKEN_TTL as CONFIG_ACCESS_TTL
 from .jwt import extract_token_metadata
@@ -16,7 +16,7 @@ from .jwt import extract_token_metadata
 logger = logging.getLogger(__name__)
 
 
-def get_token_expiry_time(token: str, secret_key: str) -> Optional[datetime]:
+def get_token_expiry_time(token: str, secret_key: str) -> datetime | None:
     """
     Get the expiration time of a token.
 
@@ -31,7 +31,7 @@ def get_token_expiry_time(token: str, secret_key: str) -> Optional[datetime]:
         metadata = extract_token_metadata(token, secret_key)
         if metadata and metadata.get("exp"):
             exp_timestamp = metadata["exp"]
-            if isinstance(exp_timestamp, (int, float)):
+            if isinstance(exp_timestamp, int | float):
                 return datetime.utcfromtimestamp(exp_timestamp)
         return None
     except (ValueError, TypeError, AttributeError, KeyError) as e:
@@ -40,7 +40,7 @@ def get_token_expiry_time(token: str, secret_key: str) -> Optional[datetime]:
 
 
 def is_token_expiring_soon(
-    token: str, secret_key: str, threshold_seconds: Optional[int] = None
+    token: str, secret_key: str, threshold_seconds: int | None = None
 ) -> bool:
     """
     Check if a token is expiring soon.
@@ -68,9 +68,7 @@ def is_token_expiring_soon(
         return False
 
 
-def should_refresh_token(
-    token: str, secret_key: str, refresh_threshold: Optional[int] = None
-) -> bool:
+def should_refresh_token(token: str, secret_key: str, refresh_threshold: int | None = None) -> bool:
     """
     Determine if a token should be refreshed.
 
@@ -97,7 +95,7 @@ def should_refresh_token(
         return False
 
 
-def get_token_age(token: str, secret_key: str) -> Optional[float]:
+def get_token_age(token: str, secret_key: str) -> float | None:
     """
     Get the age of a token in seconds.
 
@@ -112,7 +110,7 @@ def get_token_age(token: str, secret_key: str) -> Optional[float]:
         metadata = extract_token_metadata(token, secret_key)
         if metadata and metadata.get("iat"):
             iat_timestamp = metadata["iat"]
-            if isinstance(iat_timestamp, (int, float)):
+            if isinstance(iat_timestamp, int | float):
                 issued_at = datetime.utcfromtimestamp(iat_timestamp)
                 age = (datetime.utcnow() - issued_at).total_seconds()
                 return age
@@ -122,7 +120,7 @@ def get_token_age(token: str, secret_key: str) -> Optional[float]:
         return None
 
 
-def get_time_until_expiry(token: str, secret_key: str) -> Optional[float]:
+def get_time_until_expiry(token: str, secret_key: str) -> float | None:
     """
     Get time until token expiry in seconds.
 
@@ -146,7 +144,7 @@ def get_time_until_expiry(token: str, secret_key: str) -> Optional[float]:
 
 
 def validate_token_version(
-    token: str, secret_key: str, required_version: Optional[str] = None
+    token: str, secret_key: str, required_version: str | None = None
 ) -> bool:
     """
     Validate token version compatibility.
@@ -177,7 +175,7 @@ def validate_token_version(
         return False
 
 
-def get_token_info(token: str, secret_key: str) -> Optional[Dict[str, Any]]:
+def get_token_info(token: str, secret_key: str) -> dict[str, Any] | None:
     """
     Get comprehensive token information.
 

mdb_engine/auth/token_store.py

@@ -8,7 +8,6 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 
 import logging
 from datetime import datetime, timedelta
-from typing import Optional
 
 try:
     from pymongo.errors import (
@@ -79,9 +78,9 @@ class TokenBlacklist:
     async def revoke_token(
         self,
         jti: str,
-        user_id: Optional[str] = None,
-        expires_at: Optional[datetime] = None,
-        reason: Optional[str] = None,
+        user_id: str | None = None,
+        expires_at: datetime | None = None,
+        reason: str | None = None,
     ) -> bool:
         """
         Revoke a token by adding it to the blacklist.
@@ -161,7 +160,7 @@ class TokenBlacklist:
             # On error, assume not revoked (fail open for availability)
             return False
 
-    async def revoke_all_user_tokens(self, user_id: str, reason: Optional[str] = None) -> int:
+    async def revoke_all_user_tokens(self, user_id: str, reason: str | None = None) -> int:
         """
         Revoke all tokens for a specific user.
 

mdb_engine/auth/users.py

@@ -13,8 +13,9 @@ This module is part of MDB_ENGINE - MongoDB Engine.
 import logging
 import os
 import uuid
+from collections.abc import Awaitable, Callable
 from datetime import datetime, timedelta
-from typing import Any, Awaitable, Callable, Dict, List, Optional, Tuple
+from typing import Any
 
 import bcrypt
 import jwt
@@ -49,9 +50,9 @@ def _is_auth_route(request_path: str) -> bool:
 async def _get_app_user_config(
     request: Request,
     slug_id: str,
-    config: Optional[Dict[str, Any]],
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]],
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None,
+) -> dict[str, Any] | None:
     """Fetch and validate app user config."""
     if config is None:
         if not get_app_config_func:
@@ -72,7 +73,7 @@ async def _get_app_user_config(
     return config
 
 
-def _convert_user_id_to_objectid(user_id: Any) -> Tuple[Any, Optional[str]]:
+def _convert_user_id_to_objectid(user_id: Any) -> tuple[Any, str | None]:
     """
     Convert user_id to ObjectId if valid, otherwise keep as string.
 
@@ -104,7 +105,7 @@ def _convert_user_id_to_objectid(user_id: Any) -> Tuple[Any, Optional[str]]:
 
 async def _validate_and_decode_session_token(
     session_token: str, slug_id: str
-) -> Tuple[Optional[Dict[str, Any]], Optional[Exception]]:
+) -> tuple[dict[str, Any] | None, Exception | None]:
     """Validate and decode session token."""
     try:
         from .jwt import decode_jwt_token
@@ -135,9 +136,7 @@ async def _validate_and_decode_session_token(
         return None, e
 
 
-async def _fetch_app_user_from_db(
-    db, collection_name: str, user_id: Any
-) -> Optional[Dict[str, Any]]:
+async def _fetch_app_user_from_db(db, collection_name: str, user_id: Any) -> dict[str, Any] | None:
     """Fetch user from database."""
     # Use getattr for attribute access (works with both AppDB and ScopedMongoWrapper)
     collection = getattr(db, collection_name)
@@ -155,10 +154,10 @@ async def get_app_user(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
+    config: dict[str, Any] | None = None,
     allow_demo_fallback: bool = False,
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
-) -> Optional[Dict[str, Any]]:
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get app-level user from session cookie.
 
@@ -234,8 +233,8 @@ async def get_app_user(
 
 
 async def _try_demo_mode(
-    request: Request, slug_id: str, db, config: Dict[str, Any]
-) -> Optional[Dict[str, Any]]:
+    request: Request, slug_id: str, db, config: dict[str, Any]
+) -> dict[str, Any] | None:
     """
     Internal helper: Try to authenticate as demo user if demo mode is enabled.
 
@@ -318,9 +317,9 @@ async def create_app_session(
     request: Request,
     slug_id: str,
     user_id: str,
-    config: Optional[Dict[str, Any]] = None,
-    response: Optional[Response] = None,
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
+    config: dict[str, Any] | None = None,
+    response: Response | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
 ) -> str:
     """
     Create a app-specific session token and set cookie.
@@ -402,9 +401,9 @@ async def authenticate_app_user(
     db,
     email: str,
     password: str,
-    store_id: Optional[str] = None,
+    store_id: str | None = None,
     collection_name: str = "users",
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """
     Authenticate a user against app-specific users collection.
 
@@ -484,9 +483,9 @@ async def create_app_user(
     email: str,
     password: str,
     role: str = "user",
-    store_id: Optional[str] = None,
+    store_id: str | None = None,
     collection_name: str = "users",
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """
     Create a new user in app-specific users collection.
 
@@ -573,9 +572,9 @@ async def get_or_create_anonymous_user(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create an anonymous user for anonymous_session strategy.
 
@@ -640,7 +639,7 @@ async def get_or_create_anonymous_user(
     return user
 
 
-async def get_platform_demo_user(mongo_uri: str, db_name: str) -> Optional[Dict[str, Any]]:
+async def get_platform_demo_user(mongo_uri: str, db_name: str) -> dict[str, Any] | None:
     """
     Get platform demo user information from top-level database.
 
@@ -693,7 +692,7 @@ async def get_platform_demo_user(mongo_uri: str, db_name: str) -> Optional[Dict[
 
 async def _link_platform_demo_user(
     db, slug_id: str, collection_name: str, mongo_uri: str, db_name: str
-) -> Optional[Dict[str, Any]]:
+) -> dict[str, Any] | None:
     """Link platform demo user to app demo user."""
     import datetime
 
@@ -761,7 +760,7 @@ async def _link_platform_demo_user(
 
 def _validate_demo_user_config(
     demo_user_config: Any, slug_id: str
-) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
+) -> tuple[dict[str, Any] | None, str | None]:
     """Validate demo user configuration."""
     if not isinstance(demo_user_config, dict):
         return None, f"Invalid demo_user_config entry (not a dict): {demo_user_config}"
@@ -782,12 +781,12 @@ def _validate_demo_user_config(
 
 
 async def _resolve_demo_user_email_password(
-    email: Optional[str],
-    password: Optional[str],
-    mongo_uri: Optional[str],
-    db_name: Optional[str],
+    email: str | None,
+    password: str | None,
+    mongo_uri: str | None,
+    db_name: str | None,
     slug_id: str,
-) -> Tuple[Optional[str], Optional[str]]:
+) -> tuple[str | None, str | None]:
     """Resolve email and password from config or platform demo."""
     # If email not specified, try platform demo
     if not email:
@@ -834,11 +833,11 @@ async def _create_demo_user_from_config(
     email: str,
     password: str,
     role: str,
-    extra_data: Dict[str, Any],
+    extra_data: dict[str, Any],
     link_to_platform: bool,
-    mongo_uri: Optional[str],
-    db_name: Optional[str],
-) -> Optional[Dict[str, Any]]:
+    mongo_uri: str | None,
+    db_name: str | None,
+) -> dict[str, Any] | None:
     """Create a demo user from configuration."""
     import datetime
 
@@ -933,10 +932,10 @@ async def _create_demo_user_from_config(
 async def ensure_demo_users_exist(
     db,
     slug_id: str,
-    config: Optional[Dict[str, Any]] = None,
-    mongo_uri: Optional[str] = None,
-    db_name: Optional[str] = None,
-) -> List[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    mongo_uri: str | None = None,
+    db_name: str | None = None,
+) -> list[dict[str, Any]]:
     """
     Intelligently ensure demo users exist for a app based on manifest configuration.
 
@@ -1058,9 +1057,9 @@ async def get_or_create_demo_user_for_request(
     request: Request,
     slug_id: str,
     db,
-    config: Optional[Dict[str, Any]] = None,
-    get_app_config_func: Optional[Callable[[Request, str, Dict], Awaitable[Dict]]] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any] | None = None,
+    get_app_config_func: Callable[[Request, str, dict], Awaitable[dict]] | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create a demo user for the current request context.
 
@@ -1150,10 +1149,10 @@ async def get_or_create_demo_user_for_request(
 async def get_or_create_demo_user(
     db,
     slug_id: str,
-    config: Dict[str, Any],
-    mongo_uri: Optional[str] = None,
-    db_name: Optional[str] = None,
-) -> Optional[Dict[str, Any]]:
+    config: dict[str, Any],
+    mongo_uri: str | None = None,
+    db_name: str | None = None,
+) -> dict[str, Any] | None:
     """
     Get or create a demo user for an app.
 
@@ -1252,7 +1251,7 @@ async def get_or_create_demo_user(
 
 async def ensure_demo_users_for_actor(
     db, slug_id: str, mongo_uri: str, db_name: str
-) -> List[Dict[str, Any]]:
+) -> list[dict[str, Any]]:
     """
     Convenience function for actors to ensure demo users exist.
 
@@ -1351,10 +1350,10 @@ async def ensure_demo_users_for_actor(
 
 
 async def sync_app_user_to_casbin(
-    user: Dict[str, Any],
+    user: dict[str, Any],
     authz_provider,
-    role: Optional[str] = None,
-    app_slug: Optional[str] = None,
+    role: str | None = None,
+    app_slug: str | None = None,
 ) -> bool:
     """
     Sync app-level user to Casbin by assigning a role.
@@ -1428,7 +1427,7 @@ async def sync_app_user_to_casbin(
         return False
 
 
-def get_app_user_role(user: Dict[str, Any], config: Optional[Dict[str, Any]] = None) -> str:
+def get_app_user_role(user: dict[str, Any], config: dict[str, Any] | None = None) -> str:
     """
     Determine Casbin role for app-level user.