mpt-fastapi-oauth 0.1.0__tar.gz

mpt_fastapi_oauth-0.1.0/PKG-INFO

@@ -0,0 +1,68 @@
+Metadata-Version: 2.4
+Name: mpt-fastapi-oauth
+Version: 0.1.0
+Summary: Generic OAuth2 authorization-code login for FastAPI, with pluggable user storage and JWT sessions
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: fastapi>=0.110
+Requires-Dist: httpx>=0.27
+Requires-Dist: python-jose[cryptography]>=3.3
+
+# mpt-fastapi-oauth
+
+`mptauth` - generic OAuth2 (authorization-code) login for FastAPI.
+
+Works against any spec-compliant OAuth2/OIDC provider (Google, GitHub,
+Keycloak, Auth0, or a custom in-house IdP) by configuring its endpoints
+explicitly. After the provider redirect completes, mptauth hands the user's
+profile to a host-supplied `resolve_user` hook (so you control how/where users
+are stored) and issues its own short-lived session JWT.
+
+## Usage
+
+```python
+from fastapi import Depends, FastAPI
+from mptauth import (
+    OAuth2Client,
+    OAuth2ProviderConfig,
+    TokenIssuer,
+    build_current_user_dependency,
+    build_oauth_router,
+)
+
+provider = OAuth2ProviderConfig(
+    client_id="...",
+    client_secret="...",
+    base_url="https://provider.example.com",
+    redirect_uri="https://myapp.example.com/auth/callback",
+    scopes=("openid", "profile", "email"),
+    # authorize_path / token_path / userinfo_path default to the
+    # Django OAuth Toolkit-style "/o/authorize", "/o/token/",
+    # "/api/v1/account/me/" - override them if your provider differs
+)
+client = OAuth2Client(provider)
+issuer = TokenIssuer(secret_key="change-me", expire_minutes=60 * 24)
+
+
+def resolve_user(profile: dict) -> dict:
+    # Map the provider profile to local user claims. Look the user up (or
+    # create it) in your own storage here; mptauth doesn't dictate storage.
+    return {"sub": profile["email"], "name": profile.get("name")}
+
+
+app = FastAPI()
+app.include_router(build_oauth_router(client=client, issuer=issuer, resolve_user=resolve_user))
+
+get_current_user = build_current_user_dependency(issuer)
+
+
+@app.get("/me")
+def me(user: dict = Depends(get_current_user)):
+    return user
+```
+
+This exposes:
+
+- `GET /auth/login` - redirects the browser to the provider's authorize endpoint
+- `GET /auth/callback` - exchanges the code, resolves the user, and returns `{"access_token", "token_type"}`
+- `Depends(get_current_user)` - verifies the session JWT on protected routes

mpt_fastapi_oauth-0.1.0/README.md

@@ -0,0 +1,58 @@
+# mpt-fastapi-oauth
+
+`mptauth` - generic OAuth2 (authorization-code) login for FastAPI.
+
+Works against any spec-compliant OAuth2/OIDC provider (Google, GitHub,
+Keycloak, Auth0, or a custom in-house IdP) by configuring its endpoints
+explicitly. After the provider redirect completes, mptauth hands the user's
+profile to a host-supplied `resolve_user` hook (so you control how/where users
+are stored) and issues its own short-lived session JWT.
+
+## Usage
+
+```python
+from fastapi import Depends, FastAPI
+from mptauth import (
+    OAuth2Client,
+    OAuth2ProviderConfig,
+    TokenIssuer,
+    build_current_user_dependency,
+    build_oauth_router,
+)
+
+provider = OAuth2ProviderConfig(
+    client_id="...",
+    client_secret="...",
+    base_url="https://provider.example.com",
+    redirect_uri="https://myapp.example.com/auth/callback",
+    scopes=("openid", "profile", "email"),
+    # authorize_path / token_path / userinfo_path default to the
+    # Django OAuth Toolkit-style "/o/authorize", "/o/token/",
+    # "/api/v1/account/me/" - override them if your provider differs
+)
+client = OAuth2Client(provider)
+issuer = TokenIssuer(secret_key="change-me", expire_minutes=60 * 24)
+
+
+def resolve_user(profile: dict) -> dict:
+    # Map the provider profile to local user claims. Look the user up (or
+    # create it) in your own storage here; mptauth doesn't dictate storage.
+    return {"sub": profile["email"], "name": profile.get("name")}
+
+
+app = FastAPI()
+app.include_router(build_oauth_router(client=client, issuer=issuer, resolve_user=resolve_user))
+
+get_current_user = build_current_user_dependency(issuer)
+
+
+@app.get("/me")
+def me(user: dict = Depends(get_current_user)):
+    return user
+```
+
+This exposes:
+
+- `GET /auth/login` - redirects the browser to the provider's authorize endpoint
+- `GET /auth/callback` - exchanges the code, resolves the user, and returns `{"access_token", "token_type"}`
+- `Depends(get_current_user)` - verifies the session JWT on protected routes

mpt_fastapi_oauth-0.1.0/mpt_fastapi_oauth.egg-info/PKG-INFO

@@ -0,0 +1,68 @@
+Metadata-Version: 2.4
+Name: mpt-fastapi-oauth
+Version: 0.1.0
+Summary: Generic OAuth2 authorization-code login for FastAPI, with pluggable user storage and JWT sessions
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: fastapi>=0.110
+Requires-Dist: httpx>=0.27
+Requires-Dist: python-jose[cryptography]>=3.3
+
+# mpt-fastapi-oauth
+
+`mptauth` - generic OAuth2 (authorization-code) login for FastAPI.
+
+Works against any spec-compliant OAuth2/OIDC provider (Google, GitHub,
+Keycloak, Auth0, or a custom in-house IdP) by configuring its endpoints
+explicitly. After the provider redirect completes, mptauth hands the user's
+profile to a host-supplied `resolve_user` hook (so you control how/where users
+are stored) and issues its own short-lived session JWT.
+
+## Usage
+
+```python
+from fastapi import Depends, FastAPI
+from mptauth import (
+    OAuth2Client,
+    OAuth2ProviderConfig,
+    TokenIssuer,
+    build_current_user_dependency,
+    build_oauth_router,
+)
+
+provider = OAuth2ProviderConfig(
+    client_id="...",
+    client_secret="...",
+    base_url="https://provider.example.com",
+    redirect_uri="https://myapp.example.com/auth/callback",
+    scopes=("openid", "profile", "email"),
+    # authorize_path / token_path / userinfo_path default to the
+    # Django OAuth Toolkit-style "/o/authorize", "/o/token/",
+    # "/api/v1/account/me/" - override them if your provider differs
+)
+client = OAuth2Client(provider)
+issuer = TokenIssuer(secret_key="change-me", expire_minutes=60 * 24)
+
+
+def resolve_user(profile: dict) -> dict:
+    # Map the provider profile to local user claims. Look the user up (or
+    # create it) in your own storage here; mptauth doesn't dictate storage.
+    return {"sub": profile["email"], "name": profile.get("name")}
+
+
+app = FastAPI()
+app.include_router(build_oauth_router(client=client, issuer=issuer, resolve_user=resolve_user))
+
+get_current_user = build_current_user_dependency(issuer)
+
+
+@app.get("/me")
+def me(user: dict = Depends(get_current_user)):
+    return user
+```
+
+This exposes:
+
+- `GET /auth/login` - redirects the browser to the provider's authorize endpoint
+- `GET /auth/callback` - exchanges the code, resolves the user, and returns `{"access_token", "token_type"}`
+- `Depends(get_current_user)` - verifies the session JWT on protected routes

mpt_fastapi_oauth-0.1.0/mpt_fastapi_oauth.egg-info/SOURCES.txt

@@ -0,0 +1,13 @@
+README.md
+pyproject.toml
+mpt_fastapi_oauth.egg-info/PKG-INFO
+mpt_fastapi_oauth.egg-info/SOURCES.txt
+mpt_fastapi_oauth.egg-info/dependency_links.txt
+mpt_fastapi_oauth.egg-info/requires.txt
+mpt_fastapi_oauth.egg-info/top_level.txt
+mptauth/__init__.py
+mptauth/client.py
+mptauth/config.py
+mptauth/dependencies.py
+mptauth/router.py
+mptauth/tokens.py

mpt_fastapi_oauth-0.1.0/mpt_fastapi_oauth.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

mpt_fastapi_oauth-0.1.0/mpt_fastapi_oauth.egg-info/requires.txt

@@ -0,0 +1,3 @@
+fastapi>=0.110
+httpx>=0.27
+python-jose[cryptography]>=3.3

mpt_fastapi_oauth-0.1.0/mpt_fastapi_oauth.egg-info/top_level.txt

@@ -0,0 +1 @@
+mptauth

mpt_fastapi_oauth-0.1.0/mptauth/__init__.py

@@ -0,0 +1,14 @@
+from .client import OAuth2Client
+from .config import OAuth2ProviderConfig
+from .dependencies import build_current_user_dependency
+from .router import UserResolver, build_oauth_router
+from .tokens import TokenIssuer
+
+__all__ = [
+    "OAuth2Client",
+    "OAuth2ProviderConfig",
+    "TokenIssuer",
+    "UserResolver",
+    "build_current_user_dependency",
+    "build_oauth_router",
+]

mpt_fastapi_oauth-0.1.0/mptauth/client.py

@@ -0,0 +1,52 @@
+import secrets
+from urllib.parse import urlencode
+
+import httpx
+
+from .config import OAuth2ProviderConfig
+
+
+class OAuth2Client:
+    """Minimal OAuth2 authorization-code flow client driven by `OAuth2ProviderConfig`."""
+
+    def __init__(self, config: OAuth2ProviderConfig):
+        self.config = config
+
+    def build_authorize_url(self, state: str | None = None) -> tuple[str, str]:
+        """Return `(authorize_url, state)`. Generates a random `state` if none is given."""
+        state = state or secrets.token_urlsafe(24)
+        params = {
+            "response_type": "code",
+            "client_id": self.config.client_id,
+            "redirect_uri": self.config.redirect_uri,
+            "scope": " ".join(self.config.scopes),
+            "state": state,
+        }
+        return f"{self.config.authorize_url}?{urlencode(params)}", state
+
+    async def fetch_token(self, code: str) -> dict:
+        """Exchange an authorization `code` for a token response from the provider."""
+        async with httpx.AsyncClient(verify=self.config.verify_ssl) as http:
+            response = await http.post(
+                self.config.token_url,
+                data={
+                    "grant_type": "authorization_code",
+                    "code": code,
+                    "redirect_uri": self.config.redirect_uri,
+                    "client_id": self.config.client_id,
+                    "client_secret": self.config.client_secret,
+                },
+                headers={"Accept": "application/json"},
+            )
+            response.raise_for_status()
+            return response.json()
+
+    async def fetch_userinfo(self, access_token: str) -> dict:
+        """Fetch the authenticated user's profile from the provider's userinfo endpoint."""
+        async with httpx.AsyncClient(verify=self.config.verify_ssl) as http:
+            response = await http.get(
+                self.config.userinfo_url,
+                headers={"Authorization": f"Bearer {access_token}"},
+            )
+            response.raise_for_status()
+            return response.json()

mpt_fastapi_oauth-0.1.0/mptauth/config.py

@@ -0,0 +1,36 @@
+from dataclasses import dataclass, field
+from typing import Sequence
+
+
+@dataclass(frozen=True)
+class OAuth2ProviderConfig:
+    """Endpoints and credentials for an OAuth2 authorization-code provider.
+
+    Works with any spec-compliant provider (Google, GitHub, Keycloak, Auth0, a
+    custom in-house IdP, ...): the authorize/token/userinfo endpoints are
+    derived as `base_url + path`, so a host app only needs to supply the
+    provider's `base_url` and override the `*_path` fields when the provider
+    doesn't match the (Django OAuth Toolkit-style) defaults below.
+    """
+
+    client_id: str
+    client_secret: str
+    base_url: str
+    redirect_uri: str
+    authorize_path: str = "/o/authorize"
+    token_path: str = "/o/token/"
+    userinfo_path: str = "/api/v1/account/me/"
+    scopes: Sequence[str] = field(default_factory=lambda: ("openid", "profile", "email"))
+    verify_ssl: bool = True
+
+    @property
+    def authorize_url(self) -> str:
+        return self.base_url.rstrip("/") + self.authorize_path
+
+    @property
+    def token_url(self) -> str:
+        return self.base_url.rstrip("/") + self.token_path
+
+    @property
+    def userinfo_url(self) -> str:
+        return self.base_url.rstrip("/") + self.userinfo_path

mpt_fastapi_oauth-0.1.0/mptauth/dependencies.py

@@ -0,0 +1,33 @@
+from typing import Callable, Optional
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from jose import JWTError
+
+from .tokens import TokenIssuer
+
+
+def build_current_user_dependency(issuer: TokenIssuer) -> Callable[..., dict]:
+    """Build a `Depends()`-able that decodes the bearer session token issued by `issuer`.
+
+    Returns the decoded JWT payload (whatever claims `resolve_user` placed on it
+    at login time, e.g. `sub`, `email`, `name`).
+    """
+    bearer_scheme = HTTPBearer(auto_error=False)
+
+    def get_current_user(
+        credentials: Optional[HTTPAuthorizationCredentials] = Depends(bearer_scheme),
+    ) -> dict:
+        unauthorized = HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+        if credentials is None:
+            raise unauthorized
+        try:
+            return issuer.decode_access_token(credentials.credentials)
+        except JWTError:
+            raise unauthorized
+
+    return get_current_user

mpt_fastapi_oauth-0.1.0/mptauth/router.py

@@ -0,0 +1,76 @@
+import inspect
+import secrets
+from typing import Awaitable, Callable, Optional, Union
+
+from fastapi import APIRouter, HTTPException, Request, status
+from fastapi.responses import JSONResponse, RedirectResponse
+
+from .client import OAuth2Client
+from .tokens import TokenIssuer
+
+UserResolver = Callable[[dict], Union[dict, Awaitable[dict]]]
+"""Maps a provider userinfo profile to the local user claims stored in the session JWT.
+
+The returned dict must contain a `sub` claim identifying the user. Use this hook
+to look up or create a local user record from the provider's profile - mptauth
+does not dictate how/where users are stored.
+"""
+
+_STATE_COOKIE = "mptauth_state"
+
+
+def build_oauth_router(
+    *,
+    client: OAuth2Client,
+    issuer: TokenIssuer,
+    resolve_user: UserResolver,
+    prefix: str = "/auth",
+    success_redirect: Optional[str] = None,
+) -> APIRouter:
+    """Build login/callback routes implementing the OAuth2 authorization-code flow.
+
+    `GET {prefix}/login` redirects the browser to the provider's authorize endpoint.
+    `GET {prefix}/callback` exchanges the returned code, resolves the local user via
+    `resolve_user`, and issues a session JWT via `issuer`.
+
+    If `success_redirect` is set, the callback redirects there with `?token=...`;
+    otherwise it returns `{"access_token": ..., "token_type": "bearer"}` as JSON.
+    """
+    router = APIRouter(prefix=prefix, tags=["auth"])
+
+    @router.get("/login")
+    def login() -> RedirectResponse:
+        url, state = client.build_authorize_url()
+        response = RedirectResponse(url)
+        response.set_cookie(_STATE_COOKIE, state, httponly=True, max_age=600, samesite="lax")
+        return response
+
+    @router.get("/callback")
+    async def callback(request: Request, code: str, state: str):
+        expected_state = request.cookies.get(_STATE_COOKIE)
+        if not expected_state or not secrets.compare_digest(state, expected_state):
+            raise HTTPException(status.HTTP_400_BAD_REQUEST, "Invalid OAuth state")
+
+        token = await client.fetch_token(code)
+        provider_access_token = token.get("access_token")
+        if not provider_access_token:
+            raise HTTPException(status.HTTP_502_BAD_GATEWAY, "Provider did not return an access token")
+
+        profile = await client.fetch_userinfo(provider_access_token)
+
+        user = resolve_user(profile)
+        if inspect.isawaitable(user):
+            user = await user
+        if "sub" not in user:
+            raise HTTPException(status.HTTP_502_BAD_GATEWAY, "resolve_user must return a 'sub' claim")
+
+        session_token = issuer.create_access_token(user)
+
+        if success_redirect:
+            response = RedirectResponse(f"{success_redirect}?token={session_token}")
+        else:
+            response = JSONResponse({"access_token": session_token, "token_type": "bearer"})
+        response.delete_cookie(_STATE_COOKIE)
+        return response
+
+    return router

mpt_fastapi_oauth-0.1.0/mptauth/tokens.py

@@ -0,0 +1,26 @@
+from datetime import datetime, timedelta, timezone
+from typing import Optional
+
+from jose import jwt
+
+
+class TokenIssuer:
+    """Issues and verifies the host application's own signed session JWTs.
+
+    Kept separate from the OAuth2 provider's tokens: once a user is
+    authenticated via the provider, the app should rely on its own short-lived
+    session token rather than calling the provider on every request.
+    """
+
+    def __init__(self, secret_key: str, algorithm: str = "HS256", expire_minutes: int = 60 * 24):
+        self.secret_key = secret_key
+        self.algorithm = algorithm
+        self.expire_minutes = expire_minutes
+
+    def create_access_token(self, data: dict, expires_delta: Optional[timedelta] = None) -> str:
+        payload = data.copy()
+        payload["exp"] = datetime.now(timezone.utc) + (expires_delta or timedelta(minutes=self.expire_minutes))
+        return jwt.encode(payload, self.secret_key, algorithm=self.algorithm)
+
+    def decode_access_token(self, token: str) -> dict:
+        return jwt.decode(token, self.secret_key, algorithms=[self.algorithm])

mpt_fastapi_oauth-0.1.0/pyproject.toml

@@ -0,0 +1,18 @@
+[project]
+name = "mpt-fastapi-oauth"
+version = "0.1.0"
+description = "Generic OAuth2 authorization-code login for FastAPI, with pluggable user storage and JWT sessions"
+readme = "README.md"
+requires-python = ">=3.10"
+dependencies = [
+    "fastapi>=0.110",
+    "httpx>=0.27",
+    "python-jose[cryptography]>=3.3",
+]
+
+[build-system]
+requires = ["setuptools>=68"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+include = ["mptauth*"]

mpt_fastapi_oauth-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+