nlbone 0.9.7__py3-none-any.whl → 0.11.0__py3-none-any.whl

nlbone/adapters/auth/__init__.py

@@ -1 +1,3 @@
+from .async_auth_service import AsyncAuthService, get_async_auth_service
+from .auth_service import AuthService, get_auth_service
 from .keycloak import KeycloakAuthService

nlbone/adapters/auth/async_auth_service.py

@@ -0,0 +1,110 @@
+from functools import lru_cache
+from typing import Any, Optional, Set
+
+import httpx
+
+from nlbone.config.settings import get_settings
+from nlbone.core.ports.auth import AsyncAuthService as BaseAuthService
+from nlbone.utils.cache import cached
+from nlbone.utils.http import normalize_https_base
+
+
+class AsyncAuthService(BaseAuthService):
+    _client: Optional[httpx.AsyncClient] = None
+
+    def __init__(self):
+        s = get_settings()
+        self.client_id = s.CLIENT_ID or s.KEYCLOAK_CLIENT_ID
+        self.client_secret = s.CLIENT_SECRET.get_secret_value().strip()
+        self._base_url = normalize_https_base(s.AUTH_SERVICE_URL.unicode_string(), enforce_https=False)
+        self._timeout = float(s.HTTP_TIMEOUT_SECONDS)
+
+    @classmethod
+    def get_client(cls) -> httpx.AsyncClient:
+        if cls._client is None or cls._client.is_closed:
+            s = get_settings()
+            cls._client = httpx.AsyncClient(
+                timeout=float(s.HTTP_TIMEOUT_SECONDS),
+                limits=httpx.Limits(
+                    max_keepalive_connections=s.HTTPX_MAX_KEEPALIVE_CONNECTIONS,
+                    max_connections=s.HTTPX_MAX_CONNECTIONS,
+                ),
+            )
+        return cls._client
+
+    @cached(ttl=15 * 60)
+    async def verify_token(self, token: str) -> Optional[dict[str, Any]]:
+        if not token:
+            return None
+
+        url = f"{self._base_url}/introspect"
+        client = self.get_client()
+
+        try:
+            response = await client.post(url, data={"token": token})
+            if response.status_code == 200:
+                data = response.json()
+                if data.get("active") is True:
+                    return data
+        except httpx.RequestError as e:
+            pass
+
+        return None
+
+    async def has_access(self, token: str, permissions: list[str]) -> bool:
+        data = await self.verify_token(token)
+        if not data:
+            return False
+
+        allowed = set(data.get("allowed_permissions", []))
+        required = {f"{self.client_id}#{perm}" for perm in permissions}
+
+        return required.issubset(allowed)
+
+    async def client_has_access(
+        self, token: str, permissions: list[str], allowed_clients: Set[str] | None = None
+    ) -> bool:
+        return await self.has_access(token, permissions)
+
+    async def get_client_id(self, token: str) -> Optional[str]:
+        data = await self.verify_token(token)
+        if data:
+            username = data.get("preferred_username", "")
+            if username.startswith("service-account"):
+                return username
+        return None
+
+    async def is_client_token(self, token: str, allowed_clients: Set[str] | None = None) -> bool:
+        data = await self.verify_token(token)
+        if data:
+            return data.get("preferred_username", "").startswith("service-account")
+        return False
+
+    async def get_client_token(self) -> dict | None:
+        url = f"{self._base_url}/token"
+        client = self.get_client()
+
+        try:
+            result = await client.post(
+                url,
+                data={
+                    "client_id": self.client_id,
+                    "client_secret": self.client_secret,
+                    "grant_type": "client_credentials",
+                },
+            )
+            if result.status_code == 200:
+                return result.json()
+        except httpx.RequestError:
+            pass
+
+        return None
+
+    async def get_permissions(self, token: str) -> list[str]:
+        data = await self.verify_token(token)
+        return data.get("allowed_permissions", []) if data else []
+
+
+@lru_cache(maxsize=1)
+def get_async_auth_service() -> AsyncAuthService:
+    return AsyncAuthService()

nlbone/adapters/auth/async_token_provider.py

@@ -0,0 +1,49 @@
+import asyncio
+import time
+from typing import Optional
+
+from nlbone.core.ports.auth import AsyncAuthService as BaseAuthService
+
+
+class AsyncClientTokenProvider:
+    """
+    Caches Keycloak client-credentials token and refreshes before expiry.
+    """
+
+    def __init__(self, auth: BaseAuthService, *, skew_seconds: int = 30) -> None:
+        self._auth = auth
+        self._skew = skew_seconds
+        self._lock = asyncio.Lock()
+        self._token: Optional[str] = None  # access_token
+        self._expires_at: float = 0.0  # epoch seconds
+
+    def _needs_refresh(self) -> bool:
+        return not self._token or time.time() >= (self._expires_at - self._skew)
+
+    async def get_access_token(self) -> str:
+        """
+        Return a valid access token; refresh asynchronously if needed.
+        """
+        if not self._needs_refresh() and self._token:
+            return self._token
+
+        async with self._lock:
+            if not self._needs_refresh() and self._token:
+                return self._token
+
+            data = await self._auth.get_client_token()
+
+            if not data or "access_token" not in data:
+                raise RuntimeError("Failed to retrieve access_token")
+
+            access_token = data["access_token"]
+            expires_in = int(data.get("expires_in", 15 * 60))
+
+            self._token = access_token
+            self._expires_at = time.time() + max(1, expires_in)
+
+            return self._token
+
+    async def get_auth_header(self) -> str:
+        token = await self.get_access_token()
+        return f"Bearer {token}"

nlbone/adapters/http_clients/pricing/async_pricing_service.py

@@ -0,0 +1,66 @@
+from decimal import Decimal
+from typing import Dict, Literal, Optional
+
+import httpx
+
+from nlbone.adapters.auth.async_token_provider import AsyncClientTokenProvider
+from nlbone.adapters.http_clients import CalculatePriceIn, CalculatePriceOut
+from nlbone.adapters.http_clients.pricing.pricing_service import PricingError
+from nlbone.config.settings import get_settings
+from nlbone.utils.http import normalize_https_base
+
+
+class AsyncPricingService:
+    def __init__(
+        self,
+        token_provider: AsyncClientTokenProvider,
+        base_url: Optional[str] = None,
+        timeout_seconds: Optional[float] = None,
+        client: Optional[httpx.AsyncClient] = None,
+    ) -> None:
+        s = get_settings()
+        self._token_provider = token_provider
+        self._base_url = normalize_https_base(base_url or str(s.PRICING_SERVICE_URL), enforce_https=False)
+        self._timeout = httpx.Timeout(timeout_seconds or float(s.HTTP_TIMEOUT_SECONDS), connect=5.0)
+        self._client = client or httpx.AsyncClient(
+            timeout=self._timeout,
+            verify=True if s.ENV == "prod" else False,
+            limits=httpx.Limits(
+                max_keepalive_connections=s.HTTPX_MAX_KEEPALIVE_CONNECTIONS, max_connections=s.HTTPX_MAX_CONNECTIONS
+            ),
+        )
+
+    async def calculate(
+        self, items: list[CalculatePriceIn], response: Literal["list", "dict"] = "dict"
+    ) -> CalculatePriceOut:
+        payload = {"items": [i.model_dump(mode="json") for i in items]}
+
+        response_obj = await self._client.post(
+            f"{self._base_url}/price/calculate",
+            params={"response": response},
+            headers={"X-Api-Key": get_settings().PRICING_API_SECRET, "X-Client-Id": get_settings().KEYCLOAK_CLIENT_ID},
+            # headers=auth_headers(await self._token_provider.get_access_token()),
+            json=payload,
+        )
+
+        if response_obj.status_code not in (200, 204):
+            raise PricingError(response_obj.status_code, response_obj.text)
+
+        if response_obj.status_code == 204 or not response_obj.content:
+            return CalculatePriceOut.model_validate(root=[])
+
+        return CalculatePriceOut.model_validate(response_obj.json())
+
+    async def exchange_rates(self) -> Dict[str, Decimal]:
+        response_obj = await self._client.get(
+            f"{self._base_url}/variables/key/exchange_rates",
+            headers={"X-Api-Key": get_settings().PRICING_API_SECRET, "X-Client-Id": get_settings().KEYCLOAK_CLIENT_ID},
+            # headers=auth_headers(await self._token_provider.get_access_token()),
+        )
+
+        if response_obj.status_code != 200:
+            raise PricingError(response_obj.status_code, response_obj.text)
+
+        values = response_obj.json().get("values", [])
+
+        return {str(v["key"]): Decimal(str(v["value"])) for v in values}

nlbone/adapters/http_clients/pricing/pricing_service.py

@@ -76,11 +76,11 @@ class DecimalEncoder(json.JSONEncoder):
 
 class PricingService:
     def __init__(
-            self,
-            token_provider: ClientTokenProvider,
-            base_url: Optional[str] = None,
-            timeout_seconds: Optional[float] = None,
-            client: httpx.Client | None = None,
+        self,
+        token_provider: ClientTokenProvider,
+        base_url: Optional[str] = None,
+        timeout_seconds: Optional[float] = None,
+        client: httpx.Client | None = None,
     ) -> None:
         s = get_settings()
         self._base_url = normalize_https_base(base_url or str(s.PRICING_SERVICE_URL), enforce_https=False)
@@ -89,10 +89,7 @@ class PricingService:
         self._token_provider = token_provider
 
     def calculate(self, items: list[CalculatePriceIn], response: Literal["list", "dict"] = "dict") -> CalculatePriceOut:
-        body = json.dumps(
-            {"items": [i.model_dump() for i in items]},
-            cls=DecimalEncoder
-        )
+        body = json.dumps({"items": [i.model_dump() for i in items]}, cls=DecimalEncoder)
         body = json.loads(body)
 
         r = self._client.post(

nlbone/adapters/http_clients/uploadchi/uploadchi.py

@@ -56,7 +56,7 @@ class UploadchiClient(FileServicePort):
         tok = _resolve_token(token)
         files = {"file": (filename, file_bytes)}
         data = (params or {}).copy()
-        r = self._client.post(self._base_url, files=files, data=data, headers=auth_headers(tok))
+        r = self._client.post(f"{self._base_url}/files", files=files, data=data, headers=auth_headers(tok))
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, r.text)
         return r.json()
@@ -66,7 +66,7 @@ class UploadchiClient(FileServicePort):
             raise UploadchiError(detail="token_provider is not provided", status=400)
         tok = _resolve_token(token)
         r = self._client.post(
-            f"{self._base_url}/{file_id}/commit",
+            f"{self._base_url}/files/{file_id}/commit",
             headers=auth_headers(tok or self._token_provider.get_access_token()),
         )
         if r.status_code not in (204, 200):
@@ -77,7 +77,7 @@ class UploadchiClient(FileServicePort):
             raise UploadchiError(detail="token_provider is not provided", status=400)
         tok = _resolve_token(token)
         r = self._client.post(
-            f"{self._base_url}/{file_id}/rollback",
+            f"{self._base_url}/files/{file_id}/rollback",
             headers=auth_headers(tok or self._token_provider.get_access_token()),
         )
         if r.status_code not in (204, 200):
@@ -93,21 +93,21 @@ class UploadchiClient(FileServicePort):
     ) -> dict:
         tok = _resolve_token(token)
         q = build_list_query(limit, offset, filters, sort)
-        r = self._client.get(self._base_url, params=q, headers=auth_headers(tok))
+        r = self._client.get(f"{self._base_url}/files", params=q, headers=auth_headers(tok))
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, r.text)
         return r.json()
 
     def get_file(self, file_id: str, token: str | None = None) -> dict:
         tok = _resolve_token(token)
-        r = self._client.get(f"{self._base_url}/{file_id}", headers=auth_headers(tok))
+        r = self._client.get(f"{self._base_url}/files/{file_id}", headers=auth_headers(tok))
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, r.text)
         return r.json()
 
     def download_file(self, file_id: str, token: str | None = None) -> tuple[bytes, str, str]:
         tok = _resolve_token(token)
-        r = self._client.get(f"{self._base_url}/{file_id}/download", headers=auth_headers(tok))
+        r = self._client.get(f"{self._base_url}/files/{file_id}/download", headers=auth_headers(tok))
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, r.text)
         filename = _filename_from_cd(r.headers.get("content-disposition"), fallback=f"file-{file_id}")
@@ -117,7 +117,7 @@ class UploadchiClient(FileServicePort):
     def delete_file(self, file_id: str, token: str | None = None) -> None:
         tok = _resolve_token(token)
         r = self._client.delete(
-            f"{self._base_url}/{file_id}", headers=auth_headers(tok or self._token_provider.get_access_token())
+            f"{self._base_url}/files/{file_id}", headers=auth_headers(tok or self._token_provider.get_access_token())
         )
         if r.status_code not in (204, 200):
             raise UploadchiError(r.status_code, r.text)

nlbone/adapters/http_clients/uploadchi/uploadchi_async.py

@@ -4,7 +4,7 @@ from typing import Any, AsyncIterator, Optional
 
 import httpx
 
-from nlbone.adapters.auth.token_provider import ClientTokenProvider
+from nlbone.adapters.auth.async_token_provider import AsyncClientTokenProvider
 from nlbone.adapters.http_clients.uploadchi.uploadchi import UploadchiError, _filename_from_cd, _resolve_token
 from nlbone.config.settings import get_settings
 from nlbone.core.ports.files import AsyncFileServicePort
@@ -14,16 +14,21 @@ from nlbone.utils.http import auth_headers, build_list_query
 class UploadchiAsyncClient(AsyncFileServicePort):
     def __init__(
         self,
-        token_provider: ClientTokenProvider | None = None,
+        token_provider: Optional[AsyncClientTokenProvider] = None,
         base_url: Optional[str] = None,
         timeout_seconds: Optional[float] = None,
-        client: httpx.AsyncClient | None = None,
+        client: Optional[httpx.AsyncClient] = None,
     ) -> None:
         s = get_settings()
         self._base_url = base_url or str(s.UPLOADCHI_BASE_URL)
         self._timeout = timeout_seconds or float(s.HTTP_TIMEOUT_SECONDS)
         self._client = client or httpx.AsyncClient(
-            base_url=self._base_url, timeout=self._timeout, follow_redirects=True
+            base_url=self._base_url,
+            timeout=self._timeout,
+            limits=httpx.Limits(
+                max_keepalive_connections=s.HTTPX_MAX_KEEPALIVE_CONNECTIONS, max_connections=s.HTTPX_MAX_CONNECTIONS
+            ),
+            follow_redirects=True,
         )
         self._token_provider = token_provider
 
@@ -36,7 +41,9 @@ class UploadchiAsyncClient(AsyncFileServicePort):
         tok = _resolve_token(token)
         files = {"file": (filename, file_bytes)}
         data = (params or {}).copy()
-        r = await self._client.post("", files=files, data=data, headers=auth_headers(tok))
+        r = await self._client.post(
+            "/files", files=files, data=data, headers=auth_headers(tok or await self._token_provider.get_access_token())
+        )
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, await r.aread())
         return r.json()
@@ -46,7 +53,7 @@ class UploadchiAsyncClient(AsyncFileServicePort):
             raise UploadchiError(detail="token_provider is not provided", status=400)
         tok = _resolve_token(token)
         r = await self._client.post(
-            f"/{file_id}/commit", headers=auth_headers(tok or self._token_provider.get_access_token())
+            f"/files/{file_id}/commit", headers=auth_headers(tok or await self._token_provider.get_access_token())
         )
         if r.status_code not in (204, 200):
             raise UploadchiError(r.status_code, await r.aread())
@@ -56,7 +63,7 @@ class UploadchiAsyncClient(AsyncFileServicePort):
             raise UploadchiError(detail="token_provider is not provided", status=400)
         tok = _resolve_token(token)
         r = await self._client.post(
-            f"/{file_id}/rollback", headers=auth_headers(tok or self._token_provider.get_access_token())
+            f"/files/{file_id}/rollback", headers=auth_headers(tok or await self._token_provider.get_access_token())
         )
         if r.status_code not in (204, 200):
             raise UploadchiError(r.status_code, await r.aread())
@@ -71,21 +78,29 @@ class UploadchiAsyncClient(AsyncFileServicePort):
     ) -> dict:
         tok = _resolve_token(token)
         q = build_list_query(limit, offset, filters, sort)
-        r = await self._client.get("", params=q, headers=auth_headers(tok))
+        r = await self._client.get(
+            "/files", params=q, headers=auth_headers(tok or await self._token_provider.get_access_token())
+        )
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, await r.aread())
         return r.json()
 
     async def get_file(self, file_id: str, token: str | None = None) -> dict:
         tok = _resolve_token(token)
-        r = await self._client.get(f"/{file_id}", headers=auth_headers(tok))
+        r = await self._client.get(
+            f"/files/{file_id}", headers=auth_headers(tok or await self._token_provider.get_access_token())
+        )
         if r.status_code >= 400:
             raise UploadchiError(r.status_code, await r.aread())
         return r.json()
 
     async def download_file(self, file_id: str, token: str | None = None) -> tuple[AsyncIterator[bytes], str, str]:
         tok = _resolve_token(token)
-        r = await self._client.get(f"/{file_id}/download", headers=auth_headers(tok), stream=True)
+        r = await self._client.get(
+            f"/files/{file_id}/download",
+            headers=auth_headers(tok or await self._token_provider.get_access_token()),
+            stream=True,
+        )
         if r.status_code >= 400:
             body = await r.aread()
             raise UploadchiError(r.status_code, body.decode(errors="ignore"))
@@ -103,7 +118,9 @@ class UploadchiAsyncClient(AsyncFileServicePort):
 
     async def delete_file(self, file_id: str, token: str | None = None) -> None:
         tok = _resolve_token(token)
-        r = await self._client.delete(f"/{file_id}", headers=auth_headers(tok))
+        r = await self._client.delete(
+            f"/files/{file_id}", headers=auth_headers(tok or await self._token_provider.get_access_token())
+        )
         if r.status_code not in (204, 200):
             body = await r.aread()
             raise UploadchiError(r.status_code, body.decode(errors="ignore"))

nlbone/config/settings.py

@@ -52,6 +52,8 @@ class Settings(BaseSettings):
     # HTTP / Timeouts
     # ---------------------------
     HTTP_TIMEOUT_SECONDS: float = Field(default=10.0)
+    HTTPX_MAX_KEEPALIVE_CONNECTIONS: int = Field(default=10)
+    HTTPX_MAX_CONNECTIONS: int = Field(default=30)
 
     # ---------------------------
     # Keycloak / Auth
@@ -104,7 +106,7 @@ class Settings(BaseSettings):
     # ---------------------------
     # UPLOADCHI
     # ---------------------------
-    UPLOADCHI_BASE_URL: AnyHttpUrl = Field(default="https://uploadchi.numberland.ir/v1/files")
+    UPLOADCHI_BASE_URL: AnyHttpUrl = Field(default="https://uploadchi.numberland.ir/v1")
     UPLOADCHI_TOKEN: SecretStr = Field(default="")
 
     # ---------------------------

nlbone/container.py

@@ -5,6 +5,8 @@ from typing import Dict, Optional
 from dependency_injector import containers, providers
 from pydantic_settings import BaseSettings
 
+from nlbone.adapters.auth.async_auth_service import AsyncAuthService as AsyncAuthService_IMP
+from nlbone.adapters.auth.async_token_provider import AsyncClientTokenProvider
 from nlbone.adapters.auth.auth_service import AuthService as AuthService_IMP
 from nlbone.adapters.auth.token_provider import ClientTokenProvider
 from nlbone.adapters.cache.async_redis import AsyncRedisCache
@@ -12,9 +14,10 @@ from nlbone.adapters.cache.memory import InMemoryCache
 from nlbone.adapters.cache.redis import RedisCache
 from nlbone.adapters.db.postgres.engine import get_async_session_factory, get_sync_session_factory
 from nlbone.adapters.http_clients import PricingService
+from nlbone.adapters.http_clients.pricing.async_pricing_service import AsyncPricingService
 from nlbone.adapters.http_clients.uploadchi import UploadchiClient
 from nlbone.adapters.http_clients.uploadchi.uploadchi_async import UploadchiAsyncClient
-from nlbone.core.ports.auth import AuthService
+from nlbone.core.ports.auth import AsyncAuthService, AuthService
 from nlbone.core.ports.cache import AsyncCachePort, CachePort
 from nlbone.core.ports.files import AsyncFileServicePort, FileServicePort
 
@@ -31,15 +34,21 @@ class Container(containers.DeclarativeContainer):
     # --- Services ---
     auth: providers.Singleton[AuthService] = providers.Singleton(AuthService_IMP)
     token_provider = providers.Singleton(ClientTokenProvider, auth=auth, skew_seconds=30)
+    async_auth: providers.Singleton[AsyncAuthService] = providers.Singleton(AsyncAuthService_IMP)
+    async_token_provider = providers.Singleton(AsyncClientTokenProvider, auth=async_auth, skew_seconds=30)
+
     file_service: providers.Singleton[FileServicePort] = providers.Singleton(
         UploadchiClient, token_provider=token_provider
     )
     afiles_service: providers.Singleton[AsyncFileServicePort] = providers.Singleton(
-        UploadchiAsyncClient, token_provider=token_provider
+        UploadchiAsyncClient, token_provider=async_token_provider
     )
     pricing_service: providers.Singleton[PricingService] = providers.Singleton(
         PricingService, token_provider=token_provider
     )
+    async_pricing_service: providers.Singleton[AsyncPricingService] = providers.Singleton(
+        AsyncPricingService, token_provider=async_token_provider
+    )
 
     cache: providers.Singleton[CachePort] = providers.Selector(
         config.CACHE_BACKEND,

nlbone/core/ports/auth.py

@@ -9,3 +9,15 @@ class AuthService(Protocol):
     def is_client_token(self, token: str, allowed_clients: set[str] | None = None) -> bool: ...
     def client_has_access(self, token: str, perms: list[str], allowed_clients: set[str] | None = None) -> bool: ...
     def get_permissions(self, token: str) -> list[str]: ...
+
+
+@runtime_checkable
+class AsyncAuthService(Protocol):
+    async def has_access(self, token: str, permissions: list[str]) -> bool: ...
+    async def verify_token(self, token: str) -> dict | None: ...
+    async def get_client_token(self) -> dict | None: ...
+    async def is_client_token(self, token: str, allowed_clients: set[str] | None = None) -> bool: ...
+    async def client_has_access(
+        self, token: str, perms: list[str], allowed_clients: set[str] | None = None
+    ) -> bool: ...
+    async def get_permissions(self, token: str) -> list[str]: ...

nlbone/interfaces/api/dependencies/__init__.py

@@ -1,10 +1,10 @@
-from .async_auth import client_has_access, current_request, current_user_id, has_access, user_authenticated
 from .auth import (  # noqa: F811
     client_has_access,
     current_client_id,
     current_request,
     current_user_id,
     has_access,
+    is_permitted_user,
     user_authenticated,
 )
 from .db import get_async_session, get_session

nlbone/interfaces/api/dependencies/async_auth.py

@@ -1,31 +1,31 @@
 import functools
 
-from nlbone.adapters.auth.auth_service import get_auth_service
-from nlbone.interfaces.api.exceptions import UnauthorizedException
+from nlbone.adapters.auth.async_auth_service import get_async_auth_service
+from nlbone.interfaces.api.exceptions import ForbiddenException, UnauthorizedException
 from nlbone.utils.context import current_request
 
-from .auth import client_has_access_func, client_or_user_has_access_func, user_has_access_func
-
-
-async def current_user_id() -> int:
-    user_id = current_request().state.user_id
-    if user_id is not None:
-        return int(user_id)
-    raise UnauthorizedException()
+from .auth import bypass_authz, current_user_id
 
 
 async def current_client_id() -> str:
     request = current_request()
-    if client_id := get_auth_service().get_client_id(request.state.token):
+    if client_id := await get_async_auth_service().get_client_id(request.state.token):
         return str(client_id)
     raise UnauthorizedException()
 
 
+async def client_has_access_func(*, permissions=None):
+    request = current_request()
+    if not await get_async_auth_service().client_has_access(request.state.token, permissions=permissions):
+        raise ForbiddenException(f"Forbidden {permissions}")
+    return True
+
+
 def client_has_access(*, permissions=None):
     def decorator(func):
         @functools.wraps(func)
         async def wrapper(*args, **kwargs):
-            client_has_access_func(permissions=permissions)
+            await client_has_access_func(permissions=permissions)
             return await func(*args, **kwargs)
 
         return wrapper
@@ -36,18 +36,29 @@ def client_has_access(*, permissions=None):
 def user_authenticated(func):
     @functools.wraps(func)
     async def wrapper(*args, **kwargs):
-        if not await current_user_id():
+        if not current_user_id():
             raise UnauthorizedException()
         return await func(*args, **kwargs)
 
     return wrapper
 
 
+async def user_has_access_func(*, permissions=None):
+    request = current_request()
+    if not current_user_id():
+        raise UnauthorizedException()
+    if bypass_authz():
+        return True
+    if not await get_async_auth_service().has_access(request.state.token, permissions=permissions):
+        raise ForbiddenException(f"Forbidden {permissions}")
+    return True
+
+
 def has_access(*, permissions=None):
     def decorator(func):
         @functools.wraps(func)
         async def wrapper(*args, **kwargs):
-            user_has_access_func(permissions=permissions)
+            await user_has_access_func(permissions=permissions)
             return await func(*args, **kwargs)
 
         return wrapper
@@ -55,13 +66,46 @@ def has_access(*, permissions=None):
     return decorator
 
 
+async def client_or_user_has_access_func(permissions=None, client_permissions=None):
+    if bypass_authz():
+        return True
+    request = current_request()
+    token = getattr(request.state, "token", None)
+    if not token:
+        raise UnauthorizedException()
+    needed = client_permissions or permissions
+    try:
+        await client_has_access_func(permissions=needed)
+    except Exception:
+        await user_has_access_func(permissions=needed)
+
+
 def client_or_user_has_access(*, permissions=None, client_permissions=None):
     def decorator(func):
         @functools.wraps(func)
         async def wrapper(*args, **kwargs):
-            client_or_user_has_access_func(permissions=permissions, client_permissions=client_permissions)
+            await client_or_user_has_access_func(permissions=permissions, client_permissions=client_permissions)
             return await func(*args, **kwargs)
 
         return wrapper
 
     return decorator
+
+
+async def is_permitted_user(permissions=None):
+    async def check_permissions():
+        try:
+            if bypass_authz():
+                return True
+            request = current_request()
+            if not current_user_id():
+                raise UnauthorizedException()
+            if not await get_async_auth_service().has_access(request.state.token, permissions=permissions):
+                raise ForbiddenException(f"Forbidden {permissions}")
+            return True
+        except ForbiddenException:
+            return False
+        except UnauthorizedException:
+            return False
+
+    return check_permissions

nlbone/interfaces/api/dependencies/auth.py

@@ -7,9 +7,9 @@ from nlbone.interfaces.api.exceptions import ForbiddenException, UnauthorizedExc
 from nlbone.utils.context import current_request
 
 
-@functools.lru_cache()
+@functools.lru_cache(maxsize=1)
 def bypass_authz() -> bool:
-    if get_settings().ENV != "prod":
+    if get_settings().ENV not in ("prod", "staging"):
         return True
     return False
 

nlbone/interfaces/api/middleware/authentication.py

@@ -1,21 +1,19 @@
-from typing import Callable, Optional, Union
+from typing import Any, Callable, Optional, Union
 
 from fastapi import Request
 from starlette.middleware.base import BaseHTTPMiddleware
 
-from nlbone.adapters.auth.auth_service import AuthService
 from nlbone.config.settings import get_settings
 from nlbone.core.domain.models import CurrentUserData
+from nlbone.core.ports.auth import AsyncAuthService as BaseAuthService
 
 try:
     from dependency_injector import providers
 
     ProviderType = providers.Provider  # type: ignore
-except Exception:
+except ImportError:
     ProviderType = object
 
-from nlbone.core.ports.auth import AuthService as BaseAuthService
-
 
 def _to_factory(auth: Union[BaseAuthService, Callable[[], BaseAuthService], ProviderType]):
     try:
@@ -25,50 +23,43 @@ def _to_factory(auth: Union[BaseAuthService, Callable[[], BaseAuthService], Prov
             return auth
     except Exception:
         pass
-    if callable(auth) and not hasattr(auth, "verify_token"):
+    if callable(auth):
         return auth
     return lambda: auth
 
 
-def authenticate_admin_user(request, auth_service):
-    token: Optional[str] = None
-    authz = request.headers.get("Authorization")
-    if authz:
+def _extract_token(request: Request) -> Optional[str]:
+    auth_header = request.headers.get("Authorization")
+    if auth_header:
         try:
-            scheme, token = authz.split(" ", 1)
-            if scheme.lower() != "bearer":
-                token = None
+            scheme, token = auth_header.split(" ", 1)
+            if scheme.lower() == "bearer":
+                return token
         except ValueError:
-            token = None
-
-    if token:
-        request.state.token = token
-        try:
-            service: BaseAuthService = auth_service()
-            data = service.verify_token(token)
-            if data:
-                request.state.user_id = data.get("user_id")
-        except Exception:
             pass
 
+    return request.cookies.get("access_token") or request.cookies.get("j_token")
 
-def authenticate_user(request):
-    token = (
-        request.cookies.get("access_token") or request.cookies.get("j_token") or request.headers.get("Authorization")
-    )
-    if request.headers.get("Authorization"):
-        scheme, token = request.headers.get("Authorization").split(" ", 1)
 
-    if token:
-        request.state.token = token
-        try:
-            service: BaseAuthService = AuthService()
-            data = service.verify_token(token)
-            if data:
+async def authenticate_request(request: Request, auth_factory: Callable[[], BaseAuthService]) -> None:
+    token = _extract_token(request)
+    if not token:
+        return
+
+    request.state.token = token
+    try:
+        auth_service = auth_factory()
+        data = await auth_service.verify_token(token)
+
+        if data:
+            request.state.user_id = data.get("sub") or data.get("user_id")
+
+            try:
                 request.state.user = CurrentUserData.from_dict(data)
-                request.state.user_id = data.get("sub")
-        except Exception:
-            pass
+            except Exception:
+                pass
+    except Exception:
+        pass
 
 
 class AuthenticationMiddleware(BaseHTTPMiddleware):
@@ -76,20 +67,25 @@ class AuthenticationMiddleware(BaseHTTPMiddleware):
         super().__init__(app)
         self._get_auth = _to_factory(auth)
 
-    async def dispatch(self, request: Request, call_next):
+    async def dispatch(self, request: Request, call_next: Callable) -> Any:
         request.state.client_id = None
         request.state.user_id = None
         request.state.token = None
         request.state.user = None
-        if request.headers.get("X-Client-Id") and request.headers.get("X-Api-Key"):
-            if request.headers.get("X-Api-Key") == get_settings().PRICING_API_SECRET:
-                request.state.client_id = request.headers.get("X-Client-Id")
+
+        client_id = request.headers.get("X-Client-Id")
+        api_key = request.headers.get("X-Api-Key")
+
+        if client_id and api_key:
+            if api_key == get_settings().PRICING_API_SECRET:
+                request.state.client_id = client_id
                 return await call_next(request)
-        if request.headers.get("X-Client-Id") == "website" and request.headers.get("Authorization"):
-            authenticate_user(request)
-        elif request.cookies.get("access_token") or request.headers.get("Authorization"):
-            authenticate_user(request)
-        elif request.headers.get("Authorization"):
-            authenticate_admin_user(request, auth_service=self._get_auth)
+
+        if (
+            request.headers.get("Authorization")
+            or request.cookies.get("access_token")
+            or request.cookies.get("j_token")
+        ):
+            await authenticate_request(request, self._get_auth)
 
         return await call_next(request)

{nlbone-0.9.7.dist-info → nlbone-0.11.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: nlbone
-Version: 0.9.7
+Version: 0.11.0
 Summary: Backbone package for interfaces and infrastructure in Python projects
 Author-email: Amir Hosein Kahkbazzadeh <a.khakbazzadeh@gmail.com>
 License: MIT

{nlbone-0.9.7.dist-info → nlbone-0.11.0.dist-info}/RECORD

@@ -1,9 +1,11 @@
 nlbone/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nlbone/container.py,sha256=VSc72QBllFzW_3kj5znRkqnmK3WZvez404S13kb9ifw,2748
+nlbone/container.py,sha256=c1frCaCwfV5ImOexyeX2vJYou0ZvuItPlQimtCZZxeA,3403
 nlbone/types.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/adapters/__init__.py,sha256=NzUmk4XPyp3GJOw7VSE86xkQMZLtG3MrOoXLeoB551M,41
 nlbone/adapters/snowflake.py,sha256=eC5eXWgkTIJlO5J44VFbD1-MXj8HYs0lCNp37paSfXY,2324
-nlbone/adapters/auth/__init__.py,sha256=hkDHvsFhw_UiOHG9ZSMqjiAhK4wumEforitveSZswVw,42
+nlbone/adapters/auth/__init__.py,sha256=v2yU52Eq0pQQgFLC9BedyyWbu9xp_JCbsmjLGNj8Tvs,171
+nlbone/adapters/auth/async_auth_service.py,sha256=gnz7GqJvoHYJFoIs444jm7XWadQkMYS3S1UMOxoUgdE,3722
+nlbone/adapters/auth/async_token_provider.py,sha256=HVAuInFG483IZzrQ-agqOhiRiu4ix8kynwvcOniYr2E,1567
 nlbone/adapters/auth/auth_service.py,sha256=CYfOX5M19SGsteHOTNiRLFohaVXx5X5NwmKQI2WLjCQ,2621
 nlbone/adapters/auth/keycloak.py,sha256=IhEriaFl5mjIGT6ZUCU9qROd678ARchvWgd4UJ6zH7s,4925
 nlbone/adapters/auth/token_provider.py,sha256=kzjFAaFY8SPnU0Tn6l-YVrhEOAiFV0QE3eit3D7u2VQ,1438
@@ -26,10 +28,11 @@ nlbone/adapters/db/redis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZ
 nlbone/adapters/db/redis/client.py,sha256=cT9TCigE-ndB-ckcpuh8cTS1AOVKS3rWNG_WYxD0CAM,930
 nlbone/adapters/http_clients/__init__.py,sha256=w-Yr9CLuXMU71N0Ada5HbvP1DB53wqeP6B-i5rALlTo,150
 nlbone/adapters/http_clients/pricing/__init__.py,sha256=ElA9NFcAR9u4cqb_w3PPqKU3xGeyjNLQ8veJ0ql2iz0,81
-nlbone/adapters/http_clients/pricing/pricing_service.py,sha256=EIHxOPEJRGzUKwI3zaFQAawM15xt2Ox3D0Z_mu541_A,3764
+nlbone/adapters/http_clients/pricing/async_pricing_service.py,sha256=6vwVQ8SGTxFMOKhqlri8CQzzL5RgmDHI4icBiUATdXA,2846
+nlbone/adapters/http_clients/pricing/pricing_service.py,sha256=TPDoeryibAXZndXOoREGTQfRh4lm4K45Cv4ng4gpwD4,3710
 nlbone/adapters/http_clients/uploadchi/__init__.py,sha256=uBzEOuVtY22teWW2b36Pitkdk5yVdSqa6xbg22JfTNg,105
-nlbone/adapters/http_clients/uploadchi/uploadchi.py,sha256=erpjOees25FW0nuK1PkYS-oU0h8MeRV9Rhs1cf3gaEs,4881
-nlbone/adapters/http_clients/uploadchi/uploadchi_async.py,sha256=PQbVNeaYde5CmgT3vcnQoI1PGeSs9AxHlPFuB8biOmU,4717
+nlbone/adapters/http_clients/uploadchi/uploadchi.py,sha256=zSvUkDDL1m-OuCD-oJtqxNBghmK9yFWKpXi7t5-11-M,4933
+nlbone/adapters/http_clients/uploadchi/uploadchi_async.py,sha256=onCf2Jm6LskB3vqFTPhM4pgi-zJmmcmBVbo4vOSffwY,5363
 nlbone/adapters/i18n/__init__.py,sha256=fS97TR7HEc7fiDC2ufQKoFOxXDNkGA4njAFIB3EmhLk,426
 nlbone/adapters/i18n/engine.py,sha256=yH_b614oJQ2PgM8qpQ5_Prroi4Jjqb-xPguHCCJm0_0,1305
 nlbone/adapters/i18n/loaders.py,sha256=7td0Cmn0ehjDO2S2qeH31zwl8UyWI7quzedP9PnPhWk,2381
@@ -47,7 +50,7 @@ nlbone/adapters/ticketing/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 nlbone/adapters/ticketing/client.py,sha256=b9U3ouK8sIVq1A_1Z6PgAEaT0_-a3PIP7DvRv-WaoAU,1384
 nlbone/config/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/config/logging.py,sha256=Ot6Ctf7EQZlW8YNB-uBdleqI6wixn5fH0Eo6QRgNkQk,4358
-nlbone/config/settings.py,sha256=4OLG9M9wB5H6slNcg61NuNEPoWQsjoA6RvesRYa1C7c,5330
+nlbone/config/settings.py,sha256=oFkBsLX955JJkIZwL5d8b5LjKg6mrL75Db9wYsHHc6Y,5436
 nlbone/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/core/application/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nlbone/core/application/base_worker.py,sha256=5brIToSd-vi6tw0ukhHnUZGZhOLq1SQ-NRRy-kp6D24,1193
@@ -60,7 +63,7 @@ nlbone/core/domain/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuF
 nlbone/core/domain/base.py,sha256=dz3gwNnOk048zLghbNNM_Wa0qPXLoRmH5w72fwtXNFM,2592
 nlbone/core/domain/models.py,sha256=HSgICH4_0kPyZKGIawCd6VyJ5w6ZFXkSymBgVu79peI,4131
 nlbone/core/ports/__init__.py,sha256=syJg3fAjQALD5Rjfm9wi9bQpkIvNTWjE9AURBmy587o,132
-nlbone/core/ports/auth.py,sha256=C-GmUqHNx4bAku6KbW_OTpPXCEfurBWWyDi9KxpTi9M,553
+nlbone/core/ports/auth.py,sha256=RhRKFcO5NFfvhKJkHb9anSxpai5w6D1N4Fhy-bGPWV0,1114
 nlbone/core/ports/cache.py,sha256=8pP_z4ta7PNNG8UiSrEF4xMZRm2wLPxISZvdPt7QnxQ,2351
 nlbone/core/ports/event_bus.py,sha256=7iC8WRBg-EmcKJx7AVPkP-r823SLKGuDxGp9WF4q-_U,824
 nlbone/core/ports/files.py,sha256=7Ov2ITYRpPwwDTZGCeNVISg8e3A9l08jbOgpTImgfK8,1863
@@ -80,16 +83,16 @@ nlbone/interfaces/api/additional_filed/field_registry.py,sha256=IhIvzHWOMtKv8iTd
 nlbone/interfaces/api/additional_filed/resolver.py,sha256=jv1TIBBHN4LBIMwHGipcy4iq0uP0r6udyaqvhRzb8Bk,4655
 nlbone/interfaces/api/additional_filed/default_field_rules/__init__.py,sha256=LUSAOO3xRUt5ptlraIx7H-7dSkdr1D-WprmnqXRB16g,48
 nlbone/interfaces/api/additional_filed/default_field_rules/image_field_rules.py,sha256=ecKqPeXZ-YiF14RK9PmK7ln3PCzpCUc18S5zm5IF3fw,339
-nlbone/interfaces/api/dependencies/__init__.py,sha256=rnYRrFVZCfICQrp_PVFlzNg3BeC57yM08wn2DbOHCfk,359
-nlbone/interfaces/api/dependencies/async_auth.py,sha256=TZlFzT-mnPz1WBL0wh3nOlBXDjY-7B0-b4wBT8O6pLM,1890
-nlbone/interfaces/api/dependencies/auth.py,sha256=59oBL3FyRl0mCr0qaRKOCuY5kH5QkZekdbMr8hNOOGQ,3810
+nlbone/interfaces/api/dependencies/__init__.py,sha256=nrmQftdCfKlqSE44R6PkcxtkwCdNpZgI8yLlHyeiACA,274
+nlbone/interfaces/api/dependencies/async_auth.py,sha256=c6PohIprT35konFbHQht0y0MJHBouhKqIK_XFQ9Rcbg,3465
+nlbone/interfaces/api/dependencies/auth.py,sha256=4L-hspOyv9HpaCO-rAi7rk52PlZTgMClEG2LA2tMriM,3836
 nlbone/interfaces/api/dependencies/client_credential.py,sha256=Bo4dYx75Qw0JzTKD9ZfV5EXDEOuwndJk2D-V37K2ePg,1293
 nlbone/interfaces/api/dependencies/db.py,sha256=-UD39J_86UU7ZJs2ZncpdND0yhAG0NeeeALrgSDuuFw,466
 nlbone/interfaces/api/dependencies/uow.py,sha256=QfLEvLYLNWZJQN1k-0q0hBVtUld3D75P4j39q_RjcnE,1181
 nlbone/interfaces/api/middleware/__init__.py,sha256=zbX2vaEAfxRMIYwO2MVY_2O6bqG5H9o7HqGpX14U3Is,158
 nlbone/interfaces/api/middleware/access_log.py,sha256=vIkxxxfy2HcjqqKb8XCfGCcSrivAC8u6ie75FMq5x-U,1032
 nlbone/interfaces/api/middleware/add_request_context.py,sha256=o8mdo-D6fODM9OyHunE5UodkVxsh4F__5tDv8ju8Sxg,1952
-nlbone/interfaces/api/middleware/authentication.py,sha256=dWxA9Aw8eFUqsufT2mHGk6mgehXKdAA9AAEIOk_jZWY,3326
+nlbone/interfaces/api/middleware/authentication.py,sha256=tF5tXUE8Ln14LLx6Hkx5AlTHpOxDwrN0UfkkgvV87ug,2810
 nlbone/interfaces/api/pagination/__init__.py,sha256=pA1uC4rK6eqDI5IkLVxmgO2B6lExnOm8Pje2-hifJZw,431
 nlbone/interfaces/api/pagination/offset_base.py,sha256=pdfNgmP99eFC5qCWyY1JgW8hNhOuEGnmrlvQPGArdj8,4709
 nlbone/interfaces/api/schema/__init__.py,sha256=LAqgynfupeqOQ6u0I5ucrcYnojRMZUg9yW8IjKSQTNI,119
@@ -116,8 +119,8 @@ nlbone/utils/normalize_mobile.py,sha256=sGH4tV9gX-6eVKozviNWJhm1DN1J28Nj-ERldCYk
 nlbone/utils/read_files.py,sha256=mx8dfvtaaARQFRp_U7OOiERg-GT62h09_lpTzIQsVhs,291
 nlbone/utils/redactor.py,sha256=-V4HrHmHwPi3Kez587Ek1uJlgK35qGSrwBOvcbw8Jas,1279
 nlbone/utils/time.py,sha256=DjjyQ9GLsfXoT6NK8RDW2rOlJg3e6sF04Jw6PBUrSvg,1268
-nlbone-0.9.7.dist-info/METADATA,sha256=SAtWlKKfb4Hnfmgr4tRsiryWZSNr7DWjJAbIZOnpfmE,2294
-nlbone-0.9.7.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-nlbone-0.9.7.dist-info/entry_points.txt,sha256=CpIL45t5nbhl1dGQPhfIIDfqqak3teK0SxPGBBr7YCk,59
-nlbone-0.9.7.dist-info/licenses/LICENSE,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nlbone-0.9.7.dist-info/RECORD,,
+nlbone-0.11.0.dist-info/METADATA,sha256=tCSglsRxWG-yPYxEmv_M9TMoZqsq_ixuNCgXXK7jJBM,2295
+nlbone-0.11.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+nlbone-0.11.0.dist-info/entry_points.txt,sha256=CpIL45t5nbhl1dGQPhfIIDfqqak3teK0SxPGBBr7YCk,59
+nlbone-0.11.0.dist-info/licenses/LICENSE,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+nlbone-0.11.0.dist-info/RECORD,,