PyPI - nui-lambda-shared-utils - Versions diffs - 1.2.0__tar.gz → 1.2.1__tar.gz - Mend

nui-lambda-shared-utils 1.2.0tar.gz → 1.2.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

{nui_lambda_shared_utils-1.2.0 → nui_lambda_shared_utils-1.2.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: nui-lambda-shared-utils
-Version: 1.2.0
+Version: 1.2.1
 Summary: Enterprise-grade utilities for AWS Lambda functions with Slack, Elasticsearch, and monitoring integrations
 Home-page: https://github.com/nuimarkets/nui-lambda-shared-utils
 Author: NUI Markets

{nui_lambda_shared_utils-1.2.0 → nui_lambda_shared_utils-1.2.1}/nui_lambda_shared_utils/__init__.py RENAMED Viewed

@@ -137,6 +137,7 @@ try:
     from .jwt_auth import (
         validate_jwt,
         require_auth,
+        check_auth,
         get_jwt_public_key,
         JWTValidationError,
         AuthenticationError,
@@ -144,6 +145,7 @@ try:
 except ImportError:
     validate_jwt = None  # type: ignore
     require_auth = None  # type: ignore
+    check_auth = None  # type: ignore
     get_jwt_public_key = None  # type: ignore
     JWTValidationError = None  # type: ignore
     AuthenticationError = None  # type: ignore
@@ -243,6 +245,7 @@ __all__ = [
     # JWT authentication
     "validate_jwt",
     "require_auth",
+    "check_auth",
     "get_jwt_public_key",
     "JWTValidationError",
     "AuthenticationError",

{nui_lambda_shared_utils-1.2.0 → nui_lambda_shared_utils-1.2.1}/nui_lambda_shared_utils/jwt_auth.py RENAMED Viewed

@@ -9,10 +9,12 @@ Install: pip install nui-lambda-shared-utils[jwt]
 import os
 import json
+import re
 import base64
 import time
 import logging
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING, AbstractSet, Any, Dict, Optional, Tuple
+from urllib.parse import unquote
 from .secrets_helper import get_secret
@@ -216,3 +218,60 @@ def require_auth(event: dict, secret_name: Optional[str] = None) -> dict:
         return validate_jwt(token, public_key)
     except JWTValidationError as e:
         raise AuthenticationError(f"Authentication failed: {e}") from e
+def _normalize_path(path: str) -> str:
+    """Normalize a URL path for safe comparison.
+    URL-decodes, collapses duplicate slashes, ensures a single leading slash,
+    and strips any trailing slash (except for root "/").
+    """
+    path = unquote(path)
+    path = re.sub(r"/+", "/", path)
+    return "/" + path.strip("/") if path.strip("/") else "/"
+def check_auth(
+    event: dict,
+    public_paths: AbstractSet[str] = frozenset(),
+    secret_name: Optional[str] = None,
+) -> Tuple[Optional[Dict[str, Any]], Optional[Dict[str, Any]]]:
+    """Check JWT authentication on an API Gateway event, skipping public paths.
+    Combines path normalization, public-path bypass, JWT validation,
+    and a standard JSON:API 401 error response in one call.
+    Args:
+        event: API Gateway Lambda proxy integration event.
+        public_paths: Set of normalized paths that skip auth (e.g. {"/health"}).
+        secret_name: Optional Secrets Manager secret name for the public key.
+    Returns:
+        (claims, None) on success — claims is the decoded JWT dict,
+            or None if the path is public.
+        (None, response) on auth failure — response is a 401 dict
+            ready to return from your Lambda handler.
+    """
+    raw_path = event.get("path") or event.get("rawPath") or ""
+    if _normalize_path(raw_path) in public_paths:
+        return None, None
+    try:
+        claims = require_auth(event, secret_name=secret_name)
+        return claims, None
+    except AuthenticationError as e:
+        log.warning("Authentication failed: %s", e)
+        return None, {
+            "statusCode": 401,
+            "headers": {
+                "Content-Type": "application/json",
+                "Access-Control-Allow-Origin": "*",
+            },
+            "body": json.dumps({
+                "errors": [{
+                    "status": "401",
+                    "title": "Unauthorized",
+                    "detail": "Authentication required",
+                }]
+            }),
+        }

{nui_lambda_shared_utils-1.2.0 → nui_lambda_shared_utils-1.2.1}/tests/test_jwt_auth.py RENAMED Viewed

@@ -15,10 +15,12 @@ import rsa as rsa_lib
 from nui_lambda_shared_utils.jwt_auth import (
     validate_jwt,
     require_auth,
+    check_auth,
     get_jwt_public_key,
     JWTValidationError,
     AuthenticationError,
     _base64url_decode,
+    _normalize_path,
 )
@@ -274,3 +276,113 @@ class TestGetJwtPublicKey:
         with pytest.raises(JWTValidationError, match="Field 'TOKEN_PUBLIC_KEY' not found"):
             get_jwt_public_key(secret_name="test/jwt-key")
+# ---------------------------------------------------------------------------
+# _normalize_path tests
+# ---------------------------------------------------------------------------
+@pytest.mark.unit
+class TestNormalizePath:
+    def test_simple_path(self):
+        assert _normalize_path("/health") == "/health"
+    def test_strips_trailing_slash(self):
+        assert _normalize_path("/health/") == "/health"
+    def test_ensures_leading_slash(self):
+        assert _normalize_path("health") == "/health"
+    def test_collapses_duplicate_slashes(self):
+        assert _normalize_path("//health///check//") == "/health/check"
+    def test_url_decodes(self):
+        assert _normalize_path("/he%61lth") == "/health"
+    def test_root_path(self):
+        assert _normalize_path("/") == "/"
+    def test_empty_string(self):
+        assert _normalize_path("") == "/"
+    def test_full_api_gateway_path(self):
+        assert _normalize_path("/v4/fields/static-lists") == "/v4/fields/static-lists"
+# ---------------------------------------------------------------------------
+# check_auth tests
+# ---------------------------------------------------------------------------
+@pytest.mark.unit
+class TestCheckAuth:
+    def test_public_path_skips_auth(self):
+        """Public paths return (None, None) without checking JWT."""
+        event = {"path": "/health", "headers": {}}
+        claims, error = check_auth(event, public_paths={"/health"})
+        assert claims is None
+        assert error is None
+    def test_public_path_with_trailing_slash(self):
+        """Public path matching normalizes trailing slashes."""
+        event = {"path": "/health/", "headers": {}}
+        claims, error = check_auth(event, public_paths={"/health"})
+        assert claims is None
+        assert error is None
+    def test_non_public_path_without_token_returns_401(self):
+        """Missing auth on protected path returns 401 response."""
+        event = {"path": "/static-lists", "headers": {}}
+        claims, error = check_auth(event, public_paths={"/health"})
+        assert claims is None
+        assert error is not None
+        assert error["statusCode"] == 401
+        body = json.loads(error["body"])
+        assert body["errors"][0]["status"] == "401"
+        assert body["errors"][0]["detail"] == "Authentication required"
+    @pytest.mark.usefixtures("mock_jwt_secret")
+    def test_valid_auth_returns_claims(self, rsa_keypair):
+        """Valid JWT returns (claims, None)."""
+        private_key, _, _ = rsa_keypair
+        token = _sign_jwt(private_key, {"sub": "user1", "exp": time.time() + 3600})
+        event = {"path": "/static-lists", "headers": {"Authorization": f"Bearer {token}"}}
+        with patch.dict("os.environ", {"JWT_PUBLIC_KEY_SECRET": "test/jwt-key"}):
+            claims, error = check_auth(event, public_paths={"/health"})
+        assert error is None
+        assert claims["sub"] == "user1"
+    @pytest.mark.usefixtures("mock_jwt_secret")
+    def test_invalid_token_returns_401(self):
+        """Invalid JWT returns 401 response, not an exception."""
+        event = {"path": "/static-lists", "headers": {"Authorization": "Bearer bad.token.here"}}
+        with patch.dict("os.environ", {"JWT_PUBLIC_KEY_SECRET": "test/jwt-key"}):
+            claims, error = check_auth(event, public_paths={"/health"})
+        assert claims is None
+        assert error["statusCode"] == 401
+    def test_path_traversal_does_not_bypass_auth(self):
+        """Crafted paths like /anything/health don't bypass auth."""
+        event = {"path": "/anything/health", "headers": {}}
+        _, error = check_auth(event, public_paths={"/health"})
+        assert error is not None
+        assert error["statusCode"] == 401
+    def test_uses_rawPath_fallback(self):
+        """Falls back to rawPath when path is missing (API Gateway v2)."""
+        event = {"rawPath": "/health", "headers": {}}
+        claims, error = check_auth(event, public_paths={"/health"})
+        assert claims is None
+        assert error is None
+    def test_empty_public_paths_requires_auth_on_all(self):
+        """Empty public_paths means all paths require auth."""
+        event = {"path": "/health", "headers": {}}
+        _, error = check_auth(event)
+        assert error is not None
+        assert error["statusCode"] == 401