oxutils 0.1.14__py3-none-any.whl → 0.1.15__py3-none-any.whl

oxutils/__init__.py

@@ -10,7 +10,7 @@ This package provides:
 - Permission management
 """
 
-__version__ = "0.1.14"
+__version__ = "0.1.15"
 
 from oxutils.settings import oxi_settings
 from oxutils.conf import UTILS_APPS, AUDIT_MIDDLEWARE

oxutils/jwt/auth.py

@@ -17,6 +17,7 @@ from ninja_jwt.authentication import (
     JWTStatelessUserAuthentication
 )
 from ninja.security import (
+    HttpBearer,
     APIKeyCookie,
     HttpBasicAuth,
 )
@@ -176,6 +177,11 @@ class BasicAuth(HttpBasicAuth):
 
 class BasicNoPasswordAuth(HttpBasicAuth):
     def authenticate(self, request: HttpRequest, username: str, password: str) -> Optional[Any]:
+
+        # check if the middleware have already authenticated the user
+        if request.user.is_authenticated:
+            return request.user
+        
         try:
             user = get_user_model().objects.get(email=username)
             if user and user.is_active:
@@ -185,12 +191,34 @@ class BasicNoPasswordAuth(HttpBasicAuth):
         except Exception as e:
             return None
 
-x_session_token_auth = XSessionTokenAuth()
+
+class JWTPassiveAuth(HttpBearer):
+    def authenticate(self, request: HttpRequest, token: str) -> Optional[Any]:
+        if request.user.is_authenticated:
+            return request.user
+        return None
+
+
+class JWTCookiePassiveAuth(APIKeyCookie):
+    def authenticate(self, request: HttpRequest, key: Optional[str]) -> Optional[Any]:
+        if request.user.is_authenticated:
+            return request.user
+        return None
+
+
+# for development Purpose only
 basic_auth = BasicAuth()
 basic_no_password_auth = BasicNoPasswordAuth()
+
+# used on oxiliere authentication service
+x_session_token_auth = XSessionTokenAuth()
 jwt_auth = JWTAuth()
 jwt_cookie_auth = JWTCookieAuth()
 
+# Production in all oxiliere services
+jwt_passive_auth = JWTPassiveAuth()
+jwt_cookie_passive_auth = JWTCookiePassiveAuth()
+
 
 
 
@@ -202,3 +230,13 @@ def get_auth_handlers(auths: List[AuthBase] = []) -> List[AuthBase]:
         return auths
 
     return [jwt_auth, jwt_cookie_auth]
+
+
+def get_passive_auth_handlers(auths: List[AuthBase] = []) -> List[AuthBase]:
+    """Passive auth handler switcher based on settings.DEBUG"""
+    from django.conf import settings
+
+    if settings.DEBUG:
+        return auths
+    
+    return [jwt_passive_auth, jwt_cookie_passive_auth]

oxutils/jwt/middleware.py

@@ -0,0 +1,404 @@
+from typing import Type, Optional
+import structlog
+
+from django.conf import settings
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import AbstractBaseUser, AnonymousUser
+from django.core.exceptions import PermissionDenied
+from django.http import HttpRequest
+from django.utils.translation import gettext_lazy as _
+
+from ninja_jwt.exceptions import AuthenticationFailed, InvalidToken, TokenError
+from ninja_jwt.settings import api_settings
+from ninja_jwt.tokens import Token
+from oxutils.constants import ACCESS_TOKEN_COOKIE
+from ninja.utils import check_csrf
+
+
+logger = structlog.get_logger(__name__)
+
+
+
+
+class JWTAuthBaseMiddleware:
+    """
+    Base middleware for JWT authentication.
+    Handles token validation and user authentication.
+    """
+    
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.user_model = get_user_model()
+
+    def __call__(self, request: HttpRequest):
+        """
+        Process the request through the middleware.
+        """
+        # Process request before view
+        self.process_request(request)
+        
+        # Get response from next middleware/view
+        response = self.get_response(request)
+        
+        return response
+
+    def get_token_from_request(self, request: HttpRequest) -> Optional[str]:
+        """
+        Extract JWT token from request.
+        Must be implemented by subclasses.
+        
+        Returns:
+            Token string if found, None otherwise
+        """
+        raise NotImplementedError(
+            "Subclasses must implement get_token_from_request() method"
+        )
+    
+    def process_request(self, request: HttpRequest):
+        """
+        Process request and validate JWT token if present.
+        Authentication is handled by another service - this only validates token signature and claims.
+        
+        Skips authentication if user is already authenticated by a previous middleware.
+        """
+        # Skip if user is already authenticated by another middleware
+        if hasattr(request, 'user') and request.user.is_authenticated:
+            if settings.DEBUG:
+                logger.debug(
+                    "jwt_auth_skipped",
+                    description="User already authenticated, skipping JWT middleware",
+                    user_id=getattr(request.user, 'id', None),
+                    path=request.path
+                )
+            return
+        
+        try:
+            token = self.get_token_from_request(request)
+        except PermissionDenied as e:
+            # CSRF or other security check failed
+            logger.warning(
+                "security_check_failed",
+                description="Security check failed during token extraction",
+                exception=type(e).__name__,
+                error=str(e),
+                path=request.path,
+                remote_addr=request.META.get('REMOTE_ADDR')
+            )
+            request.user = AnonymousUser()
+            return
+        
+        if token:
+            try:
+                # Only validate token and extract user info (no DB lookup)
+                self.jwt_authenticate(request, token)
+            except (InvalidToken, AuthenticationFailed) as e:
+                # Token invalid - set anonymous user
+                if settings.DEBUG:
+                    logger.debug(
+                        "jwt_validation_failed",
+                        description="JWT validation failed",
+                        exception=type(e).__name__,
+                        path=request.path
+                    )
+                request.user = AnonymousUser()
+        else:
+            # No token provided - anonymous user
+            request.user = AnonymousUser()
+
+    @classmethod
+    def get_validated_token(cls, raw_token) -> Type[Token]:
+        """
+        Validates an encoded JSON web token and returns a validated token wrapper object.
+        Only validates signature and claims - authentication is handled by external service.
+        """
+        messages = []
+        for AuthToken in api_settings.AUTH_TOKEN_CLASSES:
+            try:
+                return AuthToken(raw_token)
+            except TokenError as e:
+                messages.append(
+                    {
+                        "token_class": AuthToken.__name__,
+                        "token_type": AuthToken.token_type,
+                        "message": e.args[0],
+                    }
+                )
+
+        raise InvalidToken(
+            {
+                "detail": _("Given token not valid for any token type"),
+                "messages": messages,
+            }
+        )
+
+    def get_user(self, validated_token) -> AbstractBaseUser:
+        """
+        Returns a stateless user object from the validated token.
+        No database lookup - authentication is handled by external service.
+        """
+        try:
+            user_id = validated_token[api_settings.USER_ID_CLAIM]
+        except KeyError as e:
+            raise InvalidToken(
+                _("Token contained no recognizable user identification")
+            ) from e
+
+        # Validate user_id type and value
+        if not isinstance(user_id, (int, str)) or not user_id:
+            raise InvalidToken(_("Invalid user identification format"))
+        
+        # Additional validation for string user_id
+        if isinstance(user_id, str) and len(user_id) > 255:
+            raise InvalidToken(_("User identification too long"))
+
+        # Return stateless TokenUser (no DB lookup)
+        return api_settings.TOKEN_USER_CLASS(validated_token)
+
+    def jwt_authenticate(self, request: HttpRequest, token: str) -> AbstractBaseUser:
+        """
+        Authenticate user from JWT token and attach to request.
+        """
+        validated_token = self.get_validated_token(token)
+        user = self.get_user(validated_token)
+        request.user = user
+        request.token_user = user # For backward compatibility and request.user can be overridden by other middlewares
+        return user
+    
+
+class JWTHeaderAuthMiddleware(JWTAuthBaseMiddleware):
+    """
+    JWT authentication middleware that extracts token from Authorization header.
+    Stateless authentication without database lookup.
+    """
+    openapi_scheme: str = "bearer"
+    header: str = "Authorization"
+
+
+    def get_token_from_request(self, request: HttpRequest) -> str:
+        """
+        Extract JWT token from Authorization header.
+        Validates scheme and format without logging sensitive data.
+        """
+        headers = request.headers
+        auth_value = headers.get(self.header)
+        if not auth_value:
+            return None
+        
+        parts = auth_value.split(" ")
+        
+        # Validate minimum parts
+        if len(parts) < 2:
+            if settings.DEBUG:
+                logger.warning(
+                    "invalid_authorization_header",
+                    description="Invalid Authorization header format",
+                    remote_addr=request.META.get('REMOTE_ADDR')
+                )
+            return None
+
+        # Validate scheme
+        if parts[0].lower() != self.openapi_scheme:
+            if settings.DEBUG:
+                logger.warning(
+                    "unexpected_auth_scheme",
+                    description="Unexpected auth scheme",
+                    expected_scheme=self.openapi_scheme,
+                    actual_scheme=parts[0],
+                    remote_addr=request.META.get('REMOTE_ADDR')
+                )
+            return None
+
+        token = " ".join(parts[1:])
+        
+        # Basic token format validation (JWT has 3 parts separated by dots)
+        if token.count('.') != 2:
+            if settings.DEBUG:
+                logger.warning(
+                    "invalid_jwt_format",
+                    description="Invalid JWT format",
+                    remote_addr=request.META.get('REMOTE_ADDR')
+                )
+            return None
+        
+        return token
+
+
+class JWTCookieAuthMiddleware(JWTAuthBaseMiddleware):
+    """
+    JWT authentication middleware that extracts token from cookies.
+    Stateless authentication without database lookup.
+    """
+    param_name = ACCESS_TOKEN_COOKIE
+    
+    def get_token_from_request(self, request: HttpRequest) -> Optional[str]:
+        """
+        Extract JWT token from cookies with CSRF protection.
+        
+        CSRF check is required for cookie-based authentication to prevent
+        cross-site request forgery attacks.
+        
+        Override to customize cookie name or CSRF behavior.
+        
+        Raises:
+            PermissionDenied: If CSRF check fails
+        """
+        # CSRF protection for cookie-based auth
+        error_response = check_csrf(request)
+        if error_response:
+            logger.warning(
+                "csrf_check_failed",
+                description="CSRF validation failed for cookie-based JWT auth",
+                path=request.path,
+                remote_addr=request.META.get('REMOTE_ADDR'),
+                cookie_name=self.param_name
+            )
+            raise PermissionDenied("CSRF check failed")
+        
+        return request.COOKIES.get(self.param_name, None)
+
+
+class BasicNoPasswordAuthMiddleware:
+    """
+    DEVELOPMENT ONLY: Basic authentication middleware without password verification.
+    
+    WARNING: This middleware bypasses password authentication and should ONLY be used
+    in development environments. It allows authentication by providing only a username/email
+    in the Authorization header using Basic auth format.
+    
+    This middleware automatically disables itself when settings.DEBUG is False.
+    
+    Usage:
+        Authorization: Basic base64(username:)
+        or
+        Authorization: Basic base64(username:anything)
+    
+    Example:
+        # For user "admin@example.com"
+        # Base64 encode: "admin@example.com:"
+        # Header: Authorization: Basic YWRtaW5AZXhhbXBsZS5jb206
+    
+    IMPORTANT: Remove this middleware before deploying to production!
+    """
+    
+    header = "Authorization"
+    scheme = "basic"
+    
+    def __init__(self, get_response):
+        self.get_response = get_response
+        self.user_model = get_user_model()
+        
+        # Check if in debug mode - disable completely if not
+        self._enabled = settings.DEBUG
+        
+        if self._enabled:
+            # Warning log on initialization
+            logger.warning(
+                "insecure_middleware_loaded",
+                description="BasicNoPasswordAuthMiddleware loaded - THIS IS INSECURE AND FOR DEVELOPMENT ONLY",
+                middleware=self.__class__.__name__
+            )
+        else:
+            # Log that middleware is disabled
+            logger.info(
+                "insecure_middleware_disabled",
+                description="BasicNoPasswordAuthMiddleware disabled in non-DEBUG mode",
+                middleware=self.__class__.__name__
+            )
+    
+    def __call__(self, request: HttpRequest):
+        """
+        Process the request through the middleware.
+        If not in DEBUG mode, simply passes through without any processing.
+        """
+        if not self._enabled:
+            return self.get_response(request)
+        
+        self.process_request(request)
+        return self.get_response(request)
+    
+    def process_request(self, request: HttpRequest):
+        """
+        Process request and authenticate user if Basic auth header is present.
+        Skips if user is already authenticated.
+        Note: This method is only called when DEBUG is True.
+        """
+        # Skip if already authenticated
+        if hasattr(request, 'user') and request.user.is_authenticated:
+            return
+        
+        auth_header = request.headers.get(self.header)
+        if not auth_header:
+            return
+        
+        try:
+            user = self._authenticate(auth_header)
+            if user:
+                request.user = user
+                logger.info(
+                    "dev_auth_success",
+                    description="Development authentication successful",
+                    user_id=user.id,
+                    username=user.email,
+                    path=request.path
+                )
+        except Exception as e:
+            logger.debug(
+                "dev_auth_failed",
+                description="Development authentication failed",
+                error=str(e),
+                path=request.path
+            )
+    
+    def _authenticate(self, auth_header: str) -> Optional[AbstractBaseUser]:
+        """
+        Extract credentials from Basic auth header and authenticate user without password.
+        
+        Args:
+            auth_header: The Authorization header value
+            
+        Returns:
+            User object if found and active, None otherwise
+        """
+        parts = auth_header.split(" ")
+        
+        # Validate scheme
+        if len(parts) != 2 or parts[0].lower() != self.scheme:
+            return None
+        
+        # Decode base64 credentials
+        import base64
+        try:
+            encoded_credentials = parts[1]
+            decoded_bytes = base64.b64decode(encoded_credentials)
+            decoded_credentials = decoded_bytes.decode('utf-8')
+        except Exception:
+            logger.debug("Failed to decode base64 credentials")
+            return None
+        
+        # Split username:password (password is ignored)
+        if ':' in decoded_credentials:
+            username, _ = decoded_credentials.split(':', 1)
+        else:
+            username = decoded_credentials
+        
+        if not username:
+            return None
+        
+        # Find user by email or username
+        try:
+            user = self.user_model.objects.get(email=username)
+        except self.user_model.DoesNotExist:
+            try:
+                # Try by username field if different from email
+                user = self.user_model.objects.get(**{self.user_model.USERNAME_FIELD: username})
+            except (self.user_model.DoesNotExist, AttributeError):
+                logger.debug(f"User not found: {username}")
+                return None
+        
+        # Check if user is active
+        if not user.is_active:
+            logger.debug(f"User {username} is inactive")
+            return None
+        
+        return user
+

oxutils/jwt/models.py

@@ -11,23 +11,49 @@ from .tokens import OrganizationAccessToken
 logger = structlog.get_logger(__name__)
 
 
+class TenantUser:
+    def __init__(
+        self,
+        oxi_id: str | None = None,
+        id: str | None = None,
+        is_owner: bool = False,
+        is_admin: bool = False,
+        status: str | None = None,
+    ):
+        self.oxi_id = oxi_id
+        self.id = id
+        self.is_owner = is_owner
+        self.is_admin = is_admin
+        self.status = status
+
+    def __bool__(self):
+        return self.status == 'active'
+
+    def is_active(self):
+        return self.status == 'active'
+
+
 class TokenTenant:
 
     def __init__(
         self,
         schema_name: str,
-        tenant_id: int,
+        tenant_id: str,
         oxi_id: str,
         subscription_plan: str,
         subscription_status: str,
-        status: str,
+        subscription_end_date: str | None = None,
+        status: str = 'active',
+        user: TenantUser | None = None,
         ):
         self.schema_name = schema_name
         self.id = tenant_id
         self.oxi_id = oxi_id
         self.subscription_plan = subscription_plan
         self.subscription_status = subscription_status
+        self.subscription_end_date = subscription_end_date
         self.status = status
+        self.user = user
 
     def __str__(self):
         return f"{self.schema_name} - {self.oxi_id}"
@@ -44,23 +70,93 @@ class TokenTenant:
     def is_deleted(self):
         return self.status == 'deleted'
 
+    def __bool__(self):
+        return self.status == 'active'
+
+    @property
+    def is_admin_user(self):
+        if self.user:
+            return self.user.is_admin
+        return False
+
+    @property
+    def is_owner_user(self):
+        if self.user:
+            return self.user.is_owner
+        return False
+
+    @property
+    def is_tenant_user(self):
+        if self.user:
+            return self.user.is_active()
+        return False
+
+    def get_tenant_type(self):
+        return self.subscription_status
+
     @classmethod
     def for_token(cls, token):
         try:
             token_obj = OrganizationAccessToken(token=token)
+
+            # set the tenant user
+            if 'tenant_user_id' in token_obj and token_obj.get('tenant_user_id'):
+                user = TenantUser(
+                    oxi_id=token_obj.get('tenant_user_oxi_id'),
+                    id=token_obj.get('tenant_user_id'),
+                    is_owner=token_obj.get('tenant_user_is_owner'),
+                    is_admin=token_obj.get('tenant_user_is_admin'),
+                    status=token_obj.get('tenant_user_status'),
+                )
+            else:
+                user = TenantUser()
+            
             tenant = cls(
                 schema_name=token_obj['schema_name'],
                 tenant_id=token_obj['tenant_id'],
                 oxi_id=token_obj['oxi_id'],
                 subscription_plan=token_obj['subscription_plan'],
                 subscription_status=token_obj['subscription_status'],
+                subscription_end_date=token_obj.get('subscription_end_date'),
                 status=token_obj['status'],
+                user=user,
             )
+            
             return tenant
         except Exception:
             logger.exception('Failed to create TokenTenant from token', token=token)
             return None
 
+    @classmethod
+    def from_db(cls, tenant) -> 'TokenTenant':
+        if not tenant:
+            raise ValueError('Tenant is required')
+
+        if hasattr(tenant, 'user') and tenant.user:
+            user = TenantUser(
+                oxi_id=tenant.user.user.oxi_id,
+                id=tenant.user.id,
+                is_owner=tenant.user.is_owner,
+                is_admin=tenant.user.is_admin,
+                status=tenant.user.status,
+            )
+        else:
+            user = TenantUser()
+            
+        return cls(
+            schema_name=tenant.schema_name,
+            tenant_id=tenant.id,
+            oxi_id=tenant.oxi_id,
+            subscription_plan=tenant.subscription_plan,
+            subscription_status=tenant.subscription_status,
+            subscription_end_date=tenant.subscription_end_date,
+            status=tenant.status,
+            user=user,
+        )
+
+    def __repr__(self):
+        return f"TokenTenant(schema_name='{self.schema_name}', oxi_id='{self.oxi_id}', status='{self.status}')"
+
 
 class TokenUser(DefaultTonkenUser):
     @cached_property

oxutils/jwt/tokens.py

@@ -58,6 +58,14 @@ class OrganizationAccessToken(Token):
         token.payload['subscription_end_date'] = str(tenant.subscription_end_date)
         token.payload['status'] = str(tenant.status)
 
+        # Add tenant user info if available
+        if hasattr(tenant, 'user'):
+            token.payload['tenant_user_oxi_id'] = str(tenant.user.user.oxi_id)
+            token.payload['tenant_user_id'] = str(tenant.user.id)
+            token.payload['tenant_user_is_owner'] = tenant.user.is_owner
+            token.payload['tenant_user_is_admin'] = tenant.user.is_admin
+            token.payload['tenant_user_status'] = str(tenant.user.status)
+
         return token
 
     @property

oxutils/oxiliere/middleware.py

@@ -1,10 +1,13 @@
 from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
 from django.db import connection
 from django.http import Http404
 from django.urls import set_urlconf
 from django.utils.module_loading import import_string
 from django.utils.deprecation import MiddlewareMixin
 
+import structlog
+
 from django_tenants.utils import (
     get_public_schema_name,
     get_public_schema_urlconf,
@@ -23,6 +26,9 @@ from oxutils.oxiliere.context import set_current_tenant_schema_name
 
 
 
+logger = structlog.get_logger(__name__)
+
+
 
 class TenantMainMiddleware(MiddlewareMixin):
     TENANT_NOT_FOUND_EXCEPTION = Http404
@@ -44,6 +50,22 @@ class TenantMainMiddleware(MiddlewareMixin):
         """
         return tenant_model.objects.get(oxi_id=oxi_id)
 
+    def get_tenant_user(self, tenant, user, raise_exception=False):
+        """ Get tenant user by tenant and user.
+        """
+        if not tenant or not user:
+            if raise_exception:
+                raise ObjectDoesNotExist("tenant_user_not_found, tenant or user is None")
+            return None
+
+        try:
+            return tenant.users.select_related('user').get(user__pk=user.id)
+        except ObjectDoesNotExist:
+            logger.error("tenant_user_not_found", tenant_id=tenant.id, user_id=user.id)
+            if raise_exception:
+                raise ObjectDoesNotExist("tenant_user_not_found")
+            return None
+
     def process_request(self, request):
         # Connection needs first to be at the public schema, as this is where
         # the tenant metadata is stored.
@@ -51,42 +73,61 @@ class TenantMainMiddleware(MiddlewareMixin):
         connection.set_schema_to_public()
         
         oxi_id = self.get_org_id_from_request(request)
+        tenant_model = connection.tenant_model
 
         # Try to get tenant from cookie token first
         tenant_token = request.COOKIES.get(ORGANIZATION_TOKEN_COOKIE_KEY)
         tenant = None
+        old_tenant = None
         request._should_set_tenant_cookie = False
         
         if tenant_token:
             tenant = TokenTenant.for_token(tenant_token)
             # Verify the token's oxi_id matches the request
             if not is_system_tenant(tenant) and tenant.oxi_id != oxi_id:
+                logger.info("tenant_token_oxi_id_doesnt_match_request_oxi_id", tenant_oxi_id=tenant.oxi_id, request_oxi_id=oxi_id)
+                old_tenant = tenant
                 tenant = None
         
         # If no valid token, fetch from database
         if not tenant:
             if oxi_id: # fetch with oxi_id on tenant
-                tenant_model = connection.tenant_model
                 try:
                     tenant = self.get_tenant(tenant_model, oxi_id)
+                    tenant.user = self.get_tenant_user(tenant, request.user, raise_exception=True)
+
                     # Mark that we need to set the cookie in the response
                     request._should_set_tenant_cookie = True
-                except tenant_model.DoesNotExist:
+
+                    if old_tenant:
+                        logger.info("tenant_changed", old_tenant=old_tenant.oxi_id, new_tenant=tenant.oxi_id)
+                    
+                except ObjectDoesNotExist as ex:
+                    logger.error("tenant_not_found", oxi_id=oxi_id, error=str(ex))
                     default_tenant = self.no_tenant_found(request, oxi_id)
                     return default_tenant
             else: # try to return the system tenant
                 try:
                     from oxutils.oxiliere.caches import get_system_tenant
                     tenant = get_system_tenant()
+                    tenant.user = self.get_tenant_user(tenant, request.user, raise_exception=False)
                     request._should_set_tenant_cookie = True
                 except Exception as e:
+                    logger.error("system_tenant_not_found", error=str(e))
                     from django.http import HttpResponseBadRequest
                     return HttpResponseBadRequest('Missing X-Organization-ID header')
 
         if tenant.is_deleted or not tenant.is_active:
+            logger.error("tenant_is_deleted_or_inactive", oxi_id=oxi_id)
             return self.no_tenant_found(request, oxi_id)
 
-        request.tenant = tenant
+        if tenant and not isinstance(tenant, TokenTenant):
+            request.db_tenant = tenant
+        else:
+            request.db_tenant = None
+
+        request.tenant = TokenTenant.from_db(tenant)
+
         set_current_tenant_schema_name(tenant.schema_name)
         connection.set_tenant(request.tenant)
         self.setup_url_routing(request)
@@ -94,9 +135,9 @@ class TenantMainMiddleware(MiddlewareMixin):
     def process_response(self, request, response):
         """Set the tenant token cookie if needed."""
         if hasattr(request, '_should_set_tenant_cookie') and request._should_set_tenant_cookie:
-            if hasattr(request, 'tenant') and not isinstance(request.tenant, TokenTenant):
+            if hasattr(request, 'db_tenant') and isinstance(request.db_tenant, connection.tenant_model):
                 # Generate token from DB tenant
-                token = OrganizationAccessToken.for_tenant(request.tenant)
+                token = OrganizationAccessToken.for_tenant(request.db_tenant)
                 response.set_cookie(
                     key=ORGANIZATION_TOKEN_COOKIE_KEY,
                     value=str(token),

oxutils/oxiliere/permissions.py

@@ -1,81 +1,95 @@
+import structlog
+
 from ninja_extra.permissions import BasePermission
-from oxutils.oxiliere.utils import get_tenant_user_model
 from oxutils.constants import OXILIERE_SERVICE_TOKEN
 from oxutils.jwt.tokens import OxilierServiceToken
+from oxutils.jwt.models import TokenTenant
+
+
 
+logger = structlog.get_logger(__name__)
 
 
-class TenantPermission(BasePermission):
+
+
+class TenantBasePermission(BasePermission):
     """
     Vérifie que l'utilisateur a accès au tenant actuel.
     L'utilisateur doit être authentifié et avoir un lien avec le tenant.
     """
+    def check_tenant_permission(self, request) -> bool:
+        raise NotImplementedError("Subclasses must implement this method")
+
     def has_permission(self, request, **kwargs):
         if not request.user or not request.user.is_authenticated:
             return False
         
         if not hasattr(request, 'tenant'):
+            logger.warning('tenant_permission', type="tenant_not_found", user=request.user)
+            return False
+
+        if not isinstance(request.tenant, TokenTenant):
+            logger.warning(
+                'tenant_permission', 
+                type="tenant_is_not_token_tenant", 
+                tenant=request.tenant, 
+                user=request.user
+            )
             return False
-        
-        # Vérifier que l'utilisateur a accès à ce tenant
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk
-        ).exists()
 
+        return self.check_tenant_permission(request)
 
-class TenantOwnerPermission(BasePermission):
+
+class TenantUserPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
+    Vérifie que l'utilisateur est un membre du tenant actuel.
+    Alias de TenantPermission pour plus de clarté sémantique.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_tenant_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk,
-            is_owner=True
-        ).exists()
+        return tenant.is_tenant_user
 
 
-class TenantAdminPermission(BasePermission):
+class TenantOwnerPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est admin ou owner du tenant actuel.
+    Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_owner_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk,
-            is_admin=True
-        ).exists()
+        return tenant.is_owner_user
 
 
-class TenantUserPermission(BasePermission):
+class TenantAdminPermission(TenantBasePermission):
     """
-    Vérifie que l'utilisateur est un membre du tenant actuel.
-    Alias de TenantPermission pour plus de clarté sémantique.
+    Vérifie que l'utilisateur est admin ou owner du tenant actuel.
     """
-    def has_permission(self, request, **kwargs):
-        if not request.user or not request.user.is_authenticated:
-            return False
-        
-        if not hasattr(request, 'tenant'):
-            return False
+    def check_tenant_permission(self, request) -> bool:
+        tenant: TokenTenant = request.tenant
+
+        logger.info(
+            'tenant_permission', 
+            type="tenant_user_access_permission", 
+            tenant=tenant, user=request.user, 
+            passed=tenant.is_admin_user
+        )
         
-        return get_tenant_user_model().objects.filter(
-            tenant__pk=request.tenant.pk,
-            user__pk=request.user.pk
-        ).exists()
+        return tenant.is_admin_user
 
 
 class OxiliereServicePermission(BasePermission):
@@ -95,3 +109,10 @@ class OxiliereServicePermission(BasePermission):
             return True
         except Exception:
             return False
+
+
+
+IsTenantUser = TenantUserPermission()
+IsTenantOwner = TenantOwnerPermission()
+IsTenantAdmin = TenantAdminPermission()
+IsOxiliereService = OxiliereServicePermission()

oxutils/oxiliere/schemas.py

@@ -1,6 +1,9 @@
 from typing import Optional
 from uuid import UUID 
 from ninja import Schema
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+from django.utils.module_loading import import_string
 from django.db import transaction
 from django.contrib.auth import get_user_model
 from django_tenants.utils import get_tenant_model
@@ -13,6 +16,18 @@ import structlog
 logger = structlog.get_logger(__name__)
 
 
+
+def get_tenant_schema() -> 'TenantSchema':
+    if hasattr(settings, 'OX_TENANT_SCHEMA'):
+        try:
+            return import_string(settings.OX_TENANT_SCHEMA)
+        except ImportError as e:
+            raise ImproperlyConfigured(
+                f"Error: OX_TENANT_SCHEMA import error: {settings.OX_TENANT_SCHEMA}, please check your settings"
+            ) from e
+    return TenantSchema
+
+
 class TenantSchema(Schema):
     name: str
     oxi_id: str
@@ -29,6 +44,22 @@ class TenantOwnerSchema(Schema):
     email: str
 
 
+class UserSchema(Schema):
+    oxi_id: UUID
+    first_name: Optional[str] = None
+    last_name: Optional[str] = None
+    email: str
+    is_active: bool
+    photo: Optional[str] = None
+
+
+class TenantUser(Schema):
+    user: UserSchema
+    is_owner: bool
+    is_admin: bool
+    status: str
+
+
 class CreateTenantSchema(Schema):
     tenant: TenantSchema
     owner: TenantOwnerSchema

{oxutils-0.1.14.dist-info → oxutils-0.1.15.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oxutils
-Version: 0.1.14
+Version: 0.1.15
 Summary: Production-ready utilities for Django applications in the Oxiliere ecosystem
 Keywords: django,utilities,jwt,audit,logging,celery,structlog
 Author: Edimedia Mutoke

{oxutils-0.1.14.dist-info → oxutils-0.1.15.dist-info}/RECORD

@@ -1,4 +1,4 @@
-oxutils/__init__.py,sha256=4VMJ48vLu5PsZMfhvnI84bZ3Bvx7f1p2lQKUz6Boyuc,508
+oxutils/__init__.py,sha256=DvkIn9bebbDFzHSk08CPBnzHDrEdursLTV4nkRrTGTI,508
 oxutils/apps.py,sha256=8pO8eXUZeKYn8fPo0rkoytmHACwDNuTNhdRcpkPTxGM,347
 oxutils/audit/__init__.py,sha256=uonc00G73Xm7RwRHVWD-wBn8lJYNCq3iBgnRGMWAEWs,583
 oxutils/audit/apps.py,sha256=xvnmB5Z6nLV7ejzhSeQbesTkwRoFygoPFob8H5QTHgU,304
@@ -33,9 +33,10 @@ oxutils/enums/invoices.py,sha256=E33QGQeutZUqvlovJY0VGDxWUb0i_kdfhEiir1ARKuQ,201
 oxutils/exceptions.py,sha256=CCjENOD0of6_noif2ajrpfbBLoG16DWa46iB9_uEe3M,3592
 oxutils/functions.py,sha256=4stHj94VebWX0s1XeWshubMD2v8w8QztTWppbkTE_Gg,3246
 oxutils/jwt/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-oxutils/jwt/auth.py,sha256=h3rm7nSEweMgyzy5HBRwqC1gPvZ-EZuwdJISSvnltXY,6349
-oxutils/jwt/models.py,sha256=Q0zRnWpK0trFoPDv5ZEY2ROCRaNn83W-K8SbrmSg1E8,2122
-oxutils/jwt/tokens.py,sha256=kWgtPl4XxV0xHkjbhd5QteQy8Wv5MsvyLcLVyO-gzuo,1822
+oxutils/jwt/auth.py,sha256=3OACNYR6Mp5J57QUvu0iCuRuYiT5C49urUuCXqspNLA,7437
+oxutils/jwt/middleware.py,sha256=m81lrpl9fJZ5gGHV_ysPxppd8pJklddFHDmxXRUpyvM,14285
+oxutils/jwt/models.py,sha256=SG4qM2Ix7coopfIXUJ2KCkuC2bMAOuBnIwNhB5MVK14,5026
+oxutils/jwt/tokens.py,sha256=l20XgPK-gUJcVwH8cWFSyYhfAQD70iqbzriRJkrPczo,2268
 oxutils/jwt/utils.py,sha256=Wuy-PnCcUw6MpY6z1Isy2vOx-_u1o6LjUfRJgf_cqbY,1202
 oxutils/locale/fr/LC_MESSAGES/django.po,sha256=APXt_8R99seCWjJyS5ELOawvRLvUqqBT32O252BaG5s,7971
 oxutils/logger/__init__.py,sha256=lhPCC8G1aHZTt-FWRqTWptVrqONln-ty9ufVDeOBHYs,183
@@ -66,11 +67,11 @@ oxutils/oxiliere/management/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMp
 oxutils/oxiliere/management/commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 oxutils/oxiliere/management/commands/grant_tenant_owners.py,sha256=U0tc-b677kEFA7KC6xah3Ufbg6qYkW21nRikC0FJRQI,774
 oxutils/oxiliere/management/commands/init_oxiliere_system.py,sha256=7ZmKOwL2TOIaPYBpGEoqcw2XslpG1VikUnTJwpu84Lo,4247
-oxutils/oxiliere/middleware.py,sha256=c0C1aalshhYNfe4SBglJkWfUo4Ct-d391GoWP_NhPOw,6412
+oxutils/oxiliere/middleware.py,sha256=opwBbYMIyTMnytLQbQiKpcS5VzLblJci3iFc9r6X5aU,8142
 oxutils/oxiliere/migrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 oxutils/oxiliere/models.py,sha256=dN3q-8W2gUcUra49b3R33o0ZNn3stc-pfkoVMAKR4gE,6260
-oxutils/oxiliere/permissions.py,sha256=6lJ_43a0-Z5O0B9cttA2cQFjZTGBucJk7w5rgtfd-lQ,3122
-oxutils/oxiliere/schemas.py,sha256=eV9MzkIpHFHmZFtv8Ck2xaGoVUDJXr-yl7w50U-Tj_8,2260
+oxutils/oxiliere/permissions.py,sha256=Cz1GfwACxPMayQRVwGIMl_PlWM_f2ukP5VHeTlkmDM0,3566
+oxutils/oxiliere/schemas.py,sha256=mjGyYTwQokAlMiZ0gKa5os_9HqFMp4NLaWpYxCb0yc0,3087
 oxutils/oxiliere/settings.py,sha256=ZuKppEyrucWxvvYC2-wLap4RzKfaEfaRdjJnsNZzpuY,440
 oxutils/oxiliere/signals.py,sha256=il6twTzbmv14SxukLx7dLw2QzuNDyVAsIgHmqbYspjw,97
 oxutils/oxiliere/tests.py,sha256=mrbGGRNg5jwbTJtWWa7zSKdDyeB4vmgZCRc2nk6VY-g,60
@@ -118,6 +119,6 @@ oxutils/users/models.py,sha256=RmPwsTbjhnDb0qALQrz_t-ODSj05NfISE9JHxcfv2z4,3178
 oxutils/users/tests.py,sha256=mrbGGRNg5jwbTJtWWa7zSKdDyeB4vmgZCRc2nk6VY-g,60
 oxutils/users/utils.py,sha256=jY-zL8vLT5U3E2FV3DqCvrPORjKLutbkPZTQ-z96dCw,376
 oxutils/utils.py,sha256=6yGX2d1ajU5RqgfqiaS4McYm7ip2KEgADABo3M-yA3U,595
-oxutils-0.1.14.dist-info/WHEEL,sha256=eh7sammvW2TypMMMGKgsM83HyA_3qQ5Lgg3ynoecH3M,79
-oxutils-0.1.14.dist-info/METADATA,sha256=UXHNH7j-hUIfeM_6Ti9VUJTY0BDlUC5k4HmiR3PE7_0,8389
-oxutils-0.1.14.dist-info/RECORD,,
+oxutils-0.1.15.dist-info/WHEEL,sha256=eh7sammvW2TypMMMGKgsM83HyA_3qQ5Lgg3ynoecH3M,79
+oxutils-0.1.15.dist-info/METADATA,sha256=_EDraKohaULS5QhUbtjTRhkka7-cFy-Jny-G-WMZr4E,8389
+oxutils-0.1.15.dist-info/RECORD,,