PyPI - oxutils - Versions diffs - 0.3.2__tar.gz → 0.4.0__tar.gz - Mend

oxutils 0.3.2tar.gz → 0.4.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

{oxutils-0.3.2 → oxutils-0.4.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oxutils
-Version: 0.3.2
+Version: 0.4.0
 Summary: Production-ready utilities for Django applications in the Oxiliere ecosystem
 Keywords: django,utilities,jwt,audit,logging,celery,structlog
 Author: Edimedia Mutoke

{oxutils-0.3.2 → oxutils-0.4.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "oxutils"
-version = "0.3.2"
+version = "0.4.0"
 description = "Production-ready utilities for Django applications in the Oxiliere ecosystem"
 readme = "README.md"
 license = "LGPL-3.0-only"

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/__init__.py RENAMED Viewed

@@ -15,7 +15,7 @@ This package provides:
 - Custom exceptions, enums, and type definitions
 """
-__version__ = "0.3.1"
+__version__ = "0.4.0"
 from oxutils.conf import AUDIT_MIDDLEWARE, UTILS_APPS
 from oxutils.settings import oxi_settings

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/auth/invitations/backend.py RENAMED Viewed

@@ -1,10 +1,11 @@
 """
 Invitation backend – service layer for invitation lifecycle management.
 """
-import structlog
 from datetime import timedelta
 from typing import Optional
+import structlog
 from django.conf import settings
 from django.db import transaction
 from django.db.models import QuerySet
@@ -13,15 +14,15 @@ from django.utils.translation import gettext_lazy as _
 from oxutils.auth.invitations.models import (
     BaseInvitation,
-    InvitationStatus,
     InvitationRole,
+    InvitationStatus,
     get_invitation_model,
 )
 from oxutils.auth.invitations.tokens import InvitationTokenGenerator
 from oxutils.auth.signals import (
-    invitation_sent,
     invitation_accepted,
     invitation_rejected,
+    invitation_sent,
 )
 logger = structlog.get_logger(__name__)
@@ -103,9 +104,7 @@ class InvitationBackend:
             user_id=str(user.pk),
             tenant=getattr(invitation.tenant, "oxi_id", str(invitation.tenant)),
         )
-        invitation_accepted.send_robust(
-            sender=self.__class__, invitation=invitation, user=user
-        )
+        invitation_accepted.send_robust(sender=self.__class__, invitation=invitation, user=user)
         return invitation
     def cancel_invitation(self, token: str, cancelled_by):
@@ -134,9 +133,7 @@ class InvitationBackend:
         from allauth.account.models import EmailAddress
         Invitation = get_invitation_model()
-        emails = list(
-            EmailAddress.objects.filter(user=user).values_list("email", flat=True)
-        )
+        emails = list(EmailAddress.objects.filter(user_id=user.pk).values_list("email", flat=True))
         if user.email:
             emails.append(user.email)
@@ -149,7 +146,9 @@ class InvitationBackend:
     def get_tenant_invitations(self, tenant) -> QuerySet:
         """Return all invitations for a tenant."""
         Invitation = get_invitation_model()
-        return Invitation.objects.filter(tenant=tenant).select_related("invited_by", "invitee")
+        return Invitation.objects.filter(tenant_id=tenant.pk).select_related(
+            "invited_by", "invitee"
+        )
     def expire_stale_invitations(self) -> int:
         """Mark all expired pending invitations as EXPIRED. Returns count."""
@@ -185,9 +184,7 @@ class InvitationBackend:
     def _get_pending_invitation(self, token: str):
         Invitation = get_invitation_model()
-        invitation = Invitation.objects.filter(
-            token=token, status=InvitationStatus.PENDING
-        ).first()
+        invitation = Invitation.objects.filter(token=token, status=InvitationStatus.PENDING).first()
         if invitation is None:
             raise ValueError(_("No pending invitation found with this token."))
         return invitation

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/auth/invitations/controllers.py RENAMED Viewed

@@ -1,23 +1,25 @@
 """
 Controllers for the invitations module.
 """
-from typing import List
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from ninja_extra import (
     ControllerBase,
     api_controller,
-    http_delete,
     http_get,
     http_post,
 )
+from ninja_extra.pagination import (
+    PageNumberPaginationExtra,
+    PaginatedResponseSchema,
+    paginate,
+)
 from ninja_extra.permissions import IsAuthenticated
 from ninja_extra.throttling import AnonRateThrottle, UserRateThrottle
 from oxutils.auth.invitations.backend import invitation_backend
 from oxutils.auth.invitations.models import InvitationStatus, get_invitation_model
-from oxutils.auth.signals import invitation_resent
 from oxutils.auth.invitations.schemas import (
     AcceptInvitationSchema,
     CancelInvitationSchema,
@@ -28,6 +30,7 @@ from oxutils.auth.invitations.schemas import (
     ResendInvitationSchema,
     ValidateTokenSchema,
 )
+from oxutils.auth.signals import invitation_resent
 from oxutils.auth.utils import load_user
 from oxutils.exceptions import ExceptionCode
 from oxutils.mixins.schemas import ResponseSchema
@@ -124,31 +127,31 @@ class InvitationController(ControllerBase):
     # ── List user invitations ──────────────────────────────────────
-    @http_get("", response=InvitationListSchema)
+    @http_get("", response=PaginatedResponseSchema[InvitationOutSchema])
+    @paginate(PageNumberPaginationExtra, page_size=20)
     @load_user
     def list_user_invitations(self, request: HttpRequest):
-        """List all pending invitations for the current user."""
-        qs = invitation_backend.get_user_invitations(request.user)
-        invitations = [InvitationOutSchema.from_orm(inv) for inv in qs]
-        return InvitationListSchema(invitations=invitations, total=len(invitations))
+        """List pending invitations for the current user (paginated)."""
+        return invitation_backend.get_user_invitations(request.user)
     # ── List tenant invitations ────────────────────────────────────
-    @http_get("/tenant", response=InvitationListSchema)
+    @http_get("/tenant", response=PaginatedResponseSchema[InvitationOutSchema])
+    @paginate(PageNumberPaginationExtra, page_size=20)
     @load_user
     def list_tenant_invitations(self, request: HttpRequest):
-        """List all invitations for the current tenant."""
+        """List invitations for the current tenant (paginated)."""
         tenant = getattr(request, "tenant", None)
         if tenant is None:
-            return InvitationListSchema(invitations=[], total=0)
+            return get_invitation_model().objects.none()
-        qs = invitation_backend.get_tenant_invitations(tenant)
-        invitations = [InvitationOutSchema.from_orm(inv) for inv in qs]
-        return InvitationListSchema(invitations=invitations, total=len(invitations))
+        return invitation_backend.get_tenant_invitations(tenant)
     # ── Validate token ─────────────────────────────────────────────
-    @http_get("/validate/{token}", response=ValidateTokenSchema, auth=None, throttle=[AnonRateThrottle()])
+    @http_get(
+        "/validate/{token}", response=ValidateTokenSchema, auth=None, throttle=[AnonRateThrottle()]
+    )
     def validate_token(self, request: HttpRequest, token: str):
         """Validate an invitation token (public endpoint – no auth required)."""
         invitation = invitation_backend.validate_token(token)
@@ -235,9 +238,9 @@ class InvitationController(ControllerBase):
         }
         inviter_level = role_hierarchy.get(
-            InvitationRole.OWNER if membership.is_owner else (
-                InvitationRole.ADMIN if membership.is_admin else InvitationRole.MEMBER
-            ),
+            InvitationRole.OWNER
+            if membership.is_owner
+            else (InvitationRole.ADMIN if membership.is_admin else InvitationRole.MEMBER),
             0,
         )
         requested_level = role_hierarchy.get(requested_role, 0)

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/auth/invitations/schemas.py RENAMED Viewed

@@ -1,22 +1,21 @@
 """
 Schemas for the invitations module.
 """
-from datetime import datetime
 from typing import List, Optional
-from uuid import UUID
+from django.utils.translation import gettext_lazy as _
 from ninja import ModelSchema, Schema
 from pydantic import EmailStr, field_validator
-from django.utils.translation import gettext_lazy as _
-from oxutils.auth.invitations.models import BaseInvitation, InvitationRole, InvitationStatus
+from oxutils.auth.invitations.models import BaseInvitation, InvitationRole
 # ── Request schemas ────────────────────────────────────────────────
 class CreateInvitationSchema(Schema):
     email: EmailStr
-    role: str = InvitationRole.MEMBER
+    role: InvitationRole = InvitationRole.MEMBER
     message: str = ""
     @field_validator("email", mode="before")
@@ -28,9 +27,9 @@ class CreateInvitationSchema(Schema):
     @classmethod
     def validate_role(cls, v: str) -> str:
         if v not in InvitationRole.values:
-            raise ValueError(_("Invalid role. Must be one of: {}").format(
-                ", ".join(InvitationRole.values)
-            ))
+            raise ValueError(
+                _("Invalid role. Must be one of: {}").format(", ".join(InvitationRole.values))
+            )
         return v
@@ -48,6 +47,7 @@ class ResendInvitationSchema(Schema):
 # ── Response schemas ───────────────────────────────────────────────
 class InvitationOutSchema(ModelSchema):
     tenant_name: Optional[str] = None
     invited_by_email: Optional[str] = None
@@ -56,8 +56,15 @@ class InvitationOutSchema(ModelSchema):
     class Meta:
         model = BaseInvitation
         fields = [
-            "id", "email", "token", "status", "role",
-            "expires_at", "accepted_at", "created_at", "message",
+            "id",
+            "email",
+            "token",
+            "status",
+            "role",
+            "expires_at",
+            "accepted_at",
+            "created_at",
+            "message",
         ]
     @staticmethod

oxutils-0.4.0/src/oxutils/jwt/models.py ADDED Viewed

@@ -0,0 +1,24 @@
+from uuid import UUID
+from django.utils.functional import cached_property
+from ninja_jwt.models import TokenUser as DefaultTonkenUser
+from ninja_jwt.settings import api_settings
+class TokenUser(DefaultTonkenUser):
+    @cached_property
+    def id(self):
+        return UUID(self.token[api_settings.USER_ID_CLAIM])
+    @property
+    def oxi_id(self):
+        # for compatibility with the User model
+        return self.id
+    @cached_property
+    def token_created_at(self):
+        return self.token.get("cat", None)
+    @cached_property
+    def token_session(self):
+        return self.token.get("session", None)

oxutils-0.4.0/src/oxutils/jwt/tokens.py ADDED Viewed

@@ -0,0 +1,3 @@
+from ninja_jwt.tokens import AccessToken  # noqa: F401 — re-exported for convenience
+__all__ = ["AccessToken"]

oxutils-0.4.0/src/oxutils/oxiliere/cacheops.py ADDED Viewed

@@ -0,0 +1,47 @@
+from cacheops import cached
+from django.db import connection
+# ── Tenant token TTL ──────────────────────────────────────────────
+TENANT_TOKEN_TTL = 3600  # 60 minutes
+def cacheops_prefix(query):
+    if connection.schema_name:
+        return '%s:' % connection.schema_name
+    return 'default:'
+# ── Tenant token cache (cacheops @cached pattern) ──────────────────
+@cached(timeout=TENANT_TOKEN_TTL)
+def get_cached_tenant_token(oxi_id: str, user_id: str):
+    """Return the tenant DB object for *oxi_id* + *user_id*, fetching on miss.
+    The returned tenant has ``.user`` pre-attached (the matching
+    *TenantUser* row).  Cacheops caches the result automatically.
+    Raises ``ObjectDoesNotExist`` when the tenant or tenant-user
+    is not found, so the miss is **not** cached.
+    """
+    from django.core.exceptions import ObjectDoesNotExist
+    from django_tenants.utils import get_tenant_model
+    TenantModel = get_tenant_model()
+    try:
+        tenant = TenantModel.objects.get(oxi_id=oxi_id)
+    except TenantModel.DoesNotExist as ex:
+        raise ObjectDoesNotExist(f"tenant not found: {oxi_id}") from ex
+    try:
+        tenant_user = tenant.users.select_related("user").get(user__pk=user_id)
+    except (ObjectDoesNotExist, ValueError) as ex:
+        raise ObjectDoesNotExist(f"tenant_user not found: {oxi_id}/{user_id}") from ex
+    tenant.user = tenant_user
+    return tenant
+def delete_cached_tenant_token(oxi_id: str, user_id: str) -> None:
+    """Remove the cached tenant (e.g. on tenant-switch or logout)."""
+    get_cached_tenant_token.invalidate(oxi_id, user_id)

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/oxiliere/middleware.py RENAMED Viewed

@@ -14,13 +14,13 @@ from django_tenants.utils import (
     has_multi_type_tenants,
 )
-from oxutils.constants import ORGANIZATION_HEADER_KEY, ORGANIZATION_TOKEN_COOKIE_KEY
-from oxutils.jwt.models import TokenTenant
-from oxutils.jwt.tokens import OrganizationAccessToken
+from oxutils.constants import ORGANIZATION_HEADER_KEY
+from oxutils.oxiliere.cacheops import (
+    delete_cached_tenant_token,
+    get_cached_tenant_token,
+)
 from oxutils.oxiliere.context import set_current_tenant_schema_name
 from oxutils.oxiliere.enums import TenantStatus
-from oxutils.oxiliere.utils import is_system_tenant
-from oxutils.settings import oxi_settings
 logger = structlog.get_logger(__name__)
@@ -69,112 +69,60 @@ class TenantMainMiddleware(MiddlewareMixin):
         connection.set_schema_to_public()
         oxi_id = self.get_org_id_from_request(request)
-        # Try to get tenant from cookie token first
-        tenant_token = request.COOKIES.get(ORGANIZATION_TOKEN_COOKIE_KEY)
         tenant = None
-        old_tenant = None
-        request._should_set_tenant_cookie = False
-        if tenant_token:
-            tenant = TokenTenant.for_token(tenant_token)
-            # Verify the token's oxi_id matches the request
-            if tenant and not is_system_tenant(tenant) and tenant.oxi_id != oxi_id:
-                logger.info(
-                    "tenant_token_oxi_id_doesnt_match_request_oxi_id",
-                    tenant_oxi_id=tenant.oxi_id,
-                    request_oxi_id=oxi_id,
-                )
-                old_tenant = tenant
-                tenant = None
-            if (
-                tenant
-                and hasattr(request, "user")
-                and request.user
-                and tenant.user.oxi_id != request.user.id
-            ):
-                logger.info(
-                    "tenant_user_token_oxi_id_doesnt_match",
-                    tenant_oxi_id=tenant.oxi_id,
-                    user_oxi_id=request.user.id,
-                )
-                old_tenant = tenant
-                tenant = None
-        # If no valid token, fetch from database
-        if not tenant:
-            if oxi_id:  # fetch with oxi_id on tenant
-                try:
-                    tenant = self.get_tenant(oxi_id)
-                    tenant.user = self.get_tenant_user(tenant, request.user, raise_exception=True)
-                    # Mark that we need to set the cookie in the response
-                    request._should_set_tenant_cookie = True
-                    if old_tenant:
-                        logger.info(
-                            "tenant_changed", old_tenant=old_tenant.oxi_id, new_tenant=tenant.oxi_id
-                        )
-                except ObjectDoesNotExist as ex:
-                    logger.error("tenant_not_found", oxi_id=oxi_id, error=str(ex))
-                    default_tenant = self.no_tenant_found(request, oxi_id)
-                    return default_tenant
-            else:  # try to return the system tenant
-                try:
-                    from oxutils.oxiliere.caches import get_system_tenant
-                    tenant = get_system_tenant()
-                    if hasattr(request, "user") and request.user:
-                        tenant.user = self.get_tenant_user(
-                            tenant, request.user, raise_exception=False
-                        )
-                    else:
-                        tenant.user = None
-                    request._should_set_tenant_cookie = True
-                except Exception as e:
-                    logger.error("system_tenant_not_found", error=str(e))
-                    from django.http import HttpResponseBadRequest
-                    return HttpResponseBadRequest("Missing X-Organization-ID header")
+        # ── Normal path: org + user → cache (or DB on miss) ──────────
+        if oxi_id and hasattr(request, "user") and request.user and request.user.is_authenticated:
+            user_id = str(request.user.id)
+            try:
+                tenant = get_cached_tenant_token(oxi_id, user_id)
+            except ObjectDoesNotExist:
+                logger.info("tenant_not_found", oxi_id=oxi_id, user_id=user_id)
+                return self.no_tenant_found(request, oxi_id)
+        elif not oxi_id:
+            # ── No org header → system tenant ────────────────────────
+            try:
+                from oxutils.oxiliere.caches import get_system_tenant
+                tenant = get_system_tenant()
+                if hasattr(request, "user") and request.user:
+                    tenant.user = self.get_tenant_user(
+                        tenant, request.user, raise_exception=False
+                    )
+                else:
+                    tenant.user = None
+            except Exception as e:
+                logger.error("system_tenant_not_found", error=str(e))
+                from django.http import HttpResponseBadRequest
+                return HttpResponseBadRequest("Missing X-Organization-ID header")
+        else:
+            # oxi_id present but no authenticated user
+            return self.no_tenant_found(request, oxi_id)
+        # ── Status guards ─────────────────────────────────────────────
         if tenant.is_deleted or not tenant.is_active:
             logger.error("tenant_is_deleted_or_inactive", oxi_id=oxi_id)
+            if oxi_id and hasattr(request, "user") and request.user and request.user.is_authenticated:
+                delete_cached_tenant_token(oxi_id, str(request.user.id))
             return self.no_tenant_found(request, oxi_id)
-        # Delegate status-specific responses
         status_response = self._handle_tenant_status(request, tenant)
         if status_response is not None:
             return status_response
-        if tenant and isinstance(tenant, TokenTenant):
-            request.db_tenant = None
-            request.tenant = tenant
-        else:
-            request.db_tenant = tenant
-            request.tenant = TokenTenant.from_db(tenant)
+        # ── Attach tenant to request ──────────────────────────────────
+        request.db_tenant = None
+        request.tenant = tenant
         set_current_tenant_schema_name(tenant.schema_name)
         connection.set_tenant(request.tenant)
         self.setup_url_routing(request)
     def process_response(self, request, response):
-        """Set the tenant token cookie if needed."""
-        if hasattr(request, "_should_set_tenant_cookie") and request._should_set_tenant_cookie:
-            if hasattr(request, "db_tenant") and isinstance(request.db_tenant, self.tenant_model):
-                # Generate token from DB tenant
-                token = OrganizationAccessToken.for_tenant(request.db_tenant)
-                response.set_cookie(
-                    key=ORGANIZATION_TOKEN_COOKIE_KEY,
-                    value=str(token),
-                    max_age=60 * oxi_settings.jwt_org_access_token_lifetime,
-                    httponly=True,
-                    secure=getattr(settings, "SESSION_COOKIE_SECURE", False),
-                    samesite="Lax",
-                )
+        """Cache is handled by :func:`get_cached_tenant_token` — nothing to do."""
         return response
     def no_tenant_found(self, request, oxi_id):

oxutils-0.4.0/src/oxutils/oxiliere/permissions.py ADDED Viewed

@@ -0,0 +1,97 @@
+import structlog
+from ninja_extra.permissions import BasePermission
+logger = structlog.get_logger(__name__)
+class TenantBasePermission(BasePermission):
+    """
+    Vérifie que l'utilisateur a accès au tenant actuel.
+    L'utilisateur doit être authentifié et avoir un lien avec le tenant.
+    """
+    def check_tenant_permission(self, request) -> bool:
+        raise NotImplementedError("Subclasses must implement this method")
+    def has_permission(self, request, controller=None, **kwargs):
+        if not request.user or not request.user.is_authenticated:
+            return False
+        if not hasattr(request, "tenant") or not request.tenant:
+            logger.warning("tenant_permission", type="tenant_not_found")
+            return False
+        if not hasattr(request.tenant, "user") or not request.tenant.user:
+            logger.warning(
+                "tenant_permission",
+                type="tenant_user_not_attached",
+                tenant=getattr(request.tenant, "oxi_id", None),
+            )
+            return False
+        return self.check_tenant_permission(request)
+class TenantUserPermission(TenantBasePermission):
+    """
+    Vérifie que l'utilisateur est un membre du tenant actuel.
+    Alias de TenantPermission pour plus de clarté sémantique.
+    """
+    def check_tenant_permission(self, request) -> bool:
+        tenant = request.tenant
+        passed = getattr(tenant.user, "status", None) == "active"
+        logger.info(
+            "tenant_permission",
+            type="tenant_user_access_permission",
+            tenant=tenant.oxi_id,
+            passed=passed,
+        )
+        return passed
+class TenantOwnerPermission(TenantBasePermission):
+    """
+    Vérifie que l'utilisateur est propriétaire (owner) du tenant actuel.
+    """
+    def check_tenant_permission(self, request) -> bool:
+        tenant = request.tenant
+        active = getattr(tenant.user, "status", None) == "active"
+        passed = active and getattr(tenant.user, "is_owner", False)
+        logger.info(
+            "tenant_permission",
+            type="tenant_user_access_permission",
+            tenant=tenant.oxi_id,
+            passed=passed,
+        )
+        return passed
+class TenantAdminPermission(TenantBasePermission):
+    """
+    Vérifie que l'utilisateur est admin ou owner du tenant actuel.
+    """
+    def check_tenant_permission(self, request) -> bool:
+        tenant = request.tenant
+        active = getattr(tenant.user, "status", None) == "active"
+        passed = active and getattr(tenant.user, "is_admin", False)
+        logger.info(
+            "tenant_permission",
+            type="tenant_user_access_permission",
+            tenant=tenant.oxi_id,
+            passed=passed,
+        )
+        return passed
+IsTenantUser = TenantUserPermission()
+IsTenantOwner = TenantOwnerPermission()
+IsTenantAdmin = TenantAdminPermission()

{oxutils-0.3.2 → oxutils-0.4.0}/src/oxutils/settings.py RENAMED Viewed

@@ -29,12 +29,8 @@ class OxUtilsSettings(BaseSettings):
     jwt_verifying_key: Optional[str] = None
     jwt_jwks_url: Optional[str] = None
     jwt_access_token_key: str = Field('access')
-    jwt_org_access_token_key: str = Field('org_access')
-    jwt_service_token_key: str = Field('service')
     jwt_algorithm: Optional[str] = Field('RS256')
     jwt_access_token_lifetime: int = Field(15) # minutes
-    jwt_service_token_lifetime: int = Field(3) # minutes
-    jwt_org_access_token_lifetime: int = Field(60) # minutes
     # AuditLog

oxutils 0.3.2__tar.gz → 0.4.0__tar.gz

oxutils 0.3.2tar.gz → 0.4.0tar.gz