pargo-auth 0.1.4__py3-none-any.whl → 0.1.6__py3-none-any.whl

pargo_auth/__init__.py

@@ -1,6 +1,6 @@
 """PARGO Auth - Shared authentication middleware for PARGO backend services."""
 
-__version__ = "0.1.4"
+__version__ = "0.1.6"
 
 from .middleware import SupabaseAuth, get_current_user, require_auth
 from .models import AuthenticatedUser

pargo_auth/middleware.py

@@ -81,11 +81,11 @@ class SupabaseAuth:
             jwks_client = self._get_jwks_client()
             signing_key = jwks_client.get_signing_key_from_jwt(token)
             
-            # Decode and verify
+            # Decode and verify (support both RS256 and ES256 - Supabase uses ES256)
             payload = jwt.decode(
                 token,
                 signing_key.key,
-                algorithms=["RS256"],
+                algorithms=["ES256", "RS256"],
                 issuer=self.issuer,
                 options={
                     "verify_aud": False,  # Supabase doesn't always set aud

pargo_auth/models.py

@@ -19,3 +19,15 @@ class AuthenticatedUser:
     def supabase_uid(self) -> str:
         """Alias for sub - the Supabase user ID."""
         return self.sub
+    
+    @property
+    def is_anonymous(self) -> bool:
+        """
+        Check if this is an anonymous user (signed in with signInAnonymously).
+        
+        Anonymous users have valid JWTs but no email/provider linked.
+        They can later upgrade to a real account by linking email/Google/Apple.
+        """
+        if self.raw_claims:
+            return self.raw_claims.get("is_anonymous", False)
+        return False

pargo_auth-0.1.6.dist-info/METADATA

@@ -0,0 +1,214 @@
+Metadata-Version: 2.4
+Name: pargo-auth
+Version: 0.1.6
+Summary: Shared authentication middleware for PARGO backend services
+Project-URL: Homepage, https://github.com/pargoorg/pargo-auth
+Project-URL: Repository, https://github.com/pargoorg/pargo-auth
+Author-email: PARGO <dev@pargo.dk>
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 4 - Beta
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.10
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: fastapi>=0.100.0
+Requires-Dist: httpx>=0.24.0
+Requires-Dist: pyjwt>=2.8.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.21.0; extra == 'dev'
+Requires-Dist: pytest>=7.0.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# pargo-auth
+
+Authentication and user management for PARGO. This repo serves two purposes:
+
+1. **PyPI Package** (`pargo-auth`) - JWT verification middleware for FastAPI
+2. **User Service** - API for user profile and settings management
+
+## Architecture
+
+```
+pargo-auth/
+├── src/pargo_auth/          # Library (published to PyPI)
+│   ├── middleware.py        # Supabase JWT verification
+│   ├── models.py            # AuthenticatedUser dataclass
+│   └── exceptions.py        # Auth errors
+├── app/                     # Service (deployed to server)
+│   ├── main.py              # FastAPI application
+│   ├── routes/users.py      # /v1/me endpoints
+│   └── services/            # Database operations
+├── docker/Dockerfile        # Service container
+└── pyproject.toml           # Package configuration
+```
+
+---
+
+## Part 1: PyPI Package
+
+The `pargo-auth` package provides JWT verification for any PARGO backend.
+
+### Installation
+
+```bash
+pip install pargo-auth
+```
+
+### Usage
+
+```python
+from fastapi import Depends
+from pargo_auth import get_current_user, AuthenticatedUser
+
+@app.get("/protected")
+async def protected(user: AuthenticatedUser = Depends(get_current_user)):
+    return {"user_id": user.sub, "email": user.email}
+```
+
+### Configuration
+
+Set environment variables:
+
+```bash
+SUPABASE_URL=https://your-project.supabase.co
+ENV=local  # Skip verification in local dev
+```
+
+### AuthenticatedUser
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `sub` | `str` | Supabase user ID (stable, canonical identity) |
+| `email` | `str \| None` | User's email |
+| `email_verified` | `bool` | Whether email is verified |
+| `supabase_uid` | `str` | Alias for `sub` |
+| `raw_claims` | `dict \| None` | Full JWT payload |
+
+### Optional Auth
+
+For endpoints that work with or without authentication:
+
+```python
+from pargo_auth import SupabaseAuth
+
+auth = SupabaseAuth()
+
+@app.get("/content")
+async def get_content(user: AuthenticatedUser | None = Depends(auth.get_user_optional)):
+    if user:
+        return {"personalized": True, "user": user.sub}
+    return {"personalized": False}
+```
+
+---
+
+## Part 2: User Service
+
+The service manages user data in Hetzner Postgres (`auth` schema).
+
+### Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| GET | `/v1/me` | Required | Get profile + settings (creates user on first call) |
+| PATCH | `/v1/me` | Required | Update profile |
+| PATCH | `/v1/me/settings` | Required | Update settings |
+| DELETE | `/v1/me` | Required | Soft delete account |
+| GET | `/health` | None | Health check |
+
+### Database Schema
+
+Uses the `auth` schema in Postgres:
+
+- `auth.users` - Core user identity (synced from Supabase JWT)
+- `auth.user_identities` - Login methods (apple, google, email)
+- `auth.user_settings` - App preferences
+- `auth.audit_events` - Security/login event log
+
+### Running Locally
+
+```bash
+# Install dependencies
+pip install -r requirements-service.txt
+pip install -e .
+
+# Set environment
+export SUPABASE_URL=https://your-project.supabase.co
+export DATABASE_URL=postgresql://postgres:password@localhost:5432/pargo_test
+export ENV=local
+
+# Run
+uvicorn app.main:app --reload --port 8040
+```
+
+### Docker
+
+```bash
+docker build -f docker/Dockerfile -t pargo-auth .
+docker run -p 8040:8040 \
+  -e SUPABASE_URL=https://your-project.supabase.co \
+  -e DATABASE_URL=postgresql://... \
+  pargo-auth
+```
+
+### Response Examples
+
+**GET /v1/me**
+
+```json
+{
+  "user": {
+    "id": "550e8400-e29b-41d4-a716-446655440000",
+    "supabase_uid": "846eddd7-f5ae-4d72-8082-accde7da68f2",
+    "email": "user@example.com",
+    "email_verified": true,
+    "display_name": "John Doe",
+    "preferred_lang": "da",
+    "created_at": "2026-02-02T10:00:00Z",
+    "last_login_at": "2026-02-02T12:00:00Z"
+  },
+  "settings": {
+    "push_enabled": true,
+    "email_enabled": true,
+    "map_style": "standard",
+    "settings_json": {}
+  }
+}
+```
+
+---
+
+## Development
+
+### Package Development
+
+```bash
+# Install in editable mode
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+```
+
+### Publishing (automatic)
+
+Push to `main` triggers GitHub Actions:
+1. Bumps version
+2. Publishes to PyPI
+
+---
+
+## Design Decisions
+
+| Decision | Rationale |
+|----------|-----------|
+| `supabase_uid` is canonical ID | JWT `sub` is stable even if email changes |
+| User created on first `/me` call | No separate signup flow needed |
+| Soft delete | GDPR compliance, account recovery possible |
+| Separate settings table | Clean separation, flexible JSONB for future |

pargo_auth-0.1.6.dist-info/RECORD

@@ -0,0 +1,8 @@
+pargo_auth/__init__.py,sha256=B0pqW0WDlIrWYcDEFBhRJSawoV7g9H_BrhSffFqzJeI,454
+pargo_auth/exceptions.py,sha256=Qckee29SlPf8VS21s-1gT8j_gCoYKaJhYKet9DE28WE,879
+pargo_auth/middleware.py,sha256=nxBD5s5Gz4jdsRRudBnU8r8CxG11MzRSiS2DK90kTvM,6841
+pargo_auth/models.py,sha256=UuikVTf96X_4v0-05u_dzW_Tnjeg-G15TD27yznf4nw,976
+pargo_auth-0.1.6.dist-info/METADATA,sha256=CNH73EFgRjqyoTDjEGXTCS7F3jmbkpSDl4ug1y6tUDs,5581
+pargo_auth-0.1.6.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+pargo_auth-0.1.6.dist-info/licenses/LICENSE,sha256=A-E9k545xbWsw-1DRhKLXcePHJ15tKx_bQl12OabqEY,1062
+pargo_auth-0.1.6.dist-info/RECORD,,

pargo_auth-0.1.4.dist-info/METADATA

@@ -1,144 +0,0 @@
-Metadata-Version: 2.4
-Name: pargo-auth
-Version: 0.1.4
-Summary: Shared authentication middleware for PARGO backend services
-Project-URL: Homepage, https://github.com/pargoorg/pargo-auth
-Project-URL: Repository, https://github.com/pargoorg/pargo-auth
-Author-email: PARGO <dev@pargo.dk>
-License-Expression: MIT
-License-File: LICENSE
-Classifier: Development Status :: 4 - Beta
-Classifier: Framework :: FastAPI
-Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Requires-Python: >=3.10
-Requires-Dist: cryptography>=41.0.0
-Requires-Dist: fastapi>=0.100.0
-Requires-Dist: httpx>=0.24.0
-Requires-Dist: pyjwt>=2.8.0
-Provides-Extra: dev
-Requires-Dist: pytest-asyncio>=0.21.0; extra == 'dev'
-Requires-Dist: pytest>=7.0.0; extra == 'dev'
-Description-Content-Type: text/markdown
-
-# pargo-auth
-
-Shared authentication middleware for PARGO backend services. Verifies Supabase JWTs and provides FastAPI dependencies.
-
-## Installation
-
-```bash
-pip install pargo-auth
-```
-
-## Quick Start
-
-```python
-from fastapi import FastAPI, Depends
-from pargo_auth import get_current_user, AuthenticatedUser
-
-app = FastAPI()
-
-@app.get("/me")
-async def get_me(user: AuthenticatedUser = Depends(get_current_user)):
-    return {
-        "id": user.sub,
-        "email": user.email,
-    }
-```
-
-## Configuration
-
-Set these environment variables:
-
-```bash
-SUPABASE_URL=https://your-project.supabase.co
-ENV=local  # Skip auth verification in local dev
-```
-
-## Usage Patterns
-
-### Basic: Protect individual endpoints
-
-```python
-from pargo_auth import get_current_user, AuthenticatedUser
-
-@app.get("/protected")
-async def protected(user: AuthenticatedUser = Depends(get_current_user)):
-    return {"user_id": user.sub}
-```
-
-### Protect entire router
-
-```python
-from fastapi import APIRouter, Depends
-from pargo_auth import require_auth
-
-router = APIRouter(dependencies=[require_auth()])
-
-@router.get("/data")
-async def get_data():  # Auth already required by router
-    return {"data": "secret"}
-```
-
-### Optional auth (different behavior for logged-in vs anonymous)
-
-```python
-from pargo_auth import SupabaseAuth, AuthenticatedUser
-
-auth = SupabaseAuth()
-
-@app.get("/content")
-async def get_content(user: AuthenticatedUser | None = Depends(auth.get_user_optional)):
-    if user:
-        return {"content": "personalized", "user": user.sub}
-    return {"content": "generic"}
-```
-
-### Custom instance (non-default config)
-
-```python
-from pargo_auth import SupabaseAuth
-
-auth = SupabaseAuth(
-    supabase_url="https://custom.supabase.co",
-    skip_verification_in_dev=False,  # Always verify, even locally
-)
-
-@app.get("/strict")
-async def strict_endpoint(user = Depends(auth.get_user)):
-    return {"user": user.sub}
-```
-
-## AuthenticatedUser
-
-The `AuthenticatedUser` object contains:
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `sub` | `str` | Supabase user ID (stable, use as canonical identity) |
-| `email` | `str \| None` | User's email (if available) |
-| `email_verified` | `bool` | Whether email is verified |
-| `raw_claims` | `dict \| None` | Full JWT payload for custom claims |
-
-## Legacy Support
-
-For backwards compatibility, the middleware also checks for `x-user-id` header if no Bearer token is present. This allows gradual migration from the old auth system.
-
-## Development
-
-```bash
-# Install dev dependencies
-pip install -e ".[dev]"
-
-# Run tests
-pytest
-```
-
-## License
-
-MIT

pargo_auth-0.1.4.dist-info/RECORD

@@ -1,8 +0,0 @@
-pargo_auth/__init__.py,sha256=vchweTgD6p6aKw4AVb62G2lUqvA7ngC7AyePAp2AL-8,454
-pargo_auth/exceptions.py,sha256=Qckee29SlPf8VS21s-1gT8j_gCoYKaJhYKet9DE28WE,879
-pargo_auth/middleware.py,sha256=fCh41HYMfNQbEieVFnUG6uCl-wr0SQ2KahGX297HCYE,6779
-pargo_auth/models.py,sha256=I_mb0PGPy7FHZbMHxs1tR4NekD-cv1Ea4ZSzjStDZo4,548
-pargo_auth-0.1.4.dist-info/METADATA,sha256=diGGOxS-tBKP67ud2AMGWvyrBxImKrtXlPcoAihDktc,3612
-pargo_auth-0.1.4.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-pargo_auth-0.1.4.dist-info/licenses/LICENSE,sha256=A-E9k545xbWsw-1DRhKLXcePHJ15tKx_bQl12OabqEY,1062
-pargo_auth-0.1.4.dist-info/RECORD,,