paskia 0.7.2__py3-none-any.whl → 0.8.0__py3-none-any.whl

paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.7.2'
-__version_tuple__ = version_tuple = (0, 7, 2)
+__version__ = version = '0.8.0'
+__version_tuple__ = version_tuple = (0, 8, 0)
 
 __commit_id__ = commit_id = None

paskia/authsession.py

@@ -11,11 +11,10 @@ independent of any web framework:
 from datetime import datetime, timezone
 from uuid import UUID
 
+from paskia import db
 from paskia.config import SESSION_LIFETIME
 from paskia.db import ResetToken, Session
-from paskia.globals import db, passkey
 from paskia.util import hostutil
-from paskia.util.tokens import create_token, reset_key, session_key
 
 EXPIRES = SESSION_LIFETIME
 
@@ -30,46 +29,10 @@ def reset_expires() -> datetime:
     return datetime.now(timezone.utc) + RESET_LIFETIME
 
 
-def session_expiry(session: Session) -> datetime:
-    """Calculate the expiration timestamp for a session (UTC aware)."""
-    # After migration all renewed timestamps are timezone-aware UTC
-    return session.renewed + EXPIRES
-
-
-async def create_session(
-    user_uuid: UUID,
-    credential_uuid: UUID,
-    *,
-    host: str,
-    ip: str,
-    user_agent: str,
-) -> str:
-    """Create a new session and return a session token."""
-    normalized_host = hostutil.normalize_host(host)
-    if not normalized_host:
-        raise ValueError("Host required for session creation")
-    hostname = normalized_host.split(":")[0]  # Domain names only, IPs aren't supported
-    rp_id = passkey.instance.rp_id
-    if not (hostname == rp_id or hostname.endswith(f".{rp_id}")):
-        raise ValueError(f"Host must be the same as or a subdomain of {rp_id}")
-    token = create_token()
-    now = datetime.now(timezone.utc)
-    await db.instance.create_session(
-        user_uuid=user_uuid,
-        credential_uuid=credential_uuid,
-        key=session_key(token),
-        host=normalized_host,
-        ip=ip,
-        user_agent=user_agent,
-        renewed=now,
-    )
-    return token
-
-
 async def get_reset(token: str) -> ResetToken:
-    """Validate a credential reset token. Returns None if the token is not well formed (i.e. it is another type of token)."""
-    record = await db.instance.get_reset_token(reset_key(token))
-    if record and record.expiry >= datetime.now(timezone.utc):
+    """Validate a credential reset token."""
+    record = db.get_reset_token(token)
+    if record:
         return record
     raise ValueError("This authentication link is no longer valid.")
 
@@ -79,11 +42,11 @@ async def get_session(token: str, host: str | None = None) -> Session:
     host = hostutil.normalize_host(host)
     if not host:
         raise ValueError("Invalid host")
-    session = await db.instance.get_session(session_key(token))
-    if session and session_expiry(session) >= datetime.now(timezone.utc):
+    session = db.get_session(token)
+    if session:
         if session.host is None:
             # First time binding: store exact host:port (or IPv6 form) now.
-            await db.instance.set_session_host(session.key, host)
+            db.set_session_host(session.key, host)
             session.host = host
         elif session.host != host:
             raise ValueError("Session host mismatch")
@@ -93,14 +56,14 @@ async def get_session(token: str, host: str | None = None) -> Session:
 
 async def refresh_session_token(token: str, *, ip: str, user_agent: str):
     """Refresh a session extending its expiry."""
-    session_record = await db.instance.get_session(session_key(token))
+    session_record = db.get_session(token)
     if not session_record:
         raise ValueError("Session not found or expired")
-    updated = await db.instance.update_session(
-        session_key(token),
+    updated = db.update_session(
+        token,
         ip=ip,
         user_agent=user_agent,
-        renewed=datetime.now(timezone.utc),
+        expiry=expires(),
     )
     if not updated:
         raise ValueError("Session not found or expired")
@@ -109,4 +72,4 @@ async def refresh_session_token(token: str, *, ip: str, user_agent: str):
 async def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
     """Delete a specific credential for the current user."""
     s = await get_session(auth, host=host)
-    await db.instance.delete_credential(credential_uuid, s.user_uuid)
+    db.delete_credential(credential_uuid, s.user_uuid)

paskia/bootstrap.py

@@ -12,9 +12,9 @@ from datetime import datetime, timezone
 
 import uuid7
 
-from paskia import authsession, globals
+from paskia import authsession, db
 from paskia.db import Org, Permission, Role, User
-from paskia.util import hostutil, passphrase, tokens
+from paskia.util import hostutil, passphrase
 
 
 def _init_logger() -> logging.Logger:
@@ -42,9 +42,9 @@ async def _create_and_log_admin_reset_link(user_uuid, message, session_type) ->
     """Create an admin reset link and log it with the provided message."""
     token = passphrase.generate()
     expiry = authsession.reset_expires()
-    await globals.db.instance.create_reset_token(
+    db.create_reset_token(
         user_uuid=user_uuid,
-        key=tokens.reset_key(token),
+        passphrase=token,
         expiry=expiry,
         token_type=session_type,
     )
@@ -61,25 +61,32 @@ async def bootstrap_system() -> dict:
         dict: Contains information about created entities and reset link
     """
     # Create permission first - will fail if already exists
-    perm0 = Permission(id="auth:admin", display_name="Master Admin")
-    await globals.db.instance.create_permission(perm0)
+    perm0 = Permission(
+        uuid=uuid7.create(), scope="auth:admin", display_name="Master Admin"
+    )
+    db.create_permission(perm0)
+
+    # Create org admin permission - allows managing users within an org
+    perm_org_admin = Permission(
+        uuid=uuid7.create(), scope="auth:org:admin", display_name="Org Admin"
+    )
+    db.create_permission(perm_org_admin)
 
     org = Org(uuid7.create(), "Organization")
-    await globals.db.instance.create_organization(org)
+    db.create_organization(org)
 
-    # After creation, org.permissions now includes the auto-created org admin permission
-    # Allow this org to grant global admin explicitly
-    await globals.db.instance.add_permission_to_organization(str(org.uuid), perm0.id)
+    # Allow this org to grant global admin and org admin permissions
+    db.add_permission_to_organization(str(org.uuid), perm0.scope)
+    db.add_permission_to_organization(str(org.uuid), perm_org_admin.scope)
 
     # Create an Administration role granting both org and global admin
-    # Compose permissions for Administration role: global admin + org admin auto-perm
     role = Role(
         uuid7.create(),
         org.uuid,
         "Administration",
-        permissions=[perm0.id, *org.permissions],
+        permissions=[perm0.scope, perm_org_admin.scope],
     )
-    await globals.db.instance.create_role(role)
+    db.create_role(role)
 
     user = User(
         uuid=uuid7.create(),
@@ -88,7 +95,7 @@ async def bootstrap_system() -> dict:
         created_at=datetime.now(timezone.utc),
         visits=0,
     )
-    await globals.db.instance.create_user(user)
+    db.create_user(user)
 
     # Generate reset link and log it
     reset_link = await _create_and_log_admin_reset_link(
@@ -101,7 +108,11 @@ async def bootstrap_system() -> dict:
         "role": role,
         "permissions": [
             perm0,
-            *[Permission(id=p, display_name="") for p in org.permissions],
+            *[
+                db.get_permission_by_scope(p)
+                for p in org.permissions
+                if db.get_permission_by_scope(p)
+            ],
         ],
         "reset_link": reset_link,
     }
@@ -116,17 +127,13 @@ async def check_admin_credentials() -> bool:
     """
     try:
         # Get permission organizations to find admin users
-        permission_orgs = await globals.db.instance.get_permission_organizations(
-            "auth:admin"
-        )
+        permission_orgs = db.get_permission_organizations("auth:admin")
 
         if not permission_orgs:
             return False
 
         # Get users from the first organization with admin permission
-        org_users = await globals.db.instance.get_organization_users(
-            str(permission_orgs[0].uuid)
-        )
+        org_users = db.get_organization_users(str(permission_orgs[0].uuid))
         admin_users = [user for user, role in org_users if role == "Administration"]
 
         if not admin_users:
@@ -134,9 +141,7 @@ async def check_admin_credentials() -> bool:
 
         # Check first admin user for credentials
         admin_user = admin_users[0]
-        credentials = await globals.db.instance.get_credentials_by_user_uuid(
-            admin_user.uuid
-        )
+        credentials = db.get_credentials_by_user_uuid(admin_user.uuid)
 
         if not credentials:
             # Admin exists but has no credentials, create reset link
@@ -162,7 +167,7 @@ async def bootstrap_if_needed() -> bool:
     """
     try:
         # Check if the admin permission exists - if it does, system is already bootstrapped
-        await globals.db.instance.get_permission("auth:admin")
+        db.get_permission("auth:admin")
         # Permission exists, system is already bootstrapped
         # Check if admin needs credentials (only for already-bootstrapped systems)
         await check_admin_credentials()