paskia 0.7.2__py3-none-any.whl → 0.8.0__py3-none-any.whl

paskia/migrate/sql.py

@@ -0,0 +1,381 @@
+"""
+Legacy SQL database implementation for migration purposes.
+
+This module provides the async SQLAlchemy database layer that was used
+before the JSONL format. It is kept here for migration purposes only.
+
+DO NOT use this module for new code. Use paskia.db instead.
+"""
+
+from contextlib import asynccontextmanager
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from uuid import UUID
+
+from sqlalchemy import (
+    DateTime,
+    ForeignKey,
+    Integer,
+    LargeBinary,
+    String,
+    event,
+    select,
+)
+from sqlalchemy.dialects.sqlite import BLOB
+from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
+from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
+
+from paskia.db import (
+    Credential,
+    Org,
+    ResetToken,
+    Role,
+    User,
+)
+
+
+# Local Permission class for SQL schema (uses 'id' not 'uuid' + 'scope')
+@dataclass
+class SqlPermission:
+    """Permission as stored in the old SQL schema with id field."""
+
+    id: str
+    display_name: str
+
+
+DB_PATH_DEFAULT = "sqlite+aiosqlite:///paskia.sqlite"
+
+
+# Local Session class for SQL schema (uses 'renewed' not 'expiry')
+@dataclass
+class _SqlSession:
+    """Session as stored in the old SQL schema with renewed timestamp."""
+
+    key: bytes
+    user_uuid: UUID
+    credential_uuid: UUID
+    host: str
+    ip: str
+    user_agent: str
+    renewed: datetime
+
+
+def _normalize_dt(value: datetime | None) -> datetime | None:
+    if value is None:
+        return None
+    if value.tzinfo is None:
+        return value.replace(tzinfo=timezone.utc)
+    return value.astimezone(timezone.utc)
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+class OrgModel(Base):
+    __tablename__ = "orgs"
+
+    uuid: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    display_name: Mapped[str] = mapped_column(String, nullable=False)
+
+    def as_dataclass(self):
+        # Base Org without permissions/roles (filled by data accessors)
+        return Org(UUID(bytes=self.uuid), self.display_name)
+
+    @staticmethod
+    def from_dataclass(org: Org):
+        return OrgModel(uuid=org.uuid.bytes, display_name=org.display_name)
+
+
+class RoleModel(Base):
+    __tablename__ = "roles"
+
+    uuid: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    org_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("orgs.uuid", ondelete="CASCADE"), nullable=False
+    )
+    display_name: Mapped[str] = mapped_column(String, nullable=False)
+
+    def as_dataclass(self):
+        # Base Role without permissions (filled by data accessors)
+        return Role(
+            uuid=UUID(bytes=self.uuid),
+            org_uuid=UUID(bytes=self.org_uuid),
+            display_name=self.display_name,
+        )
+
+    @staticmethod
+    def from_dataclass(role: Role):
+        return RoleModel(
+            uuid=role.uuid.bytes,
+            org_uuid=role.org_uuid.bytes,
+            display_name=role.display_name,
+        )
+
+
+class UserModel(Base):
+    __tablename__ = "users"
+
+    uuid: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    display_name: Mapped[str] = mapped_column(String, nullable=False)
+    role_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("roles.uuid", ondelete="CASCADE"), nullable=False
+    )
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    last_seen: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    visits: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
+
+    def as_dataclass(self) -> User:
+        return User(
+            uuid=UUID(bytes=self.uuid),
+            display_name=self.display_name,
+            role_uuid=UUID(bytes=self.role_uuid),
+            created_at=_normalize_dt(self.created_at) or self.created_at,
+            last_seen=_normalize_dt(self.last_seen) or self.last_seen,
+            visits=self.visits,
+        )
+
+    @staticmethod
+    def from_dataclass(user: User):
+        return UserModel(
+            uuid=user.uuid.bytes,
+            display_name=user.display_name,
+            role_uuid=user.role_uuid.bytes,
+            created_at=user.created_at or datetime.now(timezone.utc),
+            last_seen=user.last_seen,
+            visits=user.visits,
+        )
+
+
+class CredentialModel(Base):
+    __tablename__ = "credentials"
+
+    uuid: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    credential_id: Mapped[bytes] = mapped_column(
+        LargeBinary(64), unique=True, index=True
+    )
+    user_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("users.uuid", ondelete="CASCADE")
+    )
+    aaguid: Mapped[bytes] = mapped_column(LargeBinary(16), nullable=False)
+    public_key: Mapped[bytes] = mapped_column(BLOB, nullable=False)
+    sign_count: Mapped[int] = mapped_column(Integer, nullable=False)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    last_used: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    last_verified: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+
+    def as_dataclass(self):
+        return Credential(
+            uuid=UUID(bytes=self.uuid),
+            credential_id=self.credential_id,
+            user_uuid=UUID(bytes=self.user_uuid),
+            aaguid=UUID(bytes=self.aaguid),
+            public_key=self.public_key,
+            sign_count=self.sign_count,
+            created_at=_normalize_dt(self.created_at) or self.created_at,
+            last_used=_normalize_dt(self.last_used) or self.last_used,
+            last_verified=_normalize_dt(self.last_verified) or self.last_verified,
+        )
+
+
+class SessionModel(Base):
+    __tablename__ = "sessions"
+
+    key: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    user_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("users.uuid", ondelete="CASCADE"), nullable=False
+    )
+    credential_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16),
+        ForeignKey("credentials.uuid", ondelete="CASCADE"),
+        nullable=False,
+    )
+    host: Mapped[str] = mapped_column(String, nullable=False)
+    ip: Mapped[str] = mapped_column(String(64), nullable=False)
+    user_agent: Mapped[str] = mapped_column(String(512), nullable=False)
+    renewed: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        nullable=False,
+    )
+
+    def as_dataclass(self):
+        return _SqlSession(
+            key=self.key,
+            user_uuid=UUID(bytes=self.user_uuid),
+            credential_uuid=UUID(bytes=self.credential_uuid),
+            host=self.host,
+            ip=self.ip,
+            user_agent=self.user_agent,
+            renewed=_normalize_dt(self.renewed) or self.renewed,
+        )
+
+    @staticmethod
+    def from_dataclass(session: _SqlSession):
+        return SessionModel(
+            key=session.key,
+            user_uuid=session.user_uuid.bytes,
+            credential_uuid=session.credential_uuid.bytes,
+            host=session.host,
+            ip=session.ip,
+            user_agent=session.user_agent,
+            renewed=session.renewed,
+        )
+
+
+class ResetTokenModel(Base):
+    __tablename__ = "reset_tokens"
+
+    key: Mapped[bytes] = mapped_column(LargeBinary(16), primary_key=True)
+    user_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("users.uuid", ondelete="CASCADE"), nullable=False
+    )
+    token_type: Mapped[str] = mapped_column(String, nullable=False)
+    expiry: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
+
+    def as_dataclass(self) -> ResetToken:
+        return ResetToken(
+            key=self.key,
+            user_uuid=UUID(bytes=self.user_uuid),
+            token_type=self.token_type,
+            expiry=_normalize_dt(self.expiry) or self.expiry,
+        )
+
+
+class PermissionModel(Base):
+    __tablename__ = "permissions"
+
+    id: Mapped[str] = mapped_column(String(64), primary_key=True)
+    display_name: Mapped[str] = mapped_column(String, nullable=False)
+
+    def as_dataclass(self):
+        return SqlPermission(self.id, self.display_name)
+
+    @staticmethod
+    def from_dataclass(permission: SqlPermission):
+        return PermissionModel(
+            id=permission.id,
+            display_name=permission.display_name,
+        )
+
+
+class OrgPermission(Base):
+    """Permissions each organization is allowed to grant to its roles."""
+
+    __tablename__ = "org_permissions"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    org_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("orgs.uuid", ondelete="CASCADE")
+    )
+    permission_id: Mapped[str] = mapped_column(
+        String(64), ForeignKey("permissions.id", ondelete="CASCADE")
+    )
+
+
+class RolePermission(Base):
+    """Permissions that each role grants to its members."""
+
+    __tablename__ = "role_permissions"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True)
+    role_uuid: Mapped[bytes] = mapped_column(
+        LargeBinary(16), ForeignKey("roles.uuid", ondelete="CASCADE")
+    )
+    permission_id: Mapped[str] = mapped_column(
+        String(64), ForeignKey("permissions.id", ondelete="CASCADE")
+    )
+
+
+class DB:
+    """Legacy SQL database class for migration purposes only."""
+
+    def __init__(self, db_path: str = DB_PATH_DEFAULT):
+        """Initialize with database path."""
+        self.engine = create_async_engine(db_path, echo=False)
+        # Ensure SQLite foreign key enforcement is ON for every new connection
+        if db_path.startswith("sqlite"):
+
+            @event.listens_for(self.engine.sync_engine, "connect")
+            def _fk_on(dbapi_connection, connection_record):
+                try:
+                    cursor = dbapi_connection.cursor()
+                    cursor.execute("PRAGMA foreign_keys=ON;")
+                    cursor.close()
+                except Exception:
+                    pass
+
+        self.async_session_factory = async_sessionmaker(
+            self.engine, expire_on_commit=False
+        )
+
+    @asynccontextmanager
+    async def session(self):
+        """Async context manager that provides a database session with transaction."""
+        async with self.async_session_factory() as session:
+            async with session.begin():
+                yield session
+                await session.flush()
+            await session.commit()
+
+    async def init_db(self) -> None:
+        """Initialize database tables."""
+        async with self.engine.begin() as conn:
+            await conn.run_sync(Base.metadata.create_all)
+
+    async def list_permissions(self) -> list[SqlPermission]:
+        async with self.session() as session:
+            result = await session.execute(select(PermissionModel))
+            return [p.as_dataclass() for p in result.scalars().all()]
+
+    async def list_organizations(self) -> list[Org]:
+        async with self.session() as session:
+            # Load all orgs
+            orgs_result = await session.execute(select(OrgModel))
+            org_models = orgs_result.scalars().all()
+            if not org_models:
+                return []
+
+            # Preload org permissions mapping
+            org_perms_result = await session.execute(select(OrgPermission))
+            org_perms = org_perms_result.scalars().all()
+            perms_by_org: dict[bytes, list[str]] = {}
+            for op in org_perms:
+                perms_by_org.setdefault(op.org_uuid, []).append(op.permission_id)
+
+            # Preload roles
+            roles_result = await session.execute(select(RoleModel))
+            role_models = roles_result.scalars().all()
+
+            # Preload role permissions mapping
+            rp_result = await session.execute(select(RolePermission))
+            rps = rp_result.scalars().all()
+            perms_by_role: dict[bytes, list[str]] = {}
+            for rp in rps:
+                perms_by_role.setdefault(rp.role_uuid, []).append(rp.permission_id)
+
+            # Build org dataclasses with roles and permission IDs
+            roles_by_org: dict[bytes, list[Role]] = {}
+            for rm in role_models:
+                r_dc = rm.as_dataclass()
+                r_dc.permissions = perms_by_role.get(rm.uuid, [])
+                roles_by_org.setdefault(rm.org_uuid, []).append(r_dc)
+
+            orgs: list[Org] = []
+            for om in org_models:
+                o_dc = om.as_dataclass()
+                o_dc.permissions = perms_by_org.get(om.uuid, [])
+                o_dc.roles = roles_by_org.get(om.uuid, [])
+                orgs.append(o_dc)
+
+            return orgs

paskia/util/permutil.py

@@ -3,9 +3,8 @@
 from collections.abc import Sequence
 from fnmatch import fnmatchcase
 
-from paskia.globals import db
+from paskia import db
 from paskia.util.hostutil import normalize_host
-from paskia.util.tokens import session_key
 
 __all__ = ["has_any", "has_all", "session_context"]
 
@@ -17,16 +16,28 @@ def _match(perms: set[str], patterns: Sequence[str]):
     )
 
 
+def _get_effective_scopes(ctx) -> set[str]:
+    """Get effective permission scopes from context.
+
+    Returns scopes from ctx.permissions (filtered by org) if available,
+    otherwise falls back to ctx.role.permissions for backwards compatibility.
+    """
+    if ctx.permissions:
+        return {p.scope for p in ctx.permissions}
+    # Fallback for contexts without effective permissions computed
+    return set(ctx.role.permissions or [])
+
+
 def has_any(ctx, patterns: Sequence[str]) -> bool:
-    return any(_match(ctx.role.permissions, patterns)) if ctx else False
+    return any(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
 
 
 def has_all(ctx, patterns: Sequence[str]) -> bool:
-    return all(_match(ctx.role.permissions, patterns)) if ctx else False
+    return all(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
 
 
 async def session_context(auth: str | None, host: str | None = None):
     if not auth:
         return None
     normalized_host = normalize_host(host) if host else None
-    return await db.instance.get_session_context(session_key(auth), normalized_host)
+    return db.get_session_context(auth, normalized_host)

paskia/util/sessionutil.py

@@ -2,6 +2,7 @@
 
 from datetime import datetime, timezone
 
+from paskia.authsession import EXPIRES
 from paskia.db import SessionContext
 from paskia.util.timeutil import parse_duration
 
@@ -27,11 +28,11 @@ def check_session_age(ctx: SessionContext, max_age: str | None) -> bool:
 
     max_age_delta = parse_duration(max_age)
 
-    # Use credential's last_used time if available, fall back to session renewed
+    # Use credential's last_used time if available, fall back to session renewed time
     if ctx.credential and ctx.credential.last_used:
         auth_time = ctx.credential.last_used
     else:
-        auth_time = ctx.session.renewed
+        auth_time = ctx.session.expiry - EXPIRES
 
     time_since_auth = datetime.now(timezone.utc) - auth_time
     return time_since_auth <= max_age_delta

paskia/util/userinfo.py

@@ -2,10 +2,9 @@
 
 from datetime import timezone
 
-from paskia import aaguid
-from paskia.authsession import session_key
-from paskia.globals import db
-from paskia.util import hostutil, permutil, tokens, useragent
+from paskia import aaguid, db
+from paskia.authsession import EXPIRES
+from paskia.util import hostutil, permutil, useragent
 
 
 def _format_datetime(dt):
@@ -41,20 +40,15 @@ async def format_user_info(
         - Sessions list
         - Permissions
     """
-    u = await db.instance.get_user_by_uuid(user_uuid)
+    u = db.get_user_by_uuid(user_uuid)
     ctx = await permutil.session_context(auth, request_host)
 
     # Fetch and format credentials
-    credential_ids = await db.instance.get_credentials_by_user_uuid(user_uuid)
+    user_credentials = db.get_credentials_by_user_uuid(user_uuid)
     credentials: list[dict] = []
     user_aaguids: set[str] = set()
 
-    for cred_id in credential_ids:
-        try:
-            c = await db.instance.get_credential_by_id(cred_id)
-        except ValueError:
-            continue
-
+    for c in user_credentials:
         aaguid_str = str(c.aaguid)
         user_aaguids.add(aaguid_str)
         credentials.append(
@@ -76,8 +70,6 @@ async def format_user_info(
     role_info = None
     org_info = None
     effective_permissions: list[str] = []
-    is_global_admin = False
-    is_org_admin = False
 
     if ctx:
         role_info = {
@@ -90,27 +82,23 @@ async def format_user_info(
             "display_name": ctx.org.display_name,
             "permissions": ctx.org.permissions,
         }
-        effective_permissions = [p.id for p in (ctx.permissions or [])]
-        is_global_admin = "auth:admin" in (role_info["permissions"] or [])
-        is_org_admin = any(
-            p.startswith("auth:org:") for p in (role_info["permissions"] or [])
-        )
+        effective_permissions = [p.scope for p in (ctx.permissions or [])]
 
     # Format sessions
     normalized_request_host = hostutil.normalize_host(request_host)
-    session_records = await db.instance.list_sessions_for_user(user_uuid)
-    current_session_key = session_key(auth)
+    session_records = db.list_sessions_for_user(user_uuid)
+    current_session_key = auth
     sessions_payload: list[dict] = []
 
     for entry in session_records:
         sessions_payload.append(
             {
-                "id": tokens.encode_session_key(entry.key),
+                "id": entry.key,
                 "credential_uuid": str(entry.credential_uuid),
                 "host": entry.host,
                 "ip": entry.ip,
                 "user_agent": useragent.compact_user_agent(entry.user_agent),
-                "last_renewed": _format_datetime(entry.renewed),
+                "last_renewed": _format_datetime(entry.expiry - EXPIRES),
                 "is_current": entry.key == current_session_key,
                 "is_current_host": bool(
                     normalized_request_host
@@ -132,8 +120,6 @@ async def format_user_info(
         "org": org_info,
         "role": role_info,
         "permissions": effective_permissions,
-        "is_global_admin": is_global_admin,
-        "is_org_admin": is_org_admin,
         "credentials": credentials,
         "aaguid_info": aaguid_info,
         "sessions": sessions_payload,
@@ -150,7 +136,7 @@ async def format_reset_user_info(user_uuid, reset_token) -> dict:
     Returns:
         Dictionary with minimal user info for password reset flow
     """
-    u = await db.instance.get_user_by_uuid(user_uuid)
+    u = db.get_user_by_uuid(user_uuid)
 
     return {
         "authenticated": False,

{paskia-0.7.2.dist-info → paskia-0.8.0.dist-info}/METADATA

@@ -1,17 +1,18 @@
 Metadata-Version: 2.4
 Name: paskia
-Version: 0.7.2
+Version: 0.8.0
 Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
 Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
 Project-URL: Repository, https://github.com/LeoVasanko/paskia
 Author: Leo Vasanko
 Keywords: FastAPI,auth_request,forward_auth
 Requires-Python: >=3.10
-Requires-Dist: aiosqlite>=0.19.0
+Requires-Dist: aiofiles>=25.1.0
 Requires-Dist: base64url>=1.0.0
 Requires-Dist: fastapi[standard]>=0.104.1
+Requires-Dist: jsondiff>=2.2.1
+Requires-Dist: msgspec>=0.20.0
 Requires-Dist: pyjwt>=2.8.0
-Requires-Dist: sqlalchemy[asyncio]>=2.0.0
 Requires-Dist: user-agents>=2.2.0
 Requires-Dist: uuid7-standard>=1.0.0
 Requires-Dist: webauthn>=1.11.1
@@ -22,6 +23,9 @@ Requires-Dist: httpx>=0.27.0; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.24.0; extra == 'dev'
 Requires-Dist: pytest>=8.0.0; extra == 'dev'
 Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Provides-Extra: migrate
+Requires-Dist: aiosqlite>=0.19.0; extra == 'migrate'
+Requires-Dist: sqlalchemy[asyncio]>=2.0.0; extra == 'migrate'
 Description-Content-Type: text/markdown
 
 # Paskia
@@ -56,16 +60,9 @@ Install [UV](https://docs.astral.sh/uv/getting-started/installation/) and run:
 uvx paskia serve --rp-id example.com
 ```
 
-On the first run it downloads the software and prints a registration link for the Admin. If you are going to be connecting `localhost` directly, for testing, leave out the rp-id.
+On the first run it downloads the software and prints a registration link for the Admin.  The server will start up on [localhost:4401](http://localhost:4401) *for authentication required*, serving for `*.example.com`. If you are going to be connecting `localhost` directly, for testing, leave out the rp-id.
 
-The server will start up on [localhost:4401](http://localhost:4401) "for authentication required", serving for `*.example.com`.
-
-Otherwise you will need a web server such as [Caddy](https://caddyserver.com/) to serve HTTPS on your actual domain names and proxy requests to Paskia and your backend apps.
-
-A quick example without any config file:
-```fish
-sudo caddy reverse-proxy --from example.com --to :4401
-```
+Otherwise you will need a web server such as [Caddy](https://caddyserver.com/) to serve HTTPS on your actual domain names and proxy requests to Paskia and your backend apps (see documentation below).
 
 For a permanent install of `paskia` CLI command, not needing `uvx`:
 
@@ -81,18 +78,17 @@ There is no config file. Pass only the options on CLI:
 paskia serve [options]
 ```
 
-Optional options:
-
-- Listen address (one of):
-    * `[host]:port`: Address and port (default: `localhost:4401`)
-    * `unix:/path.sock`: Unix socket
-- `--rp-id <domain>`: Main domain (required for production)
-- `--rp-name "<text>"`: Name of your company or site (default: same as rp-id)
-- `--origin <url>`: Explicit single site (default: `https://<rp-id>`)
-- `--auth-host <domain>`: Dedicated authentication site (e.g., `auth.example.com`)
+| Option | Description | Default |
+|--------|-------------|---------|
+| Listen address | One of *host***:***port* (default all hosts, port 4401) or **unix:***path***/paskia.socket** (Unix socket) | **localhost:4401** |
+| --rp-id *domain* | Main/top domain | **localhost** |
+| --rp-name *"text"* | Name of your company or site | Same as rp-id |
+| --origin *url* | Explicitly list the domain names served | **https://**_rp-id_ |
+| --auth-host *domain* | Dedicated authentication site (e.g., **auth.example.com**) | **Unspecified:** we use **/auth/** on **every** site under rp-id.|
 
-## Documentation
+## Further Documentation
 
-- `API.md`: Complete HTTP and WebSocket API reference
-- `Caddy.md`: Caddy configuration examples
-- `Headers.md`: HTTP headers passed to protected applications
+- [Caddy configuration](https://git.zi.fi/LeoVasanko/paskia/src/branch/main/docs/Caddy.md)
+- [Trusted Headers for Backend Apps](https://git.zi.fi/LeoVasanko/paskia/src/branch/main/docs/Headers.md)
+- [Frontend integration](https://git.zi.fi/LeoVasanko/paskia/src/branch/main/docs/Integration.md)
+- [Paskia API](https://git.zi.fi/LeoVasanko/paskia/src/branch/main/docs/API.md)