paskia 0.8.0__py3-none-any.whl → 0.8.1__py3-none-any.whl

paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.8.0'
-__version_tuple__ = version_tuple = (0, 8, 0)
+__version__ = version = '0.8.1'
+__version_tuple__ = version_tuple = (0, 8, 1)
 
 __commit_id__ = commit_id = None

paskia/config.py

@@ -22,4 +22,3 @@ class PaskiaConfig:
     host: str | None = None
     port: int | None = None
     uds: str | None = None
-    devmode: bool = False

paskia/db/__init__.py

@@ -166,6 +166,7 @@ __all__ = [
     "remove_permission_from_organization",
     "remove_permission_from_role",
     "rename_permission",
+    "set_session_host",
     "update_credential_sign_count",
     "update_organization_name",
     "update_permission",

paskia/fastapi/__main__.py

@@ -1,16 +1,31 @@
 import argparse
 import asyncio
-import ipaddress
+import json
 import logging
 import os
 from urllib.parse import urlparse
 
 import uvicorn
-
+from fastapi_vue.hostutil import parse_endpoint
+from uvicorn import Config, Server
+
+from paskia import globals as _globals
+from paskia.bootstrap import bootstrap_if_needed
+from paskia.config import PaskiaConfig
+from paskia.fastapi import app as fastapi_app
+from paskia.fastapi import reset as reset_cmd
+from paskia.util import startupbox
 from paskia.util.hostutil import normalize_origin
 
-DEFAULT_HOST = "localhost"
-DEFAULT_SERVE_PORT = 4401
+DEFAULT_PORT = 4401
+
+EPILOG = """\
+Examples:
+  paskia                      # localhost:4401
+  paskia :8080                # All interfaces, port 8080
+  paskia unix:/tmp/paskia.sock
+  paskia reset [user]         # Generate passkey reset link
+"""
 
 
 def is_subdomain(sub: str, domain: str) -> bool:
@@ -34,80 +49,6 @@ def validate_auth_host(auth_host: str, rp_id: str) -> None:
         )
 
 
-def parse_endpoint(
-    value: str | None, default_port: int
-) -> tuple[str | None, int | None, str | None, bool]:
-    """Parse an endpoint using stdlib (urllib.parse, ipaddress).
-
-    Returns (host, port, uds_path). If uds_path is not None, host/port are None.
-
-    Supported forms:
-    - host[:port]
-    - :port (uses default host)
-    - [ipv6][:port] (bracketed for port usage)
-    - ipv6 (unbracketed, no port allowed -> default port)
-    - unix:/path/to/socket.sock
-    - None -> defaults (localhost:4401)
-
-    Notes:
-    - For IPv6 with an explicit port you MUST use brackets (e.g. [::1]:8080)
-    - Unbracketed IPv6 like ::1 implies the default port.
-    """
-    if not value:
-        return DEFAULT_HOST, default_port, None, False
-
-    # Port only (numeric) -> localhost:port
-    if value.isdigit():
-        try:
-            port_only = int(value)
-        except ValueError:  # pragma: no cover (isdigit guards)
-            raise SystemExit(f"Invalid port '{value}'")
-        return DEFAULT_HOST, port_only, None, False
-
-    # Leading colon :port -> bind all interfaces (0.0.0.0 + ::)
-    if value.startswith(":") and value != ":":
-        port_part = value[1:]
-        if not port_part.isdigit():
-            raise SystemExit(f"Invalid port in '{value}'")
-        return None, int(port_part), None, True
-
-    # UNIX domain socket
-    if value.startswith("unix:"):
-        uds_path = value[5:] or None
-        if uds_path is None:
-            raise SystemExit("unix: path must not be empty")
-        return None, None, uds_path, False
-
-    # Unbracketed IPv6 (cannot safely contain a port) -> detect by multiple colons
-    if value.count(":") > 1 and not value.startswith("["):
-        try:
-            ipaddress.IPv6Address(value)
-        except ValueError as e:  # pragma: no cover
-            raise SystemExit(f"Invalid IPv6 address '{value}': {e}")
-        return value, default_port, None, False
-
-    # Use urllib.parse for everything else (host[:port], :port, [ipv6][:port])
-    parsed = urlparse(f"//{value}")  # // prefix lets urlparse treat it as netloc
-    host = parsed.hostname
-    port = parsed.port
-
-    # Host may be None if empty (e.g. ':5500')
-    if not host:
-        host = DEFAULT_HOST
-    if port is None:
-        port = default_port
-
-    # Validate IP literals (optional; hostname passes through)
-    try:
-        # Strip brackets if somehow present (urlparse removes them already)
-        ipaddress.ip_address(host)
-    except ValueError:
-        # Not an IP address -> treat as hostname; no action
-        pass
-
-    return host, port, None, False
-
-
 def add_common_options(p: argparse.ArgumentParser) -> None:
     p.add_argument(
         "--rp-id", default="localhost", help="Relying Party ID (default: localhost)"
@@ -134,45 +75,44 @@ def main():
     logging.basicConfig(level=logging.INFO, format="%(message)s", force=True)
 
     parser = argparse.ArgumentParser(
-        prog="paskia", description="Paskia authentication server"
+        prog="paskia",
+        description="Paskia authentication server",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=EPILOG,
     )
-    sub = parser.add_subparsers(dest="command", required=True)
 
-    # serve subcommand
-    serve = sub.add_parser(
-        "serve", help="Run the server (production style, no auto-reload)"
-    )
-    serve.add_argument(
+    # Primary argument: either host:port or "reset" subcommand
+    parser.add_argument(
         "hostport",
         nargs="?",
         help=(
             "Endpoint (default: localhost:4401). Forms: host[:port] | :port | "
-            "[ipv6][:port] | ipv6 | unix:/path.sock"
-        ),
-    )
-    add_common_options(serve)
-
-    # reset subcommand
-    reset = sub.add_parser(
-        "reset",
-        help=(
-            "Create a credential reset link for a user. Provide part of the display name or UUID. "
-            "If omitted, targets the master admin (first Administration role user in an auth:admin org)."
+            "[ipv6][:port] | ipv6 | unix:/path.sock | 'reset' for credential reset"
         ),
     )
-    reset.add_argument(
-        "query",
+    parser.add_argument(
+        "reset_query",
         nargs="?",
-        help="User UUID (full) or case-insensitive substring of display name. If omitted, master admin is used.",
+        help="For 'reset' command: user UUID or substring of display name",
     )
-    add_common_options(reset)
+    add_common_options(parser)
 
     args = parser.parse_args()
 
-    if args.command == "serve":
-        host, port, uds, all_ifaces = parse_endpoint(args.hostport, DEFAULT_SERVE_PORT)
+    # Detect "reset" subcommand (first positional is "reset")
+    is_reset = args.hostport == "reset"
+
+    if is_reset:
+        endpoints = []
     else:
-        host = port = uds = all_ifaces = None  # type: ignore
+        # Parse endpoint using fastapi_vue.hostutil
+        endpoints = parse_endpoint(args.hostport, DEFAULT_PORT)
+
+    # Extract host/port/uds from first endpoint for config display and site_url
+    ep = endpoints[0] if endpoints else {}
+    host = ep.get("host")
+    port = ep.get("port")
+    uds = ep.get("uds")
 
     # Collect and normalize origins, handle auth_host
     origins = [normalize_origin(o) for o in (getattr(args, "origins", None) or [])]
@@ -193,8 +133,13 @@ def main():
     origins = [x for x in origins if not (x in seen or seen.add(x))]
 
     # Compute site_url and site_path for reset links
-    # Priority: auth_host > first origin with localhost > http://localhost:port
-    if args.auth_host:
+    # Priority: PASKIA_SITE_URL (explicit) > auth_host > first origin with localhost > http://localhost:port
+    explicit_site_url = os.environ.get("PASKIA_SITE_URL")
+    if explicit_site_url:
+        # Explicit site URL from devserver or deployment config
+        site_url = explicit_site_url.rstrip("/")
+        site_path = "/" if args.auth_host else "/auth/"
+    elif args.auth_host:
         site_url = args.auth_host.rstrip("/")
         site_path = "/"
     elif origins:
@@ -215,8 +160,6 @@ def main():
         site_path = "/auth/"
 
     # Build runtime configuration
-    from paskia.config import PaskiaConfig
-
     config = PaskiaConfig(
         rp_id=args.rp_id,
         rp_name=args.rp_name or None,
@@ -230,8 +173,6 @@ def main():
     )
 
     # Export configuration via single JSON env variable for worker processes
-    import json
-
     config_json = {
         "rp_id": config.rp_id,
         "rp_name": config.rp_name,
@@ -243,8 +184,6 @@ def main():
     os.environ["PASKIA_CONFIG"] = json.dumps(config_json)
 
     # Initialize globals (without bootstrap yet)
-    from paskia import globals as _globals  # local import
-
     asyncio.run(
         _globals.init(
             rp_id=config.rp_id,
@@ -255,80 +194,45 @@ def main():
     )
 
     # Print startup configuration
-    from paskia.util import startupbox
-
     startupbox.print_startup_config(config)
 
     # Bootstrap after startup box is printed
-    from paskia.bootstrap import bootstrap_if_needed
-
     asyncio.run(bootstrap_if_needed())
 
-    # Handle recover-admin command (no server start)
-    if args.command == "reset":
-        from paskia.fastapi import reset as reset_cmd  # local import
-
-        exit_code = reset_cmd.run(getattr(args, "query", None))
+    # Handle reset command (no server start)
+    if is_reset:
+        exit_code = reset_cmd.run(args.reset_query)
         raise SystemExit(exit_code)
 
-    if args.command == "serve":
-        run_kwargs: dict = {
-            "log_level": "info",
-        }
-
-        # Dev mode: enable reload when PASKIA_DEVMODE is set
-        devmode = bool(os.environ.get("PASKIA_DEVMODE"))
-        if devmode:
-            # Security: dev mode must run on localhost:4402 to prevent
-            # accidental public exposure of the Vite dev server
-            if host != "localhost" or port != 4402:
-                raise SystemExit(f"Dev mode requires localhost:4402, got {host}:{port}")
-            run_kwargs["reload"] = True
-            run_kwargs["reload_dirs"] = ["paskia"]
-            # Suppress uvicorn startup messages in dev mode
-            run_kwargs["log_level"] = "warning"
-
-        if uds:
-            run_kwargs["uds"] = uds
-        else:
-            if not all_ifaces:
-                run_kwargs["host"] = host
-                run_kwargs["port"] = port
-
-        if all_ifaces and not uds:
-            # Dev mode with all interfaces: use simple single-server approach
-            if devmode:
-                run_kwargs["host"] = "::"
-                run_kwargs["port"] = port
-                uvicorn.run("paskia.fastapi:app", **run_kwargs)
-            else:
-                # Production: run separate servers for IPv4 and IPv6
-                from uvicorn import Config, Server  # noqa: E402 local import
-
-                from paskia.fastapi import (
-                    app as fastapi_app,  # noqa: E402 local import
-                )
-
-                async def serve_both():
-                    servers = []
-                    assert port is not None
-                    for h in ("0.0.0.0", "::"):
-                        try:
-                            cfg = Config(
-                                app=fastapi_app,
-                                host=h,
-                                port=port,
-                                log_level="info",
-                            )
-                            servers.append(Server(cfg))
-                        except Exception as e:  # pragma: no cover
-                            logging.warning(f"Failed to configure server for {h}: {e}")
-                    tasks = [asyncio.create_task(s.serve()) for s in servers]
-                    await asyncio.gather(*tasks)
-
-                asyncio.run(serve_both())
-        else:
-            uvicorn.run("paskia.fastapi:app", **run_kwargs)
+    # Dev mode: enable reload when FASTAPI_VUE_FRONTEND_URL is set
+    devmode = bool(os.environ.get("FASTAPI_VUE_FRONTEND_URL"))
+
+    run_kwargs: dict = {
+        "log_level": "info",
+    }
+
+    if devmode:
+        # Security: dev mode must run on localhost:4402 to prevent
+        # accidental public exposure of the Vite dev server
+        if host != "localhost" or port != 4402:
+            raise SystemExit(f"Dev mode requires localhost:4402, got {host}:{port}")
+        run_kwargs["reload"] = True
+        run_kwargs["reload_dirs"] = ["paskia"]
+        # Suppress uvicorn startup messages in dev mode
+        run_kwargs["log_level"] = "warning"
+
+    if len(endpoints) > 1:
+        # Run separate servers for multiple endpoints (e.g. IPv4 + IPv6)
+        async def serve_all():
+            async with asyncio.TaskGroup() as tg:
+                for ep in endpoints:
+                    tg.create_task(
+                        Server(Config(app=fastapi_app, **run_kwargs, **ep)).serve()
+                    )
+
+        asyncio.run(serve_all())
+    else:
+        uvicorn.run("paskia.fastapi:app", **run_kwargs, **endpoints[0])
 
 
 if __name__ == "__main__":

paskia/fastapi/admin.py

@@ -10,12 +10,12 @@ from paskia.authsession import EXPIRES, reset_expires
 from paskia.fastapi import authz
 from paskia.fastapi.session import AUTH_COOKIE
 from paskia.util import (
-    frontend,
     hostutil,
     passphrase,
     permutil,
     querysafe,
     useragent,
+    vitedev,
 )
 
 app = FastAPI()
@@ -77,7 +77,7 @@ async def general_exception_handler(_request, exc: Exception):  # pragma: no cov
 
 @app.get("/")
 async def adminapp(request: Request, auth=AUTH_COOKIE):
-    return Response(*await frontend.read("/auth/admin/index.html"))
+    return Response(*await vitedev.read("/auth/admin/index.html"))
 
 
 # -------------------- Organizations --------------------

paskia/fastapi/api.py

@@ -23,7 +23,7 @@ from paskia.authsession import (
 from paskia.fastapi import authz, session, user
 from paskia.fastapi.session import AUTH_COOKIE, AUTH_COOKIE_NAME
 from paskia.globals import passkey as global_passkey
-from paskia.util import frontend, hostutil, htmlutil, passphrase, userinfo
+from paskia.util import hostutil, htmlutil, passphrase, userinfo, vitedev
 
 bearer_auth = HTTPBearer(auto_error=True)
 
@@ -180,7 +180,7 @@ async def forward_authentication(
         if wants_html:
             # Browser request - return full-page HTML with metadata
             data_attrs = {"mode": e.mode, **e.metadata}
-            html = (await frontend.read("/int/forward/index.html"))[0]
+            html = (await vitedev.read("/int/forward/index.html"))[0]
             html = htmlutil.patch_html_data_attrs(html, **data_attrs)
             return Response(
                 html, status_code=e.status_code, media_type="text/html; charset=UTF-8"

paskia/fastapi/mainapp.py

@@ -5,11 +5,18 @@ from pathlib import Path
 
 from fastapi import FastAPI, HTTPException, Request, Response
 from fastapi.responses import FileResponse, RedirectResponse
-from fastapi.staticfiles import StaticFiles
+from fastapi_vue import Frontend
 
 from paskia.fastapi import admin, api, auth_host, ws
 from paskia.fastapi.session import AUTH_COOKIE
-from paskia.util import frontend, hostutil, passphrase
+from paskia.util import hostutil, passphrase, vitedev
+
+# Vue Frontend static files
+frontend = Frontend(
+    Path(__file__).with_name("frontend-build"),
+    cached=["/auth/assets/"],
+)
+
 
 # Path to examples/index.html when running from source tree
 _EXAMPLES_DIR = Path(__file__).parent.parent.parent / "examples"
@@ -43,10 +50,11 @@ async def lifespan(app: FastAPI):  # pragma: no cover - startup path
         raise
 
     # Restore info level logging after startup (suppressed during uvicorn init in dev mode)
-    if frontend.is_dev_mode():
+    if frontend.devmode:
         logging.getLogger("uvicorn").setLevel(logging.INFO)
         logging.getLogger("uvicorn.access").setLevel(logging.INFO)
 
+    await frontend.load()
     yield
 
 
@@ -59,19 +67,11 @@ app.mount("/auth/api/admin/", admin.app)
 app.mount("/auth/api/", api.app)
 app.mount("/auth/ws/", ws.app)
 
-# In dev mode (PASKIA_DEVMODE=1), Vite serves assets directly; skip static files mount
-if not frontend.is_dev_mode():
-    app.mount(
-        "/auth/assets/",
-        StaticFiles(directory=frontend.file("auth", "assets")),
-        name="assets",
-    )
-
 
 @app.get("/auth/restricted/")
 async def restricted_view():
     """Serve the restricted/authentication UI for iframe embedding."""
-    return Response(*await frontend.read("/auth/restricted/index.html"))
+    return Response(*await vitedev.read("/auth/restricted/index.html"))
 
 
 # Navigable URLs are defined here. We support both / and /auth/ as the base path
@@ -86,7 +86,7 @@ async def frontapp(request: Request, response: Response, auth=AUTH_COOKIE):
     The frontend handles mode detection (host mode vs full profile) based on settings.
     Access control is handled via APIs.
     """
-    return Response(*await frontend.read("/auth/index.html"))
+    return Response(*await vitedev.read("/auth/index.html"))
 
 
 @app.get("/admin", include_in_schema=False)
@@ -128,4 +128,8 @@ async def token_link(token: str):
     if not passphrase.is_well_formed(token):
         raise HTTPException(status_code=404)
 
-    return Response(*await frontend.read("/int/reset/index.html"))
+    return Response(*await vitedev.read("/int/reset/index.html"))
+
+
+# Final catch-all route for frontend files (keep at end of file)
+frontend.route(app, "/")

{paskia-0.8.0.dist-info → paskia-0.8.1.dist-info}/METADATA

@@ -1,14 +1,15 @@
 Metadata-Version: 2.4
 Name: paskia
-Version: 0.8.0
+Version: 0.8.1
 Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
 Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
 Project-URL: Repository, https://github.com/LeoVasanko/paskia
 Author: Leo Vasanko
 Keywords: FastAPI,auth_request,forward_auth
-Requires-Python: >=3.10
+Requires-Python: >=3.11
 Requires-Dist: aiofiles>=25.1.0
 Requires-Dist: base64url>=1.0.0
+Requires-Dist: fastapi-vue>=0.3.0
 Requires-Dist: fastapi[standard]>=0.104.1
 Requires-Dist: jsondiff>=2.2.1
 Requires-Dist: msgspec>=0.20.0

{paskia-0.8.0.dist-info → paskia-0.8.1.dist-info}/RECORD

@@ -1,25 +1,25 @@
 paskia/__init__.py,sha256=6eopO87IOFA2zfOuqt8Jj8Tdtp93HBMOgUBtTzMRweM,57
-paskia/_version.py,sha256=Rttl-BDadtcW1QzGnNffCWA_Wc9mUKDMOBPZp--Mnsc,704
+paskia/_version.py,sha256=3xUKhXexSTpGjDP__-RnFbAaEHHySzOSJX6zocN6QZU,704
 paskia/authsession.py,sha256=Do0L2b_i3zUKvRcf4p45xeCwu5ZXAwdtEPr5H8y6X7M,2305
 paskia/bootstrap.py,sha256=5p4kAfTeWbcM-JD6gnmKMUilhPSRIH8HyZtnVevt8Co,5764
-paskia/config.py,sha256=U_HGzZab-HEVPuoMXxy2mrpoiZYW4jy_jiWDnhf0wBA,749
+paskia/config.py,sha256=BdGzQ3Ja1enSTHmkDkBDGQk_JluT3VaK3Y7AqB5xMlk,723
 paskia/globals.py,sha256=YQQHDr2nCicgCSWyIKOj_vL33c7uHTCi94cKXk6y2iI,1713
 paskia/remoteauth.py,sha256=peu_fcINwDW8YGzLtbMq7FX7oD05bWwNLmJaMYWaKR0,12481
 paskia/sansio.py,sha256=O4TGgNrHAYtHR2IxRgyrB2P2Zesz7eGq-IMM1RGjvC8,9998
 paskia/aaguid/__init__.py,sha256=Moy67wiJSYulL_whgEEBBKabKEOvlR-NRLyXprDdBO0,1007
 paskia/aaguid/combined_aaguid.json,sha256=CaZ96AiwdAjBnyVZnJ1eolAHxUQMB2H6mDgZkorYg_A,4124722
-paskia/db/__init__.py,sha256=YaolZA23SEbqIKYwlK4mvpCCqNXEoWGsOpK_EEZt5Rg,3983
+paskia/db/__init__.py,sha256=GzOfyLlnxsNj5i0Slhc3csasEDqsKuTgnMHNI57SMqo,4007
 paskia/db/background.py,sha256=Wb8pWmko0CbY48NCfBkxmmPRgPaU5U_wEA4TYNPHBe8,4005
 paskia/db/jsonl.py,sha256=CCl3Tlj73_Ej5NbiZQgEGrGqm6uLQF0bmmupoZ060tU,3913
 paskia/db/operations.py,sha256=aOrvq8YSjRuN_Ahq7nK7iTx4Uw6uBmfnmKisC-v2cwU,41591
 paskia/db/structs.py,sha256=ZWqAJPtixT6B5iHibss3KpDqvgzgPfP-nbSf3NGDQN4,3574
 paskia/fastapi/__init__.py,sha256=NFsTX1qytoyZKiur7RDTa2fxiOWHrop5CAAx8rqK9E0,58
-paskia/fastapi/__main__.py,sha256=YtkTWGLPrrjsgZeGUWoRENAgdqwQSufjHimWKuLZKDg,11322
-paskia/fastapi/admin.py,sha256=sR6pJVBffTmdiiuAtlq7Ar64qnP55dczgUZ5QQwCOIA,36873
-paskia/fastapi/api.py,sha256=lMOTaoX4gBsotjBrP-FEs5-C_NmjGJJaRNFkpbgWhvQ,10654
+paskia/fastapi/__main__.py,sha256=174cDU95640vh0rK_dE4Wu_pi5d273qAXwmOyYIctgg,7875
+paskia/fastapi/admin.py,sha256=4gr09CdGScpubSajXDLxiuJUHkV4hqIINffY3wxaZhs,36871
+paskia/fastapi/api.py,sha256=yzI24hPKsgw-UrvEDphtB25S6NUM-9fyfz_JaQ4_PHI,10652
 paskia/fastapi/auth_host.py,sha256=Y5w9Mz6jyq0hj7SX8LfwebaesUOLGcWzGW9lsmw5WOo,3242
 paskia/fastapi/authz.py,sha256=6s2TGkb3C7qWTXHOaMj613NiqMfztqM5QENuSb2IjO8,3529
-paskia/fastapi/mainapp.py,sha256=Jcoet0U4aQK8YfXQ07NuanjYXu0wPkwKaHQsrlKtBas,4466
+paskia/fastapi/mainapp.py,sha256=nvUlKNzwHQZNhoXFVmGj9Aj2kFjklzdSNzJw8pjnimY,4442
 paskia/fastapi/remote.py,sha256=Qwplai_bK65WqxRA3btV_Psrl_bDF2VHN0Yzh5vwB78,19783
 paskia/fastapi/reset.py,sha256=8rhtqU_L17i_ZrIPPz7cXi_laWfM9_daNSnG2gS93b8,3341
 paskia/fastapi/session.py,sha256=9n0NuK5NtocOb27ahIU2T9eHZUog1Og_i9vvaDf7Wo8,1489
@@ -49,20 +49,7 @@ paskia/frontend-build/int/forward/index.html,sha256=h4qLmAjIlGQ7ZjKV3yDsMD4SpPS2
 paskia/frontend-build/int/reset/index.html,sha256=t21RLLETyTHBnKe95V053_zmfB34Vavp0fp4G5fU7-U,612
 paskia/migrate/__init__.py,sha256=4ZpfZbPBeJHi1Pjtq76bOi8Ev4hFDwZNXIQNuqQ3p5c,9803
 paskia/migrate/sql.py,sha256=qiAQooYVYdFwW-UeMwNnjLOjVAFa1tjHCZFjkkuinp0,12782
-paskia/util/frontend.py,sha256=NbCWi74lb6yqk-2WKJci4km-Kij0yCK1Vq_51yKfY3U,2505
-paskia/util/hostutil.py,sha256=agZWjOawQxHshLGkFX-TxpExP1pjXEWCSrMCnOGajk8,2321
-paskia/util/htmlutil.py,sha256=r0YR3AKIsIg5Gg45N92Lh7UYz2kwF1coreZahzLZIX8,1580
-paskia/util/passphrase.py,sha256=oAfLJwaBvCmXY3CMv8KeAogE9V5SejnTLfXWIiQYCOo,562
-paskia/util/permutil.py,sha256=-pjC54SUXy6G-wET8hXtlEOhsiHY8ukpt_-lVBxu9T0,1388
-paskia/util/pow.py,sha256=u99Phs1DBiv9Ptm8agaA7ZSOnRPtDcpgkLgGzNTcJWo,1395
-paskia/util/querysafe.py,sha256=iHfY2z5MX0Y6gso2oeq-SiHhg97vq35Jp1D16sXY0FE,294
-paskia/util/sessionutil.py,sha256=nhm2OVOrWQ8tskHEBSLrLrZjG6-jQdvbfqGyib2mZ50,1263
-paskia/util/startupbox.py,sha256=SIg26g9EIdkm7uVWiDfAUuXn6Z05EAsYEQni4qkVEWI,2353
-paskia/util/timeutil.py,sha256=1Zf8rXa76oLXDuZrGyuVDNhFjxl-28Z_Xb6pIH06ORk,1258
-paskia/util/useragent.py,sha256=wOeueToxKHdJ91vT5jMVBoIhelNwxD5u7vgWQGSjImA,325
-paskia/util/userinfo.py,sha256=b3dP_EJ94x76UAclq3y1rwvo3hIa65JM6B3mTRoZvJ8,4600
-paskia/util/wordlist.py,sha256=EKwrABkqRO1f59--muegOoluPydPJAHlWJNXwV0IFyA,6069
-paskia-0.8.0.dist-info/METADATA,sha256=XjqoY0zqAImymOSNsiluNfwGNtxHMdWW_9EhdeiTAQM,4227
-paskia-0.8.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-paskia-0.8.0.dist-info/entry_points.txt,sha256=vvx6RYetgd61I2ODqQPHqrKHgCfuo08w_T35yDlHenE,93
-paskia-0.8.0.dist-info/RECORD,,
+paskia-0.8.1.dist-info/METADATA,sha256=gRL8oNIcCgmyIHkC5-mAiup9dwEdAgoMbzIbSqo6apE,4261
+paskia-0.8.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+paskia-0.8.1.dist-info/entry_points.txt,sha256=vvx6RYetgd61I2ODqQPHqrKHgCfuo08w_T35yDlHenE,93
+paskia-0.8.1.dist-info/RECORD,,

paskia/util/frontend.py

@@ -1,75 +0,0 @@
-import asyncio
-import mimetypes
-import os
-from importlib import resources
-from pathlib import Path
-
-import httpx
-
-__all__ = ["path", "file", "read", "is_dev_mode"]
-
-
-def _get_dev_server() -> str | None:
-    """Get the dev server URL from environment, or None if not in dev mode."""
-    return os.environ.get("PASKIA_DEVMODE") or None
-
-
-def _resolve_static_dir() -> Path:
-    # Try packaged path via importlib.resources (works for wheel/installed).
-    try:  # pragma: no cover - trivial path resolution
-        pkg_dir = resources.files("paskia") / "frontend-build"
-        fs_path = Path(str(pkg_dir))
-        if fs_path.is_dir():
-            return fs_path
-    except Exception:  # pragma: no cover - defensive
-        pass
-    # Fallback for editable/development before build.
-    return Path(__file__).parent.parent / "frontend-build"
-
-
-path: Path = _resolve_static_dir()
-
-
-def file(*parts: str) -> Path:
-    """Return a child path under the static root."""
-    return path.joinpath(*parts)
-
-
-def is_dev_mode() -> bool:
-    """Check if we're running in dev mode (Vite frontend server)."""
-    return bool(_get_dev_server())
-
-
-async def read(filepath: str) -> tuple[bytes, int, dict[str, str]]:
-    """Read file content and return response tuple.
-
-    In dev mode, fetches from the Vite dev server.
-    In production, reads from the static build directory.
-
-    Args:
-        filepath: Path relative to frontend root, e.g. "/auth/index.html"
-
-    Returns:
-        Tuple of (content, status_code, headers) suitable for
-        FastAPI Response(*args) or Sanic raw response.
-    """
-    if is_dev_mode():
-        dev_server = _get_dev_server()
-        async with httpx.AsyncClient() as client:
-            resp = await client.get(f"{dev_server}{filepath}")
-            resp.raise_for_status()
-            mime = resp.headers.get("content-type", "application/octet-stream")
-            # Strip charset suffix if present
-            mime = mime.split(";")[0].strip()
-            return resp.content, resp.status_code, {"content-type": mime}
-    else:
-        # Production: read from static build
-        file_path = path / filepath.lstrip("/")
-        content = await _read_file_async(file_path)
-        mime, _ = mimetypes.guess_type(str(file_path))
-        return content, 200, {"content-type": mime or "application/octet-stream"}
-
-
-async def _read_file_async(file_path: Path) -> bytes:
-    """Read file asynchronously using asyncio.to_thread."""
-    return await asyncio.to_thread(file_path.read_bytes)

paskia/util/hostutil.py

@@ -1,76 +0,0 @@
-"""Utilities for determining the auth UI host and base URLs."""
-
-import json
-import os
-from functools import lru_cache
-from urllib.parse import urlsplit
-
-
-@lru_cache(maxsize=1)
-def _load_config() -> dict:
-    """Load PASKIA_CONFIG JSON."""
-    config_json = os.getenv("PASKIA_CONFIG")
-    if not config_json:
-        return {}
-    return json.loads(config_json)
-
-
-def is_root_mode() -> bool:
-    return _load_config().get("auth_host") is not None
-
-
-def dedicated_auth_host() -> str | None:
-    """Return configured auth_host netloc, or None."""
-    auth_host = _load_config().get("auth_host")
-    if not auth_host:
-        return None
-    from urllib.parse import urlparse
-
-    parsed = urlparse(auth_host if "://" in auth_host else f"//{auth_host}")
-    return parsed.netloc or parsed.path or None
-
-
-def ui_base_path() -> str:
-    return "/" if is_root_mode() else "/auth/"
-
-
-def auth_site_url() -> str:
-    """Return the base URL for the auth site UI (computed at startup)."""
-    cfg = _load_config()
-    return cfg.get("site_url", "https://localhost") + cfg.get("site_path", "/auth/")
-
-
-def reset_link_url(token: str) -> str:
-    """Generate a reset link URL for the given token."""
-    return f"{auth_site_url()}{token}"
-
-
-def normalize_origin(origin: str) -> str:
-    """Normalize an origin URL by adding https:// if no scheme is present."""
-    if "://" not in origin:
-        return f"https://{origin}"
-    return origin
-
-
-def reload_config() -> None:
-    _load_config.cache_clear()
-
-
-def normalize_host(raw_host: str | None) -> str | None:
-    """Normalize a Host header preserving port (exact match required)."""
-    if not raw_host:
-        return None
-    candidate = raw_host.strip()
-    if not candidate:
-        return None
-    # urlsplit to parse (add // for scheme-less); prefer netloc to retain port.
-    parsed = urlsplit(candidate if "//" in candidate else f"//{candidate}")
-    netloc = parsed.netloc or parsed.path or ""
-    # Strip IPv6 brackets around host part but retain port suffix.
-    if netloc.startswith("["):
-        # format: [ipv6]:port or [ipv6]
-        if "]" in netloc:
-            host_part, _, rest = netloc.partition("]")
-            port_part = rest.lstrip(":")
-            netloc = host_part.strip("[]") + (f":{port_part}" if port_part else "")
-    return netloc.lower() or None

paskia/util/htmlutil.py

@@ -1,47 +0,0 @@
-"""Utility functions for HTML manipulation."""
-
-import re
-
-
-def patch_html_data_attrs(html: bytes, **data_attrs: str) -> bytes:
-    """Patch HTML by adding data attributes to the <html> tag.
-
-    If an <html> tag exists, adds data attributes to it.
-    If no <html> tag exists, prepends one with the data attributes.
-
-    Args:
-        html: The HTML content as bytes
-        **data_attrs: Key-value pairs for data attributes (e.g., mode='reauth')
-
-    Returns:
-        Modified HTML as bytes
-
-    Examples:
-        >>> patch_html_data_attrs(b'<html><body>test</body></html>', mode='reauth')
-        b'<html data-mode="reauth"><body>test</body></html>'
-
-        >>> patch_html_data_attrs(b'<body>test</body>', mode='reauth')
-        b'<html data-mode="reauth"><body>test</body>'
-    """
-    if not data_attrs:
-        return html
-
-    html_str = html.decode("utf-8")
-
-    # Build the data attributes string
-    attrs_str = " ".join(f'data-{key}="{value}"' for key, value in data_attrs.items())
-
-    # Check if there's an <html> tag (case-insensitive, may have existing attributes)
-    html_tag_pattern = re.compile(r"<html([^>]*)>", re.IGNORECASE)
-    match = html_tag_pattern.search(html_str)
-
-    if match:
-        # Insert data attributes into existing <html> tag
-        existing_attrs = match.group(1)
-        new_tag = f"<html{existing_attrs} {attrs_str}>"
-        html_str = html_tag_pattern.sub(new_tag, html_str, count=1)
-    else:
-        # Prepend <html> tag with data attributes
-        html_str = f"<html {attrs_str}>" + html_str
-
-    return html_str.encode("utf-8")

paskia/util/passphrase.py

@@ -1,20 +0,0 @@
-import secrets
-
-from paskia.util.wordlist import words
-
-N_WORDS = 5
-N_WORDS_SHORT = 3
-
-wset = set(words)
-
-
-def generate(n=N_WORDS, sep="."):
-    """Generate a password of random words without repeating any word."""
-    wl = words.copy()
-    return sep.join(wl.pop(secrets.randbelow(len(wl))) for i in range(n))
-
-
-def is_well_formed(passphrase: str, n=N_WORDS, sep=".") -> bool:
-    """Check if the passphrase is well-formed according to the regex pattern."""
-    p = passphrase.split(sep)
-    return len(p) == n and all(w in wset for w in passphrase.split("."))

paskia/util/permutil.py

@@ -1,43 +0,0 @@
-"""Minimal permission helpers with '*' wildcard support (no DB expansion)."""
-
-from collections.abc import Sequence
-from fnmatch import fnmatchcase
-
-from paskia import db
-from paskia.util.hostutil import normalize_host
-
-__all__ = ["has_any", "has_all", "session_context"]
-
-
-def _match(perms: set[str], patterns: Sequence[str]):
-    return (
-        any(fnmatchcase(p, pat) for p in perms) if "*" in pat else pat in perms
-        for pat in patterns
-    )
-
-
-def _get_effective_scopes(ctx) -> set[str]:
-    """Get effective permission scopes from context.
-
-    Returns scopes from ctx.permissions (filtered by org) if available,
-    otherwise falls back to ctx.role.permissions for backwards compatibility.
-    """
-    if ctx.permissions:
-        return {p.scope for p in ctx.permissions}
-    # Fallback for contexts without effective permissions computed
-    return set(ctx.role.permissions or [])
-
-
-def has_any(ctx, patterns: Sequence[str]) -> bool:
-    return any(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
-
-
-def has_all(ctx, patterns: Sequence[str]) -> bool:
-    return all(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
-
-
-async def session_context(auth: str | None, host: str | None = None):
-    if not auth:
-        return None
-    normalized_host = normalize_host(host) if host else None
-    return db.get_session_context(auth, normalized_host)

paskia/util/pow.py

@@ -1,45 +0,0 @@
-"""
-Proof of Work utility using PBKDF2-SHA512.
-
-The PoW requires finding nonces where PBKDF2(challenge, nonce) produces
-output with a zero first byte. Each work unit requires finding one such nonce.
-All valid nonces are concatenated into a solution for server verification.
-"""
-
-import hashlib
-import secrets
-
-EASY = 2  # Around 0.25s
-NORMAL = 8  # Around 1s
-HARD = 32  # Around 4s
-
-
-def generate_challenge() -> bytes:
-    """Generate a random 8-byte challenge."""
-    return secrets.token_bytes(8)
-
-
-def verify_pow(challenge: bytes, solution: bytes, work: int = NORMAL) -> None:
-    """Verify a Proof of Work solution.
-
-    Args:
-        challenge: 8-byte server-provided challenge
-        solution: Concatenated 8-byte nonces (8 * work bytes)
-        work: Number of work units expected
-
-    Raises:
-        ValueError: If the solution is invalid
-    """
-    if len(challenge) != 8:
-        raise ValueError("Invalid challenge length")
-
-    if len(solution) != 8 * work:
-        raise ValueError("Invalid solution length")
-
-    # Verify each work unit - check that PBKDF2 output starts with 0x00
-    for i in range(work):
-        nonce = solution[i * 8 : (i + 1) * 8]
-        # Require first byte of PBKDF2-SHA512 to be zero
-        result = hashlib.pbkdf2_hmac("sha512", challenge, nonce, 128, 2)
-        if result[0] or result[1] & 0x07:
-            raise ValueError("Invalid PoW solution")

paskia/util/querysafe.py

@@ -1,11 +0,0 @@
-import re
-
-_SAFE_RE = re.compile(r"^[A-Za-z0-9:._~-]+$")
-
-
-def assert_safe(value: str, *, field: str = "value") -> None:
-    if not isinstance(value, str) or not value or not _SAFE_RE.match(value):
-        raise ValueError(f"{field} must match ^[A-Za-z0-9:._~-]+$")
-
-
-__all__ = ["assert_safe"]

paskia/util/sessionutil.py

@@ -1,38 +0,0 @@
-"""Utility functions for session validation and checking."""
-
-from datetime import datetime, timezone
-
-from paskia.authsession import EXPIRES
-from paskia.db import SessionContext
-from paskia.util.timeutil import parse_duration
-
-
-def check_session_age(ctx: SessionContext, max_age: str | None) -> bool:
-    """Check if a session satisfies the max_age requirement.
-
-    Uses the credential's last_used timestamp to determine authentication age,
-    since session renewal can happen without re-authentication.
-
-    Args:
-        ctx: The session context containing session and credential info
-        max_age: Maximum age string (e.g., "5m", "1h", "30s") or None
-
-    Returns:
-        True if authentication is recent enough or max_age is None, False if too old
-
-    Raises:
-        ValueError: If max_age format is invalid
-    """
-    if not max_age:
-        return True
-
-    max_age_delta = parse_duration(max_age)
-
-    # Use credential's last_used time if available, fall back to session renewed time
-    if ctx.credential and ctx.credential.last_used:
-        auth_time = ctx.credential.last_used
-    else:
-        auth_time = ctx.session.expiry - EXPIRES
-
-    time_since_auth = datetime.now(timezone.utc) - auth_time
-    return time_since_auth <= max_age_delta

paskia/util/startupbox.py

@@ -1,75 +0,0 @@
-"""Startup configuration box formatting utilities."""
-
-import os
-from sys import stderr
-from typing import TYPE_CHECKING
-
-from paskia._version import __version__
-
-if TYPE_CHECKING:
-    from paskia.config import PaskiaConfig
-
-BOX_WIDTH = 60  # Inner width (excluding box chars)
-
-
-def line(text: str = "") -> str:
-    """Format a line inside the box with proper padding, truncating if needed."""
-    if len(text) > BOX_WIDTH:
-        text = text[: BOX_WIDTH - 1] + "…"
-    return f"┃ {text:<{BOX_WIDTH}} ┃\n"
-
-
-def top() -> str:
-    return "┏" + "━" * (BOX_WIDTH + 2) + "┓\n"
-
-
-def bottom() -> str:
-    return "┗" + "━" * (BOX_WIDTH + 2) + "┛\n"
-
-
-def print_startup_config(config: "PaskiaConfig") -> None:
-    """Print server configuration on startup."""
-    lines = [top()]
-    lines.append(line(" ▄▄▄▄▄"))
-    lines.append(line("█     █ Paskia " + __version__))
-    lines.append(line("█     █▄▄▄▄▄▄▄▄▄▄▄▄"))
-    lines.append(line("█     █▀▀▀▀█▀▀█▀▀█    " + config.site_url + config.site_path))
-    lines.append(line(" ▀▀▀▀▀"))
-
-    # Format auth host section
-    if config.auth_host:
-        lines.append(line(f"Auth Host:      {config.auth_host}"))
-
-    # Show frontend URL if in dev mode
-    devmode = os.environ.get("PASKIA_DEVMODE")
-    if devmode:
-        lines.append(line(f"Dev Frontend:   {devmode}"))
-
-    # Format listen address with scheme
-    if config.uds:
-        listen = f"unix:{config.uds}"
-    elif config.host:
-        listen = f"http://{config.host}:{config.port}"
-    else:
-        listen = f"http://0.0.0.0:{config.port} + [::]:{config.port}"
-    lines.append(line(f"Backend:        {listen}"))
-
-    # Relying Party line (omit name if same as id)
-    rp_id = config.rp_id
-    rp_name = config.rp_name
-    if rp_name and rp_name != rp_id:
-        lines.append(line(f"Relying Party:  {rp_id}  ({rp_name})"))
-    else:
-        lines.append(line(f"Relying Party:  {rp_id}"))
-
-    # Format origins section
-    allowed = config.origins
-    if allowed:
-        lines.append(line("Permitted Origins:"))
-        for origin in sorted(allowed):
-            lines.append(line(f"  - {origin}"))
-    else:
-        lines.append(line(f"Origin:         {rp_id} and all subdomains allowed"))
-
-    lines.append(bottom())
-    stderr.write("".join(lines))

paskia/util/timeutil.py

@@ -1,47 +0,0 @@
-"""Utility functions for parsing time durations."""
-
-import re
-from datetime import timedelta
-
-
-def parse_duration(duration_str: str) -> timedelta:
-    """Parse a duration string into a timedelta.
-
-    Supports units: s, m, min, h, d
-    Examples: "30s", "5m", "5min", "2h", "1d"
-
-    Args:
-        duration_str: A string like "30s", "5m", "2h"
-
-    Returns:
-        A timedelta object
-
-    Raises:
-        ValueError: If the format is invalid
-    """
-    duration_str = duration_str.strip().lower()
-
-    # Pattern matches: number + unit
-    # Units: s (seconds), m/min (minutes), h (hours), d (days)
-    pattern = r"^(\d+(?:\.\d+)?)(s|m|min|h|d)$"
-    match = re.match(pattern, duration_str)
-
-    if not match:
-        raise ValueError(
-            f"Invalid duration format: '{duration_str}'. "
-            "Expected format like '30s', '5m', '5min', '2h', or '1d'"
-        )
-
-    value = float(match.group(1))
-    unit = match.group(2)
-
-    if unit == "s":
-        return timedelta(seconds=value)
-    elif unit in ("m", "min"):
-        return timedelta(minutes=value)
-    elif unit == "h":
-        return timedelta(hours=value)
-    elif unit == "d":
-        return timedelta(days=value)
-    else:
-        raise ValueError(f"Unsupported time unit: {unit}")

paskia/util/useragent.py

@@ -1,10 +0,0 @@
-import user_agents
-
-
-def compact_user_agent(ua: str | None) -> str:
-    if not ua:
-        return "-"
-    u = user_agents.parse(ua)
-    ver = u.browser.version_string.split(".")[0]
-    dev = u.device.family if u.device.family not in ["Other", "Mac"] else ""
-    return f"{u.browser.family}/{ver} {u.os.family} {dev}".strip()

paskia/util/userinfo.py

@@ -1,145 +0,0 @@
-"""User information formatting and retrieval logic."""
-
-from datetime import timezone
-
-from paskia import aaguid, db
-from paskia.authsession import EXPIRES
-from paskia.util import hostutil, permutil, useragent
-
-
-def _format_datetime(dt):
-    """Format a datetime object to ISO 8601 string with UTC timezone."""
-    if dt is None:
-        return None
-    if dt.tzinfo:
-        return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
-    else:
-        return dt.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
-
-
-async def format_user_info(
-    *,
-    user_uuid,
-    auth: str,
-    session_record,
-    request_host: str | None,
-) -> dict:
-    """Format complete user information for authenticated users.
-
-    Args:
-        user_uuid: UUID of the user to fetch information for
-        auth: Authentication token
-        session_record: Current session record
-        request_host: Host header from the request
-
-    Returns:
-        Dictionary containing formatted user information including:
-        - User details
-        - Organization and role information
-        - Credentials list
-        - Sessions list
-        - Permissions
-    """
-    u = db.get_user_by_uuid(user_uuid)
-    ctx = await permutil.session_context(auth, request_host)
-
-    # Fetch and format credentials
-    user_credentials = db.get_credentials_by_user_uuid(user_uuid)
-    credentials: list[dict] = []
-    user_aaguids: set[str] = set()
-
-    for c in user_credentials:
-        aaguid_str = str(c.aaguid)
-        user_aaguids.add(aaguid_str)
-        credentials.append(
-            {
-                "credential_uuid": str(c.uuid),
-                "aaguid": aaguid_str,
-                "created_at": _format_datetime(c.created_at),
-                "last_used": _format_datetime(c.last_used),
-                "last_verified": _format_datetime(c.last_verified),
-                "sign_count": c.sign_count,
-                "is_current_session": session_record.credential_uuid == c.uuid,
-            }
-        )
-
-    credentials.sort(key=lambda cred: cred["created_at"])
-    aaguid_info = aaguid.filter(user_aaguids)
-
-    # Format role and org information
-    role_info = None
-    org_info = None
-    effective_permissions: list[str] = []
-
-    if ctx:
-        role_info = {
-            "uuid": str(ctx.role.uuid),
-            "display_name": ctx.role.display_name,
-            "permissions": ctx.role.permissions,
-        }
-        org_info = {
-            "uuid": str(ctx.org.uuid),
-            "display_name": ctx.org.display_name,
-            "permissions": ctx.org.permissions,
-        }
-        effective_permissions = [p.scope for p in (ctx.permissions or [])]
-
-    # Format sessions
-    normalized_request_host = hostutil.normalize_host(request_host)
-    session_records = db.list_sessions_for_user(user_uuid)
-    current_session_key = auth
-    sessions_payload: list[dict] = []
-
-    for entry in session_records:
-        sessions_payload.append(
-            {
-                "id": entry.key,
-                "credential_uuid": str(entry.credential_uuid),
-                "host": entry.host,
-                "ip": entry.ip,
-                "user_agent": useragent.compact_user_agent(entry.user_agent),
-                "last_renewed": _format_datetime(entry.expiry - EXPIRES),
-                "is_current": entry.key == current_session_key,
-                "is_current_host": bool(
-                    normalized_request_host
-                    and entry.host
-                    and entry.host == normalized_request_host
-                ),
-            }
-        )
-
-    return {
-        "authenticated": True,
-        "user": {
-            "user_uuid": str(u.uuid),
-            "user_name": u.display_name,
-            "created_at": _format_datetime(u.created_at),
-            "last_seen": _format_datetime(u.last_seen),
-            "visits": u.visits,
-        },
-        "org": org_info,
-        "role": role_info,
-        "permissions": effective_permissions,
-        "credentials": credentials,
-        "aaguid_info": aaguid_info,
-        "sessions": sessions_payload,
-    }
-
-
-async def format_reset_user_info(user_uuid, reset_token) -> dict:
-    """Format minimal user information for reset token requests.
-
-    Args:
-        user_uuid: UUID of the user
-        reset_token: Reset token record
-
-    Returns:
-        Dictionary with minimal user info for password reset flow
-    """
-    u = db.get_user_by_uuid(user_uuid)
-
-    return {
-        "authenticated": False,
-        "session_type": reset_token.token_type,
-        "user": {"user_uuid": str(u.uuid), "user_name": u.display_name},
-    }

paskia/util/wordlist.py

@@ -1,54 +0,0 @@
-# A custom list of 1024 common 3-6 letter words, with unique 3-prefixes and no prefix words, entropy 2.1b/letter 10b/word
-words: list = """
-able about absent abuse access acid across act adapt add adjust admit adult advice affair afraid again age agree ahead
-aim air aisle alarm album alert alien all almost alone alpha also alter always amazed among amused anchor angle animal
-ankle annual answer any apart appear april arch are argue army around array art ascent ash ask aspect assume asthma atom
-attack audit august aunt author avoid away awful axis baby back bad bag ball bamboo bank bar base battle beach become
-beef before begin behind below bench best better beyond bid bike bind bio birth bitter black bleak blind blood blue
-board body boil bomb bone book border boss bottom bounce bowl box boy brain bread bring brown brush bubble buck budget
-build bulk bundle burden bus but buyer buzz cable cache cage cake call came can car case catch cause cave celery cement
-census cereal change check child choice chunk cigar circle city civil class clean client close club coast code coffee
-coil cold come cool copy core cost cotton couch cover coyote craft cream crime cross cruel cry cube cue cult cup curve
-custom cute cycle dad damage danger daring dash dawn day deal debate decide deer define degree deity delay demand denial
-depth derive design detail device dial dice die differ dim dinner direct dish divert dizzy doctor dog dollar domain
-donate door dose double dove draft dream drive drop drum dry duck dumb dune during dust dutch dwarf eager early east
-echo eco edge edit effort egg eight either elbow elder elite else embark emerge emily employ enable end enemy engine
-enjoy enlist enough enrich ensure entire envy equal era erode error erupt escape essay estate ethics evil evoke exact
-excess exist exotic expect extent eye fabric face fade faith fall family fan far father fault feel female fence fetch
-fever few fiber field figure file find first fish fit fix flat flesh flight float fluid fly foam focus fog foil follow
-food force fossil found fox frame fresh friend frog fruit fuel fun fury future gadget gain galaxy game gap garden gas
-gate gauge gaze genius ghost giant gift giggle ginger girl give glass glide globe glue goal god gold good gospel govern
-gown grant great grid group grunt guard guess guide gulf gun gym habit hair half hammer hand happy hard hat have hawk
-hay hazard head hedge height help hen hero hidden high hill hint hip hire hobby hockey hold home honey hood hope horse
-host hotel hour hover how hub huge human hungry hurt hybrid ice icon idea idle ignore ill image immune impact income
-index infant inhale inject inmate inner input inside into invest iron island issue italy item ivory jacket jaguar james
-jar jazz jeans jelly jewel job joe joke joy judge juice july jump june just kansas kate keep kernel key kick kid kind
-kiss kit kiwi knee knife know labor lady lag lake lamp laptop large later laugh lava law layer lazy leader left legal
-lemon length lesson letter level liar libya lid life light like limit line lion liquid list little live lizard load
-local logic long loop lost loud love low loyal lucky lumber lunch lust luxury lyrics mad magic main major make male
-mammal man map market mass matter maze mccoy meadow media meet melt member men mercy mesh method middle milk mimic mind
-mirror miss mix mobile model mom monkey moon more mother mouse move much muffin mule must mutual myself myth naive name
-napkin narrow nasty nation near neck need nephew nerve nest net never news next nice night noble noise noodle normal
-nose note novel now number nurse nut oak obey object oblige obtain occur ocean odor off often oil okay old olive omit
-once one onion online open opium oppose option orange orbit order organ orient orphan other outer oval oven own oxygen
-oyster ozone pact paddle page pair palace panel paper parade past path pause pave paw pay peace pen people pepper permit
-pet philip phone phrase piano pick piece pig pilot pink pipe pistol pitch pizza place please pluck poem point polar pond
-pool post pot pound powder praise prefer price profit public pull punch pupil purity push put puzzle qatar quasi queen
-quite quoted rabbit race radio rail rally ramp range rapid rare rather raven raw razor real rebel recall red reform
-region reject relief remain rent reopen report result return review reward rhythm rib rich ride rifle right ring riot
-ripple risk ritual river road robot rocket room rose rotate round row royal rubber rude rug rule run rural sad safe sage
-sail salad same santa sauce save say scale scene school scope screen scuba sea second seed self semi sense series settle
-seven shadow she ship shock shrimp shy sick side siege sign silver simple since siren sister six size skate sketch ski
-skull slab sleep slight slogan slush small smile smooth snake sniff snow soap soccer soda soft solid son soon sort south
-space speak sphere spirit split spoil spring spy square state step still story strong stuff style submit such sudden
-suffer sugar suit summer sun supply sure swamp sweet switch sword symbol syntax syria system table tackle tag tail talk
-tank tape target task tattoo taxi team tell ten term test text that theme this three thumb tibet ticket tide tight tilt
-time tiny tip tired tissue title toast today toe toilet token tomato tone tool top torch toss total toward toy trade
-tree trial trophy true try tube tumble tunnel turn twenty twice two type ugly unable uncle under unfair unique unlock
-until unveil update uphold upon upper upset urban urge usage use usual vacuum vague valid van vapor vast vault vein
-velvet vendor very vessel viable video view villa violin virus visit vital vivid vocal voice volume vote voyage wage
-wait wall want war wash water wave way wealth web weird were west wet what when whip wide wife will window wire wish
-wolf woman wonder wood work wrap wreck write wrong xander xbox xerox xray yang yard year yellow yes yin york you zane
-zara zebra zen zero zippo zone zoo zorro zulu
-""".split()
-assert len(words) == 1024  # Exactly 10 bits of entropy per word