paskia 0.8.1__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.8.1'
-__version_tuple__ = version_tuple = (0, 8, 1)
+__version__ = version = '0.9.1'
+__version_tuple__ = version_tuple = (0, 9, 1)
 
 __commit_id__ = commit_id = None

paskia/aaguid/__init__.py

@@ -10,6 +10,7 @@ This module provides functionality to:
 import json
 from collections.abc import Iterable
 from importlib.resources import files
+from uuid import UUID
 
 __ALL__ = ["AAGUID", "filter"]
 
@@ -18,15 +19,15 @@ AAGUID_FILE = files("paskia") / "aaguid" / "combined_aaguid.json"
 AAGUID: dict[str, dict] = json.loads(AAGUID_FILE.read_text(encoding="utf-8"))
 
 
-def filter(aaguids: Iterable[str]) -> dict[str, dict]:
+def filter(aaguids: Iterable[UUID]) -> dict[str, dict]:
     """
     Get AAGUID information only for the provided set of AAGUIDs.
 
     Args:
-        aaguids: Set of AAGUID strings that the user has credentials for
+        aaguids: Iterable of AAGUIDs (UUIDs) that the user has credentials for
 
     Returns:
-        Dictionary mapping AAGUID to authenticator information for only
+        Dictionary mapping AAGUID string to authenticator information for only
         the AAGUIDs that the user has and that we have data for
     """
-    return {aaguid: AAGUID[aaguid] for aaguid in aaguids if aaguid in AAGUID}
+    return {(s := str(a)): AAGUID[s] for a in aaguids if (s := str(a)) in AAGUID}

paskia/authsession.py

@@ -8,68 +8,40 @@ independent of any web framework:
 - Credential management
 """
 
-from datetime import datetime, timezone
+from datetime import UTC, datetime
+from typing import TYPE_CHECKING
 from uuid import UUID
 
 from paskia import db
-from paskia.config import SESSION_LIFETIME
-from paskia.db import ResetToken, Session
+from paskia.config import RESET_LIFETIME, SESSION_LIFETIME
 from paskia.util import hostutil
 
+if TYPE_CHECKING:
+    from paskia.db import ResetToken
+
 EXPIRES = SESSION_LIFETIME
 
 
 def expires() -> datetime:
-    return datetime.now(timezone.utc) + EXPIRES
+    return datetime.now(UTC) + EXPIRES
 
 
 def reset_expires() -> datetime:
-    from .config import RESET_LIFETIME
-
-    return datetime.now(timezone.utc) + RESET_LIFETIME
+    return datetime.now(UTC) + RESET_LIFETIME
 
 
-async def get_reset(token: str) -> ResetToken:
+def get_reset(token: str) -> "ResetToken":
     """Validate a credential reset token."""
+
     record = db.get_reset_token(token)
     if record:
         return record
     raise ValueError("This authentication link is no longer valid.")
 
 
-async def get_session(token: str, host: str | None = None) -> Session:
-    """Validate a session token and return session data if valid."""
-    host = hostutil.normalize_host(host)
-    if not host:
-        raise ValueError("Invalid host")
-    session = db.get_session(token)
-    if session:
-        if session.host is None:
-            # First time binding: store exact host:port (or IPv6 form) now.
-            db.set_session_host(session.key, host)
-            session.host = host
-        elif session.host != host:
-            raise ValueError("Session host mismatch")
-        return session
-    raise ValueError("Your session has expired. Please sign in again!")
-
-
-async def refresh_session_token(token: str, *, ip: str, user_agent: str):
-    """Refresh a session extending its expiry."""
-    session_record = db.get_session(token)
-    if not session_record:
-        raise ValueError("Session not found or expired")
-    updated = db.update_session(
-        token,
-        ip=ip,
-        user_agent=user_agent,
-        expiry=expires(),
-    )
-    if not updated:
-        raise ValueError("Session not found or expired")
-
-
-async def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
+def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
     """Delete a specific credential for the current user."""
-    s = await get_session(auth, host=host)
-    db.delete_credential(credential_uuid, s.user_uuid)
+    ctx = db.data().session_ctx(auth, hostutil.normalize_host(host))
+    if not ctx:
+        raise ValueError("Session expired")
+    db.delete_credential(credential_uuid, ctx.user.uuid)

paskia/bootstrap.py

@@ -8,26 +8,11 @@ generating a reset link for initial admin setup.
 
 import asyncio
 import logging
-from datetime import datetime, timezone
 
-import uuid7
-
-from paskia import authsession, db
-from paskia.db import Org, Permission, Role, User
+from paskia import authsession, db, globals
 from paskia.util import hostutil, passphrase
 
-
-def _init_logger() -> logging.Logger:
-    logger = logging.getLogger(__name__)
-    if not logger.handlers and not logging.getLogger().handlers:
-        h = logging.StreamHandler()
-        h.setFormatter(logging.Formatter("%(message)s"))
-        logger.addHandler(h)
-        logger.setLevel(logging.INFO)
-    return logger
-
-
-logger = _init_logger()
+logger = logging.getLogger(__name__)
 
 # Shared log message template for admin reset links
 ADMIN_RESET_MESSAGE = """\
@@ -38,84 +23,25 @@ ADMIN_RESET_MESSAGE = """\
 """
 
 
-async def _create_and_log_admin_reset_link(user_uuid, message, session_type) -> str:
-    """Create an admin reset link and log it with the provided message."""
-    token = passphrase.generate()
-    expiry = authsession.reset_expires()
-    db.create_reset_token(
-        user_uuid=user_uuid,
-        passphrase=token,
-        expiry=expiry,
-        token_type=session_type,
-    )
-    reset_link = hostutil.reset_link_url(token)
+def _log_reset_link(message: str, passphrase: str) -> str:
+    """Log a reset link message and return the URL."""
+    reset_link = hostutil.reset_link_url(passphrase)
     logger.info(ADMIN_RESET_MESSAGE, message, reset_link)
     return reset_link
 
 
-async def bootstrap_system() -> dict:
+async def bootstrap_system() -> None:
     """
     Bootstrap the entire system with default data.
 
-    Returns:
-        dict: Contains information about created entities and reset link
+    Uses db.bootstrap() which performs all operations in a single transaction.
+    The transaction log will show a single "bootstrap" action with all changes.
     """
-    # Create permission first - will fail if already exists
-    perm0 = Permission(
-        uuid=uuid7.create(), scope="auth:admin", display_name="Master Admin"
-    )
-    db.create_permission(perm0)
-
-    # Create org admin permission - allows managing users within an org
-    perm_org_admin = Permission(
-        uuid=uuid7.create(), scope="auth:org:admin", display_name="Org Admin"
-    )
-    db.create_permission(perm_org_admin)
-
-    org = Org(uuid7.create(), "Organization")
-    db.create_organization(org)
-
-    # Allow this org to grant global admin and org admin permissions
-    db.add_permission_to_organization(str(org.uuid), perm0.scope)
-    db.add_permission_to_organization(str(org.uuid), perm_org_admin.scope)
-
-    # Create an Administration role granting both org and global admin
-    role = Role(
-        uuid7.create(),
-        org.uuid,
-        "Administration",
-        permissions=[perm0.scope, perm_org_admin.scope],
-    )
-    db.create_role(role)
-
-    user = User(
-        uuid=uuid7.create(),
-        display_name="Admin",
-        role_uuid=role.uuid,
-        created_at=datetime.now(timezone.utc),
-        visits=0,
-    )
-    db.create_user(user)
-
-    # Generate reset link and log it
-    reset_link = await _create_and_log_admin_reset_link(
-        user.uuid, "✅ Bootstrap completed!", "admin bootstrap"
-    )
-
-    return {
-        "user": user,
-        "org": org,
-        "role": role,
-        "permissions": [
-            perm0,
-            *[
-                db.get_permission_by_scope(p)
-                for p in org.permissions
-                if db.get_permission_by_scope(p)
-            ],
-        ],
-        "reset_link": reset_link,
-    }
+    # Call the single-transaction bootstrap function
+    reset_passphrase = db.bootstrap()
+
+    # Log the reset link (this is separate from the transaction log)
+    _log_reset_link("✅ Bootstrap completed!", reset_passphrase)
 
 
 async def check_admin_credentials() -> bool:
@@ -127,13 +53,15 @@ async def check_admin_credentials() -> bool:
     """
     try:
         # Get permission organizations to find admin users
-        permission_orgs = db.get_permission_organizations("auth:admin")
-
-        if not permission_orgs:
+        p = next(
+            (p for p in db.data().permissions.values() if p.scope == "auth:admin"), None
+        )
+        if not p or not p.orgs:
             return False
 
         # Get users from the first organization with admin permission
-        org_users = db.get_organization_users(str(permission_orgs[0].uuid))
+        first_org_uuid = next(iter(p.orgs))
+        org_users = db.get_organization_users(first_org_uuid)
         admin_users = [user for user, role in org_users if role == "Administration"]
 
         if not admin_users:
@@ -141,15 +69,19 @@ async def check_admin_credentials() -> bool:
 
         # Check first admin user for credentials
         admin_user = admin_users[0]
-        credentials = db.get_credentials_by_user_uuid(admin_user.uuid)
 
-        if not credentials:
+        if not db.get_user_credential_ids(admin_user.uuid):
             # Admin exists but has no credentials, create reset link
-            await _create_and_log_admin_reset_link(
-                admin_user.uuid,
-                "⚠️  Admin user has no credentials!",
-                "admin registration",
+
+            token = passphrase.generate()
+            expiry = authsession.reset_expires()
+            db.create_reset_token(
+                user_uuid=admin_user.uuid,
+                passphrase=token,
+                expiry=expiry,
+                token_type="admin registration",
             )
+            _log_reset_link("⚠️  Admin user has no credentials!", token)
             return True
 
         return False
@@ -165,16 +97,12 @@ async def bootstrap_if_needed() -> bool:
     Returns:
         bool: True if bootstrapping was performed, False if system was already set up
     """
-    try:
-        # Check if the admin permission exists - if it does, system is already bootstrapped
-        db.get_permission("auth:admin")
+    # Check if the admin permission exists - if it does, system is already bootstrapped
+    if any(p.scope == "auth:admin" for p in db.data().permissions.values()):
         # Permission exists, system is already bootstrapped
         # Check if admin needs credentials (only for already-bootstrapped systems)
         await check_admin_credentials()
         return False
-    except Exception:
-        # Permission doesn't exist, need to bootstrap
-        pass
 
     # No admin permission found, need to bootstrap
     # Bootstrap creates the admin user AND the reset link, so no need to check credentials after

paskia/db/__init__.py

@@ -1,24 +1,25 @@
 """
 Database module for WebAuthn passkey authentication.
 
-Read: Access _db._data directly, use build_* to convert to public structs.
-CTX: get_session_context(key) returns SessionContext with effective permissions.
+Read: Access data() directly, use build_* to convert to public structs.
+CTX: data().session_ctx(key) returns SessionContext with effective permissions.
 Write: Functions validate and commit, or raise ValueError.
 
 Usage:
     from paskia import db
 
     # Read (after init)
-    user_data = db._db._data.users[user_uuid]
+    user_data = db.data().users[user_uuid]
     user = db.build_user(user_uuid)
 
     # Context
-    ctx = db.get_session_context(session_key)
+    ctx = db.data().session_ctx(session_key)
 
     # Write
     db.create_user(user)
 """
 
+import paskia.db.operations as operations
 from paskia.db.background import (
     start_background,
     start_cleanup,
@@ -26,59 +27,37 @@ from paskia.db.background import (
     stop_cleanup,
 )
 from paskia.db.operations import (
-    DB,
-    _db,
-    add_permission_to_organization,
+    add_permission_to_org,
     add_permission_to_role,
-    build_credential,
-    build_org,
-    build_permission,
-    build_reset_token,
-    build_role,
-    build_session,
-    build_user,
+    bootstrap,
     cleanup_expired,
     create_credential,
     create_credential_session,
-    create_organization,
+    create_org,
     create_permission,
     create_reset_token,
     create_role,
     create_session,
     create_user,
     delete_credential,
-    delete_organization,
+    delete_org,
     delete_permission,
     delete_reset_token,
     delete_role,
     delete_session,
     delete_sessions_for_user,
     delete_user,
-    get_credential_by_id,
-    get_credentials_by_user_uuid,
-    get_organization,
     get_organization_users,
-    get_permission,
-    get_permission_by_scope,
-    get_permission_organizations,
     get_reset_token,
-    get_role,
-    get_roles_by_organization,
-    get_session,
-    get_session_context,
-    get_user_by_uuid,
+    get_user_credential_ids,
     get_user_organization,
     init,
-    list_organizations,
-    list_permissions,
-    list_sessions_for_user,
     login,
-    remove_permission_from_organization,
+    remove_permission_from_org,
     remove_permission_from_role,
-    rename_permission,
     set_session_host,
     update_credential_sign_count,
-    update_organization_name,
+    update_org_name,
     update_permission,
     update_role_name,
     update_session,
@@ -87,6 +66,7 @@ from paskia.db.operations import (
     update_user_role_in_organization,
 )
 from paskia.db.structs import (
+    DB,
     Credential,
     Org,
     Permission,
@@ -97,6 +77,12 @@ from paskia.db.structs import (
     User,
 )
 
+
+def data() -> DB:
+    """Get the database instance for direct read access."""
+    return operations._db
+
+
 __all__ = [
     # Types
     "Credential",
@@ -109,7 +95,7 @@ __all__ = [
     "SessionContext",
     "User",
     # Instance
-    "_db",
+    "data",
     "init",
     # Background
     "start_background",
@@ -118,44 +104,31 @@ __all__ = [
     "stop_cleanup",
     # Builders
     "build_credential",
-    "build_org",
     "build_permission",
     "build_reset_token",
     "build_role",
     "build_session",
     "build_user",
     # Read ops
-    "get_credential_by_id",
-    "get_credentials_by_user_uuid",
-    "get_organization",
     "get_organization_users",
-    "get_permission",
-    "get_permission_by_scope",
-    "get_permission_organizations",
     "get_reset_token",
-    "get_role",
-    "get_roles_by_organization",
-    "get_session",
-    "get_session_context",
-    "get_user_by_uuid",
+    "get_user_credential_ids",
     "get_user_organization",
-    "list_organizations",
-    "list_permissions",
-    "list_sessions_for_user",
     # Write ops
-    "add_permission_to_organization",
+    "add_permission_to_org",
     "add_permission_to_role",
+    "bootstrap",
     "cleanup_expired",
     "create_credential",
     "create_credential_session",
-    "create_organization",
+    "create_org",
     "create_permission",
     "create_reset_token",
     "create_role",
     "create_session",
     "create_user",
     "delete_credential",
-    "delete_organization",
+    "delete_org",
     "delete_permission",
     "delete_reset_token",
     "delete_role",
@@ -163,12 +136,11 @@ __all__ = [
     "delete_sessions_for_user",
     "delete_user",
     "login",
-    "remove_permission_from_organization",
+    "remove_permission_from_org",
     "remove_permission_from_role",
-    "rename_permission",
     "set_session_host",
     "update_credential_sign_count",
-    "update_organization_name",
+    "update_org_name",
     "update_permission",
     "update_role_name",
     "update_session",

paskia/db/background.py

@@ -6,62 +6,34 @@ Periodically flushes pending changes to disk and cleans up expired items.
 
 import asyncio
 import logging
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 
-from paskia.db.jsonl import flush_changes
+from paskia.db.operations import _store, cleanup_expired
 
-# Flush changes to disk every N seconds
-FLUSH_INTERVAL = 1
-# Cleanup expired items every N seconds (cheap when nothing to remove)
-CLEANUP_INTERVAL = 1
+FLUSH_INTERVAL = 0.1  # Flush to disk
+CLEANUP_INTERVAL = 1  # Expired item cleanup
 
 
 _logger = logging.getLogger(__name__)
 _background_task: asyncio.Task | None = None
 
 
-def cleanup() -> None:
-    """Remove expired sessions and reset tokens from the database."""
-    from paskia.db.operations import _db
-
-    if _db is None or _db._data is None:
-        return
-
-    with _db.transaction("expiry"):
-        current_time = datetime.now(timezone.utc)
-
-        # Clean expired sessions
-        to_delete_sessions = [
-            k for k, s in _db._data.sessions.items() if s.expiry < current_time
-        ]
-        for k in to_delete_sessions:
-            del _db._data.sessions[k]
-
-        # Clean expired reset tokens
-        to_delete_tokens = [
-            k for k, t in _db._data.reset_tokens.items() if t.expiry < current_time
-        ]
-        for k in to_delete_tokens:
-            del _db._data.reset_tokens[k]
-
-
 async def flush() -> None:
     """Write all pending database changes to disk."""
-    from paskia.db.operations import _db
 
-    if _db is None:
-        _logger.warning("flush() called but _db is None")
+    if _store is None:
+        _logger.warning("flush() called but _store is None")
         return
-    await flush_changes(_db.db_path, _db._pending_changes)
+    await _store.flush()
 
 
 async def _background_loop():
     """Background task that periodically flushes changes and cleans up."""
     # Run cleanup immediately on startup to clear old expired items
-    cleanup()
+    cleanup_expired()
     await flush()
 
-    last_cleanup = datetime.now(timezone.utc)
+    last_cleanup = datetime.now(UTC)
 
     while True:
         try:
@@ -69,10 +41,10 @@ async def _background_loop():
             # Flush pending changes to disk
             await flush()
 
-            # Run cleanup less frequently
-            now = datetime.now(timezone.utc)
+            # Run cleanup periodically
+            now = datetime.now(UTC)
             if (now - last_cleanup).total_seconds() >= CLEANUP_INTERVAL:
-                cleanup()
+                cleanup_expired()
                 await flush()  # Flush cleanup changes
                 last_cleanup = now
         except asyncio.CancelledError:
@@ -101,6 +73,14 @@ async def start_background():
                 if loop is not task_loop:
                     _logger.debug("Background task in different event loop, restarting")
                     _background_task = None
+                else:
+                    # Task is running in the same event loop - this is an error
+                    raise RuntimeError(
+                        "Background task is already running. "
+                        "start_background() must not be called multiple times in the same event loop."
+                    )
+            except RuntimeError:
+                raise  # Re-raise RuntimeError from above
             except Exception as e:
                 _logger.debug("Error checking background task loop: %s, restarting", e)
                 _background_task = None