paskia 0.8.1__tar.gz → 0.9.0__tar.gz

{paskia-0.8.1 → paskia-0.9.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: paskia
-Version: 0.8.1
+Version: 0.9.0
 Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
 Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
 Project-URL: Repository, https://github.com/LeoVasanko/paskia

{paskia-0.8.1 → paskia-0.9.0}/paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.8.1'
-__version_tuple__ = version_tuple = (0, 8, 1)
+__version__ = version = '0.9.0'
+__version_tuple__ = version_tuple = (0, 9, 0)
 
 __commit_id__ = commit_id = None

{paskia-0.8.1 → paskia-0.9.0}/paskia/authsession.py

@@ -9,13 +9,16 @@ independent of any web framework:
 """
 
 from datetime import datetime, timezone
+from typing import TYPE_CHECKING
 from uuid import UUID
 
 from paskia import db
-from paskia.config import SESSION_LIFETIME
-from paskia.db import ResetToken, Session
+from paskia.config import RESET_LIFETIME, SESSION_LIFETIME
 from paskia.util import hostutil
 
+if TYPE_CHECKING:
+    from paskia.db import ResetToken
+
 EXPIRES = SESSION_LIFETIME
 
 
@@ -24,39 +27,21 @@ def expires() -> datetime:
 
 
 def reset_expires() -> datetime:
-    from .config import RESET_LIFETIME
-
     return datetime.now(timezone.utc) + RESET_LIFETIME
 
 
-async def get_reset(token: str) -> ResetToken:
+def get_reset(token: str) -> "ResetToken":
     """Validate a credential reset token."""
+
     record = db.get_reset_token(token)
     if record:
         return record
     raise ValueError("This authentication link is no longer valid.")
 
 
-async def get_session(token: str, host: str | None = None) -> Session:
-    """Validate a session token and return session data if valid."""
-    host = hostutil.normalize_host(host)
-    if not host:
-        raise ValueError("Invalid host")
-    session = db.get_session(token)
-    if session:
-        if session.host is None:
-            # First time binding: store exact host:port (or IPv6 form) now.
-            db.set_session_host(session.key, host)
-            session.host = host
-        elif session.host != host:
-            raise ValueError("Session host mismatch")
-        return session
-    raise ValueError("Your session has expired. Please sign in again!")
-
-
-async def refresh_session_token(token: str, *, ip: str, user_agent: str):
+def refresh_session_token(token: str, *, ip: str, user_agent: str):
     """Refresh a session extending its expiry."""
-    session_record = db.get_session(token)
+    session_record = db.data().sessions.get(token)
     if not session_record:
         raise ValueError("Session not found or expired")
     updated = db.update_session(
@@ -69,7 +54,9 @@ async def refresh_session_token(token: str, *, ip: str, user_agent: str):
         raise ValueError("Session not found or expired")
 
 
-async def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
+def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
     """Delete a specific credential for the current user."""
-    s = await get_session(auth, host=host)
-    db.delete_credential(credential_uuid, s.user_uuid)
+    ctx = db.get_session_context(auth, hostutil.normalize_host(host))
+    if not ctx:
+        raise ValueError("Session expired")
+    db.delete_credential(credential_uuid, ctx.user.uuid)

paskia-0.9.0/paskia/bootstrap.py

@@ -0,0 +1,123 @@
+"""
+Bootstrap module for passkey authentication system.
+
+This module handles initial system setup when a new database is created,
+including creating default admin user, organization, permissions, and
+generating a reset link for initial admin setup.
+"""
+
+import asyncio
+import logging
+
+from paskia import authsession, db, globals
+from paskia.util import hostutil, passphrase
+
+logger = logging.getLogger(__name__)
+
+# Shared log message template for admin reset links
+ADMIN_RESET_MESSAGE = """\
+%s
+
+👤 Admin  %s
+   - Use this link to register a Passkey for the admin user!
+"""
+
+
+def _log_reset_link(message: str, passphrase: str) -> str:
+    """Log a reset link message and return the URL."""
+    reset_link = hostutil.reset_link_url(passphrase)
+    logger.info(ADMIN_RESET_MESSAGE, message, reset_link)
+    return reset_link
+
+
+async def bootstrap_system() -> None:
+    """
+    Bootstrap the entire system with default data.
+
+    Uses db.bootstrap() which performs all operations in a single transaction.
+    The transaction log will show a single "bootstrap" action with all changes.
+    """
+    # Call the single-transaction bootstrap function
+    reset_passphrase = db.bootstrap()
+
+    # Log the reset link (this is separate from the transaction log)
+    _log_reset_link("✅ Bootstrap completed!", reset_passphrase)
+
+
+async def check_admin_credentials() -> bool:
+    """
+    Check if the admin user needs credentials and create a reset link if needed.
+
+    Returns:
+        bool: True if a reset link was created, False if admin already has credentials
+    """
+    try:
+        # Get permission organizations to find admin users
+        p = next(
+            (p for p in db.data().permissions.values() if p.scope == "auth:admin"), None
+        )
+        if not p or not p.orgs:
+            return False
+
+        # Get users from the first organization with admin permission
+        first_org_uuid = next(iter(p.orgs))
+        org_users = db.get_organization_users(first_org_uuid)
+        admin_users = [user for user, role in org_users if role == "Administration"]
+
+        if not admin_users:
+            return False
+
+        # Check first admin user for credentials
+        admin_user = admin_users[0]
+
+        if not db.get_user_credential_ids(admin_user.uuid):
+            # Admin exists but has no credentials, create reset link
+
+            token = passphrase.generate()
+            expiry = authsession.reset_expires()
+            db.create_reset_token(
+                user_uuid=admin_user.uuid,
+                passphrase=token,
+                expiry=expiry,
+                token_type="admin registration",
+            )
+            _log_reset_link("⚠️  Admin user has no credentials!", token)
+            return True
+
+        return False
+
+    except Exception:
+        return False
+
+
+async def bootstrap_if_needed() -> bool:
+    """
+    Check if system needs bootstrapping and perform it if necessary.
+
+    Returns:
+        bool: True if bootstrapping was performed, False if system was already set up
+    """
+    # Check if the admin permission exists - if it does, system is already bootstrapped
+    if any(p.scope == "auth:admin" for p in db.data().permissions.values()):
+        # Permission exists, system is already bootstrapped
+        # Check if admin needs credentials (only for already-bootstrapped systems)
+        await check_admin_credentials()
+        return False
+
+    # No admin permission found, need to bootstrap
+    # Bootstrap creates the admin user AND the reset link, so no need to check credentials after
+    await bootstrap_system()
+    return True
+
+
+# CLI interface
+async def main():
+    """Main CLI entry point for bootstrapping."""
+    # Configure logging for CLI usage
+    logging.basicConfig(level=logging.INFO, format="%(message)s", force=True)
+
+    await globals.init()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

{paskia-0.8.1 → paskia-0.9.0}/paskia/db/__init__.py

@@ -1,7 +1,7 @@
 """
 Database module for WebAuthn passkey authentication.
 
-Read: Access _db._data directly, use build_* to convert to public structs.
+Read: Access data() directly, use build_* to convert to public structs.
 CTX: get_session_context(key) returns SessionContext with effective permissions.
 Write: Functions validate and commit, or raise ValueError.
 
@@ -9,7 +9,7 @@ Usage:
     from paskia import db
 
     # Read (after init)
-    user_data = db._db._data.users[user_uuid]
+    user_data = db.data().users[user_uuid]
     user = db.build_user(user_uuid)
 
     # Context
@@ -19,6 +19,7 @@ Usage:
     db.create_user(user)
 """
 
+import paskia.db.operations as operations
 from paskia.db.background import (
     start_background,
     start_cleanup,
@@ -26,59 +27,38 @@ from paskia.db.background import (
     stop_cleanup,
 )
 from paskia.db.operations import (
-    DB,
-    _db,
-    add_permission_to_organization,
+    add_permission_to_org,
     add_permission_to_role,
-    build_credential,
-    build_org,
-    build_permission,
-    build_reset_token,
-    build_role,
-    build_session,
-    build_user,
+    bootstrap,
     cleanup_expired,
     create_credential,
     create_credential_session,
-    create_organization,
+    create_org,
     create_permission,
     create_reset_token,
     create_role,
     create_session,
     create_user,
     delete_credential,
-    delete_organization,
+    delete_org,
     delete_permission,
     delete_reset_token,
     delete_role,
     delete_session,
     delete_sessions_for_user,
     delete_user,
-    get_credential_by_id,
-    get_credentials_by_user_uuid,
-    get_organization,
     get_organization_users,
-    get_permission,
-    get_permission_by_scope,
-    get_permission_organizations,
     get_reset_token,
-    get_role,
-    get_roles_by_organization,
-    get_session,
     get_session_context,
-    get_user_by_uuid,
+    get_user_credential_ids,
     get_user_organization,
     init,
-    list_organizations,
-    list_permissions,
-    list_sessions_for_user,
     login,
-    remove_permission_from_organization,
+    remove_permission_from_org,
     remove_permission_from_role,
-    rename_permission,
     set_session_host,
     update_credential_sign_count,
-    update_organization_name,
+    update_org_name,
     update_permission,
     update_role_name,
     update_session,
@@ -87,6 +67,7 @@ from paskia.db.operations import (
     update_user_role_in_organization,
 )
 from paskia.db.structs import (
+    DB,
     Credential,
     Org,
     Permission,
@@ -97,6 +78,12 @@ from paskia.db.structs import (
     User,
 )
 
+
+def data() -> DB:
+    """Get the database instance for direct read access."""
+    return operations._db
+
+
 __all__ = [
     # Types
     "Credential",
@@ -109,7 +96,7 @@ __all__ = [
     "SessionContext",
     "User",
     # Instance
-    "_db",
+    "data",
     "init",
     # Background
     "start_background",
@@ -118,44 +105,32 @@ __all__ = [
     "stop_cleanup",
     # Builders
     "build_credential",
-    "build_org",
     "build_permission",
     "build_reset_token",
     "build_role",
     "build_session",
     "build_user",
     # Read ops
-    "get_credential_by_id",
-    "get_credentials_by_user_uuid",
-    "get_organization",
     "get_organization_users",
-    "get_permission",
-    "get_permission_by_scope",
-    "get_permission_organizations",
     "get_reset_token",
-    "get_role",
-    "get_roles_by_organization",
-    "get_session",
     "get_session_context",
-    "get_user_by_uuid",
+    "get_user_credential_ids",
     "get_user_organization",
-    "list_organizations",
-    "list_permissions",
-    "list_sessions_for_user",
     # Write ops
-    "add_permission_to_organization",
+    "add_permission_to_org",
     "add_permission_to_role",
+    "bootstrap",
     "cleanup_expired",
     "create_credential",
     "create_credential_session",
-    "create_organization",
+    "create_org",
     "create_permission",
     "create_reset_token",
     "create_role",
     "create_session",
     "create_user",
     "delete_credential",
-    "delete_organization",
+    "delete_org",
     "delete_permission",
     "delete_reset_token",
     "delete_role",
@@ -163,12 +138,11 @@ __all__ = [
     "delete_sessions_for_user",
     "delete_user",
     "login",
-    "remove_permission_from_organization",
+    "remove_permission_from_org",
     "remove_permission_from_role",
-    "rename_permission",
     "set_session_host",
     "update_credential_sign_count",
-    "update_organization_name",
+    "update_org_name",
     "update_permission",
     "update_role_name",
     "update_session",

{paskia-0.8.1 → paskia-0.9.0}/paskia/db/background.py

@@ -8,57 +8,29 @@ import asyncio
 import logging
 from datetime import datetime, timezone
 
-from paskia.db.jsonl import flush_changes
+from paskia.db.operations import _store, cleanup_expired
 
-# Flush changes to disk every N seconds
-FLUSH_INTERVAL = 1
-# Cleanup expired items every N seconds (cheap when nothing to remove)
-CLEANUP_INTERVAL = 1
+FLUSH_INTERVAL = 0.1  # Flush to disk
+CLEANUP_INTERVAL = 1  # Expired item cleanup
 
 
 _logger = logging.getLogger(__name__)
 _background_task: asyncio.Task | None = None
 
 
-def cleanup() -> None:
-    """Remove expired sessions and reset tokens from the database."""
-    from paskia.db.operations import _db
-
-    if _db is None or _db._data is None:
-        return
-
-    with _db.transaction("expiry"):
-        current_time = datetime.now(timezone.utc)
-
-        # Clean expired sessions
-        to_delete_sessions = [
-            k for k, s in _db._data.sessions.items() if s.expiry < current_time
-        ]
-        for k in to_delete_sessions:
-            del _db._data.sessions[k]
-
-        # Clean expired reset tokens
-        to_delete_tokens = [
-            k for k, t in _db._data.reset_tokens.items() if t.expiry < current_time
-        ]
-        for k in to_delete_tokens:
-            del _db._data.reset_tokens[k]
-
-
 async def flush() -> None:
     """Write all pending database changes to disk."""
-    from paskia.db.operations import _db
 
-    if _db is None:
-        _logger.warning("flush() called but _db is None")
+    if _store is None:
+        _logger.warning("flush() called but _store is None")
         return
-    await flush_changes(_db.db_path, _db._pending_changes)
+    await _store.flush()
 
 
 async def _background_loop():
     """Background task that periodically flushes changes and cleans up."""
     # Run cleanup immediately on startup to clear old expired items
-    cleanup()
+    cleanup_expired()
     await flush()
 
     last_cleanup = datetime.now(timezone.utc)
@@ -69,10 +41,10 @@ async def _background_loop():
             # Flush pending changes to disk
             await flush()
 
-            # Run cleanup less frequently
+            # Run cleanup periodically
             now = datetime.now(timezone.utc)
             if (now - last_cleanup).total_seconds() >= CLEANUP_INTERVAL:
-                cleanup()
+                cleanup_expired()
                 await flush()  # Flush cleanup changes
                 last_cleanup = now
         except asyncio.CancelledError:
@@ -101,6 +73,14 @@ async def start_background():
                 if loop is not task_loop:
                     _logger.debug("Background task in different event loop, restarting")
                     _background_task = None
+                else:
+                    # Task is running in the same event loop - this is an error
+                    raise RuntimeError(
+                        "Background task is already running. "
+                        "start_background() must not be called multiple times in the same event loop."
+                    )
+            except RuntimeError:
+                raise  # Re-raise RuntimeError from above
             except Exception as e:
                 _logger.debug("Error checking background task loop: %s, restarting", e)
                 _background_task = None