paskia 0.8.1__tar.gz → 0.9.1__tar.gz

{paskia-0.8.1 → paskia-0.9.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: paskia
-Version: 0.8.1
+Version: 0.9.1
 Summary: Passkey Auth made easy: all sites and APIs can be guarded even without any changes on the protected site.
 Project-URL: Homepage, https://git.zi.fi/LeoVasanko/paskia
 Project-URL: Repository, https://github.com/LeoVasanko/paskia

{paskia-0.8.1 → paskia-0.9.1}/paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.8.1'
-__version_tuple__ = version_tuple = (0, 8, 1)
+__version__ = version = '0.9.1'
+__version_tuple__ = version_tuple = (0, 9, 1)
 
 __commit_id__ = commit_id = None

{paskia-0.8.1 → paskia-0.9.1}/paskia/aaguid/__init__.py

@@ -10,6 +10,7 @@ This module provides functionality to:
 import json
 from collections.abc import Iterable
 from importlib.resources import files
+from uuid import UUID
 
 __ALL__ = ["AAGUID", "filter"]
 
@@ -18,15 +19,15 @@ AAGUID_FILE = files("paskia") / "aaguid" / "combined_aaguid.json"
 AAGUID: dict[str, dict] = json.loads(AAGUID_FILE.read_text(encoding="utf-8"))
 
 
-def filter(aaguids: Iterable[str]) -> dict[str, dict]:
+def filter(aaguids: Iterable[UUID]) -> dict[str, dict]:
     """
     Get AAGUID information only for the provided set of AAGUIDs.
 
     Args:
-        aaguids: Set of AAGUID strings that the user has credentials for
+        aaguids: Iterable of AAGUIDs (UUIDs) that the user has credentials for
 
     Returns:
-        Dictionary mapping AAGUID to authenticator information for only
+        Dictionary mapping AAGUID string to authenticator information for only
         the AAGUIDs that the user has and that we have data for
     """
-    return {aaguid: AAGUID[aaguid] for aaguid in aaguids if aaguid in AAGUID}
+    return {(s := str(a)): AAGUID[s] for a in aaguids if (s := str(a)) in AAGUID}

paskia-0.9.1/paskia/authsession.py

@@ -0,0 +1,47 @@
+"""
+Core session management for WebAuthn authentication.
+
+This module provides generic session management functionality that is
+independent of any web framework:
+- Session creation and validation
+- Token handling and refresh
+- Credential management
+"""
+
+from datetime import UTC, datetime
+from typing import TYPE_CHECKING
+from uuid import UUID
+
+from paskia import db
+from paskia.config import RESET_LIFETIME, SESSION_LIFETIME
+from paskia.util import hostutil
+
+if TYPE_CHECKING:
+    from paskia.db import ResetToken
+
+EXPIRES = SESSION_LIFETIME
+
+
+def expires() -> datetime:
+    return datetime.now(UTC) + EXPIRES
+
+
+def reset_expires() -> datetime:
+    return datetime.now(UTC) + RESET_LIFETIME
+
+
+def get_reset(token: str) -> "ResetToken":
+    """Validate a credential reset token."""
+
+    record = db.get_reset_token(token)
+    if record:
+        return record
+    raise ValueError("This authentication link is no longer valid.")
+
+
+def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
+    """Delete a specific credential for the current user."""
+    ctx = db.data().session_ctx(auth, hostutil.normalize_host(host))
+    if not ctx:
+        raise ValueError("Session expired")
+    db.delete_credential(credential_uuid, ctx.user.uuid)

paskia-0.9.1/paskia/bootstrap.py

@@ -0,0 +1,123 @@
+"""
+Bootstrap module for passkey authentication system.
+
+This module handles initial system setup when a new database is created,
+including creating default admin user, organization, permissions, and
+generating a reset link for initial admin setup.
+"""
+
+import asyncio
+import logging
+
+from paskia import authsession, db, globals
+from paskia.util import hostutil, passphrase
+
+logger = logging.getLogger(__name__)
+
+# Shared log message template for admin reset links
+ADMIN_RESET_MESSAGE = """\
+%s
+
+👤 Admin  %s
+   - Use this link to register a Passkey for the admin user!
+"""
+
+
+def _log_reset_link(message: str, passphrase: str) -> str:
+    """Log a reset link message and return the URL."""
+    reset_link = hostutil.reset_link_url(passphrase)
+    logger.info(ADMIN_RESET_MESSAGE, message, reset_link)
+    return reset_link
+
+
+async def bootstrap_system() -> None:
+    """
+    Bootstrap the entire system with default data.
+
+    Uses db.bootstrap() which performs all operations in a single transaction.
+    The transaction log will show a single "bootstrap" action with all changes.
+    """
+    # Call the single-transaction bootstrap function
+    reset_passphrase = db.bootstrap()
+
+    # Log the reset link (this is separate from the transaction log)
+    _log_reset_link("✅ Bootstrap completed!", reset_passphrase)
+
+
+async def check_admin_credentials() -> bool:
+    """
+    Check if the admin user needs credentials and create a reset link if needed.
+
+    Returns:
+        bool: True if a reset link was created, False if admin already has credentials
+    """
+    try:
+        # Get permission organizations to find admin users
+        p = next(
+            (p for p in db.data().permissions.values() if p.scope == "auth:admin"), None
+        )
+        if not p or not p.orgs:
+            return False
+
+        # Get users from the first organization with admin permission
+        first_org_uuid = next(iter(p.orgs))
+        org_users = db.get_organization_users(first_org_uuid)
+        admin_users = [user for user, role in org_users if role == "Administration"]
+
+        if not admin_users:
+            return False
+
+        # Check first admin user for credentials
+        admin_user = admin_users[0]
+
+        if not db.get_user_credential_ids(admin_user.uuid):
+            # Admin exists but has no credentials, create reset link
+
+            token = passphrase.generate()
+            expiry = authsession.reset_expires()
+            db.create_reset_token(
+                user_uuid=admin_user.uuid,
+                passphrase=token,
+                expiry=expiry,
+                token_type="admin registration",
+            )
+            _log_reset_link("⚠️  Admin user has no credentials!", token)
+            return True
+
+        return False
+
+    except Exception:
+        return False
+
+
+async def bootstrap_if_needed() -> bool:
+    """
+    Check if system needs bootstrapping and perform it if necessary.
+
+    Returns:
+        bool: True if bootstrapping was performed, False if system was already set up
+    """
+    # Check if the admin permission exists - if it does, system is already bootstrapped
+    if any(p.scope == "auth:admin" for p in db.data().permissions.values()):
+        # Permission exists, system is already bootstrapped
+        # Check if admin needs credentials (only for already-bootstrapped systems)
+        await check_admin_credentials()
+        return False
+
+    # No admin permission found, need to bootstrap
+    # Bootstrap creates the admin user AND the reset link, so no need to check credentials after
+    await bootstrap_system()
+    return True
+
+
+# CLI interface
+async def main():
+    """Main CLI entry point for bootstrapping."""
+    # Configure logging for CLI usage
+    logging.basicConfig(level=logging.INFO, format="%(message)s", force=True)
+
+    await globals.init()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

{paskia-0.8.1 → paskia-0.9.1}/paskia/db/__init__.py

@@ -1,24 +1,25 @@
 """
 Database module for WebAuthn passkey authentication.
 
-Read: Access _db._data directly, use build_* to convert to public structs.
-CTX: get_session_context(key) returns SessionContext with effective permissions.
+Read: Access data() directly, use build_* to convert to public structs.
+CTX: data().session_ctx(key) returns SessionContext with effective permissions.
 Write: Functions validate and commit, or raise ValueError.
 
 Usage:
     from paskia import db
 
     # Read (after init)
-    user_data = db._db._data.users[user_uuid]
+    user_data = db.data().users[user_uuid]
     user = db.build_user(user_uuid)
 
     # Context
-    ctx = db.get_session_context(session_key)
+    ctx = db.data().session_ctx(session_key)
 
     # Write
     db.create_user(user)
 """
 
+import paskia.db.operations as operations
 from paskia.db.background import (
     start_background,
     start_cleanup,
@@ -26,59 +27,37 @@ from paskia.db.background import (
     stop_cleanup,
 )
 from paskia.db.operations import (
-    DB,
-    _db,
-    add_permission_to_organization,
+    add_permission_to_org,
     add_permission_to_role,
-    build_credential,
-    build_org,
-    build_permission,
-    build_reset_token,
-    build_role,
-    build_session,
-    build_user,
+    bootstrap,
     cleanup_expired,
     create_credential,
     create_credential_session,
-    create_organization,
+    create_org,
     create_permission,
     create_reset_token,
     create_role,
     create_session,
     create_user,
     delete_credential,
-    delete_organization,
+    delete_org,
     delete_permission,
     delete_reset_token,
     delete_role,
     delete_session,
     delete_sessions_for_user,
     delete_user,
-    get_credential_by_id,
-    get_credentials_by_user_uuid,
-    get_organization,
     get_organization_users,
-    get_permission,
-    get_permission_by_scope,
-    get_permission_organizations,
     get_reset_token,
-    get_role,
-    get_roles_by_organization,
-    get_session,
-    get_session_context,
-    get_user_by_uuid,
+    get_user_credential_ids,
     get_user_organization,
     init,
-    list_organizations,
-    list_permissions,
-    list_sessions_for_user,
     login,
-    remove_permission_from_organization,
+    remove_permission_from_org,
     remove_permission_from_role,
-    rename_permission,
     set_session_host,
     update_credential_sign_count,
-    update_organization_name,
+    update_org_name,
     update_permission,
     update_role_name,
     update_session,
@@ -87,6 +66,7 @@ from paskia.db.operations import (
     update_user_role_in_organization,
 )
 from paskia.db.structs import (
+    DB,
     Credential,
     Org,
     Permission,
@@ -97,6 +77,12 @@ from paskia.db.structs import (
     User,
 )
 
+
+def data() -> DB:
+    """Get the database instance for direct read access."""
+    return operations._db
+
+
 __all__ = [
     # Types
     "Credential",
@@ -109,7 +95,7 @@ __all__ = [
     "SessionContext",
     "User",
     # Instance
-    "_db",
+    "data",
     "init",
     # Background
     "start_background",
@@ -118,44 +104,31 @@ __all__ = [
     "stop_cleanup",
     # Builders
     "build_credential",
-    "build_org",
     "build_permission",
     "build_reset_token",
     "build_role",
     "build_session",
     "build_user",
     # Read ops
-    "get_credential_by_id",
-    "get_credentials_by_user_uuid",
-    "get_organization",
     "get_organization_users",
-    "get_permission",
-    "get_permission_by_scope",
-    "get_permission_organizations",
     "get_reset_token",
-    "get_role",
-    "get_roles_by_organization",
-    "get_session",
-    "get_session_context",
-    "get_user_by_uuid",
+    "get_user_credential_ids",
     "get_user_organization",
-    "list_organizations",
-    "list_permissions",
-    "list_sessions_for_user",
     # Write ops
-    "add_permission_to_organization",
+    "add_permission_to_org",
     "add_permission_to_role",
+    "bootstrap",
     "cleanup_expired",
     "create_credential",
     "create_credential_session",
-    "create_organization",
+    "create_org",
     "create_permission",
     "create_reset_token",
     "create_role",
     "create_session",
     "create_user",
     "delete_credential",
-    "delete_organization",
+    "delete_org",
     "delete_permission",
     "delete_reset_token",
     "delete_role",
@@ -163,12 +136,11 @@ __all__ = [
     "delete_sessions_for_user",
     "delete_user",
     "login",
-    "remove_permission_from_organization",
+    "remove_permission_from_org",
     "remove_permission_from_role",
-    "rename_permission",
     "set_session_host",
     "update_credential_sign_count",
-    "update_organization_name",
+    "update_org_name",
     "update_permission",
     "update_role_name",
     "update_session",

{paskia-0.8.1 → paskia-0.9.1}/paskia/db/background.py

@@ -6,62 +6,34 @@ Periodically flushes pending changes to disk and cleans up expired items.
 
 import asyncio
 import logging
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 
-from paskia.db.jsonl import flush_changes
+from paskia.db.operations import _store, cleanup_expired
 
-# Flush changes to disk every N seconds
-FLUSH_INTERVAL = 1
-# Cleanup expired items every N seconds (cheap when nothing to remove)
-CLEANUP_INTERVAL = 1
+FLUSH_INTERVAL = 0.1  # Flush to disk
+CLEANUP_INTERVAL = 1  # Expired item cleanup
 
 
 _logger = logging.getLogger(__name__)
 _background_task: asyncio.Task | None = None
 
 
-def cleanup() -> None:
-    """Remove expired sessions and reset tokens from the database."""
-    from paskia.db.operations import _db
-
-    if _db is None or _db._data is None:
-        return
-
-    with _db.transaction("expiry"):
-        current_time = datetime.now(timezone.utc)
-
-        # Clean expired sessions
-        to_delete_sessions = [
-            k for k, s in _db._data.sessions.items() if s.expiry < current_time
-        ]
-        for k in to_delete_sessions:
-            del _db._data.sessions[k]
-
-        # Clean expired reset tokens
-        to_delete_tokens = [
-            k for k, t in _db._data.reset_tokens.items() if t.expiry < current_time
-        ]
-        for k in to_delete_tokens:
-            del _db._data.reset_tokens[k]
-
-
 async def flush() -> None:
     """Write all pending database changes to disk."""
-    from paskia.db.operations import _db
 
-    if _db is None:
-        _logger.warning("flush() called but _db is None")
+    if _store is None:
+        _logger.warning("flush() called but _store is None")
         return
-    await flush_changes(_db.db_path, _db._pending_changes)
+    await _store.flush()
 
 
 async def _background_loop():
     """Background task that periodically flushes changes and cleans up."""
     # Run cleanup immediately on startup to clear old expired items
-    cleanup()
+    cleanup_expired()
     await flush()
 
-    last_cleanup = datetime.now(timezone.utc)
+    last_cleanup = datetime.now(UTC)
 
     while True:
         try:
@@ -69,10 +41,10 @@ async def _background_loop():
             # Flush pending changes to disk
             await flush()
 
-            # Run cleanup less frequently
-            now = datetime.now(timezone.utc)
+            # Run cleanup periodically
+            now = datetime.now(UTC)
             if (now - last_cleanup).total_seconds() >= CLEANUP_INTERVAL:
-                cleanup()
+                cleanup_expired()
                 await flush()  # Flush cleanup changes
                 last_cleanup = now
         except asyncio.CancelledError:
@@ -101,6 +73,14 @@ async def start_background():
                 if loop is not task_loop:
                     _logger.debug("Background task in different event loop, restarting")
                     _background_task = None
+                else:
+                    # Task is running in the same event loop - this is an error
+                    raise RuntimeError(
+                        "Background task is already running. "
+                        "start_background() must not be called multiple times in the same event loop."
+                    )
+            except RuntimeError:
+                raise  # Re-raise RuntimeError from above
             except Exception as e:
                 _logger.debug("Error checking background task loop: %s, restarting", e)
                 _background_task = None