paskia 0.9.0__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.9.0'
-__version_tuple__ = version_tuple = (0, 9, 0)
+__version__ = version = '0.9.1'
+__version_tuple__ = version_tuple = (0, 9, 1)
 
 __commit_id__ = commit_id = None

paskia/aaguid/__init__.py

@@ -10,6 +10,7 @@ This module provides functionality to:
 import json
 from collections.abc import Iterable
 from importlib.resources import files
+from uuid import UUID
 
 __ALL__ = ["AAGUID", "filter"]
 
@@ -18,15 +19,15 @@ AAGUID_FILE = files("paskia") / "aaguid" / "combined_aaguid.json"
 AAGUID: dict[str, dict] = json.loads(AAGUID_FILE.read_text(encoding="utf-8"))
 
 
-def filter(aaguids: Iterable[str]) -> dict[str, dict]:
+def filter(aaguids: Iterable[UUID]) -> dict[str, dict]:
     """
     Get AAGUID information only for the provided set of AAGUIDs.
 
     Args:
-        aaguids: Set of AAGUID strings that the user has credentials for
+        aaguids: Iterable of AAGUIDs (UUIDs) that the user has credentials for
 
     Returns:
-        Dictionary mapping AAGUID to authenticator information for only
+        Dictionary mapping AAGUID string to authenticator information for only
         the AAGUIDs that the user has and that we have data for
     """
-    return {aaguid: AAGUID[aaguid] for aaguid in aaguids if aaguid in AAGUID}
+    return {(s := str(a)): AAGUID[s] for a in aaguids if (s := str(a)) in AAGUID}

paskia/authsession.py

@@ -8,7 +8,7 @@ independent of any web framework:
 - Credential management
 """
 
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from typing import TYPE_CHECKING
 from uuid import UUID
 
@@ -23,11 +23,11 @@ EXPIRES = SESSION_LIFETIME
 
 
 def expires() -> datetime:
-    return datetime.now(timezone.utc) + EXPIRES
+    return datetime.now(UTC) + EXPIRES
 
 
 def reset_expires() -> datetime:
-    return datetime.now(timezone.utc) + RESET_LIFETIME
+    return datetime.now(UTC) + RESET_LIFETIME
 
 
 def get_reset(token: str) -> "ResetToken":
@@ -39,24 +39,9 @@ def get_reset(token: str) -> "ResetToken":
     raise ValueError("This authentication link is no longer valid.")
 
 
-def refresh_session_token(token: str, *, ip: str, user_agent: str):
-    """Refresh a session extending its expiry."""
-    session_record = db.data().sessions.get(token)
-    if not session_record:
-        raise ValueError("Session not found or expired")
-    updated = db.update_session(
-        token,
-        ip=ip,
-        user_agent=user_agent,
-        expiry=expires(),
-    )
-    if not updated:
-        raise ValueError("Session not found or expired")
-
-
 def delete_credential(credential_uuid: UUID, auth: str, host: str | None = None):
     """Delete a specific credential for the current user."""
-    ctx = db.get_session_context(auth, hostutil.normalize_host(host))
+    ctx = db.data().session_ctx(auth, hostutil.normalize_host(host))
     if not ctx:
         raise ValueError("Session expired")
     db.delete_credential(credential_uuid, ctx.user.uuid)

paskia/db/__init__.py

@@ -2,7 +2,7 @@
 Database module for WebAuthn passkey authentication.
 
 Read: Access data() directly, use build_* to convert to public structs.
-CTX: get_session_context(key) returns SessionContext with effective permissions.
+CTX: data().session_ctx(key) returns SessionContext with effective permissions.
 Write: Functions validate and commit, or raise ValueError.
 
 Usage:
@@ -13,7 +13,7 @@ Usage:
     user = db.build_user(user_uuid)
 
     # Context
-    ctx = db.get_session_context(session_key)
+    ctx = db.data().session_ctx(session_key)
 
     # Write
     db.create_user(user)
@@ -49,7 +49,6 @@ from paskia.db.operations import (
     delete_user,
     get_organization_users,
     get_reset_token,
-    get_session_context,
     get_user_credential_ids,
     get_user_organization,
     init,
@@ -113,7 +112,6 @@ __all__ = [
     # Read ops
     "get_organization_users",
     "get_reset_token",
-    "get_session_context",
     "get_user_credential_ids",
     "get_user_organization",
     # Write ops

paskia/db/background.py

@@ -6,7 +6,7 @@ Periodically flushes pending changes to disk and cleans up expired items.
 
 import asyncio
 import logging
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 
 from paskia.db.operations import _store, cleanup_expired
 
@@ -33,7 +33,7 @@ async def _background_loop():
     cleanup_expired()
     await flush()
 
-    last_cleanup = datetime.now(timezone.utc)
+    last_cleanup = datetime.now(UTC)
 
     while True:
         try:
@@ -42,7 +42,7 @@ async def _background_loop():
             await flush()
 
             # Run cleanup periodically
-            now = datetime.now(timezone.utc)
+            now = datetime.now(UTC)
             if (now - last_cleanup).total_seconds() >= CLEANUP_INTERVAL:
                 cleanup_expired()
                 await flush()  # Flush cleanup changes

paskia/db/jsonl.py

@@ -2,15 +2,11 @@
 JSONL persistence layer for the database.
 """
 
-from __future__ import annotations
-
 import copy
-import json
 import logging
-import sys
 from collections import deque
 from contextlib import contextmanager
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from pathlib import Path
 from typing import Any
 from uuid import UUID
@@ -19,7 +15,8 @@ import aiofiles
 import jsondiff
 import msgspec
 
-from paskia.db.migrations import apply_migrations
+from paskia.db.logging import log_change
+from paskia.db.migrations import DBVER, apply_all_migrations
 from paskia.db.structs import DB, SessionContext
 
 _logger = logging.getLogger(__name__)
@@ -33,6 +30,7 @@ class _ChangeRecord(msgspec.Struct, omit_defaults=True):
 
     ts: datetime
     a: str  # action - describes the operation (e.g., "migrate", "login", "create_user")
+    v: int  # schema version after this change
     u: str | None = None  # user UUID who performed the action (None for system)
     diff: dict = {}
 
@@ -41,43 +39,6 @@ class _ChangeRecord(msgspec.Struct, omit_defaults=True):
 _change_encoder = msgspec.json.Encoder()
 
 
-async def load_jsonl(db_path: Path) -> dict:
-    """Load data from disk by applying change log.
-
-    Replays all changes from JSONL file using plain dicts (to handle
-    schema evolution).
-
-    Args:
-        db_path: Path to the JSONL database file
-
-    Returns:
-        The final state after applying all changes
-
-    Raises:
-        ValueError: If file doesn't exist or cannot be loaded
-    """
-    if not db_path.exists():
-        raise ValueError(f"Database file not found: {db_path}")
-    data_dict: dict = {}
-    try:
-        # Read entire file at once and split into lines
-        async with aiofiles.open(db_path, "rb") as f:
-            content = await f.read()
-        for line_num, line in enumerate(content.split(b"\n"), 1):
-            line = line.strip()
-            if not line:
-                continue
-            try:
-                change = msgspec.json.decode(line)
-                # Apply the diff to current state (marshal=True for $-prefixed keys)
-                data_dict = jsondiff.patch(data_dict, change["diff"], marshal=True)
-            except Exception as e:
-                raise ValueError(f"Error parsing line {line_num}: {e}")
-    except (OSError, ValueError, msgspec.DecodeError) as e:
-        raise ValueError(f"Failed to load database: {e}")
-    return data_dict
-
-
 def compute_diff(previous: dict, current: dict) -> dict | None:
     """Compute JSON diff between two states.
 
@@ -93,19 +54,20 @@ def compute_diff(previous: dict, current: dict) -> dict | None:
 
 
 def create_change_record(
-    action: str, diff: dict, user: str | None = None
+    action: str, version: int, diff: dict, user: str | None = None
 ) -> _ChangeRecord:
     """Create a change record for persistence."""
     return _ChangeRecord(
-        ts=datetime.now(timezone.utc),
+        ts=datetime.now(UTC),
         a=action,
+        v=version,
         u=user,
         diff=diff,
     )
 
 
 # Actions that are allowed to create a new database file
-_BOOTSTRAP_ACTIONS = frozenset({"bootstrap", "migrate"})
+_BOOTSTRAP_ACTIONS = frozenset({"bootstrap", "migrate:sql"})
 
 
 async def flush_changes(
@@ -166,66 +128,89 @@ class JsonlStore:
         self._current_user: str | None = None
         self._in_transaction: bool = False
         self._transaction_snapshot: dict[str, Any] | None = None
+        self._current_version: int = DBVER  # Schema version for new databases
 
     async def load(self, db_path: str | None = None) -> None:
         """Load data from JSONL change log."""
         if db_path is not None:
             self.db_path = Path(db_path)
-        try:
-            data_dict = await load_jsonl(self.db_path)
-            if data_dict:
-                # Preserve original state before migrations (deep copy for nested dicts)
-                original_dict = copy.deepcopy(data_dict)
+        if not self.db_path.exists():
+            return
 
-                # Apply schema migrations (modifies data_dict in place)
-                migrated = apply_migrations(data_dict)
-
-                decoder = msgspec.json.Decoder(DB)
-                self.db = decoder.decode(msgspec.json.encode(data_dict))
-                self.db._store = self
+        # Replay change log to reconstruct state
+        data_dict: dict = {}
+        try:
+            async with aiofiles.open(self.db_path, "rb") as f:
+                content = await f.read()
+            for line_num, line in enumerate(content.split(b"\n"), 1):
+                line = line.strip()
+                if not line:
+                    continue
+                try:
+                    change = msgspec.json.decode(line)
+                    data_dict = jsondiff.patch(data_dict, change["diff"], marshal=True)
+                    self._current_version = change.get("v", 0)
+                except Exception as e:
+                    raise ValueError(f"Error parsing line {line_num}: {e}")
+        except (OSError, ValueError, msgspec.DecodeError) as e:
+            raise ValueError(f"Failed to load database: {e}")
+
+        if not data_dict:
+            return
+
+        # Set previous state for diffing (will be updated by _queue_change)
+        self._previous_builtins = copy.deepcopy(data_dict)
+
+        # Callback to persist each migration
+        async def persist_migration(
+            action: str, new_version: int, current: dict
+        ) -> None:
+            self._current_version = new_version
+            self._queue_change(action, new_version, current)
+
+        # Apply schema migrations one at a time
+        await apply_all_migrations(data_dict, self._current_version, persist_migration)
+
+        # Decode to msgspec struct
+        decoder = msgspec.json.Decoder(DB)
+        self.db = decoder.decode(msgspec.json.encode(data_dict))
+        self.db._store = self
+
+        # Normalize via msgspec round-trip (handles omit_defaults etc.)
+        # This ensures _previous_builtins matches what msgspec would produce
+        normalized_dict = msgspec.to_builtins(self.db)
+        await persist_migration(
+            "migrate:msgspec", self._current_version, normalized_dict
+        )
+
+    def _queue_change(
+        self, action: str, version: int, current: dict, user: str | None = None
+    ) -> None:
+        """Queue a change record and log it.
 
-                # Update previous state to migrated data FIRST (to avoid transaction hardening reset)
-                self._previous_builtins = data_dict
-
-                # Persist migration by manually computing and queueing the diff
-                if migrated:
-                    diff = compute_diff(original_dict, data_dict)
-                    if diff:
-                        self._pending_changes.append(
-                            create_change_record("migrate", diff, user=None)
-                        )
-                        _logger.info("Queued migration changes for persistence")
-                    await self.flush()
-        except ValueError:
-            if self.db_path.exists():
-                raise
-
-    def _queue_change(self) -> None:
-        current = msgspec.to_builtins(self.db)
+        Args:
+            action: The action name for the change record
+            version: The schema version for the change record
+            current: The current state as a plain dict
+            user: Optional user UUID who performed the action
+        """
         diff = compute_diff(self._previous_builtins, current)
-        if diff:
-            self._pending_changes.append(
-                create_change_record(self._current_action, diff, self._current_user)
-            )
-            self._previous_builtins = current
-            # Log the change with user display name if available
-            user_display = None
-            if self._current_user:
-                try:
-                    user_uuid = UUID(self._current_user)
-                    if user_uuid in self.db.users:
-                        user_display = self.db.users[user_uuid].display_name
-                except (ValueError, KeyError):
-                    user_display = self._current_user
-
-            diff_json = json.dumps(diff, default=str)
-            if user_display:
-                print(
-                    f"{self._current_action} by {user_display}: {diff_json}",
-                    file=sys.stderr,
-                )
-            else:
-                print(f"{self._current_action}: {diff_json}", file=sys.stderr)
+        if not diff:
+            return
+        self._pending_changes.append(create_change_record(action, version, diff, user))
+        self._previous_builtins = copy.deepcopy(current)
+
+        # Log the change with user display name if available
+        user_display = None
+        if user:
+            try:
+                user_uuid = UUID(user)
+                if user_uuid in self.db.users:
+                    user_display = self.db.users[user_uuid].display_name
+            except (ValueError, KeyError):
+                user_display = user
+
+        log_change(action, diff, user_display)
 
     @contextmanager
     def transaction(
@@ -248,19 +233,19 @@ class JsonlStore:
         # Check for out-of-transaction modifications
         current_state = msgspec.to_builtins(self.db)
         if current_state != self._previous_builtins:
-            diff = compute_diff(self._previous_builtins, current_state)
-            diff_json = json.dumps(diff, default=str, indent=2)
-            _logger.error(
-                "Database state modified outside of transaction! "
-                "This indicates a bug where DB changes occurred without a transaction wrapper. "
-                "Resetting to last known state from JSONL file.\n"
-                f"Changes detected:\n{diff_json}"
-            )
-            # Hard reset to last known good state
-            decoder = msgspec.json.Decoder(DB)
-            self.db = decoder.decode(msgspec.json.encode(self._previous_builtins))
-            self.db._store = self
-            current_state = self._previous_builtins.copy()
+            # Allow bootstrap/migrate to create a new database from empty state
+            is_bootstrap = action in _BOOTSTRAP_ACTIONS or action.startswith("migrate:")
+            if is_bootstrap and not self._previous_builtins:
+                pass  # Expected: creating database from scratch
+            else:
+                diff = compute_diff(self._previous_builtins, current_state)
+                diff_json = msgspec.json.encode(diff).decode()
+                _logger.critical(
+                    "Database state modified outside of transaction! "
+                    "This indicates a bug where DB changes occurred without a transaction wrapper.\n"
+                    f"Changes detected:\n{diff_json}"
+                )
+                raise SystemExit(1)
 
         old_action = self._current_action
         old_user = self._current_user
@@ -272,7 +257,10 @@ class JsonlStore:
 
         try:
             yield
-            self._queue_change()
+            current = msgspec.to_builtins(self.db)
+            self._queue_change(
+                self._current_action, self._current_version, current, self._current_user
+            )
         except Exception:
             # Rollback on error: restore from snapshot
             _logger.warning("Transaction '%s' failed, rolling back changes", action)

paskia/db/logging.py

@@ -0,0 +1,233 @@
+"""
+Database change logging with pretty-printed diffs.
+
+Provides a logger for JSONL database changes that formats diffs
+in a human-readable path.notation style with color coding.
+"""
+
+import logging
+import re
+import sys
+from typing import Any
+
+logger = logging.getLogger("paskia.db")
+
+# Pattern to match control characters and bidirectional overrides
+_UNSAFE_CHARS = re.compile(
+    r"[\x00-\x1f\x7f-\x9f"  # C0 and C1 control characters
+    r"\u200e\u200f"  # LRM, RLM
+    r"\u202a-\u202e"  # LRE, RLE, PDF, LRO, RLO
+    r"\u2066-\u2069"  # LRI, RLI, FSI, PDI
+    r"]"
+)
+
+# ANSI color codes (matching FastAPI logging style)
+_RESET = "\033[0m"
+_DIM = "\033[2m"
+_PATH_PREFIX = "\033[1;30m"  # Dark grey for path prefix (like host in access log)
+_PATH_FINAL = "\033[0m"  # Default for final element (like path in access log)
+_REPLACE = "\033[0;33m"  # Yellow for replacements
+_DELETE = "\033[0;31m"  # Red for deletions
+_ADD = "\033[0;32m"  # Green for additions
+_ACTION = "\033[1;34m"  # Bold blue for action name
+_USER = "\033[0;34m"  # Blue for user display
+
+
+def _use_color() -> bool:
+    """Check if we should use color output."""
+    return sys.stderr.isatty()
+
+
+def _format_value(value: Any, use_color: bool, max_len: int = 60) -> str:
+    """Format a value for display, truncating if needed."""
+    if value is None:
+        return "null"
+
+    if isinstance(value, bool):
+        return "true" if value else "false"
+
+    if isinstance(value, (int, float)):
+        return str(value)
+
+    if isinstance(value, str):
+        # Filter out control characters and bidirectional overrides
+        value = _UNSAFE_CHARS.sub("", value)
+        # Truncate long strings
+        if len(value) > max_len:
+            return value[: max_len - 3] + "..."
+        return value
+
+    if isinstance(value, dict):
+        if not value:
+            return "{}"
+        # For small dicts, show inline
+        if len(value) == 1:
+            k, v = next(iter(value.items()))
+            return "{" + f"{k}: {_format_value(v, use_color, max_len=30)}" + "}"
+        return f"{{...{len(value)} keys}}"
+
+    if isinstance(value, list):
+        if not value:
+            return "[]"
+        if len(value) == 1:
+            return "[" + _format_value(value[0], use_color, max_len=30) + "]"
+        return f"[...{len(value)} items]"
+
+    # Fallback for other types
+    text = str(value)
+    if len(text) > max_len:
+        text = text[: max_len - 3] + "..."
+    return text
+
+
+def _format_path(path: list[str], use_color: bool) -> str:
+    """Format a path as dot notation with prefix in dark grey, final in default."""
+    if not path:
+        return ""
+    if not use_color:
+        return ".".join(path)
+    if len(path) == 1:
+        return f"{_PATH_FINAL}{path[0]}{_RESET}"
+    prefix = ".".join(path[:-1])
+    final = path[-1]
+    return f"{_PATH_PREFIX}{prefix}.{_RESET}{_PATH_FINAL}{final}{_RESET}"
+
+
+def _collect_changes(
+    diff: dict, path: list[str], changes: list[tuple[str, list[str], Any, Any | None]]
+) -> None:
+    """
+    Recursively collect changes from a diff into a flat list.
+
+    Each change is a tuple of (change_type, path, new_value, old_value).
+    change_type is one of: 'set', 'replace', 'delete'
+    """
+    if not isinstance(diff, dict):
+        # Leaf value - this is a set operation
+        changes.append(("set", path, diff, None))
+        return
+
+    for key, value in diff.items():
+        if key == "$delete":
+            # $delete contains a list of keys to delete
+            if isinstance(value, list):
+                for deleted_key in value:
+                    changes.append(("delete", path + [str(deleted_key)], None, None))
+            else:
+                changes.append(("delete", path + [str(value)], None, None))
+
+        elif key == "$replace":
+            # $replace contains the new value for this path
+            if isinstance(value, dict):
+                # Replacing with a dict - show each key as a replacement
+                for rkey, rval in value.items():
+                    changes.append(("replace", path + [str(rkey)], rval, None))
+                if not value:
+                    # Empty replacement - clearing the collection
+                    changes.append(("replace", path, {}, None))
+            else:
+                changes.append(("replace", path, value, None))
+
+        elif key.startswith("$"):
+            # Other special operations (future-proofing)
+            changes.append(("set", path, {key: value}, None))
+
+        else:
+            # Regular nested key
+            _collect_changes(value, path + [str(key)], changes)
+
+
+def _format_change_line(
+    change_type: str, path: list[str], value: Any, use_color: bool
+) -> str:
+    """Format a single change as a one-line string."""
+    path_str = _format_path(path, use_color)
+    value_str = _format_value(value, use_color)
+
+    if change_type == "delete":
+        if use_color:
+            return f"  ❌  {path_str}"
+        return f"  - {path_str}"
+
+    if change_type == "replace":
+        if use_color:
+            return f"  {_REPLACE}⟳{_RESET} {path_str} {_DIM}={_RESET} {value_str}"
+        return f"  ~ {path_str} = {value_str}"
+
+    # Default: set/add
+    if use_color:
+        return f"  {_ADD}+{_RESET} {path_str} {_DIM}={_RESET} {value_str}"
+    return f"  + {path_str} = {value_str}"
+
+
+def format_diff(diff: dict) -> list[str]:
+    """
+    Format a JSON diff as human-readable lines.
+
+    Returns a list of formatted lines (without newlines).
+    Single changes return one line, multiple changes return multiple lines.
+    """
+    use_color = _use_color()
+    changes: list[tuple[str, list[str], Any, Any | None]] = []
+    _collect_changes(diff, [], changes)
+
+    if not changes:
+        return []
+
+    # Format each change
+    lines = []
+    for change_type, path, value, _ in changes:
+        lines.append(_format_change_line(change_type, path, value, use_color))
+
+    return lines
+
+
+def format_action_header(action: str, user_display: str | None = None) -> str:
+    """Format the action header line."""
+    use_color = _use_color()
+
+    if use_color:
+        action_str = f"{_ACTION}{action}{_RESET}"
+        if user_display:
+            user_str = f"{_USER}{user_display}{_RESET}"
+            return f"{action_str} by {user_str}"
+        return action_str
+    else:
+        if user_display:
+            return f"{action} by {user_display}"
+        return action
+
+
+def log_change(action: str, diff: dict, user_display: str | None = None) -> None:
+    """
+    Log a database change with pretty-printed diff.
+
+    Args:
+        action: The action name (e.g., "login", "admin:delete_user")
+        diff: The JSON diff dict
+        user_display: Optional display name of the user who performed the action
+    """
+    header = format_action_header(action, user_display)
+    diff_lines = format_diff(diff)
+
+    if not diff_lines:
+        logger.info(header)
+        return
+
+    if len(diff_lines) == 1:
+        # Single change - combine on one line
+        logger.info(f"{header}{diff_lines[0]}")
+    else:
+        # Multiple changes - header on its own line, then changes
+        logger.info(header)
+        for line in diff_lines:
+            logger.info(line)
+
+
+def configure_db_logging() -> None:
+    """Configure the database logger to output to stderr without prefix."""
+    handler = logging.StreamHandler(sys.stderr)
+    handler.setFormatter(logging.Formatter("%(message)s"))
+    logger.addHandler(handler)
+    logger.setLevel(logging.INFO)
+    logger.propagate = False