PyPI - plain.auth - Versions diffs - 0.14.0__tar.gz → 0.16.0__tar.gz - Mend

plain.auth 0.14.0tar.gz → 0.16.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

plain_auth-0.16.0/PKG-INFO ADDED Viewed

@@ -0,0 +1,183 @@
+Metadata-Version: 2.4
+Name: plain.auth
+Version: 0.16.0
+Summary: Add users to your app and decide what they can access.
+Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
+License-File: LICENSE
+Requires-Python: >=3.11
+Requires-Dist: plain-models<1.0.0
+Requires-Dist: plain-sessions<1.0.0
+Requires-Dist: plain<1.0.0
+Description-Content-Type: text/markdown
+# plain.auth
+**Add users to your app and decide what they can access.**
+- [Overview](#overview)
+- [Authentication setup](#authentication-setup)
+    - [Settings configuration](#settings-configuration)
+    - [Creating a user model](#creating-a-user-model)
+    - [Login views](#login-views)
+- [Checking if a user is logged in](#checking-if-a-user-is-logged-in)
+- [Restricting views](#restricting-views)
+- [Installation](#installation)
+## Overview
+The `plain.auth` package provides user authentication and authorization for Plain applications. Here's a basic example of checking if a user is logged in:
+```python
+# In a view
+if request.user:
+    print(f"Hello, {request.user.email}!")
+else:
+    print("You are not logged in.")
+```
+And restricting a view to logged-in users:
+```python
+from plain.auth.views import AuthViewMixin
+from plain.views import View
+class ProfileView(AuthViewMixin, View):
+    login_required = True
+    def get(self):
+        return f"Welcome, {self.request.user.email}!"
+```
+## Authentication setup
+### Settings configuration
+Configure your authentication settings in `app/settings.py`:
+```python
+INSTALLED_PACKAGES = [
+    # ...
+    "plain.auth",
+    "plain.sessions",
+    "plain.passwords",  # Or another auth method
+]
+MIDDLEWARE = [
+    "plain.sessions.middleware.SessionMiddleware",
+    "plain.auth.middleware.AuthenticationMiddleware",
+]
+AUTH_USER_MODEL = "users.User"
+AUTH_LOGIN_URL = "login"
+```
+### Creating a user model
+Create your own user model using `plain create users` or manually:
+```python
+# app/users/models.py
+from plain import models
+from plain.passwords.models import PasswordField
+class User(models.Model):
+    email = models.EmailField()
+    password = PasswordField()
+    is_admin = models.BooleanField(default=False)
+    created_at = models.DateTimeField(auto_now_add=True)
+    def __str__(self):
+        return self.email
+```
+### Login views
+To log users in, you'll need to pair this package with an authentication method:
+- `plain-passwords` - Username/password authentication
+- `plain-oauth` - OAuth provider authentication
+- `plain-passkeys` (TBD) - WebAuthn/passkey authentication
+- `plain-passlinks` (TBD) - Magic link authentication
+Example with password authentication:
+```python
+# app/urls.py
+from plain.auth.views import LogoutView
+from plain.urls import path
+from plain.passwords.views import PasswordLoginView
+class LoginView(PasswordLoginView):
+    template_name = "login.html"
+urlpatterns = [
+    path("logout/", LogoutView, name="logout"),
+    path("login/", LoginView, name="login"),
+]
+```
+## Checking if a user is logged in
+A `request.user` will either be `None` or point to an instance of your `AUTH_USER_MODEL`.
+In templates:
+```html
+{% if request.user %}
+    <p>Hello, {{ request.user.email }}!</p>
+{% else %}
+    <p>You are not logged in.</p>
+{% endif %}
+```
+In Python code:
+```python
+if request.user:
+    print(f"Hello, {request.user.email}!")
+else:
+    print("You are not logged in.")
+```
+## Restricting views
+Use the [`AuthViewMixin`](./views.py#AuthViewMixin) to restrict views to logged-in users, admin users, or custom logic:
+```python
+from plain.auth.views import AuthViewMixin
+from plain.exceptions import PermissionDenied
+from plain.views import View
+class LoggedInView(AuthViewMixin, View):
+    login_required = True
+class AdminOnlyView(AuthViewMixin, View):
+    login_required = True
+    admin_required = True
+class CustomPermissionView(AuthViewMixin, View):
+    def check_auth(self):
+        super().check_auth()
+        if not self.request.user.is_special:
+            raise PermissionDenied("You're not special!")
+```
+The [`AuthViewMixin`](./views.py#AuthViewMixin) provides:
+- `login_required` - Requires a logged-in user
+- `admin_required` - Requires `user.is_admin` to be True
+- `check_auth()` - Override for custom authorization logic
+## Installation
+Install the `plain.auth` package from [PyPI](https://pypi.org/project/plain.auth/):
+```bash
+uv add plain.auth
+```

plain_auth-0.16.0/plain/auth/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,43 @@
+# plain-auth changelog
+## [0.16.0](https://github.com/dropseed/plain/releases/plain-auth@0.16.0) (2025-08-19)
+### What's changed
+- Removed automatic CSRF token rotation on login as part of CSRF system refactor using Sec-Fetch-Site headers ([9551508](https://github.com/dropseed/plain/commit/955150800c))
+- Updated README with improved documentation, examples, and better package description ([4ebecd1](https://github.com/dropseed/plain/commit/4ebecd1856))
+### Upgrade instructions
+- No changes required
+## [0.15.0](https://github.com/dropseed/plain/releases/plain-auth@0.15.0) (2025-07-22)
+### What's changed
+- Replaced `pk` field references with `id` field references in session management ([4b8fa6a](https://github.com/dropseed/plain/commit/4b8fa6aef1))
+- Simplified user ID handling in sessions by using direct integer storage instead of field serialization ([4b8fa6a](https://github.com/dropseed/plain/commit/4b8fa6aef1))
+### Upgrade instructions
+- No changes required
+## [0.14.0](https://github.com/dropseed/plain/releases/plain-auth@0.14.0) (2025-07-18)
+### What's changed
+- Added OpenTelemetry tracing support with automatic user ID attribute setting in auth middleware ([b0224d0](https://github.com/dropseed/plain/commit/b0224d0418))
+### Upgrade instructions
+- No changes required
+## [0.13.0](https://github.com/dropseed/plain/releases/plain-auth@0.13.0) (2025-06-23)
+### What's changed
+- Added `login_client` and `logout_client` helpers to `plain.auth.test` for easily logging users in and out of the Django test client ([eb8a023](https://github.com/dropseed/plain/commit/eb8a023)).
+### Upgrade instructions
+- No changes required

plain_auth-0.16.0/plain/auth/README.md ADDED Viewed

@@ -0,0 +1,171 @@
+# plain.auth
+**Add users to your app and decide what they can access.**
+- [Overview](#overview)
+- [Authentication setup](#authentication-setup)
+    - [Settings configuration](#settings-configuration)
+    - [Creating a user model](#creating-a-user-model)
+    - [Login views](#login-views)
+- [Checking if a user is logged in](#checking-if-a-user-is-logged-in)
+- [Restricting views](#restricting-views)
+- [Installation](#installation)
+## Overview
+The `plain.auth` package provides user authentication and authorization for Plain applications. Here's a basic example of checking if a user is logged in:
+```python
+# In a view
+if request.user:
+    print(f"Hello, {request.user.email}!")
+else:
+    print("You are not logged in.")
+```
+And restricting a view to logged-in users:
+```python
+from plain.auth.views import AuthViewMixin
+from plain.views import View
+class ProfileView(AuthViewMixin, View):
+    login_required = True
+    def get(self):
+        return f"Welcome, {self.request.user.email}!"
+```
+## Authentication setup
+### Settings configuration
+Configure your authentication settings in `app/settings.py`:
+```python
+INSTALLED_PACKAGES = [
+    # ...
+    "plain.auth",
+    "plain.sessions",
+    "plain.passwords",  # Or another auth method
+]
+MIDDLEWARE = [
+    "plain.sessions.middleware.SessionMiddleware",
+    "plain.auth.middleware.AuthenticationMiddleware",
+]
+AUTH_USER_MODEL = "users.User"
+AUTH_LOGIN_URL = "login"
+```
+### Creating a user model
+Create your own user model using `plain create users` or manually:
+```python
+# app/users/models.py
+from plain import models
+from plain.passwords.models import PasswordField
+class User(models.Model):
+    email = models.EmailField()
+    password = PasswordField()
+    is_admin = models.BooleanField(default=False)
+    created_at = models.DateTimeField(auto_now_add=True)
+    def __str__(self):
+        return self.email
+```
+### Login views
+To log users in, you'll need to pair this package with an authentication method:
+- `plain-passwords` - Username/password authentication
+- `plain-oauth` - OAuth provider authentication
+- `plain-passkeys` (TBD) - WebAuthn/passkey authentication
+- `plain-passlinks` (TBD) - Magic link authentication
+Example with password authentication:
+```python
+# app/urls.py
+from plain.auth.views import LogoutView
+from plain.urls import path
+from plain.passwords.views import PasswordLoginView
+class LoginView(PasswordLoginView):
+    template_name = "login.html"
+urlpatterns = [
+    path("logout/", LogoutView, name="logout"),
+    path("login/", LoginView, name="login"),
+]
+```
+## Checking if a user is logged in
+A `request.user` will either be `None` or point to an instance of your `AUTH_USER_MODEL`.
+In templates:
+```html
+{% if request.user %}
+    <p>Hello, {{ request.user.email }}!</p>
+{% else %}
+    <p>You are not logged in.</p>
+{% endif %}
+```
+In Python code:
+```python
+if request.user:
+    print(f"Hello, {request.user.email}!")
+else:
+    print("You are not logged in.")
+```
+## Restricting views
+Use the [`AuthViewMixin`](./views.py#AuthViewMixin) to restrict views to logged-in users, admin users, or custom logic:
+```python
+from plain.auth.views import AuthViewMixin
+from plain.exceptions import PermissionDenied
+from plain.views import View
+class LoggedInView(AuthViewMixin, View):
+    login_required = True
+class AdminOnlyView(AuthViewMixin, View):
+    login_required = True
+    admin_required = True
+class CustomPermissionView(AuthViewMixin, View):
+    def check_auth(self):
+        super().check_auth()
+        if not self.request.user.is_special:
+            raise PermissionDenied("You're not special!")
+```
+The [`AuthViewMixin`](./views.py#AuthViewMixin) provides:
+- `login_required` - Requires a logged-in user
+- `admin_required` - Requires `user.is_admin` to be True
+- `check_auth()` - Override for custom authorization logic
+## Installation
+Install the `plain.auth` package from [PyPI](https://pypi.org/project/plain.auth/):
+```bash
+uv add plain.auth
+```

{plain_auth-0.14.0 → plain_auth-0.16.0}/plain/auth/sessions.py RENAMED Viewed

@@ -1,4 +1,3 @@
-from plain.csrf.middleware import rotate_token
 from plain.exceptions import ImproperlyConfigured
 from plain.models import models_registry
 from plain.runtime import settings
@@ -8,12 +7,6 @@ USER_ID_SESSION_KEY = "_auth_user_id"
 USER_HASH_SESSION_KEY = "_auth_user_hash"
-def _get_user_id_from_session(request):
-    # This value in the session is always serialized to a string, so we need
-    # to convert it back to Python whenever we access it.
-    return get_user_model()._meta.pk.to_python(request.session[USER_ID_SESSION_KEY])
 def get_session_auth_hash(user):
     """
     Return an HMAC of the password field.
@@ -62,7 +55,7 @@ def login(request, user):
         session_auth_hash = ""
     if USER_ID_SESSION_KEY in request.session:
-        if _get_user_id_from_session(request) != user.pk:
+        if int(request.session[USER_ID_SESSION_KEY]) != user.id:
             # To avoid reusing another user's session, create a new, empty
             # session if the existing session corresponds to a different
             # authenticated user.
@@ -78,11 +71,10 @@ def login(request, user):
         # typically done after user login to prevent session fixation attacks.
         request.session.cycle_key()
-    request.session[USER_ID_SESSION_KEY] = user._meta.pk.value_to_string(user)
+    request.session[USER_ID_SESSION_KEY] = user.id
     request.session[USER_HASH_SESSION_KEY] = session_auth_hash
     if hasattr(request, "user"):
         request.user = user
-    rotate_token(request)
 def logout(request):
@@ -121,11 +113,9 @@ def get_user(request):
     if USER_ID_SESSION_KEY not in request.session:
         return None
-    user_id = _get_user_id_from_session(request)
     UserModel = get_user_model()
     try:
-        user = UserModel._default_manager.get(pk=user_id)
+        user = UserModel._default_manager.get(id=request.session[USER_ID_SESSION_KEY])
     except UserModel.DoesNotExist:
         return None

{plain_auth-0.14.0 → plain_auth-0.16.0}/pyproject.toml RENAMED Viewed

@@ -1,7 +1,7 @@
 [project]
 name = "plain.auth"
-version = "0.14.0"
-description = "User authentication and authorization for Plain."
+version = "0.16.0"
+description = "Add users to your app and decide what they can access."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"
 requires-python = ">=3.11"

{plain_auth-0.14.0 → plain_auth-0.16.0}/tests/app/users/migrations/0001_initial.py RENAMED Viewed

@@ -13,7 +13,7 @@ class Migration(migrations.Migration):
         migrations.CreateModel(
             name="User",
             fields=[
-                ("id", models.BigAutoField(auto_created=True, primary_key=True)),
+                ("id", models.PrimaryKeyField()),
                 ("username", models.CharField(max_length=255)),
                 ("is_admin", models.BooleanField(default=False)),
             ],

plain_auth-0.14.0/PKG-INFO DELETED Viewed

@@ -1,128 +0,0 @@
-Metadata-Version: 2.4
-Name: plain.auth
-Version: 0.14.0
-Summary: User authentication and authorization for Plain.
-Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
-License-File: LICENSE
-Requires-Python: >=3.11
-Requires-Dist: plain-models<1.0.0
-Requires-Dist: plain-sessions<1.0.0
-Requires-Dist: plain<1.0.0
-Description-Content-Type: text/markdown
-# plain.auth
-Add users to your app and define which views they can access.
-To log a user in, you'll want to pair this package with:
-- `plain-passwords`
-- `plain-oauth`
-- `plain-passkeys` (TBD)
-- `plain-passlinks` (TBD)
-## Installation
-```python
-# app/settings.py
-INSTALLED_PACKAGES = [
-    # ...
-    "plain.auth",
-    "plain.sessions",
-    "plain.passwords",
-]
-MIDDLEWARE = [
-    "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
-]
-AUTH_USER_MODEL = "users.User"
-AUTH_LOGIN_URL = "login"
-```
-Create your own user model (`plain create users`).
-```python
-# app/users/models.py
-from plain import models
-from plain.passwords.models import PasswordField
-class User(models.Model):
-    email = models.EmailField()
-    password = PasswordField()
-    is_admin = models.BooleanField(default=False)
-    created_at = models.DateTimeField(auto_now_add=True)
-    def __str__(self):
-        return self.email
-```
-Define your URL/view where users can log in.
-```python
-# app/urls.py
-from plain.auth.views import LoginView, LogoutView
-from plain.urls import include, path
-from plain.passwords.views import PasswordLoginView
-class LoginView(PasswordLoginView):
-    template_name = "login.html"
-urlpatterns = [
-    path("logout/", LogoutView, name="logout"),
-    path("login/", LoginView, name="login"),
-]
-```
-## Checking if a user is logged in
-A `request.user` will either be `None` or point to an instance of a your `AUTH_USER_MODEL`.
-So in templates you can do:
-```html
-{% if request.user %}
-    <p>Hello, {{ request.user.email }}!</p>
-{% else %}
-    <p>You are not logged in.</p>
-{% endif %}
-```
-Or in Python:
-```python
-if request.user:
-    print(f"Hello, {request.user.email}!")
-else:
-    print("You are not logged in.")
-```
-## Restricting views
-Use the `AuthViewMixin` to restrict views to logged in users, admin users, or custom logic.
-```python
-from plain.auth.views import AuthViewMixin
-from plain.exceptions import PermissionDenied
-from plain.views import View
-class LoggedInView(AuthViewMixin, View):
-    login_required = True
-class AdminOnlyView(AuthViewMixin, View):
-    login_required = True
-    admin_required = True
-class CustomPermissionView(AuthViewMixin, View):
-    def check_auth(self):
-        super().check_auth()
-        if not self.request.user.is_special:
-            raise PermissionDenied("You're not special!")
-```

plain_auth-0.14.0/plain/auth/CHANGELOG.md DELETED Viewed

@@ -1,21 +0,0 @@
-# plain-auth changelog
-## [0.14.0](https://github.com/dropseed/plain/releases/plain-auth@0.14.0) (2025-07-18)
-### What's changed
-- Added OpenTelemetry tracing support with automatic user ID attribute setting in auth middleware ([b0224d0](https://github.com/dropseed/plain/commit/b0224d0418))
-### Upgrade instructions
-- No changes required
-## [0.13.0](https://github.com/dropseed/plain/releases/plain-auth@0.13.0) (2025-06-23)
-### What's changed
-- Added `login_client` and `logout_client` helpers to `plain.auth.test` for easily logging users in and out of the Django test client ([eb8a023](https://github.com/dropseed/plain/commit/eb8a023)).
-### Upgrade instructions
-- No changes required

plain_auth-0.14.0/plain/auth/README.md DELETED Viewed

@@ -1,116 +0,0 @@
-# plain.auth
-Add users to your app and define which views they can access.
-To log a user in, you'll want to pair this package with:
-- `plain-passwords`
-- `plain-oauth`
-- `plain-passkeys` (TBD)
-- `plain-passlinks` (TBD)
-## Installation
-```python
-# app/settings.py
-INSTALLED_PACKAGES = [
-    # ...
-    "plain.auth",
-    "plain.sessions",
-    "plain.passwords",
-]
-MIDDLEWARE = [
-    "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
-]
-AUTH_USER_MODEL = "users.User"
-AUTH_LOGIN_URL = "login"
-```
-Create your own user model (`plain create users`).
-```python
-# app/users/models.py
-from plain import models
-from plain.passwords.models import PasswordField
-class User(models.Model):
-    email = models.EmailField()
-    password = PasswordField()
-    is_admin = models.BooleanField(default=False)
-    created_at = models.DateTimeField(auto_now_add=True)
-    def __str__(self):
-        return self.email
-```
-Define your URL/view where users can log in.
-```python
-# app/urls.py
-from plain.auth.views import LoginView, LogoutView
-from plain.urls import include, path
-from plain.passwords.views import PasswordLoginView
-class LoginView(PasswordLoginView):
-    template_name = "login.html"
-urlpatterns = [
-    path("logout/", LogoutView, name="logout"),
-    path("login/", LoginView, name="login"),
-]
-```
-## Checking if a user is logged in
-A `request.user` will either be `None` or point to an instance of a your `AUTH_USER_MODEL`.
-So in templates you can do:
-```html
-{% if request.user %}
-    <p>Hello, {{ request.user.email }}!</p>
-{% else %}
-    <p>You are not logged in.</p>
-{% endif %}
-```
-Or in Python:
-```python
-if request.user:
-    print(f"Hello, {request.user.email}!")
-else:
-    print("You are not logged in.")
-```
-## Restricting views
-Use the `AuthViewMixin` to restrict views to logged in users, admin users, or custom logic.
-```python
-from plain.auth.views import AuthViewMixin
-from plain.exceptions import PermissionDenied
-from plain.views import View
-class LoggedInView(AuthViewMixin, View):
-    login_required = True
-class AdminOnlyView(AuthViewMixin, View):
-    login_required = True
-    admin_required = True
-class CustomPermissionView(AuthViewMixin, View):
-    def check_auth(self):
-        super().check_auth()
-        if not self.request.user.is_special:
-            raise PermissionDenied("You're not special!")
-```