PyPI - regstack - Versions diffs - 0.5.0__tar.gz → 0.5.6__tar.gz - Mend

regstack 0.5.0tar.gz → 0.5.6tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

{regstack-0.5.0 → regstack-0.5.6}/.github/workflows/publish.yml RENAMED Viewed

@@ -61,4 +61,9 @@ jobs:
         with:
           name: dist
           path: dist/
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      # Pinned to a commit SHA, not the mutable `release/v1` branch — the
+      # publish job has `id-token: write`, so a tag/branch swap in the
+      # action repo would let an attacker push a malicious wheel under our
+      # OIDC identity. Update by resolving the latest SHA on `release/v1`
+      # and bumping the trailing comment to match.
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # release/v1

{regstack-0.5.0 → regstack-0.5.6}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,87 @@ authoritative copy lives at
 [`docs/changelog.md`](docs/changelog.md) and is rendered into the
 Sphinx docs.
+## 0.5.6 — 2026-05-13
+Eleven days of security-review remediation, supply-chain hardening,
+a full `mypy --strict` cleanup pass, and the per-route rate-limits
+feature rolled up into a single release.
+**Per-route IP rate limits.** Opt-in via the new `rate_limit` extra
+(or a host-supplied `slowapi.Limiter`) plus any of the new
+`RegStackConfig.*_rate_limit` fields (`login_rate_limit`,
+`register_rate_limit`, `forgot_password_rate_limit`,
+`reset_password_rate_limit`, `verify_rate_limit`,
+`resend_verification_rate_limit`, `change_password_rate_limit`,
+`change_email_rate_limit`, `confirm_email_change_rate_limit`,
+`delete_account_rate_limit`). Each accepts a slowapi-syntax string
+(`"5/minute"`, `"5/minute;20/hour"`). Empty / unset means no limit
+on that route — `LockoutService` still defends `/login` against
+credential stuffing per-account. When `*_rate_limit` strings are
+configured but neither a `rate_limiter=` argument is passed nor
+the `rate_limit` extra is installed, `RegStack.router` raises
+`RuntimeError` on first access — failing closed beats silently
+disabling the protection. Hosts remain responsible for
+`app.state.limiter` and `app.add_exception_handler(RateLimitExceeded, ...)`;
+slowapi owns the 429 response shape. The previously-reserved
+`login_max_per_minute` / `login_max_per_hour` fields are kept for
+back-compat but unwired.
+**Security fixes.**
+- JWT 401 detail now returns a static `"Invalid or expired token."`;
+  no longer leaks the pyjwt failure reason (signature mismatch /
+  expired / malformed / audience mismatch).
+- OAuth sign-in now honours `allow_registration=False`. Previously,
+  `/register` respected the flag but the OAuth `_resolve_user`
+  "brand-new account" branch did not, creating accounts even when
+  self-service signup was disabled.
+- Admin `DELETE /admin/users/{id}` now cascades `oauth_identities`,
+  matching the user-initiated `DELETE /account` path. Previously
+  left orphan rows that blocked re-registration of the same Google
+  subject.
+- `POST /phone/start` and `DELETE /phone` now return 400 (not crash
+  with HTTP 500) for OAuth-only users who have no `hashed_password`.
+**Breaking change — hook contracts.** `mfa_login_started` and
+`phone_setup_started` no longer include the raw OTP code in their
+kwargs. Hooks are best-effort observability and are the documented
+integration surface for analytics / logging / Slack notifications,
+so a plaintext OTP in `**kwargs` is a leak waiting to happen.
+Hosts that subscribed to either event to take over SMS delivery
+should migrate to a custom `SmsService` subclass — the supported
+delivery override.
+**Dependency floors raised for CVEs.**
+- `pyjwt>=2.12.1` for CVE-2026-32597 (`crit` header bypass, CVSS 7.5).
+- `cryptography>=46.0.7` added explicitly to the `oauth` extra for
+  CVE-2026-26007 (ECC subgroup attack on the JWKS code path, CVSS
+  8.2) plus CVE-2026-34073 and CVE-2026-39892.
+- `python-multipart>=0.0.26` for CVE-2026-40347 (DoS via oversized
+  multipart preamble).
+**Supply chain.** `pypa/gh-action-pypi-publish` in `publish.yml`
+pinned to a commit SHA instead of the mutable `release/v1` branch.
+The publish job holds `id-token: write`, so a tag/branch swap
+upstream would let an attacker push a malicious wheel under our
+OIDC identity.
+**Removed.** `PasswordHasher.needs_rehash` — called pwdlib's
+non-existent `check_needs_rehash` and would `AttributeError` if
+anyone invoked it. No callers in src or tests. If you were planning
+to use it, call `pwdlib.PasswordHash.verify_and_update` directly.
+**Internal.** 72 `mypy --strict` errors cleared across 35 files;
+`inv lint` is now green end-to-end. Mongo
+`BlacklistRepo.purge_expired` added (protocol parity with SQL).
+`KNOWN_EVENTS` reconciled — 7 previously-undeclared events added
+(`verification_requested`, `email_change_requested`, `email_changed`,
+`phone_setup_started`, `mfa_login_started`, `mfa_enabled`,
+`mfa_disabled`). `user_logged_out` now actually fires from
+`routers/logout.py` (was listed in `KNOWN_EVENTS` but no router
+emitted it).
 ## 0.3.0 — 2026-04-30
 **OAuth — Sign in with Google.** Opt-in via the new `oauth` extra

{regstack-0.5.0 → regstack-0.5.6}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: regstack
-Version: 0.5.0
+Version: 0.5.6
 Summary: Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB.
 Project-URL: Homepage, https://github.com/jdrumgoole/regstack
 Project-URL: Repository, https://github.com/jdrumgoole/regstack
@@ -27,8 +27,8 @@ Requires-Dist: jinja2>=3.1
 Requires-Dist: pwdlib[argon2]>=0.2.1
 Requires-Dist: pydantic-settings>=2.2
 Requires-Dist: pydantic>=2.6
-Requires-Dist: pyjwt>=2.8
-Requires-Dist: python-multipart>=0.0.9
+Requires-Dist: pyjwt>=2.12.1
+Requires-Dist: python-multipart>=0.0.26
 Requires-Dist: pywebview>=5.0
 Requires-Dist: sqlalchemy[asyncio]>=2.0
 Requires-Dist: tomlkit>=0.13
@@ -36,10 +36,11 @@ Requires-Dist: uvicorn[standard]>=0.29
 Provides-Extra: dev
 Requires-Dist: anyio>=4.3; extra == 'dev'
 Requires-Dist: asyncpg>=0.29; extra == 'dev'
+Requires-Dist: cryptography>=46.0.7; extra == 'dev'
 Requires-Dist: httpx>=0.27; extra == 'dev'
 Requires-Dist: invoke>=2.2; extra == 'dev'
 Requires-Dist: mypy>=1.10; extra == 'dev'
-Requires-Dist: pyjwt[crypto]>=2.8; extra == 'dev'
+Requires-Dist: pyjwt[crypto]>=2.12.1; extra == 'dev'
 Requires-Dist: pymongo>=4.9; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
 Requires-Dist: pytest-cov>=5.0; extra == 'dev'
@@ -47,6 +48,7 @@ Requires-Dist: pytest-playwright>=0.5; extra == 'dev'
 Requires-Dist: pytest-xdist>=3.5; extra == 'dev'
 Requires-Dist: pytest>=8.0; extra == 'dev'
 Requires-Dist: ruff>=0.4; extra == 'dev'
+Requires-Dist: slowapi>=0.1.9; extra == 'dev'
 Requires-Dist: uvicorn[standard]>=0.29; extra == 'dev'
 Provides-Extra: docs
 Requires-Dist: furo>=2024.1; extra == 'docs'
@@ -58,9 +60,12 @@ Requires-Dist: sphinx>=7.3; extra == 'docs'
 Provides-Extra: mongo
 Requires-Dist: pymongo>=4.9; extra == 'mongo'
 Provides-Extra: oauth
-Requires-Dist: pyjwt[crypto]>=2.8; extra == 'oauth'
+Requires-Dist: cryptography>=46.0.7; extra == 'oauth'
+Requires-Dist: pyjwt[crypto]>=2.12.1; extra == 'oauth'
 Provides-Extra: postgres
 Requires-Dist: asyncpg>=0.29; extra == 'postgres'
+Provides-Extra: rate-limit
+Requires-Dist: slowapi>=0.1.9; extra == 'rate-limit'
 Provides-Extra: ses
 Requires-Dist: aioboto3>=12.3; extra == 'ses'
 Provides-Extra: sns

{regstack-0.5.0 → regstack-0.5.6}/docs/architecture.md RENAMED Viewed

@@ -54,9 +54,13 @@ multi-tenant deployments where a single FastAPI app serves multiple
 The backend is auto-built from `config.database_url` if not supplied
 explicitly. URL scheme decides:
-- `sqlite+aiosqlite://` → SQLAlchemy backend in SQLite mode.
-- `postgresql+asyncpg://` → SQLAlchemy backend in Postgres mode.
-- `mongodb://` / `mongodb+srv://` → Mongo backend.
+- `sqlite+aiosqlite:///PATH` → SQLAlchemy backend in SQLite mode.
+  `PATH` is `./dbname.db` for a relative file, `/var/lib/app/dbname.db`
+  for an absolute file, or `:memory:` for an ephemeral in-process DB.
+- `postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname`
+  → SQLAlchemy backend in Postgres mode.
+- `mongodb://<username>:<password>@dbhost.example.com:27017/dbname`
+  (or `mongodb+srv://…`) → Mongo backend.
 The façade exposes:

{regstack-0.5.0 → regstack-0.5.6}/docs/changelog.md RENAMED Viewed

@@ -3,6 +3,127 @@
 All notable changes to this project are documented here. Versions follow
 [Semantic Versioning](https://semver.org/) once `1.0.0` ships.
+## 0.5.6 — 2026-05-13
+A rollup release that consolidates 11 days of security-review
+remediation, supply-chain hardening, a full `mypy --strict` pass,
+and the per-route rate-limits feature.
+### Added
+- **Per-route IP rate limits.** Opt-in via the new `rate_limit` extra
+  (or a host-supplied `slowapi.Limiter`) plus any of the new
+  `RegStackConfig.*_rate_limit` fields (`login_rate_limit`,
+  `register_rate_limit`, `forgot_password_rate_limit`,
+  `reset_password_rate_limit`, `verify_rate_limit`,
+  `resend_verification_rate_limit`, `change_password_rate_limit`,
+  `change_email_rate_limit`, `confirm_email_change_rate_limit`,
+  `delete_account_rate_limit`). Each accepts a slowapi-syntax string
+  (`"5/minute"`, `"5/minute;20/hour"`).
+- New constructor argument `RegStack(rate_limiter=...)`. When at
+  least one `*_rate_limit` field is set, regstack expects either
+  this argument or the `rate_limit` extra; failure to provide one
+  raises `RuntimeError` on first access to `regstack.router` —
+  failing closed beats silently disabling the protection. Hosts
+  remain responsible for `app.state.limiter` and the
+  `RateLimitExceeded` exception handler; slowapi owns the 429
+  response shape.
+- **`user_logged_out` hook now fires.** The event was listed in
+  `KNOWN_EVENTS` since M1 but no router ever emitted it.
+  `routers/logout.py` now fires `user_logged_out` (with a `user=`
+  kwarg) immediately after the bearer token is revoked.
+### Changed (security)
+- **JWT 401 responses no longer leak the pyjwt error reason.**
+  Replaced `f"Invalid token: {exc}"` with the static `"Invalid or
+  expired token."`. The pyjwt error text disclosed *why* a token was
+  rejected (signature mismatch, expired, malformed, audience
+  mismatch) — useful signal for an attacker probing the auth
+  surface.
+- **OAuth sign-in honours `allow_registration=False`.** `/register`
+  already did; the OAuth `_resolve_user` "brand-new account" branch
+  did not, so an operator who disabled self-service signup still got
+  accounts created via "Sign in with Google". The OAuth callback now
+  redirects with `?error=registration_disabled` if no existing
+  account matches and registration is disabled.
+- **Admin `DELETE /admin/users/{id}` now cascades
+  `oauth_identities`.** Matches the user-initiated `DELETE
+  /account` flow; previously left orphan rows that blocked the
+  Google subject from re-registering.
+- **`POST /phone/start` and `DELETE /phone` guard against OAuth-only
+  users.** Both endpoints previously crashed with HTTP 500 for
+  users with `hashed_password=None`. Both now return 400 with a
+  message pointing to forgot-password (which doubles as a "set
+  initial password" path).
+### Changed (BREAKING — hook contracts)
+- **`mfa_login_started` and `phone_setup_started` no longer include
+  the raw OTP code in their kwargs.** Hooks are best-effort
+  observability and are the documented integration surface for
+  analytics / logging / Slack notifications, so a plaintext OTP in
+  `**kwargs` is a leak waiting to happen — a host adding
+  `logger.info(kw)` to a hook handler is enough to put OTPs in a
+  log stream. Hosts that subscribed to either event to take over
+  SMS delivery should migrate to a custom `SmsService` subclass
+  (the supported delivery override). The other kwargs (`user`,
+  `phone`) remain.
+### Changed (deps)
+- `pyjwt>=2.12.1` (was `>=2.8`). Picks up CVE-2026-32597 (`crit`
+  header bypass, CVSS 7.5).
+- `cryptography>=46.0.7` added explicitly to the `oauth` extra
+  (was pulled transitively, unbounded). Picks up CVE-2026-26007
+  (ECC subgroup attack on the JWKS code path, CVSS 8.2) plus
+  CVE-2026-34073 and CVE-2026-39892.
+- `python-multipart>=0.0.26` (was `>=0.0.9`). Picks up
+  CVE-2026-40347 (DoS via oversized multipart preamble).
+- `pypa/gh-action-pypi-publish` in `publish.yml` pinned to a commit
+  SHA instead of the mutable `release/v1` branch. The publish job
+  holds `id-token: write`, so a tag/branch swap upstream would let
+  an attacker push a malicious wheel under our OIDC identity.
+### Removed
+- `PasswordHasher.needs_rehash` — called pwdlib's non-existent
+  `check_needs_rehash` and would `AttributeError` if anyone invoked
+  it. No callers in src or tests. If you were planning to use it,
+  call `pwdlib.PasswordHash.verify_and_update` directly.
+### Internal
+- 72 `mypy --strict` errors cleared across 35 files. `inv lint` is
+  green end-to-end (ruff + mypy). Still local-only — not yet a CI
+  gate.
+- Mongo `BlacklistRepo.purge_expired` added (was missing from the
+  Mongo impl; SQL impl already had it). Mongo's TTL index still
+  reaps automatically; the explicit `delete_many` is for protocol
+  parity and for tests that can't wait for the 60-second TTL
+  monitor.
+- `KNOWN_EVENTS` reconciled with reality: 7 previously-undeclared
+  events added (`verification_requested`, `email_change_requested`,
+  `email_changed`, `phone_setup_started`, `mfa_login_started`,
+  `mfa_enabled`, `mfa_disabled`).
+- `routers/_helpers.require_password_set` factored out of
+  `routers/account.py` and reused in `routers/phone.py`.
+- `AsyncDatabase[MongoDoc]` / `AsyncMongoClient[MongoDoc]`
+  parameterized across the Mongo backend so pymongo's typed stubs
+  are satisfied.
+### Notes
+- `LockoutService` (per-account, sliding-window failure counter) is
+  unchanged and continues to defend `/login` against
+  credential-stuffing against a single account. Per-route IP limits
+  are orthogonal: they defend each endpoint against a single source
+  IP spamming requests across many accounts.
+- The previously-reserved `login_max_per_minute` /
+  `login_max_per_hour` config fields are kept for back-compat but
+  no longer have any effect. Switch to the per-route fields when
+  you next touch your config.
 ## 0.5.0 — 2026-05-02
 ### Added

{regstack-0.5.0 → regstack-0.5.6}/docs/configuration.md RENAMED Viewed

@@ -85,9 +85,10 @@ regstack picks a backend at construction time from the URL scheme of
   - Notes
 * - SQLite
-  - `sqlite+aiosqlite:///./dbname.db`
+  - Relative file: `sqlite+aiosqlite:///./dbname.db`
   - Default. Bundled in the base install — no extras needed.
-    `:memory:` works too (per-test).
+    See [SQLite URL forms](#sqlite-url-forms) below for absolute-path
+    and in-memory variants.
 * - Postgres
   - `postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname`
   - Requires the `postgres` extra (pulls in `asyncpg`). The driver is
@@ -103,6 +104,41 @@ The active backend exposes the same five repository protocols on
 ``RegStack.users``, ``.pending``, ``.blacklist``, ``.attempts``,
 ``.mfa_codes``. Routers / hooks never branch on backend kind.
+### SQLite URL forms
+SQLite is the default backend and the only one whose URL points at a
+file rather than a network host. The shape is always:
+```
+sqlite+aiosqlite:///PATH
+```
+…where the prefix is fixed and `PATH` is whatever you want SQLAlchemy
+to open. Three useful values for `PATH`:
+| `PATH` | Resolves to | When to use it |
+|---|---|---|
+| `./dbname.db` | `dbname.db` in the process working directory | Local dev and the bundled `examples/` apps. |
+| `/var/lib/app/dbname.db` | the absolute file at that path | Production. Point it at the host's persistent volume. |
+| `:memory:` | per-process in-memory DB | Per-test fixtures only — contents vanish at process exit. |
+So the three full URLs are:
+```bash
+sqlite+aiosqlite:///./dbname.db
+sqlite+aiosqlite:////var/lib/app/dbname.db
+sqlite+aiosqlite:///:memory:
+```
+The absolute form looks like it has four slashes, but it's the same
+three-slash prefix as the others — the fourth slash is the leading
+`/` of the absolute path. This is the single most common SQLite-URL
+paper-cut.
+Both file forms create the file on first connection, so a fresh
+checkout running `uv run regstack init && uv run uvicorn …` works
+with no `mkdir` or `touch` step.
 ## JWT
 ```{list-table}

{regstack-0.5.0 → regstack-0.5.6}/docs/quickstart.md RENAMED Viewed

@@ -91,9 +91,14 @@ app.include_router(regstack.router, prefix=config.api_prefix)
 `RegStack` picks the right backend automatically from the URL scheme of
 `config.database_url`:
-- `sqlite+aiosqlite://` → SQLite via SQLAlchemy
-- `postgresql+asyncpg://` → Postgres via SQLAlchemy
-- `mongodb://` (or `mongodb+srv://`) → MongoDB
+- `sqlite+aiosqlite:///PATH` → SQLite via SQLAlchemy. `PATH` is the
+  filename (e.g. `./dbname.db`) or the literal `:memory:`. See
+  [SQLite URL forms](configuration.md#sqlite-url-forms) for the
+  absolute-path variant.
+- `postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname`
+  → Postgres via SQLAlchemy
+- `mongodb://<username>:<password>@dbhost.example.com:27017/dbname`
+  (or `mongodb+srv://…`) → MongoDB
 `install_schema()` is idempotent. On SQL backends it runs Alembic
 migrations to head; on MongoDB it ensures the indexes exist. Calling

{regstack-0.5.0 → regstack-0.5.6}/docs/security.md RENAMED Viewed

@@ -104,6 +104,51 @@ visible to logged-out users only.
   failures.
 - Disabled in tests via `rate_limit_disabled=True`.
+## Per-route IP rate limits
+Lockout defends each *account* against credential-stuffing. It does
+nothing for an IP that hammers `/forgot-password`, `/register`, or
+`/verify` against many accounts. For that, regstack supports
+slowapi-backed per-route IP rate limits:
+- Opt in by installing the `rate_limit` extra (`pip install
+  regstack[rate_limit]`) **or** by passing a host-built
+  `slowapi.Limiter` to `RegStack(rate_limiter=...)`. Hosts already
+  using slowapi should pass their own Limiter so it shares state
+  with the rest of the app.
+- Set any of the `*_rate_limit` config fields to a slowapi-syntax
+  string. Each empty / unset field means "no limit on this route":
+  ```toml
+  login_rate_limit = "30/minute;200/hour"
+  register_rate_limit = "10/minute;50/hour"
+  forgot_password_rate_limit = "5/minute;20/hour"
+  reset_password_rate_limit = "5/minute;20/hour"
+  verify_rate_limit = "10/minute;60/hour"
+  resend_verification_rate_limit = "5/minute;30/hour"
+  change_password_rate_limit = "5/minute;20/hour"
+  ```
+- Hosts still own slowapi's app-level wiring:
+  ```python
+  from slowapi import Limiter, _rate_limit_exceeded_handler
+  from slowapi.errors import RateLimitExceeded
+  from slowapi.util import get_remote_address
+  limiter = Limiter(key_func=get_remote_address)
+  app.state.limiter = limiter
+  app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+  rs = RegStack(config=cfg, rate_limiter=limiter)
+  app.include_router(rs.router, prefix="/api/auth")
+  ```
+- Failing closed: if `*_rate_limit` is set but neither a Limiter
+  nor the extra is available, `regstack.router` raises
+  `RuntimeError` on first access. We never silently disable a
+  configured protection.
 ## Email verification (durable, hashed token)
 - Random 32-byte URL-safe token, SHA-256 hashed in
@@ -267,9 +312,11 @@ avoids that:
 - **Content Security Policy headers.** regstack's SSR layer is
   CSP-friendly but the host emits the `Content-Security-Policy`
   response header.
-- **Rate-limiting beyond the per-account login lockout.** A future
-  milestone may add a `slowapi`-style middleware; for now host-level
-  rate limits are the right place to push back broad attack traffic.
+- **Rate-limiting beyond the per-account login lockout.** Per-route
+  IP limits ship as the optional `rate_limit` extra (see *Per-route
+  IP rate limits* above). Host-level rate limiting (nginx, Cloudfront,
+  …) is still the right place to push back broad attack traffic that
+  isn't worth letting hit Python at all.
 - **Backups, MongoDB user permissions, network-level isolation** between
   the app and the database.

{regstack-0.5.0 → regstack-0.5.6}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "regstack"
-version = "0.5.0"
+version = "0.5.6"
 description = "Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -21,11 +21,14 @@ dependencies = [
     "pydantic>=2.6",
     "pydantic-settings>=2.2",
     "pwdlib[argon2]>=0.2.1",
-    "pyjwt>=2.8",
+    # pyjwt>=2.12.1 includes the fix for CVE-2026-32597 (`crit` header bypass).
+    "pyjwt>=2.12.1",
     "jinja2>=3.1",
     "click>=8.1",
     "dnspython>=2.6",
-    "python-multipart>=0.0.9",
+    # python-multipart>=0.0.26 picks up CVE-2026-40347 (DoS via oversized
+    # multipart preamble).
+    "python-multipart>=0.0.26",
     "email-validator>=2.1",
     "aiosmtplib>=3.0",
     # SQL stack — bundled by default because SQLite is the default backend.
@@ -45,7 +48,15 @@ mongo = ["pymongo>=4.9"]
 ses = ["aioboto3>=12.3"]
 sns = ["aioboto3>=12.3"]
 twilio = ["twilio>=9.0"]
-oauth = ["pyjwt[crypto]>=2.8"]
+# cryptography>=46.0.7 picks up CVE-2026-26007 (ECC subgroup attack on the
+# JWKS code path) plus CVE-2026-34073 and CVE-2026-39892.
+oauth = ["pyjwt[crypto]>=2.12.1", "cryptography>=46.0.7"]
+# Per-route rate limiting on the auth router. The limiter itself can be
+# host-supplied (so hosts that already use slowapi share the same Limiter
+# state), otherwise regstack constructs an in-memory one.
+rate_limit = [
+    "slowapi>=0.1.9",
+]
 docs = [
     "sphinx>=7.3",
     "myst-parser>=3.0",
@@ -69,9 +80,12 @@ dev = [
     "pymongo>=4.9",
     "asyncpg>=0.29",
     # OAuth provider tests need the crypto bits to verify ID tokens.
-    "pyjwt[crypto]>=2.8",
+    "pyjwt[crypto]>=2.12.1",
+    "cryptography>=46.0.7",
     # E2E tests for the OAuth setup wizard (drives the SPA in headless Chromium).
     "pytest-playwright>=0.5",
+    # Rate-limit tests exercise the slowapi integration.
+    "slowapi>=0.1.9",
 ]
 [project.scripts]

regstack 0.5.0__tar.gz → 0.5.6__tar.gz

regstack 0.5.0tar.gz → 0.5.6tar.gz