PyPI - regstack - Versions diffs - 0.8.1__tar.gz → 0.8.3__tar.gz - Mend

regstack 0.8.1tar.gz → 0.8.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (185) hide show

{regstack-0.8.1 → regstack-0.8.3}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,61 @@ Sphinx docs.
 ## Unreleased
+## 0.8.3 — 2026-06-12
+Closes out the 2026-05-15 → 2026-05-22 daily security-review series,
+fixes `was_new_account` on the OAuth exchange (new migration `0003`),
+and stops the test suite leaking MongoDB databases.
+**Fixed: Google JWKS fetch now has a timeout.** `PyJWKClient` was
+constructed without a `timeout`, so the synchronous `urllib` fetch
+(offloaded to `asyncio.to_thread`) could pin a worker thread
+indefinitely during a Google JWKS outage and, under sustained load,
+exhaust the bounded asyncio thread pool. Added a 5-second
+`JWKS_FETCH_TIMEOUT_SECONDS`. (Daily security review 2026-05-22 · W-1.)
+**Fixed: Google OAuth token-exchange error no longer logs the full
+provider response body at WARNING.** On a non-200 token exchange the
+provider's response body is now logged at DEBUG; the raised
+`OAuthTokenExchangeError` (which the router logs at WARNING) carries only
+`HTTP <status>`. (Daily security review 2026-05-22 · I-3.)
+**Fixed: `/oauth/exchange` now reports `was_new_account` accurately.**
+The field was hardcoded `False`; the callback computed whether it created
+a brand-new account but had nowhere to persist it. Added
+`oauth_states.result_was_new` (migration `0003`) which the callback sets
+and the exchange endpoint reads. (Daily security review 2026-05-22 · I-1.)
+**Documented: `phone_number` exposure in the admin user listing.**
+`docs/security.md` now spells out that `UserPublic.phone_number` is
+returned in plaintext on `GET /admin/users` (regulated PII in some
+jurisdictions) and that hosts wanting to mask/omit it should wrap the
+admin listing in their own response model. (Daily security review
+2026-05-21 · I-2.)
+**Fixed: `FrozenClock` now defaults to the far future (2125-01-01).**
+MongoDB's TTL monitor uses real wall-clock time, so the old 2025-01-01
+default meant every TTL-indexed test row was born already-expired and
+could be reaped mid-test when a ~60s TTL sweep landed — a rare,
+mongo-only parallel flake. A far-future pin keeps the reaper out of
+reach while staying deterministic.
+**Fixed: test runs no longer leak MongoDB databases.** Tests using the
+`make_client` factory bypassed the only fixture that dropped the
+per-test database, leaking one `regstack_test_*` DB per test per run.
+A teardown fixture wired into `config` now drops the DB on every path,
+a run-token-scoped `pytest_sessionfinish` sweep catches anything a
+crashed worker leaves behind, and `inv clean-test-dbs` purges leftovers
+from hard-killed runs.
+**Triaged: CVE-2026-2978 / CVE-2026-2979 not applicable.** Flagged for
+monitoring in the 2026-05-22 review; published NVD details show both
+affect the third-party "FastApiAdmin" project, not the `fastapi`
+library. regstack has no `fastapi-admin` dependency and no fastapi-core
+advisories affect versions ≥ 0.120.0 (our floor). Triage note recorded
+beside the floor in `pyproject.toml`. (Daily security review
+2026-05-22 · I-2.)
 ## 0.8.0 — 2026-05-19
 `regstack ses setup` guided wizard, plus two security fixes from

{regstack-0.8.1 → regstack-0.8.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: regstack
-Version: 0.8.1
+Version: 0.8.3
 Summary: Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB.
 Project-URL: Homepage, https://github.com/jdrumgoole/regstack
 Project-URL: Repository, https://github.com/jdrumgoole/regstack

{regstack-0.8.1 → regstack-0.8.3}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "regstack"
-version = "0.8.1"
+version = "0.8.3"
 description = "Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -19,6 +19,9 @@ classifiers = [
 dependencies = [
     # fastapi>=0.120.0 picks up CVE-2025-62727 (Starlette DoS via large
     # request bodies after multipart processing).
+    # CVE-2026-2978 / CVE-2026-2979 (flagged for monitoring in the
+    # 2026-05-22 security review, I-2) affect the third-party
+    # "FastApiAdmin" project, not fastapi itself — no floor bump needed.
     "fastapi>=0.120.0",
     "pydantic>=2.6",
     "pydantic-settings>=2.2",

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/auth/clock.py RENAMED Viewed

@@ -42,14 +42,23 @@ class FrozenClock:
     """
     def __init__(self, start: datetime | None = None) -> None:
-        """Pin the clock at ``start`` (default 2025-01-01 UTC).
+        """Pin the clock at ``start`` (default 2125-01-01 UTC).
+        The default is deliberately ~100 years in the *future*. MongoDB's
+        TTL monitor deletes documents by comparing their ``expires_at``
+        against real wall-clock time on a ~60s cycle — it knows nothing
+        about this injected clock. A frozen "now" in the past would give
+        every TTL-indexed test row (oauth_states, pending_registrations,
+        mfa_codes, login_attempts, blacklist) an already-elapsed
+        ``expires_at``, and any test straddling a TTL sweep would have
+        its rows reaped mid-flight. A far-future pin keeps the reaper
+        permanently out of reach while staying deterministic.
         Args:
             start: The initial timestamp. Should be tz-aware. Defaults
-                to ``2025-01-01T00:00:00Z`` so test datetimes are
-                memorable.
+                to ``2125-01-01T00:00:00Z``.
         """
-        self._now = start or datetime(2025, 1, 1, tzinfo=UTC)
+        self._now = start or datetime(2125, 1, 1, tzinfo=UTC)
     def now(self) -> datetime:
         """Return the currently-pinned timestamp."""

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/backends/mongo/repositories/oauth_state_repo.py RENAMED Viewed

@@ -31,8 +31,9 @@ class MongoOAuthStateRepo:
         token: str,
         *,
         new_expires_at: datetime | None = None,
+        was_new: bool = False,
     ) -> None:
-        updates: dict[str, Any] = {"result_token": token}
+        updates: dict[str, Any] = {"result_token": token, "result_was_new": was_new}
         if new_expires_at is not None:
             updates["expires_at"] = new_expires_at
         await self._collection.update_one(

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/backends/protocols.py RENAMED Viewed

@@ -295,6 +295,7 @@ class OAuthStateRepoProtocol(Protocol):
         token: str,
         *,
         new_expires_at: datetime | None = None,
+        was_new: bool = False,
     ) -> None:
         """Stash the session JWT after a successful callback so the
         SPA can pick it up via :meth:`consume`.
@@ -305,6 +306,10 @@ class OAuthStateRepoProtocol(Protocol):
         ``oauth.state_ttl_seconds`` (covering the round-trip with
         the provider) to ``oauth.completion_ttl_seconds`` (covering
         only the SPA's exchange call after the callback lands).
+        ``was_new`` records whether the callback created a brand-new
+        account, so the exchange response can report
+        ``was_new_account`` accurately.
         """
         ...

regstack-0.8.3/src/regstack/backends/sql/migrations/versions/0003_oauth_state_result_was_new.py ADDED Viewed

@@ -0,0 +1,44 @@
+"""Add oauth_states.result_was_new.
+Revision ID: 0003
+Revises: 0002
+Create Date: 2026-06-04
+The OAuth callback computes whether it created a brand-new account
+(vs. signing an existing one in) but had nowhere to persist it, so the
+``POST /oauth/exchange`` response always reported
+``was_new_account=False``. This adds the column the callback writes and
+the exchange endpoint reads (Security review 2026-05-22 · I-1).
+The column is NOT NULL with a ``False`` server default so the in-flight
+state rows that exist at migration time (if any) get a sensible value
+without a backfill. ``batch_alter_table`` keeps the ADD COLUMN safe on
+SQLite.
+"""
+from __future__ import annotations
+import sqlalchemy as sa
+from alembic import op
+revision: str = "0003"
+down_revision: str | None = "0002"
+branch_labels: tuple[str, ...] | None = None
+depends_on: str | None = None
+def upgrade() -> None:
+    with op.batch_alter_table("oauth_states") as batch_op:
+        batch_op.add_column(
+            sa.Column(
+                "result_was_new",
+                sa.Boolean(),
+                nullable=False,
+                server_default=sa.false(),
+            )
+        )
+def downgrade() -> None:
+    with op.batch_alter_table("oauth_states") as batch_op:
+        batch_op.drop_column("result_was_new")

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/backends/sql/repositories/oauth_state_repo.py RENAMED Viewed

@@ -34,6 +34,7 @@ class SqlOAuthStateRepo:
             "created_at": state.created_at,
             "expires_at": state.expires_at,
             "result_token": state.result_token,
+            "result_was_new": state.result_was_new,
         }
         async with self._engine.begin() as conn:
             await conn.execute(self._t.insert().values(values))
@@ -50,8 +51,9 @@ class SqlOAuthStateRepo:
         token: str,
         *,
         new_expires_at: datetime | None = None,
+        was_new: bool = False,
     ) -> None:
-        values: dict[str, Any] = {"result_token": token}
+        values: dict[str, Any] = {"result_token": token, "result_was_new": was_new}
         if new_expires_at is not None:
             values["expires_at"] = new_expires_at
         stmt = update(self._t).where(self._t.c.id == state_id).values(**values)

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/backends/sql/schema.py RENAMED Viewed

@@ -162,6 +162,7 @@ def _oauth_states(table_name: str) -> Table:
         Column("created_at", UtcDateTime(), nullable=False),
         Column("expires_at", UtcDateTime(), nullable=False),
         Column("result_token", Text, nullable=True),
+        Column("result_was_new", Boolean, nullable=False, default=False),
         Index("ix_oauth_states_expires_at", "expires_at"),
         CheckConstraint("mode IN ('signin', 'link')", name="mode_valid"),
     )

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/cli/_results.py RENAMED Viewed

@@ -15,6 +15,7 @@ class CheckResult:
     ok: bool
     detail: str
     skipped: bool = False
+    warn: bool = False
     @classmethod
     def passed(cls, name: str, detail: str) -> CheckResult:
@@ -27,3 +28,11 @@ class CheckResult:
     @classmethod
     def skip(cls, name: str, detail: str) -> CheckResult:
         return cls(name=name, ok=True, detail=detail, skipped=True)
+    @classmethod
+    def warned(cls, name: str, detail: str) -> CheckResult:
+        """An advisory finding: not a hard failure (``ok=True`` so it
+        doesn't fail the command), but surfaced distinctly so operators
+        notice it. Used for things outside regstack's control that the
+        operator should act on — e.g. an out-of-date database server."""
+        return cls(name=name, ok=True, detail=detail, warn=True)

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/cli/doctor.py RENAMED Viewed

@@ -49,14 +49,23 @@ def doctor(config_path_in: Path | None, check_dns: bool, test_recipient: str | N
         _run(toml_path=toml_path, check_dns=check_dns, test_recipient=test_recipient)
     )
     failed = sum(1 for r in results if not r.ok)
+    warned = sum(1 for r in results if r.warn)
     for r in results:
-        symbol = click.style("✔", fg="green") if r.ok else click.style("✘", fg="red")
+        if r.warn:
+            symbol = click.style("⚠", fg="yellow")
+        elif r.ok:
+            symbol = click.style("✔", fg="green")
+        else:
+            symbol = click.style("✘", fg="red")
         click.echo(f"{symbol} {r.name}: {r.detail}")
+    if warned:
+        click.echo(click.style(f"\n{warned} advisory warning(s).", fg="yellow"), err=True)
     if failed:
-        click.echo(click.style(f"\n{failed} check(s) failed.", fg="red"), err=True)
+        click.echo(click.style(f"{failed} check(s) failed.", fg="red"), err=True)
     # Clamp to 0/1 so a shell `regstack doctor && deploy` is predictable;
-    # the failure count appears on the stderr line above for operators
-    # who want it. (Review #4.)
+    # advisory warnings (e.g. an out-of-date DB server) do NOT fail the
+    # command — they're surfaced but exit 0. The failure count appears on
+    # the stderr line above for operators who want it. (Review #4.)
     sys.exit(1 if failed else 0)
@@ -79,6 +88,9 @@ async def _run(
     out.append(await _check_backend(config))
     out.append(await _check_schema(config))
+    mongo_version = await _check_mongo_server_version(config)
+    if mongo_version is not None:
+        out.append(mongo_version)
     out.append(_check_email_factory(config))
     if check_dns:
@@ -156,6 +168,109 @@ async def _check_schema(config: RegStackConfig) -> CheckResult:
         await backend.aclose()
+# CVE-2025-14847 ("MongoBleed", CVSS 8.7): an unauthenticated network
+# attacker can leak server memory via crafted zlib-compressed messages.
+# The pymongo driver is not the vulnerable component — the server binary
+# is. Patched server releases by LTS track. Keyed (major, minor) →
+# minimum safe (major, minor, patch). See docs/security-reports/2026-05-20.md.
+_MONGO_PATCHED_BASELINE: dict[tuple[int, int], tuple[int, int, int]] = {
+    (8, 2): (8, 2, 3),
+    (8, 0): (8, 0, 17),
+    (7, 0): (7, 0, 28),
+    (6, 0): (6, 0, 27),
+    (5, 0): (5, 0, 32),
+    (4, 4): (4, 4, 30),
+}
+# The newest LTS track we have a baseline for. A server on a track newer
+# than this (e.g. 8.3+, 9.x) post-dates the advisory and is treated as safe.
+_MONGO_NEWEST_KNOWN_TRACK = max(_MONGO_PATCHED_BASELINE)
+# The oldest LTS track the advisory lists. Anything below it (3.6, 4.0,
+# 4.2, …) is EOL and below every patched release — warn.
+_MONGO_OLDEST_KNOWN_TRACK = min(_MONGO_PATCHED_BASELINE)
+def _parse_mongo_version(version: str) -> tuple[int, int, int] | None:
+    """Parse a MongoDB version string like ``"7.0.5"`` into ``(7, 0, 5)``.
+    Tolerates a release-candidate / pre-release suffix (``"8.0.0-rc1"``)
+    by splitting on the first ``-``. Returns ``None`` if the leading
+    three dotted components aren't all integers.
+    """
+    core = version.split("-", 1)[0]
+    parts = core.split(".")
+    if len(parts) < 3:
+        return None
+    try:
+        return (int(parts[0]), int(parts[1]), int(parts[2]))
+    except ValueError:
+        return None
+def _assess_mongo_server_version(version: str) -> tuple[bool, str]:
+    """Decide whether ``version`` is safe against CVE-2025-14847.
+    Returns ``(ok, detail)``. ``ok`` is False only when the server is on
+    a known-affected LTS track *below* its patched baseline — that's the
+    case worth a WARNING. Newer-than-advisory and patched servers return
+    True; an unrecognised/older track returns True with a "verify
+    manually" note rather than crying wolf on every odd build string.
+    """
+    parsed = _parse_mongo_version(version)
+    if parsed is None:
+        return True, f"server {version} (could not parse version; verify against CVE-2025-14847)"
+    track = (parsed[0], parsed[1])
+    baseline = _MONGO_PATCHED_BASELINE.get(track)
+    if baseline is not None:
+        if parsed < baseline:
+            patched = ".".join(str(n) for n in baseline)
+            return False, (
+                f"server {version} is vulnerable to CVE-2025-14847 (MongoBleed); "
+                f"upgrade to ≥ {patched}, or disable zlib compression in mongod.conf"
+            )
+        return True, f"server {version} (≥ {'.'.join(str(n) for n in baseline)}, patched)"
+    if track > _MONGO_NEWEST_KNOWN_TRACK:
+        return True, f"server {version} (newer than CVE-2025-14847 advisory tracks)"
+    if track < _MONGO_OLDEST_KNOWN_TRACK:
+        return False, (
+            f"server {version} is end-of-life and below every CVE-2025-14847 "
+            "patched release; upgrade to a supported, patched MongoDB version"
+        )
+    return True, (
+        f"server {version} on an unrecognised release track; verify against CVE-2025-14847 manually"
+    )
+async def _check_mongo_server_version(config: RegStackConfig) -> CheckResult | None:
+    """Advisory check: warn if the MongoDB *server* is below the
+    CVE-2025-14847 patched baseline. Returns None for non-Mongo backends
+    (the check doesn't apply).
+    """
+    from regstack.backends.base import BackendKind
+    backend = build_backend(config)
+    try:
+        if backend.kind is not BackendKind.MONGO:
+            return None
+        from regstack.backends.mongo import MongoBackend
+        assert isinstance(backend, MongoBackend)
+        info = await backend.database.command("buildInfo")
+        version = str(info.get("version", ""))
+        if not version:
+            return CheckResult.warned(
+                "mongo server", "buildInfo returned no version; verify against CVE-2025-14847"
+            )
+        ok, detail = _assess_mongo_server_version(version)
+        if ok:
+            return CheckResult.passed("mongo server", detail)
+        return CheckResult.warned("mongo server", detail)
+    except Exception as exc:
+        return CheckResult.warned("mongo server", f"version check failed: {exc}")
+    finally:
+        await backend.aclose()
 def _check_email_factory(config: RegStackConfig) -> CheckResult:
     try:
         service = build_email_service(config.email)

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/config/schema.py RENAMED Viewed

@@ -98,11 +98,15 @@ class SmsConfig(BaseModel):
     twilio_account_sid: str | None = None
     twilio_auth_token: SecretStr | None = None
-    log_bodies: bool = True
-    """When True (default), the ``null`` backend logs the SMS body
-    (including the 6-digit code) at INFO. Set to False to silence
-    code logging in shared environments. Other backends ignore this
-    flag — they never log message bodies."""
+    log_bodies: bool = False
+    """When True, the ``null`` backend logs the SMS body (including the
+    6-digit MFA code) at INFO. Defaults to False so a misconfigured
+    deployment can't leak codes into shared logs — symmetric with
+    ``email.log_bodies``. Set it True for local dev when you want to
+    read the code out of stdout (the bundled examples instead surface
+    it via an ``mfa_login_started`` hook, so they don't need this).
+    Other backends ignore this flag — they never log message bodies.
+    (Security review 2026-05-19.)"""
 class OAuthConfig(BaseModel):

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/models/oauth_state.py RENAMED Viewed

@@ -77,6 +77,13 @@ class OAuthState(BaseModel):
     ``id`` for this value via ``POST /oauth/exchange``; the row is
     deleted on exchange."""
+    result_was_new: bool = False
+    """Whether the callback created a brand-new account (vs. signing in
+    an existing one). Set alongside ``result_token`` so the
+    ``POST /oauth/exchange`` response can surface ``was_new_account``
+    accurately — the callback computes this but had no field to persist
+    it on before (Security review 2026-05-22 · I-1)."""
     def to_mongo(self) -> dict[str, Any]:
         data = self.model_dump(by_alias=True, exclude_none=True)
         return data

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/oauth/providers/google.py RENAMED Viewed

@@ -16,6 +16,8 @@ installed and turns ``enable_oauth`` on.
 from __future__ import annotations
+import asyncio
+import logging
 from typing import TYPE_CHECKING, Any
 from urllib.parse import urlencode
@@ -29,6 +31,8 @@ from regstack.oauth.errors import OAuthIdTokenError, OAuthTokenExchangeError
 if TYPE_CHECKING:
     from collections.abc import Iterable
+log = logging.getLogger("regstack.oauth.google")
 GOOGLE_ISSUER = "https://accounts.google.com"
 GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
 GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
@@ -36,6 +40,13 @@ GOOGLE_JWKS_URL = "https://www.googleapis.com/oauth2/v3/certs"
 DEFAULT_SCOPES: tuple[str, ...] = ("openid", "email", "profile")
+# Bound the synchronous JWKS fetch so a slow or unreachable Google JWKS
+# endpoint can't pin a worker thread indefinitely. The fetch is offloaded
+# to `asyncio.to_thread`, but `urllib` defaults to no timeout — under a
+# sustained JWKS outage that would let cache-miss requests exhaust the
+# bounded asyncio thread pool. (Security review 2026-05-22 · W-1.)
+JWKS_FETCH_TIMEOUT_SECONDS = 5
 class GoogleProvider(OAuthProvider):
     """OIDC provider for Google.
@@ -79,7 +90,9 @@ class GoogleProvider(OAuthProvider):
         self._owns_http = http is None
         self._issuer = issuer
         self._scopes = tuple(scopes)
-        self._jwks_client = PyJWKClient(jwks_url, cache_keys=True)
+        self._jwks_client = PyJWKClient(
+            jwks_url, cache_keys=True, timeout=JWKS_FETCH_TIMEOUT_SECONDS
+        )
     @property
     def name(self) -> str:
@@ -140,8 +153,18 @@ class GoogleProvider(OAuthProvider):
             if self._owns_http and client is not self._http:
                 await client.aclose()
         if response.status_code != 200:
+            # Keep the provider's response body at DEBUG only. It doesn't
+            # carry our client secret or the auth code, but Google's error
+            # bodies are verbose and there's no reason to put them in
+            # production WARNING logs — the status code is the actionable
+            # signal. (Security review 2026-05-22 · I-3.)
+            log.debug(
+                "google token exchange response body (HTTP %s): %s",
+                response.status_code,
+                response.text,
+            )
             raise OAuthTokenExchangeError(
-                f"google token exchange failed: {response.status_code} {response.text}"
+                f"google token exchange failed: HTTP {response.status_code}"
             )
         body: dict[str, Any] = response.json()
         try:
@@ -162,7 +185,14 @@ class GoogleProvider(OAuthProvider):
         expected_nonce: str,
     ) -> OAuthUserInfo:
         try:
-            signing_key = self._jwks_client.get_signing_key_from_jwt(id_token).key
+            # PyJWKClient's fetch is synchronous urllib; on a cache miss it
+            # would block the event loop for the round-trip to Google's JWKS
+            # endpoint. Push it to a worker thread so concurrent requests
+            # aren't stalled. (Security review 2026-05-20 · I-2.)
+            signing_key_obj = await asyncio.to_thread(
+                self._jwks_client.get_signing_key_from_jwt, id_token
+            )
+            signing_key = signing_key_obj.key
         except Exception as exc:  # PyJWKClient raises a grab-bag — collapse to ours
             raise OAuthIdTokenError(f"jwks lookup failed: {exc}") from exc
         try:

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/routers/oauth.py RENAMED Viewed

@@ -168,7 +168,7 @@ def build_oauth_router(rs: RegStack) -> APIRouter:
         if _is_mfa_pending_token(state.result_token):
             return ExchangeResponse(
                 redirect_to=state.redirect_to,
-                was_new_account=False,
+                was_new_account=state.result_was_new,
                 expires_in=rs.config.mfa_pending_token_ttl_seconds,
                 mfa_required=True,
                 mfa_pending_token=state.result_token,
@@ -176,7 +176,7 @@ def build_oauth_router(rs: RegStack) -> APIRouter:
         return ExchangeResponse(
             access_token=state.result_token,
             redirect_to=state.redirect_to,
-            was_new_account=False,
+            was_new_account=state.result_was_new,
             expires_in=rs.config.jwt_ttl_seconds,
         )
@@ -361,6 +361,7 @@ def build_oauth_router(rs: RegStack) -> APIRouter:
                 pending_token,
                 new_expires_at=rs.clock.now()
                 + timedelta(seconds=rs.config.mfa_pending_token_ttl_seconds),
+                was_new=was_new,
             )
         else:
             # Mint the session JWT, stash it on the state row for the
@@ -376,6 +377,7 @@ def build_oauth_router(rs: RegStack) -> APIRouter:
                 token,
                 new_expires_at=rs.clock.now()
                 + timedelta(seconds=rs.config.oauth.completion_ttl_seconds),
+                was_new=was_new,
             )
         await rs.hooks.fire(

{regstack-0.8.1 → regstack-0.8.3}/src/regstack/sms/null.py RENAMED Viewed

@@ -10,14 +10,15 @@ log = logging.getLogger("regstack.sms.null")
 class NullSmsService(SmsService):
     """Default backend. Records messages in ``self.outbox`` so tests and dev
     runs can inspect them without contacting a real SMS gateway. Logs each
-    send at INFO so the demo can grep the code out of stdout.
+    send at INFO.
-    ``log_bodies`` (default True) controls whether the message body
-    (containing the 6-digit code) is included in the log line. Operators
-    in shared environments who want call-only audit lines can flip it off.
+    ``log_bodies`` (default False) controls whether the message body
+    (containing the 6-digit code) is included in the log line. It defaults
+    off so a misconfigured deployment can't leak codes into shared logs;
+    flip it on for local dev when you want to read the code out of stdout.
     """
-    def __init__(self, *, log_bodies: bool = True) -> None:
+    def __init__(self, *, log_bodies: bool = False) -> None:
         self.outbox: list[SmsMessage] = []
         self._log_bodies = log_bodies