simple-auth-server 0.1.0__tar.gz

simple_auth_server-0.1.0/PKG-INFO

@@ -0,0 +1,7 @@
+Metadata-Version: 2.4
+Name: simple-auth-server
+Version: 0.1.0
+Summary: Server-side auth primitives (OTP, sessions, Google OAuth) with Redis
+Requires-Python: >=3.11
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: redis>=5.0.0

simple_auth_server-0.1.0/pyproject.toml

@@ -0,0 +1,16 @@
+[project]
+name = "simple-auth-server"
+version = "0.1.0"
+description = "Server-side auth primitives (OTP, sessions, Google OAuth) with Redis"
+requires-python = ">=3.11"
+dependencies = [
+  "httpx>=0.27.0",
+  "redis>=5.0.0",
+]
+
+[build-system]
+requires = ["setuptools>=69.0.0"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+where = ["src"]

simple_auth_server-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

simple_auth_server-0.1.0/src/simple_auth_server/__init__.py

@@ -0,0 +1,20 @@
+from .config import SimpleAuthServerConfig, SimpleAuthProvidersConfig, OtpConfig, RedisConfig
+from .otp import OtpError, OtpService
+from .redis_client import create_redis_client, with_key_prefix
+from .session import AuthSessionService
+from .oauth_google import GoogleOAuthService, GoogleOAuthConfig
+
+__all__ = [
+    "SimpleAuthServerConfig",
+    "SimpleAuthProvidersConfig",
+    "OtpConfig",
+    "RedisConfig",
+    "OtpError",
+    "OtpService",
+    "create_redis_client",
+    "with_key_prefix",
+    "AuthSessionService",
+    "GoogleOAuthService",
+    "GoogleOAuthConfig",
+]
+

simple_auth_server-0.1.0/src/simple_auth_server/config.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Literal, Optional
+
+
+Env = Literal["production", "development", "test"]
+
+
+@dataclass(frozen=True)
+class RedisConfig:
+    url: Optional[str] = None
+    key_prefix: Optional[str] = None
+
+
+@dataclass(frozen=True)
+class OtpRateLimitConfig:
+    window_seconds: int = 60
+    max_requests: int = 3
+
+
+@dataclass(frozen=True)
+class OtpConfig:
+    code_length: int = 6
+    ttl_seconds: int = 300
+    max_attempts: int = 5
+    rate_limit: OtpRateLimitConfig = OtpRateLimitConfig()
+    bypass_code: Optional[str] = None
+
+
+@dataclass(frozen=True)
+class SimpleAuthProvidersConfig:
+    email_otp_enabled: bool = True
+    phone_otp_enabled: bool = True
+    google_enabled: bool = False
+
+
+@dataclass(frozen=True)
+class SimpleAuthServerConfig:
+    env: Env
+    redis: RedisConfig = RedisConfig()
+    otp: OtpConfig = OtpConfig()
+    providers: SimpleAuthProvidersConfig = SimpleAuthProvidersConfig()

simple_auth_server-0.1.0/src/simple_auth_server/oauth_google.py

@@ -0,0 +1,72 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any, Optional
+
+import httpx
+
+
+@dataclass(frozen=True)
+class GoogleOAuthConfig:
+    client_id: str
+    client_secret: str
+    redirect_uri: Optional[str] = None
+
+
+@dataclass(frozen=True)
+class GoogleOAuthUserInfo:
+    sub: str
+    email: str
+    email_verified: bool
+    first_name: Optional[str]
+    last_name: Optional[str]
+    raw: dict[str, Any]
+
+
+class GoogleOAuthService:
+    def __init__(self, config: GoogleOAuthConfig, http_client: Optional[httpx.AsyncClient] = None) -> None:
+        self._config = config
+        self._http = http_client or httpx.AsyncClient(timeout=10.0)
+
+    async def exchange_auth_code(self, auth_code: str) -> dict[str, Any]:
+        token_payload = {
+            "code": auth_code,
+            "client_id": self._config.client_id,
+            "client_secret": self._config.client_secret,
+            "grant_type": "authorization_code",
+        }
+        if self._config.redirect_uri:
+            token_payload["redirect_uri"] = self._config.redirect_uri
+
+        token_resp = await self._http.post("https://oauth2.googleapis.com/token", data=token_payload)
+        token_resp.raise_for_status()
+        tokens = token_resp.json()
+
+        access_token = tokens.get("access_token")
+        if not access_token:
+            raise ValueError("Missing access_token")
+
+        userinfo_resp = await self._http.get(
+            "https://www.googleapis.com/oauth2/v3/userinfo",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        userinfo_resp.raise_for_status()
+        user = userinfo_resp.json()
+
+        return {
+            "user": {
+                "sub": user.get("sub"),
+                "email": user.get("email"),
+                "emailVerified": bool(user.get("email_verified", False)),
+                "firstName": user.get("given_name"),
+                "lastName": user.get("family_name"),
+                "raw": user,
+            },
+            "refreshToken": tokens.get("refresh_token"),
+            "accessToken": access_token,
+            "idToken": tokens.get("id_token"),
+            "expiresIn": tokens.get("expires_in"),
+            "tokenType": tokens.get("token_type"),
+            "scope": tokens.get("scope"),
+        }
+

simple_auth_server-0.1.0/src/simple_auth_server/otp.py

@@ -0,0 +1,171 @@
+from __future__ import annotations
+
+import json
+import hmac
+import re
+import secrets
+import time
+from typing import Literal, Optional, TypedDict
+
+from .config import Env, OtpConfig
+from .redis_client import RedisLike
+
+
+OtpType = Literal["email", "phone"]
+
+
+class OtpError(TypedDict):
+    code: Literal["RATE_LIMITED", "INVALID_CODE", "EXPIRED", "MAX_ATTEMPTS", "NOT_FOUND"]
+    message: str
+    retry_after_seconds: Optional[int]
+    attempts_remaining: Optional[int]
+
+
+class _StoredOtp(TypedDict):
+    code: str
+    attempts: int
+    createdAt: int
+
+
+_EMAIL_PREFIX = "otp:email:"
+_PHONE_PREFIX = "otp:phone:"
+_RATE_PREFIX = "rate:otp:"
+
+
+def _normalize_email(email: str) -> str:
+    return email.strip().lower()
+
+
+def _normalize_phone(phone: str) -> str:
+    # Keep + and digits only
+    return re.sub(r"[^\d+]", "", phone)
+
+
+def _generate_random_code(length: int) -> str:
+    # Leading zeros allowed
+    length = max(1, int(length))
+    max_value = 10**length
+    return str(secrets.randbelow(max_value)).zfill(length)
+
+
+def _bypass_enabled(env: Env, bypass_code: Optional[str]) -> bool:
+    return env != "production" and bool(bypass_code)
+
+
+async def _check_rate_limit(
+    redis: RedisLike, key: str, window_seconds: int, max_requests: int
+) -> tuple[bool, Optional[int]]:
+    count = await redis.incr(key)
+    if count == 1:
+        await redis.expire(key, window_seconds)
+
+    if count > max_requests:
+        ttl = await redis.ttl(key)
+        return False, max(ttl, 1)
+
+    return True, None
+
+
+class OtpService:
+    def __init__(self, redis: RedisLike, env: Env, config: OtpConfig = OtpConfig()) -> None:
+        self._redis = redis
+        self._env = env
+        self._config = config
+
+    async def generate_email_otp(self, email: str) -> tuple[bool, str | OtpError]:
+        return await self._generate("email", _normalize_email(email))
+
+    async def verify_email_otp(self, email: str, code: str) -> tuple[bool, None | OtpError]:
+        return await self._verify("email", _normalize_email(email), code)
+
+    async def generate_phone_otp(self, phone: str) -> tuple[bool, str | OtpError]:
+        return await self._generate("phone", _normalize_phone(phone))
+
+    async def verify_phone_otp(self, phone: str, code: str) -> tuple[bool, None | OtpError]:
+        return await self._verify("phone", _normalize_phone(phone), code)
+
+    async def _generate(self, otp_type: OtpType, identifier: str) -> tuple[bool, str | OtpError]:
+        allowed, retry_after = await _check_rate_limit(
+            self._redis,
+            f"{_RATE_PREFIX}{otp_type}:{identifier}",
+            self._config.rate_limit.window_seconds,
+            self._config.rate_limit.max_requests,
+        )
+
+        if not allowed:
+            return False, {
+                "code": "RATE_LIMITED",
+                "message": "Too many OTP requests. Please wait before trying again.",
+                "retry_after_seconds": retry_after,
+                "attempts_remaining": None,
+            }
+
+        code = (
+            self._config.bypass_code
+            if _bypass_enabled(self._env, self._config.bypass_code)
+            else _generate_random_code(self._config.code_length)
+        )
+
+        stored: _StoredOtp = {"code": code, "attempts": 0, "createdAt": int(time.time() * 1000)}
+        key = f"{_EMAIL_PREFIX if otp_type == 'email' else _PHONE_PREFIX}{identifier}"
+        await self._redis.setex(key, self._config.ttl_seconds, json.dumps(stored))
+        return True, code
+
+    async def _verify(self, otp_type: OtpType, identifier: str, code: str) -> tuple[bool, None | OtpError]:
+        key = f"{_EMAIL_PREFIX if otp_type == 'email' else _PHONE_PREFIX}{identifier}"
+        raw = await self._redis.get(key)
+        if raw is None:
+            return False, {
+                "code": "NOT_FOUND",
+                "message": "No OTP found. Please request a new code.",
+                "retry_after_seconds": None,
+                "attempts_remaining": None,
+            }
+
+        try:
+            parsed: _StoredOtp = json.loads(raw)
+        except Exception:
+            await self._redis.delete(key)
+            return False, {
+                "code": "NOT_FOUND",
+                "message": "No OTP found. Please request a new code.",
+                "retry_after_seconds": None,
+                "attempts_remaining": None,
+            }
+
+        attempts = int(parsed.get("attempts", 0))
+        if attempts >= self._config.max_attempts:
+            await self._redis.delete(key)
+            return False, {
+                "code": "MAX_ATTEMPTS",
+                "message": "Maximum verification attempts exceeded. Please request a new code.",
+                "retry_after_seconds": None,
+                "attempts_remaining": None,
+            }
+
+        ttl = await self._redis.ttl(key)
+        if ttl <= 0:
+            await self._redis.delete(key)
+            return False, {
+                "code": "NOT_FOUND",
+                "message": "No OTP found. Please request a new code.",
+                "retry_after_seconds": None,
+                "attempts_remaining": None,
+            }
+
+        # Increment attempts on every verification attempt.
+        updated = {**parsed, "attempts": attempts + 1}
+        await self._redis.setex(key, ttl, json.dumps(updated))
+
+        stored_code = parsed.get("code", "")
+        if not isinstance(stored_code, str) or not hmac.compare_digest(stored_code, code):
+            remaining = self._config.max_attempts - updated["attempts"]
+            return False, {
+                "code": "INVALID_CODE",
+                "message": "Invalid code. Please try again.",
+                "retry_after_seconds": None,
+                "attempts_remaining": remaining,
+            }
+
+        await self._redis.delete(key)
+        return True, None

simple_auth_server-0.1.0/src/simple_auth_server/redis_client.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Awaitable, Callable, Optional, Protocol
+
+import redis.asyncio as redis
+
+
+def get_default_redis_url() -> str:
+    return "redis://localhost:6379"
+
+
+class RedisLike(Protocol):
+    async def get(self, key: str) -> Optional[str]: ...
+    async def setex(self, key: str, time: int, value: str) -> object: ...
+    async def delete(self, key: str) -> int: ...
+    async def incr(self, key: str) -> int: ...
+    async def expire(self, key: str, time: int) -> bool: ...
+    async def ttl(self, key: str) -> int: ...
+
+
+def create_redis_client(url: Optional[str] = None) -> redis.Redis:
+    return redis.from_url(url or get_default_redis_url(), decode_responses=True)
+
+
+@dataclass(frozen=True)
+class _KeyPrefixRedis:
+    redis: RedisLike
+    prefix: str
+
+    def _k(self, key: str) -> str:
+        return f"{self.prefix}{key}"
+
+    async def get(self, key: str) -> Optional[str]:
+        return await self.redis.get(self._k(key))
+
+    async def setex(self, key: str, time: int, value: str) -> object:
+        return await self.redis.setex(self._k(key), time, value)
+
+    async def delete(self, key: str) -> int:
+        return await self.redis.delete(self._k(key))
+
+    async def incr(self, key: str) -> int:
+        return await self.redis.incr(self._k(key))
+
+    async def expire(self, key: str, time: int) -> bool:
+        return await self.redis.expire(self._k(key), time)
+
+    async def ttl(self, key: str) -> int:
+        return await self.redis.ttl(self._k(key))
+
+
+def with_key_prefix(redis_client: RedisLike, key_prefix: str) -> RedisLike:
+    prefix = key_prefix if key_prefix.endswith(":") else f"{key_prefix}:"
+    return _KeyPrefixRedis(redis=redis_client, prefix=prefix)

simple_auth_server-0.1.0/src/simple_auth_server/session.py

@@ -0,0 +1,89 @@
+from __future__ import annotations
+
+import json
+import re
+import time
+from typing import Optional, TypedDict
+
+from .redis_client import RedisLike
+
+
+_SESSION_PREFIX = "auth_session:"
+_DEFAULT_TTL_SECONDS = 24 * 60 * 60
+_SESSION_ID_RE = re.compile(r"^[0-9a-f]{64}$")
+
+
+class AuthSession(TypedDict):
+    email: str
+    emailVerified: bool
+    phoneNumber: Optional[str]
+    phoneVerified: bool
+    createdAt: int
+    expiresAt: int
+
+
+def _generate_session_id() -> str:
+    # 32 bytes hex
+    import secrets
+
+    return secrets.token_hex(32)
+
+def _normalize_session_id(session_id: str) -> str:
+    return session_id.strip().lower()
+
+def _is_valid_session_id(session_id: str) -> bool:
+    return bool(_SESSION_ID_RE.fullmatch(session_id))
+
+
+class AuthSessionService:
+    def __init__(
+        self,
+        redis: RedisLike,
+        session_ttl_seconds: int = _DEFAULT_TTL_SECONDS,
+        key_prefix: str = _SESSION_PREFIX,
+    ) -> None:
+        self._redis = redis
+        self._ttl_seconds = session_ttl_seconds
+        self._key_prefix = key_prefix
+
+    async def create_session(self, email: str) -> str:
+        session_id = _generate_session_id()
+        now_ms = int(time.time() * 1000)
+        session: AuthSession = {
+            "email": email.strip().lower(),
+            "emailVerified": False,
+            "phoneNumber": None,
+            "phoneVerified": False,
+            "createdAt": now_ms,
+            "expiresAt": now_ms + self._ttl_seconds * 1000,
+        }
+        await self._redis.setex(f"{self._key_prefix}{session_id}", self._ttl_seconds, json.dumps(session))
+        return session_id
+
+    async def get_session(self, session_id: str) -> Optional[AuthSession]:
+        normalized = _normalize_session_id(session_id)
+        if not _is_valid_session_id(normalized):
+            return None
+
+        key = f"{self._key_prefix}{normalized}"
+        raw = await self._redis.get(key)
+        if raw is None:
+            return None
+        try:
+            parsed: AuthSession = json.loads(raw)
+        except Exception:
+            await self._redis.delete(key)
+            return None
+
+        if int(time.time() * 1000) > int(parsed.get("expiresAt", 0)):
+            await self._redis.delete(key)
+            return None
+
+        return parsed
+
+    async def delete_session(self, session_id: str) -> None:
+        normalized = _normalize_session_id(session_id)
+        if not _is_valid_session_id(normalized):
+            return
+
+        await self._redis.delete(f"{self._key_prefix}{normalized}")

simple_auth_server-0.1.0/src/simple_auth_server.egg-info/PKG-INFO

@@ -0,0 +1,7 @@
+Metadata-Version: 2.4
+Name: simple-auth-server
+Version: 0.1.0
+Summary: Server-side auth primitives (OTP, sessions, Google OAuth) with Redis
+Requires-Python: >=3.11
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: redis>=5.0.0

simple_auth_server-0.1.0/src/simple_auth_server.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+pyproject.toml
+src/simple_auth_server/__init__.py
+src/simple_auth_server/config.py
+src/simple_auth_server/oauth_google.py
+src/simple_auth_server/otp.py
+src/simple_auth_server/redis_client.py
+src/simple_auth_server/session.py
+src/simple_auth_server.egg-info/PKG-INFO
+src/simple_auth_server.egg-info/SOURCES.txt
+src/simple_auth_server.egg-info/dependency_links.txt
+src/simple_auth_server.egg-info/requires.txt
+src/simple_auth_server.egg-info/top_level.txt

simple_auth_server-0.1.0/src/simple_auth_server.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

simple_auth_server-0.1.0/src/simple_auth_server.egg-info/requires.txt

@@ -0,0 +1,2 @@
+httpx>=0.27.0
+redis>=5.0.0

simple_auth_server-0.1.0/src/simple_auth_server.egg-info/top_level.txt

@@ -0,0 +1 @@
+simple_auth_server