simple-module-auth 0.0.17__tar.gz → 0.0.18__tar.gz

{simple_module_auth-0.0.17 → simple_module_auth-0.0.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_auth
-Version: 0.0.17
+Version: 0.0.18
 Summary: Session-cookie authentication primitives — middleware, login/logout, redirect helpers for simple_module
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -22,8 +22,8 @@ Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
 Classifier: Typing :: Typed
 Requires-Python: >=3.12
 Requires-Dist: itsdangerous>=2.2
-Requires-Dist: simple-module-core==0.0.17
-Requires-Dist: simple-module-db==0.0.17
+Requires-Dist: simple-module-core==0.0.18
+Requires-Dist: simple-module-db==0.0.18
 Description-Content-Type: text/markdown
 
 # simple_module_auth

{simple_module_auth-0.0.17 → simple_module_auth-0.0.18}/auth/middleware.py

@@ -47,7 +47,9 @@ class AuthMiddleware:
             return
 
         path: str = scope["path"]
-        auth_state = scope["app"].state.auth
+        method: str = scope.get("method", "GET")
+        app_state = scope["app"].state
+        auth_state = app_state.auth
         provider = auth_state.auth_provider
 
         if provider is None:
@@ -58,6 +60,14 @@ class AuthMiddleware:
             any(path.startswith(p) for p in _FRAMEWORK_PUBLIC_PREFIXES)
             or path in _FRAMEWORK_PUBLIC_EXACT
         )
+        # Module-contributed public routes (register_public_routes hook). Method
+        # -aware, so a GET read route can be exempted without opening sibling
+        # POST/PATCH mutations under the same prefix.
+        if not is_public:
+            public_routes = getattr(app_state, "public_routes", None)
+            is_public = public_routes is not None and public_routes.matches(method, path)
+        # Legacy provider-declared paths (prefix-only, method-agnostic). Kept for
+        # back-compat with AuthProvider implementations.
         if not is_public:
             prefix_paths, exact_paths = provider.get_public_paths()
             is_public = any(path.startswith(p) for p in prefix_paths) or path in exact_paths

{simple_module_auth-0.0.17 → simple_module_auth-0.0.18}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_auth"
-version = "0.0.17"
+version = "0.0.18"
 description = "Session-cookie authentication primitives — middleware, login/logout, redirect helpers for simple_module"
 readme = "README.md"
 license = "MIT"
@@ -22,8 +22,8 @@ classifiers = [
 ]
 dependencies = [
     "itsdangerous>=2.2",
-    "simple_module_core==0.0.17",
-    "simple_module_db==0.0.17",
+    "simple_module_core==0.0.18",
+    "simple_module_db==0.0.18",
 ]
 
 [project.entry-points.simple_module]

{simple_module_auth-0.0.17 → simple_module_auth-0.0.18}/tests/test_auth_middleware.py

@@ -44,15 +44,16 @@ class _StubProvider:
         return auth.startswith("Bearer ")
 
 
-def _build_app(provider, *, principal_resolvers=None):
+def _build_app(provider, *, principal_resolvers=None, public_routes=None):
     app = FastAPI()
     app.state.auth = AuthState(
         auth_provider=provider,
         principal_resolvers=list(principal_resolvers or []),
     )
+    if public_routes is not None:
+        app.state.public_routes = public_routes
 
-    @app.get("/{path:path}")
-    async def catch_all(request: Request, path: str = ""):
+    async def _handler(request: Request, path: str = ""):
         user = getattr(request.state, "user", None)
         return JSONResponse(
             {
@@ -60,6 +61,8 @@ def _build_app(provider, *, principal_resolvers=None):
             }
         )
 
+    app.add_api_route("/{path:path}", _handler, methods=["GET", "POST", "PATCH"])
+
     app.add_middleware(AuthMiddleware)
     app.add_middleware(SessionMiddleware, secret_key=SECRET)
     return app
@@ -129,6 +132,47 @@ async def test_root_is_public(unauthenticated_app):
     assert resp.status_code == 200
 
 
+async def test_registry_public_route_skips_auth():
+    """A module-contributed public route lets an unauthenticated GET through."""
+    from simple_module_core.public_routes import PublicRouteRegistry
+
+    registry = PublicRouteRegistry()
+    registry.add_prefix("/api/gis/stac")
+    app = _build_app(_StubProvider(user=None), public_routes=registry)
+
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://test") as c:
+        resp = await c.get("/api/gis/stac/collections")
+    assert resp.status_code == 200
+    assert resp.json()["user"] is None
+
+
+async def test_registry_method_scoping_gates_other_verbs():
+    """A GET-scoped public rule exempts GET but still gates PATCH on the same path."""
+    from simple_module_core.public_routes import PublicRouteRegistry
+
+    registry = PublicRouteRegistry()
+    registry.add_regex(r"/api/gis/datasets/[^/]+/tilejson$", methods={"GET"})
+    app = _build_app(_StubProvider(user=None), public_routes=registry)
+
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://test") as c:
+        ok = await c.get("/api/gis/datasets/42/tilejson")
+        gated = await c.patch("/api/gis/datasets/42/tilejson")
+    assert ok.status_code == 200
+    assert gated.status_code == 401
+
+
+async def test_no_registry_falls_back_to_provider_paths(unauthenticated_app):
+    """Apps built without a public-routes registry still honor provider paths."""
+    transport = httpx.ASGITransport(app=unauthenticated_app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://test") as c:
+        public = await c.get("/stub/public/data")
+        gated = await c.get("/api/protected")
+    assert public.status_code == 200
+    assert gated.status_code == 401
+
+
 async def test_resolver_chain_fallback():
     """When provider returns None, fall through to principal resolvers."""