simple-module-auth 0.0.1__tar.gz

simple_module_auth-0.0.1/.gitignore

@@ -0,0 +1,59 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.venv/
+*.egg
+
+# UV
+uv.lock
+
+# Node
+node_modules/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Environment
+.env
+
+# Database
+*.db
+*.sqlite3
+
+# Module-managed runtime state (e.g. uploaded dataset files,
+# default storage_dir for SM_DATASETS_STORAGE_DIR).
+var/
+
+# file_storage filesystem backend default root (override via SM_FILE_STORAGE_FS_ROOT_PATH).
+uploads/
+
+# Vite
+host/static/dist/
+
+# Auto-generated frontend module manifest (regenerated by the host at boot
+# or via `make gen-pages`).
+host/client_app/modules.manifest.json
+host/client_app/modules.generated.ts
+host/client_app/modules.generated.css
+
+# Worktrees
+.worktrees/
+
+# Performance profiles
+.memray/
+.benchmarks/
+
+# OS
+.DS_Store
+Thumbs.db
+
+.playwright-cli/*
+.playwright-mcp/*
+host/client_app/.playwright-cli/*
+.superpowers/

simple_module_auth-0.0.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Anto Subash
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

simple_module_auth-0.0.1/PKG-INFO

@@ -0,0 +1,71 @@
+Metadata-Version: 2.4
+Name: simple_module_auth
+Version: 0.0.1
+Summary: Session-cookie authentication primitives — middleware, login/logout, redirect helpers for simple_module
+Project-URL: Homepage, https://github.com/antosubash/simple_module_python
+Project-URL: Repository, https://github.com/antosubash/simple_module_python
+Project-URL: Issues, https://github.com/antosubash/simple_module_python/issues
+Project-URL: Changelog, https://github.com/antosubash/simple_module_python/blob/main/CHANGELOG.md
+Author-email: Anto Subash <antosubash@live.com>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: authentication,cookie,fastapi,session,simple-module
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
+Classifier: Typing :: Typed
+Requires-Python: >=3.12
+Requires-Dist: itsdangerous>=2.2
+Requires-Dist: simple-module-core==0.0.1
+Requires-Dist: simple-module-db==0.0.1
+Description-Content-Type: text/markdown
+
+# simple_module_auth
+
+Session-cookie authentication primitives for [simple_module](https://github.com/antosubash/simple_module_python) apps. Provides the `SessionMiddleware` wiring, login/logout helpers, and login-redirect handling used by the `simple_module_users` module.
+
+**Heads up:** for most apps you don't install this directly — `simple_module_users` pulls it in and builds the email+password auth flow on top of these primitives.
+
+## Install
+
+```bash
+pip install simple_module_auth
+```
+
+## What it provides
+
+- Starlette `SessionMiddleware` configuration reading `SM_SECRET_KEY` and `SM_SESSION_COOKIE_*` env vars.
+- `current_user_id` FastAPI dependency reading the signed session cookie.
+- Redirect-to-login helpers for unauthenticated requests on Inertia routes.
+- Login-required decorator / dependency for protecting routes without pulling in the heavier `simple_module_users` package.
+
+## Usage
+
+```python
+from fastapi import APIRouter, Depends
+from simple_module_auth import require_login
+
+router = APIRouter()
+
+
+@router.get("/me")
+async def me(user_id: int = Depends(require_login)):
+    return {"user_id": user_id}
+```
+
+Routes that need more than just "logged in" (e.g. role/permission checks) should use `simple_module_permissions` instead.
+
+## Depends on
+
+- `simple_module_core`, `simple_module_db`
+- `itsdangerous`
+
+## License
+
+MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

simple_module_auth-0.0.1/README.md

@@ -0,0 +1,43 @@
+# simple_module_auth
+
+Session-cookie authentication primitives for [simple_module](https://github.com/antosubash/simple_module_python) apps. Provides the `SessionMiddleware` wiring, login/logout helpers, and login-redirect handling used by the `simple_module_users` module.
+
+**Heads up:** for most apps you don't install this directly — `simple_module_users` pulls it in and builds the email+password auth flow on top of these primitives.
+
+## Install
+
+```bash
+pip install simple_module_auth
+```
+
+## What it provides
+
+- Starlette `SessionMiddleware` configuration reading `SM_SECRET_KEY` and `SM_SESSION_COOKIE_*` env vars.
+- `current_user_id` FastAPI dependency reading the signed session cookie.
+- Redirect-to-login helpers for unauthenticated requests on Inertia routes.
+- Login-required decorator / dependency for protecting routes without pulling in the heavier `simple_module_users` package.
+
+## Usage
+
+```python
+from fastapi import APIRouter, Depends
+from simple_module_auth import require_login
+
+router = APIRouter()
+
+
+@router.get("/me")
+async def me(user_id: int = Depends(require_login)):
+    return {"user_id": user_id}
+```
+
+Routes that need more than just "logged in" (e.g. role/permission checks) should use `simple_module_permissions` instead.
+
+## Depends on
+
+- `simple_module_core`, `simple_module_db`
+- `itsdangerous`
+
+## License
+
+MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

simple_module_auth-0.0.1/auth/__init__.py

@@ -0,0 +1 @@
+"""Auth module — shared contracts (UserContext, deps)."""

simple_module_auth-0.0.1/auth/contracts/__init__.py

@@ -0,0 +1,5 @@
+"""Auth contracts — public types for other modules."""
+
+from auth.contracts.schemas import UserContext
+
+__all__ = ["UserContext"]

simple_module_auth-0.0.1/auth/contracts/schemas.py

@@ -0,0 +1,75 @@
+"""Auth data types shared with other modules."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING, Any
+
+if TYPE_CHECKING:
+    # Runtime import would be circular: auth -> users -> auth.
+    # Only imported for type-hints, never at runtime.
+    from users.models import User
+
+
+@dataclass
+class UserContext:
+    """Authenticated user information for downstream handlers."""
+
+    id: str
+    email: str
+    name: str
+    roles: list[str] = field(default_factory=list)
+    tenant_id: str | None = None
+
+    @classmethod
+    def from_user(cls, user: User | Any) -> UserContext:
+        """Build a UserContext from a users.models.User with eagerly-loaded roles.
+
+        Duck-typed to avoid importing users.models at runtime — any object
+        exposing .id, .email, .full_name, .roles[*].name, .tenant_id works.
+        The caller is responsible for eager-loading roles (selectinload).
+        """
+        return cls(
+            id=str(user.id),
+            email=user.email,
+            name=user.full_name or user.email,
+            roles=[r.name for r in user.roles],
+            tenant_id=user.tenant_id,
+        )
+
+    def to_session_dict(self) -> dict[str, Any]:
+        """Serialize to a JSON-safe dict for the signed session cookie.
+
+        The inverse of :meth:`from_session_dict`. Adding a new field to
+        ``UserContext`` requires updating both methods here — not the
+        AuthMiddleware cache helper, which stays schema-agnostic."""
+        return {
+            "id": self.id,
+            "email": self.email,
+            "name": self.name,
+            "roles": list(self.roles),
+            "tenant_id": self.tenant_id,
+        }
+
+    @classmethod
+    def from_session_dict(cls, payload: Any) -> UserContext | None:
+        """Rebuild from :meth:`to_session_dict` output. Returns ``None`` on any
+        shape mismatch so callers can fall through to a fresh DB load."""
+        if not isinstance(payload, dict):
+            return None
+        try:
+            return cls(
+                id=str(payload["id"]),
+                email=str(payload["email"]),
+                name=str(payload["name"]),
+                roles=list(payload.get("roles") or []),
+                tenant_id=payload.get("tenant_id"),
+            )
+        except (KeyError, TypeError, ValueError):
+            return None
+
+    def has_role(self, role: str) -> bool:
+        return role in self.roles
+
+    def has_any_role(self, roles: list[str]) -> bool:
+        return bool(set(self.roles) & set(roles))

simple_module_auth-0.0.1/auth/deps.py

@@ -0,0 +1,60 @@
+"""FastAPI auth dependencies — get_current_user, require_permission."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, Request
+from simple_module_hosting.i18n_deps import TranslatorDep
+
+from auth.contracts.schemas import UserContext
+
+_ADMIN_ROLE = "admin"
+
+
+async def get_current_user(request: Request, t: TranslatorDep) -> UserContext:
+    """Extract the authenticated user from request state.
+
+    The auth middleware must set ``request.state.user`` before this runs.
+    """
+    user = getattr(request.state, "user", None)
+    if user is None:
+        raise HTTPException(status_code=401, detail=t.t("auth.errors.not_authenticated"))
+    return user
+
+
+CurrentUser = Annotated[UserContext, Depends(get_current_user)]
+
+
+def require_permission(*permissions: str):
+    """Create a dependency that checks if the user has required permissions.
+
+    Usage::
+
+        @router.post("/", dependencies=[Depends(require_permission("products.create"))])
+        async def create_product(...): ...
+    """
+
+    async def check(
+        request: Request,
+        t: TranslatorDep,
+        user: UserContext = Depends(get_current_user),
+    ):
+        # Admin role bypasses permission checks
+        if _ADMIN_ROLE in user.roles:
+            return
+
+        # Get permission registry from app state
+        perm_registry = request.app.state.sm.permissions
+        user_perms = perm_registry.get_permissions_for_roles(user.roles)
+
+        if not any(p in user_perms for p in permissions):
+            raise HTTPException(
+                status_code=403,
+                detail=t.t(
+                    "auth.errors.missing_permission",
+                    permissions=", ".join(permissions),
+                ),
+            )
+
+    return Depends(check)

simple_module_auth-0.0.1/auth/locales/en.json

@@ -0,0 +1,6 @@
+{
+  "errors": {
+    "not_authenticated": "Not authenticated",
+    "missing_permission": "Missing required permission: {permissions}"
+  }
+}

simple_module_auth-0.0.1/auth/locales/es.json

@@ -0,0 +1,6 @@
+{
+  "errors": {
+    "not_authenticated": "No autenticado",
+    "missing_permission": "Falta el permiso requerido: {permissions}"
+  }
+}

simple_module_auth-0.0.1/auth/module.py

@@ -0,0 +1,26 @@
+"""Auth module — shared contracts (UserContext, deps).
+
+Intentionally minimal: this module owns the PUBLIC interface (UserContext,
+get_current_user, CurrentUser, require_permission) that every other module
+imports. Keeping it stable prevents churn when auth internals change.
+
+All authentication logic (middleware, login, signup, OAuth) lives in the
+users module.
+"""
+
+from __future__ import annotations
+
+import importlib.resources
+from pathlib import Path
+
+from simple_module_core.module import ModuleBase, ModuleMeta
+
+
+class AuthModule(ModuleBase):
+    meta = ModuleMeta(
+        name="Auth",
+        route_prefix="/auth",
+    )
+
+    def locale_dirs(self) -> dict[str, Path]:
+        return {"auth": Path(str(importlib.resources.files(__package__) / "locales"))}

simple_module_auth-0.0.1/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@simple-module-py/auth",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Frontend assets for the Auth module",
+  "peerDependencies": {
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "@inertiajs/react": "^2.0.0",
+    "@simple-module-py/ui": "*"
+  },
+  "devDependencies": {
+    "@simple-module-py/tsconfig": "*"
+  },
+  "dependencies": {}
+}

simple_module_auth-0.0.1/pyproject.toml

@@ -0,0 +1,52 @@
+[project]
+name = "simple_module_auth"
+version = "0.0.1"
+description = "Session-cookie authentication primitives — middleware, login/logout, redirect helpers for simple_module"
+readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
+requires-python = ">=3.12"
+authors = [{ name = "Anto Subash", email = "antosubash@live.com" }]
+keywords = ["simple-module", "fastapi", "authentication", "session", "cookie"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Framework :: FastAPI",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Internet :: WWW/HTTP",
+    "Topic :: Software Development :: Libraries :: Application Frameworks",
+    "Typing :: Typed",
+]
+dependencies = [
+    "itsdangerous>=2.2",
+    "simple_module_core==0.0.1",
+    "simple_module_db==0.0.1",
+]
+
+[project.entry-points.simple_module]
+auth = "auth.module:AuthModule"
+
+[project.urls]
+Homepage = "https://github.com/antosubash/simple_module_python"
+Repository = "https://github.com/antosubash/simple_module_python"
+Issues = "https://github.com/antosubash/simple_module_python/issues"
+Changelog = "https://github.com/antosubash/simple_module_python/blob/main/CHANGELOG.md"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["auth"]
+
+# Ship the module-root package.json inside the wheel so the host can
+# discover JS deps via importlib.resources after a pip install.
+[tool.hatch.build.targets.wheel.force-include]
+"package.json" = "auth/package.json"
+
+[tool.uv.sources]
+simple_module_core = { workspace = true }
+simple_module_db = { workspace = true }

simple_module_auth-0.0.1/tests/test_deps.py

@@ -0,0 +1,100 @@
+"""Tests for auth FastAPI dependencies (get_current_user, require_permission)."""
+
+from __future__ import annotations
+
+import importlib.resources
+from pathlib import Path
+from types import SimpleNamespace
+from unittest.mock import MagicMock
+
+import pytest
+from auth.contracts.schemas import UserContext
+from auth.deps import get_current_user, require_permission
+from fastapi import HTTPException
+from simple_module_core.i18n import I18nRegistry, Translator
+
+
+def _translator() -> Translator:
+    """Build a Translator loaded with the auth module's ``en.json`` locale.
+
+    This exercises the real message templates so assertions on rendered
+    detail strings remain meaningful.
+    """
+    locales = Path(str(importlib.resources.files("auth") / "locales"))
+    registry = I18nRegistry(default_locale="en", supported_locales=["en"])
+    registry.add_source("auth", locales)
+    registry.load()
+    return Translator(registry, locale="en", default_locale="en")
+
+
+class TestGetCurrentUser:
+    async def test_raises_401_when_no_user(self):
+        """get_current_user raises 401 when request.state has no user."""
+        request = MagicMock()
+        del request.state.user
+
+        with pytest.raises(HTTPException) as exc_info:
+            await get_current_user(request, _translator())
+        assert exc_info.value.status_code == 401
+
+    async def test_returns_user_when_present(self):
+        """get_current_user returns the user from request.state."""
+        user = UserContext(id="u1", email="u@test.com", name="User", roles=["user"])
+        request = MagicMock()
+        request.state.user = user
+
+        result = await get_current_user(request, _translator())
+        assert result.id == "u1"
+
+
+class TestRequirePermission:
+    async def test_raises_403_when_missing_permission(self, app):
+        """The require_permission check raises 403 when user lacks permissions."""
+        dep = require_permission("products.delete")
+        check_fn = dep.dependency
+
+        request = MagicMock()
+        request.app.state.sm = SimpleNamespace(permissions=app.state.sm.permissions)
+
+        user = UserContext(id="u1", email="u@test.com", name="User", roles=["viewer"])
+
+        with pytest.raises(HTTPException) as exc_info:
+            await check_fn(request, _translator(), user)
+        assert exc_info.value.status_code == 403
+
+    async def test_admin_bypasses_permission_check(self, app):
+        """The require_permission check allows admin users through."""
+        dep = require_permission("products.delete")
+        check_fn = dep.dependency
+
+        request = MagicMock()
+        request.app.state.sm = SimpleNamespace(permissions=app.state.sm.permissions)
+
+        admin_user = UserContext(id="a1", email="admin@test.com", name="Admin", roles=["admin"])
+        await check_fn(request, _translator(), admin_user)
+
+
+class TestRequirePermissionAdvanced:
+    async def test_multiple_permissions_any_match(self, app):
+        """User with any of the required permissions should pass."""
+        dep = require_permission("products.view", "products.edit")
+        check_fn = dep.dependency
+
+        request = MagicMock()
+        request.app.state.sm = SimpleNamespace(permissions=app.state.sm.permissions)
+
+        admin = UserContext(id="a1", email="a@t.com", name="Admin", roles=["admin"])
+        await check_fn(request, _translator(), admin)
+
+    async def test_non_admin_without_permission_fails(self, app):
+        dep = require_permission("products.delete")
+        check_fn = dep.dependency
+
+        request = MagicMock()
+        request.app.state.sm = SimpleNamespace(permissions=app.state.sm.permissions)
+
+        user = UserContext(id="u1", email="u@t.com", name="User", roles=["user"])
+        with pytest.raises(HTTPException) as exc_info:
+            await check_fn(request, _translator(), user)
+        assert exc_info.value.status_code == 403
+        assert "products.delete" in str(exc_info.value.detail)

simple_module_auth-0.0.1/tests/test_module.py

@@ -0,0 +1,31 @@
+"""Tests for AuthModule: meta-only after Keycloak removal."""
+
+from __future__ import annotations
+
+from auth.module import AuthModule
+from simple_module_core.menu import MenuRegistry
+
+
+class TestAuthModuleRegistration:
+    async def test_auth_module_has_correct_meta(self):
+        mod = AuthModule()
+        assert mod.meta.name == "Auth"
+        assert mod.meta.route_prefix == "/auth"
+
+    async def test_auth_module_registers_no_menu_items(self):
+        """AuthModule is now meta-only — it registers no menu items."""
+        mod = AuthModule()
+        reg = MenuRegistry()
+        mod.register_menu_items(reg)
+        assert len(reg.all_items) == 0
+
+    async def test_auth_module_has_no_routes(self):
+        """AuthModule no longer registers any routes — it's contracts-only."""
+        from fastapi import APIRouter
+
+        mod = AuthModule()
+        api_router = APIRouter()
+        view_router = APIRouter()
+        mod.register_routes(api_router, view_router)
+        assert len(api_router.routes) == 0
+        assert len(view_router.routes) == 0

simple_module_auth-0.0.1/tests/test_user_context.py

@@ -0,0 +1,95 @@
+"""Tests for the UserContext value object (construction, roles, tenant)."""
+
+from __future__ import annotations
+
+from auth.contracts.schemas import UserContext
+
+
+class TestUserContextFromUser:
+    async def test_from_user_basic(self):
+        """from_user correctly maps id, email, name, roles, and tenant_id."""
+        import uuid
+        from types import SimpleNamespace
+
+        role_a = SimpleNamespace(name="admin")
+        role_b = SimpleNamespace(name="editor")
+        fake_user = SimpleNamespace(
+            id=uuid.UUID("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
+            email="charlie@example.com",
+            full_name="Charlie Brown",
+            roles=[role_a, role_b],
+            tenant_id="tenant-42",
+        )
+        ctx = UserContext.from_user(fake_user)
+        assert ctx.id == "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
+        assert ctx.email == "charlie@example.com"
+        assert ctx.name == "Charlie Brown"
+        assert ctx.roles == ["admin", "editor"]
+        assert ctx.tenant_id == "tenant-42"
+
+    async def test_from_user_name_fallback_to_email(self):
+        """When full_name is None, ctx.name falls back to the user's email."""
+        import uuid
+        from types import SimpleNamespace
+
+        fake_user = SimpleNamespace(
+            id=uuid.uuid4(),
+            email="dana@example.com",
+            full_name=None,
+            roles=[],
+            tenant_id=None,
+        )
+        ctx = UserContext.from_user(fake_user)
+        assert ctx.name == "dana@example.com"
+        assert ctx.tenant_id is None
+
+    async def test_from_user_no_roles(self):
+        """from_user with empty roles produces an empty list."""
+        import uuid
+        from types import SimpleNamespace
+
+        fake_user = SimpleNamespace(
+            id=uuid.uuid4(),
+            email="eve@example.com",
+            full_name="Eve",
+            roles=[],
+            tenant_id=None,
+        )
+        ctx = UserContext.from_user(fake_user)
+        assert ctx.roles == []
+
+
+class TestUserContextRoles:
+    async def test_has_role(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A", roles=["admin", "user"])
+        assert ctx.has_role("admin") is True
+        assert ctx.has_role("superadmin") is False
+
+    async def test_has_any_role(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A", roles=["editor"])
+        assert ctx.has_any_role(["admin", "editor"]) is True
+        assert ctx.has_any_role(["admin", "superadmin"]) is False
+
+    async def test_has_any_role_empty_user_roles(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A", roles=[])
+        assert ctx.has_any_role(["admin"]) is False
+
+    async def test_has_any_role_empty_check_list(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A", roles=["admin"])
+        assert ctx.has_any_role([]) is False
+
+    async def test_has_role_case_sensitive(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A", roles=["Admin"])
+        assert ctx.has_role("admin") is False
+        assert ctx.has_role("Admin") is True
+
+
+class TestUserContextDefaults:
+    async def test_tenant_id_default_is_none(self):
+        """Direct construction without tenant_id should default to None."""
+        ctx = UserContext(id="1", email="a@b.com", name="A")
+        assert ctx.tenant_id is None
+
+    async def test_roles_default_is_empty_list(self):
+        ctx = UserContext(id="1", email="a@b.com", name="A")
+        assert ctx.roles == []