simple-module-users 0.0.15__tar.gz → 0.0.17__tar.gz

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.15
+Version: 0.0.17
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.15
-Requires-Dist: simple-module-core==0.0.15
-Requires-Dist: simple-module-db==0.0.15
-Requires-Dist: simple-module-hosting==0.0.15
-Requires-Dist: simple-module-settings==0.0.15
+Requires-Dist: simple-module-auth==0.0.17
+Requires-Dist: simple-module-core==0.0.17
+Requires-Dist: simple-module-db==0.0.17
+Requires-Dist: simple-module-hosting==0.0.17
+Requires-Dist: simple-module-settings==0.0.17
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.15"
+version = "0.0.17"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.15",
-    "simple_module_db==0.0.15",
-    "simple_module_hosting==0.0.15",
-    "simple_module_settings==0.0.15",
-    "simple_module_auth==0.0.15",
+    "simple_module_core==0.0.17",
+    "simple_module_db==0.0.17",
+    "simple_module_hosting==0.0.17",
+    "simple_module_settings==0.0.17",
+    "simple_module_auth==0.0.17",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/tests/_middleware_support.py

@@ -9,35 +9,34 @@ parameters.
 
 from __future__ import annotations
 
-import json
 import uuid
-from base64 import b64encode
 from types import SimpleNamespace
 from typing import Any
 
 import pytest
+from auth.middleware import AuthMiddleware
 from fastapi import FastAPI, Request
-from itsdangerous import TimestampSigner
+from simple_module_test import forge_session_cookie
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.responses import JSONResponse
 from users.constants import ADMIN_ROLE_ID, USER_ROLE_ID
-from users.middleware import AuthMiddleware
 
 SECRET_KEY = "test-secret-key-for-session-middleware"
 
 
-def _sign_session(data: dict[str, Any], secret: str = SECRET_KEY) -> str:
-    """Encode and sign a session dict exactly as Starlette's SessionMiddleware does."""
-    raw = b64encode(json.dumps(data).encode()).decode()
-    return TimestampSigner(secret).sign(raw).decode("utf-8")
-
-
 def _session_cookie(data: dict[str, Any]) -> dict[str, str]:
-    return {"session": _sign_session(data)}
+    return {"session": forge_session_cookie(SECRET_KEY, data)}
+
 
+async def _build_app(db_state, inner_handler=None, *, principal_resolvers=None):
+    """Build a minimal ASGI app with AuthMiddleware + SessionMiddleware.
 
-async def _build_app(db_state, inner_handler=None):
-    """Build a minimal ASGI app with AuthMiddleware + SessionMiddleware."""
+    ``principal_resolvers`` (optional) is a list of resolvers seeded onto
+    ``app.state.auth.principal_resolvers`` before the middleware runs.
+    Defaults to an empty registry — matches a production app where no
+    downstream module has registered anything.
+    """
+    from auth.state import AuthState
 
     async def _default_handler(request: Request):
         user = getattr(request.state, "user", None)
@@ -62,6 +61,12 @@ async def _build_app(db_state, inner_handler=None):
 
     app = FastAPI()
     app.state.sm = SimpleNamespace(db=db_state)
+    from users.provider import UsersAuthProvider
+
+    app.state.auth = AuthState(
+        auth_provider=UsersAuthProvider(),
+        principal_resolvers=list(principal_resolvers or []),
+    )
 
     @app.get("/{path:path}")
     async def _catch_all(request: Request, path: str = ""):

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/tests/test_api_admin.py

@@ -46,11 +46,10 @@ class TestAdminList:
     @pytest.mark.anyio
     async def test_list_without_auth_is_rejected(self, anon_client):
         resp = await anon_client.get("/api/users/admin", follow_redirects=False)
-        # AuthMiddleware redirects unauthenticated non-public API paths to
-        # /users/login. Preserving the 302 here so a regression to 401 or
-        # pass-through is caught.
-        assert resp.status_code == 302
-        assert resp.headers["location"].endswith("/users/login")
+        # AuthMiddleware returns 401 JSON for unauthenticated /api/* paths
+        # (view routes still get a 302 redirect to /users/login).
+        assert resp.status_code == 401
+        assert resp.json() == {"detail": "Not authenticated"}
 
     @pytest.mark.anyio
     async def test_list_as_admin_returns_200(self, admin_client, users_db):
@@ -128,8 +127,8 @@ class TestAdminInvite:
             json={"email": "hacker@example.com"},
             follow_redirects=False,
         )
-        assert resp.status_code == 302
-        assert resp.headers["location"].endswith("/users/login")
+        assert resp.status_code == 401
+        assert resp.json() == {"detail": "Not authenticated"}
 
 
 # ---------------------------------------------------------------------------
@@ -205,8 +204,8 @@ class TestAdminSetRoles:
             json={"role_names": ["admin"]},
             follow_redirects=False,
         )
-        assert resp.status_code == 302
-        assert resp.headers["location"].endswith("/users/login")
+        assert resp.status_code == 401
+        assert resp.json() == {"detail": "Not authenticated"}
 
     @pytest.mark.anyio
     async def test_set_roles_nonexistent_returns_404(self, admin_client):

simple_module_users-0.0.17/tests/test_token_api.py

@@ -0,0 +1,191 @@
+"""Tests for bearer token endpoints: /api/users/auth/token*.
+
+Covers: login via email+password, refresh rotation, revoke, and error paths.
+"""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+from fastapi_users.password import PasswordHelper
+from users.models import User
+
+_pw = PasswordHelper()
+
+
+def _hash(plain: str) -> str:
+    return _pw.hash(plain)
+
+
+async def _seed_user(session, email="api@example.com", password="SecurePass1!"):
+    """Create a verified, active user for token tests."""
+    user = User(
+        id=uuid.uuid4(),
+        email=email,
+        hashed_password=_hash(password),
+        is_active=True,
+        is_superuser=False,
+        is_verified=True,
+    )
+    session.add(user)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token — login
+# ---------------------------------------------------------------------------
+
+
+class TestTokenLogin:
+    @pytest.mark.anyio
+    async def test_invalid_email_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "nobody@example.com", "password": "whatever"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_wrong_password_returns_401(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "WRONG"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_inactive_user_returns_401(self, anon_client, users_db):
+        user = await _seed_user(users_db, email="inactive@example.com")
+        user.is_active = False
+        await users_db.commit()
+
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "inactive@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 401
+
+    @pytest.mark.anyio
+    async def test_valid_credentials_returns_token_pair(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["token_type"] == "bearer"
+        assert body["access_token"]
+        assert body["refresh_token"]
+        assert body["expires_in"] > 0
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token/refresh
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRefresh:
+    @pytest.mark.anyio
+    async def test_invalid_uuid_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": "not-a-uuid"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid refresh token"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid or expired refresh token"
+
+    @pytest.mark.anyio
+    async def test_valid_refresh_rotates_tokens(self, anon_client, users_db):
+        """Login, then refresh — old refresh revoked, new pair returned."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert login.status_code == 200
+        old_refresh = login.json()["refresh_token"]
+
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert refresh_resp.status_code == 200
+        new_body = refresh_resp.json()
+        assert new_body["access_token"]
+        assert new_body["refresh_token"] != old_refresh
+
+        # Old refresh token should now be revoked
+        reuse = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert reuse.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# DELETE /api/users/auth/token — revoke
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRevoke:
+    @pytest.mark.anyio
+    async def test_invalid_format_returns_400(self, anon_client):
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": "garbage"},
+        )
+        assert resp.status_code == 400
+        assert resp.json()["detail"] == "Invalid token format"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_ok(self, anon_client):
+        """Revoking a non-existent token is idempotent — still returns ok."""
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "ok"
+
+    @pytest.mark.anyio
+    async def test_revoke_makes_refresh_unusable(self, anon_client, users_db):
+        """After revoking, the refresh token can no longer be used."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        rt = login.json()["refresh_token"]
+
+        # Revoke
+        revoke_resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": rt},
+        )
+        assert revoke_resp.status_code == 200
+
+        # Attempt refresh — should fail
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": rt},
+        )
+        assert refresh_resp.status_code == 401

simple_module_users-0.0.17/tests/test_users_middleware_resolvers.py

@@ -0,0 +1,190 @@
+"""AuthMiddleware tests for the principal-resolver chain.
+
+Covers ``app.state.auth.principal_resolvers`` consultation order, error
+isolation, the session-short-circuit precedence, and the /api/* vs view-path
+unauthenticated split (401 JSON vs 302 redirect).
+
+Helpers + fixtures live in ``_middleware_support`` alongside the broader
+middleware tests in ``test_users_middleware`` and the PUBLIC_PATHS suite in
+``test_users_middleware_public_paths``.
+"""
+
+from __future__ import annotations
+
+import httpx
+import pytest
+from _middleware_support import _build_app, _session_cookie
+from fastapi import Request
+from starlette.responses import JSONResponse
+
+
+def _ctx(uid: str = "11111111-1111-1111-1111-111111111111", **overrides):
+    """Build a UserContext for resolver tests."""
+    from auth.contracts.schemas import UserContext
+
+    fields = {
+        "id": uid,
+        "email": "pat@example.com",
+        "name": "PAT User",
+        "roles": ["user"],
+        "tenant_id": None,
+    }
+    fields.update(overrides)
+    return UserContext(**fields)
+
+
+@pytest.mark.anyio
+async def test_resolver_returning_context_authenticates_request(db_state):
+    """A registered resolver that returns a UserContext authenticates the request."""
+
+    async def stub_resolver(request):
+        return _ctx()
+
+    app = await _build_app(db_state, principal_resolvers=[stub_resolver])
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/dashboard")
+
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["user"]["email"] == "pat@example.com"
+
+
+@pytest.mark.anyio
+async def test_resolver_first_non_none_wins(db_state):
+    """The first resolver returning a context wins; later resolvers are not consulted."""
+    second_called = False
+
+    async def first_none(request):
+        return None
+
+    async def second_returns(request):
+        nonlocal second_called
+        second_called = True
+        return _ctx(email="second@example.com")
+
+    async def third_should_not_run(request):
+        raise AssertionError("third resolver should not run after a match")
+
+    app = await _build_app(
+        db_state,
+        principal_resolvers=[first_none, second_returns, third_should_not_run],
+    )
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/dashboard")
+
+    assert resp.status_code == 200
+    assert resp.json()["user"]["email"] == "second@example.com"
+    assert second_called
+
+
+@pytest.mark.anyio
+async def test_all_resolvers_return_none_falls_through_to_redirect(db_state):
+    """When every resolver returns None for a view route → 302 to /users/login."""
+
+    async def none_resolver(request):
+        return None
+
+    app = await _build_app(db_state, principal_resolvers=[none_resolver])
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/dashboard", follow_redirects=False)
+
+    assert resp.status_code == 302
+    assert resp.headers["location"] == "/users/login"
+
+
+@pytest.mark.anyio
+async def test_resolver_raising_does_not_crash_middleware(db_state, caplog):
+    """A resolver that raises is logged and the chain continues to the next."""
+    import logging
+
+    async def boom(request):
+        raise RuntimeError("resolver kaboom")
+
+    async def fallback(request):
+        return _ctx(email="fallback@example.com")
+
+    app = await _build_app(db_state, principal_resolvers=[boom, fallback])
+    transport = httpx.ASGITransport(app=app)
+    with caplog.at_level(logging.ERROR, logger="users.middleware"):
+        async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+            resp = await client.get("/dashboard")
+
+    assert resp.status_code == 200
+    assert resp.json()["user"]["email"] == "fallback@example.com"
+    assert any("resolver" in rec.message.lower() for rec in caplog.records)
+
+
+@pytest.mark.anyio
+async def test_api_path_unauthenticated_returns_401_json(db_state):
+    """Unauthenticated /api/private should return 401 JSON, not a 302 redirect."""
+    app = await _build_app(db_state)
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/api/private-thing", follow_redirects=False)
+
+    assert resp.status_code == 401
+    assert resp.headers["content-type"].startswith("application/json")
+    assert resp.json() == {"detail": "Not authenticated"}
+
+
+@pytest.mark.anyio
+async def test_view_path_unauthenticated_still_redirects(db_state):
+    """View routes (non-/api/*) keep the existing 302-to-login behavior."""
+    app = await _build_app(db_state)
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/dashboard", follow_redirects=False)
+
+    assert resp.status_code == 302
+    assert resp.headers["location"] == "/users/login"
+
+
+@pytest.mark.anyio
+async def test_session_wins_over_resolver(db_state, mw_active_user):
+    """A valid session cookie short-circuits — the resolver chain is not consulted."""
+    resolver_called = False
+
+    async def should_not_run(request):
+        nonlocal resolver_called
+        resolver_called = True
+        return _ctx(email="should-not-win@example.com")
+
+    app = await _build_app(db_state, principal_resolvers=[should_not_run])
+    transport = httpx.ASGITransport(app=app)
+    cookies = _session_cookie({"user_id": str(mw_active_user.id)})
+    async with httpx.AsyncClient(
+        transport=transport, base_url="http://testserver", cookies=cookies
+    ) as client:
+        resp = await client.get("/dashboard")
+
+    assert resp.status_code == 200
+    assert resp.json()["user"]["email"] == "middleware-test@example.com"
+    assert resolver_called is False
+
+
+@pytest.mark.anyio
+async def test_resolver_does_not_write_session(db_state):
+    """Resolver-authenticated requests must not persist anything to the session."""
+    captured = {}
+
+    async def capture(request: Request):
+        captured["session"] = dict(request.session)
+        user = getattr(request.state, "user", None)
+        return JSONResponse({"authenticated": user is not None})
+
+    async def stub_resolver(request):
+        return _ctx()
+
+    app = await _build_app(db_state, capture, principal_resolvers=[stub_resolver])
+    transport = httpx.ASGITransport(app=app)
+    async with httpx.AsyncClient(transport=transport, base_url="http://testserver") as client:
+        resp = await client.get("/dashboard")
+
+    assert resp.status_code == 200
+    assert resp.json() == {"authenticated": True}
+    # Session must not contain a user_id, user_ctx, or anything resolver-added.
+    assert "user_id" not in captured["session"]
+    assert "user_ctx" not in captured["session"]

simple_module_users-0.0.17/tests/test_users_provider.py

@@ -0,0 +1,46 @@
+"""Tests for UsersAuthProvider."""
+
+from __future__ import annotations
+
+from auth.contracts.provider import AuthProvider
+from users.provider import UsersAuthProvider
+
+
+def test_users_provider_satisfies_protocol():
+    provider = UsersAuthProvider()
+    assert isinstance(provider, AuthProvider)
+
+
+def test_login_url():
+    provider = UsersAuthProvider()
+    assert provider.get_login_url(None) == "/users/login"
+
+
+def test_logout_url():
+    provider = UsersAuthProvider()
+    assert provider.get_logout_url(None) == "/users/logout"
+
+
+def test_public_paths():
+    provider = UsersAuthProvider()
+    prefixes, _exact = provider.get_public_paths()
+    assert "/users/login" in prefixes
+    assert "/api/users/auth/" in prefixes
+
+
+def test_is_bearer_request_true():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {"authorization": "Bearer abc123"}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is True
+
+
+def test_is_bearer_request_false():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is False

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/tests/test_views.py

@@ -112,6 +112,15 @@ class TestLoginPage:
             {"label": "User", "email": "user@example.com", "password": "UserPass1!"},
         ]
 
+    @pytest.mark.anyio
+    async def test_login_redirect_url_is_dashboard_when_installed(self, anon_client):
+        """Regression for #173: with Dashboard installed, prop stays /dashboard/."""
+        resp = await anon_client.get(
+            "/users/login",
+            headers={"X-Inertia": "true", "X-Inertia-Version": "1.0"},
+        )
+        assert resp.json()["props"]["login_redirect_url"] == "/dashboard/"
+
 
 class TestRegisterPage:
     @pytest.mark.anyio
@@ -241,3 +250,28 @@ async def test_roles_payload_returns_id_name_dicts(users_app):
     names = [item["name"] for item in payload]
     assert "admin" in names
     assert "user" in names
+
+
+@pytest.mark.anyio
+async def test_login_redirect_fallback_without_dashboard(users_app):
+    """Regression for #173: without Dashboard, redirect falls back to
+    the first sibling module view_prefix, not ``/`` (which may 404)."""
+    sm = users_app.state.sm
+    original = sm.modules
+    no_dash = tuple(m for m in original if m.meta.name != "Dashboard")
+    assert len(no_dash) < len(original), "test setup: Dashboard should exist"
+
+    settings = users_app.state.users.settings
+    settings.login_redirect_url = "/dashboard/"
+    object.__setattr__(sm, "modules", no_dash)
+    try:
+        from users.module import UsersModule
+
+        mod = UsersModule()
+        await mod.on_startup(users_app)
+        url = settings.login_redirect_url
+        assert url != "/", "must not fall back to / (may 404)"
+        assert url.startswith("/"), "must be an absolute path"
+        assert url.endswith("/"), "must have trailing slash"
+    finally:
+        object.__setattr__(sm, "modules", original)

{simple_module_users-0.0.15 → simple_module_users-0.0.17}/users/auth_local/api.py

@@ -117,12 +117,22 @@ async def login(
 # ── Mount fastapi-users stock routers ────────────────────────────────────────
 
 # The stock auth router (login + logout) is mounted at /auth-inner so its
-# logout and other endpoints remain accessible. Our wrapper at /auth/login
-# shadows the stock login endpoint. Logout is exposed via /auth-inner/logout.
+# endpoints remain accessible. Our wrappers at /auth/login and /auth/logout
+# shadow the stock endpoints to also manage the session cookie.
 auth_inner = fastapi_users.get_auth_router(auth_backend, requires_verification=True)
 router.include_router(auth_inner, prefix="/auth-inner")
 
 
+@router.post("/auth/logout", status_code=204)
+async def api_logout(request: Request):
+    """API logout — clears both the access-token cookie and the session."""
+    request.session.clear()
+    cookie_name = request.app.state.users.settings.cookie_name
+    response = Response(status_code=204)
+    response.delete_cookie(cookie_name, path="/")
+    return response
+
+
 # ── Accept-invite (verify + set password + login, one shot) ─────────────────