simple-module-users 0.0.16__tar.gz → 0.0.17__tar.gz

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.16
+Version: 0.0.17
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.16
-Requires-Dist: simple-module-core==0.0.16
-Requires-Dist: simple-module-db==0.0.16
-Requires-Dist: simple-module-hosting==0.0.16
-Requires-Dist: simple-module-settings==0.0.16
+Requires-Dist: simple-module-auth==0.0.17
+Requires-Dist: simple-module-core==0.0.17
+Requires-Dist: simple-module-db==0.0.17
+Requires-Dist: simple-module-hosting==0.0.17
+Requires-Dist: simple-module-settings==0.0.17
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.16"
+version = "0.0.17"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.16",
-    "simple_module_db==0.0.16",
-    "simple_module_hosting==0.0.16",
-    "simple_module_settings==0.0.16",
-    "simple_module_auth==0.0.16",
+    "simple_module_core==0.0.17",
+    "simple_module_db==0.0.17",
+    "simple_module_hosting==0.0.17",
+    "simple_module_settings==0.0.17",
+    "simple_module_auth==0.0.17",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/tests/_middleware_support.py

@@ -14,12 +14,12 @@ from types import SimpleNamespace
 from typing import Any
 
 import pytest
+from auth.middleware import AuthMiddleware
 from fastapi import FastAPI, Request
 from simple_module_test import forge_session_cookie
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.responses import JSONResponse
 from users.constants import ADMIN_ROLE_ID, USER_ROLE_ID
-from users.middleware import AuthMiddleware
 
 SECRET_KEY = "test-secret-key-for-session-middleware"
 
@@ -61,7 +61,10 @@ async def _build_app(db_state, inner_handler=None, *, principal_resolvers=None):
 
     app = FastAPI()
     app.state.sm = SimpleNamespace(db=db_state)
+    from users.provider import UsersAuthProvider
+
     app.state.auth = AuthState(
+        auth_provider=UsersAuthProvider(),
         principal_resolvers=list(principal_resolvers or []),
     )
 

simple_module_users-0.0.17/tests/test_token_api.py

@@ -0,0 +1,191 @@
+"""Tests for bearer token endpoints: /api/users/auth/token*.
+
+Covers: login via email+password, refresh rotation, revoke, and error paths.
+"""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+from fastapi_users.password import PasswordHelper
+from users.models import User
+
+_pw = PasswordHelper()
+
+
+def _hash(plain: str) -> str:
+    return _pw.hash(plain)
+
+
+async def _seed_user(session, email="api@example.com", password="SecurePass1!"):
+    """Create a verified, active user for token tests."""
+    user = User(
+        id=uuid.uuid4(),
+        email=email,
+        hashed_password=_hash(password),
+        is_active=True,
+        is_superuser=False,
+        is_verified=True,
+    )
+    session.add(user)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token — login
+# ---------------------------------------------------------------------------
+
+
+class TestTokenLogin:
+    @pytest.mark.anyio
+    async def test_invalid_email_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "nobody@example.com", "password": "whatever"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_wrong_password_returns_401(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "WRONG"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_inactive_user_returns_401(self, anon_client, users_db):
+        user = await _seed_user(users_db, email="inactive@example.com")
+        user.is_active = False
+        await users_db.commit()
+
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "inactive@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 401
+
+    @pytest.mark.anyio
+    async def test_valid_credentials_returns_token_pair(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["token_type"] == "bearer"
+        assert body["access_token"]
+        assert body["refresh_token"]
+        assert body["expires_in"] > 0
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token/refresh
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRefresh:
+    @pytest.mark.anyio
+    async def test_invalid_uuid_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": "not-a-uuid"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid refresh token"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid or expired refresh token"
+
+    @pytest.mark.anyio
+    async def test_valid_refresh_rotates_tokens(self, anon_client, users_db):
+        """Login, then refresh — old refresh revoked, new pair returned."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert login.status_code == 200
+        old_refresh = login.json()["refresh_token"]
+
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert refresh_resp.status_code == 200
+        new_body = refresh_resp.json()
+        assert new_body["access_token"]
+        assert new_body["refresh_token"] != old_refresh
+
+        # Old refresh token should now be revoked
+        reuse = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert reuse.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# DELETE /api/users/auth/token — revoke
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRevoke:
+    @pytest.mark.anyio
+    async def test_invalid_format_returns_400(self, anon_client):
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": "garbage"},
+        )
+        assert resp.status_code == 400
+        assert resp.json()["detail"] == "Invalid token format"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_ok(self, anon_client):
+        """Revoking a non-existent token is idempotent — still returns ok."""
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "ok"
+
+    @pytest.mark.anyio
+    async def test_revoke_makes_refresh_unusable(self, anon_client, users_db):
+        """After revoking, the refresh token can no longer be used."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        rt = login.json()["refresh_token"]
+
+        # Revoke
+        revoke_resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": rt},
+        )
+        assert revoke_resp.status_code == 200
+
+        # Attempt refresh — should fail
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": rt},
+        )
+        assert refresh_resp.status_code == 401

simple_module_users-0.0.17/tests/test_users_provider.py

@@ -0,0 +1,46 @@
+"""Tests for UsersAuthProvider."""
+
+from __future__ import annotations
+
+from auth.contracts.provider import AuthProvider
+from users.provider import UsersAuthProvider
+
+
+def test_users_provider_satisfies_protocol():
+    provider = UsersAuthProvider()
+    assert isinstance(provider, AuthProvider)
+
+
+def test_login_url():
+    provider = UsersAuthProvider()
+    assert provider.get_login_url(None) == "/users/login"
+
+
+def test_logout_url():
+    provider = UsersAuthProvider()
+    assert provider.get_logout_url(None) == "/users/logout"
+
+
+def test_public_paths():
+    provider = UsersAuthProvider()
+    prefixes, _exact = provider.get_public_paths()
+    assert "/users/login" in prefixes
+    assert "/api/users/auth/" in prefixes
+
+
+def test_is_bearer_request_true():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {"authorization": "Bearer abc123"}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is True
+
+
+def test_is_bearer_request_false():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is False

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/users/auth_local/api.py

@@ -117,12 +117,22 @@ async def login(
 # ── Mount fastapi-users stock routers ────────────────────────────────────────
 
 # The stock auth router (login + logout) is mounted at /auth-inner so its
-# logout and other endpoints remain accessible. Our wrapper at /auth/login
-# shadows the stock login endpoint. Logout is exposed via /auth-inner/logout.
+# endpoints remain accessible. Our wrappers at /auth/login and /auth/logout
+# shadow the stock endpoints to also manage the session cookie.
 auth_inner = fastapi_users.get_auth_router(auth_backend, requires_verification=True)
 router.include_router(auth_inner, prefix="/auth-inner")
 
 
+@router.post("/auth/logout", status_code=204)
+async def api_logout(request: Request):
+    """API logout — clears both the access-token cookie and the session."""
+    request.session.clear()
+    cookie_name = request.app.state.users.settings.cookie_name
+    response = Response(status_code=204)
+    response.delete_cookie(cookie_name, path="/")
+    return response
+
+
 # ── Accept-invite (verify + set password + login, one shot) ─────────────────
 
 

simple_module_users-0.0.17/users/auth_local/token_api.py

@@ -0,0 +1,159 @@
+"""Bearer token endpoints for mobile/API clients.
+
+Provides email+password → access_token + refresh_token, refresh, and revoke
+flows for clients that cannot use browser cookies (mobile apps, CLI tools,
+third-party API consumers).
+"""
+
+from __future__ import annotations
+
+import uuid as uuid_mod
+from datetime import UTC, datetime, timedelta
+
+from fastapi import APIRouter, Depends, HTTPException, Request
+from simple_module_db.deps import get_db
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import SQLModel
+
+from users.models import User
+from users.models.refresh_token import RefreshToken
+
+# Pre-computed bcrypt hash used when a login attempt targets a non-existent
+# user. Running verify against this takes the same time as a real check,
+# preventing timing-based email enumeration.
+_DUMMY_HASH = "$2b$12$LJ3m4ys3Lg/PFgWCZxEzR.ZVxFMz3yeqHEhSYmiJ9gJOPG7W3Cq2G"
+
+router = APIRouter(prefix="/auth", tags=["users-token"])
+
+
+class TokenRequest(SQLModel):
+    """Email + password login for bearer-token auth."""
+
+    email: str
+    password: str
+
+
+class TokenResponse(SQLModel):
+    """Access + refresh token pair returned on successful auth."""
+
+    access_token: str
+    refresh_token: str
+    token_type: str = "bearer"
+    expires_in: int
+
+
+class RefreshRequest(SQLModel):
+    """Body for refresh and revoke endpoints."""
+
+    refresh_token: str
+
+
+@router.post("/token", response_model=TokenResponse)
+async def token_login(
+    body: TokenRequest,
+    request: Request,
+    db: AsyncSession = Depends(get_db),
+):
+    """Exchange email + password for an access/refresh token pair."""
+    from fastapi_users.password import PasswordHelper
+
+    helper = PasswordHelper()
+
+    stmt = select(User).where(User.email == body.email)
+    user = (await db.execute(stmt)).scalar_one_or_none()
+    if user is None or not user.is_active or user.disabled_at is not None:
+        # Constant-time: run bcrypt on a dummy hash to prevent timing-based
+        # email enumeration (existing user + wrong password takes ~50ms for
+        # bcrypt; missing user would be instant without this).
+        helper.verify_and_update(body.password, _DUMMY_HASH)
+        raise HTTPException(status_code=401, detail="Invalid credentials")
+
+    verified, _ = helper.verify_and_update(body.password, user.hashed_password)
+    if not verified:
+        raise HTTPException(status_code=401, detail="Invalid credentials")
+
+    settings = request.app.state.users.settings
+    return await _create_token_pair(db, user.id, settings)
+
+
+@router.post("/token/refresh", response_model=TokenResponse)
+async def token_refresh(
+    body: RefreshRequest,
+    request: Request,
+    db: AsyncSession = Depends(get_db),
+):
+    """Rotate a refresh token into a new access/refresh pair."""
+    try:
+        token_uuid = uuid_mod.UUID(body.refresh_token)
+    except (ValueError, TypeError):
+        raise HTTPException(status_code=401, detail="Invalid refresh token") from None
+
+    now = datetime.now(UTC)
+    stmt = select(RefreshToken).where(
+        RefreshToken.token == token_uuid,
+        RefreshToken.revoked_at.is_(None),  # type: ignore[union-attr]
+        RefreshToken.expires_at > now,
+    )
+    rt = (await db.execute(stmt)).scalar_one_or_none()
+    if rt is None:
+        raise HTTPException(status_code=401, detail="Invalid or expired refresh token")
+
+    rt.revoked_at = now
+    await db.flush()
+
+    settings = request.app.state.users.settings
+    return await _create_token_pair(db, rt.user_id, settings)
+
+
+@router.delete("/token")
+async def token_revoke(
+    body: RefreshRequest,
+    db: AsyncSession = Depends(get_db),
+):
+    """Revoke a refresh token (idempotent)."""
+    try:
+        token_uuid = uuid_mod.UUID(body.refresh_token)
+    except (ValueError, TypeError):
+        raise HTTPException(status_code=400, detail="Invalid token format") from None
+
+    stmt = select(RefreshToken).where(RefreshToken.token == token_uuid)
+    rt = (await db.execute(stmt)).scalar_one_or_none()
+    if rt and rt.revoked_at is None:
+        rt.revoked_at = datetime.now(UTC)
+        await db.flush()
+    return {"status": "ok"}
+
+
+async def _create_token_pair(
+    db: AsyncSession,
+    user_id: uuid_mod.UUID,
+    settings,
+) -> TokenResponse:
+    """Mint a new access token + refresh token pair and persist both."""
+    from users.models import UserAccessToken
+
+    now = datetime.now(UTC)
+
+    access_token = UserAccessToken(
+        token=str(uuid_mod.uuid4()),
+        user_id=user_id,
+        created_at=now,
+    )
+    db.add(access_token)
+
+    refresh = RefreshToken(
+        token=uuid_mod.uuid4(),
+        user_id=user_id,
+        created_at=now,
+        expires_at=now + timedelta(seconds=settings.refresh_token_lifetime_seconds),
+    )
+    db.add(refresh)
+    await db.flush()
+
+    return TokenResponse(
+        access_token=access_token.token,
+        refresh_token=str(refresh.token),
+        token_type="bearer",
+        expires_in=settings.bearer_token_lifetime_seconds,
+    )

simple_module_users-0.0.17/users/middleware.py

@@ -0,0 +1,10 @@
+"""Backwards-compatibility re-export.
+
+The canonical AuthMiddleware now lives in ``auth.middleware``. This shim
+exists only to avoid breaking imports in downstream apps that referenced
+``users.middleware.AuthMiddleware`` directly.
+"""
+
+from auth.middleware import AuthMiddleware
+
+__all__ = ["AuthMiddleware"]

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/users/models/__init__.py

@@ -10,6 +10,7 @@ from fastapi_users_db_sqlalchemy.access_token import SQLAlchemyAccessTokenDataba
 from users.models._base import Base
 from users.models.access_token import UserAccessToken
 from users.models.oauth_account import OAuthAccount
+from users.models.refresh_token import RefreshToken
 from users.models.role import Role
 from users.models.user import User
 from users.models.user_role import UserRole
@@ -17,6 +18,7 @@ from users.models.user_role import UserRole
 __all__ = [
     "Base",
     "OAuthAccount",
+    "RefreshToken",
     "Role",
     "SQLAlchemyAccessTokenDatabase",
     "SQLAlchemyUserDatabase",

simple_module_users-0.0.17/users/models/refresh_token.py

@@ -0,0 +1,22 @@
+"""Refresh token for mobile/API bearer auth."""
+
+from __future__ import annotations
+
+import uuid as uuid_mod
+from datetime import UTC, datetime
+
+from sqlmodel import Field
+
+from users.models._base import Base
+
+
+class RefreshToken(Base, table=True):  # ty: ignore[unsupported-base]
+    """Opaque refresh token exchanged for a new access + refresh pair."""
+
+    __tablename__ = "users_refresh_token"
+
+    token: uuid_mod.UUID = Field(default_factory=uuid_mod.uuid4, primary_key=True)
+    user_id: uuid_mod.UUID = Field(foreign_key="users_user.id", index=True)
+    created_at: datetime = Field(default_factory=lambda: datetime.now(UTC))
+    expires_at: datetime
+    revoked_at: datetime | None = None

{simple_module_users-0.0.16 → simple_module_users-0.0.17}/users/module.py

@@ -39,12 +39,11 @@ class UsersModule(ModuleBase):
         view_prefix="/users",
         depends_on=[_MODULE_DEPENDENCY_AUTH],
     )
+    _is_auth_provider = True
 
     def register_settings(self, app: FastAPI) -> None:
         import importlib
 
-        from auth.contracts.schemas import UserContext
-
         from users.settings import UsersSettings
         from users.state import UsersState
 
@@ -58,15 +57,9 @@ class UsersModule(ModuleBase):
 
         register_module_settings(app, "users", UsersSettings, lambda s: UsersState(settings=s))
 
-        def serialize_principal(user: UserContext) -> dict:
-            return {
-                "id": user.id,
-                "name": user.name,
-                "email": user.email,
-                "roles": user.roles,
-            }
+        from users.provider import UsersAuthProvider
 
-        app.state.principal_serializer = serialize_principal
+        app.state.auth.auth_provider = UsersAuthProvider()
 
     def register_permissions(self, registry: PermissionRegistry) -> None:
         registry.add_group(
@@ -113,6 +106,7 @@ class UsersModule(ModuleBase):
         from users.admin.api import admin_router
         from users.admin.views import router as admin_views
         from users.auth_local import api as auth_local_api
+        from users.auth_local.token_api import router as token_router
         from users.auth_local.views import router as auth_views
         from users.contracts.schemas import UserCreate, UserRead
         from users.deps import fastapi_users
@@ -127,6 +121,7 @@ class UsersModule(ModuleBase):
         settings = UsersSettings()
 
         api_router.include_router(auth_local_api.router)
+        api_router.include_router(token_router)
         api_router.include_router(admin_router)
         # Throughput-wrap the stock fastapi-users routers; ``require_signup_enabled``
         # gates /register at request time so ``allow_signup`` is hot-reloadable.
@@ -156,11 +151,6 @@ class UsersModule(ModuleBase):
         view_router.include_router(auth_views)
         view_router.include_router(admin_views)
 
-    def register_middleware(self, app: FastAPI) -> None:
-        from users.middleware import AuthMiddleware
-
-        app.add_middleware(AuthMiddleware)
-
     async def on_startup(self, app: FastAPI) -> None:
         """Build the mailer, rate limiter, and apply production cookie params."""
         import asyncio