simple-module-users 0.0.16__tar.gz → 0.0.18__tar.gz

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.16
+Version: 0.0.18
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.16
-Requires-Dist: simple-module-core==0.0.16
-Requires-Dist: simple-module-db==0.0.16
-Requires-Dist: simple-module-hosting==0.0.16
-Requires-Dist: simple-module-settings==0.0.16
+Requires-Dist: simple-module-auth==0.0.18
+Requires-Dist: simple-module-core==0.0.18
+Requires-Dist: simple-module-db==0.0.18
+Requires-Dist: simple-module-hosting==0.0.18
+Requires-Dist: simple-module-settings==0.0.18
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 
@@ -84,6 +84,37 @@ async def profile(user: CurrentUser):
 - `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
 - `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
 
+## Social sign-in (Google, GitHub, Microsoft, OIDC)
+
+OAuth providers are configured in the admin UI at **/settings/modules → Users**
+(no environment variables). Each provider activates once its client id **and**
+secret are set; the secret is masked in the UI. Changes apply live — no restart.
+
+**Microsoft (Entra ID).** Register an app in the Entra admin center and set the
+redirect URI to `<base-url>/api/users/auth/microsoft/callback`. Configure under
+the **Microsoft OAuth** group:
+
+- `oauth_microsoft_client_id`, `oauth_microsoft_client_secret`
+- `oauth_microsoft_tenant` — `common` (any work/school or personal account,
+  the default), `organizations` (work/school only), or your tenant GUID to
+  restrict sign-in to one tenant.
+
+Each provider's callback URL is `<base-url>/api/users/auth/<provider>/callback`
+(`google`, `github`, `microsoft`, `oidc`).
+
+> **Note:** for Microsoft *guest/external* accounts the identity email comes
+> from the Graph `userPrincipalName`, which may not be a plain email
+> (e.g. `user_ext.com#EXT#@tenant.onmicrosoft.com`). For tenant members it is
+> the user's email.
+
+### Migrating from `SM_USERS_OAUTH_*` env vars
+
+Earlier versions read provider credentials from `SM_USERS_OAUTH_*` environment
+variables. These are no longer read at runtime. Migrate existing values into the
+settings store once with:
+
+    uv run smpy settings import-from-env
+
 ## License
 
 MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/README.md

@@ -50,6 +50,37 @@ async def profile(user: CurrentUser):
 - `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
 - `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
 
+## Social sign-in (Google, GitHub, Microsoft, OIDC)
+
+OAuth providers are configured in the admin UI at **/settings/modules → Users**
+(no environment variables). Each provider activates once its client id **and**
+secret are set; the secret is masked in the UI. Changes apply live — no restart.
+
+**Microsoft (Entra ID).** Register an app in the Entra admin center and set the
+redirect URI to `<base-url>/api/users/auth/microsoft/callback`. Configure under
+the **Microsoft OAuth** group:
+
+- `oauth_microsoft_client_id`, `oauth_microsoft_client_secret`
+- `oauth_microsoft_tenant` — `common` (any work/school or personal account,
+  the default), `organizations` (work/school only), or your tenant GUID to
+  restrict sign-in to one tenant.
+
+Each provider's callback URL is `<base-url>/api/users/auth/<provider>/callback`
+(`google`, `github`, `microsoft`, `oidc`).
+
+> **Note:** for Microsoft *guest/external* accounts the identity email comes
+> from the Graph `userPrincipalName`, which may not be a plain email
+> (e.g. `user_ext.com#EXT#@tenant.onmicrosoft.com`). For tenant members it is
+> the user's email.
+
+### Migrating from `SM_USERS_OAUTH_*` env vars
+
+Earlier versions read provider credentials from `SM_USERS_OAUTH_*` environment
+variables. These are no longer read at runtime. Migrate existing values into the
+settings store once with:
+
+    uv run smpy settings import-from-env
+
 ## License
 
 MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.16"
+version = "0.0.18"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.16",
-    "simple_module_db==0.0.16",
-    "simple_module_hosting==0.0.16",
-    "simple_module_settings==0.0.16",
-    "simple_module_auth==0.0.16",
+    "simple_module_core==0.0.18",
+    "simple_module_db==0.0.18",
+    "simple_module_hosting==0.0.18",
+    "simple_module_settings==0.0.18",
+    "simple_module_auth==0.0.18",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/tests/_middleware_support.py

@@ -14,12 +14,12 @@ from types import SimpleNamespace
 from typing import Any
 
 import pytest
+from auth.middleware import AuthMiddleware
 from fastapi import FastAPI, Request
 from simple_module_test import forge_session_cookie
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.responses import JSONResponse
 from users.constants import ADMIN_ROLE_ID, USER_ROLE_ID
-from users.middleware import AuthMiddleware
 
 SECRET_KEY = "test-secret-key-for-session-middleware"
 
@@ -61,7 +61,10 @@ async def _build_app(db_state, inner_handler=None, *, principal_resolvers=None):
 
     app = FastAPI()
     app.state.sm = SimpleNamespace(db=db_state)
+    from users.provider import UsersAuthProvider
+
     app.state.auth = AuthState(
+        auth_provider=UsersAuthProvider(),
         principal_resolvers=list(principal_resolvers or []),
     )
 

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/tests/test_oauth.py

@@ -1,16 +1,18 @@
-"""Unit + integration tests for the OAuth/OIDC plumbing.
+"""Unit tests for the OAuth/OIDC plumbing.
 
 Provider client construction and the /authorize+/callback ASGI flow are not
 covered here because both depend on real httpx-oauth clients that hit the
 network (token exchange, profile fetch). Those are best validated in a manual
 QA pass against a dev IdP. What this file *does* cover:
 
-- ``enabled_provider_names`` correctly reflects settings.
-- ``build_clients`` instantiates the Google + GitHub clients when configured.
+- ``build_clients`` / ``build_client_map`` instantiate clients when configured.
 - ``OAuthAccount`` persists and FK-cascades on user delete.
 - ``UserManager.oauth_callback`` (the find-or-create core fastapi-users helper
   the route delegates to) creates a fresh user + linked OAuthAccount, and
   associates by email when the user already exists.
+
+HTTP dispatcher and live-reload (``SettingsReloaded``) integration tests live
+in ``test_oauth_routes.py``.
 """
 
 from __future__ import annotations
@@ -21,7 +23,7 @@ import pytest
 from fastapi_users.password import PasswordHelper
 from sqlalchemy import select
 from users.models import OAuthAccount, User
-from users.oauth import build_clients, enabled_provider_names
+from users.oauth import build_client_map, build_clients
 from users.settings import UsersSettings
 
 _pw = PasswordHelper()
@@ -32,38 +34,64 @@ _pw = PasswordHelper()
 # ---------------------------------------------------------------------------
 
 
-def test_enabled_provider_names_empty_by_default():
-    assert enabled_provider_names(UsersSettings()) == []
+def test_microsoft_settings_defaults():
+    s = UsersSettings()
+    assert s.oauth_microsoft_client_id == ""
+    assert s.oauth_microsoft_client_secret == ""
+    assert s.oauth_microsoft_tenant == "common"
+
+
+def test_oauth_fields_carry_group_metadata_for_settings_ui():
+    fields = UsersSettings.model_fields
+    assert fields["oauth_google_client_id"].json_schema_extra == {"group": "Google OAuth"}
+    assert fields["oauth_github_client_id"].json_schema_extra == {"group": "GitHub OAuth"}
+    assert fields["oauth_oidc_discovery_url"].json_schema_extra == {"group": "OIDC"}
+    assert fields["oauth_microsoft_client_secret"].json_schema_extra == {"group": "Microsoft OAuth"}
+
+
+# ---------------------------------------------------------------------------
+# build_clients (no-network providers only)
+# ---------------------------------------------------------------------------
 
 
-def test_enabled_provider_names_lists_configured_providers():
+def test_build_clients_includes_microsoft():
     s = UsersSettings(
-        oauth_google_client_id="g-id",
-        oauth_google_client_secret="g-secret",
-        oauth_github_client_id="gh-id",
-        oauth_github_client_secret="gh-secret",
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
     )
-    names = [p["name"] for p in enabled_provider_names(s)]
-    assert names == ["google", "github"]
+    providers = build_clients(s)
+    assert [p.name for p in providers] == ["microsoft"]
+    assert providers[0].display_name == "Microsoft"
+    assert providers[0].client.client_id == "ms-id"
 
 
-def test_enabled_provider_names_skips_provider_missing_secret():
-    s = UsersSettings(oauth_google_client_id="g-id")  # no secret
-    assert enabled_provider_names(s) == []
+def test_build_clients_skips_microsoft_without_secret():
+    s = UsersSettings(oauth_microsoft_client_id="ms-id")  # no secret
+    assert [p.name for p in build_clients(s)] == []
 
 
-def test_enabled_provider_names_oidc_requires_discovery_url():
+@pytest.mark.anyio
+async def test_microsoft_authorize_url_carries_tenant():
     s = UsersSettings(
-        oauth_oidc_client_id="x",
-        oauth_oidc_client_secret="y",
-        # discovery_url unset → not registered
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
+        oauth_microsoft_tenant="my-tenant-guid",
     )
-    assert enabled_provider_names(s) == []
+    client = build_client_map(s)["microsoft"].client
+    url = await client.get_authorization_url("http://testserver/cb", "state123")
+    assert "my-tenant-guid" in url
 
 
-# ---------------------------------------------------------------------------
-# build_clients (no-network providers only)
-# ---------------------------------------------------------------------------
+def test_build_client_map_keys_by_name():
+    s = UsersSettings(
+        oauth_google_client_id="g-id",
+        oauth_google_client_secret="g-secret",
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
+    )
+    m = build_client_map(s)
+    assert set(m) == {"google", "microsoft"}
+    assert m["microsoft"].name == "microsoft"
 
 
 def test_build_clients_google_and_github():
@@ -187,3 +215,15 @@ async def test_oauth_callback_links_to_existing_email(users_app, users_db):
         assert names == ["github"]
     finally:
         await session.__aexit__(None, None, None)
+
+
+# ---------------------------------------------------------------------------
+# UsersState defaults
+# ---------------------------------------------------------------------------
+
+
+def test_users_state_defaults_empty_oauth_clients():
+    from users.state import UsersState
+
+    state = UsersState(settings=UsersSettings())
+    assert state.oauth_clients == {}

simple_module_users-0.0.18/tests/test_oauth_routes.py

@@ -0,0 +1,105 @@
+"""OAuth HTTP dispatcher + live-reload tests.
+
+Exercises the running app: the provider-agnostic ``/auth/{provider}/{login,callback}``
+dispatcher (resolution, 404, state CSRF) and the ``SettingsReloaded`` hot-reload of the
+provider cache. Provider construction and the account model are unit-tested in
+``test_oauth.py``.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+# ---------------------------------------------------------------------------
+# Provider-agnostic dispatcher (request-time client resolution)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_oauth_login_redirects_for_configured_provider(users_app, anon_client):
+    from httpx_oauth.clients.microsoft import MicrosoftGraphOAuth2
+    from users.oauth import OAuthProvider
+
+    users_app.state.users.oauth_clients["microsoft"] = OAuthProvider(
+        "microsoft", "Microsoft", MicrosoftGraphOAuth2("ms-id", "ms-secret")
+    )
+    resp = await anon_client.get("/api/users/auth/microsoft/login", follow_redirects=False)
+    assert resp.status_code == 302
+    assert "login.microsoftonline.com" in resp.headers["location"]
+
+
+@pytest.mark.anyio
+async def test_oauth_login_404_for_unknown_provider(anon_client):
+    resp = await anon_client.get("/api/users/auth/nope/login", follow_redirects=False)
+    assert resp.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_oauth_callback_rejects_bad_state(users_app, anon_client):
+    from httpx_oauth.clients.microsoft import MicrosoftGraphOAuth2
+    from users.oauth import OAuthProvider
+
+    users_app.state.users.oauth_clients["microsoft"] = OAuthProvider(
+        "microsoft", "Microsoft", MicrosoftGraphOAuth2("ms-id", "ms-secret")
+    )
+    resp = await anon_client.get(
+        "/api/users/auth/microsoft/callback?code=abc&state=bad", follow_redirects=False
+    )
+    assert resp.status_code == 400
+
+
+# ---------------------------------------------------------------------------
+# Live cache rebuild on SettingsReloaded
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_settings_reload_adds_provider_to_cache(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    assert users_app.state.users.oauth_clients == {}
+    assert users_app.state.users.oauth_providers == []
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "ms-id", "oauth_microsoft_client_secret": "ms-secret"}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+
+    assert "microsoft" in users_app.state.users.oauth_clients
+    buttons = users_app.state.users.oauth_providers
+    assert {"name": "microsoft", "display_name": "Microsoft"} in buttons
+
+
+@pytest.mark.anyio
+async def test_settings_reload_removes_cleared_provider(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "ms-id", "oauth_microsoft_client_secret": "ms-secret"}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+    assert "microsoft" in users_app.state.users.oauth_clients
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "", "oauth_microsoft_client_secret": ""}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+    assert "microsoft" not in users_app.state.users.oauth_clients
+
+
+@pytest.mark.anyio
+async def test_settings_reload_ignores_other_packages(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    sentinel = object()
+    users_app.state.users.oauth_clients["microsoft"] = sentinel
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="background_tasks", changed=("broker_url",))
+    )
+    assert users_app.state.users.oauth_clients["microsoft"] is sentinel

simple_module_users-0.0.18/tests/test_token_api.py

@@ -0,0 +1,191 @@
+"""Tests for bearer token endpoints: /api/users/auth/token*.
+
+Covers: login via email+password, refresh rotation, revoke, and error paths.
+"""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+from fastapi_users.password import PasswordHelper
+from users.models import User
+
+_pw = PasswordHelper()
+
+
+def _hash(plain: str) -> str:
+    return _pw.hash(plain)
+
+
+async def _seed_user(session, email="api@example.com", password="SecurePass1!"):
+    """Create a verified, active user for token tests."""
+    user = User(
+        id=uuid.uuid4(),
+        email=email,
+        hashed_password=_hash(password),
+        is_active=True,
+        is_superuser=False,
+        is_verified=True,
+    )
+    session.add(user)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token — login
+# ---------------------------------------------------------------------------
+
+
+class TestTokenLogin:
+    @pytest.mark.anyio
+    async def test_invalid_email_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "nobody@example.com", "password": "whatever"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_wrong_password_returns_401(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "WRONG"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid credentials"
+
+    @pytest.mark.anyio
+    async def test_inactive_user_returns_401(self, anon_client, users_db):
+        user = await _seed_user(users_db, email="inactive@example.com")
+        user.is_active = False
+        await users_db.commit()
+
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "inactive@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 401
+
+    @pytest.mark.anyio
+    async def test_valid_credentials_returns_token_pair(self, anon_client, users_db):
+        await _seed_user(users_db)
+        resp = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["token_type"] == "bearer"
+        assert body["access_token"]
+        assert body["refresh_token"]
+        assert body["expires_in"] > 0
+
+
+# ---------------------------------------------------------------------------
+# POST /api/users/auth/token/refresh
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRefresh:
+    @pytest.mark.anyio
+    async def test_invalid_uuid_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": "not-a-uuid"},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid refresh token"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_401(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 401
+        assert resp.json()["detail"] == "Invalid or expired refresh token"
+
+    @pytest.mark.anyio
+    async def test_valid_refresh_rotates_tokens(self, anon_client, users_db):
+        """Login, then refresh — old refresh revoked, new pair returned."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        assert login.status_code == 200
+        old_refresh = login.json()["refresh_token"]
+
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert refresh_resp.status_code == 200
+        new_body = refresh_resp.json()
+        assert new_body["access_token"]
+        assert new_body["refresh_token"] != old_refresh
+
+        # Old refresh token should now be revoked
+        reuse = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": old_refresh},
+        )
+        assert reuse.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# DELETE /api/users/auth/token — revoke
+# ---------------------------------------------------------------------------
+
+
+class TestTokenRevoke:
+    @pytest.mark.anyio
+    async def test_invalid_format_returns_400(self, anon_client):
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": "garbage"},
+        )
+        assert resp.status_code == 400
+        assert resp.json()["detail"] == "Invalid token format"
+
+    @pytest.mark.anyio
+    async def test_nonexistent_token_returns_ok(self, anon_client):
+        """Revoking a non-existent token is idempotent — still returns ok."""
+        resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": str(uuid.uuid4())},
+        )
+        assert resp.status_code == 200
+        assert resp.json()["status"] == "ok"
+
+    @pytest.mark.anyio
+    async def test_revoke_makes_refresh_unusable(self, anon_client, users_db):
+        """After revoking, the refresh token can no longer be used."""
+        await _seed_user(users_db)
+        login = await anon_client.post(
+            "/api/users/auth/token",
+            json={"email": "api@example.com", "password": "SecurePass1!"},
+        )
+        rt = login.json()["refresh_token"]
+
+        # Revoke
+        revoke_resp = await anon_client.request(
+            "DELETE",
+            "/api/users/auth/token",
+            json={"refresh_token": rt},
+        )
+        assert revoke_resp.status_code == 200
+
+        # Attempt refresh — should fail
+        refresh_resp = await anon_client.post(
+            "/api/users/auth/token/refresh",
+            json={"refresh_token": rt},
+        )
+        assert refresh_resp.status_code == 401

simple_module_users-0.0.18/tests/test_users_provider.py

@@ -0,0 +1,46 @@
+"""Tests for UsersAuthProvider."""
+
+from __future__ import annotations
+
+from auth.contracts.provider import AuthProvider
+from users.provider import UsersAuthProvider
+
+
+def test_users_provider_satisfies_protocol():
+    provider = UsersAuthProvider()
+    assert isinstance(provider, AuthProvider)
+
+
+def test_login_url():
+    provider = UsersAuthProvider()
+    assert provider.get_login_url(None) == "/users/login"
+
+
+def test_logout_url():
+    provider = UsersAuthProvider()
+    assert provider.get_logout_url(None) == "/users/logout"
+
+
+def test_public_paths():
+    provider = UsersAuthProvider()
+    prefixes, _exact = provider.get_public_paths()
+    assert "/users/login" in prefixes
+    assert "/api/users/auth/" in prefixes
+
+
+def test_is_bearer_request_true():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {"authorization": "Bearer abc123"}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is True
+
+
+def test_is_bearer_request_false():
+    from unittest.mock import MagicMock
+
+    request = MagicMock()
+    request.headers = {}
+    provider = UsersAuthProvider()
+    assert provider.is_bearer_request(request) is False

{simple_module_users-0.0.16 → simple_module_users-0.0.18}/users/auth_local/api.py

@@ -117,12 +117,22 @@ async def login(
 # ── Mount fastapi-users stock routers ────────────────────────────────────────
 
 # The stock auth router (login + logout) is mounted at /auth-inner so its
-# logout and other endpoints remain accessible. Our wrapper at /auth/login
-# shadows the stock login endpoint. Logout is exposed via /auth-inner/logout.
+# endpoints remain accessible. Our wrappers at /auth/login and /auth/logout
+# shadow the stock endpoints to also manage the session cookie.
 auth_inner = fastapi_users.get_auth_router(auth_backend, requires_verification=True)
 router.include_router(auth_inner, prefix="/auth-inner")
 
 
+@router.post("/auth/logout", status_code=204)
+async def api_logout(request: Request):
+    """API logout — clears both the access-token cookie and the session."""
+    request.session.clear()
+    cookie_name = request.app.state.users.settings.cookie_name
+    response = Response(status_code=204)
+    response.delete_cookie(cookie_name, path="/")
+    return response
+
+
 # ── Accept-invite (verify + set password + login, one shot) ─────────────────