simple-module-users 0.0.17__tar.gz → 0.0.19__tar.gz

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.17
+Version: 0.0.19
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.17
-Requires-Dist: simple-module-core==0.0.17
-Requires-Dist: simple-module-db==0.0.17
-Requires-Dist: simple-module-hosting==0.0.17
-Requires-Dist: simple-module-settings==0.0.17
+Requires-Dist: simple-module-auth==0.0.19
+Requires-Dist: simple-module-core==0.0.19
+Requires-Dist: simple-module-db==0.0.19
+Requires-Dist: simple-module-hosting==0.0.19
+Requires-Dist: simple-module-settings==0.0.19
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 
@@ -72,7 +72,7 @@ SM_USERS_BOOTSTRAP_PASSWORD=change-me
 Program:
 
 ```python
-from users.deps import CurrentUser    # type: ignore[import-not-found]
+from auth.deps import CurrentUser    # type: ignore[import-not-found]
 
 @router.get("/profile")
 async def profile(user: CurrentUser):
@@ -81,8 +81,39 @@ async def profile(user: CurrentUser):
 
 ## Depends on
 
-- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
-- `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
+- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_settings`, `simple_module_auth`
+- `fastapi-users[sqlalchemy,oauth]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
+
+## Social sign-in (Google, GitHub, Microsoft, OIDC)
+
+OAuth providers are configured in the admin UI at **/settings/modules → Users**
+(no environment variables). Each provider activates once its client id **and**
+secret are set; the secret is masked in the UI. Changes apply live — no restart.
+
+**Microsoft (Entra ID).** Register an app in the Entra admin center and set the
+redirect URI to `<base-url>/api/users/auth/microsoft/callback`. Configure under
+the **Microsoft OAuth** group:
+
+- `oauth_microsoft_client_id`, `oauth_microsoft_client_secret`
+- `oauth_microsoft_tenant` — `common` (any work/school or personal account,
+  the default), `organizations` (work/school only), or your tenant GUID to
+  restrict sign-in to one tenant.
+
+Each provider's callback URL is `<base-url>/api/users/auth/<provider>/callback`
+(`google`, `github`, `microsoft`, `oidc`).
+
+> **Note:** for Microsoft *guest/external* accounts the identity email comes
+> from the Graph `userPrincipalName`, which may not be a plain email
+> (e.g. `user_ext.com#EXT#@tenant.onmicrosoft.com`). For tenant members it is
+> the user's email.
+
+### Migrating from `SM_USERS_OAUTH_*` env vars
+
+Earlier versions read provider credentials from `SM_USERS_OAUTH_*` environment
+variables. These are no longer read at runtime. Migrate existing values into the
+settings store once with:
+
+    uv run smpy settings import-from-env
 
 ## License
 

simple_module_users-0.0.19/README.md

@@ -0,0 +1,86 @@
+# simple_module_users
+
+Email+password user management for [simple_module](https://github.com/antosubash/simple_module_python) apps. Replaces Keycloak/Auth0 for the common case: local accounts, admin invites, password reset, optional public signup. Built on `fastapi-users`.
+
+## Install
+
+```bash
+pip install simple_module_users
+```
+
+Pre-wired into any app scaffolded with `smpy new`.
+
+## What it provides
+
+- Email + password registration, login, logout, password reset.
+- Admin invite flow — admin enters an email, recipient clicks a link, sets a password, is logged in.
+- Public signup toggle (`SM_USERS_ALLOW_SIGNUP`, default `false`).
+- Bootstrap admin via env vars (`SM_USERS_BOOTSTRAP_EMAIL` + `SM_USERS_BOOTSTRAP_PASSWORD`) — idempotent, only creates if the users table is empty.
+- `smpy users create-admin` CLI for ad-hoc admin creation.
+- Inertia pages for login/register/invite-accept/admin-invite.
+- Console mailer (logs to stdout) or SMTP mailer (`SM_USERS_MAILER=smtp`).
+
+## Usage
+
+CLI:
+
+```bash
+uv run smpy users create-admin --email admin@example.com --password 'change-me'
+```
+
+Bootstrap-on-boot (`.env`):
+
+```
+SM_USERS_BOOTSTRAP_EMAIL=admin@example.com
+SM_USERS_BOOTSTRAP_PASSWORD=change-me
+```
+
+Program:
+
+```python
+from auth.deps import CurrentUser    # type: ignore[import-not-found]
+
+@router.get("/profile")
+async def profile(user: CurrentUser):
+    return {"email": user.email}
+```
+
+## Depends on
+
+- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_settings`, `simple_module_auth`
+- `fastapi-users[sqlalchemy,oauth]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
+
+## Social sign-in (Google, GitHub, Microsoft, OIDC)
+
+OAuth providers are configured in the admin UI at **/settings/modules → Users**
+(no environment variables). Each provider activates once its client id **and**
+secret are set; the secret is masked in the UI. Changes apply live — no restart.
+
+**Microsoft (Entra ID).** Register an app in the Entra admin center and set the
+redirect URI to `<base-url>/api/users/auth/microsoft/callback`. Configure under
+the **Microsoft OAuth** group:
+
+- `oauth_microsoft_client_id`, `oauth_microsoft_client_secret`
+- `oauth_microsoft_tenant` — `common` (any work/school or personal account,
+  the default), `organizations` (work/school only), or your tenant GUID to
+  restrict sign-in to one tenant.
+
+Each provider's callback URL is `<base-url>/api/users/auth/<provider>/callback`
+(`google`, `github`, `microsoft`, `oidc`).
+
+> **Note:** for Microsoft *guest/external* accounts the identity email comes
+> from the Graph `userPrincipalName`, which may not be a plain email
+> (e.g. `user_ext.com#EXT#@tenant.onmicrosoft.com`). For tenant members it is
+> the user's email.
+
+### Migrating from `SM_USERS_OAUTH_*` env vars
+
+Earlier versions read provider credentials from `SM_USERS_OAUTH_*` environment
+variables. These are no longer read at runtime. Migrate existing values into the
+settings store once with:
+
+    uv run smpy settings import-from-env
+
+## License
+
+MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.17"
+version = "0.0.19"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.17",
-    "simple_module_db==0.0.17",
-    "simple_module_hosting==0.0.17",
-    "simple_module_settings==0.0.17",
-    "simple_module_auth==0.0.17",
+    "simple_module_core==0.0.19",
+    "simple_module_db==0.0.19",
+    "simple_module_hosting==0.0.19",
+    "simple_module_settings==0.0.19",
+    "simple_module_auth==0.0.19",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/tests/test_oauth.py

@@ -1,16 +1,18 @@
-"""Unit + integration tests for the OAuth/OIDC plumbing.
+"""Unit tests for the OAuth/OIDC plumbing.
 
 Provider client construction and the /authorize+/callback ASGI flow are not
 covered here because both depend on real httpx-oauth clients that hit the
 network (token exchange, profile fetch). Those are best validated in a manual
 QA pass against a dev IdP. What this file *does* cover:
 
-- ``enabled_provider_names`` correctly reflects settings.
-- ``build_clients`` instantiates the Google + GitHub clients when configured.
+- ``build_clients`` / ``build_client_map`` instantiate clients when configured.
 - ``OAuthAccount`` persists and FK-cascades on user delete.
 - ``UserManager.oauth_callback`` (the find-or-create core fastapi-users helper
   the route delegates to) creates a fresh user + linked OAuthAccount, and
   associates by email when the user already exists.
+
+HTTP dispatcher and live-reload (``SettingsReloaded``) integration tests live
+in ``test_oauth_routes.py``.
 """
 
 from __future__ import annotations
@@ -21,7 +23,7 @@ import pytest
 from fastapi_users.password import PasswordHelper
 from sqlalchemy import select
 from users.models import OAuthAccount, User
-from users.oauth import build_clients, enabled_provider_names
+from users.oauth import build_client_map, build_clients
 from users.settings import UsersSettings
 
 _pw = PasswordHelper()
@@ -32,38 +34,64 @@ _pw = PasswordHelper()
 # ---------------------------------------------------------------------------
 
 
-def test_enabled_provider_names_empty_by_default():
-    assert enabled_provider_names(UsersSettings()) == []
+def test_microsoft_settings_defaults():
+    s = UsersSettings()
+    assert s.oauth_microsoft_client_id == ""
+    assert s.oauth_microsoft_client_secret == ""
+    assert s.oauth_microsoft_tenant == "common"
+
+
+def test_oauth_fields_carry_group_metadata_for_settings_ui():
+    fields = UsersSettings.model_fields
+    assert fields["oauth_google_client_id"].json_schema_extra == {"group": "Google OAuth"}
+    assert fields["oauth_github_client_id"].json_schema_extra == {"group": "GitHub OAuth"}
+    assert fields["oauth_oidc_discovery_url"].json_schema_extra == {"group": "OIDC"}
+    assert fields["oauth_microsoft_client_secret"].json_schema_extra == {"group": "Microsoft OAuth"}
+
+
+# ---------------------------------------------------------------------------
+# build_clients (no-network providers only)
+# ---------------------------------------------------------------------------
 
 
-def test_enabled_provider_names_lists_configured_providers():
+def test_build_clients_includes_microsoft():
     s = UsersSettings(
-        oauth_google_client_id="g-id",
-        oauth_google_client_secret="g-secret",
-        oauth_github_client_id="gh-id",
-        oauth_github_client_secret="gh-secret",
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
     )
-    names = [p["name"] for p in enabled_provider_names(s)]
-    assert names == ["google", "github"]
+    providers = build_clients(s)
+    assert [p.name for p in providers] == ["microsoft"]
+    assert providers[0].display_name == "Microsoft"
+    assert providers[0].client.client_id == "ms-id"
 
 
-def test_enabled_provider_names_skips_provider_missing_secret():
-    s = UsersSettings(oauth_google_client_id="g-id")  # no secret
-    assert enabled_provider_names(s) == []
+def test_build_clients_skips_microsoft_without_secret():
+    s = UsersSettings(oauth_microsoft_client_id="ms-id")  # no secret
+    assert [p.name for p in build_clients(s)] == []
 
 
-def test_enabled_provider_names_oidc_requires_discovery_url():
+@pytest.mark.anyio
+async def test_microsoft_authorize_url_carries_tenant():
     s = UsersSettings(
-        oauth_oidc_client_id="x",
-        oauth_oidc_client_secret="y",
-        # discovery_url unset → not registered
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
+        oauth_microsoft_tenant="my-tenant-guid",
     )
-    assert enabled_provider_names(s) == []
+    client = build_client_map(s)["microsoft"].client
+    url = await client.get_authorization_url("http://testserver/cb", "state123")
+    assert "my-tenant-guid" in url
 
 
-# ---------------------------------------------------------------------------
-# build_clients (no-network providers only)
-# ---------------------------------------------------------------------------
+def test_build_client_map_keys_by_name():
+    s = UsersSettings(
+        oauth_google_client_id="g-id",
+        oauth_google_client_secret="g-secret",
+        oauth_microsoft_client_id="ms-id",
+        oauth_microsoft_client_secret="ms-secret",
+    )
+    m = build_client_map(s)
+    assert set(m) == {"google", "microsoft"}
+    assert m["microsoft"].name == "microsoft"
 
 
 def test_build_clients_google_and_github():
@@ -187,3 +215,15 @@ async def test_oauth_callback_links_to_existing_email(users_app, users_db):
         assert names == ["github"]
     finally:
         await session.__aexit__(None, None, None)
+
+
+# ---------------------------------------------------------------------------
+# UsersState defaults
+# ---------------------------------------------------------------------------
+
+
+def test_users_state_defaults_empty_oauth_clients():
+    from users.state import UsersState
+
+    state = UsersState(settings=UsersSettings())
+    assert state.oauth_clients == {}

simple_module_users-0.0.19/tests/test_oauth_routes.py

@@ -0,0 +1,105 @@
+"""OAuth HTTP dispatcher + live-reload tests.
+
+Exercises the running app: the provider-agnostic ``/auth/{provider}/{login,callback}``
+dispatcher (resolution, 404, state CSRF) and the ``SettingsReloaded`` hot-reload of the
+provider cache. Provider construction and the account model are unit-tested in
+``test_oauth.py``.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+# ---------------------------------------------------------------------------
+# Provider-agnostic dispatcher (request-time client resolution)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_oauth_login_redirects_for_configured_provider(users_app, anon_client):
+    from httpx_oauth.clients.microsoft import MicrosoftGraphOAuth2
+    from users.oauth import OAuthProvider
+
+    users_app.state.users.oauth_clients["microsoft"] = OAuthProvider(
+        "microsoft", "Microsoft", MicrosoftGraphOAuth2("ms-id", "ms-secret")
+    )
+    resp = await anon_client.get("/api/users/auth/microsoft/login", follow_redirects=False)
+    assert resp.status_code == 302
+    assert "login.microsoftonline.com" in resp.headers["location"]
+
+
+@pytest.mark.anyio
+async def test_oauth_login_404_for_unknown_provider(anon_client):
+    resp = await anon_client.get("/api/users/auth/nope/login", follow_redirects=False)
+    assert resp.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_oauth_callback_rejects_bad_state(users_app, anon_client):
+    from httpx_oauth.clients.microsoft import MicrosoftGraphOAuth2
+    from users.oauth import OAuthProvider
+
+    users_app.state.users.oauth_clients["microsoft"] = OAuthProvider(
+        "microsoft", "Microsoft", MicrosoftGraphOAuth2("ms-id", "ms-secret")
+    )
+    resp = await anon_client.get(
+        "/api/users/auth/microsoft/callback?code=abc&state=bad", follow_redirects=False
+    )
+    assert resp.status_code == 400
+
+
+# ---------------------------------------------------------------------------
+# Live cache rebuild on SettingsReloaded
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_settings_reload_adds_provider_to_cache(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    assert users_app.state.users.oauth_clients == {}
+    assert users_app.state.users.oauth_providers == []
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "ms-id", "oauth_microsoft_client_secret": "ms-secret"}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+
+    assert "microsoft" in users_app.state.users.oauth_clients
+    buttons = users_app.state.users.oauth_providers
+    assert {"name": "microsoft", "display_name": "Microsoft"} in buttons
+
+
+@pytest.mark.anyio
+async def test_settings_reload_removes_cleared_provider(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "ms-id", "oauth_microsoft_client_secret": "ms-secret"}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+    assert "microsoft" in users_app.state.users.oauth_clients
+
+    users_app.state.users.settings = users_app.state.users.settings.model_copy(
+        update={"oauth_microsoft_client_id": "", "oauth_microsoft_client_secret": ""}
+    )
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="users", changed=("oauth_microsoft_client_id",))
+    )
+    assert "microsoft" not in users_app.state.users.oauth_clients
+
+
+@pytest.mark.anyio
+async def test_settings_reload_ignores_other_packages(users_app):
+    from settings.contracts.events import SettingsReloaded
+
+    sentinel = object()
+    users_app.state.users.oauth_clients["microsoft"] = sentinel
+    await users_app.state.sm.event_bus.publish(
+        SettingsReloaded(package="background_tasks", changed=("broker_url",))
+    )
+    assert users_app.state.users.oauth_clients["microsoft"] is sentinel

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/users/module.py

@@ -18,6 +18,7 @@ from users.constants import (
 
 if TYPE_CHECKING:
     from fastapi import FastAPI
+    from simple_module_core.events import EventBus
 
 _MODULE_DEPENDENCY_AUTH = "Auth"
 
@@ -61,6 +62,30 @@ class UsersModule(ModuleBase):
 
         app.state.auth.auth_provider = UsersAuthProvider()
 
+    def register_event_handlers(self, bus: EventBus, app: FastAPI | None = None) -> None:
+        """Rebuild the OAuth client cache when the users settings reload.
+
+        Routes mount at construction (before DB hydration), so the cache is the
+        single source of truth at request time. Rebuilding it here lets an admin
+        add/remove a provider via the settings UI without a restart.
+        """
+        if app is None:
+            return
+
+        import importlib
+
+        settings_reloaded = importlib.import_module("settings.contracts.events").SettingsReloaded
+        from users.oauth.providers import build_client_map, provider_buttons
+
+        async def _rebuild_oauth_clients(event: settings_reloaded) -> None:
+            if event.package != "users":
+                return
+            state = app.state.users
+            state.oauth_clients = build_client_map(state.settings)
+            state.oauth_providers = provider_buttons(state.oauth_clients)
+
+        bus.subscribe(settings_reloaded, _rebuild_oauth_clients)
+
     def register_permissions(self, registry: PermissionRegistry) -> None:
         registry.add_group(
             "Users",
@@ -111,14 +136,6 @@ class UsersModule(ModuleBase):
         from users.contracts.schemas import UserCreate, UserRead
         from users.deps import fastapi_users
         from users.oauth.api import register_oauth_routes
-        from users.settings import UsersSettings
-
-        # Consumed only by ``register_oauth_routes`` → ``build_clients`` at
-        # registration time, which reads class-attribute defaults captured by
-        # ``env_str()`` at import. Request-time readers of mutable fields
-        # (e.g. ``login_redirect_url``) must go through
-        # ``request.app.state.users.settings``, not this instance.
-        settings = UsersSettings()
 
         api_router.include_router(auth_local_api.router)
         api_router.include_router(token_router)
@@ -146,7 +163,7 @@ class UsersModule(ModuleBase):
                 Depends(auth_local_api.enforce_auth_throughput_limit),
             ],
         )
-        register_oauth_routes(api_router, settings)
+        register_oauth_routes(api_router)
 
         view_router.include_router(auth_views)
         view_router.include_router(admin_views)
@@ -160,7 +177,7 @@ class UsersModule(ModuleBase):
         from users.bootstrap import bootstrap_admin_from_env
         from users.deps import auth_backend
         from users.mailer import build_mailer
-        from users.oauth.providers import enabled_provider_names
+        from users.oauth.providers import build_client_map, provider_buttons
         from users.roles_cache import refresh_roles_cache
 
         state = app.state.users
@@ -175,7 +192,8 @@ class UsersModule(ModuleBase):
             max_attempts=s.auth_rate_limit_attempts,
             window_seconds=s.auth_rate_limit_window_seconds,
         )
-        state.oauth_providers = enabled_provider_names(s)
+        state.oauth_clients = build_client_map(s)
+        state.oauth_providers = provider_buttons(state.oauth_clients)
 
         # Auto-fall-back when the default ``/dashboard/`` target is
         # unreachable because the Dashboard module isn't installed (e.g.

simple_module_users-0.0.19/users/oauth/__init__.py

@@ -0,0 +1,5 @@
+"""OAuth feature — public surface re-exported for backward compatibility."""
+
+from users.oauth.providers import OAuthProvider, build_client_map, build_clients, provider_buttons
+
+__all__ = ["OAuthProvider", "build_client_map", "build_clients", "provider_buttons"]

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/users/oauth/api.py

@@ -1,21 +1,22 @@
-"""OAuth/OIDC login routes — one pair (``/login``, ``/callback``) per provider.
+"""OAuth/OIDC login routes — a single provider-agnostic dispatcher.
+
+One pair of routes (``/auth/{provider}/login`` + ``/auth/{provider}/callback``)
+serves every provider. The client is resolved per request from
+``app.state.users.oauth_clients`` — the cache built in ``UsersModule.on_startup``
+from hydrated DB settings and rebuilt on ``SettingsReloaded``. Routes mount
+unconditionally at construction (before settings hydrate), so providers
+configured through the settings UI work and take effect without a restart.
 
 Why a custom handler rather than ``fastapi_users.get_oauth_router``: the stock
-router's ``/callback`` returns a 204 No Content with the auth cookie set. That
-works for SPA flows that redirect on a successful AJAX response, but Inertia
-expects the user's browser to land on a real page. Here ``/callback`` returns
-a 303 redirect to ``settings.login_redirect_url`` instead, with the same
-cookie attached.
-
-Find-or-create + email-association logic still goes through
-``UserManager.oauth_callback`` — we don't reimplement it, only the transport
-around it. State CSRF uses Starlette's signed session cookie (already mounted
-by the framework) instead of fastapi-users' separate JWT-state cookie.
+``/callback`` returns 204; Inertia needs the browser to land on a real page, so
+``/callback`` returns a 303 redirect to ``login_redirect_url`` with the auth
+cookie attached. Find-or-create + email-association go through
+``UserManager.oauth_callback``. State CSRF uses Starlette's signed session
+cookie.
 """
 
 from __future__ import annotations
 
-import logging
 import secrets
 from typing import TYPE_CHECKING
 
@@ -24,40 +25,51 @@ from fastapi_users import exceptions as fu_exceptions
 from starlette.responses import RedirectResponse
 
 from users.deps import auth_backend, get_user_manager
-from users.oauth.providers import OAuthProvider, build_clients
 
 if TYPE_CHECKING:
     from users.manager import UserManager
-    from users.settings import UsersSettings
-
-logger = logging.getLogger(__name__)
+    from users.oauth.providers import OAuthProvider
 
 _SESSION_STATE_KEY_FMT = "oauth_state:{provider}"
+_CALLBACK_ROUTE_NAME = "users_oauth_callback"
+
+
+def _resolve_provider(request: Request, provider: str) -> OAuthProvider:
+    """Return the configured provider by name, or raise 404."""
+    found = request.app.state.users.oauth_clients.get(provider)
+    if found is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="OAUTH_PROVIDER_NOT_FOUND"
+        )
+    return found
 
 
-def _build_provider_router(provider: OAuthProvider) -> APIRouter:
-    """Mount /login + /callback for one provider."""
-    router = APIRouter()
-    state_key = _SESSION_STATE_KEY_FMT.format(provider=provider.name)
+def register_oauth_routes(api_router: APIRouter) -> None:
+    """Mount the provider-agnostic OAuth dispatcher under ``/auth``."""
+    router = APIRouter(prefix="/auth", tags=["users-auth"])
 
-    @router.get("/login")
-    async def begin(request: Request) -> RedirectResponse:
+    @router.get("/{provider}/login")
+    async def begin(request: Request, provider: str) -> RedirectResponse:
         """Generate a state nonce, stash it in the session, redirect to the IdP."""
+        provider_obj = _resolve_provider(request, provider)
         state = secrets.token_urlsafe(32)
-        request.session[state_key] = state
-        callback_url = str(request.url_for(f"oauth_{provider.name}_callback"))
-        authorization_url = await provider.client.get_authorization_url(callback_url, state)
+        request.session[_SESSION_STATE_KEY_FMT.format(provider=provider)] = state
+        callback_url = str(request.url_for(_CALLBACK_ROUTE_NAME, provider=provider))
+        authorization_url = await provider_obj.client.get_authorization_url(callback_url, state)
         return RedirectResponse(authorization_url, status_code=302)
 
-    @router.get("/callback", name=f"oauth_{provider.name}_callback")
+    @router.get("/{provider}/callback", name=_CALLBACK_ROUTE_NAME)
     async def callback(
         request: Request,
+        provider: str,
         code: str | None = None,
         state: str | None = None,
         user_manager: UserManager = Depends(get_user_manager),
         strategy=Depends(auth_backend.get_strategy),
     ) -> RedirectResponse:
         """Verify state, exchange code, find-or-create user, set cookie, redirect."""
+        provider_obj = _resolve_provider(request, provider)
+        state_key = _SESSION_STATE_KEY_FMT.format(provider=provider)
         expected_state = request.session.pop(state_key, None)
         if not state or not expected_state or not secrets.compare_digest(state, expected_state):
             raise HTTPException(
@@ -68,15 +80,15 @@ def _build_provider_router(provider: OAuthProvider) -> APIRouter:
                 status_code=status.HTTP_400_BAD_REQUEST, detail="OAUTH_MISSING_CODE"
             )
 
-        callback_url = str(request.url_for(f"oauth_{provider.name}_callback"))
-        token = await provider.client.get_access_token(code, callback_url)
-        account_id, account_email = await provider.client.get_id_email(token["access_token"])
+        callback_url = str(request.url_for(_CALLBACK_ROUTE_NAME, provider=provider))
+        token = await provider_obj.client.get_access_token(code, callback_url)
+        account_id, account_email = await provider_obj.client.get_id_email(token["access_token"])
         if account_email is None:
             raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="OAUTH_NO_EMAIL")
 
         try:
             user = await user_manager.oauth_callback(
-                provider.name,
+                provider,
                 token["access_token"],
                 account_id,
                 account_email,
@@ -87,9 +99,6 @@ def _build_provider_router(provider: OAuthProvider) -> APIRouter:
                 is_verified_by_default=True,
             )
         except fu_exceptions.UserAlreadyExists:
-            # Email exists but associate_by_email=False would forbid linking.
-            # We always pass True above, so this branch only fires if the
-            # provider returns ambiguous data.
             raise HTTPException(
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="OAUTH_USER_ALREADY_EXISTS",
@@ -100,14 +109,9 @@ def _build_provider_router(provider: OAuthProvider) -> APIRouter:
                 status_code=status.HTTP_400_BAD_REQUEST, detail="LOGIN_BAD_CREDENTIALS"
             )
 
-        # Set the auth cookie via the existing backend, then bridge the
-        # session in on_after_login (sets session["user_id"] for AuthMiddleware).
         login_response = await auth_backend.login(strategy, user)
         await user_manager.on_after_login(user, request, login_response)
 
-        # Read login_redirect_url lazily: ``UsersModule.on_startup`` may
-        # mutate it (e.g. dashboard-fallback) after this router is mounted,
-        # and admins can change it at runtime via the settings UI.
         redirect_url = request.app.state.users.settings.login_redirect_url
         redirect = RedirectResponse(redirect_url, status_code=303)
         for key, value in login_response.headers.items():
@@ -115,21 +119,4 @@ def _build_provider_router(provider: OAuthProvider) -> APIRouter:
                 redirect.raw_headers.append((b"set-cookie", value.encode("latin-1")))
         return redirect
 
-    return router
-
-
-def register_oauth_routes(api_router: APIRouter, settings: UsersSettings) -> None:
-    """Mount /auth/<provider>/{login,callback} for every configured provider."""
-    providers = build_clients(settings)
-    for provider in providers:
-        api_router.include_router(
-            _build_provider_router(provider),
-            prefix=f"/auth/{provider.name}",
-            tags=["users-auth"],
-        )
-    if providers:
-        logger.info(
-            "Registered %d OAuth provider(s): %s",
-            len(providers),
-            ", ".join(p.name for p in providers),
-        )
+    api_router.include_router(router)

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/users/oauth/providers.py

@@ -30,28 +30,6 @@ class OAuthProvider(NamedTuple):
     client: BaseOAuth2
 
 
-def enabled_provider_names(settings: UsersSettings) -> list[dict[str, str]]:
-    """Return ``[{"name": ..., "display_name": ...}]`` for configured providers.
-
-    Cheap settings-only check used by the login page to render social-login
-    buttons. Does not construct clients or hit the network — that would be
-    wasteful per page render and would fail-open if discovery is briefly
-    unreachable.
-    """
-    out: list[dict[str, str]] = []
-    if settings.oauth_google_client_id and settings.oauth_google_client_secret:
-        out.append({"name": "google", "display_name": "Google"})
-    if settings.oauth_github_client_id and settings.oauth_github_client_secret:
-        out.append({"name": "github", "display_name": "GitHub"})
-    if (
-        settings.oauth_oidc_client_id
-        and settings.oauth_oidc_client_secret
-        and settings.oauth_oidc_discovery_url
-    ):
-        out.append({"name": "oidc", "display_name": settings.oauth_oidc_display_name or "OIDC"})
-    return out
-
-
 def build_clients(settings: UsersSettings) -> list[OAuthProvider]:
     """Return one entry per provider that has both id and secret configured.
 
@@ -89,6 +67,22 @@ def build_clients(settings: UsersSettings) -> list[OAuthProvider]:
             )
         )
 
+    if settings.oauth_microsoft_client_id and settings.oauth_microsoft_client_secret:
+        from httpx_oauth.clients.microsoft import MicrosoftGraphOAuth2
+
+        out.append(
+            OAuthProvider(
+                "microsoft",
+                "Microsoft",
+                MicrosoftGraphOAuth2(
+                    settings.oauth_microsoft_client_id,
+                    settings.oauth_microsoft_client_secret,
+                    tenant=settings.oauth_microsoft_tenant or "common",
+                    name="microsoft",
+                ),
+            )
+        )
+
     if (
         settings.oauth_oidc_client_id
         and settings.oauth_oidc_client_secret
@@ -118,3 +112,13 @@ def build_clients(settings: UsersSettings) -> list[OAuthProvider]:
             )
 
     return out
+
+
+def build_client_map(settings: UsersSettings) -> dict[str, OAuthProvider]:
+    """Configured providers keyed by name for O(1) request-time lookup."""
+    return {p.name: p for p in build_clients(settings)}
+
+
+def provider_buttons(clients: dict[str, OAuthProvider]) -> list[dict[str, str]]:
+    """Login-button descriptors derived from a built client map."""
+    return [{"name": p.name, "display_name": p.display_name} for p in clients.values()]

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/users/settings.py

@@ -88,20 +88,33 @@ class UsersSettings(BaseSettings):
     bootstrap_user_email: str = ""
     bootstrap_user_password: str = ""
 
-    # OAuth / OIDC providers. Each provider is enabled by setting both client
-    # id and secret; missing credentials = provider not registered. Resolved
-    # at module-import time (env_str) because client secrets shouldn't ride
-    # in the DB-backed settings table that admins can read via the UI.
-    oauth_google_client_id: str = env_str("SM_USERS_OAUTH_GOOGLE_CLIENT_ID", "")
-    oauth_google_client_secret: str = env_str("SM_USERS_OAUTH_GOOGLE_CLIENT_SECRET", "")
-    oauth_github_client_id: str = env_str("SM_USERS_OAUTH_GITHUB_CLIENT_ID", "")
-    oauth_github_client_secret: str = env_str("SM_USERS_OAUTH_GITHUB_CLIENT_SECRET", "")
-    # Generic OIDC — works with any provider that exposes a discovery URL
-    # (Keycloak, Authentik, Auth0, Zitadel, Entra ID, ...).
-    oauth_oidc_client_id: str = env_str("SM_USERS_OAUTH_OIDC_CLIENT_ID", "")
-    oauth_oidc_client_secret: str = env_str("SM_USERS_OAUTH_OIDC_CLIENT_SECRET", "")
-    oauth_oidc_discovery_url: str = env_str("SM_USERS_OAUTH_OIDC_DISCOVERY_URL", "")
-    oauth_oidc_display_name: str = env_str("SM_USERS_OAUTH_OIDC_DISPLAY_NAME", "OIDC")
+    # OAuth / OIDC providers — configured via the admin settings UI
+    # (/settings/modules → Users). Credentials live in the DB-backed settings
+    # store and hydrate after boot; secret fields are masked in the UI (the
+    # same treatment the SMTP password gets). Provider changes apply live via
+    # the SettingsReloaded event — no restart (see users/module.py).
+    oauth_google_client_id: str = Field(default="", json_schema_extra={"group": "Google OAuth"})
+    oauth_google_client_secret: str = Field(default="", json_schema_extra={"group": "Google OAuth"})
+    oauth_github_client_id: str = Field(default="", json_schema_extra={"group": "GitHub OAuth"})
+    oauth_github_client_secret: str = Field(default="", json_schema_extra={"group": "GitHub OAuth"})
+    # Generic OIDC — any provider that exposes a discovery URL
+    # (Keycloak, Authentik, Auth0, Zitadel, ...).
+    oauth_oidc_client_id: str = Field(default="", json_schema_extra={"group": "OIDC"})
+    oauth_oidc_client_secret: str = Field(default="", json_schema_extra={"group": "OIDC"})
+    oauth_oidc_discovery_url: str = Field(default="", json_schema_extra={"group": "OIDC"})
+    oauth_oidc_display_name: str = Field(default="OIDC", json_schema_extra={"group": "OIDC"})
+    # Microsoft Entra ID / Microsoft accounts. tenant: "common" (any work/school
+    # or personal account), "organizations" (work/school only), or a tenant GUID
+    # to restrict sign-in to a single Entra tenant.
+    oauth_microsoft_client_id: str = Field(
+        default="", json_schema_extra={"group": "Microsoft OAuth"}
+    )
+    oauth_microsoft_client_secret: str = Field(
+        default="", json_schema_extra={"group": "Microsoft OAuth"}
+    )
+    oauth_microsoft_tenant: str = Field(
+        default="common", json_schema_extra={"group": "Microsoft OAuth"}
+    )
 
     @model_validator(mode="after")
     def _forbid_placeholder_token_secrets_in_production(self) -> UsersSettings:

{simple_module_users-0.0.17 → simple_module_users-0.0.19}/users/state.py

@@ -18,6 +18,7 @@ from typing import TYPE_CHECKING
 if TYPE_CHECKING:
     from users.auth_local.rate_limit import LoginRateLimiter, ThroughputLimiter
     from users.mailer import Mailer
+    from users.oauth.providers import OAuthProvider
     from users.roles_cache import RoleSummary
     from users.settings import UsersSettings
 
@@ -32,3 +33,4 @@ class UsersState:
     auth_throughput_limiter: ThroughputLimiter | None = None
     roles_cache: list[RoleSummary] = field(default_factory=list)
     oauth_providers: list[dict[str, str]] = field(default_factory=list)
+    oauth_clients: dict[str, OAuthProvider] = field(default_factory=dict)

simple_module_users-0.0.17/README.md

@@ -1,55 +0,0 @@
-# simple_module_users
-
-Email+password user management for [simple_module](https://github.com/antosubash/simple_module_python) apps. Replaces Keycloak/Auth0 for the common case: local accounts, admin invites, password reset, optional public signup. Built on `fastapi-users`.
-
-## Install
-
-```bash
-pip install simple_module_users
-```
-
-Pre-wired into any app scaffolded with `smpy new`.
-
-## What it provides
-
-- Email + password registration, login, logout, password reset.
-- Admin invite flow — admin enters an email, recipient clicks a link, sets a password, is logged in.
-- Public signup toggle (`SM_USERS_ALLOW_SIGNUP`, default `false`).
-- Bootstrap admin via env vars (`SM_USERS_BOOTSTRAP_EMAIL` + `SM_USERS_BOOTSTRAP_PASSWORD`) — idempotent, only creates if the users table is empty.
-- `smpy users create-admin` CLI for ad-hoc admin creation.
-- Inertia pages for login/register/invite-accept/admin-invite.
-- Console mailer (logs to stdout) or SMTP mailer (`SM_USERS_MAILER=smtp`).
-
-## Usage
-
-CLI:
-
-```bash
-uv run smpy users create-admin --email admin@example.com --password 'change-me'
-```
-
-Bootstrap-on-boot (`.env`):
-
-```
-SM_USERS_BOOTSTRAP_EMAIL=admin@example.com
-SM_USERS_BOOTSTRAP_PASSWORD=change-me
-```
-
-Program:
-
-```python
-from users.deps import CurrentUser    # type: ignore[import-not-found]
-
-@router.get("/profile")
-async def profile(user: CurrentUser):
-    return {"email": user.email}
-```
-
-## Depends on
-
-- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
-- `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
-
-## License
-
-MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

simple_module_users-0.0.17/users/oauth/__init__.py

@@ -1,5 +0,0 @@
-"""OAuth feature — public surface re-exported for backward compatibility."""
-
-from users.oauth.providers import OAuthProvider, build_clients, enabled_provider_names
-
-__all__ = ["OAuthProvider", "build_clients", "enabled_provider_names"]