simple-module-users 0.0.19__tar.gz → 0.0.20__tar.gz

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/.gitignore

@@ -61,3 +61,4 @@ Thumbs.db
 .playwright-mcp/*
 host/client_app/.playwright-cli/*
 .superpowers/
+.qa/

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_users
-Version: 0.0.19
+Version: 0.0.20
 Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -24,11 +24,11 @@ Requires-Python: >=3.12
 Requires-Dist: aiosmtplib>=3.0
 Requires-Dist: cachetools>=5.3
 Requires-Dist: fastapi-users[oauth,sqlalchemy]<16,>=15
-Requires-Dist: simple-module-auth==0.0.19
-Requires-Dist: simple-module-core==0.0.19
-Requires-Dist: simple-module-db==0.0.19
-Requires-Dist: simple-module-hosting==0.0.19
-Requires-Dist: simple-module-settings==0.0.19
+Requires-Dist: simple-module-auth==0.0.20
+Requires-Dist: simple-module-core==0.0.20
+Requires-Dist: simple-module-db==0.0.20
+Requires-Dist: simple-module-hosting==0.0.20
+Requires-Dist: simple-module-settings==0.0.20
 Requires-Dist: typer>=0.12
 Description-Content-Type: text/markdown
 

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_users"
-version = "0.0.19"
+version = "0.0.20"
 description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
 readme = "README.md"
 license = "MIT"
@@ -21,11 +21,11 @@ classifiers = [
     "Typing :: Typed",
 ]
 dependencies = [
-    "simple_module_core==0.0.19",
-    "simple_module_db==0.0.19",
-    "simple_module_hosting==0.0.19",
-    "simple_module_settings==0.0.19",
-    "simple_module_auth==0.0.19",
+    "simple_module_core==0.0.20",
+    "simple_module_db==0.0.20",
+    "simple_module_hosting==0.0.20",
+    "simple_module_settings==0.0.20",
+    "simple_module_auth==0.0.20",
     # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
     # fields after construction (see reconfigure_cookie_transport in backend.py).
     # Bumping the major version requires re-checking those field names.

simple_module_users-0.0.20/tests/test_api_admin_crud.py

@@ -0,0 +1,163 @@
+"""Admin REST CRUD tests: create / update / delete."""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+from sqlalchemy import select
+from test_api_admin import _make_user
+from users.models import User, UserRole
+
+# ---------------------------------------------------------------------------
+# Admin create
+# ---------------------------------------------------------------------------
+
+
+class TestAdminCreate:
+    @pytest.mark.anyio
+    async def test_create_returns_201(self, admin_client):
+        resp = await admin_client.post(
+            "/api/users/admin",
+            json={
+                "email": "newuser@example.com",
+                "password": "SecurePass1!",
+                "full_name": "New User",
+                "role_names": ["user"],
+            },
+        )
+        assert resp.status_code == 201
+        body = resp.json()
+        assert body["email"] == "newuser@example.com"
+        assert body["is_active"] is True
+        assert body["is_verified"] is True
+        assert body["roles"] == ["user"]
+
+    @pytest.mark.anyio
+    async def test_create_duplicate_returns_409(self, admin_client, users_db):
+        await _make_user(users_db, email="taken@example.com")
+        resp = await admin_client.post(
+            "/api/users/admin",
+            json={"email": "taken@example.com", "password": "SecurePass1!"},
+        )
+        assert resp.status_code == 409
+        assert "already exists" in resp.json()["detail"]
+
+    @pytest.mark.anyio
+    async def test_create_weak_password_returns_400(self, admin_client):
+        resp = await admin_client.post(
+            "/api/users/admin",
+            json={"email": "weakpw@example.com", "password": "short"},
+        )
+        assert resp.status_code == 400
+        assert "8 characters" in resp.json()["detail"]
+
+    @pytest.mark.anyio
+    async def test_create_without_auth_is_rejected(self, anon_client):
+        resp = await anon_client.post(
+            "/api/users/admin",
+            json={"email": "hacker@example.com", "password": "SecurePass1!"},
+            follow_redirects=False,
+        )
+        assert resp.status_code == 401
+        assert resp.json() == {"detail": "Not authenticated"}
+
+
+# ---------------------------------------------------------------------------
+# Admin update details
+# ---------------------------------------------------------------------------
+
+
+class TestAdminUpdate:
+    @pytest.mark.anyio
+    async def test_update_changes_email_and_name(self, admin_client, users_db):
+        user = await _make_user(users_db, email="before@example.com")
+        resp = await admin_client.patch(
+            f"/api/users/admin/{user.id}",
+            json={"email": "after@example.com", "full_name": "After Name"},
+        )
+        assert resp.status_code == 200
+        body = resp.json()
+        assert body["email"] == "after@example.com"
+        assert body["full_name"] == "After Name"
+
+    @pytest.mark.anyio
+    async def test_update_duplicate_email_returns_409(self, admin_client, users_db):
+        await _make_user(users_db, email="exists@example.com")
+        target = await _make_user(users_db, email="target@example.com")
+        resp = await admin_client.patch(
+            f"/api/users/admin/{target.id}",
+            json={"email": "exists@example.com"},
+        )
+        assert resp.status_code == 409
+
+    @pytest.mark.anyio
+    async def test_update_nonexistent_returns_404(self, admin_client):
+        resp = await admin_client.patch(
+            f"/api/users/admin/{uuid.uuid4()}",
+            json={"email": "ghost@example.com"},
+        )
+        assert resp.status_code == 404
+
+    @pytest.mark.anyio
+    async def test_update_without_auth_is_rejected(self, anon_client):
+        resp = await anon_client.patch(
+            f"/api/users/admin/{uuid.uuid4()}",
+            json={"email": "x@example.com"},
+            follow_redirects=False,
+        )
+        assert resp.status_code == 401
+
+
+# ---------------------------------------------------------------------------
+# Admin delete
+# ---------------------------------------------------------------------------
+
+
+class TestAdminDelete:
+    @pytest.mark.anyio
+    async def test_delete_returns_204(self, admin_client, users_db):
+        user = await _make_user(users_db, email="deleteme@example.com")
+        resp = await admin_client.delete(f"/api/users/admin/{user.id}")
+        assert resp.status_code == 204
+
+    @pytest.mark.anyio
+    async def test_delete_user_with_role_returns_204(self, admin_client, users_db):
+        """Regression: deleting a user that HAS a role must not 500.
+
+        The delete runs in the request session, which eager-loads the user's
+        ``roles`` relationship. Bulk-deleting the ``users_user_role`` rows the
+        ORM is tracking raised ``StaleDataError`` on flush. The roleless
+        ``test_delete_returns_204`` never exercised this path."""
+        user = await _make_user(users_db, email="hasrole@example.com", role_names=["admin"])
+        resp = await admin_client.delete(f"/api/users/admin/{user.id}")
+        assert resp.status_code == 204
+        # The role association row is gone too (no orphan).
+        rows = (
+            (await users_db.execute(select(UserRole).where(UserRole.user_id == user.id)))
+            .scalars()
+            .all()
+        )
+        assert rows == []
+
+    @pytest.mark.anyio
+    async def test_delete_nonexistent_returns_404(self, admin_client):
+        resp = await admin_client.delete(f"/api/users/admin/{uuid.uuid4()}")
+        assert resp.status_code == 404
+
+    @pytest.mark.anyio
+    async def test_delete_self_returns_400(self, admin_client, users_app):
+        async with users_app.state.sm.db.session_factory() as session:
+            admin = (
+                await session.execute(select(User).where(User.email == "admin@example.com"))
+            ).scalar_one()
+        resp = await admin_client.delete(f"/api/users/admin/{admin.id}")
+        assert resp.status_code == 400
+
+    @pytest.mark.anyio
+    async def test_delete_without_auth_is_rejected(self, anon_client):
+        resp = await anon_client.delete(
+            f"/api/users/admin/{uuid.uuid4()}",
+            follow_redirects=False,
+        )
+        assert resp.status_code == 401

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/tests/test_negative_authz.py

@@ -27,6 +27,13 @@ _PROTECTED_ENDPOINTS: tuple[tuple[str, str, dict | None], ...] = (
     ("PUT", f"/api/users/admin/{_FAKE_ID}/roles", {"role_names": []}),
     ("PATCH", f"/api/users/admin/{_FAKE_ID}/verify", None),
     ("POST", f"/api/users/admin/{_FAKE_ID}/reset-password-link", None),
+    (
+        "POST",
+        "/api/users/admin",
+        {"email": "x@y.test", "password": "SecurePass1!", "role_names": []},
+    ),
+    ("PATCH", f"/api/users/admin/{_FAKE_ID}", {"email": "x@y.test"}),
+    ("DELETE", f"/api/users/admin/{_FAKE_ID}", None),
     # permissions — root GET lists registered groups (PERM_VIEW)
     ("GET", "/api/permissions/", None),
     ("GET", f"/api/permissions/roles/{_FAKE_ID}", None),

simple_module_users-0.0.20/tests/test_service_admin_crud.py

@@ -0,0 +1,172 @@
+"""UserService write-op tests: create / update / delete."""
+
+from __future__ import annotations
+
+import uuid
+
+import pytest
+from test_service_admin import _build_service
+
+# ---------------------------------------------------------------------------
+# create_user
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_create_user_active_verified_with_roles(users_app):
+    """create_user makes an active+verified user and assigns roles."""
+    async with users_app.state.sm.db.session_factory() as session:
+        svc = _build_service(session, users_app)
+        user = await svc.create_user(
+            email="created@example.com",
+            password="SecurePass1!",
+            full_name="Created User",
+            role_names=["user"],
+            created_by="admin-id",
+        )
+        assert user.is_active is True
+        assert user.is_verified is True
+        assert user.email == "created@example.com"
+        assert user.full_name == "Created User"
+        assert [r.name for r in user.roles] == ["user"]
+
+
+@pytest.mark.anyio
+async def test_create_user_weak_password_rejected(users_app):
+    from fastapi_users import exceptions as fa_exc
+
+    async with users_app.state.sm.db.session_factory() as session:
+        svc = _build_service(session, users_app)
+        with pytest.raises(fa_exc.InvalidPasswordException):
+            await svc.create_user(
+                email="weak@example.com",
+                password="short",
+                full_name=None,
+                role_names=[],
+                created_by=None,
+            )
+
+
+@pytest.mark.anyio
+async def test_create_user_duplicate_email_rejected(users_app):
+    from fastapi_users import exceptions as fa_exc
+
+    async with users_app.state.sm.db.session_factory() as session:
+        svc = _build_service(session, users_app)
+        await svc.create_user(
+            email="dup@example.com",
+            password="SecurePass1!",
+            full_name=None,
+            role_names=[],
+            created_by=None,
+        )
+        await session.flush()
+        with pytest.raises(fa_exc.UserAlreadyExists):
+            await svc.create_user(
+                email="dup@example.com",
+                password="SecurePass1!",
+                full_name=None,
+                role_names=[],
+                created_by=None,
+            )
+
+
+# ---------------------------------------------------------------------------
+# update_details
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_update_details_changes_email_and_name(users_app):
+    from test_api_admin import _make_user
+
+    async with users_app.state.sm.db.session_factory() as session:
+        user = await _make_user(session, email="old@example.com")
+        svc = _build_service(session, users_app)
+        updated = await svc.update_details(user.id, email="new@example.com", full_name="New Name")
+        assert updated.email == "new@example.com"
+        assert updated.full_name == "New Name"
+
+
+@pytest.mark.anyio
+async def test_update_details_duplicate_email_rejected(users_app):
+    from test_api_admin import _make_user
+    from users.exceptions import EmailAlreadyExistsError
+
+    async with users_app.state.sm.db.session_factory() as session:
+        await _make_user(session, email="a@example.com")
+        target = await _make_user(session, email="b@example.com")
+        svc = _build_service(session, users_app)
+        with pytest.raises(EmailAlreadyExistsError):
+            await svc.update_details(target.id, email="a@example.com", full_name=None)
+
+
+@pytest.mark.anyio
+async def test_update_details_same_email_is_allowed(users_app):
+    from test_api_admin import _make_user
+
+    async with users_app.state.sm.db.session_factory() as session:
+        user = await _make_user(session, email="keep@example.com")
+        svc = _build_service(session, users_app)
+        updated = await svc.update_details(user.id, email="keep@example.com", full_name="Renamed")
+        assert updated.email == "keep@example.com"
+        assert updated.full_name == "Renamed"
+
+
+# ---------------------------------------------------------------------------
+# delete_user
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.anyio
+async def test_delete_user_removes_user_and_all_child_rows(users_app):
+    from datetime import UTC, datetime, timedelta
+
+    from sqlalchemy import select
+    from test_api_admin import _make_user
+    from users.models import (
+        OAuthAccount,
+        RefreshToken,
+        User,
+        UserAccessToken,
+        UserRole,
+    )
+
+    async with users_app.state.sm.db.session_factory() as session:
+        user = await _make_user(session, email="todelete@example.com", role_names=["admin"])
+        session.add(UserAccessToken(token=f"tok-{user.id.hex}", user_id=user.id))
+        session.add(
+            OAuthAccount(
+                user_id=user.id,
+                oauth_name="google",
+                access_token="x",
+                account_id="acct-1",
+                account_email="todelete@example.com",
+            )
+        )
+        session.add(RefreshToken(user_id=user.id, expires_at=datetime.now(UTC) + timedelta(days=1)))
+        await session.flush()
+
+        svc = _build_service(session, users_app)
+        await svc.delete_user(user.id)
+
+        assert (
+            await session.execute(select(User).where(User.id == user.id))
+        ).scalar_one_or_none() is None
+        for model in (UserRole, UserAccessToken, OAuthAccount, RefreshToken):
+            rows = (
+                (await session.execute(select(model).where(model.user_id == user.id)))
+                .scalars()
+                .all()
+            )
+            assert rows == [], f"{model.__name__} rows not cleaned up"
+
+
+@pytest.mark.anyio
+async def test_delete_user_nonexistent_raises(users_app):
+    from users.exceptions import UserNotFoundError
+
+    async with users_app.state.sm.db.session_factory() as session:
+        svc = _build_service(session, users_app)
+        with pytest.raises(UserNotFoundError):
+            await svc.delete_user(uuid.uuid4())

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/tests/test_views_admin.py

@@ -126,3 +126,26 @@ class TestHasPermissionsModuleFlag:
         assert resp.status_code == 200
         props = resp.json()["props"]
         assert props["has_permissions_module"] is False
+
+
+# ---------------------------------------------------------------------------
+# Admin create page
+# ---------------------------------------------------------------------------
+
+
+class TestAdminCreatePage:
+    @pytest.mark.anyio
+    async def test_create_page_renders_with_roles(self, admin_client):
+        resp = await admin_client.get(
+            "/users/admin/create",
+            headers={"X-Inertia": "true", "Accept": "application/json"},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["component"] == "Users/Users/Create"
+        assert "roles" in data["props"]
+
+    @pytest.mark.anyio
+    async def test_create_page_requires_auth(self, anon_client):
+        resp = await anon_client.get("/users/admin/create", follow_redirects=False)
+        assert resp.status_code == 302

{simple_module_users-0.0.19 → simple_module_users-0.0.20}/users/admin/api.py

@@ -4,22 +4,31 @@ from __future__ import annotations
 
 import uuid
 
-from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from fastapi import status as http_status
+from fastapi_users import exceptions as fa_exceptions
 from simple_module_core.events import EventBus
 from simple_module_hosting.permissions import RequiresPermission
 
 from users.admin.service import UserService
 from users.constants import PERM_USERS_MANAGE, sanitize_list_filters
-from users.contracts.events import RoleAssigned, UserDisabled, UserInvited
+from users.contracts.events import (
+    RoleAssigned,
+    UserCreated,
+    UserDeleted,
+    UserDisabled,
+    UserInvited,
+)
 from users.contracts.schemas import (
     PasswordResetLink,
     RoleAssignment,
+    UserAdminCreate,
+    UserDetailsUpdate,
     UserInvite,
     UserListItem,
 )
 from users.deps import get_event_bus, get_mailer, get_user_service
-from users.exceptions import UserNotFoundError
+from users.exceptions import EmailAlreadyExistsError, UserNotFoundError
 
 admin_router = APIRouter(
     prefix="/admin",
@@ -84,6 +93,80 @@ async def admin_invite_user(
     return service.to_list_item(user)
 
 
+@admin_router.post(
+    "",
+    response_model=UserListItem,
+    status_code=http_status.HTTP_201_CREATED,
+)
+async def admin_create_user(
+    data: UserAdminCreate,
+    request: Request,
+    bus: EventBus = Depends(get_event_bus),
+    service: UserService = Depends(get_user_service),
+):
+    """Create an active+verified user with an admin-set password."""
+    creator = getattr(request.state, "user", None)
+    created_by = str(creator.id) if creator else None
+    try:
+        user = await service.create_user(
+            data.email,
+            data.password,
+            data.full_name,
+            data.role_names,
+            created_by=created_by,
+        )
+    except fa_exceptions.UserAlreadyExists:
+        raise HTTPException(
+            status_code=409,
+            detail="A user with this email already exists.",
+        ) from None
+    except fa_exceptions.InvalidPasswordException as exc:
+        raise HTTPException(status_code=400, detail=exc.reason) from None
+    await bus.publish(UserCreated(user_id=user.id, email=user.email, created_by=created_by))
+    return service.to_list_item(user)
+
+
+@admin_router.patch("/{user_id}", response_model=UserListItem)
+async def admin_update_user(
+    user_id: uuid.UUID,
+    data: UserDetailsUpdate,
+    service: UserService = Depends(get_user_service),
+):
+    """Update a user's email and full name."""
+    try:
+        user = await service.update_details(user_id, data.email, data.full_name)
+    except UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found") from None
+    except EmailAlreadyExistsError:
+        raise HTTPException(
+            status_code=409,
+            detail="A user with this email already exists.",
+        ) from None
+    return service.to_list_item(user)
+
+
+@admin_router.delete("/{user_id}", status_code=http_status.HTTP_204_NO_CONTENT)
+async def admin_delete_user(
+    user_id: uuid.UUID,
+    request: Request,
+    bus: EventBus = Depends(get_event_bus),
+    service: UserService = Depends(get_user_service),
+):
+    """Hard-delete a user. An admin cannot delete their own account."""
+    actor = getattr(request.state, "user", None)
+    if actor is not None and str(user_id) == actor.id:
+        raise HTTPException(
+            status_code=400,
+            detail="You cannot delete your own account.",
+        )
+    try:
+        await service.delete_user(user_id)
+    except UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found") from None
+    await bus.publish(UserDeleted(user_id=user_id))
+    return Response(status_code=http_status.HTTP_204_NO_CONTENT)
+
+
 @admin_router.patch("/{user_id}/disable", response_model=UserListItem)
 async def admin_disable_user(
     user_id: uuid.UUID,