simple-module-users 0.0.1__py3-none-any.whl

users/pages/Users/Index.tsx

@@ -0,0 +1,296 @@
+import { Link, router, usePage } from '@inertiajs/react';
+import { PageShell } from '@simple-module-py/ui/components/PageShell';
+import { Badge } from '@simple-module-py/ui/components/ui/badge';
+import { Button } from '@simple-module-py/ui/components/ui/button';
+import { Card } from '@simple-module-py/ui/components/ui/card';
+import { Input } from '@simple-module-py/ui/components/ui/input';
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from '@simple-module-py/ui/components/ui/table';
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@simple-module-py/ui/components/ui/tabs';
+import { AuthenticatedLayout } from '@simple-module-py/ui/layouts/AuthenticatedLayout';
+import { ArrowDown, ArrowUp, Pencil, Plus, Search, ShieldCheck, Users } from 'lucide-react';
+import { useCallback, useEffect, useMemo, useState } from 'react';
+import { type Filters, IndexFilters } from '../../components/IndexFilters';
+import { type RoleItem, RolesTab } from '../../components/RolesTab';
+
+interface UserListItem {
+  id: string;
+  email: string;
+  full_name: string | null;
+  is_active: boolean;
+  is_verified: boolean;
+  last_login_at: string | null;
+  created_at: string | null;
+  roles: string[];
+}
+
+interface Pagination {
+  page: number;
+  per_page: number;
+  total: number;
+}
+
+interface Props {
+  users: UserListItem[];
+  pagination: Pagination;
+  query: string;
+  roles: RoleItem[];
+  filters: Filters;
+}
+
+const DEFAULT_FILTERS: Filters = {
+  status: 'all',
+  role: '',
+  verified: 'all',
+  sort: 'email',
+  order: 'asc',
+};
+
+function SortIcon({ col, filters }: { col: Filters['sort']; filters: Filters }) {
+  if (filters.sort !== col) return null;
+  return filters.order === 'asc' ? (
+    <ArrowUp className="inline-block ml-1 size-3" />
+  ) : (
+    <ArrowDown className="inline-block ml-1 size-3" />
+  );
+}
+
+function Index() {
+  const {
+    users,
+    pagination,
+    query: initialQuery,
+    roles,
+    filters: serverFilters,
+  } = usePage<{ props: Props }>().props as unknown as Props;
+
+  const filters: Filters = useMemo(
+    () => ({ ...DEFAULT_FILTERS, ...serverFilters }),
+    [serverFilters],
+  );
+  const [search, setSearch] = useState(initialQuery ?? '');
+
+  const navigate = useCallback(
+    (next: Partial<{ page: number; q: string } & Filters>) => {
+      const params: Record<string, string> = {};
+      const q = next.q ?? search;
+      const status = next.status ?? filters.status;
+      const role = next.role ?? filters.role;
+      const verified = next.verified ?? filters.verified;
+      const sort = next.sort ?? filters.sort;
+      const order = next.order ?? filters.order;
+      const page = next.page ?? 1;
+      if (q) params.q = q;
+      if (status !== 'all') params.status = status;
+      if (role) params.role = role;
+      if (verified !== 'all') params.verified = verified;
+      if (sort !== 'email') params.sort = sort;
+      if (order !== 'asc') params.order = order;
+      if (page > 1) params.page = String(page);
+      router.get('/users/admin', params, { preserveState: true, preserveScroll: true });
+    },
+    [search, filters],
+  );
+
+  const toggleSort = (col: Filters['sort']) => {
+    if (filters.sort === col) {
+      navigate({ order: filters.order === 'asc' ? 'desc' : 'asc' });
+    } else {
+      navigate({ sort: col, order: 'asc' });
+    }
+  };
+
+  useEffect(() => {
+    if (search === (initialQuery ?? '')) return;
+    const timeout = setTimeout(() => navigate({ q: search }), 300);
+    return () => clearTimeout(timeout);
+  }, [search, initialQuery, navigate]);
+
+  const totalPages = Math.ceil(pagination.total / pagination.per_page);
+
+  return (
+    <PageShell title="Users & Roles" description="Manage user accounts, roles, and permissions.">
+      <Tabs defaultValue="users" className="space-y-4">
+        <TabsList>
+          <TabsTrigger value="users">
+            <Users className="size-4" />
+            Users
+            <Badge variant="secondary" className="ml-1">
+              {pagination.total}
+            </Badge>
+          </TabsTrigger>
+          <TabsTrigger value="roles">
+            <ShieldCheck className="size-4" />
+            Roles
+            <Badge variant="secondary" className="ml-1">
+              {roles.length}
+            </Badge>
+          </TabsTrigger>
+        </TabsList>
+
+        <TabsContent value="users">
+          <div className="mb-4 flex flex-wrap items-center justify-between gap-4">
+            <div className="relative max-w-sm flex-1">
+              <Search className="absolute left-3 top-1/2 -translate-y-1/2 size-4 text-muted-foreground" />
+              <Input
+                placeholder="Search by email or name…"
+                value={search}
+                onChange={(e) => setSearch(e.target.value)}
+                className="pl-9"
+              />
+            </div>
+            <IndexFilters
+              filters={filters}
+              roles={roles.map((r) => r.name)}
+              onChange={(next) => navigate(next)}
+            />
+            <Button asChild>
+              <Link href="/users/admin/invite">
+                <Plus />
+                Invite user
+              </Link>
+            </Button>
+          </div>
+
+          <Card>
+            <Table>
+              <TableHeader>
+                <TableRow>
+                  <TableHead>
+                    <button
+                      type="button"
+                      className="flex items-center gap-0.5 hover:text-foreground"
+                      onClick={() => toggleSort('email')}
+                    >
+                      Email
+                      <SortIcon col="email" filters={filters} />
+                    </button>
+                  </TableHead>
+                  <TableHead className="hidden md:table-cell">Name</TableHead>
+                  <TableHead className="hidden sm:table-cell">Roles</TableHead>
+                  <TableHead className="hidden sm:table-cell">Status</TableHead>
+                  <TableHead className="hidden lg:table-cell">
+                    <button
+                      type="button"
+                      className="flex items-center gap-0.5 hover:text-foreground"
+                      onClick={() => toggleSort('last_login_at')}
+                    >
+                      Last login
+                      <SortIcon col="last_login_at" filters={filters} />
+                    </button>
+                  </TableHead>
+                  <TableHead className="hidden lg:table-cell">
+                    <button
+                      type="button"
+                      className="flex items-center gap-0.5 hover:text-foreground"
+                      onClick={() => toggleSort('created_at')}
+                    >
+                      Created
+                      <SortIcon col="created_at" filters={filters} />
+                    </button>
+                  </TableHead>
+                  <TableHead className="text-right">Actions</TableHead>
+                </TableRow>
+              </TableHeader>
+              <TableBody>
+                {users.map((user) => (
+                  <TableRow key={user.id}>
+                    <TableCell>
+                      <div>
+                        <span className="font-medium">{user.email}</span>
+                        {!user.is_verified && (
+                          <Badge variant="outline" className="ml-2 text-xs">
+                            unverified
+                          </Badge>
+                        )}
+                      </div>
+                    </TableCell>
+                    <TableCell className="hidden md:table-cell text-muted-foreground text-sm">
+                      {user.full_name || '—'}
+                    </TableCell>
+                    <TableCell className="hidden sm:table-cell">
+                      <div className="flex flex-wrap gap-1">
+                        {user.roles.length > 0 ? (
+                          user.roles.map((r) => (
+                            <Badge key={r} variant="secondary">
+                              {r}
+                            </Badge>
+                          ))
+                        ) : (
+                          <span className="text-muted-foreground text-sm">—</span>
+                        )}
+                      </div>
+                    </TableCell>
+                    <TableCell className="hidden sm:table-cell">
+                      <Badge variant={user.is_active ? 'secondary' : 'destructive'}>
+                        {user.is_active ? 'Active' : 'Disabled'}
+                      </Badge>
+                    </TableCell>
+                    <TableCell className="hidden lg:table-cell text-sm text-muted-foreground">
+                      {user.last_login_at ? new Date(user.last_login_at).toLocaleDateString() : '—'}
+                    </TableCell>
+                    <TableCell className="hidden lg:table-cell text-sm text-muted-foreground">
+                      {user.created_at ? new Date(user.created_at).toLocaleDateString() : '—'}
+                    </TableCell>
+                    <TableCell className="text-right">
+                      <Button asChild variant="ghost" size="icon-sm">
+                        <Link href={`/users/admin/${user.id}`}>
+                          <Pencil />
+                        </Link>
+                      </Button>
+                    </TableCell>
+                  </TableRow>
+                ))}
+                {users.length === 0 && (
+                  <TableRow>
+                    <TableCell colSpan={7} className="h-32 text-center">
+                      <div className="flex flex-col items-center gap-2 text-muted-foreground">
+                        <Users className="size-8" />
+                        <p>{search ? `No users match "${search}"` : 'No users yet'}</p>
+                      </div>
+                    </TableCell>
+                  </TableRow>
+                )}
+              </TableBody>
+            </Table>
+          </Card>
+
+          {totalPages > 1 && (
+            <div className="mt-4 flex items-center justify-center gap-2">
+              <Button
+                variant="outline"
+                size="sm"
+                disabled={pagination.page <= 1}
+                onClick={() => navigate({ page: pagination.page - 1 })}
+              >
+                Previous
+              </Button>
+              <span className="text-sm text-muted-foreground">
+                Page {pagination.page} of {totalPages}
+              </span>
+              <Button
+                variant="outline"
+                size="sm"
+                disabled={pagination.page >= totalPages}
+                onClick={() => navigate({ page: pagination.page + 1 })}
+              >
+                Next
+              </Button>
+            </div>
+          )}
+        </TabsContent>
+
+        <RolesTab roles={roles} />
+      </Tabs>
+    </PageShell>
+  );
+}
+
+Index.layout = (page: React.ReactNode) => <AuthenticatedLayout>{page}</AuthenticatedLayout>;
+export default Index;

users/pages/Users/Invite.tsx

@@ -0,0 +1,135 @@
+import { Link, router, usePage } from '@inertiajs/react';
+import { PageShell } from '@simple-module-py/ui/components/PageShell';
+import { Button } from '@simple-module-py/ui/components/ui/button';
+import { Card, CardContent } from '@simple-module-py/ui/components/ui/card';
+import { Checkbox } from '@simple-module-py/ui/components/ui/checkbox';
+import { Input } from '@simple-module-py/ui/components/ui/input';
+import { Label } from '@simple-module-py/ui/components/ui/label';
+import { AuthenticatedLayout } from '@simple-module-py/ui/layouts/AuthenticatedLayout';
+import { useState } from 'react';
+import { toast } from 'sonner';
+
+interface Role {
+  id: string;
+  name: string;
+}
+
+interface Props {
+  roles: Role[];
+}
+
+function Invite() {
+  const { roles } = usePage<{ props: Props }>().props as unknown as Props;
+
+  const [email, setEmail] = useState('');
+  const [fullName, setFullName] = useState('');
+  const [selectedRoles, setSelectedRoles] = useState<string[]>([]);
+  const [error, setError] = useState<string | null>(null);
+  const [loading, setLoading] = useState(false);
+
+  const toggleRole = (roleName: string) => {
+    setSelectedRoles((prev) =>
+      prev.includes(roleName) ? prev.filter((r) => r !== roleName) : [...prev, roleName],
+    );
+  };
+
+  const handleSubmit = (e: React.FormEvent) => {
+    e.preventDefault();
+    setError(null);
+    setLoading(true);
+    fetch('/api/users/admin/invite', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, full_name: fullName || null, role_names: selectedRoles }),
+    })
+      .then(async (res) => {
+        if (res.ok) {
+          toast.success('Invite sent');
+          router.visit('/users/admin');
+        } else {
+          const data = await res.json().catch(() => ({}));
+          setError(typeof data?.detail === 'string' ? data.detail : 'Failed to send invite');
+        }
+      })
+      .catch(() => setError('An error occurred. Please try again.'))
+      .finally(() => setLoading(false));
+  };
+
+  return (
+    <PageShell
+      title="Invite user"
+      description="Send an invitation email to a new user"
+      actions={
+        <Button asChild variant="outline">
+          <Link href="/users/admin">Back to Users</Link>
+        </Button>
+      }
+    >
+      <Card className="max-w-xl">
+        <CardContent className="pt-6">
+          <form onSubmit={handleSubmit} className="space-y-5">
+            <div className="space-y-2">
+              <Label htmlFor="email">
+                Email <span className="text-destructive">*</span>
+              </Label>
+              <Input
+                id="email"
+                type="email"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                placeholder="user@example.com"
+                required
+                autoComplete="off"
+              />
+            </div>
+
+            <div className="space-y-2">
+              <Label htmlFor="full_name">Full name</Label>
+              <Input
+                id="full_name"
+                type="text"
+                value={fullName}
+                onChange={(e) => setFullName(e.target.value)}
+                placeholder="Optional"
+              />
+            </div>
+
+            {roles.length > 0 && (
+              <div className="space-y-2">
+                <Label>Roles</Label>
+                <div className="flex flex-col gap-2">
+                  {roles.map((role) => (
+                    <div key={role.id} className="flex items-center gap-2">
+                      <Checkbox
+                        id={`role-${role.id}`}
+                        checked={selectedRoles.includes(role.name)}
+                        onCheckedChange={() => toggleRole(role.name)}
+                      />
+                      <Label htmlFor={`role-${role.id}`} className="cursor-pointer font-normal">
+                        {role.name}
+                      </Label>
+                    </div>
+                  ))}
+                </div>
+              </div>
+            )}
+
+            {error && <p className="text-sm text-destructive">{error}</p>}
+
+            <div className="pt-2 flex gap-3">
+              <Button type="submit" disabled={loading}>
+                {loading ? 'Sending…' : 'Send invite'}
+              </Button>
+              <Button asChild variant="outline">
+                <Link href="/users/admin">Cancel</Link>
+              </Button>
+            </div>
+          </form>
+        </CardContent>
+      </Card>
+    </PageShell>
+  );
+}
+
+Invite.layout = (page: React.ReactNode) => <AuthenticatedLayout>{page}</AuthenticatedLayout>;
+export default Invite;

users/pages/VerifyEmail.tsx

@@ -0,0 +1,110 @@
+import { usePage } from '@inertiajs/react';
+import { Button } from '@simple-module-py/ui/components/ui/button';
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from '@simple-module-py/ui/components/ui/card';
+import { AuthCardShell } from '@simple-module-py/ui/layouts/AuthCardShell';
+import { useEffect, useState } from 'react';
+
+interface Props {
+  token: string;
+}
+
+type VerifyStatus = 'pending' | 'success' | 'already_verified' | 'error';
+
+function VerifyEmail() {
+  const { token: initialToken } = usePage<{ props: Props }>().props as unknown as Props;
+  const urlToken =
+    typeof window !== 'undefined'
+      ? (new URLSearchParams(window.location.search).get('token') ?? '')
+      : '';
+  const token = urlToken || initialToken;
+
+  const [status, setStatus] = useState<VerifyStatus>('pending');
+  const [errorMsg, setErrorMsg] = useState('');
+
+  useEffect(() => {
+    if (!token) {
+      setStatus('error');
+      setErrorMsg('No verification token found in this link.');
+      return;
+    }
+
+    fetch('/api/users/auth/verify', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token }),
+    })
+      .then(async (res) => {
+        if (res.status === 200 || res.status === 204) {
+          setStatus('success');
+        } else {
+          const data = await res.json().catch(() => ({}));
+          const detail = typeof data?.detail === 'string' ? data.detail : '';
+          if (detail === 'VERIFY_USER_ALREADY_VERIFIED') {
+            setStatus('already_verified');
+          } else {
+            setStatus('error');
+            setErrorMsg('Verification link expired or invalid. Please request a new one.');
+          }
+        }
+      })
+      .catch(() => {
+        setStatus('error');
+        setErrorMsg('An error occurred. Please try again.');
+      });
+  }, [token]);
+
+  const content = {
+    pending: {
+      title: 'Verifying your email…',
+      description: 'Please wait while we verify your email address.',
+      body: null,
+    },
+    success: {
+      title: 'Email verified!',
+      description: 'Your account is now active. You can sign in.',
+      body: (
+        <a href="/users/login">
+          <Button className="w-full">Sign in</Button>
+        </a>
+      ),
+    },
+    already_verified: {
+      title: 'Already verified',
+      description: 'This account is already verified — you can log in.',
+      body: (
+        <a href="/users/login">
+          <Button className="w-full">Sign in</Button>
+        </a>
+      ),
+    },
+    error: {
+      title: 'Verification failed',
+      description: errorMsg || 'Verification link expired or invalid.',
+      body: (
+        <a href="/users/login" className="text-sm text-primary hover:underline">
+          Back to sign in
+        </a>
+      ),
+    },
+  }[status];
+
+  return (
+    <AuthCardShell>
+      <Card className="w-full max-w-sm">
+        <CardHeader>
+          <CardTitle>{content.title}</CardTitle>
+          <CardDescription>{content.description}</CardDescription>
+        </CardHeader>
+        {content.body && <CardContent>{content.body}</CardContent>}
+      </Card>
+    </AuthCardShell>
+  );
+}
+
+export default VerifyEmail;

users/rate_limit.py

@@ -0,0 +1,59 @@
+"""In-process rate limiters — TTL caches, no Redis.
+
+Note: counters live in the worker process, so a multi-worker deployment (e.g.
+``uvicorn --workers 4``) has independent counters per worker. Effective
+thresholds scale with worker count. Swap for a Redis-backed store when you
+deploy behind more than a single worker.
+"""
+
+from __future__ import annotations
+
+from cachetools import TTLCache
+
+
+class LoginRateLimiter:
+    """Per-key failure counter with a cooldown window after N failures."""
+
+    def __init__(
+        self,
+        max_failures: int = 5,
+        window_seconds: int = 300,
+        cooldown_seconds: int = 900,
+    ) -> None:
+        self._fails: TTLCache = TTLCache(maxsize=10_000, ttl=window_seconds)
+        self._locks: TTLCache = TTLCache(maxsize=10_000, ttl=cooldown_seconds)
+        self._max = max_failures
+
+    def is_locked(self, key: str) -> bool:
+        return key in self._locks
+
+    def record_failure(self, key: str) -> None:
+        count = self._fails.get(key, 0) + 1
+        self._fails[key] = count
+        if count >= self._max:
+            self._locks[key] = True
+            self._fails.pop(key, None)
+
+    def reset(self, key: str) -> None:
+        self._fails.pop(key, None)
+        self._locks.pop(key, None)
+
+
+class ThroughputLimiter:
+    """N requests per rolling window per key — counts every attempt.
+
+    Used to dampen enumeration and email-spam on endpoints like
+    ``/forgot-password`` and ``/register`` where a failure-based lockout
+    (``LoginRateLimiter``) isn't the right shape — the attacker is after the
+    side-effect itself, not a correct credential.
+    """
+
+    def __init__(self, max_attempts: int = 10, window_seconds: int = 300) -> None:
+        self._hits: TTLCache = TTLCache(maxsize=10_000, ttl=window_seconds)
+        self._max = max_attempts
+
+    def check_and_record(self, key: str) -> bool:
+        """Return True if this attempt is within budget; False if throttled."""
+        count = self._hits.get(key, 0) + 1
+        self._hits[key] = count
+        return count <= self._max

users/roles_cache.py

@@ -0,0 +1,58 @@
+"""Cached list of roles for admin-page rendering.
+
+Roles are seed data — created by the ``e3ce9754e6dc_seed_users_roles``
+migration and only mutated by hand. Caching on ``app.state`` lets admin views
+build Inertia payloads without a per-request ``SELECT * FROM users_role``.
+
+The cache stores detached :class:`RoleSummary` values (not ORM objects, which
+would blow up on attribute access after their session closes). Each view is
+responsible for shaping them into whatever the page needs.
+
+Refresh entry points:
+
+* ``UsersModule.on_startup`` — initial population.
+* ``refresh_roles_cache(app)`` — callable after any future role-management
+  code paths that add/remove roles.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+from sqlalchemy import select
+
+from users.models import Role
+
+if TYPE_CHECKING:
+    from fastapi import FastAPI
+
+
+@dataclass(frozen=True, slots=True)
+class RoleSummary:
+    """Minimal role projection safe to hold across request boundaries."""
+
+    id: str
+    name: str
+
+
+async def refresh_roles_cache(app: FastAPI) -> list[RoleSummary]:
+    """Reload the roles list from the DB into ``app.state.users.roles_cache``."""
+    async with app.state.sm.db.session_factory() as db:
+        result = await db.execute(select(Role).order_by(Role.name))
+        cached = [RoleSummary(id=str(r.id), name=r.name) for r in result.scalars().all()]
+    app.state.users.roles_cache = cached
+    return cached
+
+
+async def get_roles_cache(app: FastAPI) -> list[RoleSummary]:
+    """Return the cached roles list, populating it from the DB on first miss.
+
+    The cache is pre-warmed in ``UsersModule.on_startup``. The lazy fallback
+    covers scenarios where startup ran before the ``users_role`` table had any
+    rows. Once populated, subsequent calls are O(1) attribute reads.
+    """
+    cached = app.state.users.roles_cache
+    if cached:
+        return cached
+    return await refresh_roles_cache(app)