simple-module-users 0.0.1__tar.gz

simple_module_users-0.0.1/.gitignore

@@ -0,0 +1,59 @@
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.venv/
+*.egg
+
+# UV
+uv.lock
+
+# Node
+node_modules/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Environment
+.env
+
+# Database
+*.db
+*.sqlite3
+
+# Module-managed runtime state (e.g. uploaded dataset files,
+# default storage_dir for SM_DATASETS_STORAGE_DIR).
+var/
+
+# file_storage filesystem backend default root (override via SM_FILE_STORAGE_FS_ROOT_PATH).
+uploads/
+
+# Vite
+host/static/dist/
+
+# Auto-generated frontend module manifest (regenerated by the host at boot
+# or via `make gen-pages`).
+host/client_app/modules.manifest.json
+host/client_app/modules.generated.ts
+host/client_app/modules.generated.css
+
+# Worktrees
+.worktrees/
+
+# Performance profiles
+.memray/
+.benchmarks/
+
+# OS
+.DS_Store
+Thumbs.db
+
+.playwright-cli/*
+.playwright-mcp/*
+host/client_app/.playwright-cli/*
+.superpowers/

simple_module_users-0.0.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Anto Subash
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

simple_module_users-0.0.1/PKG-INFO

@@ -0,0 +1,88 @@
+Metadata-Version: 2.4
+Name: simple_module_users
+Version: 0.0.1
+Summary: Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps
+Project-URL: Homepage, https://github.com/antosubash/simple_module_python
+Project-URL: Repository, https://github.com/antosubash/simple_module_python
+Project-URL: Issues, https://github.com/antosubash/simple_module_python/issues
+Project-URL: Changelog, https://github.com/antosubash/simple_module_python/blob/main/CHANGELOG.md
+Author-email: Anto Subash <antosubash@live.com>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: admin,authentication,fastapi-users,simple-module,users
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP
+Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
+Classifier: Typing :: Typed
+Requires-Python: >=3.12
+Requires-Dist: aiosmtplib>=3.0
+Requires-Dist: cachetools>=5.3
+Requires-Dist: fastapi-users[sqlalchemy]<16,>=15
+Requires-Dist: simple-module-auth==0.0.1
+Requires-Dist: simple-module-core==0.0.1
+Requires-Dist: simple-module-db==0.0.1
+Requires-Dist: simple-module-hosting==0.0.1
+Requires-Dist: typer>=0.12
+Description-Content-Type: text/markdown
+
+# simple_module_users
+
+Email+password user management for [simple_module](https://github.com/antosubash/simple_module_python) apps. Replaces Keycloak/Auth0 for the common case: local accounts, admin invites, password reset, optional public signup. Built on `fastapi-users`.
+
+## Install
+
+```bash
+pip install simple_module_users
+```
+
+Pre-wired into any app scaffolded with `simple-module new`.
+
+## What it provides
+
+- Email + password registration, login, logout, password reset.
+- Admin invite flow — admin enters an email, recipient clicks a link, sets a password, is logged in.
+- Public signup toggle (`SM_USERS_ALLOW_SIGNUP`, default `false`).
+- Bootstrap admin via env vars (`SM_USERS_BOOTSTRAP_EMAIL` + `SM_USERS_BOOTSTRAP_PASSWORD`) — idempotent, only creates if the users table is empty.
+- `sm-users create-admin` CLI for ad-hoc admin creation.
+- Inertia pages for login/register/invite-accept/admin-invite.
+- Console mailer (logs to stdout) or SMTP mailer (`SM_USERS_MAILER=smtp`).
+
+## Usage
+
+CLI:
+
+```bash
+uv run sm-users create-admin --email admin@example.com --password 'change-me'
+```
+
+Bootstrap-on-boot (`.env`):
+
+```
+SM_USERS_BOOTSTRAP_EMAIL=admin@example.com
+SM_USERS_BOOTSTRAP_PASSWORD=change-me
+```
+
+Program:
+
+```python
+from users.deps import CurrentUser    # type: ignore[import-not-found]
+
+@router.get("/profile")
+async def profile(user: CurrentUser):
+    return {"email": user.email}
+```
+
+## Depends on
+
+- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
+- `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
+
+## License
+
+MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

simple_module_users-0.0.1/README.md

@@ -0,0 +1,55 @@
+# simple_module_users
+
+Email+password user management for [simple_module](https://github.com/antosubash/simple_module_python) apps. Replaces Keycloak/Auth0 for the common case: local accounts, admin invites, password reset, optional public signup. Built on `fastapi-users`.
+
+## Install
+
+```bash
+pip install simple_module_users
+```
+
+Pre-wired into any app scaffolded with `simple-module new`.
+
+## What it provides
+
+- Email + password registration, login, logout, password reset.
+- Admin invite flow — admin enters an email, recipient clicks a link, sets a password, is logged in.
+- Public signup toggle (`SM_USERS_ALLOW_SIGNUP`, default `false`).
+- Bootstrap admin via env vars (`SM_USERS_BOOTSTRAP_EMAIL` + `SM_USERS_BOOTSTRAP_PASSWORD`) — idempotent, only creates if the users table is empty.
+- `sm-users create-admin` CLI for ad-hoc admin creation.
+- Inertia pages for login/register/invite-accept/admin-invite.
+- Console mailer (logs to stdout) or SMTP mailer (`SM_USERS_MAILER=smtp`).
+
+## Usage
+
+CLI:
+
+```bash
+uv run sm-users create-admin --email admin@example.com --password 'change-me'
+```
+
+Bootstrap-on-boot (`.env`):
+
+```
+SM_USERS_BOOTSTRAP_EMAIL=admin@example.com
+SM_USERS_BOOTSTRAP_PASSWORD=change-me
+```
+
+Program:
+
+```python
+from users.deps import CurrentUser    # type: ignore[import-not-found]
+
+@router.get("/profile")
+async def profile(user: CurrentUser):
+    return {"email": user.email}
+```
+
+## Depends on
+
+- `simple_module_core`, `simple_module_db`, `simple_module_hosting`, `simple_module_auth`
+- `fastapi-users[sqlalchemy]>=15,<16`, `aiosmtplib`, `cachetools`, `typer`
+
+## License
+
+MIT — see [LICENSE](https://github.com/antosubash/simple_module_python/blob/main/LICENSE).

simple_module_users-0.0.1/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@simple-module-py/users",
+  "version": "0.1.0",
+  "private": true,
+  "description": "Frontend assets for the Users module",
+  "peerDependencies": {
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "@inertiajs/react": "^2.0.0",
+    "@simple-module-py/ui": "*"
+  },
+  "devDependencies": {
+    "@simple-module-py/tsconfig": "*"
+  },
+  "dependencies": {}
+}

simple_module_users-0.0.1/pyproject.toml

@@ -0,0 +1,63 @@
+[project]
+name = "simple_module_users"
+version = "0.0.1"
+description = "Email + password user management, admin invites, RBAC-ready — replaces Keycloak for simple_module apps"
+readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
+requires-python = ">=3.12"
+authors = [{ name = "Anto Subash", email = "antosubash@live.com" }]
+keywords = ["simple-module", "users", "authentication", "fastapi-users", "admin"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Framework :: FastAPI",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Internet :: WWW/HTTP",
+    "Topic :: Software Development :: Libraries :: Application Frameworks",
+    "Typing :: Typed",
+]
+dependencies = [
+    "simple_module_core==0.0.1",
+    "simple_module_db==0.0.1",
+    "simple_module_hosting==0.0.1",
+    "simple_module_auth==0.0.1",             # workspace module — contracts
+    # Pinned to a narrow range: `deps.py` relies on mutating CookieTransport
+    # fields after construction (see reconfigure_cookie_transport in backend.py).
+    # Bumping the major version requires re-checking those field names.
+    "fastapi-users[sqlalchemy]>=15,<16",
+    "aiosmtplib>=3.0",
+    "cachetools>=5.3",
+    "typer>=0.12",
+]
+
+[project.entry-points.simple_module]
+users = "users.module:UsersModule"
+
+[project.scripts]
+sm-users = "users.cli:app"
+
+[project.urls]
+Homepage = "https://github.com/antosubash/simple_module_python"
+Repository = "https://github.com/antosubash/simple_module_python"
+Issues = "https://github.com/antosubash/simple_module_python/issues"
+Changelog = "https://github.com/antosubash/simple_module_python/blob/main/CHANGELOG.md"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["users"]
+
+[tool.hatch.build.targets.wheel.force-include]
+"package.json" = "users/package.json"
+
+[tool.uv.sources]
+simple_module_core = { workspace = true }
+simple_module_db = { workspace = true }
+simple_module_hosting = { workspace = true }
+simple_module_auth = { workspace = true }

simple_module_users-0.0.1/tests/_middleware_support.py

@@ -0,0 +1,109 @@
+"""Helpers + fixtures for the users.middleware unit tests.
+
+Registered as a pytest plugin via ``pytest_plugins = ["_middleware_support"]``
+in conftest.py — that way the fixtures (``_mw_seed_roles``, ``mw_active_user``)
+are auto-discovered by pytest without needing imports in the test files,
+which avoids F811 warnings where fixture names appear as test-function
+parameters.
+"""
+
+from __future__ import annotations
+
+import json
+import uuid
+from base64 import b64encode
+from types import SimpleNamespace
+from typing import Any
+
+import pytest
+from fastapi import FastAPI, Request
+from itsdangerous import TimestampSigner
+from starlette.middleware.sessions import SessionMiddleware
+from starlette.responses import JSONResponse
+from users.constants import ADMIN_ROLE_ID, USER_ROLE_ID
+from users.middleware import AuthMiddleware
+
+SECRET_KEY = "test-secret-key-for-session-middleware"
+
+
+def _sign_session(data: dict[str, Any], secret: str = SECRET_KEY) -> str:
+    """Encode and sign a session dict exactly as Starlette's SessionMiddleware does."""
+    raw = b64encode(json.dumps(data).encode()).decode()
+    return TimestampSigner(secret).sign(raw).decode("utf-8")
+
+
+def _session_cookie(data: dict[str, Any]) -> dict[str, str]:
+    return {"session": _sign_session(data)}
+
+
+async def _build_app(db_state, inner_handler=None):
+    """Build a minimal ASGI app with AuthMiddleware + SessionMiddleware."""
+
+    async def _default_handler(request: Request):
+        user = getattr(request.state, "user", None)
+        return JSONResponse(
+            {
+                "path": request.url.path,
+                "user": (
+                    {
+                        "id": user.id,
+                        "email": user.email,
+                        "name": user.name,
+                        "roles": user.roles,
+                        "tenant_id": user.tenant_id,
+                    }
+                    if user is not None
+                    else None
+                ),
+            }
+        )
+
+    handler = inner_handler or _default_handler
+
+    app = FastAPI()
+    app.state.sm = SimpleNamespace(db=db_state)
+
+    @app.get("/{path:path}")
+    async def _catch_all(request: Request, path: str = ""):
+        return await handler(request)
+
+    # Middleware is applied in reverse order: SessionMiddleware outermost.
+    app.add_middleware(AuthMiddleware)
+    app.add_middleware(SessionMiddleware, secret_key=SECRET_KEY)
+    return app
+
+
+@pytest.fixture
+async def _mw_seed_roles(db_session):
+    """Insert the standard admin/user roles for middleware tests."""
+    from users.models import Role
+
+    db_session.add_all(
+        [
+            Role(id=ADMIN_ROLE_ID, name="admin", description="Administrator"),
+            Role(id=USER_ROLE_ID, name="user", description="Standard user"),
+        ]
+    )
+    await db_session.commit()
+
+
+@pytest.fixture
+async def mw_active_user(db_session, _mw_seed_roles):
+    """Active user with the 'admin' role — used by the middleware tests."""
+    from users.models import User, UserRole
+
+    user_id = uuid.uuid4()
+    user = User(
+        id=user_id,
+        email="middleware-test@example.com",
+        hashed_password="hashed",
+        is_active=True,
+        is_superuser=False,
+        is_verified=True,
+        full_name="Middleware Tester",
+        tenant_id="acme",
+    )
+    link = UserRole(user_id=user_id, role_id=ADMIN_ROLE_ID)
+    db_session.add_all([user, link])
+    await db_session.commit()
+    return user

simple_module_users-0.0.1/tests/conftest.py

@@ -0,0 +1,236 @@
+"""Shared fixtures for users module API tests.
+
+The ``users_app`` fixture builds a full FastAPI app via ``create_app`` but
+with an in-memory SQLite database, seeded roles, and test-friendly settings
+(ConsoleMailer, signup disabled by default, short secrets).
+
+The ``anon_client`` gives a plain httpx client.
+The ``admin_client`` gives a client with a signed local-user session cookie
+carrying a real admin User row (written into the in-memory DB).
+"""
+
+from __future__ import annotations
+
+import os
+from collections.abc import AsyncGenerator
+
+import httpx
+import pytest
+from simple_module_hosting.settings import Settings
+from simple_module_testing import forge_session_cookie
+from sqlalchemy.ext.asyncio import AsyncSession
+from users.constants import ADMIN_ROLE_ID, USER_ROLE_ID
+
+
+@pytest.fixture(autouse=True)
+def _isolate_users_env(monkeypatch):
+    """Scrub stale ``SM_USERS_*`` env vars from the shell/.env.
+
+    After the env→DB migration ``UsersSettings()`` no longer reads these
+    values, so this is belt-and-braces: it keeps old shell exports from
+    muddying any ``SM_ENVIRONMENT`` checks or from being misread during
+    developer spelunking.
+    """
+    for key in list(os.environ):
+        if key.startswith("SM_USERS_"):
+            monkeypatch.delenv(key, raising=False)
+
+
+# ---------------------------------------------------------------------------
+# Settings helpers
+# ---------------------------------------------------------------------------
+
+
+def _users_overrides(allow_signup: bool = False) -> dict[str, tuple[str, str]]:
+    """Values seeded into the ``SettingsStore`` before the app lifespan runs."""
+    return {
+        "allow_signup": (str(allow_signup).lower(), "bool"),
+        "mailer": ("console", "string"),
+        "base_url": ("http://testserver", "string"),
+        "cookie_secure": ("false", "bool"),
+        # 32+ bytes to clear pyjwt's InsecureKeyLengthWarning for HMAC-SHA256.
+        "reset_password_token_secret": ("test-reset-secret-32-bytes-xxxxx", "string"),
+        "verification_token_secret": ("test-verify-secret-32-bytes-xxxxx", "string"),
+        "login_rate_limit_failures": ("5", "int"),
+        "login_rate_limit_window_seconds": ("300", "int"),
+        "login_rate_limit_cooldown_seconds": ("900", "int"),
+    }
+
+
+# ---------------------------------------------------------------------------
+# Full-app fixture
+# ---------------------------------------------------------------------------
+
+
+async def _setup_app_db(application) -> None:
+    """Create all tables and stamp alembic version so migration check passes."""
+
+    from simple_module_db.base import all_module_bases
+    from simple_module_hosting.migrations import resolve_head_revision
+    from sqlalchemy import text
+
+    head = resolve_head_revision()
+
+    async with application.state.sm.db.engine.begin() as conn:
+
+        def _create(sync_conn):
+            for base in all_module_bases:
+                base.metadata.create_all(sync_conn)
+
+        await conn.run_sync(_create)
+
+        if head:
+            await conn.execute(
+                text(
+                    "CREATE TABLE IF NOT EXISTS alembic_version "
+                    "(version_num VARCHAR(32) NOT NULL PRIMARY KEY)"
+                )
+            )
+            await conn.execute(text("DELETE FROM alembic_version"))
+            await conn.execute(
+                text("INSERT INTO alembic_version (version_num) VALUES (:v)"),
+                {"v": head},
+            )
+
+
+async def _seed_roles(application) -> None:
+    """Insert admin/user Role rows with deterministic UUIDs if missing."""
+    from sqlalchemy import select
+    from users.models import Role
+
+    async with application.state.sm.db.session_factory() as session:
+        existing = set((await session.execute(select(Role.name))).scalars().all())
+        if "admin" not in existing:
+            session.add(Role(id=ADMIN_ROLE_ID, name="admin", description="Administrator"))
+        if "user" not in existing:
+            session.add(Role(id=USER_ROLE_ID, name="user", description="Standard user"))
+        await session.commit()
+
+
+async def _seed_users_settings(application, *, allow_signup: bool) -> None:
+    """Write the test UsersSettings overrides to the DB before hydrate runs.
+
+    Hydrate fires inside the lifespan ``__aenter__``, so this needs to land
+    between table creation and lifespan entry.
+    """
+    from settings.service import SettingService
+    from settings.store import SettingsStore
+
+    async with application.state.sm.db.session_factory() as session:
+        store = SettingsStore(SettingService(session))
+        for field, (raw, vtype) in _users_overrides(allow_signup=allow_signup).items():
+            await store.set_override("users", field, raw, vtype)
+        await session.commit()
+
+
+async def _build_users_app(monkeypatch, *, allow_signup: bool):
+    """Build a test FastAPI app with DB created, settings seeded, lifespan started."""
+    from simple_module_hosting.app_builder import create_app
+
+    settings = Settings(
+        database_url="sqlite+aiosqlite:///:memory:",
+        environment="testing",
+        secret_key="test-secret-key",
+        multi_tenant=False,
+    )
+    application = create_app(settings)
+    await _setup_app_db(application)
+    await _seed_users_settings(application, allow_signup=allow_signup)
+
+    ctx = application.router.lifespan_context(application)
+    await ctx.__aenter__()
+    await _seed_roles(application)
+    return application, ctx
+
+
+@pytest.fixture
+async def users_app(monkeypatch):
+    """Full FastAPI app with in-memory DB, seeded roles, users module active."""
+    application, ctx = await _build_users_app(monkeypatch, allow_signup=False)
+    yield application
+    await ctx.__aexit__(None, None, None)
+
+
+@pytest.fixture
+async def users_app_signup(monkeypatch):
+    """Like users_app but with allow_signup=True."""
+    application, ctx = await _build_users_app(monkeypatch, allow_signup=True)
+    yield application
+    await ctx.__aexit__(None, None, None)
+
+
+# ---------------------------------------------------------------------------
+# Client fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+async def anon_client(users_app) -> AsyncGenerator[httpx.AsyncClient, None]:
+    """Unauthenticated client against users_app."""
+    transport = httpx.ASGITransport(app=users_app)
+    async with httpx.AsyncClient(
+        transport=transport,
+        base_url="http://testserver",
+    ) as c:
+        yield c
+
+
+@pytest.fixture
+async def anon_client_signup(users_app_signup) -> AsyncGenerator[httpx.AsyncClient, None]:
+    """Unauthenticated client against users_app_signup (signup enabled)."""
+    transport = httpx.ASGITransport(app=users_app_signup)
+    async with httpx.AsyncClient(
+        transport=transport,
+        base_url="http://testserver",
+    ) as c:
+        yield c
+
+
+async def _make_admin_user(app):
+    """Seed an admin User + Role into app's DB and return the User row."""
+    from users.bootstrap import create_admin
+    from users.models import User
+
+    async with app.state.sm.db.session_factory() as session:
+        result = await create_admin(
+            session,
+            email="admin@example.com",
+            password="AdminPass1!",
+            full_name="Test Admin",
+        )
+    user: User = result.user
+    return user
+
+
+@pytest.fixture
+async def admin_client(users_app) -> AsyncGenerator[httpx.AsyncClient, None]:
+    """Client with a signed local-user session cookie (admin role)."""
+    user = await _make_admin_user(users_app)
+    cookie = forge_session_cookie(
+        str(users_app.state.sm.settings.secret_key),
+        {"user_id": str(user.id)},
+    )
+    transport = httpx.ASGITransport(app=users_app)
+    async with httpx.AsyncClient(
+        transport=transport,
+        base_url="http://testserver",
+        cookies={"session": cookie},
+    ) as c:
+        yield c
+
+
+# ---------------------------------------------------------------------------
+# DB session fixture scoped to users_app
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+async def users_db(users_app) -> AsyncGenerator[AsyncSession, None]:
+    """Session against the users_app in-memory DB."""
+    async with users_app.state.sm.db.session_factory() as session:
+        yield session
+
+
+# Fixtures consumed by the users.middleware unit tests live in
+# _middleware_support.py (imported as a pytest plugin below).
+pytest_plugins = ["_middleware_support"]