PyPI - supython - Versions diffs - 0.1.1__tar.gz → 0.1.3__tar.gz - Mend

supython 0.1.1tar.gz → 0.1.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (252) hide show

{supython-0.1.1 → supython-0.1.3}/CHANGELOG.md RENAMED Viewed

@@ -31,7 +31,7 @@ Each entry links the relevant `PROJECT.md` section and decision-log row
 ---
-## [0.1.0] — 2026-05-08
+## [0.1.0] — 2026-05-09
 The first public release. Everything currently on `main` collapses
 into this single ZeroVer entry — auth, storage, functions, realtime,
@@ -200,5 +200,5 @@ v0.1–v0.7 plus a v1.1.x admin track; see §19 decision log
 ---
-[Unreleased]: https://github.com/Tkeby/supython/compare/v0.1.0...HEAD
 [0.1.0]: https://github.com/Tkeby/supython/releases/tag/v0.1.0

{supython-0.1.1 → supython-0.1.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: supython
-Version: 0.1.1
+Version: 0.1.3
 Summary: A lightweight Postgres-first BaaS framework for Python
 Project-URL: Homepage, https://github.com/Tkeby/supython
 Project-URL: Repository, https://github.com/Tkeby/supython
@@ -58,10 +58,10 @@ Description-Content-Type: text/markdown
 # supython
-> A lightweight, Postgres-first BaaS framework for Python. **v0.1.0 release**
+> A lightweight, Postgres-first BaaS framework for Python. **v0.1.2 release**
-supython is the inverse of Django: **the database owns the schema, Python owns
-the things SQL is bad at**. It leans on [PostgREST](https://postgrest.org)
+**the database owns the schema, Python owns the things SQL is bad at**.
+It leans on [PostgREST](https://postgrest.org)
 for auto-generated REST APIs and on Postgres' own RLS for authorization,
 while a small FastAPI service in Python handles auth, JWT issuance, realtime,
 storage, functions, workers, and an optional admin control plane.
@@ -69,7 +69,7 @@ storage, functions, workers, and an optional admin control plane.
 supython is for a specific person with a specific problem:
 > A developer who wants to build a CRUD-heavy web app (most apps are), who thinks in SQL, who wants Postgres to own authorization, and who wants auth + storage + custom logic without assembling the integration themselves.
-Shipped [v0.1.0]:
+Shipped [v0.1.2]:
 **Core platform**
 - **Email/password auth** — signup, login, refresh-token rotation with **reuse detection**
@@ -88,14 +88,14 @@ Shipped [v0.1.0]:
 **Realtime**
 - **WebSocket Realtime** — `postgres_changes`, `broadcast`, `presence` with per-subscriber RLS filtering
-- **Phoenix Channels wire format** — unmodified `supabase-js` / `supabase-py` SDKs connect
+- **Phoenix Channels wire format**
 - **Generic trigger** — `realtime.enable('public.todos')` opts any table in
 - **Two-browser chat demo** — `examples/chat.html` (zero build step)
 **Jobs & cron**
 - **Job queue** — Postgres-backed (`SELECT FOR UPDATE SKIP LOCKED`), idempotent enqueue, retry with backoff
 - **Cron scheduling** — `pg_cron` (primary) or in-process `croniter` fallback
-- **Generic hooks** — `@app.on_signup` / `@app.on_login` lifecycle hooks
+- **Generic hooks** — `@app.on_signup` / `@app.on_login` lifecycle hooks; `@app.claims_provider` for custom JWT claims
 - **`supython worker run`** — long-running worker with graceful SIGTERM drain
 **Operations & security**
@@ -106,7 +106,7 @@ Shipped [v0.1.0]:
 - **Secret rotation** — JWT keys, symmetric secrets, Postgres passwords; all with zero-downtime runbooks
 - **Multi-arch Docker image** — `linux/amd64` + `linux/arm64`, non-root user, `tini` PID 1, ~64 MB
-**Admin control plane** (shipped in v0.1.0)
+**Admin control plane** (shipped in v0.1.2)
 - **Vue 3 + Vite SPA** at `/admin` — no runtime Node deps; pre-built static bundle in the wheel
 - **Database surface** — schema browser, table data with role switcher, SQL workspace (read-only default + write toggle), RLS policy editor with dry-run, migrations panel
 - **Auth surface** — user search, ban/unban/force-logout, refresh-token inspector, audit log, email template editing
@@ -159,7 +159,7 @@ cp .env.example .env
 # the value PostgREST will use (docker-compose.yml injects it via env).
 #
 # The scaffold creates:
-#   manage.py         — Django-style CLI entrypoint (sets SUPYTHON_SETTINGS_MODULE)
+#   manage.py         — Optional CLI entrypoint (sets SUPYTHON_SETTINGS_MODULE)
 #   myapp/settings.py — declare EXTENSIONS, EXTRA_ROUTERS, EXTRA_MIDDLEWARE
 #   myapp/jobs.py     — example @job seed (register your background jobs here)
 #   myapp/hooks.py    — example @on("signup") seed (lifecycle hooks)
@@ -219,8 +219,7 @@ including filtering, sorting, refresh, and isolation between users.
 ## Realtime quickstart
 supython ships a WebSocket engine that speaks the **Phoenix Channels 5-tuple
-protocol** used by every official Supabase SDK.  Unmodified `supabase-js` and
-`supabase-py` clients connect without any shim.
+protocol**.
 ### 1. Opt a table into realtime
@@ -419,6 +418,37 @@ SMTP_PASSWORD`.
 **OAuth** — add `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET` (and/or GitHub
 equivalents) to `.env`. Providers without credentials are silently disabled.
+### Custom JWT claims
+Register a `claims_provider` to inject application-specific claims into every
+access token minted by the auth endpoints. Each provider is an async callable
+`(user, conn) -> dict` whose return value is merged into the token payload —
+on signup, password login, refresh, magic-link, OTP, and OAuth callbacks.
+```python
+from supython.app import app
+@app.claims_provider
+async def add_org(user, conn):
+    org_id = await conn.fetchval(
+        "select org_id from public.memberships where user_id = $1", user.id
+    )
+    return {"org_id": str(org_id)} if org_id else {}
+```
+Notes:
+- Reserved JWT claims (`sub`, `email`, `role`, `aud`, `iat`, `exp`, `jti`)
+  cannot be overridden — they are filtered out automatically.
+- Providers run on the **service-role** connection used by the auth flow, so
+  they can read tables that RLS would block during issuance. Treat the
+  function as privileged code (same posture as a Postgres `security definer`
+  routine — sanitize any user-supplied input).
+- A provider that raises aborts issuance: a missing claim is a silent authz
+  bug, not a missing welcome email.
+- Refresh re-collects claims, so a token rotated via `/auth/v1/refresh`
+  reflects current state.
 ### Auth hardening settings (`.env`)
 | Variable | Default | Purpose |
@@ -444,7 +474,7 @@ need to edit SQL.
 ```
  supython/
- ├── manage.py                       # Django-style entrypoint (sets SUPYTHON_SETTINGS_MODULE)
+ ├── manage.py                       # optional cli entrypoint (sets SUPYTHON_SETTINGS_MODULE)
  ├── docker-compose.yml              # Postgres + PostgREST (dev stack)
  ├── docker-compose.prod.yml         # hardened single-host production stack
  ├── docker-compose.test.yml         # dedicated test Postgres on port 54323
@@ -521,7 +551,7 @@ need to edit SQL.
      ├── app.py                      # FastAPI factory
      ├── cli.py                      # typer: up, dev, keygen, admin, worker, test, …
      ├── extensions.py               # eager-import dotted module paths at boot
-     ├── settings_module.py          # Django-style user settings (EXTENSIONS, EXTRA_ROUTERS, …)
+     ├── settings_module.py          # user settings (EXTENSIONS, EXTRA_ROUTERS, …)
      ├── health.py                   # /livez, /readyz, /health endpoints
      ├── logging_config.py           # structured JSON log setup
      ├── security_headers.py         # HSTS, CSP, etc.
@@ -570,7 +600,7 @@ need to edit SQL.
 ## Plugins & extensions
-supython uses a Django-style settings module to declare your app's extensions:
+supython uses a settings module to declare your app's extensions:
 ```python
 # <name>/settings.py — scaffolded by `supython init`
@@ -669,7 +699,7 @@ supython test reset                               # stop test DB + delete volume
    `auth.uid()` returns the user's id inside RLS policies.
 4. RLS policies on `public.todos` use `auth.uid()` to scope every query.
-This is exactly the model Supabase uses, in ~400 lines of Python.
 ## Docker image
@@ -731,7 +761,7 @@ unit tests always run in isolation.
 **CI:** runners with Docker run `supython test up && supython test run`;
 runners without Docker run `pytest tests/unit` for a meaningful subset.
-## Roadmap [shipped v0.1.0]
+## Roadmap [shipped v0.1.2]
 - ✅ Email/password auth, PostgREST contract, RLS demo
 - ✅ OAuth, password reset, magic link, OTP, reuse detection, email backend, test suite
@@ -742,12 +772,12 @@ runners without Docker run `pytest tests/unit` for a meaningful subset.
 - ✅ Production observable: structured JSON logs, `/livez`/`/readyz`/`/health`, security headers, input size guards, audit log completeness, OAuth PKCE, secret rotation runbooks
 - ✅ (partial) Multi-arch Docker images, admin control plane (Vue 3 SPA — database, auth, storage, functions, realtime, jobs, backups, log tail), CI buildx workflow; benchmarks + security audit pass + dependency budget CI remaining
 - *(deferred)* — Realtime v2 over logical replication
-- v0.1.0 Release — final sweep, tag, publish wheel, production deployment with no patches
-- ✅ **TypeScript SDK** — `@supython/sdk` wrapping `@supabase/postgrest-js` + `@supabase/realtime-js`
+- v0.1.2 Release — final sweep, tag, publish wheel, production deployment with no patches
+- ✅ **TypeScript SDK** — `@supython/sdk` wrapping `@supabase/postgrest-js` + `@supabase/realtime-js`
-### Post v0.1.0
+### Post v0.1.2
-- **v1.1+** — Admin control plane polish (backend + frontend shipped in v0.1.0; tests + remaining DoD items deferred)
+- **v1.1+** — Admin control plane polish (backend + frontend shipped in v0.1.2; tests + remaining DoD items deferred)
 - **Realtime v2** — logical replication (demand-driven; swap when trigger overhead or >8KB payload data warrants it)
 - **Prometheus `/metrics`** + **OpenTelemetry** — optional extras

{supython-0.1.1 → supython-0.1.3}/README.md RENAMED Viewed

@@ -1,9 +1,9 @@
 # supython
-> A lightweight, Postgres-first BaaS framework for Python. **v0.1.0 release**
+> A lightweight, Postgres-first BaaS framework for Python. **v0.1.2 release**
-supython is the inverse of Django: **the database owns the schema, Python owns
-the things SQL is bad at**. It leans on [PostgREST](https://postgrest.org)
+**the database owns the schema, Python owns the things SQL is bad at**.
+It leans on [PostgREST](https://postgrest.org)
 for auto-generated REST APIs and on Postgres' own RLS for authorization,
 while a small FastAPI service in Python handles auth, JWT issuance, realtime,
 storage, functions, workers, and an optional admin control plane.
@@ -11,7 +11,7 @@ storage, functions, workers, and an optional admin control plane.
 supython is for a specific person with a specific problem:
 > A developer who wants to build a CRUD-heavy web app (most apps are), who thinks in SQL, who wants Postgres to own authorization, and who wants auth + storage + custom logic without assembling the integration themselves.
-Shipped [v0.1.0]:
+Shipped [v0.1.2]:
 **Core platform**
 - **Email/password auth** — signup, login, refresh-token rotation with **reuse detection**
@@ -30,14 +30,14 @@ Shipped [v0.1.0]:
 **Realtime**
 - **WebSocket Realtime** — `postgres_changes`, `broadcast`, `presence` with per-subscriber RLS filtering
-- **Phoenix Channels wire format** — unmodified `supabase-js` / `supabase-py` SDKs connect
+- **Phoenix Channels wire format**
 - **Generic trigger** — `realtime.enable('public.todos')` opts any table in
 - **Two-browser chat demo** — `examples/chat.html` (zero build step)
 **Jobs & cron**
 - **Job queue** — Postgres-backed (`SELECT FOR UPDATE SKIP LOCKED`), idempotent enqueue, retry with backoff
 - **Cron scheduling** — `pg_cron` (primary) or in-process `croniter` fallback
-- **Generic hooks** — `@app.on_signup` / `@app.on_login` lifecycle hooks
+- **Generic hooks** — `@app.on_signup` / `@app.on_login` lifecycle hooks; `@app.claims_provider` for custom JWT claims
 - **`supython worker run`** — long-running worker with graceful SIGTERM drain
 **Operations & security**
@@ -48,7 +48,7 @@ Shipped [v0.1.0]:
 - **Secret rotation** — JWT keys, symmetric secrets, Postgres passwords; all with zero-downtime runbooks
 - **Multi-arch Docker image** — `linux/amd64` + `linux/arm64`, non-root user, `tini` PID 1, ~64 MB
-**Admin control plane** (shipped in v0.1.0)
+**Admin control plane** (shipped in v0.1.2)
 - **Vue 3 + Vite SPA** at `/admin` — no runtime Node deps; pre-built static bundle in the wheel
 - **Database surface** — schema browser, table data with role switcher, SQL workspace (read-only default + write toggle), RLS policy editor with dry-run, migrations panel
 - **Auth surface** — user search, ban/unban/force-logout, refresh-token inspector, audit log, email template editing
@@ -101,7 +101,7 @@ cp .env.example .env
 # the value PostgREST will use (docker-compose.yml injects it via env).
 #
 # The scaffold creates:
-#   manage.py         — Django-style CLI entrypoint (sets SUPYTHON_SETTINGS_MODULE)
+#   manage.py         — Optional CLI entrypoint (sets SUPYTHON_SETTINGS_MODULE)
 #   myapp/settings.py — declare EXTENSIONS, EXTRA_ROUTERS, EXTRA_MIDDLEWARE
 #   myapp/jobs.py     — example @job seed (register your background jobs here)
 #   myapp/hooks.py    — example @on("signup") seed (lifecycle hooks)
@@ -161,8 +161,7 @@ including filtering, sorting, refresh, and isolation between users.
 ## Realtime quickstart
 supython ships a WebSocket engine that speaks the **Phoenix Channels 5-tuple
-protocol** used by every official Supabase SDK.  Unmodified `supabase-js` and
-`supabase-py` clients connect without any shim.
+protocol**.
 ### 1. Opt a table into realtime
@@ -361,6 +360,37 @@ SMTP_PASSWORD`.
 **OAuth** — add `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET` (and/or GitHub
 equivalents) to `.env`. Providers without credentials are silently disabled.
+### Custom JWT claims
+Register a `claims_provider` to inject application-specific claims into every
+access token minted by the auth endpoints. Each provider is an async callable
+`(user, conn) -> dict` whose return value is merged into the token payload —
+on signup, password login, refresh, magic-link, OTP, and OAuth callbacks.
+```python
+from supython.app import app
+@app.claims_provider
+async def add_org(user, conn):
+    org_id = await conn.fetchval(
+        "select org_id from public.memberships where user_id = $1", user.id
+    )
+    return {"org_id": str(org_id)} if org_id else {}
+```
+Notes:
+- Reserved JWT claims (`sub`, `email`, `role`, `aud`, `iat`, `exp`, `jti`)
+  cannot be overridden — they are filtered out automatically.
+- Providers run on the **service-role** connection used by the auth flow, so
+  they can read tables that RLS would block during issuance. Treat the
+  function as privileged code (same posture as a Postgres `security definer`
+  routine — sanitize any user-supplied input).
+- A provider that raises aborts issuance: a missing claim is a silent authz
+  bug, not a missing welcome email.
+- Refresh re-collects claims, so a token rotated via `/auth/v1/refresh`
+  reflects current state.
 ### Auth hardening settings (`.env`)
 | Variable | Default | Purpose |
@@ -386,7 +416,7 @@ need to edit SQL.
 ```
  supython/
- ├── manage.py                       # Django-style entrypoint (sets SUPYTHON_SETTINGS_MODULE)
+ ├── manage.py                       # optional cli entrypoint (sets SUPYTHON_SETTINGS_MODULE)
  ├── docker-compose.yml              # Postgres + PostgREST (dev stack)
  ├── docker-compose.prod.yml         # hardened single-host production stack
  ├── docker-compose.test.yml         # dedicated test Postgres on port 54323
@@ -463,7 +493,7 @@ need to edit SQL.
      ├── app.py                      # FastAPI factory
      ├── cli.py                      # typer: up, dev, keygen, admin, worker, test, …
      ├── extensions.py               # eager-import dotted module paths at boot
-     ├── settings_module.py          # Django-style user settings (EXTENSIONS, EXTRA_ROUTERS, …)
+     ├── settings_module.py          # user settings (EXTENSIONS, EXTRA_ROUTERS, …)
      ├── health.py                   # /livez, /readyz, /health endpoints
      ├── logging_config.py           # structured JSON log setup
      ├── security_headers.py         # HSTS, CSP, etc.
@@ -512,7 +542,7 @@ need to edit SQL.
 ## Plugins & extensions
-supython uses a Django-style settings module to declare your app's extensions:
+supython uses a settings module to declare your app's extensions:
 ```python
 # <name>/settings.py — scaffolded by `supython init`
@@ -611,7 +641,7 @@ supython test reset                               # stop test DB + delete volume
    `auth.uid()` returns the user's id inside RLS policies.
 4. RLS policies on `public.todos` use `auth.uid()` to scope every query.
-This is exactly the model Supabase uses, in ~400 lines of Python.
 ## Docker image
@@ -673,7 +703,7 @@ unit tests always run in isolation.
 **CI:** runners with Docker run `supython test up && supython test run`;
 runners without Docker run `pytest tests/unit` for a meaningful subset.
-## Roadmap [shipped v0.1.0]
+## Roadmap [shipped v0.1.2]
 - ✅ Email/password auth, PostgREST contract, RLS demo
 - ✅ OAuth, password reset, magic link, OTP, reuse detection, email backend, test suite
@@ -684,12 +714,12 @@ runners without Docker run `pytest tests/unit` for a meaningful subset.
 - ✅ Production observable: structured JSON logs, `/livez`/`/readyz`/`/health`, security headers, input size guards, audit log completeness, OAuth PKCE, secret rotation runbooks
 - ✅ (partial) Multi-arch Docker images, admin control plane (Vue 3 SPA — database, auth, storage, functions, realtime, jobs, backups, log tail), CI buildx workflow; benchmarks + security audit pass + dependency budget CI remaining
 - *(deferred)* — Realtime v2 over logical replication
-- v0.1.0 Release — final sweep, tag, publish wheel, production deployment with no patches
-- ✅ **TypeScript SDK** — `@supython/sdk` wrapping `@supabase/postgrest-js` + `@supabase/realtime-js`
+- v0.1.2 Release — final sweep, tag, publish wheel, production deployment with no patches
+- ✅ **TypeScript SDK** — `@supython/sdk` wrapping `@supabase/postgrest-js` + `@supabase/realtime-js`
-### Post v0.1.0
+### Post v0.1.2
-- **v1.1+** — Admin control plane polish (backend + frontend shipped in v0.1.0; tests + remaining DoD items deferred)
+- **v1.1+** — Admin control plane polish (backend + frontend shipped in v0.1.2; tests + remaining DoD items deferred)
 - **Realtime v2** — logical replication (demand-driven; swap when trigger overhead or >8KB payload data warrants it)
 - **Prometheus `/metrics`** + **OpenTelemetry** — optional extras

{supython-0.1.1 → supython-0.1.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "supython"
-version = "0.1.1"
+version = "0.1.3"
 description = "A lightweight Postgres-first BaaS framework for Python"
 readme = "README.md"
 requires-python = ">=3.11"

{supython-0.1.1 → supython-0.1.3}/src/supython/app.py RENAMED Viewed

@@ -11,6 +11,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from . import __version__, db, jwks
 from .admin import router as admin_api_router
 from .admin import spa as admin_spa
+from .auth import claims as auth_claims
 from .auth.router import router as auth_router
 from .extensions import load_extensions
 from .settings_module import UserSettings, load_user_settings
@@ -155,6 +156,7 @@ def create_app() -> FastAPI:
     app.on_signup = _make_hook_decorator("signup")
     app.on_login = _make_hook_decorator("login")
     app.on_logout = _make_hook_decorator("logout")
+    app.claims_provider = auth_claims.register
     return app

supython-0.1.3/src/supython/auth/claims.py ADDED Viewed

@@ -0,0 +1,72 @@
+"""Custom-claim providers for access-token issuance.
+Library users register an async callable via ``@app.claims_provider`` (or
+``claims.register``) and the auth service invokes it inside ``_issue_pair``
+just before minting the JWT. Each provider returns a ``dict`` that is
+merged into the access token's payload.
+Contract (intentionally narrower than ``hooks.fire``):
+- Providers run on the **service-role** connection used by the auth flow,
+  so they can read tables that RLS would block during issuance (e.g. a
+  ``user_roles`` lookup keyed by a brand-new user). Treat the function as
+  privileged — same posture as a Postgres ``security definer`` routine.
+- A provider raising propagates: a missing claim is a silent authz bug,
+  not a missing welcome email. ``hooks.fire`` swallows on purpose;
+  ``collect`` does not.
+- Reserved JWT claims (``sub``, ``email``, ``role``, ``aud``, ``iat``,
+  ``exp``, ``jti``) cannot be overridden — they are filtered out of every
+  provider's return value so a misbehaving provider can't mint a token
+  that contradicts its own header or expiry.
+"""
+import logging
+from collections.abc import Awaitable, Callable
+from typing import Any
+import asyncpg
+from .schemas import UserResponse
+logger = logging.getLogger(__name__)
+ClaimsProvider = Callable[[UserResponse, asyncpg.Connection], Awaitable[dict[str, Any]]]
+_RESERVED: frozenset[str] = frozenset(
+    {"sub", "email", "role", "aud", "iat", "exp", "jti"}
+)
+_providers: list[ClaimsProvider] = []
+def register(fn: ClaimsProvider) -> ClaimsProvider:
+    """Register *fn* as a claims provider. Usable as a decorator."""
+    _providers.append(fn)
+    return fn
+async def collect(user: UserResponse, conn: asyncpg.Connection) -> dict[str, Any]:
+    """Run every registered provider and return the merged claim dict.
+    Providers run in registration order; later providers win on key
+    collisions. Reserved JWT claims are stripped from each return value
+    before merging.
+    """
+    merged: dict[str, Any] = {}
+    for fn in _providers:
+        out = await fn(user, conn)
+        if not out:
+            continue
+        for key in _RESERVED.intersection(out):
+            logger.warning(
+                "claims provider %r returned reserved claim %r; dropping",
+                getattr(fn, "__qualname__", fn),
+                key,
+            )
+        merged.update({k: v for k, v in out.items() if k not in _RESERVED})
+    return merged
+def reset() -> None:
+    """Clear all registered providers. Test-only."""
+    _providers.clear()

{supython-0.1.1 → supython-0.1.3}/src/supython/auth/service.py RENAMED Viewed

@@ -14,6 +14,7 @@ from itsdangerous import BadSignature, URLSafeTimedSerializer
 from .. import mail, passwords, tokens
 from ..mailer import EmailMessage
 from ..settings import get_settings
+from . import claims
 from .schemas import UserResponse
 logger = logging.getLogger(__name__)
@@ -63,7 +64,10 @@ async def _audit_log(
 async def _issue_pair(
     conn: asyncpg.Connection, user: UserResponse
 ) -> tuple[str, str, int]:
-    access, ttl = tokens.issue_access_token(user.id, user.email)
+    extra = await claims.collect(user, conn)
+    access, ttl = tokens.issue_access_token(
+        user.id, user.email, extra_claims=extra or None
+    )
     refresh = tokens.issue_refresh_token()
     await conn.execute(
         "insert into auth.refresh_tokens (user_id, token) values ($1, $2)",
@@ -273,7 +277,10 @@ async def refresh_grant(
             new_refresh,
             refresh_token,
         )
-    access, ttl = tokens.issue_access_token(user.id, user.email)
+    extra = await claims.collect(user, conn)
+    access, ttl = tokens.issue_access_token(
+        user.id, user.email, extra_claims=extra or None
+    )
     return user, access, new_refresh, ttl