svc-infra 0.1.506__py3-none-any.whl → 0.1.654__py3-none-any.whl

svc_infra/api/fastapi/apf_payments/setup.py

@@ -0,0 +1,73 @@
+from __future__ import annotations
+
+import logging
+from typing import Iterable, Optional
+
+from fastapi import FastAPI
+
+from svc_infra.apf_payments.provider.registry import get_provider_registry
+from svc_infra.api.fastapi.apf_payments.router import build_payments_routers
+
+logger = logging.getLogger(__name__)
+
+
+def _maybe_register_default_providers(
+    register_defaults: bool, adapters: Optional[Iterable[object]]
+):
+    reg = get_provider_registry()
+    if register_defaults:
+        # Try Stripe by default; silently skip if not configured
+        try:
+            from svc_infra.apf_payments.provider.stripe import StripeAdapter
+
+            reg.register(StripeAdapter())
+        except Exception:
+            pass
+        try:
+            from svc_infra.apf_payments.provider.aiydan import AiydanAdapter
+
+            reg.register(AiydanAdapter())
+        except Exception:
+            pass
+    if adapters:
+        for a in adapters:
+            reg.register(a)  # must implement ProviderAdapter protocol (name, create_intent, etc.)
+
+
+def add_payments(
+    app: FastAPI,
+    *,
+    prefix: str = "/payments",
+    register_default_providers: bool = True,
+    adapters: Optional[Iterable[object]] = None,
+    include_in_docs: bool | None = None,  # None = keep your env-based default visibility
+) -> None:
+    """
+    One-call payments installer.
+
+    - Registers provider adapters (defaults + any provided).
+    - Mounts all Payments routers (user/protected/service/public) under `prefix`.
+    - Reuses your OpenAPI defaults (security + responses) via DualAPIRouter factories.
+    """
+    _maybe_register_default_providers(register_default_providers, adapters)
+
+    for r in build_payments_routers(prefix=prefix):
+        app.include_router(
+            r, include_in_schema=True if include_in_docs is None else bool(include_in_docs)
+        )
+
+    # Store the startup function to be called by lifespan if needed
+    async def _payments_startup_check():
+        try:
+            reg = get_provider_registry()
+            adapter = reg.get()  # default provider
+            # Try a cheap call (Stripe: read account or key balance; we just access .name)
+            _ = adapter.name
+        except Exception as e:
+            # Log loud; don't crash the whole app by default
+            logger.warning(f"[payments] Provider adapter not ready: {e}")
+
+    # Add to app state for potential lifespan usage
+    if not hasattr(app.state, "startup_events"):
+        app.state.startup_events = []
+    app.state.startup_events.append(_payments_startup_check)

svc_infra/api/fastapi/auth/add.py

@@ -11,8 +11,9 @@ from svc_infra.api.fastapi.auth.mfa.router import mfa_router
 from svc_infra.api.fastapi.auth.routers.account import account_router
 from svc_infra.api.fastapi.auth.routers.apikey_router import apikey_router
 from svc_infra.api.fastapi.auth.routers.oauth_router import oauth_router_with_backend
+from svc_infra.api.fastapi.auth.routers.session_router import build_session_router
 from svc_infra.api.fastapi.db.sql.users import get_fastapi_users
-from svc_infra.api.fastapi.paths.prefix import AUTH_PREFIX, OAUTH_PREFIX, USER_PREFIX
+from svc_infra.api.fastapi.paths.prefix import AUTH_PREFIX, USER_PREFIX
 from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV
 from svc_infra.db.sql.apikey import bind_apikey_model
 
@@ -72,6 +73,15 @@ def install_user_routers(
         include_in_schema=include_in_docs,
         dependencies=[Depends(login_client_gaurd)],
     )
+    # Session/device listing & revocation endpoints (AuthSession model)
+    # Mounted under the user prefix so final paths become /{user_prefix}/sessions/... (e.g., /users/sessions/me)
+    # The router itself has a /sessions prefix.
+    app.include_router(
+        build_session_router(),
+        prefix=user_prefix,
+        tags=["Session Management"],
+        include_in_schema=include_in_docs,
+    )
     app.include_router(
         register_router,
         prefix=user_prefix,
@@ -114,7 +124,7 @@ def setup_oauth_authentication(
     user_model,
     auth_backend,
     settings_obj,
-    oauth_prefix: str,
+    auth_prefix: str,
     post_login_redirect: str | None,
     provider_account_model=None,
     auth_policy: AuthPolicy,
@@ -138,7 +148,7 @@ def setup_oauth_authentication(
     # Install oauth prefix routers
     install_oauth_routers(
         app,
-        oauth_prefix=oauth_prefix,
+        oauth_prefix=auth_prefix + "/oauth",
         oauth_router_instance=oauth_router_instance,
         include_in_docs=include_in_docs,
     )
@@ -221,7 +231,7 @@ def install_oauth_routers(
     )
 
 
-def add_auth(
+def add_auth_users(
     app: FastAPI,
     *,
     user_model,
@@ -230,7 +240,6 @@ def add_auth(
     schema_update,
     post_login_redirect: str | None = None,
     auth_prefix: str = AUTH_PREFIX,
-    oauth_prefix: str = OAUTH_PREFIX,
     user_prefix: str = USER_PREFIX,
     enable_password: bool = True,
     enable_oauth: bool = True,
@@ -308,7 +317,7 @@ def add_auth(
             user_model=user_model,
             auth_backend=auth_backend,
             settings_obj=settings_obj,
-            oauth_prefix=oauth_prefix,
+            auth_prefix=auth_prefix,
             post_login_redirect=post_login_redirect,
             provider_account_model=provider_account_model,
             auth_policy=policy,

svc_infra/api/fastapi/auth/gaurd.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import hashlib
 from datetime import datetime, timezone
 
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
@@ -11,6 +12,7 @@ from fastapi_users.password import PasswordHelper
 from svc_infra.api.fastapi.auth._cookies import compute_cookie_params
 from svc_infra.api.fastapi.auth.policy import AuthPolicy, DefaultAuthPolicy
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
+from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.public import public_router
 
 _pwd = PasswordHelper()
@@ -65,9 +67,12 @@ def auth_session_router(
     router = public_router()
     policy = auth_policy or DefaultAuthPolicy(get_auth_settings())
 
+    from svc_infra.security.lockout import get_lockout_status, record_attempt
+
     @router.post("/login", name="auth:jwt.login")
     async def login(
         request: Request,
+        session: SqlSessionDep,
         username: str = Form(...),
         password: str = Form(...),
         scope: str = Form(""),
@@ -75,26 +80,76 @@ def auth_session_router(
         client_secret: str | None = Form(None),
         user_manager=Depends(fapi.get_user_manager),
     ):
-        # 1) lookup user (normalize email)
         strategy = auth_backend.get_strategy()
-
         email = username.strip().lower()
+        # Compute IP hash for lockout correlation
+        client_ip = getattr(request.client, "host", None)
+        ip_hash = hashlib.sha256(client_ip.encode()).hexdigest() if client_ip else None
+
+        # Pre-check lockout by IP to avoid enumeration
+        try:
+            status_lo = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
+            if status_lo.locked and status_lo.next_allowed_at:
+                retry = int(
+                    (status_lo.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
+
+        # Lookup user
         user = await user_manager.user_db.get_by_email(email)
         if not user:
             _, _ = _pwd.verify_and_update(password, _DUMMY_BCRYPT)
+            try:
+                await record_attempt(session, user_id=None, ip_hash=ip_hash, success=False)
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
-        # 2) verify status + password
+        # Status checks
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
         hashed = getattr(user, "hashed_password", None) or getattr(user, "password_hash", None)
         if not hashed:
-            # No password set (likely OAuth-only account)
+            try:
+                await record_attempt(
+                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
+        # Check lockout for this user + IP before verifying password
+        try:
+            status_user = await get_lockout_status(
+                session, user_id=getattr(user, "id", None), ip_hash=ip_hash
+            )
+            if status_user.locked and status_user.next_allowed_at:
+                retry = int(
+                    (status_user.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
+
         ok, new_hash = _pwd.verify_and_update(password, hashed)
         if not ok:
+            try:
+                await record_attempt(
+                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
         # If the hash needs upgrading, persist it (optional but recommended)
@@ -106,7 +161,6 @@ def auth_session_router(
             try:
                 await user_manager.user_db.update(user)
             except Exception:
-                # don't block login if updating hash fails; log if you have logging here
                 pass
 
         if getattr(user, "is_verified") is False:
@@ -130,6 +184,14 @@ def auth_session_router(
             # don’t block login if this write fails
             pass
 
+        # Record successful attempt (for audit)
+        try:
+            await record_attempt(
+                session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=True
+            )
+        except Exception:
+            pass
+
         # 5) mint token and set cookie
         token = await strategy.write_token(user)
         st = get_auth_settings()

svc_infra/api/fastapi/auth/mfa/router.py

@@ -17,6 +17,15 @@ from svc_infra.api.fastapi.dual.protected import user_router
 from svc_infra.api.fastapi.dual.public import public_router
 from svc_infra.api.fastapi.dual.router import DualAPIRouter
 
+from ...paths.auth import (
+    MFA_CONFIRM_PATH,
+    MFA_DISABLE_PATH,
+    MFA_REGENERATE_RECOVERY_PATH,
+    MFA_SEND_CODE_PATH,
+    MFA_START_PATH,
+    MFA_STATUS_PATH,
+    MFA_VERIFY_PATH,
+)
 from .models import (
     EMAIL_OTP_STORE,
     ConfirmSetupIn,
@@ -45,8 +54,8 @@ def mfa_router(
     get_strategy,  # from get_fastapi_users()
     fapi: FastAPIUsers,
 ) -> APIRouter:
-    u = user_router(prefix="/mfa")
-    p = public_router(prefix="/mfa")
+    u = user_router()
+    p = public_router()
 
     # Resolve current user via cookie OR bearer, using fastapi-users v10 strategy.read_token(..., user_manager)
     async def _get_user_and_session(
@@ -77,7 +86,7 @@ def mfa_router(
         return db_user, session
 
     @u.post(
-        "/start",
+        MFA_START_PATH,
         response_model=StartSetupOut,
     )
     async def start_setup(user_sess=Depends(_get_user_and_session)):
@@ -107,7 +116,7 @@ def mfa_router(
         return StartSetupOut(otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri))
 
     @u.post(
-        "/confirm",
+        MFA_CONFIRM_PATH,
         response_model=RecoveryCodesOut,
     )
     async def confirm_setup(
@@ -138,7 +147,7 @@ def mfa_router(
         return RecoveryCodesOut(codes=codes)
 
     @u.post(
-        "/disable",
+        MFA_DISABLE_PATH,
         status_code=status.HTTP_204_NO_CONTENT,
     )
     async def disable_mfa(
@@ -170,7 +179,7 @@ def mfa_router(
         await session.commit()
         return JSONResponse(status_code=204, content={})
 
-    @p.post("/verify")
+    @p.post(MFA_VERIFY_PATH)
     async def verify_mfa(
         request: Request,
         session: SqlSessionDep,
@@ -244,7 +253,7 @@ def mfa_router(
         return resp
 
     @p.post(
-        "/send_code",
+        MFA_SEND_CODE_PATH,
         response_model=SendEmailCodeOut,
         description="Sends a 6-digit email OTP tied to the `pre_token`. Returns a resend cooldown.",
     )
@@ -302,7 +311,7 @@ def mfa_router(
         return SendEmailCodeOut(sent=True, cooldown_seconds=cooldown)
 
     @u.get(
-        "/status",
+        MFA_STATUS_PATH,
         response_model=MFAStatusOut,
     )
     async def mfa_status(user_sess=Depends(_get_user_and_session)):
@@ -340,7 +349,7 @@ def mfa_router(
         )
 
     @u.post(
-        "/recovery/regenerate",
+        MFA_REGENERATE_RECOVERY_PATH,
         response_model=RecoveryCodesOut,
     )
     async def regenerate_recovery_codes(user_sess=Depends(_get_user_and_session)):

svc_infra/api/fastapi/auth/routers/account.py

@@ -6,6 +6,7 @@ from svc_infra.api.fastapi.auth.mfa.models import DisableAccountIn
 from svc_infra.api.fastapi.auth.security import Identity
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.protected import user_router
+from svc_infra.api.fastapi.paths.user import DELETE_ACCOUNT_PATH, DISABLE_ACCOUNT_PATH
 
 
 # ---------- Router ----------
@@ -13,7 +14,7 @@ def account_router(*, user_model: type) -> APIRouter:
     r = user_router()
 
     @r.patch(
-        "/status",
+        DISABLE_ACCOUNT_PATH,
         response_model=dict,
         description="Get account status (active/disabled)",
     )
@@ -29,7 +30,7 @@ def account_router(*, user_model: type) -> APIRouter:
         return {"ok": True, "status": "disabled"}
 
     @r.delete(
-        "/delete",
+        DELETE_ACCOUNT_PATH,
         status_code=204,
         description="Delete account (soft by default, hard if specified)",
     )

svc_infra/api/fastapi/auth/routers/apikey_router.py

@@ -12,6 +12,12 @@ from svc_infra.api.fastapi.auth.security import Identity
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.protected import user_router
 from svc_infra.api.fastapi.openapi.responses import CONFLICT, NOT_FOUND
+from svc_infra.api.fastapi.paths.auth import (
+    CREATE_KEY_PATH,
+    DELETE_KEY_PATH,
+    LIST_KEYS_PATH,
+    REVOKE_KEY_PATH,
+)
 from svc_infra.db.sql.apikey import get_apikey_model
 
 
@@ -39,11 +45,11 @@ def _to_uuid(val):
 
 
 def apikey_router():
-    r = user_router(prefix="/keys")
+    r = user_router()
     ApiKey = get_apikey_model()
 
     @r.post(
-        "",
+        CREATE_KEY_PATH,
         response_model=ApiKeyOut,
         status_code=201,
         responses={409: CONFLICT},
@@ -87,7 +93,7 @@ def apikey_router():
         )
 
     @r.get(
-        "",
+        LIST_KEYS_PATH,
         response_model=list[ApiKeyOut],
         description="List API keys. Non-superusers see only their own keys.",
     )
@@ -112,7 +118,7 @@ def apikey_router():
         ]
 
     @r.post(
-        "/{key_id}/revoke",
+        REVOKE_KEY_PATH,
         status_code=204,
         responses={404: NOT_FOUND},
         description="Revoke an API key",
@@ -131,7 +137,7 @@ def apikey_router():
         return  # 204
 
     @r.delete(
-        "/{key_id}",
+        DELETE_KEY_PATH,
         status_code=204,
         responses={404: NOT_FOUND},
         description="Delete an API key. If the key is active, you must first revoke it or pass force=true.",

svc_infra/api/fastapi/auth/routers/oauth_router.py

@@ -23,6 +23,13 @@ from svc_infra.api.fastapi.auth.policy import AuthPolicy, DefaultAuthPolicy
 from svc_infra.api.fastapi.auth.settings import get_auth_settings, parse_redirect_allow_hosts
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.public import public_router
+from svc_infra.api.fastapi.paths.auth import (
+    OAUTH_CALLBACK_PATH,
+    OAUTH_LOGIN_PATH,
+    OAUTH_REFRESH_PATH,
+)
+from svc_infra.security.models import RefreshToken
+from svc_infra.security.session import issue_session_and_refresh, rotate_session_refresh
 
 
 def _gen_pkce_pair() -> tuple[str, str]:
@@ -461,9 +468,13 @@ async def _validate_and_decode_jwt_token(raw_token: str) -> str:
 
 
 async def _set_cookie_on_response(
-    resp: Response, auth_backend: AuthenticationBackend, user: Any
+    resp: Response,
+    auth_backend: AuthenticationBackend,
+    user: Any,
+    *,
+    refresh_raw: str,
 ) -> None:
-    """Set authentication cookie on response."""
+    """Set authentication (JWT) and refresh cookies on response."""
     st = get_auth_settings()
     strategy = auth_backend.get_strategy()
     jwt_token = await strategy.write_token(user)
@@ -472,6 +483,7 @@ async def _set_cookie_on_response(
     if same_site_lit == "none" and not bool(st.session_cookie_secure):
         raise HTTPException(500, "session_cookie_samesite=None requires session_cookie_secure=True")
 
+    # Access/Auth cookie (short-lived JWT)
     resp.set_cookie(
         key=_cookie_name(st),
         value=jwt_token,
@@ -483,6 +495,18 @@ async def _set_cookie_on_response(
         path="/",
     )
 
+    # Refresh cookie (opaque token, longer lived)
+    resp.set_cookie(
+        key=getattr(st, "session_cookie_name", "svc_session"),
+        value=refresh_raw,
+        max_age=60 * 60 * 24 * 7,  # 7 days default
+        httponly=True,
+        secure=bool(st.session_cookie_secure),
+        samesite=same_site_lit,
+        domain=_cookie_domain(st),
+        path="/",
+    )
+
 
 def _clean_oauth_session_state(request: Request, provider: str) -> None:
     """Clean up transient OAuth session state."""
@@ -538,7 +562,7 @@ def _create_oauth_router(
     router = public_router()
 
     @router.get(
-        "/{provider}/login",
+        OAUTH_LOGIN_PATH,
         description="Login with OAuth provider",
     )
     async def oauth_login(request: Request, provider: str):
@@ -571,7 +595,7 @@ def _create_oauth_router(
         )
 
     @router.get(
-        "/{provider}/callback",
+        OAUTH_CALLBACK_PATH,
         name="oauth_callback",
         responses={302: {"description": "Redirect to app (or MFA redirect)."}},
         description="OAuth callback endpoint.",
@@ -636,9 +660,18 @@ def _create_oauth_router(
         user.last_login = datetime.now(timezone.utc)
         await session.commit()
 
-        # Create response with auth cookie
+        # Create session + initial refresh token
+        raw_refresh, _rt = await issue_session_and_refresh(
+            session,
+            user_id=user.id,
+            tenant_id=getattr(user, "tenant_id", None),
+            user_agent=str(request.headers.get("user-agent", ""))[:512],
+            ip_hash=None,
+        )
+
+        # Create response with auth + refresh cookies
         resp = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
-        await _set_cookie_on_response(resp, auth_backend, user)
+        await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=raw_refresh)
 
         # Clean up session state
         _clean_oauth_session_state(request, provider)
@@ -653,7 +686,7 @@ def _create_oauth_router(
         return resp
 
     @router.post(
-        "/refresh",
+        OAUTH_REFRESH_PATH,
         status_code=status.HTTP_204_NO_CONTENT,
         responses={204: {"description": "Cookie refreshed"}},
         description="Refresh authentication token.",
@@ -662,44 +695,55 @@ def _create_oauth_router(
         """Refresh authentication token."""
         st = get_auth_settings()
 
-        # Read and validate cookie
-        name = _cookie_name(st)
-        raw = request.cookies.get(name)
-        if not raw:
+        # Read and validate auth JWT cookie
+        name_auth = _cookie_name(st)
+        raw_auth = request.cookies.get(name_auth)
+        if not raw_auth:
             raise HTTPException(401, "missing_token")
 
-        # Validate and decode JWT token
-        user_id = await _validate_and_decode_jwt_token(raw)
+        # Validate and decode JWT token to get user id
+        user_id = await _validate_and_decode_jwt_token(raw_auth)
 
         # Load user
         user = await session.get(user_model, user_id)
         if not user:
             raise HTTPException(401, "invalid_token")
 
-        # Handle MFA if required
-        if await policy.should_require_mfa(user):
-            pre = await get_mfa_pre_jwt_writer().write(user)
-            redirect_url = str(getattr(st, "post_login_redirect", "/"))
-            allow_hosts = parse_redirect_allow_hosts(getattr(st, "redirect_allow_hosts_raw", None))
-            require_https = bool(getattr(st, "session_cookie_secure", False))
-            _validate_redirect(redirect_url, allow_hosts, require_https=require_https)
-
-            nxt = request.query_params.get("next")
-            if nxt:
-                try:
-                    _validate_redirect(nxt, allow_hosts, require_https=require_https)
-                    redirect_url = nxt
-                except HTTPException:
-                    pass
-
-            qs = urlencode({"mfa": "required", "pre_token": pre})
-            return RedirectResponse(url=f"{redirect_url}?{qs}", status_code=status.HTTP_302_FOUND)
-
-        # Create response with new token
-        resp = Response(status_code=204)
-        await _set_cookie_on_response(resp, auth_backend, user)
-
-        # Optional: notify policy hook
+        # Obtain refresh cookie
+        refresh_cookie_name = getattr(st, "session_cookie_name", "svc_session")
+        raw_refresh = request.cookies.get(refresh_cookie_name)
+        if not raw_refresh:
+            raise HTTPException(401, "missing_refresh_token")
+
+        # Lookup refresh token row by hash
+        from sqlalchemy import select
+
+        from svc_infra.security.models import hash_refresh_token
+
+        token_hash = hash_refresh_token(raw_refresh)
+        found: RefreshToken | None = (
+            (
+                await session.execute(
+                    select(RefreshToken).where(RefreshToken.token_hash == token_hash)
+                )
+            )
+            .scalars()
+            .first()
+        )
+        if (
+            not found
+            or found.revoked_at
+            or (found.expires_at and found.expires_at < datetime.now(timezone.utc))
+        ):
+            raise HTTPException(401, "invalid_refresh_token")
+
+        # Rotate refresh token
+        new_raw, _new_rt = await rotate_session_refresh(session, current=found)
+
+        # Write response (204) with new cookies
+        resp = Response(status_code=status.HTTP_204_NO_CONTENT)
+        await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=new_raw)
+        # Policy hook: trigger after successful rotation; suppress hook errors
         if hasattr(policy, "on_token_refresh"):
             try:
                 await policy.on_token_refresh(user)
@@ -708,4 +752,5 @@ def _create_oauth_router(
 
         return resp
 
+    # Return router at end of factory
     return router