svc-infra 0.1.589__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/api/fastapi/auth/security.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 from datetime import datetime, timezone
-from typing import Annotated, Any, Callable, Optional
+from typing import Annotated, Any, Callable, Optional, cast
 
 from fastapi import Depends, HTTPException, Request
 from fastapi.security import APIKeyCookie, APIKeyHeader, OAuth2PasswordBearer
@@ -16,8 +16,12 @@ from svc_infra.db.sql.apikey import get_apikey_model
 
 # ---------- OpenAPI security schemes (appear in docs) ----------
 auth_login_path = USER_PREFIX + LOGIN_PATH
-oauth2_scheme_optional = OAuth2PasswordBearer(tokenUrl=auth_login_path, auto_error=False)
-cookie_auth_optional = APIKeyCookie(name=get_auth_settings().auth_cookie_name, auto_error=False)
+oauth2_scheme_optional = OAuth2PasswordBearer(
+    tokenUrl=auth_login_path, auto_error=False
+)
+cookie_auth_optional = APIKeyCookie(
+    name=get_auth_settings().auth_cookie_name, auto_error=False
+)
 api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
 
 
@@ -26,7 +30,12 @@ class Principal:
     """Unified identity: user via JWT/cookie or service via API key."""
 
     def __init__(
-        self, *, user=None, scopes: list[str] | None = None, via: str = "jwt", api_key=None
+        self,
+        *,
+        user=None,
+        scopes: list[str] | None = None,
+        via: str = "jwt",
+        api_key=None,
     ):
         self.user = user
         self.scopes = scopes or []
@@ -51,7 +60,11 @@ async def resolve_api_key(
     apikey = None
     if prefix:
         apikey = (
-            (await session.execute(select(ApiKey).where(ApiKey.key_prefix == prefix)))
+            (
+                await session.execute(
+                    select(ApiKey).where(ApiKey.key_prefix == prefix)  # type: ignore[attr-defined]
+                )
+            )
             .scalars()
             .first()
         )
@@ -69,7 +82,9 @@ async def resolve_api_key(
 
     apikey.mark_used()
     await session.flush()
-    return Principal(user=apikey.user, scopes=apikey.scopes, via="api_key", api_key=apikey)
+    return Principal(
+        user=apikey.user, scopes=apikey.scopes, via="api_key", api_key=apikey
+    )
 
 
 async def resolve_bearer_or_cookie_principal(
@@ -77,7 +92,11 @@ async def resolve_bearer_or_cookie_principal(
 ) -> Optional[Principal]:
     st = get_auth_settings()
     raw_auth = (request.headers.get("authorization") or "").strip()
-    token = raw_auth.split(" ", 1)[1].strip() if raw_auth.lower().startswith("bearer ") else ""
+    token = (
+        raw_auth.split(" ", 1)[1].strip()
+        if raw_auth.lower().startswith("bearer ")
+        else ""
+    )
     if not token:
         token = (request.cookies.get(st.auth_cookie_name) or "").strip()
     if not token:
@@ -89,7 +108,7 @@ async def resolve_bearer_or_cookie_principal(
     from fastapi_users.manager import BaseUserManager, UUIDIDMixin
     from fastapi_users_db_sqlalchemy import SQLAlchemyUserDatabase
 
-    user_db = SQLAlchemyUserDatabase(session, UserModel)
+    user_db: Any = SQLAlchemyUserDatabase(session, UserModel)
 
     class _ShimManager(UUIDIDMixin, BaseUserManager[Any, Any]):
         reset_password_token_secret = "unused"
@@ -107,7 +126,7 @@ async def resolve_bearer_or_cookie_principal(
     if not user:
         return None
 
-    db_user = await session.get(UserModel, user.id)
+    db_user = await cast(Any, session).get(UserModel, user.id)
     if not db_user:
         return None
     if not getattr(db_user, "is_active", True):
@@ -154,7 +173,9 @@ AllowIdentity = Depends(_optional_principal)  # same, but optional
 # ---------- DX: small guard factories ----------
 def RequireRoles(*roles: str, resolver: Callable[[Any], list[str]] | None = None):
     async def _guard(p: Identity):
-        have = set((resolver(p.user) if resolver else getattr(p.user, "roles", []) or []))
+        have = set(
+            (resolver(p.user) if resolver else getattr(p.user, "roles", []) or [])
+        )
         if not set(roles).issubset(have):
             raise HTTPException(403, "forbidden")
         return p

svc_infra/api/fastapi/auth/sender.py

@@ -20,7 +20,9 @@ class ConsoleSender:
 
 
 class SMTPSender:
-    def __init__(self, host: str, port: int, username: str, password: str, from_addr: str) -> None:
+    def __init__(
+        self, host: str, port: int, username: str, password: str, from_addr: str
+    ) -> None:
         self.host = host
         self.port = port
         self.username = username
@@ -59,4 +61,9 @@ def get_sender() -> Sender:
     if not configured:
         return ConsoleSender()
 
+    # At this point, all values must be set
+    assert host is not None
+    assert user is not None
+    assert pw is not None
+    assert frm is not None
     return SMTPSender(host, st.smtp_port, user, pw, frm)

svc_infra/api/fastapi/auth/settings.py

@@ -18,6 +18,8 @@ class OIDCProvider(BaseModel):
 class JWTSettings(BaseModel):
     secret: SecretStr
     lifetime_seconds: int = 60 * 60 * 24 * 7
+    # Optional older secrets accepted for verification during rotation window
+    old_secrets: List[SecretStr] = Field(default_factory=list)
 
 
 class PasswordClient(BaseModel):

svc_infra/api/fastapi/auth/state.py

@@ -19,7 +19,9 @@ def set_auth_state(
 
 def get_auth_state() -> tuple[type, Callable[[], Any], str]:
     if _UserModel is None or _GetStrategy is None:
-        raise RuntimeError("Auth state not initialized; call set_auth_state() in add_auth_users().")
+        raise RuntimeError(
+            "Auth state not initialized; call set_auth_state() in add_auth_users()."
+        )
     return _UserModel, _GetStrategy, _AuthPrefix
 
 

svc_infra/api/fastapi/auth/ws_security.py

@@ -0,0 +1,275 @@
+"""WebSocket authentication primitives.
+
+This module provides lightweight JWT-based authentication for WebSocket endpoints.
+Unlike HTTP auth which requires DB access, WS auth uses JWT claims only, making it
+suitable for high-frequency real-time connections.
+
+Usage:
+    from svc_infra.api.fastapi.auth.ws_security import WSIdentity
+
+    @router.websocket("/ws")
+    async def ws_handler(websocket: WebSocket, user: WSIdentity):
+        # user.id, user.email, user.scopes available from JWT claims
+        await websocket.accept()
+        ...
+
+For router-level dependencies (protects all endpoints):
+    from svc_infra.api.fastapi.auth.ws_security import RequireWSIdentity
+
+    router = DualAPIRouter(dependencies=[RequireWSIdentity])
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from typing import Annotated, Any, cast
+
+import jwt
+from fastapi import Depends, WebSocket, WebSocketException, status
+
+from svc_infra.api.fastapi.auth.settings import get_auth_settings
+
+
+# ---------- WSPrincipal ----------
+@dataclass
+class WSPrincipal:
+    """Lightweight principal for WebSocket connections.
+
+    Unlike the HTTP `Principal` which loads the full user from DB,
+    `WSPrincipal` contains only JWT claims. This makes it suitable
+    for high-frequency real-time connections without DB overhead.
+
+    Attributes:
+        id: User ID from JWT 'sub' claim (typically UUID string)
+        email: User email from JWT 'email' claim (if present)
+        scopes: List of scopes/permissions from JWT 'scopes' claim
+        claims: Full JWT payload for custom claim access
+        via: Authentication method ('query', 'header', 'subprotocol')
+    """
+
+    id: str
+    email: str | None = None
+    scopes: list[str] = field(default_factory=list)
+    claims: dict = field(default_factory=dict)
+    via: str = "query"  # 'query' | 'header' | 'subprotocol'
+
+
+# ---------- Token extraction ----------
+def _extract_token(websocket: WebSocket) -> tuple[str | None, str]:
+    """Extract JWT token from WebSocket connection.
+
+    Tries extraction in order:
+    1. Query parameter: ?token=xxx
+    2. Authorization header: Bearer xxx
+    3. Sec-WebSocket-Protocol header (for browser clients that can't set headers)
+
+    Returns:
+        Tuple of (token, source) where source is 'query', 'header', or 'subprotocol'
+    """
+    # 1. Query parameter (most common for WebSocket)
+    token = websocket.query_params.get("token")
+    if token:
+        return token.strip(), "query"
+
+    # 2. Authorization header
+    auth_header = websocket.headers.get("authorization", "")
+    if auth_header.lower().startswith("bearer "):
+        token = auth_header.split(" ", 1)[1].strip()
+        if token:
+            return token, "header"
+
+    # 3. Sec-WebSocket-Protocol (browser workaround)
+    # Some clients send token as: Sec-WebSocket-Protocol: bearer, <token>
+    protocol = websocket.headers.get("sec-websocket-protocol", "")
+    if protocol:
+        parts = [p.strip() for p in protocol.split(",")]
+        # Look for token after 'bearer' protocol
+        for i, part in enumerate(parts):
+            if part.lower() == "bearer" and i + 1 < len(parts):
+                return parts[i + 1], "subprotocol"
+
+    return None, ""
+
+
+def _decode_jwt(token: str) -> dict:
+    """Decode and validate JWT token.
+
+    Uses the same JWT settings as HTTP auth (AUTH_JWT__SECRET).
+    Supports key rotation via old_secrets.
+
+    Returns:
+        JWT payload dict
+
+    Raises:
+        WebSocketException: If token is invalid or expired
+    """
+    settings = get_auth_settings()
+
+    if not settings.jwt:
+        raise WebSocketException(
+            code=status.WS_1008_POLICY_VIOLATION,
+            reason="JWT not configured",
+        )
+
+    secret = settings.jwt.secret.get_secret_value()
+    old_secrets = [s.get_secret_value() for s in (settings.jwt.old_secrets or [])]
+    all_secrets = [secret] + old_secrets
+
+    last_error: Exception | None = None
+
+    for s in all_secrets:
+        try:
+            payload = jwt.decode(
+                token,
+                s,
+                algorithms=["HS256"],
+                options={"require": ["sub", "exp"]},
+            )
+            return cast(dict[Any, Any], payload)
+        except jwt.ExpiredSignatureError:
+            raise WebSocketException(
+                code=status.WS_1008_POLICY_VIOLATION,
+                reason="Token expired",
+            )
+        except jwt.InvalidTokenError as e:
+            last_error = e
+            continue
+
+    # None of the secrets worked
+    raise WebSocketException(
+        code=status.WS_1008_POLICY_VIOLATION,
+        reason=f"Invalid token: {last_error}",
+    )
+
+
+# ---------- Resolvers ----------
+async def resolve_ws_bearer_principal(websocket: WebSocket) -> WSPrincipal | None:
+    """Extract and validate JWT from WebSocket, returning WSPrincipal or None.
+
+    This is the optional resolver - returns None if no token present.
+    Use `_ws_current_principal` for required authentication.
+
+    Token sources (in order):
+        1. Query parameter: ?token=xxx
+        2. Authorization header: Bearer xxx
+        3. Sec-WebSocket-Protocol: bearer, xxx
+    """
+    token, source = _extract_token(websocket)
+    if not token:
+        return None
+
+    payload = _decode_jwt(token)
+
+    return WSPrincipal(
+        id=str(payload.get("sub", "")),
+        email=payload.get("email"),
+        scopes=payload.get("scopes", []) or payload.get("scope", "").split(),
+        claims=payload,
+        via=source,
+    )
+
+
+async def _ws_current_principal(
+    websocket: WebSocket,
+    principal: WSPrincipal | None = Depends(resolve_ws_bearer_principal),
+) -> WSPrincipal:
+    """Require authenticated WebSocket connection.
+
+    Use this as a dependency to require authentication.
+    Closes connection with 1008 (Policy Violation) if no valid token.
+    """
+    if not principal:
+        raise WebSocketException(
+            code=status.WS_1008_POLICY_VIOLATION,
+            reason="Missing or invalid authentication",
+        )
+    return principal
+
+
+async def _ws_optional_principal(
+    websocket: WebSocket,
+    principal: WSPrincipal | None = Depends(resolve_ws_bearer_principal),
+) -> WSPrincipal | None:
+    """Optional WebSocket authentication.
+
+    Returns None if no token present, WSPrincipal if valid token.
+    """
+    return principal
+
+
+# ---------- DX: types for endpoint params ----------
+WSIdentity = Annotated[WSPrincipal, Depends(_ws_current_principal)]
+"""Annotated type for required WebSocket authentication.
+
+Usage:
+    @router.websocket("/ws")
+    async def handler(websocket: WebSocket, user: WSIdentity):
+        # user.id, user.email, user.scopes available
+        ...
+"""
+
+OptionalWSIdentity = Annotated[WSPrincipal | None, Depends(_ws_optional_principal)]
+"""Annotated type for optional WebSocket authentication.
+
+Usage:
+    @router.websocket("/ws")
+    async def handler(websocket: WebSocket, user: OptionalWSIdentity):
+        if user:
+            # authenticated
+        else:
+            # anonymous
+        ...
+"""
+
+
+# ---------- DX: constants for router-level dependencies ----------
+RequireWSIdentity = Depends(_ws_current_principal)
+"""Router-level dependency for required WebSocket authentication.
+
+Usage:
+    router = DualAPIRouter(dependencies=[RequireWSIdentity])
+"""
+
+AllowWSIdentity = Depends(_ws_optional_principal)
+"""Router-level dependency for optional WebSocket authentication.
+
+Usage:
+    router = DualAPIRouter(dependencies=[AllowWSIdentity])
+"""
+
+
+# ---------- DX: guard factories ----------
+def RequireWSScopes(*needed: str):
+    """Require specific scopes for WebSocket connection.
+
+    Usage:
+        router = DualAPIRouter(dependencies=[RequireWSScopes("chat:read", "chat:write")])
+    """
+
+    async def _guard(principal: WSIdentity) -> WSPrincipal:
+        if not set(needed).issubset(set(principal.scopes or [])):
+            raise WebSocketException(
+                code=status.WS_1008_POLICY_VIOLATION,
+                reason="Insufficient scope",
+            )
+        return principal
+
+    return Depends(_guard)
+
+
+def RequireWSAnyScope(*candidates: str):
+    """Require at least one of the specified scopes.
+
+    Usage:
+        router = DualAPIRouter(dependencies=[RequireWSAnyScope("admin", "moderator")])
+    """
+
+    async def _guard(principal: WSIdentity) -> WSPrincipal:
+        if not set(principal.scopes or []) & set(candidates):
+            raise WebSocketException(
+                code=status.WS_1008_POLICY_VIOLATION,
+                reason="Insufficient scope",
+            )
+        return principal
+
+    return Depends(_guard)

svc_infra/api/fastapi/billing/router.py

@@ -0,0 +1,73 @@
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import Annotated, Optional
+
+from fastapi import APIRouter, Depends, Response, status
+
+from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
+from svc_infra.api.fastapi.middleware.idempotency import require_idempotency_key
+from svc_infra.api.fastapi.tenancy.context import TenantId
+from svc_infra.billing.async_service import AsyncBillingService
+from svc_infra.billing.schemas import (
+    UsageAckOut,
+    UsageAggregateRow,
+    UsageAggregatesOut,
+    UsageIn,
+)
+
+router = APIRouter(prefix="/_billing", tags=["Billing"])
+
+
+def get_service(tenant_id: TenantId, session: SqlSessionDep) -> AsyncBillingService:
+    return AsyncBillingService(session=session, tenant_id=tenant_id)
+
+
+@router.post(
+    "/usage",
+    name="billing_record_usage",
+    status_code=status.HTTP_202_ACCEPTED,
+    response_model=UsageAckOut,
+    dependencies=[Depends(require_idempotency_key)],
+)
+async def record_usage(
+    data: UsageIn,
+    svc: Annotated[AsyncBillingService, Depends(get_service)],
+    response: Response,
+):
+    at = data.at or datetime.now(tz=timezone.utc)
+    evt_id = await svc.record_usage(
+        metric=data.metric,
+        amount=int(data.amount),
+        at=at,
+        idempotency_key=data.idempotency_key,
+        metadata=data.metadata,
+    )
+    # For 202, no Location header is required, but we can surface the id in the body
+    return UsageAckOut(id=evt_id, accepted=True)
+
+
+@router.get(
+    "/usage",
+    name="billing_list_aggregates",
+    response_model=UsageAggregatesOut,
+)
+async def list_aggregates(
+    metric: str,
+    date_from: Optional[datetime] = None,
+    date_to: Optional[datetime] = None,
+    svc: Annotated[AsyncBillingService, Depends(get_service)] = None,  # type: ignore[assignment]
+):
+    rows = await svc.list_daily_aggregates(
+        metric=metric, date_from=date_from, date_to=date_to
+    )
+    items = [
+        UsageAggregateRow(
+            period_start=r.period_start,
+            granularity=r.granularity,
+            metric=r.metric,
+            total=int(r.total),
+        )
+        for r in rows
+    ]
+    return UsageAggregatesOut(items=items, next_cursor=None)

svc_infra/api/fastapi/billing/setup.py

@@ -0,0 +1,19 @@
+from __future__ import annotations
+
+from fastapi import FastAPI
+
+from .router import router as billing_router
+
+
+def add_billing(app: FastAPI, *, prefix: str = "/_billing") -> None:
+    # Mount under the chosen prefix; default is /_billing
+    if prefix and prefix != "/_billing":
+        # If a custom prefix is desired, clone router with new prefix
+        from fastapi import APIRouter
+
+        custom = APIRouter(prefix=prefix, tags=["Billing"])
+        for route in billing_router.routes:
+            custom.routes.append(route)
+        app.include_router(custom)
+    else:
+        app.include_router(billing_router)

svc_infra/api/fastapi/cache/add.py

@@ -1,3 +1,5 @@
+from contextlib import asynccontextmanager
+
 from fastapi import FastAPI
 
 from svc_infra.cache.backend import shutdown_cache
@@ -5,10 +7,12 @@ from svc_infra.cache.decorators import init_cache
 
 
 def setup_caching(app: FastAPI) -> None:
-    @app.on_event("startup")
-    async def _startup():
+    @asynccontextmanager
+    async def lifespan(_app: FastAPI):
         init_cache()
+        try:
+            yield
+        finally:
+            await shutdown_cache()
 
-    @app.on_event("shutdown")
-    async def _shutdown():
-        await shutdown_cache()
+    app.router.lifespan_context = lifespan

svc_infra/api/fastapi/db/__init__.py

@@ -1,4 +1,8 @@
-from svc_infra.api.fastapi.db.nosql import add_mongo_db, add_mongo_health, add_mongo_resources
+from svc_infra.api.fastapi.db.nosql import (
+    add_mongo_db,
+    add_mongo_health,
+    add_mongo_resources,
+)
 from svc_infra.api.fastapi.db.sql import add_sql_db, add_sql_health, add_sql_resources
 
 __all__ = [

svc_infra/api/fastapi/db/http.py

@@ -25,7 +25,9 @@ class OrderParams(BaseModel):
 
 
 def dep_order(
-    order_by: Optional[str] = Query(None, description="Comma-separated fields; '-' for DESC"),
+    order_by: Optional[str] = Query(
+        None, description="Comma-separated fields; '-' for DESC"
+    ),
 ) -> OrderParams:
     return OrderParams(order_by=order_by)
 

svc_infra/api/fastapi/db/nosql/__init__.py

@@ -1,4 +1,42 @@
-from .mongo.add import add_mongo_db, add_mongo_health, add_mongo_resources
+from __future__ import annotations
+
+from collections.abc import Sequence
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from fastapi import FastAPI
+
+    from svc_infra.db.nosql.resource import NoSqlResource
+
+
+def _missing_mongo_dependency() -> ModuleNotFoundError:
+    return ModuleNotFoundError(
+        "MongoDB support is an optional dependency. Install pymongo (and motor) to use "
+        "Mongo helpers like add_mongo_db/add_mongo_health/add_mongo_resources."
+    )
+
+
+try:
+    from .mongo.add import add_mongo_db, add_mongo_health, add_mongo_resources
+except ModuleNotFoundError as exc:
+    mongo_import_error = exc
+
+    # NOTE: pymongo provides `bson`, which can be absent in minimal installs/CI.
+    # We keep imports working for non-mongo users/tests by providing stubs.
+    def add_mongo_db(app: FastAPI, *, dsn_env: str = "MONGO_URL") -> None:
+        raise _missing_mongo_dependency() from mongo_import_error
+
+    def add_mongo_health(
+        app: FastAPI,
+        *,
+        prefix: str = "/_mongo/health",
+        include_in_schema: bool = False,
+    ) -> None:
+        raise _missing_mongo_dependency() from mongo_import_error
+
+    def add_mongo_resources(app: FastAPI, resources: Sequence[NoSqlResource]) -> None:
+        raise _missing_mongo_dependency() from mongo_import_error
+
 
 __all__ = [
     # MongoDB