svc-infra 0.1.589__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/db/sql/templates/models_schemas/auth/models.py.tmpl

@@ -129,62 +129,13 @@ for _ix in make_unique_sql_indexes(
     # Registered with Table metadata (alembic/autogenerate will pick them up)
     pass
 
-# ------------------------------ Model: ProviderAccount -------------------------
-
-class ProviderAccount(ModelBase):
-    """
-    Links a local user to an external identity provider account.
-
-    - (provider, provider_account_id) is unique
-    - Optionally stores tokens for later API calls (refresh_token encrypted at rest)
-    """
-    __tablename__ = "provider_accounts"
-
-    id: Mapped[uuid.UUID] = mapped_column(GUID(), primary_key=True, default=uuid.uuid4)
-
-    user_id: Mapped[uuid.UUID] = mapped_column(
-        GUID(), ForeignKey("${auth_table_name}.id", ondelete="CASCADE"), nullable=False
-    )
-    user: Mapped["${AuthEntity}"] = relationship(
-        back_populates="provider_accounts",
-        lazy="selectin",
-    )
-
-    provider: Mapped[str] = mapped_column(String(50), nullable=False)               # "google"|"github"|"linkedin"|"microsoft"|...
-    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)   # sub/oid (OIDC) or id (github/linkedin)
-
-    # Optional token material
-    access_token: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
-
-    # Store encrypted refresh_token in the same column name for DB compatibility.
-    _refresh_token: Mapped[Optional[str]] = mapped_column("refresh_token", Text, nullable=True)
-
-    @property
-    def refresh_token(self) -> Optional[str]:
-        return _decrypt(self._refresh_token)
-
-    @refresh_token.setter
-    def refresh_token(self, value: Optional[str]) -> None:
-        self._refresh_token = _encrypt(value)
-
-    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
-    raw_claims: Mapped[Optional[dict]] = mapped_column(MutableDict.as_mutable(JSON), nullable=True)
-
-    created_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-    updated_at = mapped_column(
-        DateTime(timezone=True), server_default=text("CURRENT_TIMESTAMP"),
-        onupdate=text("CURRENT_TIMESTAMP"), nullable=False
-    )
-
-    __table_args__ = (
-        UniqueConstraint("provider", "provider_account_id", name="uq_provider_account"),
-        Index("ix_provider_accounts_user_id", "user_id"),
-    )
-
-    def __repr__(self) -> str:
-        return f"<ProviderAccount provider={self.provider!r} provider_account_id={self.provider_account_id!r} user_id={self.user_id}>"
+# NOTE: ProviderAccount model is imported from svc_infra.security.oauth_models
+# It's an opt-in OAuth model that links users to providers (Google, GitHub, etc.)
+# The relationship 'provider_accounts' is defined above in the ${AuthEntity} class.
+# To enable OAuth in your project:
+#   1. Set ALEMBIC_ENABLE_OAUTH=true in your .env
+#   2. Pass provider_account_model=ProviderAccount to add_auth_users()
+#   3. Import: from svc_infra.security.oauth_models import ProviderAccount
 
 # --- Auth service factory ------------------------------------------------------
 

svc_infra/db/sql/templates/models_schemas/auth/schemas.py.tmpl

@@ -18,7 +18,7 @@ class Timestamped(BaseModel):
 
 class ProviderAccountBase(BaseModel):
     model_config = ConfigDict(from_attributes=True)
-    provider: str = Field(..., examples=["google", "github", "linkedin", "microsoft"])
+    provider: str = Field(..., json_schema_extra={"examples": ["google", "github", "linkedin", "microsoft"]})
     provider_account_id: str
 
 class ProviderAccountRead(ProviderAccountBase, Timestamped):

svc_infra/db/sql/templates/setup/env_async.py.tmpl

@@ -6,13 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
-from sqlalchemy.ext.asyncio import create_async_engine
 
-from svc_infra.db.sql.utils import (
-    get_database_url_from_env,
-    _ensure_ssl_default_async as _ensure_ssl_default,
-)
+from svc_infra.db.sql.utils import get_database_url_from_env
 
 try:
     from svc_infra.db.sql.types import GUID as _GUID  # type: ignore
@@ -105,7 +102,6 @@ def _coerce_to_async(u: URL) -> URL:
 
 u = make_url(effective_url)
 u = _coerce_to_async(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 # feature flags
@@ -131,15 +127,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
-                md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
-                    found.append(md)
+                # Strict check: must be actual MetaData instance
+                if isinstance(val, MetaData) and val.tables:
+                    found.append(val)
         except Exception:
             pass
 
@@ -177,8 +174,16 @@ def _collect_metadata() -> list[object]:
                 if name not in pkgs:
                     pkgs.append(name)
 
+    # Only attempt bare 'models' import if it is discoverable to avoid noisy tracebacks
     if "models" not in pkgs:
-        pkgs.append("models")
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # Best-effort; if discovery fails, skip adding bare 'models'
+            pass
 
     def _import_and_collect(modname: str):
         try:
@@ -221,6 +226,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model
         try_autobind_apikey_model(require_env=False)
@@ -352,7 +372,9 @@ def _do_run_migrations(connection):
 
 async def run_migrations_online() -> None:
     url = config.get_main_option("sqlalchemy.url")
-    engine = create_async_engine(url)
+    # Use build_engine to ensure proper driver-specific handling (e.g., asyncpg SSL)
+    from svc_infra.db.sql.utils import build_engine
+    engine = build_engine(url)
     async with engine.connect() as connection:
         await connection.run_sync(_do_run_migrations)
     await engine.dispose()

svc_infra/db/sql/templates/setup/env_sync.py.tmpl

@@ -6,11 +6,10 @@ from typing import List, Tuple
 import sys, pathlib, importlib, pkgutil, traceback
 
 from alembic import context
+from sqlalchemy import MetaData
 from sqlalchemy.engine import make_url, URL
 
 from svc_infra.db.sql.utils import (
-    _coerce_sync_driver,
-    _ensure_ssl_default,
     get_database_url_from_env,
     build_engine,
 )
@@ -103,7 +102,6 @@ if not effective_url:
 
 u = make_url(effective_url)
 u = _coerce_sync_driver(u)
-u = _ensure_ssl_default(u)
 config.set_main_option("sqlalchemy.url", u.render_as_string(hide_password=False))
 
 
@@ -142,14 +140,16 @@ def _collect_metadata() -> list[object]:
 
     def _maybe_add(obj: object) -> None:
         md = getattr(obj, "metadata", None) or obj
-        if hasattr(md, "tables") and getattr(md, "tables"):
+        # Strict check: must be actual MetaData instance
+        if isinstance(md, MetaData) and md.tables:
             found.append(md)
 
     def _scan_module_objects(mod: object) -> None:
         try:
             for val in vars(mod).values():
                 md = getattr(val, "metadata", None) or None
-                if md is not None and hasattr(md, "tables") and getattr(md, "tables"):
+                # Only add if it's a SQLAlchemy MetaData object (has tables dict, not a callable/generator)
+                if md is not None and hasattr(md, "tables") and isinstance(getattr(md, "tables", None), dict):
                     found.append(md)
         except Exception:
             pass
@@ -191,9 +191,16 @@ def _collect_metadata() -> list[object]:
                 if name not in pkgs:
                     pkgs.append(name)
 
-    # Always also try a bare 'models'
+    # Only attempt a bare 'models' import if discoverable to avoid noisy tracebacks
     if "models" not in pkgs:
-        pkgs.append("models")
+        try:
+            spec = getattr(importlib, "util", None)
+            if spec is not None and getattr(spec, "find_spec", None) is not None:
+                if spec.find_spec("models") is not None:
+                    pkgs.append("models")
+        except Exception:
+            # If discovery fails, skip adding bare 'models'
+            pass
 
     def _import_and_collect(modname: str):
         try:
@@ -239,6 +246,21 @@ def _collect_metadata() -> list[object]:
     except Exception:
         _note("ModelBase import", False, traceback.format_exc())
 
+    # Core security models (AuthSession, RefreshToken, etc.)
+    try:
+        import svc_infra.security.models  # noqa: F401
+        _note("svc_infra.security.models", True, None)
+    except Exception:
+        _note("svc_infra.security.models", False, traceback.format_exc())
+
+    # OAuth models (opt-in via environment variable)
+    if os.getenv("ALEMBIC_ENABLE_OAUTH", "").lower() in {"1", "true", "yes"}:
+        try:
+            import svc_infra.security.oauth_models  # noqa: F401
+            _note("svc_infra.security.oauth_models", True, None)
+        except Exception:
+            _note("svc_infra.security.oauth_models", False, traceback.format_exc())
+
     # Optional: autobind API key model
     try:
         from svc_infra.db.sql.apikey import try_autobind_apikey_model

svc_infra/db/sql/tenant.py

@@ -0,0 +1,88 @@
+from __future__ import annotations
+
+from typing import Any, Sequence
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from .service import SqlService
+
+
+class TenantSqlService(SqlService):
+    """
+    SQL service wrapper that automatically scopes operations to a tenant.
+
+    - Adds a where filter (model.tenant_field == tenant_id) for list/get/update/delete/search/count.
+    - On create, if the model has the tenant field and it's not set in data, injects tenant_id.
+    """
+
+    def __init__(self, repo, *, tenant_id: str, tenant_field: str = "tenant_id"):
+        super().__init__(repo)
+        self.tenant_id = tenant_id
+        self.tenant_field = tenant_field
+
+    def _where(self) -> Sequence[Any]:
+        model = self.repo.model
+        col = getattr(model, self.tenant_field, None)
+        if col is None:
+            return []
+        return [col == self.tenant_id]
+
+    async def list(
+        self, session: AsyncSession, *, limit: int, offset: int, order_by=None
+    ):
+        return await self.repo.list(
+            session, limit=limit, offset=offset, order_by=order_by, where=self._where()
+        )
+
+    async def count(self, session: AsyncSession) -> int:
+        return await self.repo.count(session, where=self._where())
+
+    async def get(self, session: AsyncSession, id_value: Any):
+        return await self.repo.get(session, id_value, where=self._where())
+
+    async def create(self, session: AsyncSession, data: dict[str, Any]):
+        data = await self.pre_create(data)
+        # inject tenant_id if model supports it and value missing
+        if (
+            self.tenant_field in self.repo._model_columns()
+            and self.tenant_field not in data
+        ):
+            data[self.tenant_field] = self.tenant_id
+        return await self.repo.create(session, data)
+
+    async def update(self, session: AsyncSession, id_value: Any, data: dict[str, Any]):
+        data = await self.pre_update(data)
+        return await self.repo.update(session, id_value, data, where=self._where())
+
+    async def delete(self, session: AsyncSession, id_value: Any) -> bool:
+        return await self.repo.delete(session, id_value, where=self._where())
+
+    async def search(
+        self,
+        session: AsyncSession,
+        *,
+        q: str,
+        fields: Sequence[str],
+        limit: int,
+        offset: int,
+        order_by=None,
+    ):
+        return await self.repo.search(
+            session,
+            q=q,
+            fields=fields,
+            limit=limit,
+            offset=offset,
+            order_by=order_by,
+            where=self._where(),
+        )
+
+    async def count_filtered(
+        self, session: AsyncSession, *, q: str, fields: Sequence[str]
+    ) -> int:
+        return await self.repo.count_filtered(
+            session, q=q, fields=fields, where=self._where()
+        )
+
+
+__all__ = ["TenantSqlService"]

svc_infra/db/sql/uniq_hooks.py

@@ -73,7 +73,9 @@ def dedupe_sql_service(
 
         return clauses
 
-    async def _precheck(session, data: Dict[str, Any], *, exclude_id: Any | None) -> None:
+    async def _precheck(
+        session, data: Dict[str, Any], *, exclude_id: Any | None
+    ) -> None:
         # Check CI specs first to catch the broadest conflicts, then CS.
         for ci, spec_list in ((True, unique_ci), (False, unique_cs)):
             for spec in spec_list:
@@ -97,7 +99,9 @@ def dedupe_sql_service(
                 return await self.repo.create(session, data)
             except IntegrityError as e:
                 # Race fallback: let DB constraint be the last line of defense.
-                raise HTTPException(status_code=409, detail="Record already exists.") from e
+                raise HTTPException(
+                    status_code=409, detail="Record already exists."
+                ) from e
 
         async def update(self, session, id_value, data):
             data = await self.pre_update(data)
@@ -105,6 +109,8 @@ def dedupe_sql_service(
             try:
                 return await self.repo.update(session, id_value, data)
             except IntegrityError as e:
-                raise HTTPException(status_code=409, detail="Record already exists.") from e
+                raise HTTPException(
+                    status_code=409, detail="Record already exists."
+                ) from e
 
     return _Svc(repo, pre_create=pre_create, pre_update=pre_update)