svc-infra 0.1.589__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/api/fastapi/apf_payments/setup.py

@@ -1,13 +1,15 @@
 from __future__ import annotations
 
 import logging
-from typing import Iterable, Optional
+from typing import TYPE_CHECKING, Iterable, Optional, cast
 
 from fastapi import FastAPI
 
 from svc_infra.apf_payments.provider.registry import get_provider_registry
 from svc_infra.api.fastapi.apf_payments.router import build_payments_routers
-from svc_infra.api.fastapi.docs.scoped import add_prefixed_docs
+
+if TYPE_CHECKING:
+    from svc_infra.apf_payments.provider.base import ProviderAdapter
 
 logger = logging.getLogger(__name__)
 
@@ -24,9 +26,17 @@ def _maybe_register_default_providers(
             reg.register(StripeAdapter())
         except Exception:
             pass
+        try:
+            from svc_infra.apf_payments.provider.aiydan import AiydanAdapter
+
+            reg.register(AiydanAdapter())
+        except Exception:
+            pass
     if adapters:
         for a in adapters:
-            reg.register(a)  # must implement ProviderAdapter protocol (name, create_intent, etc.)
+            reg.register(
+                cast("ProviderAdapter", a)
+            )  # must implement ProviderAdapter protocol
 
 
 def add_payments(
@@ -35,7 +45,8 @@ def add_payments(
     prefix: str = "/payments",
     register_default_providers: bool = True,
     adapters: Optional[Iterable[object]] = None,
-    include_in_docs: bool | None = None,  # None = keep your env-based default visibility
+    include_in_docs: bool
+    | None = None,  # None = keep your env-based default visibility
 ) -> None:
     """
     One-call payments installer.
@@ -45,14 +56,16 @@ def add_payments(
     - Reuses your OpenAPI defaults (security + responses) via DualAPIRouter factories.
     """
     _maybe_register_default_providers(register_default_providers, adapters)
-    add_prefixed_docs(app, prefix=prefix, title="Payments")
 
     for r in build_payments_routers(prefix=prefix):
         app.include_router(
-            r, include_in_schema=True if include_in_docs is None else bool(include_in_docs)
+            r,
+            include_in_schema=True
+            if include_in_docs is None
+            else bool(include_in_docs),
         )
 
-    @app.on_event("startup")
+    # Store the startup function to be called by lifespan if needed
     async def _payments_startup_check():
         try:
             reg = get_provider_registry()
@@ -60,5 +73,10 @@ def add_payments(
             # Try a cheap call (Stripe: read account or key balance; we just access .name)
             _ = adapter.name
         except Exception as e:
-            # Log loud; don’t crash the whole app by default
+            # Log loud; don't crash the whole app by default
             logger.warning(f"[payments] Provider adapter not ready: {e}")
+
+    # Add to app state for potential lifespan usage
+    if not hasattr(app.state, "startup_events"):
+        app.state.startup_events = []
+    app.state.startup_events.append(_payments_startup_check)

svc_infra/api/fastapi/auth/__init__.py

@@ -0,0 +1,65 @@
+"""Authentication module for svc-infra.
+
+Provides user authentication, authorization, and security primitives.
+
+Key exports:
+- add_auth_users: Add authentication routes to FastAPI app
+- Identity, OptionalIdentity: Annotated dependencies for auth
+- RequireUser, RequireRoles, RequireScopes: Authorization guards
+- Principal: Unified identity (user via JWT/cookie or service via API key)
+- AuthSettings, get_auth_settings: Auth configuration
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+# These imports are safe (no circular dependency)
+from .policy import AuthPolicy, DefaultAuthPolicy
+from .security import (
+    Identity,
+    OptionalIdentity,
+    Principal,
+    RequireAnyScope,
+    RequireIdentity,
+    RequireRoles,
+    RequireScopes,
+    RequireService,
+    RequireUser,
+)
+from .settings import AuthSettings, get_auth_settings, JWTSettings, OIDCProvider
+
+if TYPE_CHECKING:
+    from .add import add_auth_users as add_auth_users
+
+__all__ = [
+    # Main setup
+    "add_auth_users",
+    # Identity/Auth guards
+    "Identity",
+    "OptionalIdentity",
+    "Principal",
+    "RequireIdentity",
+    "RequireUser",
+    "RequireService",
+    "RequireRoles",
+    "RequireScopes",
+    "RequireAnyScope",
+    # Policy
+    "AuthPolicy",
+    "DefaultAuthPolicy",
+    # Settings
+    "AuthSettings",
+    "get_auth_settings",
+    "JWTSettings",
+    "OIDCProvider",
+]
+
+
+def __getattr__(name: str):
+    """Lazy import for add_auth_users to avoid circular import."""
+    if name == "add_auth_users":
+        from .add import add_auth_users
+
+        return add_auth_users
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")

svc_infra/api/fastapi/auth/_cookies.py

@@ -16,7 +16,9 @@ def _is_local_host(host: str) -> bool:
 
 def _is_https(request: Request) -> bool:
     proto = (
-        (request.headers.get("x-forwarded-proto") or request.url.scheme or "").split(",")[0].strip()
+        (request.headers.get("x-forwarded-proto") or request.url.scheme or "")
+        .split(",")[0]
+        .strip()
     )
     return proto.lower() == "https"
 
@@ -31,7 +33,9 @@ def compute_cookie_params(request: Request, *, name: str) -> dict:
 
     explicit_secure = getattr(st, "session_cookie_secure", None)
     secure = (
-        bool(explicit_secure) if explicit_secure is not None else (_is_https(request) or IS_PROD)
+        bool(explicit_secure)
+        if explicit_secure is not None
+        else (_is_https(request) or IS_PROD)
     )
 
     samesite = str(getattr(st, "session_cookie_samesite", "lax")).lower()

svc_infra/api/fastapi/auth/add.py

@@ -11,12 +11,12 @@ from svc_infra.api.fastapi.auth.mfa.router import mfa_router
 from svc_infra.api.fastapi.auth.routers.account import account_router
 from svc_infra.api.fastapi.auth.routers.apikey_router import apikey_router
 from svc_infra.api.fastapi.auth.routers.oauth_router import oauth_router_with_backend
+from svc_infra.api.fastapi.auth.routers.session_router import build_session_router
 from svc_infra.api.fastapi.db.sql.users import get_fastapi_users
 from svc_infra.api.fastapi.paths.prefix import AUTH_PREFIX, USER_PREFIX
-from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV
+from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV, require_secret
 from svc_infra.db.sql.apikey import bind_apikey_model
 
-from ..docs.scoped import add_prefixed_docs
 from .policy import AuthPolicy, DefaultAuthPolicy
 from .providers import providers_from_settings
 from .settings import get_auth_settings
@@ -73,6 +73,15 @@ def install_user_routers(
         include_in_schema=include_in_docs,
         dependencies=[Depends(login_client_gaurd)],
     )
+    # Session/device listing & revocation endpoints (AuthSession model)
+    # Mounted under the user prefix so final paths become /{user_prefix}/sessions/... (e.g., /users/sessions/me)
+    # The router itself has a /sessions prefix.
+    app.include_router(
+        build_session_router(),
+        prefix=user_prefix,
+        tags=["Session Management"],
+        include_in_schema=include_in_docs,
+    )
     app.include_router(
         register_router,
         prefix=user_prefix,
@@ -126,12 +135,14 @@ def setup_oauth_authentication(
     if not providers:
         return
 
+    redirect_url = (
+        post_login_redirect or getattr(settings_obj, "post_login_redirect", None) or "/"
+    )
     oauth_router_instance = oauth_router_with_backend(
         user_model=user_model,
         auth_backend=auth_backend,
         providers=providers,
-        post_login_redirect=post_login_redirect
-        or getattr(settings_obj, "post_login_redirect", "/"),
+        post_login_redirect=redirect_url,
         provider_account_model=provider_account_model,
         auth_policy=auth_policy,
     )
@@ -257,19 +268,24 @@ def add_auth_users(
     )
 
     # Make the boot-time strategy and model available to resolvers
-    set_auth_state(user_model=user_model, get_strategy=get_strategy, auth_prefix=auth_prefix)
+    set_auth_state(
+        user_model=user_model, get_strategy=get_strategy, auth_prefix=auth_prefix
+    )
 
     settings_obj = get_auth_settings()
     policy = auth_policy or DefaultAuthPolicy(settings_obj)
     include_in_docs = CURRENT_ENVIRONMENT in (LOCAL_ENV, DEV_ENV)
 
-    if not any(m.cls.__name__ == "SessionMiddleware" for m in app.user_middleware):
+    if not any(m.cls.__name__ == "SessionMiddleware" for m in app.user_middleware):  # type: ignore[attr-defined]
         jwt_block = getattr(settings_obj, "jwt", None)
-        secret = (
-            jwt_block.secret.get_secret_value()
-            if jwt_block and getattr(jwt_block, "secret", None)
-            else "svc-dev-secret-change-me"
-        )
+        if jwt_block and getattr(jwt_block, "secret", None):
+            secret = jwt_block.secret.get_secret_value()
+        else:
+            secret = require_secret(
+                None,
+                "JWT_SECRET (via auth settings jwt.secret for SessionMiddleware)",
+                dev_default="dev-only-session-jwt-secret-not-for-production",
+            )
         same_site_lit = cast(
             Literal["lax", "strict", "none"],
             str(getattr(settings_obj, "session_cookie_samesite", "lax")).lower(),
@@ -283,9 +299,6 @@ def add_auth_users(
             https_only=bool(getattr(settings_obj, "session_cookie_secure", False)),
         )
 
-    add_prefixed_docs(app, prefix=user_prefix, title="Users")
-    add_prefixed_docs(app, prefix=auth_prefix, title="Auth")
-
     if enable_password:
         setup_password_authentication(
             app,

svc_infra/api/fastapi/auth/gaurd.py

@@ -1,16 +1,20 @@
 from __future__ import annotations
 
+import hashlib
 from datetime import datetime, timezone
+from typing import Any
 
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
 from fastapi.responses import JSONResponse
 from fastapi_users import FastAPIUsers
-from fastapi_users.authentication import AuthenticationBackend
+from fastapi_users.authentication import AuthenticationBackend, Strategy
 from fastapi_users.password import PasswordHelper
+from starlette.datastructures import FormData
 
 from svc_infra.api.fastapi.auth._cookies import compute_cookie_params
 from svc_infra.api.fastapi.auth.policy import AuthPolicy, DefaultAuthPolicy
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
+from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.public import public_router
 
 _pwd = PasswordHelper()
@@ -29,28 +33,38 @@ async def login_client_gaurd(request: Request):
 
     # only enforce on the login endpoint (form-encoded)
     if request.method.upper() == "POST" and request.url.path.endswith("/login"):
+        form: FormData | dict[str, Any]
         try:
             form = await request.form()
         except Exception:
             form = {}
 
-        client_id = (form.get("client_id") or "").strip()
-        client_secret = (form.get("client_secret") or "").strip()
+        client_id_raw = form.get("client_id")
+        client_secret_raw = form.get("client_secret")
+        client_id = client_id_raw.strip() if isinstance(client_id_raw, str) else ""
+        client_secret = (
+            client_secret_raw.strip() if isinstance(client_secret_raw, str) else ""
+        )
         if not client_id or not client_secret:
             raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED, detail="client_credentials_required"
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="client_credentials_required",
             )
 
         # validate against configured clients
         ok = False
         for pc in getattr(st, "password_clients", []) or []:
-            if pc.client_id == client_id and pc.client_secret.get_secret_value() == client_secret:
+            if (
+                pc.client_id == client_id
+                and pc.client_secret.get_secret_value() == client_secret
+            ):
                 ok = True
                 break
 
         if not ok:
             raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_client_credentials"
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="invalid_client_credentials",
             )
 
 
@@ -65,36 +79,103 @@ def auth_session_router(
     router = public_router()
     policy = auth_policy or DefaultAuthPolicy(get_auth_settings())
 
+    from svc_infra.security.lockout import get_lockout_status, record_attempt
+
     @router.post("/login", name="auth:jwt.login")
     async def login(
         request: Request,
+        session: SqlSessionDep,
         username: str = Form(...),
         password: str = Form(...),
         scope: str = Form(""),
         client_id: str | None = Form(None),
         client_secret: str | None = Form(None),
+        strategy: Strategy[Any, Any] = Depends(auth_backend.get_strategy),
         user_manager=Depends(fapi.get_user_manager),
     ):
-        # 1) lookup user (normalize email)
-        strategy = auth_backend.get_strategy()
-
         email = username.strip().lower()
+        # Compute IP hash for lockout correlation
+        client_ip = getattr(request.client, "host", None)
+        ip_hash = hashlib.sha256(client_ip.encode()).hexdigest() if client_ip else None
+
+        # Pre-check lockout by IP to avoid enumeration
+        try:
+            status_lo = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
+            if status_lo.locked and status_lo.next_allowed_at:
+                retry = int(
+                    (
+                        status_lo.next_allowed_at - datetime.now(timezone.utc)
+                    ).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
+
+        # Lookup user
         user = await user_manager.user_db.get_by_email(email)
         if not user:
             _, _ = _pwd.verify_and_update(password, _DUMMY_BCRYPT)
+            try:
+                await record_attempt(
+                    session, user_id=None, ip_hash=ip_hash, success=False
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
-        # 2) verify status + password
+        # Status checks
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        hashed = getattr(user, "hashed_password", None) or getattr(user, "password_hash", None)
+        hashed = getattr(user, "hashed_password", None) or getattr(
+            user, "password_hash", None
+        )
         if not hashed:
-            # No password set (likely OAuth-only account)
+            try:
+                await record_attempt(
+                    session,
+                    user_id=getattr(user, "id", None),
+                    ip_hash=ip_hash,
+                    success=False,
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
+        # Check lockout for this user + IP before verifying password
+        try:
+            status_user = await get_lockout_status(
+                session, user_id=getattr(user, "id", None), ip_hash=ip_hash
+            )
+            if status_user.locked and status_user.next_allowed_at:
+                retry = int(
+                    (
+                        status_user.next_allowed_at - datetime.now(timezone.utc)
+                    ).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
+
         ok, new_hash = _pwd.verify_and_update(password, hashed)
         if not ok:
+            try:
+                await record_attempt(
+                    session,
+                    user_id=getattr(user, "id", None),
+                    ip_hash=ip_hash,
+                    success=False,
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
 
         # If the hash needs upgrading, persist it (optional but recommended)
@@ -106,7 +187,6 @@ def auth_session_router(
             try:
                 await user_manager.user_db.update(user)
             except Exception:
-                # don't block login if updating hash fails; log if you have logging here
                 pass
 
         if getattr(user, "is_verified") is False:
@@ -130,6 +210,17 @@ def auth_session_router(
             # don’t block login if this write fails
             pass
 
+        # Record successful attempt (for audit)
+        try:
+            await record_attempt(
+                session,
+                user_id=getattr(user, "id", None),
+                ip_hash=ip_hash,
+                success=True,
+            )
+        except Exception:
+            pass
+
         # 5) mint token and set cookie
         token = await strategy.write_token(user)
         st = get_auth_settings()

svc_infra/api/fastapi/auth/mfa/models.py

@@ -4,7 +4,9 @@ from typing import Optional
 from pydantic import BaseModel
 
 # --- Email OTP store (replace with Redis in prod) ---
-EMAIL_OTP_STORE: dict[str, dict] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
+EMAIL_OTP_STORE: dict[
+    str, dict
+] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
 
 
 class StartSetupOut(BaseModel):

svc_infra/api/fastapi/auth/mfa/pre_auth.py

@@ -1,18 +1,22 @@
 from datetime import datetime, timezone
 
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
+from svc_infra.app.env import require_secret
 
 
 def get_mfa_pre_jwt_writer():
     st = get_auth_settings()
     jwt_block = getattr(st, "jwt", None)
 
-    # Force to plain string
-    secret = (
-        jwt_block.secret.get_secret_value()
-        if jwt_block and getattr(jwt_block, "secret", None)
-        else "svc-dev-secret-change-me"
-    )
+    # Force to plain string - use require_secret to ensure it's set in production
+    if jwt_block and getattr(jwt_block, "secret", None):
+        secret = jwt_block.secret.get_secret_value()
+    else:
+        secret = require_secret(
+            None,
+            "JWT_SECRET (via auth settings jwt.secret for MFA)",
+            dev_default="dev-only-mfa-jwt-secret-not-for-production",
+        )
     secret = str(secret)
 
     lifetime = int(getattr(st, "mfa_pre_token_lifetime_seconds", 300))

svc_infra/api/fastapi/auth/mfa/router.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 from datetime import datetime, timezone
+from typing import Any, cast
 
 import pyotp
 from fastapi import APIRouter, Body, Depends, HTTPException, Request, status
@@ -79,7 +80,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid token")
 
         # IMPORTANT: rehydrate into *your* session
-        db_user = await session.get(user_model, user.id)
+        db_user = await cast(Any, session).get(user_model, user.id)
         if not db_user:
             raise HTTPException(401, "Invalid token")
 
@@ -113,7 +114,9 @@ def mfa_router(
         # )).scalar_one()
         # assert fresh_secret == secret
 
-        return StartSetupOut(otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri))
+        return StartSetupOut(
+            otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri)
+        )
 
     @u.post(
         MFA_CONFIRM_PATH,
@@ -126,7 +129,7 @@ def mfa_router(
 
         # RELOAD from DB to avoid stale state
         user = (
-            await session.execute(select(user_model).where(user_model.id == user.id))
+            await session.execute(select(user_model).where(user_model.id == user.id))  # type: ignore[attr-defined]
         ).scalar_one()
 
         if not getattr(user, "mfa_secret", None):
@@ -198,7 +201,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 2) load user
-        user = await session.get(user_model, uid)
+        user = await cast(Any, session).get(user_model, uid)
         if not user:
             raise HTTPException(401, "Invalid pre-auth token")
 
@@ -206,7 +209,9 @@ def mfa_router(
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        if (not getattr(user, "mfa_enabled", False)) or (not getattr(user, "mfa_secret", None)):
+        if (not getattr(user, "mfa_enabled", False)) or (
+            not getattr(user, "mfa_secret", None)
+        ):
             raise HTTPException(401, "MFA not enabled")
 
         # 3) verify TOTP or fallback
@@ -248,7 +253,9 @@ def mfa_router(
         # 4) mint normal JWT and set cookie
         token = await strategy.write_token(user)
         resp = JSONResponse({"access_token": token, "token_type": "bearer"})
-        cp = compute_cookie_params(request, name=st.auth_cookie_name)  # <-- pass Request here
+        cp = compute_cookie_params(
+            request, name=st.auth_cookie_name
+        )  # <-- pass Request here
         resp.set_cookie(**cp, value=token)
         return resp
 
@@ -271,7 +278,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 1b) Load user to get their email
-        user = await session.get(user_model, uid)
+        user = await cast(Any, session).get(user_model, uid)
         if not user or not getattr(user, "email", None):
             # (optionally also check user.mfa_enabled here)
             raise HTTPException(401, "Invalid pre-auth token")
@@ -326,7 +333,7 @@ def mfa_router(
         # Email OTP is always offered in your flow at verify-time
         methods.append("email")
 
-        def _mask(email: str) -> str:
+        def _mask(email: str) -> str | None:
             if not email or "@" not in email:
                 return None
             name, domain = email.split("@", 1)

svc_infra/api/fastapi/auth/mfa/security.py

@@ -5,8 +5,7 @@ from fastapi import Body, Depends, HTTPException, Query
 from svc_infra.api.fastapi.auth.security import Identity
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 
-from .models import MFAProof
-from .verify import verify_mfa_for_user
+from .verify import MFAProof, verify_mfa_for_user
 
 
 def RequireMFAIfEnabled(body_field: str = "mfa"):

svc_infra/api/fastapi/auth/mfa/utils.py

@@ -29,7 +29,8 @@ def _gen_recovery_codes(n: int, length: int) -> list[str]:
 def _gen_numeric_code(n: int = 6) -> str:
     import random
 
-    return "".join(str(random.randrange(10)) for _ in range(n))
+    code = "".join(str(random.randrange(10)) for _ in range(n))
+    return code
 
 
 def _hash(s: str) -> str:

svc_infra/api/fastapi/auth/mfa/verify.py

@@ -73,11 +73,18 @@ async def verify_mfa_for_user(
             now = _now_utc_ts()
             if rec:
                 attempts_left = rec.get("attempts_left")
-                if now <= rec["exp"] and attempts_left and attempts_left > 0 and rec["hash"] == dig:
+                if (
+                    now <= rec["exp"]
+                    and attempts_left
+                    and attempts_left > 0
+                    and rec["hash"] == dig
+                ):
                     EMAIL_OTP_STORE.pop(uid, None)  # burn on success
                     return MFAResult(ok=True, method="email", attempts_left=None)
                 # decrement on failure
                 rec["attempts_left"] = max(0, (attempts_left or 0) - 1)
-                return MFAResult(ok=False, method="email", attempts_left=rec["attempts_left"])
+                return MFAResult(
+                    ok=False, method="email", attempts_left=rec["attempts_left"]
+                )
 
     return MFAResult(ok=False, method="none", attempts_left=None)

svc_infra/api/fastapi/auth/policy.py

@@ -4,7 +4,6 @@ from typing import Any, Protocol
 
 
 class AuthPolicy(Protocol):
-
     async def should_require_mfa(self, user: Any) -> bool:
         pass
 

svc_infra/api/fastapi/auth/providers.py

@@ -64,7 +64,9 @@ def providers_from_settings(settings: Any) -> Dict[str, Dict[str, Any]]:
         }
 
     # LinkedIn (non-OIDC)
-    if getattr(settings, "li_client_id", None) and getattr(settings, "li_client_secret", None):
+    if getattr(settings, "li_client_id", None) and getattr(
+        settings, "li_client_secret", None
+    ):
         reg["linkedin"] = {
             "kind": "linkedin",
             "authorize_url": "https://www.linkedin.com/oauth/v2/authorization",