PyPI - svc-infra - Versions diffs - 0.1.593__tar.gz → 0.1.594__tar.gz - Mend

svc-infra 0.1.593tar.gz → 0.1.594tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of svc-infra might be problematic. Click here for more details.

Files changed (253) hide show

{svc_infra-0.1.593 → svc_infra-0.1.594}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: svc-infra
-Version: 0.1.593
+Version: 0.1.594
 Summary: Infrastructure for building and deploying prod-ready services
 License: MIT
 Keywords: fastapi,sqlalchemy,alembic,auth,infra,async,pydantic

{svc_infra-0.1.593 → svc_infra-0.1.594}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "svc-infra"
-version = "0.1.593"
+version = "0.1.594"
 description = "Infrastructure for building and deploying prod-ready services"
 authors = ["Ali Khatami <aliikhatami94@gmail.com>"]
 license = "MIT"
@@ -119,6 +119,10 @@ testpaths = ["tests"]
 python_files = ["test_*.py", "*_test.py"]
 python_classes = ["Test*",]
 python_functions = ["test_*"]
+markers = [
+    "security: Security and auth hardening tests",
+    "ratelimit: Rate limiting and abuse protection tests",
+]
 filterwarnings = [
     "ignore:The `route` decorator is deprecated:DeprecationWarning:starlette.*",
 ]

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/apf_payments/provider/aiydan.py RENAMED Viewed

@@ -5,6 +5,7 @@ from datetime import date, datetime, timezone
 from typing import Any, Optional, Sequence, Tuple
 from svc_infra.apf_payments.schemas import (
+    BalanceAmount,
     BalanceSnapshotOut,
     CustomerOut,
     CustomerUpsertIn,
@@ -277,13 +278,38 @@ def _usage_record_to_out(data: dict[str, Any]) -> UsageRecordOut:
         provider_price_id=(
             str(data.get("provider_price_id")) if data.get("provider_price_id") else None
         ),
+        action=(str(data.get("action")) if data.get("action") else None),
     )
 def _balance_snapshot_to_out(data: dict[str, Any]) -> BalanceSnapshotOut:
+    def _normalize(side: Any) -> list[dict[str, Any]]:
+        if isinstance(side, list):
+            out: list[dict[str, Any]] = []
+            for item in side:
+                if isinstance(item, dict) and "currency" in item and "amount" in item:
+                    out.append(
+                        {
+                            "currency": str(item["currency"]).upper(),
+                            "amount": int(item["amount"] or 0),
+                        }
+                    )
+            return out
+        if isinstance(side, dict):
+            return [
+                {"currency": str(cur).upper(), "amount": int(amt or 0)} for cur, amt in side.items()
+            ]
+        return []
     return BalanceSnapshotOut(
-        available=data.get("available", {}),
-        pending=data.get("pending", {}),
+        available=[
+            BalanceAmount(currency=i["currency"], amount=i["amount"])
+            for i in _normalize(data.get("available"))
+        ],
+        pending=[
+            BalanceAmount(currency=i["currency"], amount=i["amount"])
+            for i in _normalize(data.get("pending"))
+        ],
     )

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/apf_payments/service.py RENAMED Viewed

@@ -65,9 +65,24 @@ def _default_provider_name() -> str:
 class PaymentsService:
+    """Payments service facade wrapping provider adapters and persisting key rows.
-    def __init__(self, session: AsyncSession, provider_name: Optional[str] = None):
+    NOTE: tenant_id is now required for all persistence operations. This is a breaking
+    change; callers must supply a valid tenant scope. (Future: could allow multi-tenant
+    mapping via adapter registry.)
+    """
+    def __init__(
+        self,
+        session: AsyncSession,
+        *,
+        tenant_id: str,
+        provider_name: Optional[str] = None,
+    ):
+        if not tenant_id:
+            raise ValueError("tenant_id is required for PaymentsService")
         self.session = session
+        self.tenant_id = tenant_id
         self._provider_name = (provider_name or _default_provider_name()).lower()
         self._adapter = None  # resolved on first use
@@ -118,6 +133,7 @@ class PaymentsService:
             # If your PayCustomer model has additional columns (email/name), include them here.
             self.session.add(
                 PayCustomer(
+                    tenant_id=self.tenant_id,
                     provider=out.provider,
                     provider_customer_id=out.provider_customer_id,
                     user_id=data.user_id,
@@ -132,6 +148,7 @@ class PaymentsService:
         out = await adapter.create_intent(data, user_id=user_id)
         self.session.add(
             PayIntent(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_intent_id=out.provider_intent_id,
                 user_id=user_id,
@@ -167,6 +184,32 @@ class PaymentsService:
     async def refund(self, provider_intent_id: str, data: RefundIn) -> IntentOut:
         adapter = self._get_adapter()
         out = await adapter.refund(provider_intent_id, data)
+        # Create ledger entry if amount present and not already recorded
+        pi = await self.session.scalar(
+            select(PayIntent).where(PayIntent.provider_intent_id == provider_intent_id)
+        )
+        if pi:
+            amount = int(data.amount) if data.amount is not None else out.amount
+            # Guard against duplicates (same provider_ref + kind)
+            existing = await self.session.scalar(
+                select(LedgerEntry).where(
+                    LedgerEntry.provider_ref == provider_intent_id,
+                    LedgerEntry.kind == "refund",
+                )
+            )
+            if amount > 0 and not existing:
+                self.session.add(
+                    LedgerEntry(
+                        tenant_id=self.tenant_id,
+                        provider=pi.provider,
+                        provider_ref=provider_intent_id,
+                        user_id=pi.user_id,
+                        amount=+amount,
+                        currency=out.currency,
+                        kind="refund",
+                        status="posted",
+                    )
+                )
         return out
     # --- Webhooks -------------------------------------------------------------
@@ -176,6 +219,7 @@ class PaymentsService:
         parsed = await adapter.verify_and_parse_webhook(signature, payload)
         self.session.add(
             PayEvent(
+                tenant_id=self.tenant_id,
                 provider=provider,
                 provider_event_id=parsed["id"],
                 type=parsed.get("type", ""),
@@ -199,6 +243,7 @@ class PaymentsService:
             intent.status = "succeeded"
             self.session.add(
                 LedgerEntry(
+                    tenant_id=self.tenant_id,
                     provider=intent.provider,
                     provider_ref=provider_intent_id,
                     user_id=intent.user_id,
@@ -217,17 +262,27 @@ class PaymentsService:
             select(PayIntent).where(PayIntent.provider_intent_id == pi_id)
         )
         if intent:
-            self.session.add(
-                LedgerEntry(
-                    provider=intent.provider,
-                    provider_ref=charge_obj.get("id"),
-                    user_id=intent.user_id,
-                    amount=+amount,
-                    currency=currency,
-                    kind="capture",
-                    status="posted",
+            # Avoid duplicate capture entries
+            existing = await self.session.scalar(
+                select(LedgerEntry).where(
+                    LedgerEntry.provider_ref == charge_obj.get("id"),
+                    LedgerEntry.kind == "capture",
                 )
             )
+            if not existing:
+                self.session.add(
+                    LedgerEntry(
+                        tenant_id=self.tenant_id,
+                        provider=intent.provider,
+                        provider_ref=charge_obj.get("id"),
+                        user_id=intent.user_id,
+                        amount=+amount,
+                        currency=currency,
+                        kind="capture",
+                        status="posted",
+                    )
+                )
+            intent.captured = True
     async def _post_refund(self, charge_obj: dict):
         amount = int(charge_obj.get("amount_refunded") or 0)
@@ -237,22 +292,31 @@ class PaymentsService:
             select(PayIntent).where(PayIntent.provider_intent_id == pi_id)
         )
         if intent and amount > 0:
-            self.session.add(
-                LedgerEntry(
-                    provider=intent.provider,
-                    provider_ref=charge_obj.get("id"),
-                    user_id=intent.user_id,
-                    amount=+amount,
-                    currency=currency,
-                    kind="refund",
-                    status="posted",
+            existing = await self.session.scalar(
+                select(LedgerEntry).where(
+                    LedgerEntry.provider_ref == charge_obj.get("id"),
+                    LedgerEntry.kind == "refund",
                 )
             )
+            if not existing:
+                self.session.add(
+                    LedgerEntry(
+                        tenant_id=self.tenant_id,
+                        provider=intent.provider,
+                        provider_ref=charge_obj.get("id"),
+                        user_id=intent.user_id,
+                        amount=+amount,
+                        currency=currency,
+                        kind="refund",
+                        status="posted",
+                    )
+                )
     async def attach_payment_method(self, data: PaymentMethodAttachIn) -> PaymentMethodOut:
         out = await self._get_adapter().attach_payment_method(data)
         # Upsert locally for quick listing
         pm = PayPaymentMethod(
+            tenant_id=self.tenant_id,
             provider=out.provider,
             provider_customer_id=out.provider_customer_id,
             provider_method_id=out.provider_method_id,
@@ -283,6 +347,7 @@ class PaymentsService:
         out = await self._get_adapter().create_product(data)
         self.session.add(
             PayProduct(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_product_id=out.provider_product_id,
                 name=out.name,
@@ -295,6 +360,7 @@ class PaymentsService:
         out = await self._get_adapter().create_price(data)
         self.session.add(
             PayPrice(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_price_id=out.provider_price_id,
                 provider_product_id=out.provider_product_id,
@@ -312,6 +378,7 @@ class PaymentsService:
         out = await self._get_adapter().create_subscription(data)
         self.session.add(
             PaySubscription(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_subscription_id=out.provider_subscription_id,
                 provider_price_id=out.provider_price_id,
@@ -340,6 +407,7 @@ class PaymentsService:
         out = await self._get_adapter().create_invoice(data)
         self.session.add(
             PayInvoice(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_invoice_id=out.provider_invoice_id,
                 provider_customer_id=out.provider_customer_id,
@@ -432,6 +500,27 @@ class PaymentsService:
             pi.status = out.status
             if out.status in ("succeeded", "requires_capture"):  # Stripe specifics vary
                 pi.captured = True if out.status == "succeeded" else pi.captured
+                # Add capture ledger entry if succeeded and not already posted
+                if out.status == "succeeded":
+                    existing = await self.session.scalar(
+                        select(LedgerEntry).where(
+                            LedgerEntry.provider_ref == provider_intent_id,
+                            LedgerEntry.kind == "capture",
+                        )
+                    )
+                    if not existing:
+                        self.session.add(
+                            LedgerEntry(
+                                tenant_id=self.tenant_id,
+                                provider=pi.provider,
+                                provider_ref=provider_intent_id,
+                                user_id=pi.user_id,
+                                amount=+out.amount,
+                                currency=out.currency,
+                                kind="capture",
+                                status="posted",
+                            )
+                        )
         return out
     async def list_intents(self, f: IntentListFilter) -> tuple[list[IntentOut], str | None]:
@@ -475,6 +564,7 @@ class PaymentsService:
         out = await self._get_adapter().create_setup_intent(data)
         self.session.add(
             PaySetupIntent(
+                tenant_id=self.tenant_id,
                 provider=out.provider,
                 provider_setup_intent_id=out.provider_setup_intent_id,
                 user_id=None,
@@ -510,6 +600,7 @@ class PaymentsService:
         else:
             self.session.add(
                 PaySetupIntent(
+                    tenant_id=self.tenant_id,
                     provider=out.provider,
                     provider_setup_intent_id=out.provider_setup_intent_id,
                     user_id=None,
@@ -549,6 +640,7 @@ class PaymentsService:
         else:
             self.session.add(
                 PayDispute(
+                    tenant_id=self.tenant_id,
                     provider=out.provider,
                     provider_dispute_id=out.provider_dispute_id,
                     provider_charge_id=None,  # set if adapter returns it
@@ -594,6 +686,7 @@ class PaymentsService:
         else:
             self.session.add(
                 PayPayout(
+                    tenant_id=self.tenant_id,
                     provider=out.provider,
                     provider_payout_id=out.provider_payout_id,
                     amount=out.amount,
@@ -678,10 +771,10 @@ class PaymentsService:
         if not row:
             self.session.add(
                 PayCustomer(
+                    tenant_id=self.tenant_id,
                     provider=out.provider,
                     provider_customer_id=out.provider_customer_id,
                     user_id=None,
-                    tenant_id="",
                 )
             )
         return out

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/api/fastapi/apf_payments/router.py RENAMED Viewed

@@ -70,7 +70,9 @@ def _tx_kind(kind: str) -> Literal["payment", "refund", "fee", "payout", "captur
 # --- deps ---
 async def get_service(session: SqlSessionDep) -> PaymentsService:
-    return PaymentsService(session=session)
+    # TODO: derive tenant_id from auth/session context; placeholder requires explicit value.
+    # For now, use a fixed test tenant id; production integration must override.
+    return PaymentsService(session=session, tenant_id="test_tenant")
 # --- routers grouped by auth posture (same prefix is fine; FastAPI merges) ---

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/api/fastapi/auth/add.py RENAMED Viewed

@@ -11,6 +11,7 @@ from svc_infra.api.fastapi.auth.mfa.router import mfa_router
 from svc_infra.api.fastapi.auth.routers.account import account_router
 from svc_infra.api.fastapi.auth.routers.apikey_router import apikey_router
 from svc_infra.api.fastapi.auth.routers.oauth_router import oauth_router_with_backend
+from svc_infra.api.fastapi.auth.routers.session_router import build_session_router
 from svc_infra.api.fastapi.db.sql.users import get_fastapi_users
 from svc_infra.api.fastapi.paths.prefix import AUTH_PREFIX, USER_PREFIX
 from svc_infra.app.env import CURRENT_ENVIRONMENT, DEV_ENV, LOCAL_ENV
@@ -73,6 +74,15 @@ def install_user_routers(
         include_in_schema=include_in_docs,
         dependencies=[Depends(login_client_gaurd)],
     )
+    # Session/device listing & revocation endpoints (AuthSession model)
+    # Mounted under the user prefix so final paths become /{user_prefix}/sessions/... (e.g., /users/sessions/me)
+    # The router itself has a /sessions prefix.
+    app.include_router(
+        build_session_router(),
+        prefix=user_prefix,
+        tags=["Session Management"],
+        include_in_schema=include_in_docs,
+    )
     app.include_router(
         register_router,
         prefix=user_prefix,

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/api/fastapi/auth/gaurd.py RENAMED Viewed

@@ -1,5 +1,6 @@
 from __future__ import annotations
+import hashlib
 from datetime import datetime, timezone
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
@@ -65,6 +66,9 @@ def auth_session_router(
     router = public_router()
     policy = auth_policy or DefaultAuthPolicy(get_auth_settings())
+    from svc_infra.api.fastapi.db.sql import SqlSessionDep
+    from svc_infra.security.lockout import get_lockout_status, record_attempt
     @router.post("/login", name="auth:jwt.login")
     async def login(
         request: Request,
@@ -74,27 +78,78 @@ def auth_session_router(
         client_id: str | None = Form(None),
         client_secret: str | None = Form(None),
         user_manager=Depends(fapi.get_user_manager),
+        session: SqlSessionDep = Depends(),
     ):
-        # 1) lookup user (normalize email)
         strategy = auth_backend.get_strategy()
         email = username.strip().lower()
+        # Compute IP hash for lockout correlation
+        client_ip = getattr(request.client, "host", None)
+        ip_hash = hashlib.sha256(client_ip.encode()).hexdigest() if client_ip else None
+        # Pre-check lockout by IP to avoid enumeration
+        try:
+            status_lo = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
+            if status_lo.locked and status_lo.next_allowed_at:
+                retry = int(
+                    (status_lo.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
+        # Lookup user
         user = await user_manager.user_db.get_by_email(email)
         if not user:
             _, _ = _pwd.verify_and_update(password, _DUMMY_BCRYPT)
+            try:
+                await record_attempt(session, user_id=None, ip_hash=ip_hash, success=False)
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
-        # 2) verify status + password
+        # Status checks
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
         hashed = getattr(user, "hashed_password", None) or getattr(user, "password_hash", None)
         if not hashed:
-            # No password set (likely OAuth-only account)
+            try:
+                await record_attempt(
+                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
+        # Check lockout for this user + IP before verifying password
+        try:
+            status_user = await get_lockout_status(
+                session, user_id=getattr(user, "id", None), ip_hash=ip_hash
+            )
+            if status_user.locked and status_user.next_allowed_at:
+                retry = int(
+                    (status_user.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                )
+                raise HTTPException(
+                    status_code=429,
+                    detail="account_locked",
+                    headers={"Retry-After": str(max(0, retry))},
+                )
+        except Exception:
+            pass
         ok, new_hash = _pwd.verify_and_update(password, hashed)
         if not ok:
+            try:
+                await record_attempt(
+                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                )
+            except Exception:
+                pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
         # If the hash needs upgrading, persist it (optional but recommended)
@@ -106,7 +161,6 @@ def auth_session_router(
             try:
                 await user_manager.user_db.update(user)
             except Exception:
-                # don't block login if updating hash fails; log if you have logging here
                 pass
         if getattr(user, "is_verified") is False:
@@ -130,6 +184,14 @@ def auth_session_router(
             # don’t block login if this write fails
             pass
+        # Record successful attempt (for audit)
+        try:
+            await record_attempt(
+                session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=True
+            )
+        except Exception:
+            pass
         # 5) mint token and set cookie
         token = await strategy.write_token(user)
         st = get_auth_settings()

{svc_infra-0.1.593 → svc_infra-0.1.594}/src/svc_infra/api/fastapi/auth/routers/oauth_router.py RENAMED Viewed

@@ -28,6 +28,8 @@ from svc_infra.api.fastapi.paths.auth import (
     OAUTH_LOGIN_PATH,
     OAUTH_REFRESH_PATH,
 )
+from svc_infra.security.models import RefreshToken
+from svc_infra.security.session import issue_session_and_refresh, rotate_session_refresh
 def _gen_pkce_pair() -> tuple[str, str]:
@@ -466,9 +468,13 @@ async def _validate_and_decode_jwt_token(raw_token: str) -> str:
 async def _set_cookie_on_response(
-    resp: Response, auth_backend: AuthenticationBackend, user: Any
+    resp: Response,
+    auth_backend: AuthenticationBackend,
+    user: Any,
+    *,
+    refresh_raw: str,
 ) -> None:
-    """Set authentication cookie on response."""
+    """Set authentication (JWT) and refresh cookies on response."""
     st = get_auth_settings()
     strategy = auth_backend.get_strategy()
     jwt_token = await strategy.write_token(user)
@@ -477,6 +483,7 @@ async def _set_cookie_on_response(
     if same_site_lit == "none" and not bool(st.session_cookie_secure):
         raise HTTPException(500, "session_cookie_samesite=None requires session_cookie_secure=True")
+    # Access/Auth cookie (short-lived JWT)
     resp.set_cookie(
         key=_cookie_name(st),
         value=jwt_token,
@@ -488,6 +495,18 @@ async def _set_cookie_on_response(
         path="/",
     )
+    # Refresh cookie (opaque token, longer lived)
+    resp.set_cookie(
+        key=getattr(st, "session_cookie_name", "svc_session"),
+        value=refresh_raw,
+        max_age=60 * 60 * 24 * 7,  # 7 days default
+        httponly=True,
+        secure=bool(st.session_cookie_secure),
+        samesite=same_site_lit,
+        domain=_cookie_domain(st),
+        path="/",
+    )
 def _clean_oauth_session_state(request: Request, provider: str) -> None:
     """Clean up transient OAuth session state."""
@@ -641,9 +660,18 @@ def _create_oauth_router(
         user.last_login = datetime.now(timezone.utc)
         await session.commit()
-        # Create response with auth cookie
+        # Create session + initial refresh token
+        raw_refresh, _rt = await issue_session_and_refresh(
+            session,
+            user_id=user.id,
+            tenant_id=getattr(user, "tenant_id", None),
+            user_agent=str(request.headers.get("user-agent", ""))[:512],
+            ip_hash=None,
+        )
+        # Create response with auth + refresh cookies
         resp = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
-        await _set_cookie_on_response(resp, auth_backend, user)
+        await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=raw_refresh)
         # Clean up session state
         _clean_oauth_session_state(request, provider)
@@ -667,50 +695,62 @@ def _create_oauth_router(
         """Refresh authentication token."""
         st = get_auth_settings()
-        # Read and validate cookie
-        name = _cookie_name(st)
-        raw = request.cookies.get(name)
-        if not raw:
+        # Read and validate auth JWT cookie
+        name_auth = _cookie_name(st)
+        raw_auth = request.cookies.get(name_auth)
+        if not raw_auth:
             raise HTTPException(401, "missing_token")
-        # Validate and decode JWT token
-        user_id = await _validate_and_decode_jwt_token(raw)
+        # Validate and decode JWT token to get user id
+        user_id = await _validate_and_decode_jwt_token(raw_auth)
         # Load user
         user = await session.get(user_model, user_id)
         if not user:
             raise HTTPException(401, "invalid_token")
-        # Handle MFA if required
-        if await policy.should_require_mfa(user):
-            pre = await get_mfa_pre_jwt_writer().write(user)
-            redirect_url = str(getattr(st, "post_login_redirect", "/"))
-            allow_hosts = parse_redirect_allow_hosts(getattr(st, "redirect_allow_hosts_raw", None))
-            require_https = bool(getattr(st, "session_cookie_secure", False))
-            _validate_redirect(redirect_url, allow_hosts, require_https=require_https)
-            nxt = request.query_params.get("next")
-            if nxt:
-                try:
-                    _validate_redirect(nxt, allow_hosts, require_https=require_https)
-                    redirect_url = nxt
-                except HTTPException:
-                    pass
-            qs = urlencode({"mfa": "required", "pre_token": pre})
-            return RedirectResponse(url=f"{redirect_url}?{qs}", status_code=status.HTTP_302_FOUND)
-        # Create response with new token
-        resp = Response(status_code=204)
-        await _set_cookie_on_response(resp, auth_backend, user)
-        # Optional: notify policy hook
+        # Obtain refresh cookie
+        refresh_cookie_name = getattr(st, "session_cookie_name", "svc_session")
+        raw_refresh = request.cookies.get(refresh_cookie_name)
+        if not raw_refresh:
+            raise HTTPException(401, "missing_refresh_token")
+        # Lookup refresh token row by hash
+        from sqlalchemy import select
+        from svc_infra.security.models import hash_refresh_token
+        token_hash = hash_refresh_token(raw_refresh)
+        found: RefreshToken | None = (
+            (
+                await session.execute(
+                    select(RefreshToken).where(RefreshToken.token_hash == token_hash)
+                )
+            )
+            .scalars()
+            .first()
+        )
+        if (
+            not found
+            or found.revoked_at
+            or (found.expires_at and found.expires_at < datetime.now(timezone.utc))
+        ):
+            raise HTTPException(401, "invalid_refresh_token")
+        # Rotate refresh token
+        new_raw, _new_rt = await rotate_session_refresh(session, current=found)
+        # Write response (204) with new cookies
+        resp = Response(status_code=status.HTTP_204_NO_CONTENT)
+        await _set_cookie_on_response(resp, auth_backend, user, refresh_raw=new_raw)
+        return resp
+        # Dead code removed: MFA branch handled earlier in login flow, refresh returns 204 above.
         if hasattr(policy, "on_token_refresh"):
             try:
                 await policy.on_token_refresh(user)
             except Exception:
                 pass
-        return resp
+    # Return router at end of factory
     return router

svc-infra 0.1.593__tar.gz → 0.1.594__tar.gz

Potentially problematic release.

svc-infra 0.1.593tar.gz → 0.1.594tar.gz