svc-infra 0.1.595__py3-none-any.whl → 0.1.706__py3-none-any.whl

svc_infra/api/fastapi/auth/gaurd.py

@@ -2,16 +2,19 @@ from __future__ import annotations
 
 import hashlib
 from datetime import datetime, timezone
+from typing import Any
 
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
 from fastapi.responses import JSONResponse
 from fastapi_users import FastAPIUsers
-from fastapi_users.authentication import AuthenticationBackend
+from fastapi_users.authentication import AuthenticationBackend, Strategy
 from fastapi_users.password import PasswordHelper
+from starlette.datastructures import FormData
 
 from svc_infra.api.fastapi.auth._cookies import compute_cookie_params
 from svc_infra.api.fastapi.auth.policy import AuthPolicy, DefaultAuthPolicy
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
+from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 from svc_infra.api.fastapi.dual.public import public_router
 
 _pwd = PasswordHelper()
@@ -30,28 +33,38 @@ async def login_client_gaurd(request: Request):
 
     # only enforce on the login endpoint (form-encoded)
     if request.method.upper() == "POST" and request.url.path.endswith("/login"):
+        form: FormData | dict[str, Any]
         try:
             form = await request.form()
         except Exception:
             form = {}
 
-        client_id = (form.get("client_id") or "").strip()
-        client_secret = (form.get("client_secret") or "").strip()
+        client_id_raw = form.get("client_id")
+        client_secret_raw = form.get("client_secret")
+        client_id = client_id_raw.strip() if isinstance(client_id_raw, str) else ""
+        client_secret = (
+            client_secret_raw.strip() if isinstance(client_secret_raw, str) else ""
+        )
         if not client_id or not client_secret:
             raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED, detail="client_credentials_required"
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="client_credentials_required",
             )
 
         # validate against configured clients
         ok = False
         for pc in getattr(st, "password_clients", []) or []:
-            if pc.client_id == client_id and pc.client_secret.get_secret_value() == client_secret:
+            if (
+                pc.client_id == client_id
+                and pc.client_secret.get_secret_value() == client_secret
+            ):
                 ok = True
                 break
 
         if not ok:
             raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_client_credentials"
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="invalid_client_credentials",
             )
 
 
@@ -66,21 +79,20 @@ def auth_session_router(
     router = public_router()
     policy = auth_policy or DefaultAuthPolicy(get_auth_settings())
 
-    from svc_infra.api.fastapi.db.sql import SqlSessionDep
     from svc_infra.security.lockout import get_lockout_status, record_attempt
 
     @router.post("/login", name="auth:jwt.login")
     async def login(
         request: Request,
+        session: SqlSessionDep,
         username: str = Form(...),
         password: str = Form(...),
         scope: str = Form(""),
         client_id: str | None = Form(None),
         client_secret: str | None = Form(None),
+        strategy: Strategy[Any, Any] = Depends(auth_backend.get_strategy),
         user_manager=Depends(fapi.get_user_manager),
-        session: SqlSessionDep = Depends(),
     ):
-        strategy = auth_backend.get_strategy()
         email = username.strip().lower()
         # Compute IP hash for lockout correlation
         client_ip = getattr(request.client, "host", None)
@@ -91,7 +103,9 @@ def auth_session_router(
             status_lo = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
             if status_lo.locked and status_lo.next_allowed_at:
                 retry = int(
-                    (status_lo.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                    (
+                        status_lo.next_allowed_at - datetime.now(timezone.utc)
+                    ).total_seconds()
                 )
                 raise HTTPException(
                     status_code=429,
@@ -106,7 +120,9 @@ def auth_session_router(
         if not user:
             _, _ = _pwd.verify_and_update(password, _DUMMY_BCRYPT)
             try:
-                await record_attempt(session, user_id=None, ip_hash=ip_hash, success=False)
+                await record_attempt(
+                    session, user_id=None, ip_hash=ip_hash, success=False
+                )
             except Exception:
                 pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
@@ -115,11 +131,16 @@ def auth_session_router(
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        hashed = getattr(user, "hashed_password", None) or getattr(user, "password_hash", None)
+        hashed = getattr(user, "hashed_password", None) or getattr(
+            user, "password_hash", None
+        )
         if not hashed:
             try:
                 await record_attempt(
-                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                    session,
+                    user_id=getattr(user, "id", None),
+                    ip_hash=ip_hash,
+                    success=False,
                 )
             except Exception:
                 pass
@@ -132,7 +153,9 @@ def auth_session_router(
             )
             if status_user.locked and status_user.next_allowed_at:
                 retry = int(
-                    (status_user.next_allowed_at - datetime.now(timezone.utc)).total_seconds()
+                    (
+                        status_user.next_allowed_at - datetime.now(timezone.utc)
+                    ).total_seconds()
                 )
                 raise HTTPException(
                     status_code=429,
@@ -146,7 +169,10 @@ def auth_session_router(
         if not ok:
             try:
                 await record_attempt(
-                    session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=False
+                    session,
+                    user_id=getattr(user, "id", None),
+                    ip_hash=ip_hash,
+                    success=False,
                 )
             except Exception:
                 pass
@@ -187,7 +213,10 @@ def auth_session_router(
         # Record successful attempt (for audit)
         try:
             await record_attempt(
-                session, user_id=getattr(user, "id", None), ip_hash=ip_hash, success=True
+                session,
+                user_id=getattr(user, "id", None),
+                ip_hash=ip_hash,
+                success=True,
             )
         except Exception:
             pass

svc_infra/api/fastapi/auth/mfa/models.py

@@ -4,7 +4,9 @@ from typing import Optional
 from pydantic import BaseModel
 
 # --- Email OTP store (replace with Redis in prod) ---
-EMAIL_OTP_STORE: dict[str, dict] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
+EMAIL_OTP_STORE: dict[
+    str, dict
+] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
 
 
 class StartSetupOut(BaseModel):

svc_infra/api/fastapi/auth/mfa/pre_auth.py

@@ -1,18 +1,22 @@
 from datetime import datetime, timezone
 
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
+from svc_infra.app.env import require_secret
 
 
 def get_mfa_pre_jwt_writer():
     st = get_auth_settings()
     jwt_block = getattr(st, "jwt", None)
 
-    # Force to plain string
-    secret = (
-        jwt_block.secret.get_secret_value()
-        if jwt_block and getattr(jwt_block, "secret", None)
-        else "svc-dev-secret-change-me"
-    )
+    # Force to plain string - use require_secret to ensure it's set in production
+    if jwt_block and getattr(jwt_block, "secret", None):
+        secret = jwt_block.secret.get_secret_value()
+    else:
+        secret = require_secret(
+            None,
+            "JWT_SECRET (via auth settings jwt.secret for MFA)",
+            dev_default="dev-only-mfa-jwt-secret-not-for-production",
+        )
     secret = str(secret)
 
     lifetime = int(getattr(st, "mfa_pre_token_lifetime_seconds", 300))

svc_infra/api/fastapi/auth/mfa/router.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 from datetime import datetime, timezone
+from typing import Any, cast
 
 import pyotp
 from fastapi import APIRouter, Body, Depends, HTTPException, Request, status
@@ -79,7 +80,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid token")
 
         # IMPORTANT: rehydrate into *your* session
-        db_user = await session.get(user_model, user.id)
+        db_user = await cast(Any, session).get(user_model, user.id)
         if not db_user:
             raise HTTPException(401, "Invalid token")
 
@@ -113,7 +114,9 @@ def mfa_router(
         # )).scalar_one()
         # assert fresh_secret == secret
 
-        return StartSetupOut(otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri))
+        return StartSetupOut(
+            otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri)
+        )
 
     @u.post(
         MFA_CONFIRM_PATH,
@@ -126,7 +129,7 @@ def mfa_router(
 
         # RELOAD from DB to avoid stale state
         user = (
-            await session.execute(select(user_model).where(user_model.id == user.id))
+            await session.execute(select(user_model).where(user_model.id == user.id))  # type: ignore[attr-defined]
         ).scalar_one()
 
         if not getattr(user, "mfa_secret", None):
@@ -198,7 +201,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 2) load user
-        user = await session.get(user_model, uid)
+        user = await cast(Any, session).get(user_model, uid)
         if not user:
             raise HTTPException(401, "Invalid pre-auth token")
 
@@ -206,7 +209,9 @@ def mfa_router(
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        if (not getattr(user, "mfa_enabled", False)) or (not getattr(user, "mfa_secret", None)):
+        if (not getattr(user, "mfa_enabled", False)) or (
+            not getattr(user, "mfa_secret", None)
+        ):
             raise HTTPException(401, "MFA not enabled")
 
         # 3) verify TOTP or fallback
@@ -248,7 +253,9 @@ def mfa_router(
         # 4) mint normal JWT and set cookie
         token = await strategy.write_token(user)
         resp = JSONResponse({"access_token": token, "token_type": "bearer"})
-        cp = compute_cookie_params(request, name=st.auth_cookie_name)  # <-- pass Request here
+        cp = compute_cookie_params(
+            request, name=st.auth_cookie_name
+        )  # <-- pass Request here
         resp.set_cookie(**cp, value=token)
         return resp
 
@@ -271,7 +278,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 1b) Load user to get their email
-        user = await session.get(user_model, uid)
+        user = await cast(Any, session).get(user_model, uid)
         if not user or not getattr(user, "email", None):
             # (optionally also check user.mfa_enabled here)
             raise HTTPException(401, "Invalid pre-auth token")
@@ -326,7 +333,7 @@ def mfa_router(
         # Email OTP is always offered in your flow at verify-time
         methods.append("email")
 
-        def _mask(email: str) -> str:
+        def _mask(email: str) -> str | None:
             if not email or "@" not in email:
                 return None
             name, domain = email.split("@", 1)

svc_infra/api/fastapi/auth/mfa/security.py

@@ -5,8 +5,7 @@ from fastapi import Body, Depends, HTTPException, Query
 from svc_infra.api.fastapi.auth.security import Identity
 from svc_infra.api.fastapi.db.sql.session import SqlSessionDep
 
-from .models import MFAProof
-from .verify import verify_mfa_for_user
+from .verify import MFAProof, verify_mfa_for_user
 
 
 def RequireMFAIfEnabled(body_field: str = "mfa"):

svc_infra/api/fastapi/auth/mfa/utils.py

@@ -29,7 +29,8 @@ def _gen_recovery_codes(n: int, length: int) -> list[str]:
 def _gen_numeric_code(n: int = 6) -> str:
     import random
 
-    return "".join(str(random.randrange(10)) for _ in range(n))
+    code = "".join(str(random.randrange(10)) for _ in range(n))
+    return code
 
 
 def _hash(s: str) -> str:

svc_infra/api/fastapi/auth/mfa/verify.py

@@ -73,11 +73,18 @@ async def verify_mfa_for_user(
             now = _now_utc_ts()
             if rec:
                 attempts_left = rec.get("attempts_left")
-                if now <= rec["exp"] and attempts_left and attempts_left > 0 and rec["hash"] == dig:
+                if (
+                    now <= rec["exp"]
+                    and attempts_left
+                    and attempts_left > 0
+                    and rec["hash"] == dig
+                ):
                     EMAIL_OTP_STORE.pop(uid, None)  # burn on success
                     return MFAResult(ok=True, method="email", attempts_left=None)
                 # decrement on failure
                 rec["attempts_left"] = max(0, (attempts_left or 0) - 1)
-                return MFAResult(ok=False, method="email", attempts_left=rec["attempts_left"])
+                return MFAResult(
+                    ok=False, method="email", attempts_left=rec["attempts_left"]
+                )
 
     return MFAResult(ok=False, method="none", attempts_left=None)

svc_infra/api/fastapi/auth/policy.py

@@ -4,7 +4,6 @@ from typing import Any, Protocol
 
 
 class AuthPolicy(Protocol):
-
     async def should_require_mfa(self, user: Any) -> bool:
         pass
 

svc_infra/api/fastapi/auth/providers.py

@@ -64,7 +64,9 @@ def providers_from_settings(settings: Any) -> Dict[str, Dict[str, Any]]:
         }
 
     # LinkedIn (non-OIDC)
-    if getattr(settings, "li_client_id", None) and getattr(settings, "li_client_secret", None):
+    if getattr(settings, "li_client_id", None) and getattr(
+        settings, "li_client_secret", None
+    ):
         reg["linkedin"] = {
             "kind": "linkedin",
             "authorize_url": "https://www.linkedin.com/oauth/v2/authorization",

svc_infra/api/fastapi/auth/routers/apikey_router.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 from datetime import datetime, timedelta, timezone
-from typing import List, Optional
+from typing import Any, List, Optional, cast
 from uuid import UUID
 
 from fastapi import HTTPException, Query
@@ -62,7 +62,7 @@ def apikey_router():
         if owner_id != caller_id and not getattr(p.user, "is_superuser", False):
             raise HTTPException(403, "forbidden")
 
-        plaintext, prefix, hashed = ApiKey.make_secret()
+        plaintext, prefix, hashed = ApiKey.make_secret()  # type: ignore[attr-defined]
         expires = (
             (datetime.now(timezone.utc) + timedelta(hours=payload.ttl_hours))
             if payload.ttl_hours
@@ -98,9 +98,9 @@ def apikey_router():
         description="List API keys. Non-superusers see only their own keys.",
     )
     async def list_keys(sess: SqlSessionDep, p: Identity):
-        q = select(ApiKey)
+        q: Any = select(ApiKey)
         if not getattr(p.user, "is_superuser", False):
-            q = q.where(ApiKey.user_id == p.user.id)
+            q = q.where(ApiKey.user_id == p.user.id)  # type: ignore[attr-defined]
         rows = (await sess.execute(q)).scalars().all()
         return [
             ApiKeyOut(
@@ -124,7 +124,7 @@ def apikey_router():
         description="Revoke an API key",
     )
     async def revoke_key(key_id: str, sess: SqlSessionDep, p: Identity):
-        row = await sess.get(ApiKey, key_id)
+        row = await cast(Any, sess).get(ApiKey, key_id)
         if not row:
             raise HTTPException(404, "not_found")
 
@@ -148,7 +148,7 @@ def apikey_router():
         p: Identity,
         force: bool = Query(False, description="Allow deleting an active key if True"),
     ):
-        row = await sess.get(ApiKey, key_id)
+        row = await cast(Any, sess).get(ApiKey, key_id)
         if not row:
             return  # 204