svc-infra 0.1.706__py3-none-any.whl → 1.1.0__py3-none-any.whl

svc_infra/api/fastapi/auth/_cookies.py

@@ -1,7 +1,5 @@
 from __future__ import annotations
 
-from typing import Optional
-
 from starlette.requests import Request
 
 from svc_infra.app.env import IS_PROD
@@ -16,9 +14,7 @@ def _is_local_host(host: str) -> bool:
 
 def _is_https(request: Request) -> bool:
     proto = (
-        (request.headers.get("x-forwarded-proto") or request.url.scheme or "")
-        .split(",")[0]
-        .strip()
+        (request.headers.get("x-forwarded-proto") or request.url.scheme or "").split(",")[0].strip()
     )
     return proto.lower() == "https"
 
@@ -27,15 +23,13 @@ def compute_cookie_params(request: Request, *, name: str) -> dict:
     st = get_auth_settings()
     cfg_domain = (getattr(st, "session_cookie_domain", "") or "").strip()
 
-    domain: Optional[str] = None
+    domain: str | None = None
     if cfg_domain and not _is_local_host(cfg_domain):
         domain = cfg_domain
 
     explicit_secure = getattr(st, "session_cookie_secure", None)
     secure = (
-        bool(explicit_secure)
-        if explicit_secure is not None
-        else (_is_https(request) or IS_PROD)
+        bool(explicit_secure) if explicit_secure is not None else (_is_https(request) or IS_PROD)
     )
 
     samesite = str(getattr(st, "session_cookie_samesite", "lax")).lower()

svc_infra/api/fastapi/auth/add.py

@@ -135,9 +135,7 @@ def setup_oauth_authentication(
     if not providers:
         return
 
-    redirect_url = (
-        post_login_redirect or getattr(settings_obj, "post_login_redirect", None) or "/"
-    )
+    redirect_url = post_login_redirect or getattr(settings_obj, "post_login_redirect", None) or "/"
     oauth_router_instance = oauth_router_with_backend(
         user_model=user_model,
         auth_backend=auth_backend,
@@ -253,7 +251,7 @@ def add_auth_users(
     (
         fapi,
         auth_backend,
-        auth_router,
+        _auth_router,
         users_router,
         get_strategy,
         register_router,
@@ -268,9 +266,7 @@ def add_auth_users(
     )
 
     # Make the boot-time strategy and model available to resolvers
-    set_auth_state(
-        user_model=user_model, get_strategy=get_strategy, auth_prefix=auth_prefix
-    )
+    set_auth_state(user_model=user_model, get_strategy=get_strategy, auth_prefix=auth_prefix)
 
     settings_obj = get_auth_settings()
     policy = auth_policy or DefaultAuthPolicy(settings_obj)
@@ -287,7 +283,7 @@ def add_auth_users(
                 dev_default="dev-only-session-jwt-secret-not-for-production",
             )
         same_site_lit = cast(
-            Literal["lax", "strict", "none"],
+            "Literal['lax', 'strict', 'none']",
             str(getattr(settings_obj, "session_cookie_samesite", "lax")).lower(),
         )
         app.add_middleware(

svc_infra/api/fastapi/auth/gaurd.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 import hashlib
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from typing import Any
 
 from fastapi import APIRouter, Depends, Form, HTTPException, Request, status
@@ -42,9 +42,7 @@ async def login_client_gaurd(request: Request):
         client_id_raw = form.get("client_id")
         client_secret_raw = form.get("client_secret")
         client_id = client_id_raw.strip() if isinstance(client_id_raw, str) else ""
-        client_secret = (
-            client_secret_raw.strip() if isinstance(client_secret_raw, str) else ""
-        )
+        client_secret = client_secret_raw.strip() if isinstance(client_secret_raw, str) else ""
         if not client_id or not client_secret:
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
@@ -54,10 +52,7 @@ async def login_client_gaurd(request: Request):
         # validate against configured clients
         ok = False
         for pc in getattr(st, "password_clients", []) or []:
-            if (
-                pc.client_id == client_id
-                and pc.client_secret.get_secret_value() == client_secret
-            ):
+            if pc.client_id == client_id and pc.client_secret.get_secret_value() == client_secret:
                 ok = True
                 break
 
@@ -102,11 +97,7 @@ def auth_session_router(
         try:
             status_lo = await get_lockout_status(session, user_id=None, ip_hash=ip_hash)
             if status_lo.locked and status_lo.next_allowed_at:
-                retry = int(
-                    (
-                        status_lo.next_allowed_at - datetime.now(timezone.utc)
-                    ).total_seconds()
-                )
+                retry = int((status_lo.next_allowed_at - datetime.now(UTC)).total_seconds())
                 raise HTTPException(
                     status_code=429,
                     detail="account_locked",
@@ -120,9 +111,7 @@ def auth_session_router(
         if not user:
             _, _ = _pwd.verify_and_update(password, _DUMMY_BCRYPT)
             try:
-                await record_attempt(
-                    session, user_id=None, ip_hash=ip_hash, success=False
-                )
+                await record_attempt(session, user_id=None, ip_hash=ip_hash, success=False)
             except Exception:
                 pass
             raise HTTPException(400, "LOGIN_BAD_CREDENTIALS")
@@ -131,9 +120,7 @@ def auth_session_router(
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        hashed = getattr(user, "hashed_password", None) or getattr(
-            user, "password_hash", None
-        )
+        hashed = getattr(user, "hashed_password", None) or getattr(user, "password_hash", None)
         if not hashed:
             try:
                 await record_attempt(
@@ -152,11 +139,7 @@ def auth_session_router(
                 session, user_id=getattr(user, "id", None), ip_hash=ip_hash
             )
             if status_user.locked and status_user.next_allowed_at:
-                retry = int(
-                    (
-                        status_user.next_allowed_at - datetime.now(timezone.utc)
-                    ).total_seconds()
-                )
+                retry = int((status_user.next_allowed_at - datetime.now(UTC)).total_seconds())
                 raise HTTPException(
                     status_code=429,
                     detail="account_locked",
@@ -189,7 +172,7 @@ def auth_session_router(
             except Exception:
                 pass
 
-        if getattr(user, "is_verified") is False:
+        if user.is_verified is False:
             raise HTTPException(400, "LOGIN_USER_NOT_VERIFIED")
 
         # 3) MFA policy check (user flag, tenant/global, etc.)
@@ -204,7 +187,7 @@ def auth_session_router(
 
         # 4) record last_login for password logins that do NOT require MFA
         try:
-            user.last_login = datetime.now(timezone.utc)
+            user.last_login = datetime.now(UTC)
             await user_manager.user_db.update(user, {"last_login": user.last_login})
         except Exception:
             # don’t block login if this write fails

svc_infra/api/fastapi/auth/mfa/models.py

@@ -1,12 +1,9 @@
 from datetime import datetime
-from typing import Optional
 
 from pydantic import BaseModel
 
 # --- Email OTP store (replace with Redis in prod) ---
-EMAIL_OTP_STORE: dict[
-    str, dict
-] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
+EMAIL_OTP_STORE: dict[str, dict] = {}  # key = uid (or jti), value={hash,exp,attempts,next_send}
 
 
 class StartSetupOut(BaseModel):
@@ -56,9 +53,9 @@ class MFAProof(BaseModel):
 
 
 class DisableAccountIn(BaseModel):
-    reason: Optional[str] = None
-    mfa: Optional[MFAProof] = None
+    reason: str | None = None
+    mfa: MFAProof | None = None
 
 
 class DeleteAccountIn(BaseModel):
-    mfa: Optional[MFAProof] = None
+    mfa: MFAProof | None = None

svc_infra/api/fastapi/auth/mfa/pre_auth.py

@@ -1,4 +1,4 @@
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 
 from svc_infra.api.fastapi.auth.settings import get_auth_settings
 from svc_infra.app.env import require_secret
@@ -29,9 +29,9 @@ def get_mfa_pre_jwt_writer():
         async def write(self, user):
             from fastapi_users.jwt import generate_jwt
 
-            now = datetime.now(timezone.utc)
+            now = datetime.now(UTC)
             payload = {
-                "sub": str(getattr(user, "id")),
+                "sub": str(user.id),
                 "aud": ["fastapi-users:mfa"],
                 "iat": int(now.timestamp()),
                 "exp": int(now.timestamp()) + self.lifetime,

svc_infra/api/fastapi/auth/mfa/router.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from typing import Any, cast
 
 import pyotp
@@ -80,7 +80,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid token")
 
         # IMPORTANT: rehydrate into *your* session
-        db_user = await cast(Any, session).get(user_model, user.id)
+        db_user = await cast("Any", session).get(user_model, user.id)
         if not db_user:
             raise HTTPException(401, "Invalid token")
 
@@ -114,9 +114,7 @@ def mfa_router(
         # )).scalar_one()
         # assert fresh_secret == secret
 
-        return StartSetupOut(
-            otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri)
-        )
+        return StartSetupOut(otpauth_url=uri, secret=secret, qr_svg=_qr_svg_from_uri(uri))
 
     @u.post(
         MFA_CONFIRM_PATH,
@@ -144,7 +142,7 @@ def mfa_router(
 
         user.mfa_recovery = [_hash(c) for c in codes]
         user.mfa_enabled = True
-        user.mfa_confirmed_at = datetime.now(timezone.utc)
+        user.mfa_confirmed_at = datetime.now(UTC)
         await session.commit()
 
         return RecoveryCodesOut(codes=codes)
@@ -201,7 +199,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 2) load user
-        user = await cast(Any, session).get(user_model, uid)
+        user = await cast("Any", session).get(user_model, uid)
         if not user:
             raise HTTPException(401, "Invalid pre-auth token")
 
@@ -209,9 +207,7 @@ def mfa_router(
         if not getattr(user, "is_active", True):
             raise HTTPException(401, "account_disabled")
 
-        if (not getattr(user, "mfa_enabled", False)) or (
-            not getattr(user, "mfa_secret", None)
-        ):
+        if (not getattr(user, "mfa_enabled", False)) or (not getattr(user, "mfa_secret", None)):
             raise HTTPException(401, "MFA not enabled")
 
         # 3) verify TOTP or fallback
@@ -247,15 +243,13 @@ def mfa_router(
             raise HTTPException(400, "Invalid code")
 
         # NEW: set last_login on successful MFA
-        user.last_login = datetime.now(timezone.utc)
+        user.last_login = datetime.now(UTC)
         await session.commit()
 
         # 4) mint normal JWT and set cookie
         token = await strategy.write_token(user)
         resp = JSONResponse({"access_token": token, "token_type": "bearer"})
-        cp = compute_cookie_params(
-            request, name=st.auth_cookie_name
-        )  # <-- pass Request here
+        cp = compute_cookie_params(request, name=st.auth_cookie_name)  # <-- pass Request here
         resp.set_cookie(**cp, value=token)
         return resp
 
@@ -278,7 +272,7 @@ def mfa_router(
             raise HTTPException(401, "Invalid pre-auth token")
 
         # 1b) Load user to get their email
-        user = await cast(Any, session).get(user_model, uid)
+        user = await cast("Any", session).get(user_model, uid)
         if not user or not getattr(user, "email", None):
             # (optionally also check user.mfa_enabled here)
             raise HTTPException(401, "Invalid pre-auth token")

svc_infra/api/fastapi/auth/mfa/security.py

@@ -1,5 +1,3 @@
-from typing import Optional
-
 from fastapi import Body, Depends, HTTPException, Query
 
 from svc_infra.api.fastapi.auth.security import Identity
@@ -12,9 +10,9 @@ def RequireMFAIfEnabled(body_field: str = "mfa"):
     async def _dep(
         p: Identity,
         sess: SqlSessionDep,
-        mfa: Optional[MFAProof] = Body(None, embed=True, alias=body_field),
-        mfa_code: Optional[str] = Query(None, alias="mfa_code"),
-        mfa_pre_token: Optional[str] = Query(None, alias="mfa_pre_token"),
+        mfa: MFAProof | None = Body(None, embed=True, alias=body_field),
+        mfa_code: str | None = Query(None, alias="mfa_code"),
+        mfa_pre_token: str | None = Query(None, alias="mfa_pre_token"),
     ):
         proof = mfa or (
             MFAProof(code=mfa_code, pre_token=mfa_pre_token)

svc_infra/api/fastapi/auth/mfa/utils.py

@@ -1,6 +1,7 @@
 import base64
 import hashlib
 import os
+from datetime import UTC
 
 import pyotp
 
@@ -38,6 +39,6 @@ def _hash(s: str) -> str:
 
 
 def _now_utc_ts() -> int:
-    from datetime import datetime, timezone
+    from datetime import datetime
 
-    return int(datetime.now(timezone.utc).timestamp())
+    return int(datetime.now(UTC).timestamp())

svc_infra/api/fastapi/auth/mfa/verify.py

@@ -73,18 +73,11 @@ async def verify_mfa_for_user(
             now = _now_utc_ts()
             if rec:
                 attempts_left = rec.get("attempts_left")
-                if (
-                    now <= rec["exp"]
-                    and attempts_left
-                    and attempts_left > 0
-                    and rec["hash"] == dig
-                ):
+                if now <= rec["exp"] and attempts_left and attempts_left > 0 and rec["hash"] == dig:
                     EMAIL_OTP_STORE.pop(uid, None)  # burn on success
                     return MFAResult(ok=True, method="email", attempts_left=None)
                 # decrement on failure
                 rec["attempts_left"] = max(0, (attempts_left or 0) - 1)
-                return MFAResult(
-                    ok=False, method="email", attempts_left=rec["attempts_left"]
-                )
+                return MFAResult(ok=False, method="email", attempts_left=rec["attempts_left"])
 
     return MFAResult(ok=False, method="none", attempts_left=None)

svc_infra/api/fastapi/auth/providers.py

@@ -1,7 +1,7 @@
-from typing import Any, Dict
+from typing import Any
 
 
-def providers_from_settings(settings: Any) -> Dict[str, Dict[str, Any]]:
+def providers_from_settings(settings: Any) -> dict[str, dict[str, Any]]:
     """
     Returns a registry of providers:
       {
@@ -20,7 +20,7 @@ def providers_from_settings(settings: Any) -> Dict[str, Dict[str, Any]]:
         }
       }
     """
-    reg: Dict[str, Dict[str, Any]] = {}
+    reg: dict[str, dict[str, Any]] = {}
 
     # Google (OIDC)
     if getattr(settings, "google_client_id", None) and getattr(
@@ -64,9 +64,7 @@ def providers_from_settings(settings: Any) -> Dict[str, Dict[str, Any]]:
         }
 
     # LinkedIn (non-OIDC)
-    if getattr(settings, "li_client_id", None) and getattr(
-        settings, "li_client_secret", None
-    ):
+    if getattr(settings, "li_client_id", None) and getattr(settings, "li_client_secret", None):
         reg["linkedin"] = {
             "kind": "linkedin",
             "authorize_url": "https://www.linkedin.com/oauth/v2/authorization",

svc_infra/api/fastapi/auth/routers/apikey_router.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
-from datetime import datetime, timedelta, timezone
-from typing import Any, List, Optional, cast
+from datetime import UTC, datetime, timedelta
+from typing import Any, cast
 from uuid import UUID
 
 from fastapi import HTTPException, Query
@@ -23,21 +23,21 @@ from svc_infra.db.sql.apikey import get_apikey_model
 
 class ApiKeyCreateIn(BaseModel):
     name: str
-    user_id: Optional[str] = None
-    scopes: List[str] = Field(default_factory=list)
-    ttl_hours: Optional[int] = 24 * 365  # default 1y
+    user_id: str | None = None
+    scopes: list[str] = Field(default_factory=list)
+    ttl_hours: int | None = 24 * 365  # default 1y
 
 
 class ApiKeyOut(BaseModel):
     id: str
     name: str
-    user_id: Optional[str]
-    key: Optional[str] = None
+    user_id: str | None
+    key: str | None = None
     key_prefix: str
-    scopes: List[str]
+    scopes: list[str]
     active: bool
-    expires_at: Optional[datetime]
-    last_used_at: Optional[datetime]
+    expires_at: datetime | None
+    last_used_at: datetime | None
 
 
 def _to_uuid(val):
@@ -56,7 +56,7 @@ def apikey_router():
         description="Create a new API key. The plaintext key is shown only once, at creation time.",
     )
     async def create_key(sess: SqlSessionDep, payload: ApiKeyCreateIn, p: Identity):
-        caller_id: UUID = getattr(p.user, "id")
+        caller_id: UUID = p.user.id
         owner_id: UUID = _to_uuid(payload.user_id) if payload.user_id else caller_id
 
         if owner_id != caller_id and not getattr(p.user, "is_superuser", False):
@@ -64,9 +64,7 @@ def apikey_router():
 
         plaintext, prefix, hashed = ApiKey.make_secret()  # type: ignore[attr-defined]
         expires = (
-            (datetime.now(timezone.utc) + timedelta(hours=payload.ttl_hours))
-            if payload.ttl_hours
-            else None
+            (datetime.now(UTC) + timedelta(hours=payload.ttl_hours)) if payload.ttl_hours else None
         )
 
         row = ApiKey(
@@ -124,11 +122,11 @@ def apikey_router():
         description="Revoke an API key",
     )
     async def revoke_key(key_id: str, sess: SqlSessionDep, p: Identity):
-        row = await cast(Any, sess).get(ApiKey, key_id)
+        row = await cast("Any", sess).get(ApiKey, key_id)
         if not row:
             raise HTTPException(404, "not_found")
 
-        caller_id: UUID = getattr(p.user, "id")
+        caller_id: UUID = p.user.id
         if not (getattr(p.user, "is_superuser", False) or row.user_id == caller_id):
             raise HTTPException(403, "forbidden")
 
@@ -148,11 +146,11 @@ def apikey_router():
         p: Identity,
         force: bool = Query(False, description="Allow deleting an active key if True"),
     ):
-        row = await cast(Any, sess).get(ApiKey, key_id)
+        row = await cast("Any", sess).get(ApiKey, key_id)
         if not row:
             return  # 204
 
-        caller_id: UUID = getattr(p.user, "id")
+        caller_id: UUID = p.user.id
         if not (getattr(p.user, "is_superuser", False) or row.user_id == caller_id):
             raise HTTPException(403, "forbidden")