sweatstack 0.60.0__py3-none-any.whl → 0.62.0__py3-none-any.whl

sweatstack/fastapi/token_stores.py

@@ -0,0 +1,238 @@
+"""Token store implementations for development use.
+
+WARNING: These implementations are for LOCAL DEVELOPMENT ONLY.
+Do not use in production. Implement your own TokenStore with proper
+database infrastructure, encryption, and monitoring.
+"""
+
+from __future__ import annotations
+
+import logging
+import sqlite3
+import threading
+from datetime import datetime
+from pathlib import Path
+
+from .models import StoredTokens, TokenStore
+
+logger = logging.getLogger(__name__)
+
+
+class SQLiteTokenStore(TokenStore):
+    """SQLite-based TokenStore for local development.
+
+    WARNING: This implementation is for LOCAL DEVELOPMENT ONLY.
+    Do not use in production. For production, implement your own
+    TokenStore with proper database infrastructure, encryption,
+    and monitoring.
+
+    Features:
+        - File-based storage (no external database required)
+        - Thread-safe with connection-per-thread pattern
+        - Auto-creates table on first use
+
+    Args:
+        db_path: Path to SQLite database file. Defaults to "sweatstack_tokens.db"
+            in current directory.
+    """
+
+    def __init__(self, db_path: str | Path = "sweatstack_tokens.db"):
+        self.db_path = str(db_path)
+        self._local = threading.local()
+
+        logger.warning(
+            "SQLiteTokenStore is for LOCAL DEVELOPMENT ONLY. "
+            "Do not use in production. Implement a proper TokenStore "
+            "with your production database."
+        )
+
+        self._init_db()
+
+    def _get_connection(self) -> sqlite3.Connection:
+        """Get thread-local database connection."""
+        if not hasattr(self._local, "connection"):
+            self._local.connection = sqlite3.connect(
+                self.db_path,
+                check_same_thread=False,
+            )
+            self._local.connection.row_factory = sqlite3.Row
+        return self._local.connection
+
+    def _init_db(self) -> None:
+        """Create tokens table if it doesn't exist."""
+        conn = self._get_connection()
+        conn.execute("""
+            CREATE TABLE IF NOT EXISTS sweatstack_tokens (
+                user_id TEXT PRIMARY KEY,
+                access_token TEXT NOT NULL,
+                refresh_token TEXT NOT NULL,
+                expires_at TEXT NOT NULL
+            )
+        """)
+        conn.commit()
+
+    def save(self, tokens: StoredTokens) -> None:
+        """Save or update tokens for a user."""
+        conn = self._get_connection()
+        conn.execute(
+            """
+            INSERT INTO sweatstack_tokens (user_id, access_token, refresh_token, expires_at)
+            VALUES (?, ?, ?, ?)
+            ON CONFLICT(user_id) DO UPDATE SET
+                access_token = excluded.access_token,
+                refresh_token = excluded.refresh_token,
+                expires_at = excluded.expires_at
+            """,
+            (
+                tokens.user_id,
+                tokens.access_token,
+                tokens.refresh_token,
+                tokens.expires_at.isoformat(),
+            ),
+        )
+        conn.commit()
+
+    def load(self, user_id: str) -> StoredTokens | None:
+        """Load tokens for a user. Returns None if not found."""
+        conn = self._get_connection()
+        row = conn.execute(
+            "SELECT * FROM sweatstack_tokens WHERE user_id = ?",
+            (user_id,),
+        ).fetchone()
+
+        if row:
+            return StoredTokens(
+                user_id=row["user_id"],
+                access_token=row["access_token"],
+                refresh_token=row["refresh_token"],
+                expires_at=datetime.fromisoformat(row["expires_at"]),
+            )
+        return None
+
+    def delete(self, user_id: str) -> None:
+        """Delete tokens for a user. Idempotent."""
+        conn = self._get_connection()
+        conn.execute(
+            "DELETE FROM sweatstack_tokens WHERE user_id = ?",
+            (user_id,),
+        )
+        conn.commit()
+
+
+class EncryptedSQLiteTokenStore(TokenStore):
+    """Encrypted SQLite TokenStore for local development.
+
+    WARNING: This implementation is for LOCAL DEVELOPMENT ONLY.
+    Do not use in production. This demonstrates the encryption pattern -
+    adapt it for your production database.
+
+    Encrypts access_token and refresh_token using Fernet (AES-128-CBC + HMAC).
+    user_id and expires_at are stored unencrypted for queries.
+
+    Args:
+        encryption_key: Fernet key for encryption. Generate with:
+            python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+        db_path: Path to SQLite database file.
+    """
+
+    def __init__(
+        self,
+        encryption_key: str | bytes,
+        db_path: str | Path = "sweatstack_tokens_encrypted.db",
+    ):
+        # Import here so cryptography is optional for basic usage
+        from cryptography.fernet import Fernet
+
+        self.db_path = str(db_path)
+        self._local = threading.local()
+
+        if isinstance(encryption_key, str):
+            encryption_key = encryption_key.encode()
+        self._fernet = Fernet(encryption_key)
+
+        logger.warning(
+            "EncryptedSQLiteTokenStore is for LOCAL DEVELOPMENT ONLY. "
+            "Do not use in production. This demonstrates the encryption "
+            "pattern - implement with your production database."
+        )
+
+        self._init_db()
+
+    def _get_connection(self) -> sqlite3.Connection:
+        """Get thread-local database connection."""
+        if not hasattr(self._local, "connection"):
+            self._local.connection = sqlite3.connect(
+                self.db_path,
+                check_same_thread=False,
+            )
+            self._local.connection.row_factory = sqlite3.Row
+        return self._local.connection
+
+    def _init_db(self) -> None:
+        """Create tokens table if it doesn't exist."""
+        conn = self._get_connection()
+        conn.execute("""
+            CREATE TABLE IF NOT EXISTS sweatstack_tokens (
+                user_id TEXT PRIMARY KEY,
+                access_token_encrypted TEXT NOT NULL,
+                refresh_token_encrypted TEXT NOT NULL,
+                expires_at TEXT NOT NULL
+            )
+        """)
+        conn.commit()
+
+    def _encrypt(self, value: str) -> str:
+        """Encrypt a string value."""
+        return self._fernet.encrypt(value.encode()).decode()
+
+    def _decrypt(self, value: str) -> str:
+        """Decrypt a string value."""
+        return self._fernet.decrypt(value.encode()).decode()
+
+    def save(self, tokens: StoredTokens) -> None:
+        """Save or update tokens for a user."""
+        conn = self._get_connection()
+        conn.execute(
+            """
+            INSERT INTO sweatstack_tokens
+                (user_id, access_token_encrypted, refresh_token_encrypted, expires_at)
+            VALUES (?, ?, ?, ?)
+            ON CONFLICT(user_id) DO UPDATE SET
+                access_token_encrypted = excluded.access_token_encrypted,
+                refresh_token_encrypted = excluded.refresh_token_encrypted,
+                expires_at = excluded.expires_at
+            """,
+            (
+                tokens.user_id,
+                self._encrypt(tokens.access_token),
+                self._encrypt(tokens.refresh_token),
+                tokens.expires_at.isoformat(),
+            ),
+        )
+        conn.commit()
+
+    def load(self, user_id: str) -> StoredTokens | None:
+        """Load tokens for a user. Returns None if not found."""
+        conn = self._get_connection()
+        row = conn.execute(
+            "SELECT * FROM sweatstack_tokens WHERE user_id = ?",
+            (user_id,),
+        ).fetchone()
+
+        if row:
+            return StoredTokens(
+                user_id=row["user_id"],
+                access_token=self._decrypt(row["access_token_encrypted"]),
+                refresh_token=self._decrypt(row["refresh_token_encrypted"]),
+                expires_at=datetime.fromisoformat(row["expires_at"]),
+            )
+        return None
+
+    def delete(self, user_id: str) -> None:
+        """Delete tokens for a user. Idempotent."""
+        conn = self._get_connection()
+        conn.execute(
+            "DELETE FROM sweatstack_tokens WHERE user_id = ?",
+            (user_id,),
+        )
+        conn.commit()

sweatstack/fastapi/webhooks.py

@@ -0,0 +1,201 @@
+"""Webhook handling for the FastAPI plugin."""
+
+from __future__ import annotations
+
+import hashlib
+import hmac
+import json
+import time
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, Request
+
+from .config import get_config
+
+
+# ---------------------------------------------------------------------------
+# Exceptions
+# ---------------------------------------------------------------------------
+
+
+class WebhookError(Exception):
+    """Base class for webhook-related errors."""
+
+    pass
+
+
+class WebhookVerificationError(WebhookError):
+    """Raised when webhook signature verification fails."""
+
+    pass
+
+
+class WebhookTokenStoreError(WebhookError):
+    """Raised when TokenStore is required but not configured."""
+
+    pass
+
+
+class WebhookUserNotFoundError(WebhookError):
+    """Raised when no stored tokens exist for the webhook's user_id."""
+
+    pass
+
+
+class WebhookTokenRefreshError(WebhookError):
+    """Raised when token refresh fails in webhook context."""
+
+    pass
+
+
+# ---------------------------------------------------------------------------
+# Webhook payload model
+# ---------------------------------------------------------------------------
+
+
+@dataclass(frozen=True, slots=True)
+class WebhookPayloadModel:
+    """Verified webhook payload data.
+
+    Attributes:
+        user_id: The SweatStack user ID this webhook relates to.
+        event_type: The type of event (e.g., "activity_created").
+        resource_id: The ID of the affected resource.
+        timestamp: When the event occurred.
+    """
+
+    user_id: str
+    event_type: str
+    resource_id: str
+    timestamp: datetime
+
+
+# ---------------------------------------------------------------------------
+# Signature verification
+# ---------------------------------------------------------------------------
+
+TIMESTAMP_TOLERANCE = 300  # 5 minutes
+
+
+def verify_signature(
+    payload: bytes,
+    signature_header: str,
+    secret: str,
+) -> None:
+    """Verify webhook signature.
+
+    SweatStack uses HMAC-SHA256 signatures. The signature header format is:
+    t={timestamp},v1={signature}
+
+    The signed payload is: {timestamp}.{raw_json_body}
+
+    Args:
+        payload: The raw request body bytes.
+        signature_header: The X-Sweatstack-Signature header value.
+        secret: The webhook secret.
+
+    Raises:
+        WebhookVerificationError: If signature is invalid or timestamp too old.
+    """
+    try:
+        parts = dict(p.split("=", 1) for p in signature_header.split(","))
+        timestamp = int(parts["t"])
+        signature = parts["v1"]
+    except (KeyError, ValueError) as e:
+        raise WebhookVerificationError("Invalid signature header format") from e
+
+    # Check timestamp to prevent replay attacks
+    if abs(time.time() - timestamp) > TIMESTAMP_TOLERANCE:
+        raise WebhookVerificationError("Timestamp outside tolerance window")
+
+    # Compute expected signature
+    signed_payload = f"{timestamp}.".encode() + payload
+    expected = hmac.new(
+        secret.encode(),
+        signed_payload,
+        hashlib.sha256,
+    ).hexdigest()
+
+    # Constant-time comparison to prevent timing attacks
+    if not hmac.compare_digest(expected, signature):
+        raise WebhookVerificationError("Invalid signature")
+
+
+# ---------------------------------------------------------------------------
+# FastAPI dependencies
+# ---------------------------------------------------------------------------
+
+
+async def _detect_webhook_context(request: Request) -> WebhookPayloadModel | None:
+    """Detect if this is a webhook request and return verified payload.
+
+    This dependency is cached per-request by FastAPI. It's used by both
+    WebhookPayload (which requires it) and AuthenticatedUser (which uses it
+    to detect webhook context for token loading).
+
+    Returns:
+        WebhookPayloadModel if this is a verified webhook request, None otherwise.
+
+    Raises:
+        WebhookVerificationError: If signature header is present but invalid.
+    """
+    signature = request.headers.get("X-Sweatstack-Signature")
+    if not signature:
+        return None  # Not a webhook request - fast path
+
+    config = get_config()
+
+    if not config.webhook_secret:
+        raise WebhookVerificationError(
+            "Webhook received but webhook_secret not configured. "
+            "Add webhook_secret to configure() to enable webhook handling."
+        )
+
+    body = await request.body()
+    secret = (
+        config.webhook_secret.get_secret_value()
+        if hasattr(config.webhook_secret, "get_secret_value")
+        else config.webhook_secret
+    )
+    verify_signature(body, signature, secret)
+
+    try:
+        data = json.loads(body)
+        return WebhookPayloadModel(
+            user_id=data["user_id"],
+            event_type=data["event_type"],
+            resource_id=data["resource_id"],
+            timestamp=datetime.fromisoformat(data["timestamp"]),
+        )
+    except (json.JSONDecodeError, KeyError, ValueError) as e:
+        raise WebhookVerificationError(f"Invalid webhook payload: {e}") from e
+
+
+async def _require_webhook_payload(
+    webhook_context: Annotated[WebhookPayloadModel | None, Depends(_detect_webhook_context)],
+) -> WebhookPayloadModel:
+    """Dependency that requires a verified webhook payload.
+
+    Raises:
+        HTTPException: If request is not a valid webhook.
+    """
+    if webhook_context is None:
+        raise HTTPException(status_code=400, detail="Missing or invalid webhook signature")
+    return webhook_context
+
+
+# Public type alias for use in endpoint signatures
+WebhookPayload = Annotated[WebhookPayloadModel, Depends(_require_webhook_payload)]
+"""Dependency that returns a verified webhook payload.
+
+The signature is verified before your handler runs. If verification fails,
+a 400 response is returned automatically.
+
+Example:
+    @app.post("/webhooks/sweatstack")
+    def handle_webhook(payload: WebhookPayload):
+        print(f"Event: {payload.event_type} for user {payload.user_id}")
+        return {"status": "received"}
+"""

{sweatstack-0.60.0.dist-info → sweatstack-0.62.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sweatstack
-Version: 0.60.0
+Version: 0.62.0
 Summary: The official Python client for SweatStack
 Author-email: Aart Goossens <aart@gssns.io>
 Requires-Python: >=3.9

{sweatstack-0.60.0.dist-info → sweatstack-0.62.0.dist-info}/RECORD

@@ -11,12 +11,15 @@ sweatstack/streamlit.py,sha256=wnabWhife9eMAdkECPjRKkzE82KZoi_H8YzucZl_m9s,19604
 sweatstack/sweatshell.py,sha256=MYLNcWbOdceqKJ3S0Pe8dwHXEeYsGJNjQoYUXpMTftA,333
 sweatstack/utils.py,sha256=AwHRdC1ziOZ5o9RBIB21Uxm-DoClVRAJSVvgsmSmvps,1801
 sweatstack/Sweat Stack examples/Getting started.ipynb,sha256=k2hiSffWecoQ0VxjdpDcgFzBXDQiYEebhnAYlu8cgX8,6335204
-sweatstack/fastapi/__init__.py,sha256=4_a6oqapT8Pv0sdt6OmuTA_vo4qFSiyXjN5WMLnl0rs,971
-sweatstack/fastapi/config.py,sha256=9u_XXGpX2XdOJO8G2sL_Cx4L_hYUzktozS2MkIs7Fwk,6304
-sweatstack/fastapi/dependencies.py,sha256=K9nuSV5Vduu4hoN94B8rj6UKtUBu9uKtSwEmECDG9vM,5060
-sweatstack/fastapi/routes.py,sha256=ZyaowLYXlOM6a74Cog5uSzPKHNTBvOpIBruaJVzhKjE,5339
+sweatstack/fastapi/__init__.py,sha256=BteLHro6KCVknIgNAp6OS5ZJRWmIXHS4iXOLOSyN2Mc,3216
+sweatstack/fastapi/config.py,sha256=nNiZOeAXbipK4l2mxaPfaLwz2Ml-Eu7n-G46yGlvjA4,8764
+sweatstack/fastapi/dependencies.py,sha256=8kfKqe-js1G7LLe2AR8xpChtoCKrDG3-F0VkZyXMlIo,12620
+sweatstack/fastapi/models.py,sha256=vBImNywlKiw-10ZODRAHZSrWG3Xfla8uuXA0Y-p0Opc,5499
+sweatstack/fastapi/routes.py,sha256=qNRSod_ZWziFptInplmwmrOe5ZwpJbL7kE5LHWJIxC8,13106
 sweatstack/fastapi/session.py,sha256=BtRPCmIEaToJPwFyZ0fqWGlmnDHuWKy8nri9dJrPXaA,2717
-sweatstack-0.60.0.dist-info/METADATA,sha256=XJq9khIsRFJDUVGLB9Vv_qwRutrIHlU4QwHRsLQKdeU,994
-sweatstack-0.60.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-sweatstack-0.60.0.dist-info/entry_points.txt,sha256=kCzOUQI3dqbTpEYqtgYDeiKFaqaA7BMlV6D24BMzCFU,208
-sweatstack-0.60.0.dist-info/RECORD,,
+sweatstack/fastapi/token_stores.py,sha256=-waq0CQLszIp-2uLwWgkMz8IbsmUC7xopvM2F12sbMo,8207
+sweatstack/fastapi/webhooks.py,sha256=ShRQRkarJ3vuEkT1lkl1-_oQbPQTLNkgQ2E6Mm4UepU,6066
+sweatstack-0.62.0.dist-info/METADATA,sha256=SqQNBCJZibHU6qQaQi1ij-OLHAWt082zfxPrXSFiJY4,994
+sweatstack-0.62.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+sweatstack-0.62.0.dist-info/entry_points.txt,sha256=kCzOUQI3dqbTpEYqtgYDeiKFaqaA7BMlV6D24BMzCFU,208
+sweatstack-0.62.0.dist-info/RECORD,,