the37lab-authlib 0.1.1751371611__py3-none-any.whl → 0.1.1768813136__py3-none-any.whl

the37lab_authlib/db.py

@@ -1,15 +1,28 @@
 import psycopg2
 from psycopg2.extras import RealDictCursor
+from psycopg2 import pool
 from contextlib import contextmanager
 from .models import UUIDGenerator, IntegerGenerator
 
 class Database:
-    def __init__(self, dsn, id_type='uuid'):
+    def __init__(self, dsn, id_type='uuid', min_conn=1, max_conn=10):
         self.dsn = dsn
         self.id_generator = UUIDGenerator() if id_type == 'uuid' else IntegerGenerator()
         self.id_type = id_type
+        self.min_conn = min_conn
+        self.max_conn = max_conn
+        self._pool = None
+        self._init_pool()
         self._init_db()
 
+    def _init_pool(self):
+        self._pool = pool.ThreadedConnectionPool(
+            self.min_conn,
+            self.max_conn,
+            self.dsn,
+            cursor_factory=RealDictCursor
+        )
+
     def _init_db(self):
         with self.get_connection() as conn:
             with conn.cursor() as cur:
@@ -47,6 +60,31 @@ class Database:
                         expires_at TIMESTAMP,
                         last_used_at TIMESTAMP
                     );
+
+                    CREATE TABLE IF NOT EXISTS groups (
+                        id {self._get_id_type()} PRIMARY KEY,
+                        name VARCHAR(255) UNIQUE NOT NULL,
+                        description TEXT,
+                        created_at TIMESTAMP NOT NULL
+                    );
+
+                    CREATE TABLE IF NOT EXISTS group_users (
+                        group_id {self._get_id_type()} REFERENCES groups(id),
+                        user_id {self._get_id_type()} REFERENCES users(id),
+                        PRIMARY KEY (group_id, user_id)
+                    );
+
+                    CREATE TABLE IF NOT EXISTS group_groups (
+                        group_id {self._get_id_type()} REFERENCES groups(id),
+                        child_group_id {self._get_id_type()} REFERENCES groups(id),
+                        PRIMARY KEY (group_id, child_group_id)
+                    );
+
+                    CREATE TABLE IF NOT EXISTS group_roles (
+                        group_id {self._get_id_type()} REFERENCES groups(id),
+                        role_id {self._get_id_type()} REFERENCES roles(id),
+                        PRIMARY KEY (group_id, role_id)
+                    );
                 """)
 
     def _get_id_type(self):
@@ -54,7 +92,7 @@ class Database:
 
     @contextmanager
     def get_connection(self):
-        conn = psycopg2.connect(self.dsn, cursor_factory=RealDictCursor)
+        conn = self._pool.getconn()
         try:
             yield conn
             conn.commit()
@@ -62,7 +100,7 @@ class Database:
             conn.rollback()
             raise
         finally:
-            conn.close()
+            self._pool.putconn(conn)
 
     @contextmanager
     def get_cursor(self):
@@ -71,4 +109,8 @@ class Database:
                 yield cur
 
     def get_id_generator(self):
-        return self.id_generator 
+        return self.id_generator
+
+    def close(self):
+        if self._pool:
+            self._pool.closeall()

the37lab_authlib/decorators.py

@@ -20,8 +20,12 @@ def require_auth(roles=None):
                 decorated_func = auth_decorator(f)
                 
                 # Check roles if specified
-                if roles and not any(role in user['roles'] for role in roles):
-                    raise AuthError('Insufficient permissions', 403)
+                if roles:
+                    user_roles = set(user.get('roles', []))
+                    expanded_user_roles = current_app.auth_manager._expand_roles(user_roles)
+                    required_roles = set(roles)
+                    if not expanded_user_roles.intersection(required_roles):
+                        raise AuthError('Insufficient permissions', 403)
                     
                 # Now execute the function
                 return decorated_func(*args, **kwargs)

the37lab_authlib-0.1.1768813136.dist-info/METADATA

@@ -0,0 +1,19 @@
+Metadata-Version: 2.4
+Name: the37lab_authlib
+Version: 0.1.1768813136
+Summary: Python SDK for the Authlib
+Author-email: the37lab <info@the37lab.com>
+Classifier: Programming Language :: Python :: 3
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: flask
+Requires-Dist: psycopg2-binary
+Requires-Dist: pyjwt
+Requires-Dist: python-dotenv
+Requires-Dist: requests
+Requires-Dist: authlib
+Requires-Dist: bcrypt
+Requires-Dist: msal
+Requires-Dist: slack-sdk
+Requires-Dist: cachetools

the37lab_authlib-0.1.1768813136.dist-info/RECORD

@@ -0,0 +1,11 @@
+the37lab_authlib/__init__.py,sha256=cFVTWL-0YIMqwOMVy1P8mOt_bQODJp-L9bfp2QQ8CTo,132
+the37lab_authlib/_git_version.txt,sha256=CrWzycLKyBIHzUIn0w-HoMZUmfbnfTWW7M19s8MxG_8,103
+the37lab_authlib/auth.py,sha256=q0bL86C8dL5eFTqyvhjPjHoANZgE_-L5mp5UWuHkB50,90655
+the37lab_authlib/db.py,sha256=-supyzQGL7ej-Vhl3ViFMIlBUVkvZe_-Wg4RuIh9ijU,4359
+the37lab_authlib/decorators.py,sha256=9tfAPP7eMCPXUEDpiLOs1Fya_bstX6cYM2cn35tCNio,1534
+the37lab_authlib/exceptions.py,sha256=mdplK5sKNtagPAzSGq5NGsrQ4r-k03DKJBKx6myWwZc,317
+the37lab_authlib/models.py,sha256=-PlvQlHGIsSdrH0H9Cdh_vTPlltGV8G1Z1mmGQvAg9Y,3422
+the37lab_authlib-0.1.1768813136.dist-info/METADATA,sha256=d9eWR-MisU1GICD_5bJ9SjcXwljI5SzeZqWC27wfhpI,548
+the37lab_authlib-0.1.1768813136.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+the37lab_authlib-0.1.1768813136.dist-info/top_level.txt,sha256=6Jmxw4UeLrhfJXgRKbXWY4OhxRSaMs0dKKhNCGWWSwc,17
+the37lab_authlib-0.1.1768813136.dist-info/RECORD,,

the37lab_authlib-0.1.1751371611.dist-info/METADATA

@@ -1,250 +0,0 @@
-Metadata-Version: 2.4
-Name: the37lab_authlib
-Version: 0.1.1751371611
-Summary: Python SDK for the Authlib
-Author-email: the37lab <info@the37lab.com>
-Classifier: Programming Language :: Python :: 3
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.9
-Description-Content-Type: text/markdown
-Requires-Dist: flask
-Requires-Dist: psycopg2-binary
-Requires-Dist: pyjwt
-Requires-Dist: python-dotenv
-Requires-Dist: requests
-Requires-Dist: authlib
-Requires-Dist: bcrypt
-
-# AuthLib
-
-A Python authentication library that provides JWT, OAuth2, and API token authentication with PostgreSQL backend. This library is designed for seamless integration with Flask applications and provides a robust set of endpoints and utilities for user management, authentication, and API token handling.
-
-## Table of Contents
-- [AuthLib](#authlib)
-  - [Table of Contents](#table-of-contents)
-  - [Installation](#installation)
-  - [Quick Start](#quick-start)
-  - [Configuration](#configuration)
-    - [Required Parameters](#required-parameters)
-    - [Optional Parameters](#optional-parameters)
-      - [Example `oauth_config`:](#example-oauth_config)
-  - [API Endpoints](#api-endpoints)
-    - [Authentication](#authentication)
-    - [User Management](#user-management)
-    - [API Tokens](#api-tokens)
-  - [Authentication Flow](#authentication-flow)
-  - [User Object](#user-object)
-  - [Token Management](#token-management)
-  - [Development](#development)
-    - [Setup](#setup)
-    - [Database Setup](#database-setup)
-    - [Running Tests](#running-tests)
-  - [API Token Override for Testing](#api-token-override-for-testing)
-    - [Usage](#usage)
-    - [Warning](#warning)
-  - [User Override for Testing](#user-override-for-testing)
-    - [Usage](#usage-1)
-    - [Warning](#warning-1)
-
-## Installation
-
-```bash
-pip install -e .
-```
-
-## Quick Start
-
-```python
-from flask import Flask
-from authlib import AuthManager
-
-app = Flask(__name__)
-
-# Option 1: Explicit configuration
-auth = AuthManager(
-    app=app,
-    db_dsn="postgresql://user:pass@localhost/dbname",
-    jwt_secret="your-secret-key",
-    oauth_config={
-        "google": {
-            "client_id": "your-client-id",
-            "client_secret": "your-client-secret"
-        }
-    }
-)
-
-# Option 2: Use environment variables with a prefix (e.g., AMPA_)
-# This will load:
-#   AMPA_DATABASE_URL, AMPA_JWT_SECRET, AMPA_GOOGLE_CLIENT_ID, AMPA_GOOGLE_CLIENT_SECRET
-# auth = AuthManager(app=app, environment_prefix="AMPA")
-
-@app.route("/protected")
-@auth.require_auth(roles=["admin"])
-def protected_route():
-    return "Protected content"
-
-@app.route("/public")
-@auth.public_endpoint
-def custom_public_route():
-    return "Public content"
-```
-
-`AuthManager`'s blueprint now registers a global error handler for
-`AuthError` and authenticates requests for all of its routes by default.
-Authenticated users are made available as `flask.g.requesting_user`.
-Only the login, OAuth, token refresh, registration and role listing
-endpoints are exempt from this check. Additional routes can be marked as
-public using the `@auth.public_endpoint` decorator or
-`auth.add_public_endpoint("auth.some_endpoint")`.
-
-## Configuration
-
-### Required Parameters
-- `app`: Flask application instance
-- `db_dsn`: PostgreSQL connection string
-- `jwt_secret`: Secret key for JWT signing
-
-### Optional Parameters
-- `oauth_config`: Dictionary of OAuth provider configurations (see below)
-- `token_expiry`: JWT token expiry time in seconds (default: 3600)
-- `refresh_token_expiry`: Refresh token expiry time in seconds (default: 2592000)
-- `environment_prefix`: If set, loads all configuration from environment variables with this prefix (e.g., `AMPA_DATABASE_URL`, `AMPA_JWT_SECRET`, `AMPA_GOOGLE_CLIENT_ID`, `AMPA_GOOGLE_CLIENT_SECRET`). Overrides other config if set.
-
-#### Example `oauth_config`:
-```python
-{
-    "google": {
-        "client_id": "...",
-        "client_secret": "..."
-    },
-    "github": {
-        "client_id": "...",
-        "client_secret": "..."
-    }
-}
-```
-
-## API Endpoints
-
-### Authentication
-- `POST /api/v1/users/login` - Login with username/password
-  - **Request:** `{ "username": "string", "password": "string" }`
-  - **Response:** `{ "token": "jwt", "refresh_token": "jwt", "user": { ... } }`
-- `POST /api/v1/users/login/oauth` - Get OAuth redirect URL
-  - **Request:** `{ "provider": "google|github|..." }`
-  - **Response:** `{ "redirect_url": "string" }`
-- `GET /api/v1/users/login/oauth2callback` - OAuth callback
-  - **Query Params:** `code`, `state`, `provider`
-  - **Response:** `{ "token": "jwt", "refresh_token": "jwt", "user": { ... } }`
-- `POST /api/v1/users/token-refresh` - Refresh JWT token
-  - **Request:** `{ "refresh_token": "jwt" }`
-  - **Response:** `{ "token": "jwt", "refresh_token": "jwt" }`
-
-### User Management
-- `POST /api/v1/users/register` - Register new user
-  - **Request:** `{ "username": "string", "password": "string", "email": "string", ... }`
-  - **Response:** `{ "user": { ... }, "token": "jwt", "refresh_token": "jwt" }`
-- `GET /api/v1/users/login/profile` - Get user profile
-  - **Auth:** Bearer JWT
-  - **Response:** `{ "user": { ... } }`
-- `GET /api/v1/users/roles` - Get available roles
-  - **Response:** `[ "admin", "user", ... ]`
-
-### API Tokens
-- `POST /api/v1/users/{user}/api-tokens` - Create API token
-  - **Request:** `{ "name": "string", "scopes": [ ... ] }`
-  - **Response:** `{ "token": "string", "id": "uuid", ... }`
-- `GET /api/v1/users/{user}/api-tokens` - List API tokens
-  - **Response:** `[ { "id": "uuid", "name": "string", ... } ]`
-- `DELETE /api/v1/users/{user}/api-tokens/{token_id}` - Delete API token
-  - **Response:** `{ "success": true }`
-
-## Authentication Flow
-
-1. **Login:**
-   - User submits credentials to `/api/v1/users/login`.
-   - Receives JWT and refresh token.
-2. **Token Refresh:**
-   - Use `/api/v1/users/token-refresh` with refresh token to get new JWT.
-3. **OAuth:**
-   - Get redirect URL from `/api/v1/users/login/oauth`.
-   - Complete OAuth flow via `/api/v1/users/login/oauth2callback`.
-4. **Protected Routes:**
-   - All routes inside the provided blueprint are authenticated by default.
-     The authenticated user can be accessed via `g.requesting_user`.
-     Use `@auth.require_auth()` to protect custom routes in your application.
-
-## User Object
-
-The user object returned by the API typically includes:
-```json
-{
-  "id": "uuid",
-  "username": "string",
-  "email": "string",
-  "roles": ["user", "admin"],
-  "created_at": "timestamp",
-  "last_login": "timestamp"
-}
-```
-
-## Token Management
-- **JWT:** Used for authenticating API requests. Include in `Authorization: Bearer <token>` header.
-- **Refresh Token:** Used to obtain new JWTs without re-authenticating.
-- **API Tokens:** Long-lived tokens for programmatic access, managed per user.
-
-## Development
-
-### Setup
-1. Clone the repository
-2. Create virtual environment:
-```bash
-python -m venv venv
-venv\Scripts\activate
-```
-3. Install dependencies:
-```bash
-pip install -e ".[dev]"
-```
-
-### Database Setup
-```bash
-createdb authlib
-python -m authlib.cli db init
-```
-
-### Running Tests
-```bash
-pytest
-```
-
-## API Token Override for Testing
-
-For testing purposes, you can bypass the database and provide a static mapping of API tokens to usernames using the `api_tokens` argument to `AuthManager` or the `{PREFIX}API_TOKENS` environment variable.
-
-### Usage
-
-- **Constructor argument:**
-  ```python
-  AuthManager(api_tokens={"token1": "user1", "token2": "user2"})
-  ```
-- **Environment variable:**
-  Set `{PREFIX}API_TOKENS` to a comma-separated list of `token:username` pairs, e.g.:
-  ```
-  export MYAPP_API_TOKENS="token1:user1,token2:user2"
-  ```
-  Replace `MYAPP` with your environment prefix.
-
-**Warning:** This method is intended only for testing and development. Do not use this approach in production environments.
-
-## User Override for Testing
-
-For testing purposes, you can force all authentication to return a specific user by setting the `{PREFIX}USER_OVERRIDE` environment variable:
-
-```bash
-export MYAPP_USER_OVERRIDE="testuser"
-```
-
-If set, all requests will be authenticated as the specified user, regardless of any tokens or credentials provided. This cannot be combined with `api_tokens` or `db_dsn`.
-
-**Warning:** This method is intended only for testing and development. Do not use this approach in production environments.

the37lab_authlib-0.1.1751371611.dist-info/RECORD

@@ -1,10 +0,0 @@
-the37lab_authlib/__init__.py,sha256=cFVTWL-0YIMqwOMVy1P8mOt_bQODJp-L9bfp2QQ8CTo,132
-the37lab_authlib/auth.py,sha256=NKQ-k2QDB4ddw6QKO76RL5WeRpX2gNcpVr6VSHX2yrc,23358
-the37lab_authlib/db.py,sha256=fTXxnfju0lmbFGPVbXpTMeDmJMeBgURVZTndyxyRyCc,2734
-the37lab_authlib/decorators.py,sha256=L-gJUUwDUT2JXTptQ6XEey1LkI5RprbqzEfArWI7F8Y,1305
-the37lab_authlib/exceptions.py,sha256=mdplK5sKNtagPAzSGq5NGsrQ4r-k03DKJBKx6myWwZc,317
-the37lab_authlib/models.py,sha256=-PlvQlHGIsSdrH0H9Cdh_vTPlltGV8G1Z1mmGQvAg9Y,3422
-the37lab_authlib-0.1.1751371611.dist-info/METADATA,sha256=J3mleZGwizcERDRBfrFnBW-21tTRh4nzfmWR575z3Bk,8319
-the37lab_authlib-0.1.1751371611.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-the37lab_authlib-0.1.1751371611.dist-info/top_level.txt,sha256=6Jmxw4UeLrhfJXgRKbXWY4OhxRSaMs0dKKhNCGWWSwc,17
-the37lab_authlib-0.1.1751371611.dist-info/RECORD,,