the37lab-authlib 0.1.1756367559__tar.gz → 0.1.1756730814__tar.gz

{the37lab_authlib-0.1.1756367559 → the37lab_authlib-0.1.1756730814}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: the37lab_authlib
-Version: 0.1.1756367559
+Version: 0.1.1756730814
 Summary: Python SDK for the Authlib
 Author-email: the37lab <info@the37lab.com>
 Classifier: Programming Language :: Python :: 3

{the37lab_authlib-0.1.1756367559 → the37lab_authlib-0.1.1756730814}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "the37lab_authlib"
-version = "0.1.1756367559"
+version = "0.1.1756730814"
 description = "Python SDK for the Authlib"
 authors = [{name = "the37lab", email = "info@the37lab.com"}]
 dependencies = ["flask", "psycopg2-binary", "pyjwt", "python-dotenv", "requests", "authlib", "bcrypt"]

{the37lab_authlib-0.1.1756367559 → the37lab_authlib-0.1.1756730814}/src/the37lab_authlib/auth.py

@@ -12,13 +12,25 @@ import logging
 import os
 from functools import wraps
 from isodate import parse_duration
+import threading
+import time
+import msal
 
 logging.basicConfig(level=logging.DEBUG)
 logger = logging.getLogger(__name__)
 
 class AuthManager:
-    def __init__(self, app=None, db_dsn=None, jwt_secret=None, oauth_config=None, id_type='integer', environment_prefix=None, api_tokens=None):
+    def __init__(self, app=None, db_dsn=None, jwt_secret=None, oauth_config=None, id_type='integer', environment_prefix=None, api_tokens=None, cache_ttl=10, allow_oauth_auto_create=False):
         self.user_override = None
+        self._user_cache = {}
+        self._cache_ttl = cache_ttl or 10  # 10 seconds
+        self._last_used_updates = {}  # Track pending updates
+        self._update_lock = threading.Lock()
+        self._update_thread = None
+        self._shutdown_event = threading.Event()
+        # OAuth user creation policy (can be controlled by env)
+        self.allow_oauth_auto_create = allow_oauth_auto_create
+
         if environment_prefix:
             prefix = environment_prefix.upper() + '_'
             db_dsn = os.getenv(f'{prefix}DATABASE_URL')
@@ -31,6 +43,10 @@ class AuthManager:
                     'client_id': google_client_id,
                     'client_secret': google_client_secret
                 }
+            # Allow control via prefixed env var (defaults to True)
+            auto_create_env = os.getenv(f'{prefix}OAUTH_ALLOW_AUTO_CREATE')
+            if auto_create_env is not None:
+                self.allow_oauth_auto_create = auto_create_env.lower() in ['1', 'true', 'yes']
             api_tokens_env = os.getenv(f'{prefix}API_TOKENS')
             if api_tokens_env:
                 api_tokens = {}
@@ -65,6 +81,9 @@ class AuthManager:
         
         if app:
             self.init_app(app)
+        
+        # Start the background update thread
+        self._start_update_thread()
 
     def _extract_token_from_header(self):
         auth = request.authorization
@@ -96,17 +115,34 @@ class AuthManager:
             }
         try:
             parsed = ApiToken.parse_token(api_token)
+            
+            # Check cache first
+            cache_key = f"api_token_{parsed['id']}"
+            current_time = datetime.utcnow()
+            
+            if cache_key in self._user_cache:
+                cached_data, cache_time = self._user_cache[cache_key]
+                if (current_time - cache_time).total_seconds() < self._cache_ttl:
+                    logger.debug(f"Returning cached API token data for ID: {parsed['id']}")
+                    return cached_data.copy()  # Return a copy to avoid modifying cache
+            
+            # Cache miss or expired, fetch from database
             with self.db.get_cursor() as cur:
                 # First get the API token record
                 cur.execute("""
-                    SELECT t.*, u.* FROM api_tokens t
+                    SELECT t.*, u.*, r.name as role_name FROM api_tokens t
                     JOIN users u ON t.user_id = u.id
+                    LEFT JOIN user_roles ur ON ur.user_id = u.id
+                    LEFT JOIN roles r ON ur.role_id = r.id
                     WHERE t.id = %s
                 """, (parsed['id'],))
-                result = cur.fetchone()
-                if not result:
+                results = cur.fetchall()
+                if not results:
                     raise AuthError('Invalid API token')
 
+                # Get the first row for token/user data (all rows will have same token/user data)
+                result = results[0]
+                
                 # Verify the nonce
                 if not bcrypt.checkpw(parsed['nonce'].encode('utf-8'), result['token'].encode('utf-8')):
                     raise AuthError('Invalid API token')
@@ -115,29 +151,28 @@ class AuthManager:
                 if result['expires_at'] and result['expires_at'] < datetime.utcnow():
                     raise AuthError('API token has expired')
 
-                # Update last used timestamp
-                cur.execute("""
-                    UPDATE api_tokens 
-                    SET last_used_at = %s
-                    WHERE id = %s
-                """, (datetime.utcnow(), parsed['id']))
+                # Schedule last used timestamp update (asynchronous with 10s delay)
+                self._schedule_last_used_update(parsed['id'])
 
-                # Fetch roles
-                cur.execute("""
-                    SELECT r.name FROM roles r
-                    JOIN user_roles ur ON ur.role_id = r.id
-                    WHERE ur.user_id = %s
-                """, (result['user_id'],))
-                roles = [row['name'] for row in cur.fetchall()]
+                # Extract roles from results
+                roles = [row['role_name'] for row in results if row['role_name'] is not None]
 
                 # Construct user object
-                return {
+                user_data = {
                     'id': result['user_id'],
                     'username': result['username'],
                     'email': result['email'],
                     'real_name': result['real_name'],
                     'roles': roles
                 }
+
+            # Cache the result
+            self._user_cache[cache_key] = (user_data.copy(), current_time)
+            
+            # Clean up expired cache entries
+            self._cleanup_cache()
+            
+            return user_data
         except ValueError:
             raise AuthError('Invalid token format')
 
@@ -270,14 +305,30 @@ class AuthManager:
             
             if not code or not provider:
                 raise AuthError('Invalid OAuth callback', 400)
-
-            user_info = self._get_oauth_user_info(provider, code)
-            token = self._create_token(user_info)
-            refresh_token = self._create_refresh_token(user_info)
-            
-            # Redirect to frontend with tokens
+            from urllib.parse import urlencode
             frontend_url = os.getenv('FRONTEND_URL', 'http://localhost:5173')
-            return redirect(f"{frontend_url}/oauth-callback?token={token}&refresh_token={refresh_token}")
+            
+            #if provider == 'microsoft':
+            #    client = msal.ConfidentialClientApplication(
+            #        self.oauth_config[provider]['client_id'], client_credential=self.oauth_config[provider]['client_secret'], authority=f"https://login.microsoftonline.com/common"
+            #    )
+            #    result = client.acquire_token_by_authorization_code(code, scopes=["email"], redirect_uri=self.get_redirect_uri())
+            #    code = result['access_token']
+            
+            try:
+                user_info = self._get_oauth_user_info(provider, code)
+                token = self._create_token(user_info)
+                refresh_token = self._create_refresh_token(user_info)
+                # Redirect to frontend with tokens
+                return redirect(f"{frontend_url}/oauth-callback?" + urlencode({'token': token, 'refresh_token': refresh_token}))
+            except AuthError as e:
+                # Surface error to frontend for user-friendly messaging
+                params = {
+                    'error': str(e.message) if hasattr(e, 'message') else str(e),
+                    'status': getattr(e, 'status_code', 500),
+                    'provider': provider,
+                }
+                return redirect(f"{frontend_url}/oauth-callback?" + urlencode(params))
 
         @bp.route('/login/profile')
         def profile():
@@ -441,21 +492,42 @@ class AuthManager:
             logger.debug(f"Token payload: {payload}")
             user_id = int(payload['sub'])  # Convert string ID back to integer
             
+            # Check cache first
+            cache_key = f"user_{user_id}"
+            current_time = datetime.utcnow()
+            
+            if cache_key in self._user_cache:
+                cached_data, cache_time = self._user_cache[cache_key]
+                if (current_time - cache_time).total_seconds() < self._cache_ttl:
+                    logger.debug(f"Returning cached user data for ID: {user_id}")
+                    return cached_data.copy()  # Return a copy to avoid modifying cache
+            
+            # Cache miss or expired, fetch from database
             with self.db.get_cursor() as cur:
-                cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
-                user = cur.fetchone()
-                if not user:
-                    logger.error(f"User not found for ID: {user_id}")
-                    raise AuthError('User not found', 404)
-                # Fetch roles
                 cur.execute("""
-                    SELECT r.name FROM roles r
-                    JOIN user_roles ur ON ur.role_id = r.id
-                    WHERE ur.user_id = %s
+                    SELECT u.*, r.name as role_name FROM users u
+                    LEFT JOIN user_roles ur ON ur.user_id = u.id
+                    LEFT JOIN roles r ON ur.role_id = r.id
+                    WHERE u.id = %s
                 """, (user_id,))
-                roles = [row['name'] for row in cur.fetchall()]
+                results = cur.fetchall()
+                if not results:
+                    logger.error(f"User not found for ID: {user_id}")
+                    raise AuthError('User not found', 404)
+                
+                # Get the first row for user data (all rows will have same user data)
+                user = results[0]
+                
+                # Extract roles from results
+                roles = [row['role_name'] for row in results if row['role_name'] is not None]
                 user['roles'] = roles
 
+            # Cache the result
+            self._user_cache[cache_key] = (user.copy(), current_time)
+            
+            # Clean up expired cache entries
+            self._cleanup_cache()
+            
             return user
         except jwt.InvalidTokenError as e:
             logger.error(f"Invalid token error: {str(e)}")
@@ -464,6 +536,78 @@ class AuthManager:
             logger.error(f"Unexpected error during token validation: {str(e)}")
             raise AuthError(str(e), 500)
 
+    def _cleanup_cache(self):
+        """Remove expired cache entries."""
+        current_time = datetime.utcnow()
+        expired_keys = [
+            key for key, (_, cache_time) in self._user_cache.items()
+            if (current_time - cache_time).total_seconds() >= self._cache_ttl
+        ]
+        for key in expired_keys:
+            del self._user_cache[key]
+
+    def _start_update_thread(self):
+        """Start the background thread for processing last_used_at updates."""
+        if self._update_thread is None or not self._update_thread.is_alive():
+            self._update_thread = threading.Thread(target=self._update_worker, daemon=True)
+            self._update_thread.start()
+            logger.debug("Started background update thread")
+
+    def _schedule_last_used_update(self, token_id):
+        """Schedule a last_used_at update for an API token with 10s delay."""
+        with self._update_lock:
+            self._last_used_updates[token_id] = time.time()
+            logger.debug(f"Scheduled last_used update for token {token_id}")
+
+    def _update_worker(self):
+        """Background worker that processes last_used_at updates."""
+        while not self._shutdown_event.is_set():
+            try:
+                current_time = time.time()
+                tokens_to_update = []
+                
+                # Collect tokens that need updating (older than 10 seconds)
+                with self._update_lock:
+                    for token_id, schedule_time in list(self._last_used_updates.items()):
+                        if current_time - schedule_time >= 10:  # 10 second delay
+                            tokens_to_update.append(token_id)
+                            del self._last_used_updates[token_id]
+                
+                # Perform batch update
+                if tokens_to_update:
+                    self._perform_batch_update(tokens_to_update)
+                
+                # Sleep for a short interval
+                time.sleep(10)
+                
+            except Exception as e:
+                logger.error(f"Error in update worker: {e}")
+                time.sleep(5)  # Wait longer on error
+
+    def _perform_batch_update(self, token_ids):
+        """Perform batch update of last_used_at for multiple tokens."""
+        try:
+            with self.db.get_cursor() as cur:
+                # Update all tokens in a single query
+                placeholders = ','.join(['%s'] * len(token_ids))
+                cur.execute(f"""
+                    UPDATE api_tokens 
+                    SET last_used_at = %s
+                    WHERE id IN ({placeholders})
+                """, [datetime.utcnow()] + token_ids)
+                
+                logger.debug(f"Updated last_used_at for {len(token_ids)} tokens: {token_ids}")
+                
+        except Exception as e:
+            logger.error(f"Error performing batch update: {e}")
+
+    def shutdown(self):
+        """Shutdown the background update thread."""
+        self._shutdown_event.set()
+        if self._update_thread and self._update_thread.is_alive():
+            self._update_thread.join(timeout=5)
+            logger.debug("Background update thread shutdown complete")
+
     def get_current_user(self):
         return self._authenticate_request()
 
@@ -512,72 +656,197 @@ class AuthManager:
         return bcrypt.checkpw(password.encode('utf-8'), password_hash.encode('utf-8'))
 
     def _get_oauth_url(self, provider, redirect_uri):
-        if provider == 'google':
-            client_id = self.oauth_config['google']['client_id']
-            scope = 'openid email profile'
-            state = provider  # Pass provider as state for callback
-            return f'https://accounts.google.com/o/oauth2/v2/auth?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&scope={scope}&state={state}'
-        raise AuthError('Invalid OAuth provider')
+        meta = self._get_provider_meta(provider)
+        client_id = self.oauth_config[provider]['client_id']
+        scope = self.oauth_config[provider].get('scope', meta['default_scope'])
+        state = provider  # Pass provider as state for callback
+        # Some providers require additional params
+        params = {
+            'client_id': client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': 'code',
+            'scope': scope,
+            'state': state
+        }
+        # Facebook requires display; GitHub supports prompt
+        if provider == 'facebook':
+            params['display'] = 'page'
+        # Build URL
+        from urllib.parse import urlencode
+        return f"{meta['auth_url']}?{urlencode(params)}"
 
     def _get_oauth_user_info(self, provider, code):
-        if provider == 'google':
-            client_id = self.oauth_config['google']['client_id']
-            client_secret = self.oauth_config['google']['client_secret']
-            redirect_uri = self.get_redirect_uri()
-
-            # Exchange code for tokens
-            token_url = 'https://oauth2.googleapis.com/token'
+        meta = self._get_provider_meta(provider)
+        client_id = self.oauth_config[provider]['client_id']
+        client_secret = self.oauth_config[provider]['client_secret']
+        redirect_uri = self.get_redirect_uri()
+
+
+        if provider == 'microsoft':
+            import msal
+            client = msal.ConfidentialClientApplication(
+                client_id, 
+                client_credential=client_secret, 
+                authority="https://login.microsoftonline.com/common"
+            )
+            tokens = client.acquire_token_by_authorization_code(
+                code, 
+                scopes=["email"], 
+                redirect_uri=redirect_uri
+            )
+        else:
+            # Standard OAuth flow for other providers
             token_data = {
                 'client_id': client_id,
                 'client_secret': client_secret,
                 'code': code,
                 'grant_type': 'authorization_code',
-                'redirect_uri': redirect_uri
+                'redirect_uri': redirect_uri,
+                'scope': meta['default_scope']
             }
-            token_response = requests.post(token_url, data=token_data)
+            token_headers = {}
+            if provider == 'github':
+                token_headers['Accept'] = 'application/json'
+            token_response = requests.post(meta['token_url'], data=token_data, headers=token_headers)
             logger.info("TOKEN RESPONSE: {} {} {} [[[{}]]]".format(token_response.text, token_response.status_code, token_response.headers, token_data))
             token_response.raise_for_status()
             tokens = token_response.json()
 
-            # Get user info
-            userinfo_url = 'https://www.googleapis.com/oauth2/v3/userinfo'
-            userinfo_response = requests.get(
-                userinfo_url,
-                headers={'Authorization': f"Bearer {tokens['access_token']}"}
-            )
-            userinfo_response.raise_for_status()
-            userinfo = userinfo_response.json()
 
-            # Create or update user
-            with self.db.get_cursor() as cur:
-                cur.execute("SELECT * FROM users WHERE email = %s", (userinfo['email'],))
-                user = cur.fetchone()
+        access_token = tokens.get('access_token') or tokens.get('id_token')
+        if not access_token:
+            # Some providers return id_token separately but require access_token for userinfo
+            access_token = tokens.get('access_token')
 
-                if not user:
-                    # Create new user
-                    user = User(
-                        username=userinfo['email'],
-                        email=userinfo['email'],
-                        real_name=userinfo.get('name', userinfo['email']),
-                        id_generator=self.db.get_id_generator()
-                    )
-                    cur.execute("""
-                        INSERT INTO users (username, email, real_name, created_at, updated_at)
-                        VALUES (%s, %s, %s, %s, %s)
-                        RETURNING id
-                    """, (user.username, user.email, user.real_name, 
-                          user.created_at, user.updated_at))
-                    user.id = cur.fetchone()['id']
-                    user = {'id': user.id, 'username': user.username, 'email': user.email, 
-                           'real_name': user.real_name, 'roles': []}
-                else:
-                    # Update existing user
-                    cur.execute("""
-                        UPDATE users 
-                        SET real_name = %s, updated_at = %s
-                        WHERE email = %s
-                    """, (userinfo.get('name', userinfo['email']), datetime.utcnow(), userinfo['email']))
-                    user['real_name'] = userinfo.get('name', userinfo['email'])
+        # Build userinfo request
+        userinfo_url = meta['userinfo_url']
+        userinfo_headers = {'Authorization': f"Bearer {access_token}"}
+        if provider == 'facebook':
+            # Ensure fields
+            from urllib.parse import urlencode
+            userinfo_url = f"{userinfo_url}?{urlencode({'fields': 'id,name,email'})}"
 
-            return user
-        raise AuthError('Invalid OAuth provider') 
+        userinfo_response = requests.get(userinfo_url, headers=userinfo_headers)
+        userinfo_response.raise_for_status()
+        raw_userinfo = userinfo_response.json()
+
+        # Special handling for GitHub missing email
+        if provider == 'github' and not raw_userinfo.get('email'):
+            emails_resp = requests.get('https://api.github.com/user/emails', headers={**userinfo_headers, 'Accept': 'application/vnd.github+json'})
+            if emails_resp.ok:
+                emails = emails_resp.json()
+                primary = next((e for e in emails if e.get('primary') and e.get('verified')), None)
+                raw_userinfo['email'] = (primary or (emails[0] if emails else {})).get('email')
+
+
+
+
+        # Normalize
+        norm = self._normalize_userinfo(provider, raw_userinfo)
+        if not norm.get('email'):
+            # Fallback pseudo-email if allowed
+            norm['email'] = f"{norm['sub']}@{provider}.local"
+
+        # Create or update user
+        with self.db.get_cursor() as cur:
+            cur.execute("SELECT * FROM users WHERE email = %s", (norm['email'],))
+            user = cur.fetchone()
+
+            if not user:
+                if not self.allow_oauth_auto_create:
+                    raise AuthError('User not found and auto-create disabled', 403)
+                # Create new user (auto-create enabled)
+                user_obj = User(
+                    username=norm['email'],
+                    email=norm['email'],
+                    real_name=norm.get('name', norm['email']),
+                    id_generator=self.db.get_id_generator()
+                )
+                cur.execute("""
+                    INSERT INTO users (username, email, real_name, created_at, updated_at)
+                    VALUES (%s, %s, %s, %s, %s)
+                    RETURNING id
+                """, (user_obj.username, user_obj.email, user_obj.real_name, 
+                      user_obj.created_at, user_obj.updated_at))
+                new_id = cur.fetchone()['id']
+                user = {'id': new_id, 'username': user_obj.username, 'email': user_obj.email, 
+                        'real_name': user_obj.real_name, 'roles': []}
+            else:
+                # Update existing user
+                cur.execute("""
+                    UPDATE users 
+                    SET real_name = %s, updated_at = %s
+                    WHERE email = %s
+                """, (norm.get('name', norm['email']), datetime.utcnow(), norm['email']))
+                user['real_name'] = norm.get('name', norm['email'])
+
+        return user
+
+    def _get_provider_meta(self, provider):
+        providers = {
+            'google': {
+                'auth_url': 'https://accounts.google.com/o/oauth2/v2/auth',
+                'token_url': 'https://oauth2.googleapis.com/token',
+                'userinfo_url': 'https://www.googleapis.com/oauth2/v3/userinfo',
+                'default_scope': 'openid email profile'
+            },
+            'github': {
+                'auth_url': 'https://github.com/login/oauth/authorize',
+                'token_url': 'https://github.com/login/oauth/access_token',
+                'userinfo_url': 'https://api.github.com/user',
+                'default_scope': 'read:user user:email'
+            },
+            'facebook': {
+                'auth_url': 'https://www.facebook.com/v11.0/dialog/oauth',
+                'token_url': 'https://graph.facebook.com/v11.0/oauth/access_token',
+                'userinfo_url': 'https://graph.facebook.com/me',
+                'default_scope': 'email public_profile'
+            },
+            'microsoft': {
+                'auth_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+                'token_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+                'userinfo_url': 'https://graph.microsoft.com/oidc/userinfo',
+                'default_scope': 'openid email profile'
+            },
+            'linkedin': {
+                'auth_url': 'https://www.linkedin.com/oauth/v2/authorization',
+                'token_url': 'https://www.linkedin.com/oauth/v2/accessToken',
+                'userinfo_url': 'https://api.linkedin.com/v2/userinfo',
+                'default_scope': 'openid profile email'
+            },
+            'slack': {
+                'auth_url': 'https://slack.com/openid/connect/authorize',
+                'token_url': 'https://slack.com/api/openid.connect.token',
+                'userinfo_url': 'https://slack.com/api/openid.connect.userInfo',
+                'default_scope': 'openid profile email'
+            },
+            'apple': {
+                'auth_url': 'https://appleid.apple.com/auth/authorize',
+                'token_url': 'https://appleid.apple.com/auth/token',
+                'userinfo_url': 'https://appleid.apple.com/auth/userinfo',
+                'default_scope': 'name email'
+            }
+        }
+        if provider not in providers:
+            raise AuthError('Invalid OAuth provider')
+        return providers[provider]
+
+    def _normalize_userinfo(self, provider, info):
+        # Map into a common structure: sub, email, name
+        if provider == 'google':
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'github':
+            return {'sub': str(info.get('id')), 'email': info.get('email'), 'name': info.get('name') or info.get('login')}
+        if provider == 'facebook':
+            return {'sub': info.get('id'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'microsoft':
+            # OIDC userinfo
+            return {'sub': info.get('sub') or info.get('oid'), 'email': info.get('email') or info.get('preferred_username'), 'name': info.get('name')}
+        if provider == 'linkedin':
+            return {'sub': info.get('sub') or info.get('id'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'slack':
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'apple':
+            # Apple email may be private relay; name not always present
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}

{the37lab_authlib-0.1.1756367559 → the37lab_authlib-0.1.1756730814}/src/the37lab_authlib.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: the37lab_authlib
-Version: 0.1.1756367559
+Version: 0.1.1756730814
 Summary: Python SDK for the Authlib
 Author-email: the37lab <info@the37lab.com>
 Classifier: Programming Language :: Python :: 3