PyPI - the37lab-authlib - Versions diffs - 0.1.1756371198__tar.gz → 0.1.1756730814__tar.gz - Mend

the37lab-authlib 0.1.1756371198tar.gz → 0.1.1756730814tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of the37lab-authlib might be problematic. Click here for more details.

Files changed (15) hide show

{the37lab_authlib-0.1.1756371198 → the37lab_authlib-0.1.1756730814}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: the37lab_authlib
-Version: 0.1.1756371198
+Version: 0.1.1756730814
 Summary: Python SDK for the Authlib
 Author-email: the37lab <info@the37lab.com>
 Classifier: Programming Language :: Python :: 3

{the37lab_authlib-0.1.1756371198 → the37lab_authlib-0.1.1756730814}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "the37lab_authlib"
-version = "0.1.1756371198"
+version = "0.1.1756730814"
 description = "Python SDK for the Authlib"
 authors = [{name = "the37lab", email = "info@the37lab.com"}]
 dependencies = ["flask", "psycopg2-binary", "pyjwt", "python-dotenv", "requests", "authlib", "bcrypt"]

{the37lab_authlib-0.1.1756371198 → the37lab_authlib-0.1.1756730814}/src/the37lab_authlib/auth.py RENAMED Viewed

@@ -14,12 +14,13 @@ from functools import wraps
 from isodate import parse_duration
 import threading
 import time
+import msal
 logging.basicConfig(level=logging.DEBUG)
 logger = logging.getLogger(__name__)
 class AuthManager:
-    def __init__(self, app=None, db_dsn=None, jwt_secret=None, oauth_config=None, id_type='integer', environment_prefix=None, api_tokens=None, cache_ttl=10):
+    def __init__(self, app=None, db_dsn=None, jwt_secret=None, oauth_config=None, id_type='integer', environment_prefix=None, api_tokens=None, cache_ttl=10, allow_oauth_auto_create=False):
         self.user_override = None
         self._user_cache = {}
         self._cache_ttl = cache_ttl or 10  # 10 seconds
@@ -27,6 +28,9 @@ class AuthManager:
         self._update_lock = threading.Lock()
         self._update_thread = None
         self._shutdown_event = threading.Event()
+        # OAuth user creation policy (can be controlled by env)
+        self.allow_oauth_auto_create = allow_oauth_auto_create
         if environment_prefix:
             prefix = environment_prefix.upper() + '_'
             db_dsn = os.getenv(f'{prefix}DATABASE_URL')
@@ -39,6 +43,10 @@ class AuthManager:
                     'client_id': google_client_id,
                     'client_secret': google_client_secret
                 }
+            # Allow control via prefixed env var (defaults to True)
+            auto_create_env = os.getenv(f'{prefix}OAUTH_ALLOW_AUTO_CREATE')
+            if auto_create_env is not None:
+                self.allow_oauth_auto_create = auto_create_env.lower() in ['1', 'true', 'yes']
             api_tokens_env = os.getenv(f'{prefix}API_TOKENS')
             if api_tokens_env:
                 api_tokens = {}
@@ -297,14 +305,30 @@ class AuthManager:
             if not code or not provider:
                 raise AuthError('Invalid OAuth callback', 400)
-            user_info = self._get_oauth_user_info(provider, code)
-            token = self._create_token(user_info)
-            refresh_token = self._create_refresh_token(user_info)
-            # Redirect to frontend with tokens
+            from urllib.parse import urlencode
             frontend_url = os.getenv('FRONTEND_URL', 'http://localhost:5173')
-            return redirect(f"{frontend_url}/oauth-callback?token={token}&refresh_token={refresh_token}")
+            #if provider == 'microsoft':
+            #    client = msal.ConfidentialClientApplication(
+            #        self.oauth_config[provider]['client_id'], client_credential=self.oauth_config[provider]['client_secret'], authority=f"https://login.microsoftonline.com/common"
+            #    )
+            #    result = client.acquire_token_by_authorization_code(code, scopes=["email"], redirect_uri=self.get_redirect_uri())
+            #    code = result['access_token']
+            try:
+                user_info = self._get_oauth_user_info(provider, code)
+                token = self._create_token(user_info)
+                refresh_token = self._create_refresh_token(user_info)
+                # Redirect to frontend with tokens
+                return redirect(f"{frontend_url}/oauth-callback?" + urlencode({'token': token, 'refresh_token': refresh_token}))
+            except AuthError as e:
+                # Surface error to frontend for user-friendly messaging
+                params = {
+                    'error': str(e.message) if hasattr(e, 'message') else str(e),
+                    'status': getattr(e, 'status_code', 500),
+                    'provider': provider,
+                }
+                return redirect(f"{frontend_url}/oauth-callback?" + urlencode(params))
         @bp.route('/login/profile')
         def profile():
@@ -632,72 +656,197 @@ class AuthManager:
         return bcrypt.checkpw(password.encode('utf-8'), password_hash.encode('utf-8'))
     def _get_oauth_url(self, provider, redirect_uri):
-        if provider == 'google':
-            client_id = self.oauth_config['google']['client_id']
-            scope = 'openid email profile'
-            state = provider  # Pass provider as state for callback
-            return f'https://accounts.google.com/o/oauth2/v2/auth?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&scope={scope}&state={state}'
-        raise AuthError('Invalid OAuth provider')
+        meta = self._get_provider_meta(provider)
+        client_id = self.oauth_config[provider]['client_id']
+        scope = self.oauth_config[provider].get('scope', meta['default_scope'])
+        state = provider  # Pass provider as state for callback
+        # Some providers require additional params
+        params = {
+            'client_id': client_id,
+            'redirect_uri': redirect_uri,
+            'response_type': 'code',
+            'scope': scope,
+            'state': state
+        }
+        # Facebook requires display; GitHub supports prompt
+        if provider == 'facebook':
+            params['display'] = 'page'
+        # Build URL
+        from urllib.parse import urlencode
+        return f"{meta['auth_url']}?{urlencode(params)}"
     def _get_oauth_user_info(self, provider, code):
-        if provider == 'google':
-            client_id = self.oauth_config['google']['client_id']
-            client_secret = self.oauth_config['google']['client_secret']
-            redirect_uri = self.get_redirect_uri()
-            # Exchange code for tokens
-            token_url = 'https://oauth2.googleapis.com/token'
+        meta = self._get_provider_meta(provider)
+        client_id = self.oauth_config[provider]['client_id']
+        client_secret = self.oauth_config[provider]['client_secret']
+        redirect_uri = self.get_redirect_uri()
+        if provider == 'microsoft':
+            import msal
+            client = msal.ConfidentialClientApplication(
+                client_id,
+                client_credential=client_secret,
+                authority="https://login.microsoftonline.com/common"
+            )
+            tokens = client.acquire_token_by_authorization_code(
+                code,
+                scopes=["email"],
+                redirect_uri=redirect_uri
+            )
+        else:
+            # Standard OAuth flow for other providers
             token_data = {
                 'client_id': client_id,
                 'client_secret': client_secret,
                 'code': code,
                 'grant_type': 'authorization_code',
-                'redirect_uri': redirect_uri
+                'redirect_uri': redirect_uri,
+                'scope': meta['default_scope']
             }
-            token_response = requests.post(token_url, data=token_data)
+            token_headers = {}
+            if provider == 'github':
+                token_headers['Accept'] = 'application/json'
+            token_response = requests.post(meta['token_url'], data=token_data, headers=token_headers)
             logger.info("TOKEN RESPONSE: {} {} {} [[[{}]]]".format(token_response.text, token_response.status_code, token_response.headers, token_data))
             token_response.raise_for_status()
             tokens = token_response.json()
-            # Get user info
-            userinfo_url = 'https://www.googleapis.com/oauth2/v3/userinfo'
-            userinfo_response = requests.get(
-                userinfo_url,
-                headers={'Authorization': f"Bearer {tokens['access_token']}"}
-            )
-            userinfo_response.raise_for_status()
-            userinfo = userinfo_response.json()
-            # Create or update user
-            with self.db.get_cursor() as cur:
-                cur.execute("SELECT * FROM users WHERE email = %s", (userinfo['email'],))
-                user = cur.fetchone()
+        access_token = tokens.get('access_token') or tokens.get('id_token')
+        if not access_token:
+            # Some providers return id_token separately but require access_token for userinfo
+            access_token = tokens.get('access_token')
-                if not user:
-                    # Create new user
-                    user = User(
-                        username=userinfo['email'],
-                        email=userinfo['email'],
-                        real_name=userinfo.get('name', userinfo['email']),
-                        id_generator=self.db.get_id_generator()
-                    )
-                    cur.execute("""
-                        INSERT INTO users (username, email, real_name, created_at, updated_at)
-                        VALUES (%s, %s, %s, %s, %s)
-                        RETURNING id
-                    """, (user.username, user.email, user.real_name,
-                          user.created_at, user.updated_at))
-                    user.id = cur.fetchone()['id']
-                    user = {'id': user.id, 'username': user.username, 'email': user.email,
-                           'real_name': user.real_name, 'roles': []}
-                else:
-                    # Update existing user
-                    cur.execute("""
-                        UPDATE users
-                        SET real_name = %s, updated_at = %s
-                        WHERE email = %s
-                    """, (userinfo.get('name', userinfo['email']), datetime.utcnow(), userinfo['email']))
-                    user['real_name'] = userinfo.get('name', userinfo['email'])
+        # Build userinfo request
+        userinfo_url = meta['userinfo_url']
+        userinfo_headers = {'Authorization': f"Bearer {access_token}"}
+        if provider == 'facebook':
+            # Ensure fields
+            from urllib.parse import urlencode
+            userinfo_url = f"{userinfo_url}?{urlencode({'fields': 'id,name,email'})}"
-            return user
-        raise AuthError('Invalid OAuth provider')
+        userinfo_response = requests.get(userinfo_url, headers=userinfo_headers)
+        userinfo_response.raise_for_status()
+        raw_userinfo = userinfo_response.json()
+        # Special handling for GitHub missing email
+        if provider == 'github' and not raw_userinfo.get('email'):
+            emails_resp = requests.get('https://api.github.com/user/emails', headers={**userinfo_headers, 'Accept': 'application/vnd.github+json'})
+            if emails_resp.ok:
+                emails = emails_resp.json()
+                primary = next((e for e in emails if e.get('primary') and e.get('verified')), None)
+                raw_userinfo['email'] = (primary or (emails[0] if emails else {})).get('email')
+        # Normalize
+        norm = self._normalize_userinfo(provider, raw_userinfo)
+        if not norm.get('email'):
+            # Fallback pseudo-email if allowed
+            norm['email'] = f"{norm['sub']}@{provider}.local"
+        # Create or update user
+        with self.db.get_cursor() as cur:
+            cur.execute("SELECT * FROM users WHERE email = %s", (norm['email'],))
+            user = cur.fetchone()
+            if not user:
+                if not self.allow_oauth_auto_create:
+                    raise AuthError('User not found and auto-create disabled', 403)
+                # Create new user (auto-create enabled)
+                user_obj = User(
+                    username=norm['email'],
+                    email=norm['email'],
+                    real_name=norm.get('name', norm['email']),
+                    id_generator=self.db.get_id_generator()
+                )
+                cur.execute("""
+                    INSERT INTO users (username, email, real_name, created_at, updated_at)
+                    VALUES (%s, %s, %s, %s, %s)
+                    RETURNING id
+                """, (user_obj.username, user_obj.email, user_obj.real_name,
+                      user_obj.created_at, user_obj.updated_at))
+                new_id = cur.fetchone()['id']
+                user = {'id': new_id, 'username': user_obj.username, 'email': user_obj.email,
+                        'real_name': user_obj.real_name, 'roles': []}
+            else:
+                # Update existing user
+                cur.execute("""
+                    UPDATE users
+                    SET real_name = %s, updated_at = %s
+                    WHERE email = %s
+                """, (norm.get('name', norm['email']), datetime.utcnow(), norm['email']))
+                user['real_name'] = norm.get('name', norm['email'])
+        return user
+    def _get_provider_meta(self, provider):
+        providers = {
+            'google': {
+                'auth_url': 'https://accounts.google.com/o/oauth2/v2/auth',
+                'token_url': 'https://oauth2.googleapis.com/token',
+                'userinfo_url': 'https://www.googleapis.com/oauth2/v3/userinfo',
+                'default_scope': 'openid email profile'
+            },
+            'github': {
+                'auth_url': 'https://github.com/login/oauth/authorize',
+                'token_url': 'https://github.com/login/oauth/access_token',
+                'userinfo_url': 'https://api.github.com/user',
+                'default_scope': 'read:user user:email'
+            },
+            'facebook': {
+                'auth_url': 'https://www.facebook.com/v11.0/dialog/oauth',
+                'token_url': 'https://graph.facebook.com/v11.0/oauth/access_token',
+                'userinfo_url': 'https://graph.facebook.com/me',
+                'default_scope': 'email public_profile'
+            },
+            'microsoft': {
+                'auth_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+                'token_url': 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
+                'userinfo_url': 'https://graph.microsoft.com/oidc/userinfo',
+                'default_scope': 'openid email profile'
+            },
+            'linkedin': {
+                'auth_url': 'https://www.linkedin.com/oauth/v2/authorization',
+                'token_url': 'https://www.linkedin.com/oauth/v2/accessToken',
+                'userinfo_url': 'https://api.linkedin.com/v2/userinfo',
+                'default_scope': 'openid profile email'
+            },
+            'slack': {
+                'auth_url': 'https://slack.com/openid/connect/authorize',
+                'token_url': 'https://slack.com/api/openid.connect.token',
+                'userinfo_url': 'https://slack.com/api/openid.connect.userInfo',
+                'default_scope': 'openid profile email'
+            },
+            'apple': {
+                'auth_url': 'https://appleid.apple.com/auth/authorize',
+                'token_url': 'https://appleid.apple.com/auth/token',
+                'userinfo_url': 'https://appleid.apple.com/auth/userinfo',
+                'default_scope': 'name email'
+            }
+        }
+        if provider not in providers:
+            raise AuthError('Invalid OAuth provider')
+        return providers[provider]
+    def _normalize_userinfo(self, provider, info):
+        # Map into a common structure: sub, email, name
+        if provider == 'google':
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'github':
+            return {'sub': str(info.get('id')), 'email': info.get('email'), 'name': info.get('name') or info.get('login')}
+        if provider == 'facebook':
+            return {'sub': info.get('id'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'microsoft':
+            # OIDC userinfo
+            return {'sub': info.get('sub') or info.get('oid'), 'email': info.get('email') or info.get('preferred_username'), 'name': info.get('name')}
+        if provider == 'linkedin':
+            return {'sub': info.get('sub') or info.get('id'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'slack':
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        if provider == 'apple':
+            # Apple email may be private relay; name not always present
+            return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}
+        return {'sub': info.get('sub'), 'email': info.get('email'), 'name': info.get('name')}

{the37lab_authlib-0.1.1756371198 → the37lab_authlib-0.1.1756730814}/src/the37lab_authlib.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: the37lab_authlib
-Version: 0.1.1756371198
+Version: 0.1.1756730814
 Summary: Python SDK for the Authlib
 Author-email: the37lab <info@the37lab.com>
 Classifier: Programming Language :: Python :: 3