usso 0.24.19__py3-none-any.whl → 0.25.1__py3-none-any.whl

usso/async_session.py

@@ -2,7 +2,6 @@ from contextlib import asynccontextmanager
 from datetime import datetime, timedelta
 
 import aiohttp
-from fastapi import params
 import jwt
 
 

usso/core.py

@@ -1,11 +1,12 @@
+import json
 import logging
 import os
 import uuid
 from functools import lru_cache
-from typing import Optional, Tuple
 
+import cachetools.func
 import jwt
-from pydantic import BaseModel
+from pydantic import BaseModel, model_validator
 from singleton import Singleton
 
 from . import b64tools
@@ -16,12 +17,20 @@ logger = logging.getLogger("usso")
 
 class UserData(BaseModel):
     user_id: str
+    workspace_id: str | None = None
+    workspace_ids: list[str] = []
+    token_type: str = "access"
+
     email: str | None = None
     phone: str | None = None
+    username: str | None = None
+
     authentication_method: str | None = None
     is_active: bool = False
+
     jti: str | None = None
     data: dict | None = None
+
     token: str | None = None
 
     @property
@@ -40,74 +49,153 @@ class UserData(BaseModel):
         return b64tools.b64_encode_uuid_strip(self.uid)
 
 
-class Usso(metaclass=Singleton):
-    def __init__(self, jwks_url: str | None = None):
-        if jwks_url is None:
-            jwks_url = os.getenv("USSO_JWKS_URL")
-        self.jwks_url = jwks_url
+def get_authorization_scheme_param(
+    authorization_header_value: str | None,
+) -> tuple[str, str]:
+    if not authorization_header_value:
+        return "", ""
+    scheme, _, param = authorization_header_value.partition(" ")
+    return scheme, param
+
+
+def decode_token(key, token: str, algorithms=["RS256"], **kwargs) -> dict:
+    try:
+        decoded = jwt.decode(token, key, algorithms=algorithms)
+        decoded["token"] = token
+        return UserData(**decoded)
+    except jwt.exceptions.ExpiredSignatureError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="expired_signature")
+    except jwt.exceptions.InvalidSignatureError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="invalid_signature")
+    except jwt.exceptions.InvalidAlgorithmError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="invalid_algorithm")
+    except jwt.exceptions.InvalidIssuedAtError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="invalid_issued_at")
+    except jwt.exceptions.InvalidTokenError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="invalid_token")
+    except jwt.exceptions.InvalidKeyError:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="invalid_key")
+    except USSOException as e:
+        if kwargs.get("raise_exception", True):
+            raise e
+    except Exception as e:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(status_code=401, error="error", message=str(e))
+        logger.error(e)
+
+
+@lru_cache
+def get_jwk_keys(jwk_url: str) -> jwt.PyJWKClient:
+    return jwt.PyJWKClient(jwk_url, headers={"User-Agent": "usso-python"})
+
+
+def decode_token_jwk(jwk_url: str, token: str, **kwargs) -> UserData | None:
+    """Return the user associated with a token value."""
+    try:
+        jwk_client = get_jwk_keys(jwk_url)
+        signing_key = jwk_client.get_signing_key_from_jwt(token)
+        return decode_token(signing_key.key, token, **kwargs)
+    except USSOException as e:
+        if kwargs.get("raise_exception", True):
+            raise e
+        logger.error(e)
+    except Exception as e:
+        if kwargs.get("raise_exception", True):
+            raise USSOException(
+                status_code=401,
+                error="error",
+                message=str(e),
+            )
+        logger.error(e)
+
+
+class JWTConfig(BaseModel):
+    jwk_url: str | None = None
+    secret: str | None = None
+    type: str = "RS256"
+    header: dict[str, str] = {"type": "Cookie", "name": "usso_access_token"}
+
+    def __hash__(self):
+        return hash(self.model_dump_json())
 
-    @lru_cache
-    def get_jwks_keys(self):
-        return jwt.PyJWKClient(
-            self.jwks_url,
-            headers={
-                "User-Agent": "usso-python",
-            },
-        )
+    @model_validator(mode="before")
+    def validate_secret(cls, data: dict):
+        if not data.get("jwk_url") and not data.get("secret"):
+            raise ValueError("Either jwk_url or secret must be provided")
+        return data
 
-    def get_authorization_scheme_param(
+    @classmethod
+    @cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
+    def get_jwk_keys(cls, jwk_url):
+        return get_jwk_keys(jwk_url)
+
+    @cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
+    def decode(self, token: str):
+        if self.jwk_url:
+            return decode_token_jwk(self.jwk_url, token)
+        return decode_token(self.secret, token, algorithms=[self.type])
+
+
+class Usso:
+
+    def __init__(
         self,
-        authorization_header_value: Optional[str],
-    ) -> Tuple[str, str]:
-        if not authorization_header_value:
-            return "", ""
-        scheme, _, param = authorization_header_value.partition(" ")
-        return scheme, param
-
-    def decode_token(self, key, token: str, **kwargs) -> dict:
-        try:
-            decoded = jwt.decode(token, key, algorithms=["RS256"])
-            if decoded["token_type"] != "access":
-                raise USSOException(status_code=401, error="invalid_token_type")
-            decoded["token"] = token
-            return UserData(**decoded)
-        except jwt.exceptions.ExpiredSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="expired_signature")
-        except jwt.exceptions.InvalidSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_signature")
-        except jwt.exceptions.InvalidAlgorithmError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_algorithm")
-        except jwt.exceptions.InvalidIssuedAtError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_issued_at")
-        except jwt.exceptions.InvalidTokenError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_token")
-        except jwt.exceptions.InvalidKeyError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_key")
-        except USSOException as e:
-            if kwargs.get("raise_exception", True):
-                raise e
-        except Exception as e:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="error", message=str(e))
-            logger.error(e)
+        *,
+        jwt_config: str | dict | JWTConfig | None = None,
+        jwt_configs: list[str] | list[dict] | list[JWTConfig] | None = None,
+    ):
+        if jwt_config is None and jwt_configs is None:
+            jwt_config = os.getenv("USSO_JWT_CONFIG")
+
+        if jwt_config is None and jwt_configs is None:
+            jwk_url = os.getenv("USSO_JWK_URL") or os.getenv("USSO_JWKS_URL")
+            if not jwk_url:
+                self.jwt_configs = [JWTConfig(jwk_url=jwk_url)]
+                return
+
+            raise ValueError(
+                "\n".join(
+                    [
+                        "Either jwt_config or jwt_configs must be provided",
+                        "or set the environment variable USSO_JWT_CONFIG or USSO_JWK_URL",
+                    ]
+                )
+            )
+
+        def _get_config(jwt_config):
+            if isinstance(jwt_config, str):
+                jwt_config = json.loads(jwt_config)
+            if isinstance(jwt_config, dict):
+                jwt_config = JWTConfig(**jwt_config)
+            return jwt_config
+
+        if isinstance(jwt_config, str | dict | JWTConfig):
+            jwt_config = [_get_config(jwt_config)]
+        elif isinstance(jwt_config, list):
+            jwt_config = [_get_config(j) for j in jwt_config]
+
+        # self.jwk_url = jwt_config
+        self.jwt_configs = jwt_config
 
     def user_data_from_token(self, token: str, **kwargs) -> UserData | None:
         """Return the user associated with a token value."""
-        try:
-            jwks_client = self.get_jwks_keys()
-            signing_key = jwks_client.get_signing_key_from_jwt(token)
-            return self.decode_token(signing_key.key, token, **kwargs)
-        except Exception as e:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(
-                    status_code=401,
-                    error="error",
-                    message=str(e),
-                )
-            logger.error(e)
+        exp = None
+        for jwk_config in self.jwt_configs:
+            try:
+                return jwk_config.decode(token)
+            except USSOException as e:
+                exp = e
+
+        if kwargs.get("raise_exception", True):
+            if exp:
+                raise exp
+            raise USSOException(
+                status_code=401,
+                error="unauthorized",
+            )

usso/fastapi/integration.py

@@ -3,9 +3,10 @@ import logging
 from fastapi import Request, WebSocket
 from starlette.status import HTTP_401_UNAUTHORIZED
 
-from usso.core import UserData, Usso
 from usso.exceptions import USSOException
 
+from ..core import UserData, Usso
+
 logger = logging.getLogger("usso")
 
 

{usso-0.24.19.dist-info → usso-0.25.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: usso
-Version: 0.24.19
+Version: 0.25.1
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>
@@ -46,6 +46,7 @@ Requires-Dist: pydantic >=2
 Requires-Dist: requests >=2.26.0
 Requires-Dist: pyjwt[crypto]
 Requires-Dist: singleton-package
+Requires-Dist: cachetools
 Provides-Extra: dev
 Requires-Dist: check-manifest ; extra == 'dev'
 Provides-Extra: django
@@ -53,7 +54,6 @@ Requires-Dist: Django >=3.2 ; extra == 'django'
 Provides-Extra: fastapi
 Requires-Dist: fastapi >=0.65.0 ; extra == 'fastapi'
 Requires-Dist: uvicorn[standard] >=0.13.0 ; extra == 'fastapi'
-Requires-Dist: cachetools ; extra == 'fastapi'
 Provides-Extra: test
 Requires-Dist: coverage ; extra == 'test'
 

usso-0.25.1.dist-info/RECORD

@@ -0,0 +1,18 @@
+usso/__init__.py,sha256=NnOS_S1a-JKTOlGe1nw-kCL3m0y82mA2mDraus7BQ2o,120
+usso/api.py,sha256=xlDq2nZNpq3mhAvqIbGEfANHNjJpPquSeULBfS7iMJw,5094
+usso/async_api.py,sha256=rb-Xh5oudmZrPYM_iH_B75b5Z0Fvi1V1uurdcKE51w0,5551
+usso/async_session.py,sha256=nFIrtV3Tp0H-s2ZkMLU9_fVSeVGq1EtY1bGT_XOS5Vw,4336
+usso/b64tools.py,sha256=HGQ0E59vzjrQo2-4jrcY03ebtTaYwTtCZ7KgJaEmxO0,610
+usso/core.py,sha256=vrGpfueuX3CwkBdGj9ze-BPuI61TOlLPsCqHiKOQnFY,6510
+usso/exceptions.py,sha256=hawOAuVbvQtjgRfwp1KFZ4SmV7fh720y5Gom9JVA8W8,504
+usso/session.py,sha256=Lky2O8FGbOMJFOMxxdE0rhpgwWKThGQfr-X9YQsFpLk,2358
+usso/django/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+usso/django/middleware.py,sha256=EEEpHvMQ6QiWw2HY8zQ2Aec0RCATcLWsCKeyiPWJKio,3245
+usso/fastapi/__init__.py,sha256=0EcdOzb4f3yu9nILIdGWnlyUz-0VaVX2az1e3f2BusI,201
+usso/fastapi/integration.py,sha256=LNKd_KStKr5CBj_CUfwkrgtiY5R8nBL61FVBWcIrhQE,1667
+usso-0.25.1.dist-info/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
+usso-0.25.1.dist-info/METADATA,sha256=z1rpx_Pqk64o-Bpi6q38jpHDYZDGr9jiYha05I1jxBg,4227
+usso-0.25.1.dist-info/WHEEL,sha256=OVMc5UfuAQiSplgO0_WdW7vXVGAt9Hdd6qtN4HotdyA,91
+usso-0.25.1.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
+usso-0.25.1.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
+usso-0.25.1.dist-info/RECORD,,

{usso-0.24.19.dist-info → usso-0.25.1.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.1.0)
+Generator: setuptools (75.2.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

usso/fastapi/auth_middleware.py

@@ -1,186 +0,0 @@
-import json
-import logging
-import os
-
-import cachetools.func
-import jwt
-from fastapi import Request, WebSocket
-from pydantic import BaseModel, model_validator
-from starlette.status import HTTP_401_UNAUTHORIZED
-
-from usso.core import UserData
-from usso.exceptions import USSOException
-
-logger = logging.getLogger("usso")
-
-
-class JWTConfig(BaseModel):
-    jwk_url: str | None = None
-    secret: str | None = None
-    type: str = "RS256"
-    header: dict[str, str] = {"type": "Cookie", "name": "usso_access_token"}
-
-    def __hash__(self):
-        return hash(self.model_dump_json())
-
-    @model_validator(mode="before")
-    def validate_secret(cls, data: dict):
-        if not data.get("jwk_url") and not data.get("secret"):
-            raise ValueError("Either jwk_url or secret must be provided")
-        return data
-
-    @classmethod
-    @cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
-    def get_jwk_keys(cls, jwk_url):
-        return jwt.PyJWKClient(
-            jwk_url,
-            headers={
-                "User-Agent": "usso-python",
-            },
-        )
-
-    @cachetools.func.ttl_cache(maxsize=128, ttl=10 * 60)
-    def decode(self, token: str):
-        if self.jwk_url:
-            jwk_client = self.get_jwk_keys(self.jwk_url)
-            signing_key = jwk_client.get_signing_key_from_jwt(token)
-            return jwt.decode(token, signing_key.key, algorithms=[self.type])
-
-        return jwt.decode(token, self.secret, algorithms=[self.type])
-
-
-class Usso:
-
-    def __init__(self, jwt_config: str | dict | JWTConfig | None = None):
-        if jwt_config is None:
-            self.jwk_url = os.getenv("USSO_JWK_URL")
-            return
-
-        if isinstance(jwt_config, str):
-            jwt_config = json.loads(jwt_config)
-        if isinstance(jwt_config, dict):
-            jwt_config = JWTConfig(**jwt_config)
-
-        self.jwk_url = jwt_config
-        self.jwt_config = jwt_config
-
-    def get_authorization_scheme_param(
-        self,
-        authorization_header_value: str | None,
-    ) -> tuple[str, str]:
-        if not authorization_header_value:
-            return "", ""
-        scheme, _, param = authorization_header_value.partition(" ")
-        return scheme, param
-
-    def decode_token(self, key, token: str, **kwargs) -> dict:
-        try:
-            decoded = jwt.decode(token, key, algorithms=["RS256"])
-            if decoded["token_type"] != "access":
-                raise USSOException(status_code=401, error="invalid_token_type")
-            decoded["token"] = token
-            return UserData(**decoded)
-        except jwt.exceptions.ExpiredSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="expired_signature")
-        except jwt.exceptions.InvalidSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_signature")
-        except jwt.exceptions.InvalidAlgorithmError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_algorithm")
-        except jwt.exceptions.InvalidIssuedAtError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_issued_at")
-        except jwt.exceptions.InvalidTokenError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_token")
-        except jwt.exceptions.InvalidKeyError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_key")
-        except USSOException as e:
-            if kwargs.get("raise_exception", True):
-                raise e
-        except Exception as e:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="error", message=str(e))
-            logger.error(e)
-
-    def user_data_from_token(self, token: str, **kwargs) -> UserData | None:
-        """Return the user associated with a token value."""
-        try:
-            decoded = self.jwk_url.decode(token)
-            if decoded["token_type"] != "access":
-                raise USSOException(status_code=401, error="invalid_token_type")
-            decoded["token"] = token
-            return UserData(**decoded)
-        except jwt.exceptions.ExpiredSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="expired_signature")
-        except jwt.exceptions.InvalidSignatureError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_signature")
-        except jwt.exceptions.InvalidAlgorithmError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_algorithm")
-        except jwt.exceptions.InvalidIssuedAtError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_issued_at")
-        except jwt.exceptions.InvalidTokenError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_token")
-        except jwt.exceptions.InvalidKeyError:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="invalid_key")
-        except KeyError as e:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="key_error", message=str(e))
-        except USSOException as e:
-            if kwargs.get("raise_exception", True):
-                raise e
-        except Exception as e:
-            if kwargs.get("raise_exception", True):
-                raise USSOException(status_code=401, error="error", message=str(e))
-            logger.error(e)
-
-    async def jwt_access_security(self, request: Request) -> UserData | None:
-        """Return the user associated with a token value."""
-        kwargs = {}
-        authorization = request.headers.get("Authorization")
-        if authorization:
-            scheme, credentials = self.get_authorization_scheme_param(authorization)
-            if scheme.lower() == "bearer":
-                token = credentials
-                return self.user_data_from_token(token, **kwargs)
-
-        cookie_token = request.cookies.get("usso_access_token")
-        if cookie_token:
-            return self.user_data_from_token(cookie_token, **kwargs)
-
-        if kwargs.get("raise_exception", True):
-            raise USSOException(
-                status_code=HTTP_401_UNAUTHORIZED,
-                error="unauthorized",
-            )
-        return None
-
-    async def jwt_access_security_ws(self, websocket: WebSocket) -> UserData | None:
-        """Return the user associated with a token value."""
-        kwargs = {}
-        authorization = websocket.headers.get("Authorization")
-        if authorization:
-            scheme, credentials = self.get_authorization_scheme_param(authorization)
-            if scheme.lower() == "bearer":
-                token = credentials
-                return self.user_data_from_token(token, **kwargs)
-
-        cookie_token = websocket.cookies.get("usso_access_token")
-        if cookie_token:
-            return self.user_data_from_token(cookie_token, **kwargs)
-
-        if kwargs.get("raise_exception", True):
-            raise USSOException(
-                status_code=HTTP_401_UNAUTHORIZED,
-                error="unauthorized",
-            )
-        return None

usso-0.24.19.dist-info/RECORD

@@ -1,20 +0,0 @@
-usso/__init__.py,sha256=NnOS_S1a-JKTOlGe1nw-kCL3m0y82mA2mDraus7BQ2o,120
-usso/api.py,sha256=xlDq2nZNpq3mhAvqIbGEfANHNjJpPquSeULBfS7iMJw,5094
-usso/async_api.py,sha256=rb-Xh5oudmZrPYM_iH_B75b5Z0Fvi1V1uurdcKE51w0,5551
-usso/async_session.py,sha256=9i74AAcLYzwRkffvDOG64DBvJd-cQG31656RhhpkRtE,4363
-usso/b64tools.py,sha256=HGQ0E59vzjrQo2-4jrcY03ebtTaYwTtCZ7KgJaEmxO0,610
-usso/core.py,sha256=cOpETK_gGVsUJT0EeIebOGLEbF8vHVET-_I-8QxOCyE,3977
-usso/exceptions.py,sha256=hawOAuVbvQtjgRfwp1KFZ4SmV7fh720y5Gom9JVA8W8,504
-usso/package_data.dat,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-usso/session.py,sha256=Lky2O8FGbOMJFOMxxdE0rhpgwWKThGQfr-X9YQsFpLk,2358
-usso/django/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-usso/django/middleware.py,sha256=EEEpHvMQ6QiWw2HY8zQ2Aec0RCATcLWsCKeyiPWJKio,3245
-usso/fastapi/__init__.py,sha256=0EcdOzb4f3yu9nILIdGWnlyUz-0VaVX2az1e3f2BusI,201
-usso/fastapi/auth_middleware.py,sha256=DYrNPy_9FIV1amRuafoJtgGMi8uE0FPmSKBUGP79GNo,7616
-usso/fastapi/integration.py,sha256=VAUWaa7ChQ1jTtn8A136VgyG6t2kDo5pGK-3RgmNDVs,1669
-usso-0.24.19.dist-info/LICENSE.txt,sha256=ceC9ZJOV9H6CtQDcYmHOS46NA3dHJ_WD4J9blH513pc,1081
-usso-0.24.19.dist-info/METADATA,sha256=cszPw64wfliP6WNFYMxLUJIQop7-UZDSvHKVHADRYQE,4249
-usso-0.24.19.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
-usso-0.24.19.dist-info/entry_points.txt,sha256=4Zgpm5ELaAWPf0jPGJFz1_X69H7un8ycT3WdGoJ0Vvk,35
-usso-0.24.19.dist-info/top_level.txt,sha256=g9Jf6h1Oyidh0vPiFni7UHInTJjSvu6cUalpLTIvthg,5
-usso-0.24.19.dist-info/RECORD,,