usso 0.28.26__tar.gz → 0.28.28__tar.gz

{usso-0.28.26/src/usso.egg-info → usso-0.28.28}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.26
+Version: 0.28.28
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>
@@ -28,7 +28,7 @@ Requires-Dist: cachetools
 Requires-Dist: singleton_package
 Requires-Dist: json-advanced
 Requires-Dist: httpx
-Requires-Dist: usso-jwt>=0.2.0
+Requires-Dist: usso-jwt>=0.2.6
 Provides-Extra: fastapi
 Requires-Dist: fastapi>=0.65.0; extra == "fastapi"
 Requires-Dist: uvicorn[standard]>=0.13.0; extra == "fastapi"

{usso-0.28.26 → usso-0.28.28}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "usso"
-version = "0.28.26"
+version = "0.28.28"
 description = "A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -30,7 +30,7 @@ dependencies = [
   "singleton_package",
   "json-advanced",
   "httpx",
-  "usso-jwt>=0.2.0",
+  "usso-jwt>=0.2.6",
 ]
 
 [project.optional-dependencies]
@@ -45,7 +45,7 @@ all = [
   "check-manifest",
   "pytest",
   "pytest_asyncio",
-  "coverage"
+  "coverage",
 ]
 
 [project.urls]
@@ -69,7 +69,13 @@ unsafe-fixes = true
 preview = true
 
 [tool.ruff.lint]
-select = ["E", "F", "W", "I", "UP", "B"]
+select = ["E", "F", "W", "I", "UP", "B", "T", "C", "A", "ANN"]
 
 [tool.ruff.format]
 quote-style = "double"
+
+[tool.mypy]
+python_version = "3.13"
+ignore_missing_imports = true
+check_untyped_defs = false
+disallow_untyped_defs = false

{usso-0.28.26 → usso-0.28.28}/src/usso/api_key.py

@@ -10,7 +10,7 @@ from .user import UserData
 logger = logging.getLogger("usso")
 
 
-def _handle_exception(error_type: str, **kwargs):
+def _handle_exception(error_type: str, **kwargs: dict) -> None:
     """Handle API key related exceptions."""
     if kwargs.get("raise_exception", True):
         raise USSOException(
@@ -20,7 +20,7 @@ def _handle_exception(error_type: str, **kwargs):
 
 
 @cachetools.func.ttl_cache(maxsize=128, ttl=60)
-def fetch_api_key_data(api_key_verify_url: str, api_key: str):
+def fetch_api_key_data(api_key_verify_url: str, api_key: str) -> UserData:
     """Fetch user data using an API key.
 
     Args:

{usso-0.28.26 → usso-0.28.28}/src/usso/authorization.py

@@ -26,6 +26,9 @@ def parse_scope(scope: str) -> tuple[str, list[str], dict[str, str]]:
         "*:*" ->
             ("*", ["*"], {})
 
+        "media//files" ->
+            ("", ["media", "*", "files"], {})
+
     Returns:
         - action: str (could be empty string if no scheme present)
         - path_parts: list[str]
@@ -47,91 +50,58 @@ def parse_scope(scope: str) -> tuple[str, list[str], dict[str, str]]:
     query = scope[question_idx + 1 :]
     filters = {k: v[0] for k, v in parse_qs(query).items()}
     resource_path_parts = resource_path.split("/") if resource_path else ["*"]
-    return action, resource_path_parts, filters
-
+    return action, [rp or "*" for rp in resource_path_parts], filters
 
-def is_path_match(
-    user_path: list[str] | str,
-    requested_path: list[str] | str,
-    strict: bool = False,
-) -> bool:
-    """
-    Match resource paths from right to left, supporting wildcards (*).
 
-    Rules:
-    - The final resource name must match exactly or via fnmatch.
-    - Upper-level path parts are matched from right to left.
-    - Wildcards are allowed in any part.
-
-    Examples = [
-        ("files", "files", True),
-        ("file-manager/files", "files", True),
-        ("media/file-manager/files", "files", True),
-        ("media//files", "files", True),
-        ("media//files", "file-manager/files", True),
-        ("files", "file-manager/files", True),
-        ("*/files", "file-manager/files", True),
-        ("*//files", "file-manager/files", True),
-        ("//files", "file-manager/files", True),
-        ("//files", "media/file-manager/files", True),
-        ("media//files", "media/file-manager/files", True),
-        ("media/files/*", "media/files/transactions", True),
-        ("*/*/transactions", "media/files/transactions", True),
-        ("media/*/transactions", "media/images/transactions", True),
-        ("media//files", "media/files", True), # attention
-
-        ("files", "file", False),
-        ("files", "files/transactions", False),
-        ("files", "media/files/transactions", False),
-        ("media/files", "media/files/transactions", False),
-        ("finance/*/*", "wallet", False),
-    ]
-    """
-    if isinstance(user_path, str):
-        user_parts = user_path.split("/")
-    elif isinstance(user_path, list):
-        user_parts = user_path
+def _normalize_path(path: list[str] | str) -> list[str]:
+    if isinstance(path, str):
+        return path.split("/")
+    elif isinstance(path, list):
+        return path
     else:
-        raise ValueError(f"Invalid path type: {type(user_path)}")
+        raise ValueError(f"Invalid path type: {type(path)}")
 
-    if isinstance(requested_path, str):
-        req_parts = requested_path.split("/")
-    elif isinstance(requested_path, list):
-        req_parts = requested_path
-    else:
-        raise ValueError(f"Invalid path type: {type(requested_path)}")
 
+def _match_path_parts(
+    user_parts: list[str], req_parts: list[str], strict: bool
+) -> bool:
     wildcard_found = False
     # Match resource name (rightmost)
     if not fnmatch.fnmatch(req_parts[-1], user_parts[-1]):
         return False
-
     if "*" in user_parts[-1]:
         wildcard_found = True
-
     # Match rest of the path from right to left
     user_path_parts = user_parts[:-1]
     req_path_parts = req_parts[:-1]
-
     for u, r in zip(
-        reversed(user_path_parts),
-        reversed(req_path_parts),
-        strict=strict,
+        reversed(user_path_parts), reversed(req_path_parts), strict=strict
     ):
         if r and u and r != "*" and not fnmatch.fnmatch(r, u):
             return False
         if "*" in u:
             wildcard_found = True
-
     offset = len(user_path_parts) - len(req_path_parts)
     if offset > 0 and wildcard_found:
-        for u in user_path_parts[-offset:]:
+        for u in user_path_parts[:offset]:
             if u != "*":
                 return False
-
     return True
 
 
+def is_path_match(
+    user_path: list[str] | str,
+    requested_path: list[str] | str,
+    strict: bool = False,
+) -> bool:
+    """
+    Match resource paths from right to left, supporting wildcards (*).
+    """
+    user_parts = _normalize_path(user_path)
+    req_parts = _normalize_path(requested_path)
+    return _match_path_parts(user_parts, req_parts, strict)
+
+
 def is_filter_match(user_filters: dict, requested_filters: dict) -> bool:
     """All user filters must match requested filters."""
     for k, v in user_filters.items():
@@ -222,7 +192,7 @@ def is_authorized(
     if not is_path_match(user_path, requested_path, strict=strict):
         return False
 
-    if not is_filter_match(user_filters, reuested_filter):
+    if not is_filter_match(user_filters, reuested_filter or {}):
         return False
 
     if requested_action:
@@ -256,15 +226,15 @@ def check_access(
     if isinstance(filters, dict):
         filters = [{k: v} for k, v in filters.items()]
     elif filters is None:
-        filters = ["*"]
+        filters = [{}]
 
     for scope in user_scopes:
-        for filter in filters:
+        for filt in filters:
             if is_authorized(
                 user_scope=scope,
                 requested_path=resource_path,
                 requested_action=action,
-                reuested_filter=filter,
+                reuested_filter=filt,
                 strict=strict,
             ):
                 return True

{usso-0.28.26 → usso-0.28.28}/src/usso/client.py

@@ -1,4 +1,5 @@
 import logging
+from urllib.parse import urlparse
 
 import usso_jwt.exceptions
 import usso_jwt.schemas
@@ -22,7 +23,9 @@ class UssoAuth:
         self,
         *,
         jwt_config: AvailableJwtConfigs | None = None,
-    ):
+        from_base_usso_url: str | None = None,
+        **kwargs: object,
+    ) -> None:
         """Initialize the USSO authentication client.
 
         Args:
@@ -31,6 +34,7 @@ class UssoAuth:
         if jwt_config is None:
             jwt_config = AuthConfig()
         self.jwt_configs = AuthConfig.validate_jwt_configs(jwt_config)
+        self.from_base_usso_url = from_base_usso_url
 
     def user_data_from_token(
         self,
@@ -38,7 +42,7 @@ class UssoAuth:
         *,
         expected_token_type: str | None = "access",
         raise_exception: bool = True,
-        **kwargs,
+        **kwargs: dict,
     ) -> UserData | None:
         """Get user data from a JWT token.
 
@@ -68,6 +72,25 @@ class UssoAuth:
             except usso_jwt.exceptions.JWTError as e:
                 exp = e
 
+        if self.from_base_usso_url:
+            try:
+                jwt_obj = usso_jwt.schemas.JWT(
+                    token=token, config=jwk_config, payload_class=UserData
+                )
+                iss = jwt_obj.unverified_payload.iss
+                iss_domain = urlparse(iss).netloc
+                jwt_obj.config.jwks_url = (
+                    f"{self.from_base_usso_url}/.well-known/jwks.json?"
+                    f"domain={iss_domain}"
+                )
+                if jwt_obj.verify(
+                    expected_token_type=expected_token_type,
+                    **kwargs,
+                ):
+                    return jwt_obj.payload
+            except usso_jwt.exceptions.JWTError as e:
+                exp = e
+
         _handle_exception(
             "Unauthorized",
             message=str(exp) if exp else None,

{usso-0.28.26 → usso-0.28.28}/src/usso/config.py

@@ -1,4 +1,5 @@
 import json
+import os
 from typing import Any, Literal, Union
 
 import usso_jwt.config
@@ -7,13 +8,15 @@ from pydantic import BaseModel, model_validator
 from .user import UserData
 from .utils.string_utils import get_authorization_scheme_param
 
+BASE_USSO_URL = os.getenv("BASE_USSO_URL") or "https://sso.usso.io"
+
 
 class HeaderConfig(BaseModel):
     type: Literal["Authorization", "Cookie", "CustomHeader"] = "Cookie"
     name: str = "usso_access_token"
 
     @model_validator(mode="before")
-    def validate_header(cls, data: dict):
+    def validate_header(cls, data: dict) -> dict:
         if data.get("type") == "Authorization" and not data.get("name"):
             data["name"] = "Bearer"
         elif data.get("type") == "Cookie":
@@ -22,10 +25,10 @@ class HeaderConfig(BaseModel):
             data["name"] = data.get("name", "x-usso-access-token")
         return data
 
-    def __hash__(self):
+    def __hash__(self) -> int:
         return hash(self.model_dump_json())
 
-    def get_key(self, request) -> str | None:
+    def get_key(self, request: object) -> str | None:  # type: ignore
         headers: dict[str, Any] = getattr(request, "headers", {})
         cookies: dict[str, str] = getattr(
             request, "cookies", headers.get("Cookie", {})
@@ -42,7 +45,7 @@ class HeaderConfig(BaseModel):
 
 
 class APIHeaderConfig(HeaderConfig):
-    verify_endpoint: str = "https://sso.usso.io/api/sso/v1/apikeys/verify"
+    verify_endpoint: str = f"{BASE_USSO_URL}/api/sso/v1/apikeys/verify"
 
 
 class AuthConfig(usso_jwt.config.JWTConfig):
@@ -54,18 +57,18 @@ class AuthConfig(usso_jwt.config.JWTConfig):
     jwt_header: HeaderConfig | None = HeaderConfig()
     static_api_keys: list[str] | None = None
 
-    def get_api_key(self, request) -> str | None:
+    def get_api_key(self, request: object) -> str | None:
         if self.api_key_header:
             return self.api_key_header.get_key(request)
         return None
 
-    def get_jwt(self, request) -> str | None:
+    def get_jwt(self, request: object) -> str | None:
         if self.jwt_header:
             return self.jwt_header.get_key(request)
         return None
 
     def verify_token(
-        self, token: str, *, raise_exception: bool = True, **kwargs
+        self, token: str, *, raise_exception: bool = True, **kwargs: dict
     ) -> bool:
         from usso_jwt import exceptions as jwt_exceptions
         from usso_jwt import schemas

{usso-0.28.26 → usso-0.28.28}/src/usso/exceptions.py

@@ -14,30 +14,44 @@ error_messages = {
 
 class USSOException(Exception):
     def __init__(
-        self, status_code: int, error: str, message: dict | None = None
-    ):
+        self,
+        status_code: int,
+        error: str,
+        detail: str | None = None,
+        message: dict | None = None,
+        **kwargs: dict,
+    ) -> None:
         self.status_code = status_code
         self.error = error
-        self.message = message
+        msg: dict = {}
         if message is None:
-            self.message = error_messages[error]
-        super().__init__(message)
+            if detail:
+                msg["en"] = detail
+            else:
+                msg["en"] = error_messages.get(error, error)
+        else:
+            msg = message
+
+        self.message = msg
+        self.detail = detail or str(self.message)
+        self.data = kwargs
+        super().__init__(detail)
 
 
 class PermissionDenied(USSOException):
     def __init__(
         self,
         error: str = "permission_denied",
-        message: dict = None,
-        detail: str = None,
-        **kwargs,
-    ):
+        detail: str | None = None,
+        message: dict | None = None,
+        **kwargs: dict,
+    ) -> None:
         super().__init__(
             403, error=error, message=message, detail=detail, **kwargs
         )
 
 
-def _handle_exception(error_type: str, **kwargs):
+def _handle_exception(error_type: str, **kwargs: dict) -> None:
     """Handle JWT-related exceptions."""
     if kwargs.get("raise_exception", True):
         raise USSOException(

{usso-0.28.26 → usso-0.28.28}/src/usso/integrations/django/middleware.py

@@ -17,7 +17,7 @@ class USSOAuthenticationMiddleware(MiddlewareMixin):
     def jwt_config(self) -> AuthConfig:
         return settings.USSO_JWT_CONFIG
 
-    def process_request(self, request: HttpRequest):
+    def process_request(self, request: HttpRequest) -> None:
         """
         Middleware to authenticate users by JWT token and create or
         return a user in the database.

{usso-0.28.26 → usso-0.28.28}/src/usso/integrations/fastapi/dependency.py

@@ -14,15 +14,20 @@ class USSOAuthentication(UssoAuth):
     def __init__(
         self,
         jwt_config: AvailableJwtConfigs | None = None,
+        *,
         raise_exception: bool = True,
         expected_token_type: str = "access",
-    ):
+        from_base_usso_url: str | None = None,
+    ) -> None:
         if jwt_config is None:
             jwt_config = AuthConfig()
 
-        super().__init__(jwt_config=jwt_config)
+        super().__init__(
+            jwt_config=jwt_config, from_base_usso_url=from_base_usso_url
+        )
         self.raise_exception = raise_exception
         self.expected_token_type = expected_token_type
+        self.from_base_usso_url = from_base_usso_url
 
     def __call__(self, request: Request) -> UserData:
         return self.usso_access_security(request)
@@ -41,7 +46,6 @@ class USSOAuthentication(UssoAuth):
                 return token
         return None
 
-    # @instance_method
     def usso_access_security(self, request: Request) -> UserData | None:
         """Return the user associated with a token value."""
         api_key = self.get_request_api_key(request)
@@ -62,7 +66,6 @@ class USSOAuthentication(UssoAuth):
             raise_exception=self.raise_exception,
         )
 
-    # @instance_method
     def jwt_access_security_ws(self, websocket: WebSocket) -> UserData | None:
         """Return the user associated with a token value."""
         api_key = self.get_request_api_key(websocket)

{usso-0.28.26 → usso-0.28.28}/src/usso/integrations/fastapi/handler.py

@@ -4,10 +4,17 @@ from fastapi.responses import JSONResponse
 from ...exceptions import USSOException
 
 
-async def usso_exception_handler(request: Request, exc: USSOException):
+async def usso_exception_handler(
+    request: Request, exc: USSOException
+) -> JSONResponse:
     return JSONResponse(
         status_code=exc.status_code,
-        content={"message": exc.message, "error": exc.error},
+        content={
+            "message": exc.message,
+            "error": exc.error,
+            "detail": exc.detail,
+            **exc.data,
+        },
     )
 
 

{usso-0.28.26 → usso-0.28.28}/src/usso/session/async_session.py

@@ -17,8 +17,9 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         usso_api_key: str | None = os.getenv("USSO_ADMIN_API_KEY"),
         user_id: str | None = None,
         client: "AsyncUssoSession" = None,
-    ):
-        httpx.AsyncClient.__init__(self)
+        **kwargs: dict,
+    ) -> None:
+        httpx.AsyncClient.__init__(self, **kwargs)
         BaseUssoSession.__init__(
             self,
             usso_base_url=usso_base_url,
@@ -100,7 +101,7 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
         )
         return self._handle_refresh_response(response)
 
-    async def get_session(self):
+    async def get_session(self) -> "AsyncUssoSession":
         if hasattr(self, "api_key") and self.api_key:
             return self
 
@@ -108,6 +109,8 @@ class AsyncUssoSession(httpx.AsyncClient, BaseUssoSession):
             await self._refresh()
         return self
 
-    async def _request(self, method: str, url: str, **kwargs):
+    async def _request(
+        self, method: str, url: str, **kwargs: dict
+    ) -> httpx.Response:
         session = await self.get_session()
         return await session.request(method, url, **kwargs)

{usso-0.28.26 → usso-0.28.28}/src/usso/session/base_session.py

@@ -14,7 +14,7 @@ class BaseUssoSession:
         app_secret: str | None = None,
         usso_url: str = "https://sso.usso.io",
         client: Optional["BaseUssoSession"] = None,
-    ):
+    ) -> None:
         if client:
             self.copy_attributes_from(client)
             return
@@ -54,7 +54,7 @@ class BaseUssoSession:
         self.access_token = None
         self.headers = getattr(self, "headers", {})
 
-    def copy_attributes_from(self, client: "BaseUssoSession"):
+    def copy_attributes_from(self, client: "BaseUssoSession") -> None:
         self.usso_url = client.usso_url
         self.usso_refresh_url = client.usso_refresh_url
         self._refresh_token = client._refresh_token
@@ -64,7 +64,7 @@ class BaseUssoSession:
         self.headers = client.headers.copy()
 
     @property
-    def refresh_token(self):
+    def refresh_token(self) -> JWT:
         if (
             self._refresh_token
             and self._refresh_token.verify(  # noqa: W503

{usso-0.28.26 → usso-0.28.28}/src/usso/session/session.py

@@ -14,8 +14,8 @@ class UssoSession(httpx.Client, BaseUssoSession):
         refresh_token: str | None = os.getenv("USSO_REFRESH_TOKEN"),
         usso_url: str | None = os.getenv("USSO_URL"),
         client: "UssoSession" = None,
-        **kwargs,
-    ):
+        **kwargs: dict,
+    ) -> None:
         httpx.Client.__init__(self, **kwargs)
 
         BaseUssoSession.__init__(
@@ -28,7 +28,7 @@ class UssoSession(httpx.Client, BaseUssoSession):
         if not self.api_key:
             self._refresh()
 
-    def _refresh(self):
+    def _refresh(self) -> dict:
         assert self.refresh_token, "refresh_token is required"
 
         response = httpx.post(
@@ -43,7 +43,7 @@ class UssoSession(httpx.Client, BaseUssoSession):
         self.headers.update({"Authorization": f"Bearer {self.access_token}"})
         return response.json()
 
-    def get_session(self):
+    def get_session(self) -> "UssoSession":
         if self.api_key:
             return self
 
@@ -51,6 +51,8 @@ class UssoSession(httpx.Client, BaseUssoSession):
             self._refresh()
         return self
 
-    def _request(self, method: str, url: str, **kwargs):
+    def _request(
+        self, method: str, url: str, **kwargs: dict
+    ) -> httpx.Response:
         self.get_session()
         return super().request(self, method, url, **kwargs)

{usso-0.28.26 → usso-0.28.28}/src/usso/user.py

@@ -55,8 +55,8 @@ class UserData(BaseModel):
         acr: str | None = None,
         amr: list[str] | None = None,
         signing_level: str | None = None,
-        **kwargs,
-    ):
+        **kwargs: dict,
+    ) -> None:
         super().__init__(
             jti=jti,
             token_type=token_type,
@@ -109,9 +109,9 @@ class UserData(BaseModel):
         self,
         *,
         mode: Literal["json", "python"] | str = "python",
-        include=None,
-        exclude=None,
-        context: Any | None = None,
+        include: set[str] | list[str] | None = None,
+        exclude: set[str] | list[str] | None = None,
+        context: object | None = None,
         by_alias: bool | None = None,
         exclude_unset: bool = False,
         exclude_defaults: bool = False,
@@ -120,7 +120,7 @@ class UserData(BaseModel):
         warnings: bool | Literal["none", "warn", "error"] = True,
         fallback: Callable[[Any], Any] | None = None,
         serialize_as_any: bool = False,
-    ):
+    ) -> dict:
         return super().model_dump(
             mode=mode,
             include=include,

{usso-0.28.26 → usso-0.28.28/src/usso.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: usso
-Version: 0.28.26
+Version: 0.28.28
 Summary: A plug-and-play client for integrating universal single sign-on (SSO) with Python frameworks, enabling secure and seamless authentication across microservices.
 Author-email: Mahdi Kiani <mahdikiany@gmail.com>
 Maintainer-email: Mahdi Kiani <mahdikiany@gmail.com>
@@ -28,7 +28,7 @@ Requires-Dist: cachetools
 Requires-Dist: singleton_package
 Requires-Dist: json-advanced
 Requires-Dist: httpx
-Requires-Dist: usso-jwt>=0.2.0
+Requires-Dist: usso-jwt>=0.2.6
 Provides-Extra: fastapi
 Requires-Dist: fastapi>=0.65.0; extra == "fastapi"
 Requires-Dist: uvicorn[standard]>=0.13.0; extra == "fastapi"

{usso-0.28.26 → usso-0.28.28}/src/usso.egg-info/requires.txt

@@ -4,7 +4,7 @@ cachetools
 singleton_package
 json-advanced
 httpx
-usso-jwt>=0.2.0
+usso-jwt>=0.2.6
 
 [all]
 fastapi>=0.65.0

{usso-0.28.26 → usso-0.28.28}/tests/test_authorization.py

@@ -22,11 +22,6 @@ from src.usso.authorization import (
         ("//files", "file-manager/files", True),
         ("//files", "media/file-manager/files", True),
         ("media//files", "media/file-manager/files", True),
-        (
-            "media//files",
-            "media/files",
-            True,
-        ),  # !! atention it matches because the middle part is empty
         ("media/files/*", "media/files/transactions", True),
         ("*/*/transactions", "media/files/transactions", True),
         ("media/*/transactions", "media/images/transactions", True),
@@ -35,14 +30,17 @@ from src.usso.authorization import (
         ("files", "media/files/transactions", False),
         ("media/files", "media/files/transactions", False),
         ("finance/*/*", "wallet", False),
+        ("media//files", "media/files", True),
     ],
 )
-def test_path_match(user_path, requested_path, expected):
+def test_path_match(
+    user_path: str, requested_path: str, expected: bool
+) -> None:
     assert is_path_match(user_path, requested_path, strict=False) == expected
 
 
 # Define pytest tests
-def test_exact_match_id():
+def test_exact_match_id() -> None:
     scopes = ["read:media/file-manager/files?uid=file123"]
     assert (
         check_access(
@@ -50,9 +48,9 @@ def test_exact_match_id():
             "files",
             action="read",
             filters=[
-                dict(namespace="media"),
-                dict(service="file-manager"),
-                dict(uid="file123"),
+                {"namespace": "media"},
+                {"service": "file-manager"},
+                {"uid": "file123"},
             ],
         )
         is True
@@ -60,7 +58,7 @@ def test_exact_match_id():
 
 
 # Define pytest tests
-def test_wildcard():
+def test_wildcard() -> None:
     scopes = [
         "update:media/files/transactions?user_id=abc",
         "read:media/files/*",
@@ -86,7 +84,7 @@ def test_wildcard():
     )
 
 
-def test_insufficient_privilege():
+def test_insufficient_privilege() -> None:
     scopes = ["read:media/files/file:uid:file123"]
     assert (
         check_access(
@@ -94,33 +92,33 @@ def test_insufficient_privilege():
             "file",
             "update",
             filters=[
-                dict(namespace="finance"),
-                dict(service="wallet"),
-                dict(workspace_id="ws_7"),
+                {"namespace": "finance"},
+                {"service": "wallet"},
+                {"workspace_id": "ws_7"},
             ],
         )
         is False
     )
 
 
-def test_wildcard_match():
+def test_wildcard_match() -> None:
     scopes = ["manage:media/files/file?*"]
     assert (
         check_access(
             scopes,
             "file",
             "update",
-            filters=dict(
-                namespace="finance",
-                service="wallet",
-                workspace_id="ws_7",
-            ),
+            filters={
+                "namespace": "finance",
+                "service": "wallet",
+                "workspace_id": "ws_7",
+            },
         )
         is True
     )
 
 
-def test_match_by_user_id():
+def test_match_by_user_id() -> None:
     scopes = ["manage:finance/wallet/transaction?user=user_1"]
     assert (
         check_access(
@@ -128,9 +126,9 @@ def test_match_by_user_id():
             "transaction",
             "update",
             filters=[
-                dict(namespace="finance"),
-                dict(service="wallet"),
-                dict(workspace_id="ws_7"),
+                {"namespace": "finance"},
+                {"service": "wallet"},
+                {"workspace_id": "ws_7"},
             ],
         )
         is False
@@ -140,13 +138,13 @@ def test_match_by_user_id():
             scopes,
             "transaction",
             "update",
-            filters=dict(namespace="finance", user="user_1"),
+            filters={"namespace": "finance", "user": "user_1"},
         )
         is True
     )
 
 
-def test_match_by_workspace_id():
+def test_match_by_workspace_id() -> None:
     scopes = ["delete:finance/wallet/transaction?workspace_id=ws_7"]
     assert (
         check_access(
@@ -154,31 +152,31 @@ def test_match_by_workspace_id():
             "transaction",
             "delete",
             filters=[
-                dict(namespace="finance"),
-                dict(service="wallet"),
-                dict(workspace_id="ws_7"),
+                {"namespace": "finance"},
+                {"service": "wallet"},
+                {"workspace_id": "ws_7"},
             ],
         )
         is True
     )
 
 
-def test_minimal_params_success():
+def test_minimal_params_success() -> None:
     scopes = ["create:file?*"]
     assert check_access(scopes, "file", "create") is True
 
 
-def test_minimal_params_fail():
+def test_minimal_params_fail() -> None:
     scopes = ["read:file?*"]
     assert check_access(scopes, "file", "create") is False
 
 
-def test_minimal_params_read_create_fail():
+def test_minimal_params_read_create_fail() -> None:
     scopes = ["file"]
     assert check_access(scopes, "file", "create") is False
 
 
-def test_scope_subset():
+def test_scope_subset() -> None:
     assert is_subset_scope(
         subset_scope="read:media/files?user_id=123",
         super_scope="read:media/files",

{usso-0.28.26 → usso-0.28.28}/tests/test_fastapi.py

@@ -5,7 +5,7 @@ from collections.abc import AsyncGenerator
 import httpx
 import pytest
 import pytest_asyncio
-from fastapi import Depends, WebSocket
+from fastapi import Depends, FastAPI, WebSocket
 from starlette.testclient import TestClient
 from usso_jwt.algorithms import AbstractKey
 
@@ -18,7 +18,7 @@ from src.usso.integrations.fastapi import (
 
 
 @pytest.fixture(scope="session")
-def app(test_key: AbstractKey):
+def app(test_key: AbstractKey) -> FastAPI:
     import fastapi
 
     os.environ["JWT_CONFIG"] = json.dumps({
@@ -36,14 +36,14 @@ def app(test_key: AbstractKey):
     @app.get("/user")
     async def get_user(
         user: UserData = Depends(usso.usso_access_security),  # noqa: B008
-    ):
+    ) -> dict:
         return user.model_dump()
 
     @app.websocket("/ws")
     async def websocket_endpoint(
         websocket: WebSocket,
         user: UserData = Depends(usso.jwt_access_security_ws),  # noqa: B008
-    ):
+    ) -> None:
         await websocket.accept()
         await websocket.send_json({"msg": user.model_dump()})
         # await websocket.send_json({"msg": "Hello WebSocket"})
@@ -53,7 +53,7 @@ def app(test_key: AbstractKey):
 
 
 @pytest_asyncio.fixture(scope="session")
-async def client(app) -> AsyncGenerator[httpx.AsyncClient]:
+async def client(app: FastAPI) -> AsyncGenerator[httpx.AsyncClient]:
     """Fixture to provide an AsyncClient for FastAPI app."""
 
     async with httpx.AsyncClient(
@@ -64,14 +64,13 @@ async def client(app) -> AsyncGenerator[httpx.AsyncClient]:
 
 
 @pytest.mark.asyncio
-async def test_get_user_no_token(client: httpx.AsyncClient):
+async def test_get_user_no_token(client: httpx.AsyncClient) -> None:
     response = await client.get("/user")
-    print(response.json())
     assert response.status_code == 401
 
 
 @pytest.mark.asyncio
-async def test_get_user_with_invalid_token(client: httpx.AsyncClient):
+async def test_get_user_with_invalid_token(client: httpx.AsyncClient) -> None:
     response = await client.get(
         "/user",
         headers={"Authorization": "Bearer test"},
@@ -84,7 +83,7 @@ async def test_get_user_with_token(
     client: httpx.AsyncClient,
     test_valid_token: str,
     test_valid_payload: dict,
-):
+) -> None:
     response = await client.get(
         "/user",
         headers={"Authorization": f"Bearer {test_valid_token}"},
@@ -93,7 +92,11 @@ async def test_get_user_with_token(
     assert response.json().get("claims") == test_valid_payload
 
 
-def test_websocket(app, test_valid_token: str, test_valid_payload: dict):
+def test_websocket(
+    app: FastAPI,
+    test_valid_token: str,
+    test_valid_payload: dict,
+) -> None:
     client = TestClient(app)
     with client.websocket_connect(
         "/ws", headers={"Authorization": f"Bearer {test_valid_token}"}