PyPI - verge-auth-sdk - Versions diffs - 0.1.14__py3-none-any.whl → 0.1.48__py3-none-any.whl - Mend

verge-auth-sdk 0.1.14py3-none-any.whl → 0.1.48py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

verge_auth_sdk/__init__.py CHANGED Viewed

@@ -2,7 +2,7 @@
 """
 verge_auth_sdk package public API.
 Exports:
- - add_central_auth(app)  -> middleware to attach to FastAPI app
+ - add_central_auth(app)  -> middleware to attach to Python app
  - get_secret(name)       -> secret retrieval helper
 """
 from .middleware import add_central_auth

verge_auth_sdk/middleware.py CHANGED Viewed

@@ -1,135 +1,879 @@
+# from fastapi import FastAPI, Request
+# from fastapi.responses import RedirectResponse, JSONResponse
+# import httpx
+# import os
+# import asyncio
+# import jwt
+# from typing import List
+# from .secret_provider import get_secret
+# from .verge_routes import router as verge_routes_router
+# def is_request_secure(request: Request) -> bool:
+#     """
+#     Returns True when the browser-facing connection is HTTPS.
+#     Works for:
+#     - Real production HTTPS
+#     - Ngrok (HTTPS → HTTP backend)
+#     - Cloud LB / Nginx / ALB setups
+#     """
+#     # Case 1: Native HTTPS
+#     if request.url.scheme == "https":
+#         return True
+#     # Case 2: Behind proxy / ngrok
+#     forwarded_proto = request.headers.get("x-forwarded-proto")
+#     if forwarded_proto and forwarded_proto.lower() == "https":
+#         return True
+#     return False
+# REGISTERED_ROUTES: List = []
+# # ============================================================
+# # GLOBAL JWT CACHE
+# # ============================================================
+# JWT_PUBLIC_KEY: str | None = None
+# JWT_KEY_ID: str | None = None
+# JWT_ALGORITHMS = ["RS256"]
+# # -----------------------------------------------------------
+# # HTTP helper with retries
+# # -----------------------------------------------------------
+# async def _post_with_retries(
+#     client,
+#     url,
+#     json=None,
+#     headers=None,
+#     timeout=10,
+#     retries=8,
+#     backoff=1,
+# ):
+#     last_exc = None
+#     for attempt in range(1, retries + 1):
+#         try:
+#             resp = await client.post(
+#                 url,
+#                 json=json,
+#                 headers=headers,
+#                 timeout=timeout,
+#             )
+#             return resp
+#         except Exception as e:
+#             last_exc = e
+#             print(
+#                 f"❗ Retry {attempt}/{retries} failed for {url}: "
+#                 f"{type(e).__name__}: {e}"
+#             )
+#             await asyncio.sleep(backoff * attempt)
+#     raise last_exc
+# # -----------------------------------------------------------
+# # PUBLIC KEY DISCOVERY
+# # -----------------------------------------------------------
+# async def load_public_key(force: bool = False):
+#     global JWT_PUBLIC_KEY, JWT_KEY_ID
+#     if JWT_PUBLIC_KEY and not force:
+#         return
+#     AUTH_PUBLIC_KEY_URL = os.getenv("AUTH_PUBLIC_KEY_URL")
+#     if not AUTH_PUBLIC_KEY_URL:
+#         print("❌ AUTH_PUBLIC_KEY_URL not set! Please Set it.")
+#         return
+#     try:
+#         async with httpx.AsyncClient(timeout=5) as client:
+#             resp = await client.get(AUTH_PUBLIC_KEY_URL)
+#             resp.raise_for_status()
+#             data = resp.json()
+#             JWT_PUBLIC_KEY = data.get("public_key")
+#             JWT_KEY_ID = data.get("kid")
+#             if JWT_PUBLIC_KEY:
+#                 print("✅ Security Key Loaded Successfully")
+#             else:
+#                 print("❌ Security Key Loading Failed")
+#     except Exception as e:
+#         print("❌ Failed to load Security Key:", str(e))
+# # -----------------------------------------------------------
+# # MAIN INTEGRATION
+# # -----------------------------------------------------------
+# def add_central_auth(app: FastAPI):
+#     AUTH_BASE_URL = os.getenv("AUTH_BASE_URL")
+#     SERVICE_NAME = os.getenv("SERVICE_NAME")
+#     SERVICE_BASE_URL = os.getenv("SERVICE_BASE_URL")
+#     CLIENT_ID = os.getenv("VERGE_CLIENT_ID")
+#     CLIENT_SECRET = os.getenv("VERGE_CLIENT_SECRET")
+#     VERGE_SERVICE_SECRET = get_secret("VERGE_SERVICE_SECRET")
+#     AUTH_REGISTER_URL = os.getenv("AUTH_REGISTER_URL")
+#     AUTH_ROUTE_SYNC_URL = os.getenv("AUTH_ROUTE_SYNC_URL")
+#     INTROSPECT_URL = os.getenv("AUTH_INTROSPECT_URL")
+#     # Include internal verge routes
+#     app.include_router(verge_routes_router)
+#     # -------------------------------------------------------
+#     # MICROSERVICE BOOTSTRAP ON STARTUP
+#     # -------------------------------------------------------
+#     @app.on_event("startup")
+#     async def verge_bootstrap():
+#         print("🔥 Verge Auth started")
+#         # Load JWT public key
+#         await load_public_key(force=True)
+#         await asyncio.sleep(2)
+#         REGISTERED_ROUTES.clear()
+#         print("📌 Collecting routes...")
+#         for route in app.routes:
+#             try:
+#                 path = getattr(route, "path", None)
+#                 methods = getattr(route, "methods", [])
+#                 if not path:
+#                     continue
+#                 if path.startswith(("/docs", "/openapi", "/__verge__")):
+#                     continue
+#                 for m in methods:
+#                     if m in ("GET", "POST", "PUT", "PATCH", "DELETE"):
+#                         REGISTERED_ROUTES.append({"path": path, "method": m})
+#             except Exception as e:
+#                 print("❌ Error collecting route:", e)
+#         print("\n📡 Registering service with Verge Auth...")
+#         async with httpx.AsyncClient() as client:
+#             if AUTH_REGISTER_URL:
+#                 try:
+#                     resp = await _post_with_retries(
+#                         client,
+#                         AUTH_REGISTER_URL,
+#                         json={
+#                             "service_name": SERVICE_NAME,
+#                             "base_url": SERVICE_BASE_URL,
+#                         },
+#                         headers={
+#                             "X-Client-Id": CLIENT_ID or "",
+#                             "X-Client-Secret": CLIENT_SECRET or "",
+#                             "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+#                         },
+#                     )
+#                     print(
+#                         "📡 Registration response:",
+#                         resp.status_code,
+#                         resp.text,
+#                     )
+#                 except Exception as e:
+#                     print("❌ Registration failed:", e)
+#             if AUTH_ROUTE_SYNC_URL:
+#                 try:
+#                     resp = await _post_with_retries(
+#                         client,
+#                         AUTH_ROUTE_SYNC_URL,
+#                         json={
+#                             "service_name": SERVICE_NAME,
+#                             "base_url": SERVICE_BASE_URL,
+#                             "routes": REGISTERED_ROUTES,
+#                         },
+#                         headers={
+#                             "X-Client-Id": CLIENT_ID or "",
+#                             "X-Client-Secret": CLIENT_SECRET or "",
+#                             "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+#                         },
+#                         timeout=20,
+#                     )
+#                     print(
+#                         "📡 Route sync response:",
+#                         resp.status_code,
+#                         resp.text,
+#                     )
+#                 except Exception as e:
+#                     print("❌ Route sync failed:", e)
+#     # -------------------------------------------------------
+#     # CENTRAL AUTHZ MIDDLEWARE (CORRECTED FLOW)
+#     # -------------------------------------------------------
+#     @app.middleware("http")
+#     async def central_auth(request: Request, call_next):
+#         path = request.url.path
+#         SKIP_PATHS = {
+#             "/health",
+#             "/openapi.json",
+#             "/favicon.ico",
+#             "/service-registry/register",
+#             "/route-sync",
+#             "/__verge__",
+#             "/post-login",
+#         }
+#         # safer matching (handles trailing slash)
+#         if path.rstrip("/") in SKIP_PATHS or path.startswith("/__verge__"):
+#             return await call_next(request)
+#         # ---------------------------------------------------
+#         # STEP 1 — HANDLE AUTH CODE FIRST
+#         # ---------------------------------------------------
+#         if "code" in request.query_params:
+#             code = request.query_params.get("code")
+#             # Prevent infinite redirect loop
+#             if request.cookies.get("verge_access"):
+#                 return await call_next(request)
+#             try:
+#                 async with httpx.AsyncClient(timeout=5) as client:
+#                     resp = await client.post(
+#                         f"{AUTH_BASE_URL}/auth/exchange",
+#                         json={"code": code},
+#                         headers={
+#                             "X-Client-Id": os.getenv("VERGE_CLIENT_ID") or "",
+#                             "X-Client-Secret": os.getenv("VERGE_CLIENT_SECRET") or "",
+#                         },
+#                     )
+#                     resp.raise_for_status()
+#                     token = resp.json().get("access_token")
+#                     if not token:
+#                         return JSONResponse(
+#                             {"detail": "Authorization failed: no token returned"},
+#                             status_code=401,
+#                         )
+#                     clean_url = str(request.url.remove_query_params("code"))
+#                     response = RedirectResponse(clean_url)
+#                     response.set_cookie(
+#                         "verge_access",
+#                         token,
+#                         httponly=True,
+#                         secure=is_request_secure(request),
+#                         samesite="lax",
+#                         path="/",
+#                     )
+#                     response.set_cookie(
+#                         "verge_fresh_auth",
+#                         "1",
+#                         httponly=True,
+#                         secure=is_request_secure(request),
+#                         samesite="lax",
+#                         path="/",
+#                         max_age=5,   # only valid for 5 seconds
+#                     )
+#                     return response
+#             except Exception as e:
+#                 return JSONResponse(
+#                     {"detail": "Authorization failed", "error": str(e)},
+#                     status_code=401,
+#                 )
+#         # ---------------------------------------------------
+#         # STEP 2 — COLLECT TOKEN (cookie → header → session)
+#         # ---------------------------------------------------
+#         token = request.cookies.get("verge_access")
+#         if not token:
+#             auth_header = request.headers.get("authorization")
+#             if auth_header and auth_header.lower().startswith("bearer "):
+#                 token = auth_header.split(" ", 1)[1].strip()
+#         if not token and "session" in request.scope:
+#             token = request.scope["session"].get("access_token")
+#         # if getattr(request.state, "_just_authenticated", False):
+#         #     return await call_next(request)
+#         if request.cookies.get("verge_fresh_auth") == "1":
+#             response = await call_next(request)
+#             # clean up the flag so normal auth resumes next time
+#             response.delete_cookie("verge_fresh_auth")
+#             return response
+#         # ---------------------------------------------------
+#         # STEP 3 — FAIL CLEANLY IF STILL NO TOKEN
+#         # ---------------------------------------------------
+#         if not token:
+#             login_url = f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}"
+#             return RedirectResponse(login_url)
+#         # ---------------------------------------------------
+#         # STEP 4 — LOCAL JWT VERIFICATION
+#         # ---------------------------------------------------
+#         try:
+#             if not JWT_PUBLIC_KEY:
+#                 await load_public_key(force=True)
+#             if not JWT_PUBLIC_KEY:
+#                 return JSONResponse(
+#                     {"detail": "Auth key not ready"},
+#                     status_code=503,
+#                 )
+#             payload = jwt.decode(
+#                 token,
+#                 JWT_PUBLIC_KEY,
+#                 algorithms=JWT_ALGORITHMS,
+#                 options={"require": ["exp", "iat"]},
+#             )
+#         except jwt.ExpiredSignatureError:
+#             return JSONResponse({"detail": "Token expired"}, status_code=401)
+#         except jwt.InvalidTokenError:
+#             return JSONResponse({"detail": "Invalid token"}, status_code=401)
+#         except Exception as e:
+#             return JSONResponse(
+#                 {"detail": "Auth verification failed", "error": str(e)},
+#                 status_code=401,
+#             )
+#         # ---------------------------------------------------
+#         # STEP 5 — CENTRAL INTROSPECTION
+#         # ---------------------------------------------------
+#         try:
+#             async with httpx.AsyncClient(timeout=5) as client:
+#                 resp = await client.post(
+#                     INTROSPECT_URL,
+#                     headers={
+#                         "Authorization": f"Bearer {token}",
+#                         "X-Client-Id": os.getenv("VERGE_CLIENT_ID") or "",
+#                         "X-Client-Secret": os.getenv("VERGE_CLIENT_SECRET") or "",
+#                     },
+#                 )
+#                 data = resp.json()
+#                 if not data.get("active"):
+#                     return JSONResponse(
+#                         {
+#                             "detail": "Session inactive",
+#                             "reason": data.get("reason"),
+#                         },
+#                         status_code=401,
+#                     )
+#                 request.state.introspect = data
+#         except Exception as e:
+#             return JSONResponse(
+#                 {"detail": "Auth introspection failed", "error": str(e)},
+#                 status_code=401,
+#             )
+#         # ---------------------------------------------------
+#         # STEP 6 — PERMISSION CHECK
+#         # ---------------------------------------------------
+#         request.state.user = payload
+#         permissions = payload.get("roles") or []
+#         route_obj = request.scope.get("route")
+#         route_path = route_obj.path if route_obj else path
+#         method = request.method
+#         # 🔹 SPECIAL CASE: allow redoc AFTER auth
+#         if path.rstrip("/") in {"/redoc", "/docs"}:
+#             return await call_next(request)
+#         required_key = f"{SERVICE_NAME}:{route_path}:{method}".lower()
+#         normalized_permissions = [p.lower() for p in permissions]
+#         if required_key not in normalized_permissions:
+#             return JSONResponse(
+#                 {"detail": "Contact admin for access"},
+#                 status_code=403,
+#             )
+#         return await call_next(request)
 from fastapi import FastAPI, Request
 from fastapi.responses import RedirectResponse, JSONResponse
 import httpx
 import os
+import asyncio
+import jwt
+from typing import List
 from .secret_provider import get_secret
 from .verge_routes import router as verge_routes_router
-REGISTERED_ROUTES = []
+def is_request_secure(request: Request) -> bool:
+    """
+    Returns True when the browser-facing connection is HTTPS.
+    Works for:
+    - Real production HTTPS
+    - Ngrok (HTTPS → HTTP backend)
+    - Cloud LB / Nginx / ALB setups
+    """
+    # Case 1: Native HTTPS
+    if request.url.scheme == "https":
+        return True
-def add_central_auth(app: FastAPI):
+    # Case 2: Behind proxy / ngrok
+    forwarded_proto = request.headers.get("x-forwarded-proto")
+    if forwarded_proto and forwarded_proto.lower() == "https":
+        return True
-    AUTH_INTROSPECT_URL = os.getenv("AUTH_INTROSPECT_URL")
-    AUTH_LOGIN_URL = os.getenv("AUTH_LOGIN_URL")
+    return False
-    CLIENT_ID = os.getenv("VERGE_CLIENT_ID")
-    CLIENT_SECRET = os.getenv("VERGE_CLIENT_SECRET")
+REGISTERED_ROUTES: List = []
+# ============================================================
+# GLOBAL JWT CACHE
+# ============================================================
+JWT_PUBLIC_KEY: str | None = None
+JWT_KEY_ID: str | None = None
+JWT_ALGORITHMS = ["RS256"]
+# -----------------------------------------------------------
+# HTTP helper with retries
+# -----------------------------------------------------------
+async def _post_with_retries(
+    client,
+    url,
+    json=None,
+    headers=None,
+    timeout=10,
+    retries=8,
+    backoff=1,
+):
+    last_exc = None
+    for attempt in range(1, retries + 1):
+        try:
+            resp = await client.post(
+                url,
+                json=json,
+                headers=headers,
+                timeout=timeout,
+            )
+            return resp
+        except Exception as e:
+            last_exc = e
+            print(
+                f"❗ Retry {attempt}/{retries} failed for {url}: "
+                f"{type(e).__name__}: {e}"
+            )
+            await asyncio.sleep(backoff * attempt)
+    raise last_exc
+# -----------------------------------------------------------
+# PUBLIC KEY DISCOVERY
+# -----------------------------------------------------------
+async def load_public_key(force: bool = False):
+    global JWT_PUBLIC_KEY, JWT_KEY_ID
+    if JWT_PUBLIC_KEY and not force:
+        return
+    AUTH_PUBLIC_KEY_URL = os.getenv("AUTH_PUBLIC_KEY_URL")
+    if not AUTH_PUBLIC_KEY_URL:
+        print("❌ AUTH_PUBLIC_KEY_URL not set! Please Set it.")
+        return
+    try:
+        async with httpx.AsyncClient(timeout=50) as client:
+            resp = await client.get(AUTH_PUBLIC_KEY_URL)
+            resp.raise_for_status()
+            data = resp.json()
+            JWT_PUBLIC_KEY = data.get("public_key")
+            JWT_KEY_ID = data.get("kid")
+            if JWT_PUBLIC_KEY:
+                print("✅ Security Key Loaded Successfully")
+            else:
+                print("❌ Security Key Loading Failed")
+    except Exception as e:
+        print("❌ Failed to load Security Key:", str(e))
+# -----------------------------------------------------------
+# MAIN INTEGRATION
+# -----------------------------------------------------------
+def add_central_auth(app: FastAPI):
+    AUTH_BASE_URL = os.getenv("AUTH_BASE_URL")
     SERVICE_NAME = os.getenv("SERVICE_NAME")
     SERVICE_BASE_URL = os.getenv("SERVICE_BASE_URL")
+    CLIENT_ID = os.getenv("VERGE_CLIENT_ID")
+    CLIENT_SECRET = os.getenv("VERGE_CLIENT_SECRET")
+    VERGE_SERVICE_SECRET = get_secret("VERGE_SERVICE_SECRET")
     AUTH_REGISTER_URL = os.getenv("AUTH_REGISTER_URL")
+    AUTH_ROUTE_SYNC_URL = os.getenv("AUTH_ROUTE_SYNC_URL")
+    INTROSPECT_URL = os.getenv("AUTH_INTROSPECT_URL")
-    VERGE_SECRET = get_secret("VERGE_SERVICE_SECRET")
-    # ---------------------------------------
-    # INTERNAL ROUTES (MUST LOAD FIRST)
-    # ---------------------------------------
+    # Include internal verge routes
     app.include_router(verge_routes_router)
-    # ---------------------------------------
-    # STARTUP — ONLY COLLECT ROUTES (NO REGISTER)
-    # ---------------------------------------
+    # ================== ADD THIS BLOCK HERE ==================
+    @app.post("/__verge__/set-cookie")
+    def verge_set_cookie(request: Request):
+        auth = request.headers.get("authorization")
+        if not auth:
+            return JSONResponse({"detail": "Missing Authorization header"}, status_code=401)
+        token = auth.split(" ")[1]
+        response = JSONResponse({"ok": True})
+        response.set_cookie(
+            "verge_access",
+            token,
+            httponly=True,
+            secure=True,
+            # samesite="lax",
+            samesite="None",
+            path="/",
+        )
+        return response
+    # ================== END OF INSERT =======================
+    # -------------------------------------------------------
+    # MICROSERVICE BOOTSTRAP ON STARTUP
+    # -------------------------------------------------------
     @app.on_event("startup")
-    async def collect_routes():
-        print("🔥 Verge bootstrap started")
+    async def verge_bootstrap():
+        print("🔥 Verge Auth started")
+        # Load JWT public key
+        await load_public_key(force=True)
+        await asyncio.sleep(2)
         REGISTERED_ROUTES.clear()
+        print("📌 Collecting routes...")
         for route in app.routes:
-            path = getattr(route, "path", None)
-            methods = getattr(route, "methods", [])
+            try:
+                path = getattr(route, "path", None)
+                methods = getattr(route, "methods", [])
-            if not path:
-                continue
+                if not path:
+                    continue
-            if path.startswith(("/docs", "/openapi", "/__verge__")):
-                continue
+                if path.startswith(("/docs", "/openapi", "/__verge__")):
+                    continue
-            for m in methods:
-                if m in ("GET", "POST", "PUT", "PATCH", "DELETE"):
-                    REGISTERED_ROUTES.append({"path": path, "method": m})
+                for m in methods:
+                    if m in ("GET", "POST", "PUT", "PATCH", "DELETE"):
+                        REGISTERED_ROUTES.append({"path": path, "method": m})
-        print("✅ Collected Routes:", REGISTERED_ROUTES)
+            except Exception as e:
+                print("❌ Error collecting route:", e)
-    # ---------------------------------------
-    # SUPER ADMIN TRIGGERED REGISTRATION
-    # ---------------------------------------
-    async def register_with_auth():
-        try:
-            async with httpx.AsyncClient(timeout=5) as client:
-                resp = await client.post(
-                    AUTH_REGISTER_URL,
-                    params={
-                        "name": SERVICE_NAME,
-                        "base_url": SERVICE_BASE_URL,
-                    },
-                    headers={"X-Verge-Service-Secret": VERGE_SECRET}
-                )
+        print("\n📡 Registering service with Verge Auth...")
-            print(f"📡 Registration: {resp.status_code}")
-            print(resp.text)
+        async with httpx.AsyncClient() as client:
+            if AUTH_REGISTER_URL:
+                try:
+                    resp = await _post_with_retries(
+                        client,
+                        AUTH_REGISTER_URL,
+                        json={
+                            "service_name": SERVICE_NAME,
+                            "base_url": SERVICE_BASE_URL,
+                        },
+                        headers={
+                            "X-Client-Id": CLIENT_ID or "",
+                            "X-Client-Secret": CLIENT_SECRET or "",
+                            "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+                        },
+                    )
+                    print(
+                        "📡 Registration response:",
+                        resp.status_code,
+                        resp.text,
+                    )
+                except Exception as e:
+                    print("❌ Registration failed:", e)
-        except Exception as e:
-            print("❌ Registration failed:", e)
+            if AUTH_ROUTE_SYNC_URL:
+                try:
+                    resp = await _post_with_retries(
+                        client,
+                        AUTH_ROUTE_SYNC_URL,
+                        json={
+                            "service_name": SERVICE_NAME,
+                            "base_url": SERVICE_BASE_URL,
+                            "routes": REGISTERED_ROUTES,
+                        },
+                        headers={
+                            "X-Client-Id": CLIENT_ID or "",
+                            "X-Client-Secret": CLIENT_SECRET or "",
+                            "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+                        },
+                        timeout=20,
+                    )
+                    print(
+                        "📡 Route sync response:",
+                        resp.status_code,
+                        resp.text,
+                    )
+                except Exception as e:
+                    print("❌ Route sync failed:", e)
-    # ---------------------------------------
-    # MIDDLEWARE AUTH
-    # ---------------------------------------
+    # -------------------------------------------------------
+    # CENTRAL AUTHZ MIDDLEWARE (FIXED FLOW)
+    # -------------------------------------------------------
     @app.middleware("http")
     async def central_auth(request: Request, call_next):
         path = request.url.path
-        # Whitelisted paths
-        if path.startswith("/__verge__") or path in {"/docs", "/openapi.json", "/health"}:
+        SKIP_PATHS = {
+            "/service-registry/register",
+            "/route-sync",
+            "/__verge__",
+        }
+        # Safer matching (handles trailing slash)
+        normalized_path = path.rstrip("/")
+        if normalized_path in SKIP_PATHS or path.startswith("/__verge__"):
             return await call_next(request)
-        # Extract token
-        token = None
-        auth_header = request.headers.get("authorization")
+        # ---------------------------------------------------
+        # STEP 1 — HANDLE AUTH CODE EXCHANGE (SERVICE-SIDE ONLY)
+        # ---------------------------------------------------
+        # NOTE: The auth frontend already exchanges codes via /auth/exchange
+        # This middleware only needs to handle codes coming from /services/launch
+        # which generates codes for microservice access
+        # code = request.query_params.get("code")
+        # print("code in request param", code)
+        # if code:
+        #     # Check if we already have a valid token cookie
+        #     existing_token = request.cookies.get("verge_access")
+        #     print("existing token ", existing_token)
+        #     if existing_token:
+        #         # Already authenticated - just clean URL and proceed
+        #         clean_url = str(request.url.remove_query_params("code"))
+        #         print("clean_url RedirectResponse", clean_url)
+        #         return RedirectResponse(clean_url, status_code=302)
+        #     # Exchange code for token (from /services/launch flow)
+        #     try:
+        #         async with httpx.AsyncClient(timeout=30) as client:
+        #             resp = await client.post(
+        #                 f"{AUTH_BASE_URL}/auth/exchange",
+        #                 json={"code": code},
+        #                 headers={
+        #                     "X-Client-Id": CLIENT_ID or "",
+        #                     "X-Client-Secret": CLIENT_SECRET or "",
+        #                 },
+        #             )
+        #             resp.raise_for_status()
+        #             data = resp.json()
+        #             token = data.get("access_token")
+        #             if not token:
+        #                 return JSONResponse(
+        #                     {"detail": "Authorization failed: no token returned"},
+        #                     status_code=401,
+        #                 )
+        #             # Set cookie with token and redirect to clean URL
+        #             clean_url = str(request.url.remove_query_params("code"))
+        #             response = RedirectResponse(clean_url, status_code=302)
+        #             print("clean url when no existinig toke ", clean_url)
+        #             response.set_cookie(
+        #                 key="verge_access",
+        #                 value=token,
+        #                 httponly=True,
+        #                 secure=is_request_secure(request),
+        #                 samesite="lax",
+        #                 path="/",
+        #                 max_age=28800,  # 8 hours to match session
+        #             )
+        #             return response
+        #     except httpx.HTTPStatusError as e:
+        #         error_detail = e.response.text if hasattr(
+        #             e.response, 'text') else str(e)
+        #         print(f"❌ Code exchange failed: {error_detail}")
+        #         return JSONResponse(
+        #             {
+        #                 "detail": "Authorization code exchange failed",
+        #                 "error": error_detail,
+        #                 "status_code": e.response.status_code if hasattr(e.response, 'status_code') else 500
+        #             },
+        #             status_code=401,
+        #         )
+        #     except Exception as e:
+        #         print(f"❌ Code exchange error: {str(e)}")
+        #         return JSONResponse(
+        #             {"detail": "Authorization failed", "error": str(e)},
+        #             status_code=401,
+        #         )
-        if auth_header and auth_header.lower().startswith("bearer "):
-            token = auth_header.split(" ")[1]
+        # ---------------------------------------------------
+        # STEP 2 — COLLECT TOKEN (cookie → header → session)
+        # ---------------------------------------------------
+        token = request.cookies.get("verge_access")
         if not token:
-            token = request.cookies.get("access_token")
+            auth_header = request.headers.get("authorization")
+            if auth_header and auth_header.lower().startswith("bearer "):
+                token = auth_header.split(" ", 1)[1].strip()
-        # redirect if HTML request
-        if not token and "text/html" in request.headers.get("accept", ""):
-            return RedirectResponse(
-                f"{AUTH_LOGIN_URL}?redirect_url={request.url}"
-            )
+        if not token and "session" in request.scope:
+            token = request.scope["session"].get("access_token")
+        # ---------------------------------------------------
+        # STEP 3 — REDIRECT TO LOGIN IF NO TOKEN
+        # ---------------------------------------------------
+        # add the paths that needs to be public paths ex "/redoc", "/docs"
+        _raw_public = os.getenv("PUBLIC_PATHS", "")
+        PUBLIC_PATHS = {
+            "/" + p.strip("/ ")
+            for p in _raw_public.split(",")
+            if p.strip()
+        }
         if not token:
-            return JSONResponse({"detail": "Unauthorized"}, status_code=401)
+            if normalized_path in PUBLIC_PATHS:
+                return await call_next(request)
+            # login_url = f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}"
+            login_url = f"{os.getenv('AUTH_LOGIN_URL')}?redirect_url={request.url}"
+            print("Login_Url ***", login_url)
-        # Validate token
+            return RedirectResponse(login_url, status_code=302)
+        # ---------------------------------------------------
+        # STEP 4 — LOCAL JWT VERIFICATION
+        # ---------------------------------------------------
         try:
-            async with httpx.AsyncClient(timeout=4) as client:
-                res = await client.post(
-                    AUTH_INTROSPECT_URL,
-                    headers={
-                        "Authorization": f"Bearer {token}",
-                        "X-Client-Id": CLIENT_ID,
-                        "X-Client-Secret": CLIENT_SECRET,
-                    },
+            if not JWT_PUBLIC_KEY:
+                await load_public_key(force=True)
+            if not JWT_PUBLIC_KEY:
+                return JSONResponse(
+                    {"detail": "Auth key not ready, please try again"},
+                    status_code=503,
                 )
-                data = res.json()
-        except Exception:
-            return JSONResponse({"detail": "Auth service unreachable"}, status_code=503)
+            payload = jwt.decode(
+                token,
+                JWT_PUBLIC_KEY,
+                algorithms=JWT_ALGORITHMS,
+                options={"require": ["exp", "iat"]},
+            )
-        if not data.get("active"):
-            return JSONResponse({"detail": "Session expired"}, status_code=401)
+        except jwt.ExpiredSignatureError:
+            # Clear expired cookie and redirect to login
+            response = RedirectResponse(
+                # f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}&reason=expired",
+                f"{os.getenv('AUTH_LOGIN_URL')}?redirect_url={request.url}&reason=expired",
+                status_code=302
+            )
+            response.delete_cookie("verge_access")
+            return response
-        user = data.get("user", {})
-        request.state.user = user
+        except jwt.InvalidTokenError as e:
+            # Clear invalid cookie and redirect to login
+            response = RedirectResponse(
+                # f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}&reason=invalid",
+                f"{os.getenv('AUTH_LOGIN_URL')}?redirect_url={request.url}&reason=invalid",
+                status_code=302
+            )
+            response.delete_cookie("verge_access")
+            return response
+        except Exception as e:
+            return JSONResponse(
+                {"detail": "Token verification failed", "error": str(e)},
+                status_code=401,
+            )
+        # ---------------------------------------------------
+        # STEP 5 — CENTRAL INTROSPECTION (Optional but recommended)
+        # ---------------------------------------------------
+        if INTROSPECT_URL:
+            try:
+                async with httpx.AsyncClient(timeout=5) as client:
+                    resp = await client.post(
+                        INTROSPECT_URL,
+                        headers={
+                            "Authorization": f"Bearer {token}",
+                            "X-Client-Id": CLIENT_ID or "",
+                            "X-Client-Secret": CLIENT_SECRET or "",
+                        },
+                    )
+                    if resp.status_code == 200:
+                        data = resp.json()
+                        if not data.get("active"):
+                            # Session revoked/inactive - clear cookie and redirect
+                            response = RedirectResponse(
+                                # f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}&reason=inactive",
+                                f"{os.getenv('AUTH_LOGIN_URL')}?redirect_url={request.url}&reason=inactive",
+                                status_code=302
+                            )
+                            response.delete_cookie("verge_access")
+                            return response
+                        request.state.introspect = data
+                    else:
+                        # Introspection failed - treat as unauthorized
+                        response = RedirectResponse(
+                            f"{os.getenv('AUTH_LOGIN_URL')}?redirect={request.url}",
+                            status_code=302
+                        )
+                        response.delete_cookie("verge_access")
+                        return response
+            except Exception as e:
+                # If introspection fails, log but continue with JWT validation
+                print(f"⚠️  Introspection failed: {e}")
+                # Could optionally fail open or closed here based on your security posture
-        # ----------------------------------------------
-        # ⭐ SUPER ADMIN LOGGED IN → REGISTER SERVICE
-        # ----------------------------------------------
-        if user.get("is_super_admin", False):
-            print("🔐 Super Admin logged in → triggering service registration")
-            await register_with_auth()
+        # ---------------------------------------------------
+        # STEP 6 — PERMISSION CHECK
+        # ---------------------------------------------------
+        request.state.user = payload
+        permissions = payload.get("roles") or []
+        route_obj = request.scope.get("route")
+        route_path = route_obj.path if route_obj else path
+        method = request.method
+        # # Allow docs/redoc after authentication
+        # if normalized_path in {"/redoc", "/docs"}:
+        #     return await call_next(request)
+        if normalized_path in PUBLIC_PATHS:
+            return await call_next(request)
+        # Build permission key: service_name:route_path:method
+        required_key = f"{SERVICE_NAME}:{route_path}:{method}".lower()
+        normalized_permissions = [p.lower() for p in permissions]
+        if required_key not in normalized_permissions:
+            return JSONResponse(
+                {
+                    "detail": "Insufficient permissions. Contact admin for access.",
+                    "required": required_key,
+                    "user_permissions": permissions
+                },
+                status_code=403,
+            )
+        # ---------------------------------------------------
+        # STEP 7 — PROCEED TO ROUTE HANDLER
+        # ---------------------------------------------------
         return await call_next(request)

verge_auth_sdk/verge_routes.py CHANGED Viewed

@@ -10,8 +10,8 @@ async def verge_internal_routes(request: Request):
     expected_secret = get_secret("VERGE_SERVICE_SECRET")
     received_secret = request.headers.get("X-Verge-Service-Secret")
-    # Enforce exact secret match
     if not expected_secret or expected_secret != received_secret:
         raise HTTPException(status_code=403, detail="Forbidden")
     collected = []

{verge_auth_sdk-0.1.14.dist-info → verge_auth_sdk-0.1.48.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: verge-auth-sdk
-Version: 0.1.14
+Version: 0.1.48
 Summary: Secure centralized authentication SDK for FastAPI microservices
 Author-email: Verge Infosoft <contactus@vergeinfosoft.com>
 License: MIT
@@ -14,7 +14,8 @@ Requires-Dist: python-dotenv
 Dynamic: license-file
 🔐 Verge Auth SDK
-Secure Identity & Access Management for FastAPI Microservices
+Secure Identity & Access Management for FastAPI Microservices and all Python-based frameworks Monolithic and Microservice Architectures
 Verge Auth SDK is a lightweight integration library that connects your FastAPI microservices to the Verge Auth Platform — a centralized identity, role management, and access-control system built for modern SaaS applications.
@@ -53,8 +54,8 @@ Users sign up with their organization details, company domain, and email.
 2. Email Verification
-A verification link is sent from no-reply@vergeinfosoft.com
-.
+A verification email is sent to the registered address.
 Once verified, the user is redirected to the Verge Auth platform.
 3. Login
@@ -155,6 +156,7 @@ Add users into the group
 This makes onboarding smoother and keeps role management scalable.
 🔌 Integrating the SDK Into a Microservice
 Install from PyPI
 pip install verge_auth_sdk
@@ -163,6 +165,8 @@ from fastapi import FastAPI
 from verge_auth_sdk import add_central_auth
 app = FastAPI()
+# call this at the last line of your apps main
 add_central_auth(app)
 That’s it.
@@ -171,30 +175,55 @@ The service will now:
 ✓ Authenticate incoming requests
 ✓ Communicate securely with Verge Auth
 ✓ Provide user identity + roles
-✓ Automatically register its routes for RBAC assignment
+✓ Secure synchronization of service access metadata for centralized permission governance.
 ⚙ Environment Configuration
 Each service requires a minimal set of environment variables:
+Exact endpoint configurations and integration details may vary by deployment and are abstracted by the SDK.
+############## DO NOT CHANGE THIS #################################
-######################################################################
+AUTH_BASE_URL=https://auth.vergeinfosoft.com
+AUTH_SESSION_URL=https://auth.vergeinfosoft.com/session
+AUTH_INTROSPECT_URL=https://auth.vergeinfosoft.com/introspect
+AUTH_REGISTER_URL=https://auth.vergeinfosoft.com/service-registry/register
+AUTH_ROUTE_SYNC_URL=https://auth.vergeinfosoft.com/route-sync
+AUTH_PUBLIC_KEY_URL=https://auth.vergeinfosoft.com/auth/keys/public
+AUTH_LOGIN_URL=https://auth.vergeinfosoft.com/login
-AUTH_INTROSPECT_URL=<auth-server-introspection-endpoint>
-AUTH_LOGIN_URL=<auth-server-login-ui>
+############## DO NOT CHANGE THIS #################################
+################# CHANGE THESE AS PER DETAILS PROVIDED #############################################
 VERGE_CLIENT_ID=<client-id>
 VERGE_CLIENT_SECRET=<client-secret>
 VERGE_SERVICE_SECRET=<service-integration-secret>
 # These are provided by Verge Infosoft during onboarding.
-# Optional secret provider:
+####################################################################################################
-SECRETS_PROVIDER=env # azure | aws
+# Select Optional secret provider:
+SECRETS_PROVIDER=env | AZURE | AWS | GCP | ORACLE # Supported cloud providers for secret management
+env=env # if you want to load from your local ENV
+azure=<AZURE_URL>
+aws=<AWS_URL>
+gcp=<GCP_URL>
+oracle=<ORACLE_URL>
+########################################################################
+SERVICE_NAME=<SERVICE_NAME>  # example billing service or hr service
+SERVICE_BASE_URL=<SERVICE_BASE_URL>  example https://hr.yourdomain.com
 ########################################################################
 🛡 Middleware Responsibilities
 The SDK transparently handles:
@@ -215,7 +244,7 @@ You do not need to implement any auth or RBAC logic manually.
 🔐 Security Highlights
-RSA-based JWT verification
+Industry-standard asymmetric token verification with key rotation support
 Centralized session & token lifecycle management
@@ -227,7 +256,7 @@ HTTPS-only communication
 Support for cloud key vaults
-💼 Ideal For
+💼 Ideal For (including but not limited to):
 HRMS, ERP, CRM, Billing platforms

verge_auth_sdk-0.1.48.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,9 @@
+verge_auth_sdk/__init__.py,sha256=fna_P4l-tc3ZLKwERFEdOpT4hqPQoJSikrbt_ze5yME,410
+verge_auth_sdk/middleware.py,sha256=MJdukBVCMAwZbBcnHY-viccyc5TsUbX4Mbdp13at1MM,34019
+verge_auth_sdk/secret_provider.py,sha256=j89rj9LZHl4qTI2fdf0qnn-mgDD3oTbdP3imsm0S9n8,1653
+verge_auth_sdk/verge_routes.py,sha256=GAFS8HdSNznuh6two6DAHZZeq2t29l3IlzDJjBcOGKA,1413
+verge_auth_sdk-0.1.48.dist-info/licenses/LICENSE,sha256=OLuFd1VUvl1QKIJJ_qJ8zR4ypcDhzeRkEywc7PX2ABQ,1090
+verge_auth_sdk-0.1.48.dist-info/METADATA,sha256=H4XiQRVtQWbmsynBw4AT_dG7Zw3dwqyAIcXqE-VpmeE,7075
+verge_auth_sdk-0.1.48.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+verge_auth_sdk-0.1.48.dist-info/top_level.txt,sha256=0ik2K2CJZrP11DvuR7USTYJkX_kv2DSJS5wyhP1yAfA,15
+verge_auth_sdk-0.1.48.dist-info/RECORD,,

verge_auth_sdk-0.1.14.dist-info/RECORD DELETED Viewed

@@ -1,9 +0,0 @@
-verge_auth_sdk/__init__.py,sha256=n76KSaK3CohCP7dzrUXWlTPNPGzWesLTlYl-C7rfW60,411
-verge_auth_sdk/middleware.py,sha256=2WKXMgW7mxaHbEyE1g8qpTM0SAcuXs4XVnB5xr5KEKs,4707
-verge_auth_sdk/secret_provider.py,sha256=j89rj9LZHl4qTI2fdf0qnn-mgDD3oTbdP3imsm0S9n8,1653
-verge_auth_sdk/verge_routes.py,sha256=R0WUb0OyIkapZ0dKhqfYzfhI6I_cnHSJsB6p-8lt9V4,1445
-verge_auth_sdk-0.1.14.dist-info/licenses/LICENSE,sha256=OLuFd1VUvl1QKIJJ_qJ8zR4ypcDhzeRkEywc7PX2ABQ,1090
-verge_auth_sdk-0.1.14.dist-info/METADATA,sha256=FqrFVVuW2xS5mSWo9xGRWR_nT3IFvVxNiG6pgcPuIwA,5702
-verge_auth_sdk-0.1.14.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-verge_auth_sdk-0.1.14.dist-info/top_level.txt,sha256=0ik2K2CJZrP11DvuR7USTYJkX_kv2DSJS5wyhP1yAfA,15
-verge_auth_sdk-0.1.14.dist-info/RECORD,,

{verge_auth_sdk-0.1.14.dist-info → verge_auth_sdk-0.1.48.dist-info}/WHEEL RENAMED Viewed

File without changes

{verge_auth_sdk-0.1.14.dist-info → verge_auth_sdk-0.1.48.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

{verge_auth_sdk-0.1.14.dist-info → verge_auth_sdk-0.1.48.dist-info}/top_level.txt RENAMED Viewed

File without changes

verge-auth-sdk 0.1.14__py3-none-any.whl → 0.1.48__py3-none-any.whl

verge-auth-sdk 0.1.14py3-none-any.whl → 0.1.48py3-none-any.whl