PyPI - verge-auth-sdk - Versions diffs - 0.1.18__py3-none-any.whl → 0.1.27__py3-none-any.whl - Mend

verge-auth-sdk 0.1.18py3-none-any.whl → 0.1.27py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of verge-auth-sdk might be problematic. Click here for more details.

Files changed (8) hide show

verge_auth_sdk/middleware.py CHANGED Viewed

@@ -1,140 +1,285 @@
 from fastapi import FastAPI, Request
 from fastapi.responses import RedirectResponse, JSONResponse
-import httpx
-import os
 from .secret_provider import get_secret
 from .verge_routes import router as verge_routes_router
+import httpx
+import os
+import asyncio
+import jwt
 REGISTERED_ROUTES = []
+# ============================================================
+# GLOBAL JWT CACHE
+# ============================================================
+JWT_PUBLIC_KEY: str | None = None
+JWT_KEY_ID: str | None = None
+JWT_ALGORITHMS = ["RS256"]
+# -----------------------------------------------------------
+# HTTP helper with retries
+# -----------------------------------------------------------
+async def _post_with_retries(
+    client,
+    url,
+    json=None,
+    headers=None,
+    timeout=10,
+    retries=8,
+    backoff=1,
+):
+    last_exc = None
+    for attempt in range(1, retries + 1):
+        try:
+            resp = await client.post(
+                url,
+                json=json,
+                headers=headers,
+                timeout=timeout,
+            )
+            return resp
+        except Exception as e:
+            last_exc = e
+            print(
+                f"❗ Retry {attempt}/{retries} failed for {url}: "
+                f"{type(e).__name__}: {e}"
+            )
+            await asyncio.sleep(backoff * attempt)
+    raise last_exc
+# -----------------------------------------------------------
+# PUBLIC KEY DISCOVERY
+# -----------------------------------------------------------
+async def load_public_key(force: bool = False):
+    """
+    Loads and caches the JWT public key from auth-service.
+    Safe to call multiple times.
+    """
+    global JWT_PUBLIC_KEY, JWT_KEY_ID
+    if JWT_PUBLIC_KEY and not force:
+        return
+    AUTH_PUBLIC_KEY_URL = os.getenv("AUTH_PUBLIC_KEY_URL")
+    if not AUTH_PUBLIC_KEY_URL:
+        print("❌ AUTH_PUBLIC_KEY_URL not set")
+        return
+    try:
+        async with httpx.AsyncClient(timeout=5) as client:
+            resp = await client.get(AUTH_PUBLIC_KEY_URL)
+            resp.raise_for_status()
+            data = resp.json()
+            JWT_PUBLIC_KEY = data.get("public_key")
+            JWT_KEY_ID = data.get("kid")
+            if JWT_PUBLIC_KEY:
+                print("✅ JWT public key loaded from auth service")
+            else:
+                print("❌ JWT public key missing in response")
+    except Exception as e:
+        print("❌ Failed to load JWT public key:", str(e))
+# -----------------------------------------------------------
+# MAIN INTEGRATION
+# -----------------------------------------------------------
 def add_central_auth(app: FastAPI):
-    AUTH_INTROSPECT_URL = os.getenv("AUTH_INTROSPECT_URL")
     AUTH_LOGIN_URL = os.getenv("AUTH_LOGIN_URL")
+    SERVICE_NAME = os.getenv("SERVICE_NAME")
+    SERVICE_BASE_URL = os.getenv("SERVICE_BASE_URL")
     CLIENT_ID = os.getenv("VERGE_CLIENT_ID")
     CLIENT_SECRET = os.getenv("VERGE_CLIENT_SECRET")
-    SERVICE_NAME = os.getenv("SERVICE_NAME")
-    SERVICE_BASE_URL = os.getenv("SERVICE_BASE_URL")
-    AUTH_REGISTER_URL = os.getenv("AUTH_REGISTER_URL")
+    VERGE_SERVICE_SECRET = get_secret("VERGE_SERVICE_SECRET")
-    VERGE_SECRET = get_secret("VERGE_SERVICE_SECRET")
+    AUTH_REGISTER_URL = os.getenv("AUTH_REGISTER_URL")
+    AUTH_ROUTE_SYNC_URL = os.getenv("AUTH_ROUTE_SYNC_URL")
-    # ---------------------------------------
-    # INTERNAL ROUTES (MUST LOAD FIRST)
-    # ---------------------------------------
+    # -------------------------------------------------------
+    # INTERNAL VERGE ROUTES
+    # -------------------------------------------------------
     app.include_router(verge_routes_router)
-    # ---------------------------------------
-    # STARTUP — ONLY COLLECT ROUTES (NO REGISTER)
-    # ---------------------------------------
+    # -------------------------------------------------------
+    # MICROSERVICE BOOTSTRAP ON STARTUP
+    # -------------------------------------------------------
     @app.on_event("startup")
-    async def collect_routes():
+    async def verge_bootstrap():
         print("🔥 Verge bootstrap started")
+        # 🔐 Load JWT public key FIRST (retry-safe)
+        await load_public_key(force=True)
+        await asyncio.sleep(2)
         REGISTERED_ROUTES.clear()
+        print("📌 Collecting routes...")
         for route in app.routes:
-            path = getattr(route, "path", None)
-            methods = getattr(route, "methods", [])
-            if not path:
-                continue
-            if path.startswith(("/docs", "/openapi", "/__verge__")):
-                continue
-            for m in methods:
-                if m in ("GET", "POST", "PUT", "PATCH", "DELETE"):
-                    REGISTERED_ROUTES.append({"path": path, "method": m})
-        print("✅ Collected Routes:", REGISTERED_ROUTES)
-    # ---------------------------------------
-    # SUPER ADMIN TRIGGERED REGISTRATION
-    # ---------------------------------------
-    async def register_with_auth():
-        print("🔧 Triggered register_with_auth()")
-        print("📍 AUTH_REGISTER_URL =", AUTH_REGISTER_URL)
-        print("📍 SERVICE_NAME =", SERVICE_NAME)
-        print("📍 SERVICE_BASE_URL =", SERVICE_BASE_URL)
-        print("📍 CLIENT_ID =", CLIENT_ID)
-        print("📍 ROUTES =", REGISTERED_ROUTES)
-        try:
-            async with httpx.AsyncClient(timeout=20) as client:
-                resp = await client.post(
-                    AUTH_REGISTER_URL,
-                    params={
-                        "name": SERVICE_NAME,
-                        "base_url": SERVICE_BASE_URL,
-                        "client_id": CLIENT_ID,
-                        "client_secret": CLIENT_SECRET
-                    },
-                    headers={"X-Verge-Service-Secret": VERGE_SECRET}
-                )
+            try:
+                path = getattr(route, "path", None)
+                methods = getattr(route, "methods", [])
-            print(f"📡 Registration: {resp.status_code}")
-            print(resp.text)
+                if not path:
+                    continue
-        except Exception as e:
-            print("❌ Registration failed:", e)
+                if path.startswith(("/docs", "/openapi", "/__verge__")):
+                    continue
+                for m in methods:
+                    if m in ("GET", "POST", "PUT", "PATCH", "DELETE"):
+                        REGISTERED_ROUTES.append(
+                            {"path": path, "method": m}
+                        )
+            except Exception as e:
+                print("❌ Error collecting route:", e)
+        print("\n📡 Registering service with Auth Service...")
+        async with httpx.AsyncClient() as client:
+            if AUTH_REGISTER_URL:
+                try:
+                    resp = await _post_with_retries(
+                        client,
+                        AUTH_REGISTER_URL,
+                        json={
+                            "service_name": SERVICE_NAME,
+                            "base_url": SERVICE_BASE_URL,
+                        },
+                        headers={
+                            "X-Client-Id": CLIENT_ID or "",
+                            "X-Client-Secret": CLIENT_SECRET or "",
+                            "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+                        },
+                    )
+                    print(
+                        "📡 Registration response:",
+                        resp.status_code,
+                        resp.text,
+                    )
+                except Exception as e:
+                    print("❌ Registration failed:", e)
-    # ---------------------------------------
-    # MIDDLEWARE AUTH
-    # ---------------------------------------
+            if AUTH_ROUTE_SYNC_URL:
+                try:
+                    resp = await _post_with_retries(
+                        client,
+                        AUTH_ROUTE_SYNC_URL,
+                        json={
+                            "service_name": SERVICE_NAME,
+                            "base_url": SERVICE_BASE_URL,
+                            "routes": REGISTERED_ROUTES,
+                        },
+                        headers={
+                            "X-Client-Id": CLIENT_ID or "",
+                            "X-Client-Secret": CLIENT_SECRET or "",
+                            "X-Verge-Service-Secret": VERGE_SERVICE_SECRET or "",
+                        },
+                        timeout=20,
+                    )
+                    print(
+                        "📡 Route sync response:",
+                        resp.status_code,
+                        resp.text,
+                    )
+                except Exception as e:
+                    print("❌ Route sync failed:", e)
+    # -------------------------------------------------------
+    # CENTRAL AUTHZ MIDDLEWARE
+    # -------------------------------------------------------
     @app.middleware("http")
     async def central_auth(request: Request, call_next):
         path = request.url.path
-        # Whitelisted paths
-        if path.startswith("/__verge__") or path in {"/docs", "/openapi.json", "/health"}:
+        SKIP_PATHS = {
+            "/health",
+            "/docs",
+            "/openapi.json",
+            "/favicon.ico",
+            "/service-registry/register",
+            "/route-sync",
+            "/__verge__",
+        }
+        if path in SKIP_PATHS or path.startswith("/__verge__"):
             return await call_next(request)
-        # Extract token
         token = None
         auth_header = request.headers.get("authorization")
         if auth_header and auth_header.lower().startswith("bearer "):
-            token = auth_header.split(" ")[1]
+            token = auth_header.split(" ", 1)[1].strip()
         if not token:
             token = request.cookies.get("access_token")
-        # redirect if HTML request
-        if not token and "text/html" in request.headers.get("accept", ""):
-            return RedirectResponse(
-                f"{AUTH_LOGIN_URL}?redirect_url={request.url}"
-            )
+        if not token and "session" in request.scope:
+            token = request.scope["session"].get("access_token")
         if not token:
+            if "text/html" in request.headers.get("accept", ""):
+                return RedirectResponse(
+                    f"{AUTH_LOGIN_URL}?redirect_url={request.url}"
+                )
             return JSONResponse({"detail": "Unauthorized"}, status_code=401)
-        # Validate token
+        # ---------------------------------------------------
+        # LOCAL JWT VERIFICATION
+        # ---------------------------------------------------
         try:
-            async with httpx.AsyncClient(timeout=4) as client:
-                res = await client.post(
-                    AUTH_INTROSPECT_URL,
-                    headers={
-                        "Authorization": f"Bearer {token}",
-                        "X-Client-Id": CLIENT_ID,
-                        "X-Client-Secret": CLIENT_SECRET,
-                    },
+            if not JWT_PUBLIC_KEY:
+                await load_public_key(force=True)
+            if not JWT_PUBLIC_KEY:
+                return JSONResponse(
+                    {"detail": "Auth key not ready"},
+                    status_code=503,
                 )
-                data = res.json()
-        except Exception:
-            return JSONResponse({"detail": "Auth service unreachable"}, status_code=503)
+            payload = jwt.decode(
+                token,
+                JWT_PUBLIC_KEY,
+                algorithms=JWT_ALGORITHMS,
+                options={"require": ["exp", "iat"]},
+            )
+        except jwt.ExpiredSignatureError:
+            return JSONResponse({"detail": "Token expired"}, status_code=401)
+        except jwt.InvalidTokenError:
+            return JSONResponse({"detail": "Invalid token"}, status_code=401)
+        except Exception as e:
+            return JSONResponse(
+                {"detail": "Auth verification failed", "error": str(e)},
+                status_code=401,
+            )
+        # ---------------------------------------------------
+        # PERMISSION CHECK
+        # ---------------------------------------------------
+        request.state.user = payload
+        permissions = payload.get("roles") or []
+        route_obj = request.scope.get("route")
+        route_path = route_obj.path if route_obj else path
+        method = request.method
-        if not data.get("active"):
-            return JSONResponse({"detail": "Session expired"}, status_code=401)
+        required_key = f"{SERVICE_NAME}:{route_path}:{method}".lower()
+        normalized_permissions = [p.lower() for p in permissions]
-        user = data.get("user", {})
-        request.state.user = user
+        if required_key not in normalized_permissions:
+            return JSONResponse(
+                {"detail": "Contact admin for access"},
+                status_code=403,
+            )
-        # ----------------------------------------------
-        # ⭐ ANY authenticated user triggers auto-registration
-        # ----------------------------------------------
-        print("🔐 Authenticated user → auto-registering service")
-        await register_with_auth()
+        return await call_next(request)

verge_auth_sdk/verge_routes.py CHANGED Viewed

@@ -1,12 +1,8 @@
 from fastapi import APIRouter, Request, HTTPException
 from .secret_provider import get_secret
-import os
 router = APIRouter()
-SERVICE_NAME = os.getenv("SERVICE_NAME")
-SERVICE_BASE_URL = os.getenv("SERVICE_BASE_URL")
 @router.get("/__verge__/routes", include_in_schema=False)
 async def verge_internal_routes(request: Request):
@@ -14,8 +10,8 @@ async def verge_internal_routes(request: Request):
     expected_secret = get_secret("VERGE_SERVICE_SECRET")
     received_secret = request.headers.get("X-Verge-Service-Secret")
-    # Enforce exact secret match
     if not expected_secret or expected_secret != received_secret:
         raise HTTPException(status_code=403, detail="Forbidden")
     collected = []
@@ -51,48 +47,3 @@ async def verge_internal_routes(request: Request):
     collected.sort(key=lambda r: (r["path"], r["method"]))
     return collected
-@router.post("/sync/service-routes", include_in_schema=False)
-async def sync_service_routes(request: Request):
-    expected_secret = get_secret("VERGE_SERVICE_SECRET")
-    received_secret = request.headers.get("X-Verge-Service-Secret")
-    if not expected_secret or expected_secret != received_secret:
-        raise HTTPException(status_code=403, detail="Forbidden")
-    collected = []
-    INTERNAL_PREFIXES = (
-        "/__verge__",
-        "/openapi",
-        "/docs",
-        "/redoc"
-    )
-    # Collect routes from the app
-    for route in request.app.routes:
-        path = getattr(route, "path", None)
-        methods = getattr(route, "methods", [])
-        if not path:
-            continue
-        if path.startswith(INTERNAL_PREFIXES):
-            continue
-        for method in methods:
-            if method in ("GET", "POST", "PUT", "PATCH", "DELETE"):
-                collected.append({
-                    "path": path,
-                    "method": method
-                })
-    collected.sort(key=lambda r: (r["path"], r["method"]))
-    return {
-        "service": SERVICE_NAME,
-        "base_url": SERVICE_BASE_URL,
-        "routes": collected
-    }

{verge_auth_sdk-0.1.18.dist-info → verge_auth_sdk-0.1.27.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: verge-auth-sdk
-Version: 0.1.18
+Version: 0.1.27
 Summary: Secure centralized authentication SDK for FastAPI microservices
 Author-email: Verge Infosoft <contactus@vergeinfosoft.com>
 License: MIT
@@ -14,7 +14,8 @@ Requires-Dist: python-dotenv
 Dynamic: license-file
 🔐 Verge Auth SDK
-Secure Identity & Access Management for FastAPI Microservices
+Secure Identity & Access Management for FastAPI Microservices and all Python-based frameworks Monolithic and Microservice Architectures
 Verge Auth SDK is a lightweight integration library that connects your FastAPI microservices to the Verge Auth Platform — a centralized identity, role management, and access-control system built for modern SaaS applications.
@@ -53,8 +54,8 @@ Users sign up with their organization details, company domain, and email.
 2. Email Verification
-A verification link is sent from no-reply@vergeinfosoft.com
-.
+A verification email is sent to the registered address.
 Once verified, the user is redirected to the Verge Auth platform.
 3. Login
@@ -155,6 +156,7 @@ Add users into the group
 This makes onboarding smoother and keeps role management scalable.
 🔌 Integrating the SDK Into a Microservice
 Install from PyPI
 pip install verge_auth_sdk
@@ -163,6 +165,8 @@ from fastapi import FastAPI
 from verge_auth_sdk import add_central_auth
 app = FastAPI()
+# call this at the last line of your apps main
 add_central_auth(app)
 That’s it.
@@ -171,30 +175,54 @@ The service will now:
 ✓ Authenticate incoming requests
 ✓ Communicate securely with Verge Auth
 ✓ Provide user identity + roles
-✓ Automatically register its routes for RBAC assignment
+✓ Secure synchronization of service access metadata for centralized permission governance.
 ⚙ Environment Configuration
 Each service requires a minimal set of environment variables:
+Exact endpoint configurations and integration details may vary by deployment and are abstracted by the SDK.
+############## DO NOT CHANGE THESE VALUES #################################
-######################################################################
+AUTH_SESSION_URL=https://auth.vergeinfosoft.com/session
+AUTH_INTROSPECT_URL=https://auth.vergeinfosoft.com/introspect
+AUTH_REGISTER_URL=https://auth.vergeinfosoft.com/service-registry/register
+AUTH_ROUTE_SYNC_URL=https://auth.vergeinfosoft.com/route-sync
+AUTH_PUBLIC_KEY_URL=https:/auth.vergeinfosoft.com/auth/keys/public
+AUTH_LOGIN_URL=https://auth-ui.vergeinfosoft.com/login/
-AUTH_INTROSPECT_URL=<auth-server-introspection-endpoint>
-AUTH_LOGIN_URL=<auth-server-login-ui>
+############## DO NOT CHANGE THESE VALUES #################################
+################# CHANGE THESE AS PER DETAILS PROVIDED #############################################
 VERGE_CLIENT_ID=<client-id>
 VERGE_CLIENT_SECRET=<client-secret>
 VERGE_SERVICE_SECRET=<service-integration-secret>
 # These are provided by Verge Infosoft during onboarding.
-# Optional secret provider:
+####################################################################################################
-SECRETS_PROVIDER=env # azure | aws
+# Select Optional secret provider:
+SECRETS_PROVIDER=env | AZURE | AWS | GCP | ORACLE # Supported cloud providers for secret management
+env=env # if you want to load from your local ENV
+azure=<AZURE_URL>
+aws=<AWS_URL>
+gcp=<GCP_URL>
+oracle=<ORACLE_URL>
+########################################################################
+SERVICE_NAME=<SERVICE_NAME>  # example billing service or hr service
+SERVICE_BASE_URL=<SERVICE_BASE_URL>  example https://hr.yourdomain.com
 ########################################################################
 🛡 Middleware Responsibilities
 The SDK transparently handles:
@@ -215,7 +243,7 @@ You do not need to implement any auth or RBAC logic manually.
 🔐 Security Highlights
-RSA-based JWT verification
+Industry-standard asymmetric token verification with key rotation support
 Centralized session & token lifecycle management
@@ -227,7 +255,7 @@ HTTPS-only communication
 Support for cloud key vaults
-💼 Ideal For
+💼 Ideal For (including but not limited to):
 HRMS, ERP, CRM, Billing platforms

verge_auth_sdk-0.1.27.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,9 @@
+verge_auth_sdk/__init__.py,sha256=n76KSaK3CohCP7dzrUXWlTPNPGzWesLTlYl-C7rfW60,411
+verge_auth_sdk/middleware.py,sha256=K9xebqoR_wa8KZMY1WgwtgQ4nFSZxp3eH4RTGCIK7cM,9837
+verge_auth_sdk/secret_provider.py,sha256=j89rj9LZHl4qTI2fdf0qnn-mgDD3oTbdP3imsm0S9n8,1653
+verge_auth_sdk/verge_routes.py,sha256=GAFS8HdSNznuh6two6DAHZZeq2t29l3IlzDJjBcOGKA,1413
+verge_auth_sdk-0.1.27.dist-info/licenses/LICENSE,sha256=OLuFd1VUvl1QKIJJ_qJ8zR4ypcDhzeRkEywc7PX2ABQ,1090
+verge_auth_sdk-0.1.27.dist-info/METADATA,sha256=dj105An051Rc6f-lekRXc9tCaceB464T0cp5Rm3vcmo,7048
+verge_auth_sdk-0.1.27.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+verge_auth_sdk-0.1.27.dist-info/top_level.txt,sha256=0ik2K2CJZrP11DvuR7USTYJkX_kv2DSJS5wyhP1yAfA,15
+verge_auth_sdk-0.1.27.dist-info/RECORD,,

verge_auth_sdk-0.1.18.dist-info/RECORD DELETED Viewed

@@ -1,9 +0,0 @@
-verge_auth_sdk/__init__.py,sha256=n76KSaK3CohCP7dzrUXWlTPNPGzWesLTlYl-C7rfW60,411
-verge_auth_sdk/middleware.py,sha256=8bwOOVELZs_yqGuG_OjQnW3P7T0zaF1_Fj_Cvyk0Y_w,5037
-verge_auth_sdk/secret_provider.py,sha256=j89rj9LZHl4qTI2fdf0qnn-mgDD3oTbdP3imsm0S9n8,1653
-verge_auth_sdk/verge_routes.py,sha256=hRPHe32tBEdiAOj7qbfaa4m-obOBfATLSrx6z70xvIY,2773
-verge_auth_sdk-0.1.18.dist-info/licenses/LICENSE,sha256=OLuFd1VUvl1QKIJJ_qJ8zR4ypcDhzeRkEywc7PX2ABQ,1090
-verge_auth_sdk-0.1.18.dist-info/METADATA,sha256=-ETqtoG-z8Rk1fThTUXhO-vv9TKb9XfePAnDGnZLbR0,5702
-verge_auth_sdk-0.1.18.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-verge_auth_sdk-0.1.18.dist-info/top_level.txt,sha256=0ik2K2CJZrP11DvuR7USTYJkX_kv2DSJS5wyhP1yAfA,15
-verge_auth_sdk-0.1.18.dist-info/RECORD,,

{verge_auth_sdk-0.1.18.dist-info → verge_auth_sdk-0.1.27.dist-info}/WHEEL RENAMED Viewed

File without changes

{verge_auth_sdk-0.1.18.dist-info → verge_auth_sdk-0.1.27.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

{verge_auth_sdk-0.1.18.dist-info → verge_auth_sdk-0.1.27.dist-info}/top_level.txt RENAMED Viewed

File without changes

verge-auth-sdk 0.1.18__py3-none-any.whl → 0.1.27__py3-none-any.whl

Potentially problematic release.

verge-auth-sdk 0.1.18py3-none-any.whl → 0.1.27py3-none-any.whl