zndraw-auth 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

zndraw_auth/__init__.py

@@ -29,6 +29,7 @@ from zndraw_auth.db import (
     Base,
     User,
     create_db_and_tables,
+    ensure_default_admin,
     get_async_session,
     get_user_db,
 )
@@ -51,6 +52,7 @@ __all__ = [
     "User",
     # Database
     "create_db_and_tables",
+    "ensure_default_admin",
     "get_async_session",
     "get_user_db",
     # Schemas

zndraw_auth/db.py

@@ -1,5 +1,6 @@
 """Database models and session management."""
 
+import logging
 import uuid
 from collections.abc import AsyncGenerator
 from functools import lru_cache
@@ -7,6 +8,8 @@ from typing import Annotated
 
 from fastapi import Depends
 from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyUserDatabase
+from fastapi_users.password import PasswordHelper
+from sqlalchemy import select
 from sqlalchemy.ext.asyncio import (
     AsyncEngine,
     AsyncSession,
@@ -17,6 +20,8 @@ from sqlalchemy.orm import DeclarativeBase
 
 from zndraw_auth.settings import AuthSettings, get_auth_settings
 
+log = logging.getLogger(__name__)
+
 
 class Base(DeclarativeBase):
     """SQLAlchemy declarative base."""
@@ -53,7 +58,7 @@ def get_session_maker(database_url: str) -> async_sessionmaker[AsyncSession]:
 
 
 async def create_db_and_tables(settings: AuthSettings | None = None) -> None:
-    """Create all database tables.
+    """Create all database tables and ensure default admin exists.
 
     Call this in your app's lifespan or startup.
     """
@@ -63,6 +68,67 @@ async def create_db_and_tables(settings: AuthSettings | None = None) -> None:
     async with engine.begin() as conn:
         await conn.run_sync(Base.metadata.create_all)
 
+    # Ensure default admin user exists (if configured)
+    await ensure_default_admin(settings)
+
+
+async def ensure_default_admin(settings: AuthSettings | None = None) -> None:
+    """Create or promote the default admin user if configured.
+
+    If DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD are set:
+    - Creates the user with is_superuser=True if they don't exist
+    - Promotes existing user to superuser if they exist but aren't one
+
+    If not configured, does nothing (dev mode - all users are superusers).
+    """
+    if settings is None:
+        settings = get_auth_settings()
+
+    admin_email = settings.default_admin_email
+    admin_password = settings.default_admin_password
+
+    if admin_email is None:
+        log.info("No default admin configured - running in dev mode")
+        return
+
+    if admin_password is None:
+        log.warning(
+            "DEFAULT_ADMIN_EMAIL is set but DEFAULT_ADMIN_PASSWORD is not - "
+            "skipping admin creation"
+        )
+        return
+
+    session_maker = get_session_maker(settings.database_url)
+    password_helper = PasswordHelper()
+
+    async with session_maker() as session:
+        # Check if user already exists
+        result = await session.execute(
+            select(User).where(User.email == admin_email)  # type: ignore[arg-type]
+        )
+        existing_user = result.scalar_one_or_none()
+
+        if existing_user is None:
+            # Create new admin user
+            hashed_password = password_helper.hash(admin_password.get_secret_value())
+            admin_user = User(
+                email=admin_email,
+                hashed_password=hashed_password,
+                is_active=True,
+                is_superuser=True,
+                is_verified=True,
+            )
+            session.add(admin_user)
+            await session.commit()
+            log.info(f"Created default admin user: {admin_email}")
+        elif not existing_user.is_superuser:
+            # Promote existing user to superuser
+            existing_user.is_superuser = True
+            await session.commit()
+            log.info(f"Promoted user to superuser: {admin_email}")
+        else:
+            log.debug(f"Default admin already exists: {admin_email}")
+
 
 async def get_async_session(
     settings: Annotated[AuthSettings, Depends(get_auth_settings)],

zndraw_auth/settings.py

@@ -2,7 +2,7 @@
 
 from functools import lru_cache
 
-from pydantic import SecretStr
+from pydantic import SecretStr, computed_field
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -11,6 +11,13 @@ class AuthSettings(BaseSettings):
 
     All settings can be overridden with ZNDRAW_AUTH_ prefix.
     Example: ZNDRAW_AUTH_SECRET_KEY=your-secret-key
+
+    Admin mode vs Dev mode:
+    - If DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD are set, the system
+      runs in "production mode": only the configured admin is a superuser,
+      and new users are created as regular users.
+    - If they are NOT set, the system runs in "dev mode": all newly
+      registered users are automatically granted superuser privileges.
     """
 
     model_config = SettingsConfigDict(
@@ -30,6 +37,19 @@ class AuthSettings(BaseSettings):
     reset_password_token_secret: SecretStr = SecretStr("CHANGE-ME-RESET")
     verification_token_secret: SecretStr = SecretStr("CHANGE-ME-VERIFY")
 
+    # Default admin user (production mode)
+    default_admin_email: str | None = None
+    """Email for the default admin user. If set, enables production mode."""
+
+    default_admin_password: SecretStr | None = None
+    """Password for the default admin user."""
+
+    @computed_field  # type: ignore[prop-decorator]
+    @property
+    def is_dev_mode(self) -> bool:
+        """True if no admin credentials configured (all users become superusers)."""
+        return self.default_admin_email is None
+
 
 @lru_cache
 def get_auth_settings() -> AuthSettings:

zndraw_auth/users.py

@@ -28,6 +28,7 @@ from fastapi_users.authentication import (
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from zndraw_auth.db import User, get_user_db
+from zndraw_auth.schemas import UserUpdate
 from zndraw_auth.settings import AuthSettings, get_auth_settings
 
 # --- User Manager ---
@@ -41,12 +42,17 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
 
     reset_password_token_secret: str
     verification_token_secret: str
+    is_dev_mode: bool = False
 
     async def on_after_register(
         self, user: User, request: Request | None = None
     ) -> None:
         """Called after successful registration."""
-        print(f"User {user.id} has registered.")
+        if self.is_dev_mode and not user.is_superuser:
+            await self.update(UserUpdate(is_superuser=True), user, safe=False)
+            print(f"User {user.id} has registered (granted superuser - dev mode).")
+        else:
+            print(f"User {user.id} has registered.")
 
     async def on_after_forgot_password(
         self, user: User, token: str, request: Request | None = None
@@ -73,6 +79,7 @@ async def get_user_manager(
     manager.verification_token_secret = (
         settings.verification_token_secret.get_secret_value()
     )
+    manager.is_dev_mode = settings.is_dev_mode
     yield manager
 
 

{zndraw_auth-0.1.0.dist-info → zndraw_auth-0.2.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: zndraw-auth
-Version: 0.1.0
+Version: 0.2.0
 Summary: Shared authentication for ZnDraw using fastapi-users
 Requires-Dist: fastapi>=0.128.0
 Requires-Dist: fastapi-users[sqlalchemy]>=14.0.0
@@ -222,6 +222,27 @@ Settings are loaded from environment variables with the `ZNDRAW_AUTH_` prefix:
 | `ZNDRAW_AUTH_DATABASE_URL` | `sqlite+aiosqlite:///./zndraw_auth.db` | Database connection URL |
 | `ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET` | `CHANGE-ME-RESET` | Password reset token secret |
 | `ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET` | `CHANGE-ME-VERIFY` | Email verification token secret |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` | `None` | Email for the default admin user |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD` | `None` | Password for the default admin user |
+
+### Dev Mode vs Production Mode
+
+The system has two operating modes based on admin configuration:
+
+**Dev Mode** (default - no admin configured):
+- All newly registered users are automatically granted superuser privileges
+- Useful for development and testing
+
+**Production Mode** (admin configured):
+- Set `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` and `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD`
+- The configured admin user is created/promoted on startup
+- New users are created as regular users (not superusers)
+
+```bash
+# Production mode example
+export ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL=admin@example.com
+export ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD=secure-password
+```
 
 ## Exports
 

zndraw_auth-0.2.0.dist-info/RECORD

@@ -0,0 +1,8 @@
+zndraw_auth/__init__.py,sha256=02v7zx7BxEc1HwsX9ll89HrwfrwGaw_hUn9NkWY44L0,1705
+zndraw_auth/db.py,sha256=rAj5oqheAxoYIb4_kZiPdj1duyu8MDfq_ROyW4s309Q,4764
+zndraw_auth/schemas.py,sha256=lG1c-donAxTqqyQ1-p_GqsNi9DIN2ryESbjVL25R4oQ,399
+zndraw_auth/settings.py,sha256=FIVOJsRcz-4RA5i7R5g8y_iURQ7TDPUg3WTsxF8y7bg,1896
+zndraw_auth/users.py,sha256=zKcng71VnsR_dD0Di5v6purHzDhR4gKmBykC310u8aU,4493
+zndraw_auth-0.2.0.dist-info/WHEEL,sha256=5DEXXimM34_d4Gx1AuF9ysMr1_maoEtGKjaILM3s4w4,80
+zndraw_auth-0.2.0.dist-info/METADATA,sha256=HMZ2LCSS8PaWpMwqpDxSLf98w0ofd4ErpJPh3yibXV0,7687
+zndraw_auth-0.2.0.dist-info/RECORD,,

{zndraw_auth-0.1.0.dist-info → zndraw_auth-0.2.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: uv 0.9.28
+Generator: uv 0.9.29
 Root-Is-Purelib: true
 Tag: py3-none-any

zndraw_auth-0.1.0.dist-info/RECORD

@@ -1,8 +0,0 @@
-zndraw_auth/__init__.py,sha256=kHAQDlr6uxJCFFeIrJQWSfRqij6g8cSBj0iAfkqX1P0,1651
-zndraw_auth/db.py,sha256=sxUZ_lfOP_DfZoSsTUhMPaomSF6MPLPD1NuEa_N4hLk,2383
-zndraw_auth/schemas.py,sha256=lG1c-donAxTqqyQ1-p_GqsNi9DIN2ryESbjVL25R4oQ,399
-zndraw_auth/settings.py,sha256=pNXX2-NlvBMobFiGytrEmDZ2EB65BUrvwKCXxrbYp8I,1012
-zndraw_auth/users.py,sha256=LRI4LoY2xXUW24yQZIfa-v6oq1FcHovCEQDZIa2bz_0,4137
-zndraw_auth-0.1.0.dist-info/WHEEL,sha256=fAguSjoiATBe7TNBkJwOjyL1Tt4wwiaQGtNtjRPNMQA,80
-zndraw_auth-0.1.0.dist-info/METADATA,sha256=_iHPAJGDovbkX86AOtt8Jgsr_nTR71BUEnq1gp7rloc,6865
-zndraw_auth-0.1.0.dist-info/RECORD,,