zndraw-auth 0.1.0__tar.gz

zndraw_auth-0.1.0/PKG-INFO

@@ -0,0 +1,267 @@
+Metadata-Version: 2.3
+Name: zndraw-auth
+Version: 0.1.0
+Summary: Shared authentication for ZnDraw using fastapi-users
+Requires-Dist: fastapi>=0.128.0
+Requires-Dist: fastapi-users[sqlalchemy]>=14.0.0
+Requires-Dist: pydantic-settings>=2.0.0
+Requires-Dist: sqlalchemy[asyncio]>=2.0.0
+Requires-Dist: aiosqlite>=0.19.0
+Requires-Dist: pytest>=8.0.0 ; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23.0 ; extra == 'dev'
+Requires-Dist: httpx>=0.27.0 ; extra == 'dev'
+Requires-Dist: ruff>=0.8.0 ; extra == 'dev'
+Requires-Dist: mypy>=1.0.0 ; extra == 'dev'
+Requires-Python: >=3.11
+Provides-Extra: dev
+Description-Content-Type: text/markdown
+
+# zndraw-auth
+
+Shared authentication package for the ZnDraw ecosystem using [fastapi-users](https://fastapi-users.github.io/fastapi-users/).
+
+## Installation
+
+```bash
+pip install zndraw-auth
+# or with uv
+uv add zndraw-auth
+```
+
+## Quick Start
+
+```python
+from contextlib import asynccontextmanager
+from fastapi import Depends, FastAPI
+
+from zndraw_auth import (
+    User,
+    UserCreate,
+    UserRead,
+    auth_backend,
+    create_db_and_tables,
+    current_active_user,
+    fastapi_users,
+)
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    await create_db_and_tables()
+    yield
+
+
+app = FastAPI(lifespan=lifespan)
+
+# Include auth routers
+app.include_router(
+    fastapi_users.get_auth_router(auth_backend),
+    prefix="/auth/jwt",
+    tags=["auth"],
+)
+app.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+
+
+@app.get("/protected")
+async def protected_route(user: User = Depends(current_active_user)):
+    return {"message": f"Hello {user.email}!"}
+```
+
+## Extending with Custom Models (e.g., zndraw-joblib)
+
+Other packages can import `Base` and `get_async_session` to define models that share the same database and have foreign key relationships to `User`.
+
+### Example: Adding a Job model in zndraw-joblib
+
+```python
+# zndraw_joblib/models.py
+import uuid
+from typing import TYPE_CHECKING
+
+from sqlalchemy import ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from zndraw_auth import Base
+
+if TYPE_CHECKING:
+    from zndraw_auth import User
+
+
+class Job(Base):
+    """A compute job owned by a user."""
+
+    __tablename__ = "job"
+
+    id: Mapped[uuid.UUID] = mapped_column(primary_key=True, default=uuid.uuid4)
+    name: Mapped[str] = mapped_column(String(255))
+    status: Mapped[str] = mapped_column(String(50), default="pending")
+
+    # Foreign key to User from zndraw-auth (cascade delete when user is deleted)
+    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("user.id", ondelete="cascade"))
+
+    # Relationship (optional, for ORM navigation)
+    user: Mapped["User"] = relationship("User", lazy="selectin")
+```
+
+### Example: Using the shared session in endpoints
+
+```python
+# zndraw_joblib/routes.py
+from typing import Annotated
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from zndraw_auth import User, current_active_user, get_async_session
+
+from .models import Job
+
+router = APIRouter(prefix="/jobs", tags=["jobs"])
+
+
+@router.post("/")
+async def create_job(
+    name: str,
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """Create a new job for the current user."""
+    job = Job(name=name, user_id=user.id)
+    session.add(job)
+    await session.commit()
+    await session.refresh(job)
+    return {"id": str(job.id), "name": job.name, "status": job.status}
+
+
+@router.get("/")
+async def list_jobs(
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """List all jobs for the current user."""
+    result = await session.execute(
+        select(Job).where(Job.user_id == user.id)
+    )
+    jobs = result.scalars().all()
+    return [{"id": str(j.id), "name": j.name, "status": j.status} for j in jobs]
+
+
+@router.get("/{job_id}")
+async def get_job(
+    job_id: UUID,
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """Get a specific job (must belong to current user)."""
+    result = await session.execute(
+        select(Job).where(Job.id == job_id, Job.user_id == user.id)
+    )
+    job = result.scalar_one_or_none()
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    return {"id": str(job.id), "name": job.name, "status": job.status}
+```
+
+### Example: App setup with multiple routers
+
+```python
+# main.py (in zndraw-fastapi or combined app)
+from contextlib import asynccontextmanager
+
+from fastapi import FastAPI
+
+from zndraw_auth import (
+    UserCreate,
+    UserRead,
+    auth_backend,
+    create_db_and_tables,
+    fastapi_users,
+)
+from zndraw_joblib.routes import router as jobs_router
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Creates tables for User AND Job (all models using Base)
+    await create_db_and_tables()
+    yield
+
+
+app = FastAPI(lifespan=lifespan)
+
+# Auth routes from zndraw-auth
+app.include_router(
+    fastapi_users.get_auth_router(auth_backend),
+    prefix="/auth/jwt",
+    tags=["auth"],
+)
+app.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+
+# Job routes from zndraw-joblib
+app.include_router(jobs_router)
+```
+
+## Configuration
+
+Settings are loaded from environment variables with the `ZNDRAW_AUTH_` prefix:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `ZNDRAW_AUTH_SECRET_KEY` | `CHANGE-ME-IN-PRODUCTION` | JWT signing secret |
+| `ZNDRAW_AUTH_TOKEN_LIFETIME_SECONDS` | `3600` | JWT token lifetime |
+| `ZNDRAW_AUTH_DATABASE_URL` | `sqlite+aiosqlite:///./zndraw_auth.db` | Database connection URL |
+| `ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET` | `CHANGE-ME-RESET` | Password reset token secret |
+| `ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET` | `CHANGE-ME-VERIFY` | Email verification token secret |
+
+## Exports
+
+```python
+from zndraw_auth import (
+    # SQLAlchemy Base (for extending with your own models)
+    Base,
+
+    # User model
+    User,
+
+    # Database utilities
+    create_db_and_tables,
+    get_async_session,
+    get_user_db,
+
+    # Pydantic schemas
+    UserCreate,
+    UserRead,
+    UserUpdate,
+
+    # Settings
+    AuthSettings,
+    get_auth_settings,
+
+    # User manager (for custom lifecycle hooks)
+    UserManager,
+    get_user_manager,
+
+    # FastAPIUsers instance (for including routers)
+    fastapi_users,
+    auth_backend,
+
+    # Dependencies for Depends()
+    current_active_user,    # Requires authenticated active user
+    current_superuser,      # Requires superuser
+    current_optional_user,  # User | None (optional auth)
+)
+```
+
+## License
+
+MIT

zndraw_auth-0.1.0/README.md

@@ -0,0 +1,249 @@
+# zndraw-auth
+
+Shared authentication package for the ZnDraw ecosystem using [fastapi-users](https://fastapi-users.github.io/fastapi-users/).
+
+## Installation
+
+```bash
+pip install zndraw-auth
+# or with uv
+uv add zndraw-auth
+```
+
+## Quick Start
+
+```python
+from contextlib import asynccontextmanager
+from fastapi import Depends, FastAPI
+
+from zndraw_auth import (
+    User,
+    UserCreate,
+    UserRead,
+    auth_backend,
+    create_db_and_tables,
+    current_active_user,
+    fastapi_users,
+)
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    await create_db_and_tables()
+    yield
+
+
+app = FastAPI(lifespan=lifespan)
+
+# Include auth routers
+app.include_router(
+    fastapi_users.get_auth_router(auth_backend),
+    prefix="/auth/jwt",
+    tags=["auth"],
+)
+app.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+
+
+@app.get("/protected")
+async def protected_route(user: User = Depends(current_active_user)):
+    return {"message": f"Hello {user.email}!"}
+```
+
+## Extending with Custom Models (e.g., zndraw-joblib)
+
+Other packages can import `Base` and `get_async_session` to define models that share the same database and have foreign key relationships to `User`.
+
+### Example: Adding a Job model in zndraw-joblib
+
+```python
+# zndraw_joblib/models.py
+import uuid
+from typing import TYPE_CHECKING
+
+from sqlalchemy import ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from zndraw_auth import Base
+
+if TYPE_CHECKING:
+    from zndraw_auth import User
+
+
+class Job(Base):
+    """A compute job owned by a user."""
+
+    __tablename__ = "job"
+
+    id: Mapped[uuid.UUID] = mapped_column(primary_key=True, default=uuid.uuid4)
+    name: Mapped[str] = mapped_column(String(255))
+    status: Mapped[str] = mapped_column(String(50), default="pending")
+
+    # Foreign key to User from zndraw-auth (cascade delete when user is deleted)
+    user_id: Mapped[uuid.UUID] = mapped_column(ForeignKey("user.id", ondelete="cascade"))
+
+    # Relationship (optional, for ORM navigation)
+    user: Mapped["User"] = relationship("User", lazy="selectin")
+```
+
+### Example: Using the shared session in endpoints
+
+```python
+# zndraw_joblib/routes.py
+from typing import Annotated
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from zndraw_auth import User, current_active_user, get_async_session
+
+from .models import Job
+
+router = APIRouter(prefix="/jobs", tags=["jobs"])
+
+
+@router.post("/")
+async def create_job(
+    name: str,
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """Create a new job for the current user."""
+    job = Job(name=name, user_id=user.id)
+    session.add(job)
+    await session.commit()
+    await session.refresh(job)
+    return {"id": str(job.id), "name": job.name, "status": job.status}
+
+
+@router.get("/")
+async def list_jobs(
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """List all jobs for the current user."""
+    result = await session.execute(
+        select(Job).where(Job.user_id == user.id)
+    )
+    jobs = result.scalars().all()
+    return [{"id": str(j.id), "name": j.name, "status": j.status} for j in jobs]
+
+
+@router.get("/{job_id}")
+async def get_job(
+    job_id: UUID,
+    user: Annotated[User, Depends(current_active_user)],
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+):
+    """Get a specific job (must belong to current user)."""
+    result = await session.execute(
+        select(Job).where(Job.id == job_id, Job.user_id == user.id)
+    )
+    job = result.scalar_one_or_none()
+    if not job:
+        raise HTTPException(status_code=404, detail="Job not found")
+    return {"id": str(job.id), "name": job.name, "status": job.status}
+```
+
+### Example: App setup with multiple routers
+
+```python
+# main.py (in zndraw-fastapi or combined app)
+from contextlib import asynccontextmanager
+
+from fastapi import FastAPI
+
+from zndraw_auth import (
+    UserCreate,
+    UserRead,
+    auth_backend,
+    create_db_and_tables,
+    fastapi_users,
+)
+from zndraw_joblib.routes import router as jobs_router
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Creates tables for User AND Job (all models using Base)
+    await create_db_and_tables()
+    yield
+
+
+app = FastAPI(lifespan=lifespan)
+
+# Auth routes from zndraw-auth
+app.include_router(
+    fastapi_users.get_auth_router(auth_backend),
+    prefix="/auth/jwt",
+    tags=["auth"],
+)
+app.include_router(
+    fastapi_users.get_register_router(UserRead, UserCreate),
+    prefix="/auth",
+    tags=["auth"],
+)
+
+# Job routes from zndraw-joblib
+app.include_router(jobs_router)
+```
+
+## Configuration
+
+Settings are loaded from environment variables with the `ZNDRAW_AUTH_` prefix:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `ZNDRAW_AUTH_SECRET_KEY` | `CHANGE-ME-IN-PRODUCTION` | JWT signing secret |
+| `ZNDRAW_AUTH_TOKEN_LIFETIME_SECONDS` | `3600` | JWT token lifetime |
+| `ZNDRAW_AUTH_DATABASE_URL` | `sqlite+aiosqlite:///./zndraw_auth.db` | Database connection URL |
+| `ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET` | `CHANGE-ME-RESET` | Password reset token secret |
+| `ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET` | `CHANGE-ME-VERIFY` | Email verification token secret |
+
+## Exports
+
+```python
+from zndraw_auth import (
+    # SQLAlchemy Base (for extending with your own models)
+    Base,
+
+    # User model
+    User,
+
+    # Database utilities
+    create_db_and_tables,
+    get_async_session,
+    get_user_db,
+
+    # Pydantic schemas
+    UserCreate,
+    UserRead,
+    UserUpdate,
+
+    # Settings
+    AuthSettings,
+    get_auth_settings,
+
+    # User manager (for custom lifecycle hooks)
+    UserManager,
+    get_user_manager,
+
+    # FastAPIUsers instance (for including routers)
+    fastapi_users,
+    auth_backend,
+
+    # Dependencies for Depends()
+    current_active_user,    # Requires authenticated active user
+    current_superuser,      # Requires superuser
+    current_optional_user,  # User | None (optional auth)
+)
+```
+
+## License
+
+MIT

zndraw_auth-0.1.0/pyproject.toml

@@ -0,0 +1,81 @@
+[project]
+name = "zndraw-auth"
+version = "0.1.0"
+description = "Shared authentication for ZnDraw using fastapi-users"
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+    "fastapi>=0.128.0",
+    "fastapi-users[sqlalchemy]>=14.0.0",
+    "pydantic-settings>=2.0.0",
+    "sqlalchemy[asyncio]>=2.0.0",
+    "aiosqlite>=0.19.0",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0.0",
+    "pytest-asyncio>=0.23.0",
+    "httpx>=0.27.0",
+    "ruff>=0.8.0",
+    "mypy>=1.0.0",
+]
+
+[build-system]
+requires = ["uv_build>=0.9.28,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/zndraw_auth"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]
+
+[tool.ruff]
+line-length = 88
+target-version = "py311"
+src = ["src"]
+
+[tool.ruff.lint]
+select = [
+    "E",      # pycodestyle errors
+    "W",      # pycodestyle warnings
+    "F",      # Pyflakes
+    "UP",     # pyupgrade
+    "B",      # flake8-bugbear
+    "SIM",    # flake8-simplify
+    "I",      # isort
+    "C4",     # flake8-comprehensions
+    "RUF",    # Ruff-specific rules
+    "TC",     # flake8-type-checking
+    "ASYNC",  # flake8-async
+    "PTH",    # flake8-use-pathlib
+    "RET",    # flake8-return
+    "ARG",    # flake8-unused-arguments
+    "PL",     # Pylint
+    "PERF",   # Perflint
+]
+ignore = [
+    "ARG001",  # Unused function argument (common in FastAPI dependencies)
+    "ARG002",  # Unused method argument (required by base class interface)
+    "PLR0913", # Too many arguments (FastAPI routes often have many deps)
+    "RUF022",  # __all__ not sorted (we prefer logical grouping)
+]
+
+[tool.ruff.lint.isort]
+known-first-party = ["zndraw_auth"]
+
+[tool.ruff.lint.per-file-ignores]
+"tests/*" = ["ARG", "PLR2004", "PLC0415"]  # Allow magic values, unused args, late imports in tests
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_return_any = true
+warn_unused_configs = true
+plugins = ["pydantic.mypy"]
+
+[[tool.mypy.overrides]]
+module = ["fastapi_users.*"]
+ignore_missing_imports = true

zndraw_auth-0.1.0/src/zndraw_auth/__init__.py

@@ -0,0 +1,74 @@
+"""ZnDraw Auth - Shared authentication for ZnDraw ecosystem.
+
+Example usage:
+    from zndraw_auth import (
+        current_active_user,
+        current_superuser,
+        fastapi_users,
+        auth_backend,
+        get_async_session,
+        create_db_and_tables,
+        User,
+        UserRead,
+        UserCreate,
+    )
+
+    # In your FastAPI app:
+    app.include_router(
+        fastapi_users.get_auth_router(auth_backend),
+        prefix="/auth/jwt",
+        tags=["auth"],
+    )
+
+    @app.get("/protected")
+    async def protected(user: User = Depends(current_active_user)):
+        return {"user_id": str(user.id)}
+"""
+
+from zndraw_auth.db import (
+    Base,
+    User,
+    create_db_and_tables,
+    get_async_session,
+    get_user_db,
+)
+from zndraw_auth.schemas import UserCreate, UserRead, UserUpdate
+from zndraw_auth.settings import AuthSettings, get_auth_settings
+from zndraw_auth.users import (
+    UserManager,
+    auth_backend,
+    current_active_user,
+    current_optional_user,
+    current_superuser,
+    fastapi_users,
+    get_user_manager,
+)
+
+__all__ = [
+    # SQLAlchemy Base (for extending with your own models)
+    "Base",
+    # User model
+    "User",
+    # Database
+    "create_db_and_tables",
+    "get_async_session",
+    "get_user_db",
+    # Schemas
+    "UserCreate",
+    "UserRead",
+    "UserUpdate",
+    # Settings
+    "AuthSettings",
+    "get_auth_settings",
+    # User manager
+    "UserManager",
+    "get_user_manager",
+    # Auth backend
+    "auth_backend",
+    # FastAPIUsers instance
+    "fastapi_users",
+    # Dependencies for Depends()
+    "current_active_user",
+    "current_superuser",
+    "current_optional_user",
+]

zndraw_auth-0.1.0/src/zndraw_auth/db.py

@@ -0,0 +1,80 @@
+"""Database models and session management."""
+
+import uuid
+from collections.abc import AsyncGenerator
+from functools import lru_cache
+from typing import Annotated
+
+from fastapi import Depends
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyUserDatabase
+from sqlalchemy.ext.asyncio import (
+    AsyncEngine,
+    AsyncSession,
+    async_sessionmaker,
+    create_async_engine,
+)
+from sqlalchemy.orm import DeclarativeBase
+
+from zndraw_auth.settings import AuthSettings, get_auth_settings
+
+
+class Base(DeclarativeBase):
+    """SQLAlchemy declarative base."""
+
+    pass
+
+
+class User(SQLAlchemyBaseUserTableUUID, Base):
+    """User model for authentication.
+
+    Inherits from fastapi-users base which provides:
+    - id: UUID (primary key)
+    - email: str (unique, indexed)
+    - hashed_password: str
+    - is_active: bool (default True)
+    - is_superuser: bool (default False)
+    - is_verified: bool (default False)
+    """
+
+    pass
+
+
+@lru_cache
+def get_engine(database_url: str) -> AsyncEngine:
+    """Get or create the async engine (cached by URL)."""
+    return create_async_engine(database_url, echo=False)
+
+
+@lru_cache
+def get_session_maker(database_url: str) -> async_sessionmaker[AsyncSession]:
+    """Get or create the session maker (cached by URL)."""
+    engine = get_engine(database_url)
+    return async_sessionmaker(engine, expire_on_commit=False)
+
+
+async def create_db_and_tables(settings: AuthSettings | None = None) -> None:
+    """Create all database tables.
+
+    Call this in your app's lifespan or startup.
+    """
+    if settings is None:
+        settings = get_auth_settings()
+    engine = get_engine(settings.database_url)
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+
+
+async def get_async_session(
+    settings: Annotated[AuthSettings, Depends(get_auth_settings)],
+) -> AsyncGenerator[AsyncSession, None]:
+    """FastAPI dependency that yields an async database session."""
+    session_maker = get_session_maker(settings.database_url)
+    async with session_maker() as session:
+        yield session
+
+
+async def get_user_db(
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+) -> AsyncGenerator[SQLAlchemyUserDatabase[User, uuid.UUID], None]:
+    """FastAPI dependency that yields the user database adapter."""
+    yield SQLAlchemyUserDatabase[User, uuid.UUID](session, User)

zndraw_auth-0.1.0/src/zndraw_auth/schemas.py

@@ -0,0 +1,23 @@
+"""Pydantic schemas for user operations."""
+
+import uuid
+
+from fastapi_users import schemas
+
+
+class UserRead(schemas.BaseUser[uuid.UUID]):
+    """Schema for reading user data (responses)."""
+
+    pass
+
+
+class UserCreate(schemas.BaseUserCreate):
+    """Schema for creating a new user."""
+
+    pass
+
+
+class UserUpdate(schemas.BaseUserUpdate):
+    """Schema for updating an existing user."""
+
+    pass

zndraw_auth-0.1.0/src/zndraw_auth/settings.py

@@ -0,0 +1,36 @@
+"""Configuration settings for zndraw-auth."""
+
+from functools import lru_cache
+
+from pydantic import SecretStr
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class AuthSettings(BaseSettings):
+    """Authentication settings loaded from environment variables.
+
+    All settings can be overridden with ZNDRAW_AUTH_ prefix.
+    Example: ZNDRAW_AUTH_SECRET_KEY=your-secret-key
+    """
+
+    model_config = SettingsConfigDict(
+        env_prefix="ZNDRAW_AUTH_",
+        env_file=".env",
+        extra="ignore",
+    )
+
+    # JWT settings
+    secret_key: SecretStr = SecretStr("CHANGE-ME-IN-PRODUCTION")
+    token_lifetime_seconds: int = 3600  # 1 hour
+
+    # Database
+    database_url: str = "sqlite+aiosqlite:///./zndraw_auth.db"
+
+    # Password reset / verification tokens
+    reset_password_token_secret: SecretStr = SecretStr("CHANGE-ME-RESET")
+    verification_token_secret: SecretStr = SecretStr("CHANGE-ME-VERIFY")
+
+
+@lru_cache
+def get_auth_settings() -> AuthSettings:
+    return AuthSettings()

zndraw_auth-0.1.0/src/zndraw_auth/users.py

@@ -0,0 +1,139 @@
+"""FastAPI-Users configuration and exported dependencies.
+
+This module exports the key dependencies that other packages should import:
+- current_active_user: Depends() for authenticated active user
+- current_superuser: Depends() for authenticated superuser
+- fastapi_users: The FastAPIUsers instance for including routers
+- auth_backend: The JWT authentication backend
+
+Example usage in other packages:
+    from zndraw_auth import current_active_user, User
+
+    @router.get("/protected")
+    async def protected_route(user: User = Depends(current_active_user)):
+        return {"user_id": str(user.id)}
+"""
+
+import uuid
+from collections.abc import AsyncGenerator
+from typing import Annotated
+
+from fastapi import Depends, Request
+from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin
+from fastapi_users.authentication import (
+    AuthenticationBackend,
+    BearerTransport,
+    JWTStrategy,
+)
+from fastapi_users.db import SQLAlchemyUserDatabase
+
+from zndraw_auth.db import User, get_user_db
+from zndraw_auth.settings import AuthSettings, get_auth_settings
+
+# --- User Manager ---
+
+
+class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
+    """Custom user manager with lifecycle hooks.
+
+    Token secrets are set via dependency injection in get_user_manager.
+    """
+
+    reset_password_token_secret: str
+    verification_token_secret: str
+
+    async def on_after_register(
+        self, user: User, request: Request | None = None
+    ) -> None:
+        """Called after successful registration."""
+        print(f"User {user.id} has registered.")
+
+    async def on_after_forgot_password(
+        self, user: User, token: str, request: Request | None = None
+    ) -> None:
+        """Called after password reset requested."""
+        print(f"User {user.id} forgot password. Reset token: {token}")
+
+    async def on_after_request_verify(
+        self, user: User, token: str, request: Request | None = None
+    ) -> None:
+        """Called after verification requested."""
+        print(f"Verification requested for {user.id}. Token: {token}")
+
+
+async def get_user_manager(
+    user_db: Annotated[SQLAlchemyUserDatabase[User, uuid.UUID], Depends(get_user_db)],
+    settings: Annotated[AuthSettings, Depends(get_auth_settings)],
+) -> AsyncGenerator[UserManager, None]:
+    """FastAPI dependency that yields the user manager."""
+    manager = UserManager(user_db)
+    manager.reset_password_token_secret = (
+        settings.reset_password_token_secret.get_secret_value()
+    )
+    manager.verification_token_secret = (
+        settings.verification_token_secret.get_secret_value()
+    )
+    yield manager
+
+
+# --- Authentication Backend ---
+
+
+bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")
+
+
+def get_jwt_strategy(
+    settings: Annotated[AuthSettings, Depends(get_auth_settings)],
+) -> JWTStrategy[User, uuid.UUID]:
+    """Get JWT strategy with settings."""
+    return JWTStrategy(
+        secret=settings.secret_key.get_secret_value(),
+        lifetime_seconds=settings.token_lifetime_seconds,
+    )
+
+
+auth_backend = AuthenticationBackend(
+    name="jwt",
+    transport=bearer_transport,
+    get_strategy=get_jwt_strategy,
+)
+
+
+# --- FastAPI Users Instance ---
+
+
+fastapi_users = FastAPIUsers[User, uuid.UUID](
+    get_user_manager,
+    [auth_backend],
+)
+
+
+# --- Exported Dependencies ---
+# These are the main exports that other packages should use
+
+current_active_user = fastapi_users.current_user(active=True)
+"""Dependency for routes requiring an authenticated active user.
+
+Usage:
+    @router.get("/protected")
+    async def route(user: User = Depends(current_active_user)):
+        ...
+"""
+
+current_superuser = fastapi_users.current_user(active=True, superuser=True)
+"""Dependency for routes requiring superuser privileges.
+
+Usage:
+    @router.get("/admin")
+    async def route(user: User = Depends(current_superuser)):
+        ...
+"""
+
+current_optional_user = fastapi_users.current_user(active=True, optional=True)
+"""Dependency for routes with optional authentication.
+
+Usage:
+    @router.get("/public")
+    async def route(user: User | None = Depends(current_optional_user)):
+        ...
+"""