zndraw-auth 0.1.0__tar.gz → 0.2.0__tar.gz

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: zndraw-auth
-Version: 0.1.0
+Version: 0.2.0
 Summary: Shared authentication for ZnDraw using fastapi-users
 Requires-Dist: fastapi>=0.128.0
 Requires-Dist: fastapi-users[sqlalchemy]>=14.0.0
@@ -222,6 +222,27 @@ Settings are loaded from environment variables with the `ZNDRAW_AUTH_` prefix:
 | `ZNDRAW_AUTH_DATABASE_URL` | `sqlite+aiosqlite:///./zndraw_auth.db` | Database connection URL |
 | `ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET` | `CHANGE-ME-RESET` | Password reset token secret |
 | `ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET` | `CHANGE-ME-VERIFY` | Email verification token secret |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` | `None` | Email for the default admin user |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD` | `None` | Password for the default admin user |
+
+### Dev Mode vs Production Mode
+
+The system has two operating modes based on admin configuration:
+
+**Dev Mode** (default - no admin configured):
+- All newly registered users are automatically granted superuser privileges
+- Useful for development and testing
+
+**Production Mode** (admin configured):
+- Set `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` and `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD`
+- The configured admin user is created/promoted on startup
+- New users are created as regular users (not superusers)
+
+```bash
+# Production mode example
+export ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL=admin@example.com
+export ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD=secure-password
+```
 
 ## Exports
 

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/README.md

@@ -204,6 +204,27 @@ Settings are loaded from environment variables with the `ZNDRAW_AUTH_` prefix:
 | `ZNDRAW_AUTH_DATABASE_URL` | `sqlite+aiosqlite:///./zndraw_auth.db` | Database connection URL |
 | `ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET` | `CHANGE-ME-RESET` | Password reset token secret |
 | `ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET` | `CHANGE-ME-VERIFY` | Email verification token secret |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` | `None` | Email for the default admin user |
+| `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD` | `None` | Password for the default admin user |
+
+### Dev Mode vs Production Mode
+
+The system has two operating modes based on admin configuration:
+
+**Dev Mode** (default - no admin configured):
+- All newly registered users are automatically granted superuser privileges
+- Useful for development and testing
+
+**Production Mode** (admin configured):
+- Set `ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL` and `ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD`
+- The configured admin user is created/promoted on startup
+- New users are created as regular users (not superusers)
+
+```bash
+# Production mode example
+export ZNDRAW_AUTH_DEFAULT_ADMIN_EMAIL=admin@example.com
+export ZNDRAW_AUTH_DEFAULT_ADMIN_PASSWORD=secure-password
+```
 
 ## Exports
 

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "zndraw-auth"
-version = "0.1.0"
+version = "0.2.0"
 description = "Shared authentication for ZnDraw using fastapi-users"
 readme = "README.md"
 requires-python = ">=3.11"

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/src/zndraw_auth/__init__.py

@@ -29,6 +29,7 @@ from zndraw_auth.db import (
     Base,
     User,
     create_db_and_tables,
+    ensure_default_admin,
     get_async_session,
     get_user_db,
 )
@@ -51,6 +52,7 @@ __all__ = [
     "User",
     # Database
     "create_db_and_tables",
+    "ensure_default_admin",
     "get_async_session",
     "get_user_db",
     # Schemas

zndraw_auth-0.2.0/src/zndraw_auth/db.py

@@ -0,0 +1,146 @@
+"""Database models and session management."""
+
+import logging
+import uuid
+from collections.abc import AsyncGenerator
+from functools import lru_cache
+from typing import Annotated
+
+from fastapi import Depends
+from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyUserDatabase
+from fastapi_users.password import PasswordHelper
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import (
+    AsyncEngine,
+    AsyncSession,
+    async_sessionmaker,
+    create_async_engine,
+)
+from sqlalchemy.orm import DeclarativeBase
+
+from zndraw_auth.settings import AuthSettings, get_auth_settings
+
+log = logging.getLogger(__name__)
+
+
+class Base(DeclarativeBase):
+    """SQLAlchemy declarative base."""
+
+    pass
+
+
+class User(SQLAlchemyBaseUserTableUUID, Base):
+    """User model for authentication.
+
+    Inherits from fastapi-users base which provides:
+    - id: UUID (primary key)
+    - email: str (unique, indexed)
+    - hashed_password: str
+    - is_active: bool (default True)
+    - is_superuser: bool (default False)
+    - is_verified: bool (default False)
+    """
+
+    pass
+
+
+@lru_cache
+def get_engine(database_url: str) -> AsyncEngine:
+    """Get or create the async engine (cached by URL)."""
+    return create_async_engine(database_url, echo=False)
+
+
+@lru_cache
+def get_session_maker(database_url: str) -> async_sessionmaker[AsyncSession]:
+    """Get or create the session maker (cached by URL)."""
+    engine = get_engine(database_url)
+    return async_sessionmaker(engine, expire_on_commit=False)
+
+
+async def create_db_and_tables(settings: AuthSettings | None = None) -> None:
+    """Create all database tables and ensure default admin exists.
+
+    Call this in your app's lifespan or startup.
+    """
+    if settings is None:
+        settings = get_auth_settings()
+    engine = get_engine(settings.database_url)
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+
+    # Ensure default admin user exists (if configured)
+    await ensure_default_admin(settings)
+
+
+async def ensure_default_admin(settings: AuthSettings | None = None) -> None:
+    """Create or promote the default admin user if configured.
+
+    If DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD are set:
+    - Creates the user with is_superuser=True if they don't exist
+    - Promotes existing user to superuser if they exist but aren't one
+
+    If not configured, does nothing (dev mode - all users are superusers).
+    """
+    if settings is None:
+        settings = get_auth_settings()
+
+    admin_email = settings.default_admin_email
+    admin_password = settings.default_admin_password
+
+    if admin_email is None:
+        log.info("No default admin configured - running in dev mode")
+        return
+
+    if admin_password is None:
+        log.warning(
+            "DEFAULT_ADMIN_EMAIL is set but DEFAULT_ADMIN_PASSWORD is not - "
+            "skipping admin creation"
+        )
+        return
+
+    session_maker = get_session_maker(settings.database_url)
+    password_helper = PasswordHelper()
+
+    async with session_maker() as session:
+        # Check if user already exists
+        result = await session.execute(
+            select(User).where(User.email == admin_email)  # type: ignore[arg-type]
+        )
+        existing_user = result.scalar_one_or_none()
+
+        if existing_user is None:
+            # Create new admin user
+            hashed_password = password_helper.hash(admin_password.get_secret_value())
+            admin_user = User(
+                email=admin_email,
+                hashed_password=hashed_password,
+                is_active=True,
+                is_superuser=True,
+                is_verified=True,
+            )
+            session.add(admin_user)
+            await session.commit()
+            log.info(f"Created default admin user: {admin_email}")
+        elif not existing_user.is_superuser:
+            # Promote existing user to superuser
+            existing_user.is_superuser = True
+            await session.commit()
+            log.info(f"Promoted user to superuser: {admin_email}")
+        else:
+            log.debug(f"Default admin already exists: {admin_email}")
+
+
+async def get_async_session(
+    settings: Annotated[AuthSettings, Depends(get_auth_settings)],
+) -> AsyncGenerator[AsyncSession, None]:
+    """FastAPI dependency that yields an async database session."""
+    session_maker = get_session_maker(settings.database_url)
+    async with session_maker() as session:
+        yield session
+
+
+async def get_user_db(
+    session: Annotated[AsyncSession, Depends(get_async_session)],
+) -> AsyncGenerator[SQLAlchemyUserDatabase[User, uuid.UUID], None]:
+    """FastAPI dependency that yields the user database adapter."""
+    yield SQLAlchemyUserDatabase[User, uuid.UUID](session, User)

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/src/zndraw_auth/settings.py

@@ -2,7 +2,7 @@
 
 from functools import lru_cache
 
-from pydantic import SecretStr
+from pydantic import SecretStr, computed_field
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -11,6 +11,13 @@ class AuthSettings(BaseSettings):
 
     All settings can be overridden with ZNDRAW_AUTH_ prefix.
     Example: ZNDRAW_AUTH_SECRET_KEY=your-secret-key
+
+    Admin mode vs Dev mode:
+    - If DEFAULT_ADMIN_EMAIL and DEFAULT_ADMIN_PASSWORD are set, the system
+      runs in "production mode": only the configured admin is a superuser,
+      and new users are created as regular users.
+    - If they are NOT set, the system runs in "dev mode": all newly
+      registered users are automatically granted superuser privileges.
     """
 
     model_config = SettingsConfigDict(
@@ -30,6 +37,19 @@ class AuthSettings(BaseSettings):
     reset_password_token_secret: SecretStr = SecretStr("CHANGE-ME-RESET")
     verification_token_secret: SecretStr = SecretStr("CHANGE-ME-VERIFY")
 
+    # Default admin user (production mode)
+    default_admin_email: str | None = None
+    """Email for the default admin user. If set, enables production mode."""
+
+    default_admin_password: SecretStr | None = None
+    """Password for the default admin user."""
+
+    @computed_field  # type: ignore[prop-decorator]
+    @property
+    def is_dev_mode(self) -> bool:
+        """True if no admin credentials configured (all users become superusers)."""
+        return self.default_admin_email is None
+
 
 @lru_cache
 def get_auth_settings() -> AuthSettings:

{zndraw_auth-0.1.0 → zndraw_auth-0.2.0}/src/zndraw_auth/users.py

@@ -28,6 +28,7 @@ from fastapi_users.authentication import (
 from fastapi_users.db import SQLAlchemyUserDatabase
 
 from zndraw_auth.db import User, get_user_db
+from zndraw_auth.schemas import UserUpdate
 from zndraw_auth.settings import AuthSettings, get_auth_settings
 
 # --- User Manager ---
@@ -41,12 +42,17 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
 
     reset_password_token_secret: str
     verification_token_secret: str
+    is_dev_mode: bool = False
 
     async def on_after_register(
         self, user: User, request: Request | None = None
     ) -> None:
         """Called after successful registration."""
-        print(f"User {user.id} has registered.")
+        if self.is_dev_mode and not user.is_superuser:
+            await self.update(UserUpdate(is_superuser=True), user, safe=False)
+            print(f"User {user.id} has registered (granted superuser - dev mode).")
+        else:
+            print(f"User {user.id} has registered.")
 
     async def on_after_forgot_password(
         self, user: User, token: str, request: Request | None = None
@@ -73,6 +79,7 @@ async def get_user_manager(
     manager.verification_token_secret = (
         settings.verification_token_secret.get_secret_value()
     )
+    manager.is_dev_mode = settings.is_dev_mode
     yield manager
 
 

zndraw_auth-0.1.0/src/zndraw_auth/db.py

@@ -1,80 +0,0 @@
-"""Database models and session management."""
-
-import uuid
-from collections.abc import AsyncGenerator
-from functools import lru_cache
-from typing import Annotated
-
-from fastapi import Depends
-from fastapi_users.db import SQLAlchemyBaseUserTableUUID, SQLAlchemyUserDatabase
-from sqlalchemy.ext.asyncio import (
-    AsyncEngine,
-    AsyncSession,
-    async_sessionmaker,
-    create_async_engine,
-)
-from sqlalchemy.orm import DeclarativeBase
-
-from zndraw_auth.settings import AuthSettings, get_auth_settings
-
-
-class Base(DeclarativeBase):
-    """SQLAlchemy declarative base."""
-
-    pass
-
-
-class User(SQLAlchemyBaseUserTableUUID, Base):
-    """User model for authentication.
-
-    Inherits from fastapi-users base which provides:
-    - id: UUID (primary key)
-    - email: str (unique, indexed)
-    - hashed_password: str
-    - is_active: bool (default True)
-    - is_superuser: bool (default False)
-    - is_verified: bool (default False)
-    """
-
-    pass
-
-
-@lru_cache
-def get_engine(database_url: str) -> AsyncEngine:
-    """Get or create the async engine (cached by URL)."""
-    return create_async_engine(database_url, echo=False)
-
-
-@lru_cache
-def get_session_maker(database_url: str) -> async_sessionmaker[AsyncSession]:
-    """Get or create the session maker (cached by URL)."""
-    engine = get_engine(database_url)
-    return async_sessionmaker(engine, expire_on_commit=False)
-
-
-async def create_db_and_tables(settings: AuthSettings | None = None) -> None:
-    """Create all database tables.
-
-    Call this in your app's lifespan or startup.
-    """
-    if settings is None:
-        settings = get_auth_settings()
-    engine = get_engine(settings.database_url)
-    async with engine.begin() as conn:
-        await conn.run_sync(Base.metadata.create_all)
-
-
-async def get_async_session(
-    settings: Annotated[AuthSettings, Depends(get_auth_settings)],
-) -> AsyncGenerator[AsyncSession, None]:
-    """FastAPI dependency that yields an async database session."""
-    session_maker = get_session_maker(settings.database_url)
-    async with session_maker() as session:
-        yield session
-
-
-async def get_user_db(
-    session: Annotated[AsyncSession, Depends(get_async_session)],
-) -> AsyncGenerator[SQLAlchemyUserDatabase[User, uuid.UUID], None]:
-    """FastAPI dependency that yields the user database adapter."""
-    yield SQLAlchemyUserDatabase[User, uuid.UUID](session, User)