PyPI - zrb - Versions diffs - 1.0.0b8__py3-none-any.whl → 1.0.0b10__py3-none-any.whl - Mend

zrb 1.0.0b8py3-none-any.whl → 1.0.0b10py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

zrb/builtin/project/add/fastapp/fastapp_template/my_app_name/module/gateway/subroute/auth.py CHANGED Viewed

@@ -1,5 +1,14 @@
-from fastapi import FastAPI
+from typing import Annotated
+from fastapi import Depends, FastAPI, Response
+from fastapi.security import OAuth2PasswordRequestForm
+from my_app_name.common.error import ForbiddenError
 from my_app_name.module.auth.client.auth_client_factory import auth_client
+from my_app_name.module.gateway.util.auth import (
+    get_current_user,
+    set_user_session_cookie,
+    unset_user_session_cookie,
+)
 from my_app_name.schema.permission import (
     MultiplePermissionResponse,
     PermissionCreate,
@@ -13,202 +22,368 @@ from my_app_name.schema.role import (
     RoleUpdateWithPermissions,
 )
 from my_app_name.schema.user import (
+    AuthUserResponse,
     MultipleUserResponse,
     UserCreateWithRoles,
+    UserCredentials,
     UserResponse,
+    UserSessionResponse,
     UserUpdateWithRoles,
 )
 def serve_auth_route(app: FastAPI):
+    @app.post("/api/v1/user-sessions", response_model=UserSessionResponse)
+    async def create_user_session(
+        response: Response, form_data: Annotated[OAuth2PasswordRequestForm, Depends()]
+    ) -> UserSessionResponse:
+        user_session = await auth_client.create_user_session(
+            UserCredentials(
+                username=form_data.username,
+                password=form_data.password,
+            )
+        )
+        set_user_session_cookie(response, user_session)
+        return user_session
+    @app.put("/api/v1/user-sessions", response_model=UserSessionResponse)
+    async def update_user_session(
+        response: Response, refresh_token: str
+    ) -> UserSessionResponse:
+        user_session = await auth_client.update_user_session(refresh_token)
+        set_user_session_cookie(response, user_session)
+        return user_session
+    @app.delete("/api/v1/user-sessions", response_model=UserSessionResponse)
+    async def delete_user_session(
+        response: Response, refresh_token: str
+    ) -> UserSessionResponse:
+        user_session = await auth_client.delete_user_session(refresh_token)
+        unset_user_session_cookie(response)
+        return user_session
     # Permission routes
     @app.get("/api/v1/permissions", response_model=MultiplePermissionResponse)
     async def get_permissions(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
         page: int = 1,
         page_size: int = 10,
         sort: str | None = None,
         filter: str | None = None,
     ) -> MultiplePermissionResponse:
+        if not current_user.has_permission("permission:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_permissions(
             page=page, page_size=page_size, sort=sort, filter=filter
         )
     @app.get("/api/v1/permissions/{permission_id}", response_model=PermissionResponse)
-    async def get_permission_by_id(permission_id: str) -> PermissionResponse:
+    async def get_permission_by_id(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        permission_id: str,
+    ) -> PermissionResponse:
+        if not current_user.has_permission("permission:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_permission_by_id(permission_id)
     @app.post(
         "/api/v1/permissions/bulk",
         response_model=list[PermissionResponse],
     )
-    async def create_permission_bulk(data: list[PermissionCreate]):
+    async def create_permission_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: list[PermissionCreate],
+    ) -> list[PermissionResponse]:
+        if not current_user.has_permission("permission:create"):
+            raise ForbiddenError("Access denied")
         return await auth_client.create_permission_bulk(
-            [row.with_audit(created_by="system") for row in data]
+            [row.with_audit(created_by=current_user.id) for row in data]
         )
     @app.post(
         "/api/v1/permissions",
         response_model=PermissionResponse,
     )
-    async def create_permission(data: PermissionCreate):
-        return await auth_client.create_permission(data.with_audit(created_by="system"))
+    async def create_permission(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: PermissionCreate,
+    ) -> PermissionResponse:
+        if not current_user.has_permission("permission:create"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.create_permission(
+            data.with_audit(created_by=current_user.id)
+        )
     @app.put(
         "/api/v1/permissions/bulk",
         response_model=list[PermissionResponse],
     )
-    async def update_permission_bulk(permission_ids: list[str], data: PermissionUpdate):
+    async def update_permission_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        permission_ids: list[str],
+        data: PermissionUpdate,
+    ) -> list[PermissionResponse]:
+        if not current_user.has_permission("permission:update"):
+            raise ForbiddenError("Access denied")
         return await auth_client.update_permission_bulk(
-            permission_ids, data.with_audit(updated_by="system")
+            permission_ids, data.with_audit(updated_by=current_user.id)
         )
     @app.put(
         "/api/v1/permissions/{permission_id}",
         response_model=PermissionResponse,
     )
-    async def update_permission(permission_id: str, data: PermissionUpdate):
-        return await auth_client.update_permission(data.with_audit(updated_by="system"))
+    async def update_permission(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        permission_id: str,
+        data: PermissionUpdate,
+    ) -> PermissionResponse:
+        if not current_user.has_permission("permission:update"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.update_permission(
+            permission_id, data.with_audit(updated_by=current_user.id)
+        )
     @app.delete(
         "/api/v1/permissions/bulk",
         response_model=list[PermissionResponse],
     )
-    async def delete_permission_bulk(permission_ids: list[str]):
+    async def delete_permission_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        permission_ids: list[str],
+    ) -> list[PermissionResponse]:
+        if not current_user.has_permission("permission:delete"):
+            raise ForbiddenError("Access denied")
         return await auth_client.delete_permission_bulk(
-            permission_ids, deleted_by="system"
+            permission_ids, deleted_by=current_user.id
         )
     @app.delete(
         "/api/v1/permissions/{permission_id}",
         response_model=PermissionResponse,
     )
-    async def delete_permission(permission_id: str):
-        return await auth_client.delete_permission(permission_id, deleted_by="system")
+    async def delete_permission(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        permission_id: str,
+    ) -> PermissionResponse:
+        if not current_user.has_permission("permission:delete"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.delete_permission(
+            permission_id, deleted_by=current_user.id
+        )
     # Role routes
     @app.get("/api/v1/roles", response_model=MultipleRoleResponse)
     async def get_roles(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
         page: int = 1,
         page_size: int = 10,
         sort: str | None = None,
         filter: str | None = None,
     ) -> MultipleRoleResponse:
+        if not current_user.has_permission("role:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_roles(
             page=page, page_size=page_size, sort=sort, filter=filter
         )
     @app.get("/api/v1/roles/{role_id}", response_model=RoleResponse)
-    async def get_role_by_id(role_id: str) -> RoleResponse:
+    async def get_role_by_id(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        role_id: str,
+    ) -> RoleResponse:
+        if not current_user.has_permission("role:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_role_by_id(role_id)
     @app.post(
         "/api/v1/roles/bulk",
         response_model=list[RoleResponse],
     )
-    async def create_role_bulk(data: list[RoleCreateWithPermissions]):
+    async def create_role_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: list[RoleCreateWithPermissions],
+    ) -> list[RoleResponse]:
+        if not current_user.has_permission("role:create"):
+            raise ForbiddenError("Access denied")
         return await auth_client.create_role_bulk(
-            [row.with_audit(created_by="system") for row in data]
+            [row.with_audit(created_by=current_user.id) for row in data]
         )
     @app.post(
         "/api/v1/roles",
         response_model=RoleResponse,
     )
-    async def create_role(data: RoleCreateWithPermissions):
-        return await auth_client.create_role(data.with_audit(created_by="system"))
+    async def create_role(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: RoleCreateWithPermissions,
+    ) -> RoleResponse:
+        if not current_user.has_permission("role:create"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.create_role(
+            data.with_audit(created_by=current_user.id)
+        )
     @app.put(
         "/api/v1/roles/bulk",
         response_model=list[RoleResponse],
     )
-    async def update_role_bulk(role_ids: list[str], data: RoleUpdateWithPermissions):
+    async def update_role_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        role_ids: list[str],
+        data: RoleUpdateWithPermissions,
+    ) -> list[RoleResponse]:
+        if not current_user.has_permission("role:update"):
+            raise ForbiddenError("Access denied")
         return await auth_client.update_role_bulk(
-            role_ids, data.with_audit(updated_by="system")
+            role_ids, data.with_audit(updated_by=current_user.id)
         )
     @app.put(
         "/api/v1/roles/{role_id}",
         response_model=RoleResponse,
     )
-    async def update_role(role_id: str, data: RoleUpdateWithPermissions):
-        return await auth_client.update_role(data.with_audit(updated_by="system"))
+    async def update_role(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        role_id: str,
+        data: RoleUpdateWithPermissions,
+    ) -> RoleResponse:
+        if not current_user.has_permission("role:update"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.update_role(
+            role_id, data.with_audit(updated_by=current_user.id)
+        )
     @app.delete(
         "/api/v1/roles/bulk",
         response_model=list[RoleResponse],
     )
-    async def delete_role_bulk(role_ids: list[str]):
-        return await auth_client.delete_role_bulk(role_ids, deleted_by="system")
+    async def delete_role_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        role_ids: list[str],
+    ) -> list[RoleResponse]:
+        if not current_user.has_permission("role:delete"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.delete_role_bulk(role_ids, deleted_by=current_user.id)
     @app.delete(
         "/api/v1/roles/{role_id}",
         response_model=RoleResponse,
     )
-    async def delete_role(role_id: str):
-        return await auth_client.delete_role(role_id, deleted_by="system")
+    async def delete_role(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        role_id: str,
+    ) -> RoleResponse:
+        if not current_user.has_permission("role:delete"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.delete_role(role_id, deleted_by=current_user.id)
     # User routes
     @app.get("/api/v1/users", response_model=MultipleUserResponse)
     async def get_users(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
         page: int = 1,
         page_size: int = 10,
         sort: str | None = None,
         filter: str | None = None,
     ) -> MultipleUserResponse:
+        if not current_user.has_permission("user:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_users(
             page=page, page_size=page_size, sort=sort, filter=filter
         )
     @app.get("/api/v1/users/{user_id}", response_model=UserResponse)
-    async def get_user_by_id(user_id: str) -> UserResponse:
+    async def get_user_by_id(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        user_id: str,
+    ) -> UserResponse:
+        if not current_user.has_permission("user:read"):
+            raise ForbiddenError("Access denied")
         return await auth_client.get_user_by_id(user_id)
     @app.post(
         "/api/v1/users/bulk",
         response_model=list[UserResponse],
     )
-    async def create_user_bulk(data: list[UserCreateWithRoles]):
-        return await auth_client.create_user(
-            [row.with_audit(created_by="system") for row in data]
+    async def create_user_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: list[UserCreateWithRoles],
+    ) -> list[UserResponse]:
+        if not current_user.has_permission("user:create"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.create_user_bulk(
+            [row.with_audit(created_by=current_user.id) for row in data]
         )
     @app.post(
         "/api/v1/users",
         response_model=UserResponse,
     )
-    async def create_user(data: UserCreateWithRoles):
-        return await auth_client.create_user(data.with_audit(created_by="system"))
+    async def create_user(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        data: UserCreateWithRoles,
+    ) -> UserResponse:
+        if not current_user.has_permission("user:create"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.create_user(
+            data.with_audit(created_by=current_user.id)
+        )
     @app.put(
         "/api/v1/users/bulk",
         response_model=list[UserResponse],
     )
-    async def update_user_bulk(user_ids: list[str], data: UserUpdateWithRoles):
+    async def update_user_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        user_ids: list[str],
+        data: UserUpdateWithRoles,
+    ) -> list[UserResponse]:
+        if not current_user.has_permission("user:update"):
+            raise ForbiddenError("Access denied")
         return await auth_client.update_user_bulk(
-            user_ids, data.with_audit(updated_by="system")
+            user_ids, data.with_audit(updated_by=current_user.id)
         )
     @app.put(
         "/api/v1/users/{user_id}",
         response_model=UserResponse,
     )
-    async def update_user(user_id: str, data: UserUpdateWithRoles):
-        return await auth_client.update_user(data.with_audit(updated_by="system"))
+    async def update_user(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        user_id: str,
+        data: UserUpdateWithRoles,
+    ) -> UserResponse:
+        if not current_user.has_permission("user:update"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.update_user(
+            user_id, data.with_audit(updated_by=current_user.id)
+        )
     @app.delete(
         "/api/v1/users/bulk",
         response_model=list[UserResponse],
     )
-    async def delete_user_bulk(user_ids: list[str]):
-        return await auth_client.delete_user_bulk(user_ids, deleted_by="system")
+    async def delete_user_bulk(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        user_ids: list[str],
+    ) -> list[UserResponse]:
+        if not current_user.has_permission("user:delete"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.delete_user_bulk(user_ids, deleted_by=current_user.id)
     @app.delete(
         "/api/v1/users/{user_id}",
         response_model=UserResponse,
     )
-    async def delete_user(user_id: str):
-        return await auth_client.delete_user(user_id, deleted_by="system")
+    async def delete_user(
+        current_user: Annotated[AuthUserResponse, Depends(get_current_user)],
+        user_id: str,
+    ) -> UserResponse:
+        if not current_user.has_permission("user:delete"):
+            raise ForbiddenError("Access denied")
+        return await auth_client.delete_user(user_id, deleted_by=current_user.id)

zrb/builtin/project/add/fastapp/fastapp_template/my_app_name/module/gateway/util/auth.py ADDED Viewed

@@ -0,0 +1,57 @@
+import datetime
+from fastapi import Depends, Request, Response
+from fastapi.security import OAuth2PasswordBearer
+from my_app_name.config import (
+    APP_AUTH_ACCESS_TOKEN_COOKIE_NAME,
+    APP_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES,
+    APP_AUTH_REFRESH_TOKEN_COOKIE_NAME,
+    APP_AUTH_REFRESH_TOKEN_EXPIRE_MINUTES,
+)
+from my_app_name.module.auth.client.auth_client_factory import auth_client
+from my_app_name.schema.user import AuthUserResponse, UserSessionResponse
+from typing_extensions import Annotated
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/user-sessions", auto_error=False)
+async def get_current_user(
+    request: Request,
+    response: Response,
+    bearer_access_token: Annotated[str, Depends(oauth2_scheme)],
+) -> AuthUserResponse:
+    # Bearer token exists
+    if bearer_access_token is not None and bearer_access_token != "":
+        return await auth_client.get_current_user(bearer_access_token)
+    cookie_access_token = request.cookies.get(APP_AUTH_ACCESS_TOKEN_COOKIE_NAME)
+    # Cookie exists
+    if cookie_access_token is not None and cookie_access_token != "":
+        cookie_user = await auth_client.get_current_user(cookie_access_token)
+        if cookie_user.is_guest:
+            # If user is guest, the cookie is not needed
+            unset_user_session_cookie(response)
+        return cookie_user
+    # No bearer token or cookie
+    return await auth_client.get_current_user("")
+def set_user_session_cookie(response: Response, user_session: UserSessionResponse):
+    response.set_cookie(
+        key=APP_AUTH_ACCESS_TOKEN_COOKIE_NAME,
+        value=user_session.access_token,
+        httponly=True,
+        max_age=60 * APP_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES,
+        expires=user_session.access_token_expired_at.astimezone(datetime.timezone.utc),
+    )
+    response.set_cookie(
+        key=APP_AUTH_REFRESH_TOKEN_COOKIE_NAME,
+        value=user_session.refresh_token,
+        httponly=True,
+        max_age=60 * APP_AUTH_REFRESH_TOKEN_EXPIRE_MINUTES,
+        expires=user_session.refresh_token_expired_at.astimezone(datetime.timezone.utc),
+    )
+def unset_user_session_cookie(response: Response):
+    response.delete_cookie(APP_AUTH_ACCESS_TOKEN_COOKIE_NAME)
+    response.delete_cookie(APP_AUTH_REFRESH_TOKEN_COOKIE_NAME)

zrb/builtin/project/add/fastapp/fastapp_template/my_app_name/requirements.txt CHANGED Viewed

@@ -3,4 +3,10 @@ alembic~=1.14.0
 sqlmodel~=0.0.22
 ulid-py~=1.1.0
 passlib~=1.7.4
-Jinja2==3.1.5
+Jinja2~=3.1.5
+python-jose~=3.3.0
+passlib~=1.7.4
+pytest~=8.3.4
+pytest-asyncio~=0.24.0
+pytest-cov~=6.0.0

zrb/builtin/project/add/fastapp/fastapp_template/my_app_name/schema/permission.py CHANGED Viewed

@@ -34,6 +34,7 @@ class PermissionUpdateWithAudit(PermissionUpdate):
 class PermissionResponse(PermissionBase):
     id: str
+    description: str
 class MultiplePermissionResponse(BaseModel):
@@ -42,6 +43,7 @@ class MultiplePermissionResponse(BaseModel):
 class Permission(SQLModel, table=True):
+    __tablename__ = "permissions"
     id: str = Field(default_factory=lambda: ulid.new().str, primary_key=True)
     created_at: datetime.datetime | None = Field(index=True)
     created_by: str | None = Field(index=True)

zrb/builtin/project/add/fastapp/fastapp_template/my_app_name/schema/role.py CHANGED Viewed

@@ -1,7 +1,6 @@
 import datetime
 import ulid
-from my_app_name.schema.permission import Permission
 from pydantic import BaseModel
 from sqlmodel import Field, SQLModel
@@ -22,7 +21,7 @@ class RoleCreateWithAudit(RoleCreate):
 class RoleCreateWithPermissions(RoleCreate):
-    permission_ids: list[str] | None = None
+    permission_names: list[str] | None = None
     def with_audit(self, created_by: str) -> "RoleCreateWithPermissionsAndAudit":
         return RoleCreateWithPermissionsAndAudit(
@@ -37,14 +36,14 @@ class RoleCreateWithPermissionsAndAudit(RoleCreateWithPermissions):
         data = {
             key: val
             for key, val in self.model_dump().items()
-            if key != "permission_ids"
+            if key != "permission_names"
         }
         return RoleCreateWithAudit(**data)
-    def get_permission_ids(self) -> list[str]:
-        if self.permission_ids is None:
+    def get_permission_names(self) -> list[str]:
+        if self.permission_names is None:
             return []
-        return self.permission_ids
+        return self.permission_names
 class RoleUpdate(SQLModel):
@@ -60,7 +59,7 @@ class RoleUpdateWithAudit(RoleUpdate):
 class RoleUpdateWithPermissions(RoleUpdate):
-    permission_ids: list[str] | None = None
+    permission_names: list[str] | None = None
     def with_audit(self, updated_by: str) -> "RoleUpdateWithPermissionsAndAudit":
         return RoleUpdateWithPermissionsAndAudit(
@@ -75,19 +74,19 @@ class RoleUpdateWithPermissionsAndAudit(RoleUpdateWithPermissions):
         data = {
             key: val
             for key, val in self.model_dump().items()
-            if key != "permission_ids"
+            if key != "permission_names"
         }
         return RoleUpdateWithAudit(**data)
-    def get_permission_ids(self) -> list[str]:
-        if self.permission_ids is None:
+    def get_permission_names(self) -> list[str]:
+        if self.permission_names is None:
             return []
-        return self.permission_ids
+        return self.permission_names
 class RoleResponse(RoleBase):
     id: str
-    permissions: list[Permission]
+    permission_names: list[str]
 class MultipleRoleResponse(BaseModel):
@@ -96,6 +95,7 @@ class MultipleRoleResponse(BaseModel):
 class Role(SQLModel, table=True):
+    __tablename__ = "roles"
     id: str = Field(default_factory=lambda: ulid.new().str, primary_key=True)
     created_at: datetime.datetime | None = Field(index=True)
     created_by: str | None = Field(index=True)
@@ -106,6 +106,7 @@ class Role(SQLModel, table=True):
 class RolePermission(SQLModel, table=True):
+    __tablename__ = "role_permissions"
     id: str = Field(default_factory=lambda: ulid.new().str, primary_key=True)
     role_id: str = Field(index=True)
     permission_id: str = Field(index=True)

zrb 1.0.0b8__py3-none-any.whl → 1.0.0b10__py3-none-any.whl

zrb 1.0.0b8py3-none-any.whl → 1.0.0b10py3-none-any.whl