lonelyvikingmichael / litestar-users Goto Github PK

We need to set up an autocommit config option and propagate the value to UserRepository.autocommit

An alternative is to point consumers to advanced alchemy's autocommit_before_send_handler but this might not suite everyone's needs.

Currently we're using factory patterns to inject configurations into route handlers and service layers.
This can be cleaned up somewhat by storing the StarliteUsersConfig object in app.state and using dependency injection to retrieve values.

With the merge of #23 , role based authorization is no longer a given. We should remove the roles relationship from the User mixin and make it a seperate opt-in.

Not only will this be cleaner, it will also allow for something like this wherever roles are integrated:

if not hasattr(request.user, 'roles'):
    raise ImproperlyConfiguredException("user roles are not set up")

Since it isn't forbidden to specify custom auth_backend_class in LitestarUsersConfig, I'd like to redefine authentication_middleware_class with a custom middleware like this:

class CustomSessionAuthMiddleware(SessionAuthMiddleware):
    async def authenticate_request(self, connection: ASGIConnection[Any, Any, Any, Any]) -> AuthenticationResult:
        # custom logic here...
        return AuthenticationResult(user=user, auth=connection.session)
        
@dataclass
class MyCustomAppJWTAuth[User](JWTCookieAuth):
    authentication_middleware_class = CustomSessionAuthMiddleware

litestar_users_config = LitestarUsersConfig(
    auth_backend_class=MyCustomAppJWTAuth,
    ...

but litestar-users is still using the default one.
I can add CustomSessionAuthMiddleware on the app layer, but thought that litestar-users itself could use it.

from the docs it seems you can use litestar cli however:

❯ litestar users
                                                                                
 Usage: litestar [OPTIONS] COMMAND [ARGS]...                                    
                                                                                
╭─ Error ──────────────────────────────────────────────────────────────────────╮
│ No such command 'users'.                                                     │
╰──────────────────────────────────────────────────────────────────────────────╯

my pyproject:

[tool.poetry.dependencies]
python = "^3.11"
litestar-users = "^1.2.3"
aiosqlite = "^0.20.0"


[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"

Add a configurable Role table, as well as a RoleUser association object. We'll use this to implement authorisation logic via Starlite Guards.

• Use timed JWT tokens for user verification after registration
• Add necessary db columns
• Update schemas

Add two new handlers forgot_password and reset_password - the former emits a token, the later verifies and consumes a token.

It would be great to have an explicit option for JWT token TTL in LitestarUsersConfig.
As discussed, it can be the same value as for cookie expiry (for JWTCookieAuth), but since we don't have to setup a session backend config with JWTAuth, it may be better to have a separated option.

The user will be verified if "is_verified": true is part of the JSON payload

A mechanism should be put in place to address this, with care when a user might be created programmatically outside of the REST API scope by an administrator who wishes to bypass verification case by case.

This should be enhanced to be more dynamic - there is nothing in place to avoid collisions on user creation if user_auth_identifier has a custom value.

Look into allowing users to log in with a custom identifier, i.e. username instead of just via email.

Use mkdocs for documentation once the API is stable

If you run the code in the examples, the user's changes are not saved in the database. Should I use session.commit() or auto_commit=True myself, and where exactly?

All primary keys are currently bound to SQLAlchemy/Postgresql UUID types, we should support generic DB back ends and perhaps allow for auto-incrementing integers.

A few typos that may confuse the user (at least they confused me):

https://lonelyvikingmichael.github.io/litestar-users/usage/0-configuration/
LitestarUsers -> LitestarUsersPlugin

litestar_users = LitestarUsers(
    config=LitestarUsersConfig(

https://lonelyvikingmichael.github.io/litestar-users/usage/6-command-line-interface/
--is_verified -> --is-verified, --is_active -> --is-active

--is_verified
Set the user as being verified.
--is_active
Set the user as active.

We need a strategy to implement SQLA 2.0 mixins while maintaining backwards compatibility with 1.4

Leverage Starlite's CLI tools to create users/roles

Support for MFA would be another essential feature. Integration could be done with passlib as well, using its TOTP capabilities.

So far we're pretty much only testing the API endpoints, and even then not for all common scenarios.
There should be unit tests for the repositories, services, guards etc.

Typing is not terrible, but can definitely improve. MyPy will surely fail

Route handler typing was not updated after JWT support was added, this should be addressed.

Currently it's only possible to create roles manually or via seeding scripts. We should add role based methods to UserService at the very least and create new route handlers at most.

Edit: The same applies to adding/revoking roles to/from users

As it is, the user service and repository only caters for SQLAlchemy models.
Other implementations to consider:

• Tortoise ORM
• Piccolo ORM

Developers will need to subclass UserService in order to write their own pre/post operation hooks for login, register, update etc. This likely requires an update to config and typing.

https://lonelyvikingmichael.github.io/litestar-users/usage/0-configuration/

I see rename LitestarUsers class to LitestarUsersPlugin so I changed it and get now:

    config=LitestarUsersConfig(
           ^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 27, in __init__
  File "/home/lotso/.cache/pypoetry/virtualenvs/ollama-liteproxy-wn7kqDdW-py3.11/lib/python3.11/site-packages/litestar_users/config.py", line 279, in __post_init__
    raise ImproperlyConfiguredException(
litestar.exceptions.http_exceptions.ImproperlyConfiguredException: 500: session_backend_config must be set when auth_backend is set to "session"

other examples in the examples folder work fine oob ;) will play with that for now

Needs investigation.