pyxle-auth 0.2.0
Changed (BREAKING)
- Requires
pyxle-db>=0.2.0. Its transaction methods became
coroutines (await tx.execute(...)), and all pyxle-auth SQL is now
written in portable qmark style — the plugin works unchanged on
SQLite, PostgreSQL, and MySQL (DML fully portable; shipped DDL targets
SQLite/PostgreSQL — MySQL schema needs a dialect override, see README).
Upgraders from 0.1: theratelimit_buckets.keycolumn is now
bucket_key(KEY is reserved in MySQL); drop the old table — bucket
data is ephemeral hourly counters and recreates itself. - The plugin now hard-requires the
pyxle-dbplugin to have run
first. List"pyxle-db"before"pyxle-auth"in
pyxle.config.json::plugins; startup aborts with an actionable
error otherwise. - The
ensureSchemaplugin setting is removed. The plugin always
applies its bundled migrations and then runs each service's
idempotentensure_schema()— both are no-ops on an up-to-date
database, so there is nothing left to opt out of.
Added
- Password reset and email verification flows, powered by
TokenService: single-use, purpose-scoped, expiring tokens with
only the SHA-256 stored at rest. The library never sends email —
your app delivers the token through its own mailer. RoleService(RBAC): roles, permissions, and per-user grants,
registered asauth.rbac.ApiTokenService: long-livedpyxle_pat_personal access tokens
with scopes, per-user caps enforced atomically, and revocation.
Registered asauth.api_tokens.- Request guards:
current_user,require_user_page,
require_user_action,require_permission_page,
require_permission_action, andbearer_token, re-exported from
the package root. - New settings:
password_reset_ttl_seconds(default 1800),
email_verify_ttl_seconds(default 86400), and
rate_limit_password_reset_per_hour(default 3), each with a
PYXLE_AUTH_*environment variable and a camelCase plugin key. - Settings precedence: plugin
settingsinpyxle.config.json
overridePYXLE_AUTH_*environment variables, which override the
built-in defaults.AuthSettings.from_envgrew anoverrides
parameter to express this. - Bundled migrations (
pyxle_auth/migrations) applied through
pyxle_db.Migratorat startup, withensure_schema()as
belt-and-braces after. - New exports:
SessionInfo,InvalidToken,TokenClaim,
TokenService,ApiToken,ApiTokenService,TokenLimitReached,
TOKEN_PREFIX, andRoleService. - Live-backend test suite (
tests/test_live_backends.py) running the
real plugin schema path and a full account lifecycle against
PostgreSQL and MySQL (gated onPYXLE_DB_TEST_POSTGRES_URL/
PYXLE_DB_TEST_MYSQL_URL, shared with pyxle-db's suites). PYXLE_AUTH_STRICTenvironment variable:strictnow resolves
config > env > secure-default(True), so a committed config can stay
production-safe (strict + Secure cookies) while local HTTP dev
relaxes via the environment.- Bring your own database. Services and the plugin now bind to the
pyxle_db.DatabaseLikeprotocol instead of the concreteDatabase
class, and the plugin's requirement is thedb.databaseservice
name — any plugin registering a protocol-satisfying object can back
pyxle-auth (pyxle-db remains the reference provider and a hard
dependency for the error types and migrator). The contract (surface,
IntegrityErrortranslation, dialect, datetimes) is documented in the
README and enforced bytests/test_database_contract.py, which runs
the full lifecycle against a deliberately foreign database object.
Fixed
- Schema is now genuinely portable (found by the live-server
suites). Key and indexed columns areVARCHAR(n)instead ofTEXT
(MySQL cannot index bareTEXT), a0001-pyxle-auth-core.mysql.sql
override usesDATETIME(6)(MySQLTIMESTAMPis 2038-capped,
second-rounded, and session-time-zone converted), and
ensure_schema()creates indexes through aninformation_schema
probe on MySQL, which has noCREATE INDEX IF NOT EXISTS. - Dependency floor corrected to
pyxle-framework>=0.4.0— the
pyxle.pluginsAPI first shipped in 0.4.0.
Install: pip install pyxle-auth
Docs: https://pyxle.dev/docs/plugins/pyxle-auth