Releases: timihack/authwarden

v0.7.1

@timihack timihack released this 27 Jun 12:20
d8dcd77

Added the missing httpx dependency whose absence broke v0.7.0 entirely.

v0.7.0

@timihack timihack released this 27 Jun 12:05
5c67062

First PyPI publish. Pre-1.0 — core library complete (auth flows, MFA, RBAC, OAuth 2.0 across 8 providers, FastAPI routers), pending real-world install verification before v1.0.

Phase 7 — End-to-end HTTP Tests

Pre-release

@timihack timihack released this 26 Jun 11:09
79e0e31

What's included

Full HTTP-level verification of every endpoint — not just the underlying flow
logic, but the actual request/response cycle through FastAPI's routing,
dependency injection, and validation layers.

390 tests passing across all seven phases. The library is now fully built
and verified end-to-end.

Next

PyPI publish pipeline → first real pip install → test project → v1.0

Phase 6 — Assembly

Pre-release

@timihack timihack released this 26 Jun 10:20
987a1dd

What's included

AuthWarden Facade

A single object wiring together every previous phase — password hashing,
JWT, sessions, notifications, OAuth providers — behind one clean constructor.

warden = AuthWarden(config=WardenConfig(secret_key="..."), user_store=MyUserStore())
app.include_router(warden.router, prefix="/auth", tags=["auth"])

20 FastAPI Endpoints

Full router coverage across auth, MFA, and OAuth — register, login, logout,
refresh, password flows (link + OTP), MFA setup/confirm/disable, and the
complete OAuth authorize/callback/connect/disconnect/accounts set.

Dependency Injection

  • warden.current_user — fresh DB fetch + is_active check on every request
  • warden.require_roles(*roles) / warden.require_scopes(*scopes) — JWT-claim-based guards

Fixed

authwarden/__init__.py had been silently empty since Phase 2 — the documented
quickstart now actually works.

Bug caught

FastAPI 0.137.1 changed include_router() internals to lazily wrap sub-routers.
Verified real HTTP routing still resolves correctly via TestClient despite the
new internal representation — all 20 endpoints confirmed working end-to-end.

Test Coverage

29 tests — 29 passing
Cumulative: 323 tests passing across all six phases

Next

Phase 7 — End-to-end HTTP test suite (more exhaustive coverage of every
endpoint's edge cases, beyond Phase 6's wiring-focused tests)

Phase 5 — OAuth 2.0 / Social Login

Pre-release

@timihack timihack released this 17 Jun 11:31
478d2d7

What's included

  • 8 OAuth providers: Google, Facebook, GitHub, Microsoft, LinkedIn, Discord, Twitter/X, Apple
  • PKCE S256 on every flow
  • Account linking with 3-case resolution + auto-register fallback
  • Apple Sign In: dynamic ES256 client_secret, JWKS-cached id_token verification
  • OAuth tokens encrypted at rest (Fernet)
  • Connect/disconnect with last-login-method protection
  • set_password for OAuth-only accounts
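The PKCE S256 step listed above, worked through as an added example written for this page rather than taken from authwarden: the relying party keeps the verifier server-side keyed by the OAuth state, sends only the challenge on the authorize redirect, and the provider recomputes the challenge when the verifier arrives at the token endpoint. PendingAuthorizations, provider_checks_verifier and run_flow are assumed names; provider_checks_verifier stands in for what the OAuth provider does, not anything the library implements.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(raw: bytes) -> str:
    # RFC 7636 base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    # 32 random bytes encode to a 43-character verifier, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class PendingAuthorizations:
    """Relying-party side (assumed name): the verifier never leaves the server, keyed by state."""
    def __init__(self) -> None:
        self._by_state = {}
    def begin(self) -> tuple:
        # Returns what goes on the authorize redirect: state, code_challenge, code_challenge_method.
        state = b64url(secrets.token_bytes(16))
        verifier = make_code_verifier()
        self._by_state[state] = verifier
        return state, make_code_challenge(verifier), "S256"
    def finish(self, state: str):
        # Callback: pop so a second callback carrying the same state finds nothing.
        return self._by_state.pop(state, None)

def provider_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization-server side (the provider's job): recompute and compare in constant time.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)

def run_flow() -> tuple:
    # Happy path plus the two checks that matter: a verifier that does not match the
    # challenge is rejected, and a state cannot be redeemed twice.
    pending = PendingAuthorizations()
    state, challenge, _method = pending.begin()
    verifier = pending.finish(state)
    ok = provider_checks_verifier(challenge, verifier)
    wrong = provider_checks_verifier(challenge, make_code_verifier())
    replay = pending.finish(state)
    return ok, wrong, replay
```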

Test Coverage

57 tests — 57 passing
Cumulative: 294 tests across Phases 1–5

Phase 4 — MFA + Permissions

Pre-release

@timihack timihack released this 16 Jun 08:44
087b64f

What's included

  • TOTP MFA: setup, confirm, disable (pyotp)
  • 8 argon2-hashed single-use backup codes
  • Role hierarchy + scope guards
  • Login brute force lockout (configurable)
  • OTP attempt limiting with auto-invalidation
  • Username and phone uniqueness on registration

Test Coverage

54 tests — 54 passing
Cumulative: 237 tests across Phases 1–4

Phase 3 — Auth Flows

Pre-release

@timihack timihack released this 11 Jun 14:29

What's included

Auth Flows

9 complete flows: register, verify email (link + OTP), resend verification,
login, logout, refresh, forgot password (link + OTP), reset password (link + OTP),
change password.

SMS Support

Three built-in SMS backends: Twilio, AWS SNS, and Console (dev).
Drop in any custom backend by implementing AbstractSmsBackend.

Flexible Verification

Switch between link-based and OTP-based verification via config.
OTP delivered via email, SMS, or both simultaneously.

Multi-Identifier Login

Users can log in with email, username, or phone number.
Configure the order fields are tried via login_identifier_fields.

NotificationService

Single hub that routes all notifications across channels.
Fully replaceable via AbstractNotificationService protocol.

Flexible User Model

UserInDB supports extra_data dict, extra="allow" for subclassing,
and new phone + OTP fields built in.

Test Coverage

71 tests — 71 passing
Cumulative: 183 tests passing across Phases 1–3

Install

pip install authwarden

With SMS support via Twilio or Mailgun/SendGrid:

pip install httpx

With AWS SNS:

pip install boto3

Phase 2 — Auth Primitives

Pre-release

@timihack timihack released this 09 Jun 13:32
ed68f75

What's included

Password Hashing

  • argon2 (default) and bcrypt via pwdlib
  • verify_and_update() for silent rehash on login
  • Configurable policy: min length, uppercase, digit, special character

JWT Management

  • Access + refresh token issuance via PyJWT
  • Per-token revocation via jti blacklist
  • Pluggable blacklist backends: in-memory and Redis
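How per-token revocation via a jti blacklist works, as an added stdlib-only example that is not authwarden's code: the library uses PyJWT, whereas this block hand-rolls a minimal HS256 token so it runs with no dependencies. issue, verify, revoke and InMemoryBlacklist are assumed names illustrating the mechanism, not the library's API.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, header: str, body: str) -> bytes:
    return hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()

def issue(secret: bytes, sub: str, now: int, ttl: int) -> str:
    # Each token carries a unique jti so it can be revoked on its own.
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64url(_sign(secret, header, body))}"

class InMemoryBlacklist:  # assumed name; maps revoked jti -> exp (a Redis backend would set a TTL)
    def __init__(self) -> None:
        self._revoked = {}
    def add(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp
    def contains(self, jti: str, now: int) -> bool:
        return self._revoked.get(jti, 0) > now  # an entry past exp no longer matters: the token is dead anyway

def verify(secret: bytes, token: str, blacklist: InMemoryBlacklist, now: int) -> "dict | None":
    # The algorithm is fixed server-side; the token's own header is never trusted for it.
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(secret, header, body), _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong part count, bad base64, or invalid JSON
        return None
    if claims.get("exp", 0) <= now or blacklist.contains(claims.get("jti", ""), now):
        return None
    return claims

def revoke(secret: bytes, token: str, blacklist: InMemoryBlacklist, now: int) -> bool:
    # Logout: blacklist this jti until its exp; the user's other tokens stay valid.
    claims = verify(secret, token, blacklist, now)
    if claims is not None:
        blacklist.add(claims["jti"], claims["exp"])
    return claims is not None
```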

Session Backends

  • SessionData model with device fingerprinting (user_agent, ip_hash)
  • In-memory backend for development and testing
  • Redis backend for production (requires authwarden[redis])

Test Coverage

  • 55 tests — 55 passing
  • Cumulative: 112 tests passing across Phase 1 + Phase 2

Notes

  • No breaking changes to Phase 1 interfaces
  • Redis backends require pip install authwarden[redis]

Phase 1 — Foundation

Pre-release

@timihack timihack released this 09 Jun 07:07
ed68f75

What's included

  • exceptions.py — full typed error hierarchy
  • models/user.py + models/token.py — Pydantic v2 models
  • core/config.py — WardenConfig + OAuthProviderConfig
  • storage/base.py — AbstractUserStore protocol
  • storage/memory.py — in-memory store for testing
  • utils.py — secure token helpers