Releases: timihack/authwarden
Release list
v0.7.1
v0.7.0
Phase 7 — End-to-end HTTP Tests
What's included
Full HTTP-level verification of every endpoint — not just the underlying flow
logic, but the actual request/response cycle through FastAPI's routing,
dependency injection, and validation layers.
390 tests passing across all seven phases. The library is now fully built
and verified end-to-end.
Next
PyPI publish pipeline → first real pip install → test project → v1.0
Phase 6 — Assembly
What's included
AuthWarden Facade
A single object wiring together every previous phase — password hashing,
JWT, sessions, notifications, OAuth providers — behind one clean constructor.
warden = AuthWarden(config=WardenConfig(secret_key="..."), user_store=MyUserStore())
app.include_router(warden.router, prefix="/auth", tags=["auth"])
20 FastAPI Endpoints
Full router coverage across auth, MFA, and OAuth — register, login, logout,
refresh, password flows (link + OTP), MFA setup/confirm/disable, and the
complete OAuth authorize/callback/connect/disconnect/accounts set.
Dependency Injection
- warden.current_user — fresh DB fetch + is_active check on every request
- warden.require_roles(*roles) / warden.require_scopes(*scopes) — JWT-claim-based guards
Fixed
authwarden/__init__.py had been silently empty since Phase 2 — the documented
quickstart now actually works.
Bug caught
FastAPI 0.137.1 changed include_router() internals to lazily wrap sub-routers.
Verified real HTTP routing still resolves correctly via TestClient despite the
new internal representation — all 20 endpoints confirmed working end-to-end.
Test Coverage
29 tests — 29 passing
Cumulative: 323 tests passing across all six phases
Next
Phase 7 — End-to-end HTTP test suite (more exhaustive coverage of every
endpoint's edge cases, beyond Phase 6's wiring-focused tests)
Phase 5 — OAuth 2.0 / Social Login
What's included
- 8 OAuth providers: Google, Facebook, GitHub, Microsoft, LinkedIn, Discord, Twitter/X, Apple
- PKCE S256 on every flow
- Account linking with 3-case resolution + auto-register fallback
- Apple Sign In: dynamic ES256 client_secret, JWKS-cached id_token verification
- OAuth tokens encrypted at rest (Fernet)
- Connect/disconnect with last-login-method protection
- set_password for OAuth-only accounts
Test Coverage
57 tests — 57 passing
Cumulative: 294 tests across Phases 1–5
Phase 4 — MFA + Permissions
What's included
- TOTP MFA: setup, confirm, disable (pyotp)
- 8 argon2-hashed single-use backup codes
- Role hierarchy + scope guards
- Login brute force lockout (configurable)
- OTP attempt limiting with auto-invalidation
- Username and phone uniqueness on registration
Test Coverage
54 tests — 54 passing
Cumulative: 237 tests across Phases 1–4
Phase 3 — Auth Flows
What's included
Auth Flows
9 complete flows: register, verify email (link + OTP), resend verification,
login, logout, refresh, forgot password (link + OTP), reset password (link + OTP),
change password.
SMS Support
Three built-in SMS backends: Twilio, AWS SNS, and Console (dev).
Drop in any custom backend by implementing AbstractSmsBackend.
Flexible Verification
Switch between link-based and OTP-based verification via config.
OTP delivered via email, SMS, or both simultaneously.
Multi-Identifier Login
Users can log in with email, username, or phone number.
Configure the order fields are tried via login_identifier_fields.
NotificationService
Single hub that routes all notifications across channels.
Fully replaceable via AbstractNotificationService protocol.
Flexible User Model
UserInDB supports extra_data dict, extra="allow" for subclassing,
and new phone + OTP fields built in.
Test Coverage
71 tests — 71 passing
Cumulative: 183 tests passing across Phases 1–3
Install
pip install authwarden
With SMS support via Twilio or Mailgun/SendGrid:
pip install httpx
With AWS SNS:
pip install boto3
Phase 2 — Auth Primitives
What's included
Password Hashing
- argon2 (default) and bcrypt via pwdlib
- verify_and_update() for silent rehash on login
- Configurable policy: min length, uppercase, digit, special character
JWT Management
- Access + refresh token issuance via PyJWT
- Per-token revocation via jti blacklist
- Pluggable blacklist backends: in-memory and Redis
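As an added illustration of the per-token revocation listed above (not AuthWarden's own code, which issues tokens with PyJWT and ships its own backends), this self-contained sketch issues HS256 tokens carrying a random jti, verifies them, and revokes one token through a minimal in-memory blacklist that keeps an entry only until that token would expire anyway. JWT encode/verify is done with the standard library instead of PyJWT so it runs with no dependencies; SECRET is a constructed demo value and every function name here is an assumption.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"demo-secret-change-me"  # constructed sample key for this demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class InMemoryBlacklist:
    """In-memory blacklist backend: maps a revoked jti to that token's exp."""
    def __init__(self) -> None:
        self._revoked = {}
    def add(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp
    def contains(self, jti: str, now=None) -> bool:
        now = time.time() if now is None else now
        # Prune entries whose token has expired: the blacklist only holds live tokens.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked

def issue_token(sub: str, ttl: int, now=None) -> str:
    # A fresh random jti per token is what makes revoking *this* token possible.
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, blacklist: InMemoryBlacklist, now=None):
    """Return the claims if alg, signature, exp and blacklist all pass, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":  # refuse alg confusion
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims["exp"] <= now or blacklist.contains(claims["jti"], now):
            return None
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):  # malformed token
        return None

def revoke_token(token: str, blacklist: InMemoryBlacklist) -> None:
    # Logout: blacklist the jti only until the token would have expired anyway.
    claims = json.loads(_unb64(token.split(".")[1]))
    blacklist.add(claims["jti"], claims["exp"])
```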
Session Backends
- SessionData model with device fingerprinting (user_agent, ip_hash)
- In-memory backend for development and testing
- Redis backend for production (requires authwarden[redis])
Test Coverage
- 55 tests — 55 passing
- Cumulative: 112 tests passing across Phase 1 + Phase 2
Notes
- No breaking changes to Phase 1 interfaces
- Redis backends require pip install authwarden[redis]
Phase 1 — Foundation
What's included
- exceptions.py — full typed error hierarchy
- models/user.py + models/token.py — Pydantic v2 models
- core/config.py — WardenConfig + OAuthProviderConfig
- storage/base.py — AbstractUserStore protocol
- storage/memory.py — in-memory store for testing
- utils.py — secure token helpers