Metadata-Version: 2.4
Name: outlabs-auth
Version: 0.1.0a17
Summary: Open-source FastAPI authentication and authorization library with RBAC, ABAC, and Postgres-backed permissions.
Project-URL: Homepage, https://outlabs.io
Project-URL: Documentation, https://github.com/outlabsio/outlabsAuth#readme
Project-URL: Repository, https://github.com/outlabsio/outlabsAuth
Project-URL: Issues, https://github.com/outlabsio/outlabsAuth/issues
Author-email: OUTLABS LLC <contact@outlabs.io>
Maintainer-email: OUTLABS LLC <contact@outlabs.io>
License: MIT License
        
        Copyright (c) 2026 OUTLABS LLC
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
License-File: LICENSE
Keywords: abac,authentication,authorization,fastapi,jwt,permissions,postgresql,rbac,sqlmodel
Classifier: Development Status :: 3 - Alpha
Classifier: Framework :: FastAPI
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.12
Requires-Dist: alembic>=1.13.0
Requires-Dist: asyncpg>=0.29.0
Requires-Dist: click>=8.1.0
Requires-Dist: email-validator>=2.0.0
Requires-Dist: fastapi>=0.104.0
Requires-Dist: httpx>=0.25.0
Requires-Dist: makefun>=1.15.0
Requires-Dist: prometheus-client>=0.19.0
Requires-Dist: pwdlib[argon2,bcrypt]>=0.2.0
Requires-Dist: pydantic-settings>=2.0.0
Requires-Dist: pydantic>=2.0.0
Requires-Dist: pyjwt[crypto]>=2.8.0
Requires-Dist: python-dateutil>=2.8.0
Requires-Dist: python-jose[cryptography]>=3.3.0
Requires-Dist: python-multipart>=0.0.6
Requires-Dist: redis>=6.2.0
Requires-Dist: sqlalchemy[asyncio]>=2.0.0
Requires-Dist: sqlmodel>=0.0.22
Requires-Dist: structlog>=23.0.0
Provides-Extra: all
Requires-Dist: aio-pika>=9.0.0; extra == 'all'
Requires-Dist: aiosmtplib>=3.0.0; extra == 'all'
Requires-Dist: black>=23.0.0; extra == 'all'
Requires-Dist: factory-boy>=3.3.0; extra == 'all'
Requires-Dist: faker>=20.0.0; extra == 'all'
Requires-Dist: httpx-oauth>=0.13.0; extra == 'all'
Requires-Dist: httpx>=0.25.0; extra == 'all'
Requires-Dist: mypy>=1.5.0; extra == 'all'
Requires-Dist: prometheus-client>=0.19.0; extra == 'all'
Requires-Dist: pytest-asyncio>=0.21.0; extra == 'all'
Requires-Dist: pytest-cov>=5.0.0; extra == 'all'
Requires-Dist: pytest>=7.4.0; extra == 'all'
Requires-Dist: python-telegram-bot>=20.0; extra == 'all'
Requires-Dist: redis>=5.0.0; extra == 'all'
Requires-Dist: ruff>=0.9.0; extra == 'all'
Requires-Dist: sendgrid>=6.10.0; extra == 'all'
Requires-Dist: structlog>=23.0.0; extra == 'all'
Requires-Dist: twilio>=8.0.0; extra == 'all'
Requires-Dist: uvicorn[standard]>=0.24.0; extra == 'all'
Provides-Extra: dev
Requires-Dist: black>=23.0.0; extra == 'dev'
Requires-Dist: mypy>=1.5.0; extra == 'dev'
Requires-Dist: questionary>=2.0.0; extra == 'dev'
Requires-Dist: ruff>=0.9.0; extra == 'dev'
Requires-Dist: uvicorn[standard]>=0.24.0; extra == 'dev'
Provides-Extra: notifications
Requires-Dist: aio-pika>=9.0.0; extra == 'notifications'
Requires-Dist: aiosmtplib>=3.0.0; extra == 'notifications'
Requires-Dist: httpx>=0.25.0; extra == 'notifications'
Requires-Dist: python-telegram-bot>=20.0; extra == 'notifications'
Requires-Dist: sendgrid>=6.10.0; extra == 'notifications'
Requires-Dist: twilio>=8.0.0; extra == 'notifications'
Provides-Extra: oauth
Requires-Dist: httpx-oauth>=0.13.0; extra == 'oauth'
Provides-Extra: redis
Requires-Dist: redis>=5.0.0; extra == 'redis'
Provides-Extra: stress
Requires-Dist: aiohttp>=3.9.0; extra == 'stress'
Requires-Dist: asyncio-throttle>=1.0.2; extra == 'stress'
Requires-Dist: click>=8.1.0; extra == 'stress'
Requires-Dist: docker>=7.0.0; extra == 'stress'
Requires-Dist: factory-boy>=3.3.0; extra == 'stress'
Requires-Dist: faker>=20.0.0; extra == 'stress'
Requires-Dist: httpx>=0.25.0; extra == 'stress'
Requires-Dist: locust>=2.17.0; extra == 'stress'
Requires-Dist: matplotlib>=3.8.0; extra == 'stress'
Requires-Dist: memory-profiler>=0.61.0; extra == 'stress'
Requires-Dist: pandas>=2.1.0; extra == 'stress'
Requires-Dist: prometheus-client>=0.19.0; extra == 'stress'
Requires-Dist: psutil>=5.9.0; extra == 'stress'
Requires-Dist: py-spy>=0.3.14; extra == 'stress'
Requires-Dist: requests>=2.31.0; extra == 'stress'
Requires-Dist: rich>=13.7.0; extra == 'stress'
Requires-Dist: uvloop>=0.19.0; extra == 'stress'
Provides-Extra: test
Requires-Dist: factory-boy>=3.3.0; extra == 'test'
Requires-Dist: faker>=20.0.0; extra == 'test'
Requires-Dist: httpx>=0.25.0; extra == 'test'
Requires-Dist: pytest-asyncio>=0.21.0; extra == 'test'
Requires-Dist: pytest-cov>=5.0.0; extra == 'test'
Requires-Dist: pytest>=7.4.0; extra == 'test'
Description-Content-Type: text/markdown

# OutlabsAuth

Open-source FastAPI authentication and authorization for RBAC, ABAC, API keys, and Postgres-backed permission models.

> **Alpha release** - Public PyPI packaging is supported, but the API surface is still settling before 1.0.

## Status

**Current Library Version**: 0.1.0a17

**Release Stage**: Alpha

## What It Does

OutlabsAuth is a library-first auth system for FastAPI applications that want to keep authentication and authorization inside the app instead of outsourcing it to a separate service.

- SimpleRBAC and EnterpriseRBAC presets
- JWT auth, refresh tokens, API keys, service tokens, and OAuth hooks
- Postgres-backed users, roles, permissions, entities, and audit history
- FastAPI router factories, middleware, and CLI migrations

## Install

```bash
pip install outlabs-auth
```

You will also need a PostgreSQL database available to the consuming app.

The consuming app owns its own configuration. In practice that means you provide:

- a PostgreSQL connection URL
- a JWT signing secret
- any app-specific entity, membership, or host-query integrations you want on top of the base library

## Quickstart

```python
from contextlib import asynccontextmanager

from fastapi import FastAPI
from outlabs_auth import SimpleRBAC, register_exception_handlers
from outlabs_auth.routers import get_auth_router

auth = SimpleRBAC(
    database_url="postgresql+asyncpg://postgres:postgres@localhost:5432/app",
    secret_key="change-me",  # placeholder: supply a long random secret from the environment or a secret manager
    auto_migrate=True,
)


@asynccontextmanager
async def lifespan(app: FastAPI):
    await auth.initialize()
    yield
    await auth.shutdown()


app = FastAPI(lifespan=lifespan)
register_exception_handlers(app)
app.include_router(get_auth_router(auth, prefix="/auth"))
```

This example uses `auto_migrate=True` for convenience. For production, run migrations explicitly with the packaged CLI instead of relying on startup migration.

## CLI Bootstrap

After installation, the package exposes an `outlabs-auth` CLI for schema setup and initial seeding.

```bash
export DATABASE_URL=postgresql+asyncpg://postgres:postgres@localhost:5432/app
# optional: export OUTLABS_AUTH_SCHEMA=auth

outlabs-auth migrate
outlabs-auth seed-system
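# change-me is a placeholder; a password passed as an argument is visible in shell history and process listings
outlabs-auth bootstrap-admin --email admin@example.com --password change-me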
```

## Recommended Production Defaults

For real deployments, use the library with explicit, optimized baseline
settings rather than the convenience quickstart defaults.

### App configuration baseline

```python
from outlabs_auth import EnterpriseRBAC

auth = EnterpriseRBAC(
    database_url="postgresql+asyncpg://user:password@db-host/app?ssl=require",
    database_schema="outlabs_auth",
    secret_key="replace-me",  # placeholder: load the JWT signing secret from the environment or a secret manager
    auto_migrate=False,
    redis_url="redis://cache-host:6379/0",  # Enables Redis counters + permission cache
)
```

Recommended defaults:

- use an explicit auth schema such as `outlabs_auth`
- keep `auto_migrate=False` in normal runtime
- provide Redis for production API-key counters, rate limits, and permission caching
- mount the library under an app-owned prefix such as `/iam`

### Database connection guidance

For managed Postgres providers that offer both direct and transaction-pooler
URLs, prefer the direct runtime URL for auth-heavy apps.

Why:

- OutlabsAuth already uses SQLAlchemy connection pooling
- auth and permission checks often perform multiple small round trips
- transaction-pooler endpoints add measurable latency for those query patterns
- non-public auth schemas depend on reliable per-connection schema resolution

Use:

- `postgresql+asyncpg://...`

Avoid as the primary runtime URL when you can:

- transaction-pooler URLs such as provider `-pooler` endpoints
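
A preflight check for the recommended defaults and connection guidance above, meant to run before the application starts; it is an added example, not part of OutlabsAuth. `DATABASE_URL` and `OUTLABS_AUTH_SCHEMA` are the variables the CLI examples use, while `OUTLABS_AUTH_SECRET_KEY`, `REDIS_URL`, and the 32-byte minimum are assumptions made for this sketch.

```python
import os
import secrets
from urllib.parse import urlsplit

# Placeholder secrets used in this README's examples.
PLACEHOLDER_SECRETS = {"change-me", "replace-me"}
MIN_SECRET_BYTES = 32  # assumption: 256-bit floor for the JWT signing secret


def preflight(env):
    """Return findings; an empty list means the documented baseline is met."""
    findings = []
    url = urlsplit(env.get("DATABASE_URL", ""))
    if url.scheme != "postgresql+asyncpg":
        findings.append("DATABASE_URL must use postgresql+asyncpg://")
    if "-pooler" in (url.hostname or ""):
        findings.append("DATABASE_URL points at a transaction-pooler endpoint")
    if url.username == "postgres" and url.password == "postgres":
        findings.append("DATABASE_URL uses the quickstart postgres:postgres login")
    if not env.get("OUTLABS_AUTH_SCHEMA"):
        findings.append("OUTLABS_AUTH_SCHEMA is unset; name an explicit auth schema")
    secret = env.get("OUTLABS_AUTH_SECRET_KEY", "")  # hypothetical variable name
    if secret in PLACEHOLDER_SECRETS:
        findings.append("secret key is a README placeholder")
    elif len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append(f"secret key is shorter than {MIN_SECRET_BYTES} bytes")
    if not env.get("REDIS_URL"):  # hypothetical variable name
        findings.append("REDIS_URL is unset; no Redis counters or permission cache")
    return findings


# Constructed sample environments (not real endpoints or secrets).
QUICKSTART_ENV = {
    "DATABASE_URL": "postgresql+asyncpg://postgres:postgres@localhost:5432/app",
    "OUTLABS_AUTH_SECRET_KEY": "change-me",
}
HARDENED_ENV = {
    "DATABASE_URL": "postgresql+asyncpg://user:password@db-host/app?ssl=require",
    "OUTLABS_AUTH_SCHEMA": "outlabs_auth",
    "OUTLABS_AUTH_SECRET_KEY": secrets.token_urlsafe(48),
    "REDIS_URL": "redis://cache-host:6379/0",
}

if __name__ == "__main__":
    problems = preflight(dict(os.environ))
    for problem in problems:
        print(f"preflight: {problem}")
    raise SystemExit(1 if problems else 0)
```

Run as a script, it exits non-zero when any finding is reported, so a release hook can stop before workers start.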

### Bootstrap and worker startup

Do not rely on `auto_migrate=True` inside a multi-worker application runtime.

Recommended pattern:

1. Run the packaged CLI in a single-process release or prestart step.
2. Start the application workers only after that step succeeds.

Example:

```bash
export DATABASE_URL='postgresql+asyncpg://user:password@db-host/app?ssl=require'
export OUTLABS_AUTH_SCHEMA='outlabs_auth'

outlabs-auth migrate
outlabs-auth seed-system

exec uvicorn myapp.main:app --host 0.0.0.0 --port 8000 --workers 2
```

This avoids worker races and keeps schema ownership explicit.

### Current operator workflow

Today, the recommended operational commands are:

- `outlabs-auth migrate`
- `outlabs-auth seed-system`
- `outlabs-auth bootstrap-admin`
- `outlabs-auth tables`
- `outlabs-auth current`

The intended next step for the library is a more explicit operator experience
around first-boot and diagnosis, such as `outlabs-auth bootstrap` and
`outlabs-auth doctor`. Until that exists, prefer explicit CLI-driven prestart
or release-hook flows over implicit runtime bootstrap.

## More

The repository includes deeper examples, packaged CLI flows, and design notes:

- GitHub: https://github.com/outlabsio/outlabsAuth
- Examples: `examples/` in the repository
- Maintainer release guide: `docs/PRIVATE_RELEASE.md` in the repository

## License

MIT, copyright 2026 OUTLABS LLC.
