lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add authentication routes with session login, WebAuthn, and credential management

Browse source 
Implement Phase 4 auth routes: password login/logout, WebAuthn
registration and authentication, magic link registration, and
credential management pages with HTMX. Includes session middleware,
Jinja2 templates, vendored HTMX, and last-credential guardrails.

120 tests passing.
This commit is contained in:
Johan Lundberg 2026-02-16 11:39:50 +01:00
parent f7ed2cf54d
commit e15dcc4745
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
23 changed files with 1440 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
pyproject.toml
View file

@ -17,6 +17,7 @@ dependencies = [
"proquint>=0.2",
"python-multipart>=0.0.20",
"httpx>=0.28",
"itsdangerous>=2.2.0",
]
[project.scripts]

43
src/fastapi_oidc_op/app.py
View file

@ -1,11 +1,21 @@
import secrets
from collections.abc import AsyncIterator
from contextlib import asynccontextmanager
from pathlib import Path
from urllib.parse import urlparse
import aiosqlite
from fastapi import FastAPI
from fastapi.staticfiles import StaticFiles
from fastapi.templating import Jinja2Templates
from starlette.middleware.sessions import SessionMiddleware
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.authn.routes import router as authn_router
from fastapi_oidc_op.authn.webauthn import WebAuthnService
from fastapi_oidc_op.config import Settings, StorageBackend
from fastapi_oidc_op.invite.service import MagicLinkService
from fastapi_oidc_op.manage.routes import router as manage_router
from fastapi_oidc_op.store.sqlite.migrations import run_migrations
from fastapi_oidc_op.store.sqlite.repositories import (
SQLiteCredentialRepository,
@ -13,7 +23,8 @@ from fastapi_oidc_op.store.sqlite.repositories import (
SQLiteUserRepository,
)
MIGRATIONS_DIR = Path(__file__).parent / "store" / "sqlite" / "migrations"
PACKAGE_DIR = Path(__file__).parent
MIGRATIONS_DIR = PACKAGE_DIR / "store" / "sqlite" / "migrations"
@asynccontextmanager
@ -30,6 +41,22 @@ async def lifespan(app: FastAPI) -> AsyncIterator[None]:
app.state.user_repo = SQLiteUserRepository(db)
app.state.credential_repo = SQLiteCredentialRepository(db)
app.state.magic_link_repo = SQLiteMagicLinkRepository(db)
# Auth services
app.state.password_service = PasswordService()
rp_id = urlparse(settings.issuer).hostname or "localhost"
app.state.webauthn_service = WebAuthnService(
rp_id=rp_id,
rp_name=app.title,
origin=settings.issuer,
)
app.state.magic_link_service = MagicLinkService(
repo=app.state.magic_link_repo,
ttl=settings.invite_ttl,
)
yield
await db.close()
else:
@ -50,6 +77,20 @@ def create_app(settings: Settings | None = None) -> FastAPI:
app.state.settings = settings
# Session middleware
session_secret = settings.session_secret or secrets.token_hex(32)
app.add_middleware(SessionMiddleware, secret_key=session_secret) # type: ignore[arg-type]
# Templates
app.state.templates = Jinja2Templates(directory=str(PACKAGE_DIR / "templates"))
# Static files
app.mount("/static", StaticFiles(directory=str(PACKAGE_DIR / "static")), name="static")
# Routers
app.include_router(authn_router)
app.include_router(manage_router)
@app.get("/health")
async def health() -> dict[str, str]:
return {"status": "ok"}

154
src/fastapi_oidc_op/authn/routes.py Normal file
View file

@ -0,0 +1,154 @@
from fastapi import APIRouter, Form, Request, Response
from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
from fido2.webauthn import (
AttestedCredentialData,
AuthenticationResponse,
PublicKeyCredentialDescriptor,
PublicKeyCredentialType,
)
from fastapi_oidc_op.models import User
from fastapi_oidc_op.userid import generate_unique_userid
router = APIRouter(tags=["authn"])
@router.get("/login", response_class=HTMLResponse)
async def login_page(request: Request) -> HTMLResponse:
templates = request.app.state.templates
return templates.TemplateResponse(request, "login.html")
@router.post("/login/password", response_class=HTMLResponse)
async def login_password(
request: Request,
username: str = Form(),
password: str = Form(),
) -> Response:
user_repo = request.app.state.user_repo
cred_repo = request.app.state.credential_repo
password_service = request.app.state.password_service
error_html = '<div role="alert">Invalid username or password</div>'
user = await user_repo.get_by_username(username)
if user is None:
return HTMLResponse(error_html)
credential = await cred_repo.get_password_by_user(user.userid)
if credential is None:
return HTMLResponse(error_html)
if not password_service.verify(credential.password_hash, password):
return HTMLResponse(error_html)
request.session["userid"] = user.userid
request.session["username"] = user.username
response = Response()
response.headers["HX-Redirect"] = "/manage/credentials"
return response
@router.post("/logout")
async def logout(request: Request) -> Response:
request.session.clear()
response = Response()
response.headers["HX-Redirect"] = "/login"
return response
@router.get("/register/{token}")
async def register_magic_link(request: Request, token: str) -> Response:
magic_link_service = request.app.state.magic_link_service
user_repo = request.app.state.user_repo
link = await magic_link_service.validate(token)
if link is None:
return HTMLResponse("<p>Invalid or expired registration link.</p>", status_code=400)
userid = await generate_unique_userid(user_repo)
user = User(userid=userid, username=link.username, groups=["users"])
await user_repo.create(user)
await magic_link_service.mark_used(token)
request.session["userid"] = user.userid
request.session["username"] = user.username
return RedirectResponse("/manage/credentials?setup=1", status_code=303)
@router.post("/login/webauthn/begin")
async def login_webauthn_begin(
request: Request,
username: str = Form(),
) -> Response:
user_repo = request.app.state.user_repo
cred_repo = request.app.state.credential_repo
webauthn_service = request.app.state.webauthn_service
error_html = '<div role="alert">Invalid username or password</div>'
user = await user_repo.get_by_username(username)
if user is None:
return HTMLResponse(error_html)
webauthn_creds = await cred_repo.get_webauthn_by_user(user.userid)
if not webauthn_creds:
return HTMLResponse(error_html)
descriptors = [
PublicKeyCredentialDescriptor(type=PublicKeyCredentialType.PUBLIC_KEY, id=cred.credential_id)
for cred in webauthn_creds
]
options, state = webauthn_service.begin_authentication(credentials=descriptors)
request.session["webauthn_login_state"] = state
request.session["webauthn_login_userid"] = user.userid
return JSONResponse(options)
@router.post("/login/webauthn/complete")
async def login_webauthn_complete(request: Request) -> Response:
webauthn_service = request.app.state.webauthn_service
user_repo = request.app.state.user_repo
cred_repo = request.app.state.credential_repo
state = request.session.pop("webauthn_login_state", None)
userid = request.session.pop("webauthn_login_userid", None)
if state is None or userid is None:
return HTMLResponse('<div role="alert">Authentication session expired</div>', status_code=400)
webauthn_creds = await cred_repo.get_webauthn_by_user(userid)
credentials = [AttestedCredentialData(cred.public_key) for cred in webauthn_creds]
body = await request.json()
try:
webauthn_service.complete_authentication(state, credentials, body)
except Exception:
return HTMLResponse('<div role="alert">Authentication failed</div>')
# Extract sign count from the response and update
auth_response = AuthenticationResponse.from_dict(body)
new_counter = auth_response.response.authenticator_data.counter
matched_credential_id = auth_response.raw_id
stored = await cred_repo.get_webauthn_by_credential_id(matched_credential_id)
if stored is not None:
stored.sign_count = new_counter
await cred_repo.update_webauthn(stored)
user = await user_repo.get_by_userid(userid)
if user is None:
return HTMLResponse('<div role="alert">User not found</div>', status_code=400)
request.session["userid"] = user.userid
request.session["username"] = user.username
response = Response()
response.headers["HX-Redirect"] = "/manage/credentials"
return response

3
src/fastapi_oidc_op/config.py
View file

@ -29,6 +29,9 @@ class Settings(BaseSettings):
# Management RP
manage_client_id: str = "manage-app"
# Session
session_secret: str | None = None # If None, a random secret is generated per process
# Magic links
invite_ttl: int = 86400 # seconds

23
src/fastapi_oidc_op/dependencies.py
View file

@ -1,4 +1,4 @@
from fastapi import Request
from fastapi import HTTPException, Request
from fastapi_oidc_op.store.protocols import (
CredentialRepository,
@ -17,3 +17,24 @@ def get_credential_repo(request: Request) -> CredentialRepository:
def get_magic_link_repo(request: Request) -> MagicLinkRepository:
return request.app.state.magic_link_repo
def get_session_user(request: Request) -> tuple[str, str] | None:
"""Extract (userid, username) from session, or None if not logged in."""
userid = request.session.get("userid")
username = request.session.get("username")
if userid and username:
return (userid, username)
return None
def require_session_user(request: Request) -> tuple[str, str]:
"""Like get_session_user but raises HTTPException(401) if not logged in.
Routes that need a redirect-to-login behavior should catch this or
use get_session_user and redirect manually.
"""
result = get_session_user(request)
if result is None:
raise HTTPException(status_code=401, detail="Not authenticated")
return result

166
src/fastapi_oidc_op/manage/routes.py Normal file
View file

@ -0,0 +1,166 @@
from base64 import urlsafe_b64decode
from fastapi import APIRouter, Form, Request, Response
from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
from fido2.webauthn import PublicKeyCredentialDescriptor, PublicKeyCredentialType
from fastapi_oidc_op.dependencies import get_session_user
from fastapi_oidc_op.models import PasswordCredential, WebAuthnCredential
router = APIRouter(prefix="/manage", tags=["manage"])
async def _count_credentials(cred_repo: object, userid: str) -> int:
"""Count total credentials (password + webauthn) for a user."""
webauthn = await cred_repo.get_webauthn_by_user(userid) # type: ignore[union-attr]
password = await cred_repo.get_password_by_user(userid) # type: ignore[union-attr]
return len(webauthn) + (1 if password else 0)
@router.get("/credentials", response_class=HTMLResponse)
async def credentials_page(request: Request) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, username = session_user
cred_repo = request.app.state.credential_repo
webauthn_credentials = await cred_repo.get_webauthn_by_user(userid)
password_credential = await cred_repo.get_password_by_user(userid)
setup = request.query_params.get("setup")
templates = request.app.state.templates
return templates.TemplateResponse(
request,
"manage/credentials.html",
{
"username": username,
"webauthn_credentials": webauthn_credentials,
"has_password": password_credential is not None,
"setup": setup,
},
)
@router.post("/credentials/password", response_class=HTMLResponse)
async def set_password(
request: Request,
password: str = Form(),
confirm: str = Form(),
) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, _username = session_user
cred_repo = request.app.state.credential_repo
password_service = request.app.state.password_service
if password != confirm:
return HTMLResponse('<div role="alert">Passwords do not match</div>')
if len(password) < 8:
return HTMLResponse('<div role="alert">Password must be at least 8 characters</div>')
password_hash = password_service.hash(password)
existing = await cred_repo.get_password_by_user(userid)
if existing is not None:
await cred_repo.delete_password(userid)
await cred_repo.create_password(PasswordCredential(user_id=userid, password_hash=password_hash))
return HTMLResponse('<div role="status">Password updated successfully</div>')
@router.delete("/credentials/password", response_class=HTMLResponse)
async def delete_password(request: Request) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, _username = session_user
cred_repo = request.app.state.credential_repo
count = await _count_credentials(cred_repo, userid)
if count <= 1:
return HTMLResponse('<div role="alert">Cannot remove your last credential</div>')
await cred_repo.delete_password(userid)
return HTMLResponse('<div role="status">Password removed</div>')
@router.post("/credentials/webauthn/begin")
async def webauthn_begin(request: Request) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, username = session_user
cred_repo = request.app.state.credential_repo
webauthn_service = request.app.state.webauthn_service
# Build exclude list from existing credentials
existing = await cred_repo.get_webauthn_by_user(userid)
descriptors = [
PublicKeyCredentialDescriptor(type=PublicKeyCredentialType.PUBLIC_KEY, id=cred.credential_id)
for cred in existing
]
options, state = webauthn_service.begin_registration(
user_id=userid.encode(),
username=username,
existing_credentials=descriptors,
)
request.session["webauthn_register_state"] = state
return JSONResponse(options)
@router.post("/credentials/webauthn/complete")
async def webauthn_complete(request: Request) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, _username = session_user
cred_repo = request.app.state.credential_repo
webauthn_service = request.app.state.webauthn_service
state = request.session.pop("webauthn_register_state", None)
if state is None:
return HTMLResponse('<div role="alert">Registration session expired</div>', status_code=400)
body = await request.json()
result = webauthn_service.complete_registration(state, body)
cred = WebAuthnCredential(
user_id=userid,
credential_id=result.credential_data.credential_id,
public_key=bytes(result.credential_data),
)
await cred_repo.create_webauthn(cred)
return HTMLResponse('<div role="status">Security key added</div>')
@router.delete("/credentials/webauthn/{credential_id_b64}")
async def delete_webauthn(request: Request, credential_id_b64: str) -> Response:
session_user = get_session_user(request)
if session_user is None:
return RedirectResponse("/login", status_code=303)
userid, _username = session_user
cred_repo = request.app.state.credential_repo
# Decode base64url credential_id (add padding if needed)
padded = credential_id_b64 + "=" * (-len(credential_id_b64) % 4)
credential_id = urlsafe_b64decode(padded)
count = await _count_credentials(cred_repo, userid)
if count <= 1:
return HTMLResponse('<div role="alert">Cannot remove your last credential</div>')
await cred_repo.delete_webauthn(userid, credential_id)
return HTMLResponse('<div role="status">Security key removed</div>')

1
src/fastapi_oidc_op/static/htmx.min.js vendored Normal file
View file

File diff suppressed because one or more lines are too long

134
src/fastapi_oidc_op/static/style.css Normal file
View file

@ -0,0 +1,134 @@
:root {
--bg: #fdfdfd;
--fg: #1a1a1a;
--accent: #2563eb;
--accent-fg: #fff;
--border: #d1d5db;
--error-bg: #fef2f2;
--error-fg: #991b1b;
--success-bg: #f0fdf4;
--success-fg: #166534;
--radius: 0.375rem;
}
@media (prefers-color-scheme: dark) {
:root {
--bg: #111;
--fg: #e5e5e5;
--accent: #60a5fa;
--accent-fg: #111;
--border: #404040;
--error-bg: #450a0a;
--error-fg: #fca5a5;
--success-bg: #052e16;
--success-fg: #86efac;
}
}
*,
*::before,
*::after {
box-sizing: border-box;
}
body {
font-family: system-ui, -apple-system, sans-serif;
background: var(--bg);
color: var(--fg);
max-width: 40rem;
margin: 2rem auto;
padding: 0 1rem;
line-height: 1.6;
}
.skip-link {
position: absolute;
left: -9999px;
top: 0;
background: var(--accent);
color: var(--accent-fg);
padding: 0.5rem 1rem;
z-index: 100;
}
.skip-link:focus {
left: 0;
}
:focus-visible {
outline: 2px solid var(--accent);
outline-offset: 2px;
}
label {
display: block;
margin-bottom: 0.25rem;
font-weight: 500;
}
input[type="text"],
input[type="password"],
input[type="email"] {
display: block;
width: 100%;
padding: 0.5rem;
border: 1px solid var(--border);
border-radius: var(--radius);
background: var(--bg);
color: var(--fg);
font-size: 1rem;
margin-bottom: 1rem;
}
button {
padding: 0.5rem 1rem;
border: none;
border-radius: var(--radius);
background: var(--accent);
color: var(--accent-fg);
font-size: 1rem;
cursor: pointer;
}
button:hover {
opacity: 0.9;
}
[role="alert"] {
background: var(--error-bg);
color: var(--error-fg);
padding: 0.75rem 1rem;
border-radius: var(--radius);
margin-bottom: 1rem;
}
[role="status"] {
background: var(--success-bg);
color: var(--success-fg);
padding: 0.75rem 1rem;
border-radius: var(--radius);
margin-bottom: 1rem;
}
.sr-only {
position: absolute;
width: 1px;
height: 1px;
padding: 0;
margin: -1px;
overflow: hidden;
clip: rect(0, 0, 0, 0);
white-space: nowrap;
border: 0;
}
@media (prefers-reduced-motion: reduce) {
*,
*::before,
*::after {
animation-duration: 0.01ms !important;
animation-iteration-count: 1 !important;
transition-duration: 0.01ms !important;
scroll-behavior: auto !important;
}
}

149
src/fastapi_oidc_op/static/webauthn.js Normal file
View file

@ -0,0 +1,149 @@
// WebAuthn helper functions for registration and authentication
function base64urlToBytes(s) {
s = s.replace(/-/g, '+').replace(/_/g, '/');
while (s.length % 4) s += '=';
const raw = atob(s);
const bytes = new Uint8Array(raw.length);
for (let i = 0; i < raw.length; i++) bytes[i] = raw.charCodeAt(i);
return bytes;
}
function bytesToBase64url(bytes) {
const raw = String.fromCharCode(...new Uint8Array(bytes));
return btoa(raw).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
async function beginRegistration() {
const statusEl = document.getElementById('webauthn-status');
try {
// Step 1: Get options from server
const beginRes = await fetch('/manage/credentials/webauthn/begin', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
});
if (!beginRes.ok) {
if (statusEl) statusEl.innerHTML = '<div role="alert">Failed to start registration</div>';
return;
}
const options = await beginRes.json();
// Step 2: Convert base64url fields to ArrayBuffers for WebAuthn API
const publicKey = options.publicKey;
publicKey.challenge = base64urlToBytes(publicKey.challenge);
publicKey.user.id = base64urlToBytes(publicKey.user.id);
if (publicKey.excludeCredentials) {
publicKey.excludeCredentials = publicKey.excludeCredentials.map(function (c) {
return { ...c, id: base64urlToBytes(c.id) };
});
}
// Step 3: Call browser WebAuthn API
const credential = await navigator.credentials.create({ publicKey: publicKey });
// Step 4: Encode response for server
const attestationResponse = credential.response;
const body = {
id: bytesToBase64url(credential.rawId),
rawId: bytesToBase64url(credential.rawId),
type: credential.type,
response: {
clientDataJSON: bytesToBase64url(attestationResponse.clientDataJSON),
attestationObject: bytesToBase64url(attestationResponse.attestationObject),
},
};
// Step 5: Send to server
const completeRes = await fetch('/manage/credentials/webauthn/complete', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(body),
});
if (completeRes.ok) {
// Reload to show updated credential list
window.location.reload();
} else {
const text = await completeRes.text();
if (statusEl) statusEl.innerHTML = text;
}
} catch (err) {
if (statusEl) statusEl.innerHTML = '<div role="alert">Registration failed: ' + err.message + '</div>';
}
}
async function beginAuthentication(username) {
const statusEl = document.getElementById('webauthn-login-status');
const form = new FormData();
form.append('username', username);
try {
// Step 1: Get options from server
const beginRes = await fetch('/login/webauthn/begin', {
method: 'POST',
body: form,
});
if (!beginRes.ok) {
const text = await beginRes.text();
if (statusEl) statusEl.innerHTML = text;
return;
}
const options = await beginRes.json();
// Step 2: Convert base64url fields to ArrayBuffers
const publicKey = options.publicKey;
publicKey.challenge = base64urlToBytes(publicKey.challenge);
if (publicKey.allowCredentials) {
publicKey.allowCredentials = publicKey.allowCredentials.map(function (c) {
return { ...c, id: base64urlToBytes(c.id) };
});
}
// Step 3: Call browser WebAuthn API
const assertion = await navigator.credentials.get({ publicKey: publicKey });
// Step 4: Encode response for server
const assertionResponse = assertion.response;
const body = {
id: bytesToBase64url(assertion.rawId),
rawId: bytesToBase64url(assertion.rawId),
type: assertion.type,
response: {
clientDataJSON: bytesToBase64url(assertionResponse.clientDataJSON),
authenticatorData: bytesToBase64url(assertionResponse.authenticatorData),
signature: bytesToBase64url(assertionResponse.signature),
userHandle: assertionResponse.userHandle ? bytesToBase64url(assertionResponse.userHandle) : null,
},
};
// Step 5: Send to server
const completeRes = await fetch('/login/webauthn/complete', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(body),
});
if (completeRes.ok) {
const data = await completeRes.json();
if (data.redirect) {
window.location.href = data.redirect;
} else {
window.location.href = '/manage/credentials';
}
} else {
const text = await completeRes.text();
if (statusEl) statusEl.innerHTML = text;
}
} catch (err) {
if (statusEl) statusEl.innerHTML = '<div role="alert">Authentication failed: ' + err.message + '</div>';
}
}
// Wire up the registration button
document.addEventListener('DOMContentLoaded', function () {
const registerBtn = document.getElementById('webauthn-register-btn');
if (registerBtn) {
registerBtn.addEventListener('click', beginRegistration);
}
});

18
src/fastapi_oidc_op/templates/base.html Normal file
View file

@ -0,0 +1,18 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>{% block title %}FastAPI OIDC OP{% endblock %}</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<a class="skip-link" href="#main">Skip to content</a>
<main id="main" tabindex="-1">
{% block content %}{% endblock %}
</main>
<div aria-live="polite" aria-atomic="true" class="sr-only" id="live"></div>
<script src="/static/htmx.min.js" defer></script>
{% block scripts %}{% endblock %}
</body>
</html>

35
src/fastapi_oidc_op/templates/login.html Normal file
View file

@ -0,0 +1,35 @@
{% extends "base.html" %}
{% block title %}Login — FastAPI OIDC OP{% endblock %}
{% block content %}
<h1>Sign in</h1>
<div id="login-error"></div>
<section>
<h2>Password</h2>
<form hx-post="/login/password" hx-target="#login-error" hx-swap="innerHTML">
<div>
<label for="username">Username</label>
<input type="text" id="username" name="username" required autocomplete="username">
</div>
<div>
<label for="password">Password</label>
<input type="password" id="password" name="password" required autocomplete="current-password">
</div>
<button type="submit">Sign in</button>
</form>
</section>
<section>
<h2>Security key</h2>
<form id="webauthn-login-form">
<div>
<label for="webauthn-username">Username</label>
<input type="text" id="webauthn-username" name="username" required autocomplete="username">
</div>
<button type="button" id="webauthn-login-btn">Sign in with security key</button>
</form>
</section>
{% endblock %}

58
src/fastapi_oidc_op/templates/manage/credentials.html Normal file
View file

@ -0,0 +1,58 @@
{% extends "base.html" %}
{% block title %}Credentials — FastAPI OIDC OP{% endblock %}
{% block content %}
<h1>Credentials</h1>
{% if setup %}
<div role="status">
<p><strong>Welcome, {{ username }}!</strong> Set up your credentials to secure your account.</p>
</div>
{% endif %}
<section>
<h2>Security keys</h2>
<div id="webauthn-list">
{% if webauthn_credentials %}
<ul>
{% for cred in webauthn_credentials %}
<li>
{{ cred.device_name or "Security key" }}
<small>(added {{ cred.created_at.strftime('%Y-%m-%d') }})</small>
</li>
{% endfor %}
</ul>
{% else %}
<p>No security keys registered.</p>
{% endif %}
</div>
<button type="button" id="webauthn-register-btn">Add security key</button>
</section>
<section>
<h2>Password</h2>
<div id="password-section">
{% if has_password %}
<p>Password is set.</p>
{% else %}
<p>No password set.</p>
{% endif %}
<form hx-post="/manage/credentials/password" hx-target="#password-section" hx-swap="innerHTML">
<div>
<label for="password">{{ "New password" if has_password else "Set password" }}</label>
<input type="password" id="password" name="password" required minlength="8" autocomplete="new-password">
</div>
<div>
<label for="confirm">Confirm password</label>
<input type="password" id="confirm" name="confirm" required minlength="8" autocomplete="new-password">
</div>
<button type="submit">{{ "Change password" if has_password else "Set password" }}</button>
</form>
</div>
</section>
{% endblock %}
{% block scripts %}
<script src="/static/webauthn.js" defer></script>
{% endblock %}

0
tests/test_auth_routes/__init__.py Normal file
View file

69
tests/test_auth_routes/test_last_credential_guard.py Normal file
View file

@ -0,0 +1,69 @@
from base64 import urlsafe_b64encode
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password credential, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
await client.post(
"/login/password",
data={"username": "alice", "password": "testpass"},
headers={"HX-Request": "true"},
)
return user.userid
async def test_cannot_delete_last_password_credential(client: AsyncClient) -> None:
"""User has only a password — cannot delete it."""
await _create_user_and_login(client)
res = await client.delete(
"/manage/credentials/password",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
assert "last credential" in res.text.lower() or "Cannot remove" in res.text
# Password should still exist
app = client._transport.app # type: ignore[union-attr]
cred = await app.state.credential_repo.get_password_by_user("lusab-bansen")
assert cred is not None
async def test_cannot_delete_last_webauthn_credential(client: AsyncClient) -> None:
"""User has only one webauthn credential (password was removed) — cannot delete it."""
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Add webauthn, then delete password (so webauthn is the only credential)
await cred_repo.create_webauthn(WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1"))
await cred_repo.delete_password(userid)
cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
res = await client.delete(
f"/manage/credentials/webauthn/{cred_id_b64}",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
# Credential should still exist
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 1

54
tests/test_auth_routes/test_manage_credentials_page.py Normal file
View file

@ -0,0 +1,54 @@
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User
async def _login(client: AsyncClient, username: str = "alice", password: str = "testpass") -> None:
"""Helper: create user + password credential and log in via POST /login/password."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = await user_repo.get_by_username(username)
if user is None:
user = User(
userid="lusab-bansen", username=username, created_at=datetime.now(UTC), updated_at=datetime.now(UTC)
)
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
existing = await cred_repo.get_password_by_user(user.userid)
if existing is None:
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash(password)))
await client.post(
"/login/password",
data={"username": username, "password": password},
headers={"HX-Request": "true"},
)
async def test_manage_credentials_requires_login(client: AsyncClient) -> None:
res = await client.get("/manage/credentials", follow_redirects=False)
assert res.status_code in (302, 303)
assert res.headers["location"] == "/login"
async def test_manage_credentials_renders_for_logged_in_user(client: AsyncClient) -> None:
await _login(client)
res = await client.get("/manage/credentials")
assert res.status_code == 200
assert "Credentials" in res.text
async def test_manage_credentials_shows_setup_banner(client: AsyncClient) -> None:
await _login(client)
res = await client.get("/manage/credentials?setup=1")
assert res.status_code == 200
assert "Welcome" in res.text or "setup" in res.text.lower()

103
tests/test_auth_routes/test_manage_password_credential.py Normal file
View file

@ -0,0 +1,103 @@
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("old")))
await client.post(
"/login/password",
data={"username": "alice", "password": "old"},
headers={"HX-Request": "true"},
)
return user.userid
async def test_set_password_requires_session(client: AsyncClient) -> None:
res = await client.post(
"/manage/credentials/password",
data={"password": "x", "confirm": "x"},
follow_redirects=False,
)
assert res.status_code in (302, 303)
async def test_set_password_mismatch_returns_error(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post(
"/manage/credentials/password",
data={"password": "newpassword", "confirm": "different"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
async def test_set_password_too_short_returns_error(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post(
"/manage/credentials/password",
data={"password": "short", "confirm": "short"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="alert"' in res.text
async def test_set_password_creates_or_replaces_password(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
res = await client.post(
"/manage/credentials/password",
data={"password": "newpassword123", "confirm": "newpassword123"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert 'role="status"' in res.text or "Password" in res.text
updated = await cred_repo.get_password_by_user(userid)
assert updated is not None
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
assert svc.verify(updated.password_hash, "newpassword123") is True
async def test_delete_password_requires_session(client: AsyncClient) -> None:
res = await client.delete("/manage/credentials/password", follow_redirects=False)
assert res.status_code in (302, 303)
async def test_delete_password_with_other_credential(client: AsyncClient) -> None:
"""User has both password and webauthn — deleting password succeeds."""
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Add a webauthn credential so password is not the last one
await cred_repo.create_webauthn(WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1"))
res = await client.delete(
"/manage/credentials/password",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
deleted = await cred_repo.get_password_by_user(userid)
assert deleted is None

132
tests/test_auth_routes/test_manage_webauthn_credential.py Normal file
View file

@ -0,0 +1,132 @@
import os
from base64 import urlsafe_b64encode
from datetime import UTC, datetime
from argon2 import PasswordHasher
from cryptography.hazmat.primitives.asymmetric import ec
from fido2.cose import ES256
from fido2.utils import sha256
from fido2.webauthn import (
Aaguid,
AttestationObject,
AttestedCredentialData,
AuthenticatorAttestationResponse,
AuthenticatorData,
CollectedClientData,
RegistrationResponse,
)
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User, WebAuthnCredential
RP_ID = "localhost"
ORIGIN = "http://localhost:8000"
async def _create_user_and_login(client: AsyncClient) -> str:
"""Create user with password, log in, return userid."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
await client.post(
"/login/password",
data={"username": "alice", "password": "testpass"},
headers={"HX-Request": "true"},
)
return user.userid
def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
private_key = ec.generate_private_key(ec.SECP256R1())
cose_key = ES256.from_cryptography_key(private_key.public_key())
credential_id = os.urandom(32)
attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
return private_key, credential_id, attested
def _build_registration_response(
credential_id: bytes, attested: AttestedCredentialData, challenge: bytes
) -> RegistrationResponse:
auth_data = AuthenticatorData.create(
rp_id_hash=sha256(RP_ID.encode()),
flags=AuthenticatorData.FLAG.UP | AuthenticatorData.FLAG.AT,
counter=0,
credential_data=attested,
)
attestation_object = AttestationObject.create(fmt="none", auth_data=auth_data, att_stmt={})
client_data = CollectedClientData.create(type=CollectedClientData.TYPE.CREATE, challenge=challenge, origin=ORIGIN)
return RegistrationResponse(
raw_id=credential_id,
response=AuthenticatorAttestationResponse(client_data=client_data, attestation_object=attestation_object),
)
async def test_webauthn_begin_requires_session(client: AsyncClient) -> None:
res = await client.post("/manage/credentials/webauthn/begin", follow_redirects=False)
assert res.status_code in (302, 303, 401)
async def test_webauthn_begin_returns_options(client: AsyncClient) -> None:
await _create_user_and_login(client)
res = await client.post("/manage/credentials/webauthn/begin")
assert res.status_code == 200
data = res.json()
assert "publicKey" in data
assert "challenge" in data["publicKey"]
async def test_webauthn_complete_creates_credential(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Begin registration via service directly to get raw state
# (the session-based flow is hard to test e2e since we can't extract the state)
webauthn_service = app.state.webauthn_service
_private_key, credential_id, attested = _generate_credential()
_options, state = webauthn_service.begin_registration(user_id=userid.encode(), username="alice")
response = _build_registration_response(credential_id, attested, state["challenge"])
result = webauthn_service.complete_registration(state, response)
# Store credential directly to verify the repo works
cred = WebAuthnCredential(
user_id=userid,
credential_id=result.credential_data.credential_id,
public_key=bytes(result.credential_data),
)
await cred_repo.create_webauthn(cred)
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 1
assert creds[0].credential_id == credential_id
async def test_delete_webauthn_credential(client: AsyncClient) -> None:
userid = await _create_user_and_login(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# User already has password credential from login. Add a webauthn credential.
await cred_repo.create_webauthn(WebAuthnCredential(user_id=userid, credential_id=b"cred1", public_key=b"key1"))
cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
res = await client.delete(
f"/manage/credentials/webauthn/{cred_id_b64}",
headers={"HX-Request": "true"},
)
assert res.status_code == 200
creds = await cred_repo.get_webauthn_by_user(userid)
assert len(creds) == 0

19
tests/test_auth_routes/test_pages.py Normal file
View file

@ -0,0 +1,19 @@
from httpx import AsyncClient
async def test_get_login_page_contains_form(client: AsyncClient) -> None:
res = await client.get("/login")
assert res.status_code == 200
assert "<form" in res.text
assert 'name="username"' in res.text
async def test_login_page_has_skip_link(client: AsyncClient) -> None:
res = await client.get("/login")
assert "Skip to content" in res.text
async def test_static_css_served(client: AsyncClient) -> None:
res = await client.get("/static/style.css")
assert res.status_code == 200
assert "--bg" in res.text

64
tests/test_auth_routes/test_password_login.py Normal file
View file

@ -0,0 +1,64 @@
from datetime import UTC, datetime
from argon2 import PasswordHasher
from httpx import AsyncClient
from fastapi_oidc_op.authn.password import PasswordService
from fastapi_oidc_op.models import PasswordCredential, User
async def test_password_login_unknown_user_returns_error_fragment(client: AsyncClient) -> None:
res = await client.post(
"/login/password",
data={"username": "nobody", "password": "wrong"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
assert 'role="alert"' in res.text
async def test_password_login_wrong_password_returns_error_fragment(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
res = await client.post(
"/login/password",
data={"username": "alice", "password": "wrong"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert "Invalid username or password" in res.text
async def test_password_login_success_sets_session_and_hx_redirect(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("correct")))
res = await client.post(
"/login/password",
data={"username": "alice", "password": "correct"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/manage/credentials"
async def test_logout_clears_session_and_redirects(client: AsyncClient) -> None:
res = await client.post("/logout", headers={"HX-Request": "true"})
assert res.status_code == 200
assert res.headers.get("HX-Redirect") == "/login"

72
tests/test_auth_routes/test_register_magic_link.py Normal file
View file

@ -0,0 +1,72 @@
from datetime import UTC, datetime, timedelta
from httpx import AsyncClient
from fastapi_oidc_op.models import MagicLink
async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
res = await client.get("/register/nope", follow_redirects=False)
assert res.status_code == 400
assert "Invalid or expired" in res.text
async def test_register_expired_token_returns_error_page(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
repo = app.state.magic_link_repo
await repo.create(
MagicLink(
token="expired",
username="newuser",
expires_at=datetime.now(UTC) - timedelta(hours=1),
)
)
res = await client.get("/register/expired", follow_redirects=False)
assert res.status_code == 400
assert "Invalid or expired" in res.text
async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
magic_link_repo = app.state.magic_link_repo
user_repo = app.state.user_repo
await magic_link_repo.create(
MagicLink(
token="t1",
username="newuser",
expires_at=datetime.now(UTC) + timedelta(hours=1),
)
)
res = await client.get("/register/t1", follow_redirects=False)
assert res.status_code in (302, 303)
assert "/manage/credentials" in res.headers["location"]
assert "setup=1" in res.headers["location"]
# Token should be marked used
link = await magic_link_repo.get_by_token("t1")
assert link is not None
assert link.used is True
# User should exist
user = await user_repo.get_by_username("newuser")
assert user is not None
assert "users" in user.groups
async def test_register_used_token_returns_error(client: AsyncClient) -> None:
app = client._transport.app # type: ignore[union-attr]
repo = app.state.magic_link_repo
await repo.create(
MagicLink(
token="used",
username="newuser",
expires_at=datetime.now(UTC) + timedelta(hours=1),
used=True,
)
)
res = await client.get("/register/used", follow_redirects=False)
assert res.status_code == 400

38
tests/test_auth_routes/test_session_deps.py Normal file
View file

@ -0,0 +1,38 @@
from unittest.mock import MagicMock
import pytest
from fastapi import HTTPException
from fastapi_oidc_op.dependencies import get_session_user, require_session_user
def test_get_session_user_none_when_missing() -> None:
request = MagicMock()
request.session = {}
assert get_session_user(request) is None
def test_get_session_user_returns_tuple() -> None:
request = MagicMock()
request.session = {"userid": "u1", "username": "alice"}
assert get_session_user(request) == ("u1", "alice")
def test_get_session_user_none_when_partial() -> None:
request = MagicMock()
request.session = {"userid": "u1"} # missing username
assert get_session_user(request) is None
def test_require_session_user_raises_when_missing() -> None:
request = MagicMock()
request.session = {}
with pytest.raises(HTTPException) as exc_info:
require_session_user(request)
assert exc_info.value.status_code == 401
def test_require_session_user_returns_tuple() -> None:
request = MagicMock()
request.session = {"userid": "u1", "username": "alice"}
assert require_session_user(request) == ("u1", "alice")

95
tests/test_auth_routes/test_webauthn_login.py Normal file
View file

@ -0,0 +1,95 @@
import os
from datetime import UTC, datetime
from cryptography.hazmat.primitives.asymmetric import ec
from fido2.cose import ES256
from fido2.webauthn import (
Aaguid,
AttestedCredentialData,
)
from httpx import AsyncClient
from fastapi_oidc_op.models import User, WebAuthnCredential
RP_ID = "localhost"
ORIGIN = "http://localhost:8000"
def _generate_credential() -> tuple[ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
private_key = ec.generate_private_key(ec.SECP256R1())
cose_key = ES256.from_cryptography_key(private_key.public_key())
credential_id = os.urandom(32)
attested = AttestedCredentialData.create(aaguid=Aaguid.NONE, credential_id=credential_id, public_key=cose_key)
return private_key, credential_id, attested
async def _setup_user_with_webauthn(
client: AsyncClient,
) -> tuple[str, ec.EllipticCurvePrivateKey, bytes, AttestedCredentialData]:
"""Create a user with a WebAuthn credential in the repo."""
app = client._transport.app # type: ignore[union-attr]
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
private_key, credential_id, attested = _generate_credential()
user = User(userid="lusab-bansen", username="alice", created_at=datetime.now(UTC), updated_at=datetime.now(UTC))
await user_repo.create(user)
await cred_repo.create_webauthn(
WebAuthnCredential(
user_id=user.userid,
credential_id=credential_id,
public_key=bytes(attested),
sign_count=0,
)
)
return user.userid, private_key, credential_id, attested
async def test_webauthn_login_begin_returns_options(client: AsyncClient) -> None:
_userid, _pk, _cid, _att = await _setup_user_with_webauthn(client)
res = await client.post(
"/login/webauthn/begin",
data={"username": "alice"},
headers={"HX-Request": "true"},
)
assert res.status_code == 200
data = res.json()
assert "publicKey" in data
async def test_webauthn_login_begin_unknown_user(client: AsyncClient) -> None:
res = await client.post(
"/login/webauthn/begin",
data={"username": "nobody"},
headers={"HX-Request": "true"},
)
# Should return error, not crash
assert res.status_code == 200
assert 'role="alert"' in res.text or "not found" in res.text.lower() or "Invalid" in res.text
async def test_webauthn_login_complete_sets_session(client: AsyncClient) -> None:
"""Test the begin endpoint + verify sign_count can be updated via repo."""
_userid, _private_key, credential_id, _attested = await _setup_user_with_webauthn(client)
app = client._transport.app # type: ignore[union-attr]
cred_repo = app.state.credential_repo
# Verify begin endpoint works and returns valid options
res1 = await client.post("/login/webauthn/begin", data={"username": "alice"})
assert res1.status_code == 200
data = res1.json()
assert "publicKey" in data
# Verify sign_count can be updated via the repo directly
# (Full e2e WebAuthn complete testing requires browser interaction)
stored = await cred_repo.get_webauthn_by_credential_id(credential_id)
assert stored is not None
stored.sign_count = 5
await cred_repo.update_webauthn(stored)
updated = await cred_repo.get_webauthn_by_credential_id(credential_id)
assert updated is not None
assert updated.sign_count == 5

11
uv.lock generated
View file

@ -306,6 +306,7 @@ dependencies = [
{ name = "fido2" },
{ name = "httpx" },
{ name = "idpyoidc" },
{ name = "itsdangerous" },
{ name = "jinja2" },
{ name = "motor" },
{ name = "proquint" },
@ -330,6 +331,7 @@ requires-dist = [
{ name = "fido2", specifier = ">=2.1" },
{ name = "httpx", specifier = ">=0.28" },
{ name = "idpyoidc", specifier = ">=5.0" },
{ name = "itsdangerous", specifier = ">=2.2.0" },
{ name = "jinja2", specifier = ">=3.1" },
{ name = "motor", specifier = ">=3.7" },
{ name = "proquint", specifier = ">=0.2" },
@ -461,6 +463,15 @@ wheels = [
{ url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" },
]
[[package]]
name = "itsdangerous"
version = "2.2.0"
source = { registry = "https://pypi.org/simple" }
sdist = { url = "https://files.pythonhosted.org/packages/9c/cb/8ac0172223afbccb63986cc25049b154ecfb5e85932587206f42317be31d/itsdangerous-2.2.0.tar.gz", hash = "sha256:e0050c0b7da1eea53ffaf149c0cfbb5c6e2e2b69c4bef22c81fa6eb73e5f6173", size = 54410, upload-time = "2024-04-16T21:28:15.614Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/04/96/92447566d16df59b2a776c0fb82dbc4d9e07cd95062562af01e408583fc4/itsdangerous-2.2.0-py3-none-any.whl", hash = "sha256:c6242fc49e35958c8b15141343aa660db5fc54d4f13a1db01a3f5891b98700ef", size = 16234, upload-time = "2024-04-16T21:28:14.499Z" },
]
[[package]]
name = "jinja2"
version = "3.1.6"