
auth hardening and dep bumps #23

Merged
mdfarhankc merged 1 commit into main from cleanup/polish-and-deps on May 20, 2026

Conversation

@mdfarhankc (Owner) commented May 20, 2026

Summary

  • logout: refresh token revocation now verifies the token belongs to the authenticated user before revoking the family. Previously any valid access token could revoke any refresh token whose value was known/guessed.
  • login: a transient DB error during the transparent password rehash is now logged and swallowed instead of failing an otherwise-valid login.
  • deps: all dependency floors bumped to current latest PyPI versions across runtime, optional extras, and dev group.

Test plan

  • uv run pytest tests/ - 202 passed, 1 skipped
  • uv run ruff check . - clean
  • uv run mypy --strict fastapi_fullauth - clean

Summary by CodeRabbit

Release Notes

  • Documentation

    • Expanded and clarified guides across authentication, configuration, passkeys, OAuth, and RBAC features
    • Improved hook documentation with explicit timing semantics and debugging guidance
    • Enhanced migration and troubleshooting references
  • Bug Fixes

    • Improved password rehashing resilience during login—rehash failures no longer block successful authentication
    • Enhanced logout logging for better audit trails and security monitoring
  • Chores

    • Updated core dependencies to latest stable versions

Review Change Stack

- logout: verify refresh_token belongs to the authenticated user
  before revoking the family
- login: swallow DB errors during password rehash so they can't
  block a valid login
- bump all dependency floors to current latest versions
@coderabbitai (Bot) commented May 20, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 699d9d40-a697-43fc-9ee4-4f30fdcb0270

📥 Commits

Reviewing files that changed from the base of the PR and between 7e058a1 and 91d87e2.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (61)
  • CHANGELOG.md
  • CONTRIBUTING.md
  • Makefile
  • README.md
  • docs/adapters/index.md
  • docs/adapters/sqlalchemy.md
  • docs/adapters/sqlmodel.md
  • docs/api-reference.md
  • docs/auth/custom-claims.md
  • docs/auth/dependencies.md
  • docs/configuration.md
  • docs/getting-started.md
  • docs/index.md
  • docs/llms-full.txt
  • docs/migrations.md
  • docs/oauth.md
  • docs/security/middleware.md
  • docs/security/rate-limiting.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/SKILL.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/adapters.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/api-reference.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/composable-design.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/getting-started.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/hooks.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/migrations.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/oauth.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/passkeys.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/production.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/rbac.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/testing.md
  • fastapi_fullauth/.agents/skills/fastapi-fullauth/references/troubleshooting.md
  • fastapi_fullauth/adapters/__init__.py
  • fastapi_fullauth/adapters/base.py
  • fastapi_fullauth/adapters/sqlalchemy.py
  • fastapi_fullauth/backends/cookie.py
  • fastapi_fullauth/config.py
  • fastapi_fullauth/core/tokens.py
  • fastapi_fullauth/dependencies/rbac.py
  • fastapi_fullauth/flows/change_password.py
  • fastapi_fullauth/flows/email_verify.py
  • fastapi_fullauth/flows/login.py
  • fastapi_fullauth/flows/logout.py
  • fastapi_fullauth/flows/oauth.py
  • fastapi_fullauth/flows/passkey.py
  • fastapi_fullauth/flows/password_reset.py
  • fastapi_fullauth/flows/register.py
  • fastapi_fullauth/fullauth.py
  • fastapi_fullauth/models/sqlalchemy/__init__.py
  • fastapi_fullauth/models/sqlmodel/__init__.py
  • fastapi_fullauth/protection/challenges.py
  • fastapi_fullauth/routers/auth.py
  • pyproject.toml
  • tests/test_auth.py
  • tests/test_config.py
  • tests/test_hooks.py
  • tests/test_oauth.py
  • tests/test_profile.py
  • tests/test_rbac.py
  • tests/test_security.py
  • tests/test_sqlalchemy_adapter.py
  • tests/test_sqlmodel_adapter.py

📝 Walkthrough


This PR is a large documentation and comment normalization release alongside two auth-flow improvements. The major changes include: password-rehash robustness in login (catch and log failures instead of blocking login), refresh-token ownership validation in logout (only revoke when token matches the authenticated user), comprehensive v0.10.0 changelog, and consistent punctuation updates (em-dash to equals signs) across all documentation, source comments, and test section headers. Dependency versions are bumped across the stack.

Changes

Documentation, release notes, auth robustness, and dependency updates

Layer / File(s) | Summary

Auth flow robustness = password rehash and logout ownership
  Files: fastapi_fullauth/flows/login.py, fastapi_fullauth/flows/logout.py
  Login now wraps password-rehash attempts in try/except, logging failures while allowing successful login to proceed. Logout validates refresh-token ownership before revocation and adds audit logging for user_id and jti.

Dependency version updates
  Files: pyproject.toml
  Core and dev dependency versions are bumped: FastAPI, Pydantic, PyJWT, Argon2, Redis, Webauthn, pytest, mypy, ruff, uvicorn, and others to newer minimum versions.

v0.10.0 release notes and historical changelog
  Files: CHANGELOG.md
  v0.10.0 breaking changes (nullable passwords, removed routes/modules, config simplifications, router list changes), security improvements (refresh-token issuance, timing-oracle hardening, CSRF secret validation), fixes (UUID handling, OAuth unlinking, hook isolation), and changes (mypy cleanliness, dependency versions, passkey base64 padding). Earlier versions (0.9.x–0.2.0) also updated for consistency.

Public documentation = README, getting started, and user guides
  Files: README.md, docs/getting-started.md, docs/index.md, docs/configuration.md, docs/security/*.md, docs/auth/custom-claims.md, docs/auth/dependencies.md
  Consistent punctuation updates (em-dash to equals) and minor wording clarifications for config options, feature descriptions, and dependency guidance.

Adapter and API reference documentation
  Files: docs/adapters/*.md, docs/api-reference.md, docs/oauth.md
  Adapter selection and setup instructions are clarified with consistent punctuation and formatting updates for SQLAlchemy/SQLModel selection, configuration requirements, and OAuth redirect validation.

Auth feature documentation = claims, dependencies, OAuth, hooks, RBAC
  Files: docs/auth/custom-claims.md, docs/auth/dependencies.md, docs/oauth.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/hooks.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/rbac.md
  Documentation for custom JWT claims, role/permission checks, OAuth identity flow, hook lifecycle (including debugging guidance that hooks are awaited and run sequentially), and RBAC role/permission layering is updated with clarifications and consistent formatting.

Advanced reference documentation = adapters, passkeys, migrations, production, testing
  Files: fastapi_fullauth/.agents/skills/fastapi-fullauth/references/adapters.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/passkeys.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/migrations.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/production.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/testing.md, fastapi_fullauth/.agents/skills/fastapi-fullauth/references/troubleshooting.md
  Advanced topics including adapter interface contracts, passkey WebAuthn setup (RP ID, origins, challenge store, platform-specific domains), Alembic migration patterns, production deployment checklist (proxy headers, CSRF, passkeys, observability), testing strategies (fixtures, mocking, rate-limiter disabling), and troubleshooting error scenarios are updated with clarifications and consistent punctuation.

Agent and AI-friendly documentation
  Files: fastapi_fullauth/.agents/skills/fastapi-fullauth/SKILL.md, docs/llms-full.txt
  Agent skill documentation and the comprehensive AI-friendly documentation file (llms-full.txt) are normalized with consistent punctuation (em-dash to equals signs) across feature lists, section headers, option descriptions, and explanatory notes.

Source code comment normalization = adapters, flows, config, routers
  Files: fastapi_fullauth/adapters/*.py, fastapi_fullauth/backends/cookie.py, fastapi_fullauth/config.py, fastapi_fullauth/core/tokens.py, fastapi_fullauth/dependencies/rbac.py, fastapi_fullauth/flows/*.py, fastapi_fullauth/fullauth.py, fastapi_fullauth/models/*/, fastapi_fullauth/protection/challenges.py, fastapi_fullauth/routers/auth.py
  Inline docstrings, comments, and error messages across source files are updated with consistent punctuation (em-dash to equals) in clarifying notes, exception messages, and logging text. No functional logic is changed.

Test file comment restructuring
  Files: tests/test_*.py
  Test files are reorganized with simpler single-line section header comments replacing decorative multi-line dividers. Comment wording is adjusted for clarity but no test logic, assertions, or behavioral changes are made.

Contributing guidelines and build files
  Files: CONTRIBUTING.md, Makefile
  Branch-naming guidelines and Makefile comments are updated with consistent punctuation for uniform presentation style.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • mdfarhankc/fastapi-fullauth#6: Introduced the llms-full.txt AI-friendly docs file, which this PR now normalizes for punctuation consistency.
  • mdfarhankc/fastapi-fullauth#20: Added refresh-token rate limiting and UUID consistency; this PR's logout ownership validation aligns with that auth-robustness work.
  • mdfarhankc/fastapi-fullauth#21: Introduced password-rehash failure handling and refresh-token ownership checks; this PR consolidates and documents those improvements in release notes.

🐰 Em-dashes take a hop and equals signs take the lead,
Password rehashes dance with grace—no login lost in need,
Logout now checks if tokens match their rightful home,
And docs all shimmer clean across the codebase's foam!


@mdfarhankc mdfarhankc merged commit f9eb8be into main May 20, 2026
5 of 7 checks passed
@mdfarhankc mdfarhankc deleted the cleanup/polish-and-deps branch May 20, 2026 12:18