blog.pyaqa.ru/app/infrastructure/auth/__init__.py at 184b95969c7fc0ff8630fc757c283119e710b438 - blog.pyaqa.ru - pyaqa.ru

pi3c/blog.pyaqa.ru

Files

Sergey Vanyushkin 184b95969c

ci/woodpecker/pr/lint Pipeline failed

Details

ci/woodpecker/pr/test Pipeline was successful

Details

ci/woodpecker/pr/type Pipeline was successful

Details

feat(auth): implement Keycloak authentication with RBAC and pagination

Major changes:
- Add Keycloak integration via token introspection endpoint
- Implement RBAC system with roles: admin, user, guest
- Add role-based permissions for post operations
- Add pagination support (default limit: 10) to list endpoints
- Add published_only filter with admin-only override for unpublished posts

Security improvements:
- Remove hardcoded default secrets (SECRET_KEY, KEYCLOAK_CLIENT_SECRET)
- Update .env.example with proper security placeholders
- Add comprehensive RBAC unit tests

Infrastructure:
- Add httpx dependency for HTTP client
- Add KeycloakAuthClient with token caching (TTL: 60s)
- Add role-based dependencies (RequireAdmin, RequireUser, etc.)
- Update DI container with Keycloak provider

Endpoints updated:
- GET /posts: filter by published status (admin can see all)
- Add pagination params (limit, offset) to list endpoints
- Enforce RBAC on post operations

Tests:
- Add 16 auth infrastructure tests
- Add 13 RBAC role tests
- Update existing tests for new required settings

Breaking changes:
- SECRET_KEY and KEYCLOAK_CLIENT_SECRET now required (no defaults)

2026-05-02 11:21:45 +03:00

7 lines

238 B

Python

Raw Blame History

 """Authentication infrastructure package."""
 from app.infrastructure.auth.client import KeycloakAuthClient
 from app.infrastructure.auth.models import KeycloakUser, TokenInfo
 __all__ = ["KeycloakAuthClient", "KeycloakUser", "TokenInfo"]