
Minimal JWT auth server for the pico ecosystem

Project description

Pico-Auth


Minimal JWT auth server for the Pico ecosystem.

Pico-Auth is a ready-to-run authentication server built on top of the pico-framework stack. It provides:

  • RS256 JWT tokens with auto-generated RSA key pairs
  • Refresh token rotation with SHA-256 hashed storage
  • RBAC with four built-in roles: superadmin, org_admin, operator, viewer
  • Group management with CRUD API, membership, and groups JWT claim
  • OIDC discovery endpoints (.well-known/openid-configuration, JWKS)
  • Bcrypt password hashing (72-byte input limit enforced)
  • Zero-config startup with auto-created admin user

Requires Python 3.11+


Architecture

Pico-Auth uses the full Pico stack with dependency injection:

| Layer | Component | Decorator |
|---|---|---|
| Config | AuthSettings | @configured(prefix="auth") |
| Models | User, RefreshToken, Group, GroupMember | SQLAlchemy AppBase |
| Repository | UserRepository, RefreshTokenRepository, GroupRepository | @component |
| Service | AuthService, GroupService | @component |
| Security | JWTProvider, PasswordService, LocalJWKSProvider | @component |
| Routes | AuthController, GroupController, OIDCController | @controller |

Installation

pip install -e ".[dev]"

Quick Start

1. Run the Server

python -m pico_auth.main

The server starts on http://localhost:8100 with:

  • An auto-created admin user (admin@pico.local / admin)
  • SQLite database at auth.db
  • RSA keys at ~/.pico-auth/

2. Register a User

curl -X POST http://localhost:8100/api/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "password": "secret123", "display_name": "Alice"}'

3. Login

curl -X POST http://localhost:8100/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "password": "secret123"}'

Returns:

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "refresh_token": "a1b2c3d4...",
  "token_type": "Bearer",
  "expires_in": 900
}

4. Access Protected Endpoint

curl http://localhost:8100/api/v1/auth/me \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

API Endpoints

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/auth/register | No | Register a new user |
| POST | /api/v1/auth/login | No | Login and get tokens |
| POST | /api/v1/auth/refresh | No | Refresh access token |
| GET | /api/v1/auth/me | Bearer | Get current user profile |
| POST | /api/v1/auth/me/password | Bearer | Change password |
| GET | /api/v1/auth/users | Admin | List all users |
| PUT | /api/v1/auth/users/{id}/role | Admin | Update user role |
| GET | /api/v1/auth/jwks | No | JSON Web Key Set |
| POST | /api/v1/groups | Admin | Create a group |
| GET | /api/v1/groups | Bearer | List groups (by org) |
| GET | /api/v1/groups/{id} | Bearer | Get group with members |
| PUT | /api/v1/groups/{id} | Admin | Update group |
| DELETE | /api/v1/groups/{id} | Admin | Delete group |
| POST | /api/v1/groups/{id}/members | Admin | Add member to group |
| DELETE | /api/v1/groups/{id}/members/{uid} | Admin | Remove member |
| GET | /.well-known/openid-configuration | No | OIDC discovery |

Configuration

All settings are loaded from application.yaml and can be overridden with environment variables:

auth:
  data_dir: "~/.pico-auth"              # RSA key storage
  access_token_expire_minutes: 15        # JWT lifetime
  refresh_token_expire_days: 7           # Refresh token lifetime
  issuer: "http://localhost:8100"        # JWT issuer claim
  audience: "pico-bot"                   # JWT audience claim
  auto_create_admin: true                # Create admin on startup
  admin_email: "admin@pico.local"        # Default admin email
  admin_password: "admin"                # Default admin password

database:
  url: "sqlite+aiosqlite:///auth.db"     # Database URL
  echo: false                            # SQL logging

auth_client:
  enabled: true                          # Enable auth middleware
  issuer: "http://localhost:8100"        # Must match auth.issuer
  audience: "pico-bot"                   # Must match auth.audience

fastapi:
  title: "Pico Auth API"
  version: "0.1.0"

Environment variable override example:

AUTH_ISSUER=https://auth.myapp.com AUTH_ADMIN_PASSWORD=strong-password python -m pico_auth.main

JWT Token Claims

Access tokens include:

| Claim | Description |
|---|---|
| sub | User ID |
| email | User email |
| role | User role (superadmin, org_admin, operator, viewer) |
| org_id | Organization ID |
| groups | Group IDs the user belongs to |
| iss | Issuer URL |
| aud | Audience |
| iat | Issued at (Unix timestamp) |
| exp | Expiration (Unix timestamp) |
| jti | Unique token ID |

Ecosystem

Pico-Auth is built on:

| Package | Role |
|---|---|
| pico-ioc | Dependency injection container |
| pico-boot | Bootstrap and plugin discovery |
| pico-fastapi | FastAPI integration with @controller |
| pico-sqlalchemy | Async SQLAlchemy with SessionManager |
| pico-client-auth | JWT auth middleware with SecurityContext |

Development

# Install in dev mode
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Run with coverage
pytest --cov=pico_auth --cov-report=term-missing tests/

# Full test matrix
tox

# Lint
ruff check pico_auth/ tests/

License

MIT (see the LICENSE file)

Download files


Source Distribution

pico_auth-0.2.0.tar.gz (40.1 kB)

Built Distribution

pico_auth-0.2.0-py3-none-any.whl (17.2 kB)

File details

Details for the file pico_auth-0.2.0.tar.gz.

File metadata

  • Download URL: pico_auth-0.2.0.tar.gz
  • Size: 40.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pico_auth-0.2.0.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | b82ea1eb77aa0d578b4331fca14517dfc5af7eb8a4ed90d36f80098387cd9706 |
| MD5 | c67c483553412ccfcecf371c9665b6cd |
| BLAKE2b-256 | 4c6909727eabc796d10344268ce27a251728b195eb0fcc1c8cd786b2facb6c61 |


Provenance

The following attestation bundles were made for pico_auth-0.2.0.tar.gz:

Publisher: publish-to-pypi.yml on dperezcabrera/pico-auth


File details

Details for the file pico_auth-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: pico_auth-0.2.0-py3-none-any.whl
  • Size: 17.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pico_auth-0.2.0-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | b5d46f3c7db8c494aa004cb7d0b2302116c93c040f35ab5d23ad6b75c04f3f0a |
| MD5 | c5bad93d7464200dc71d7efc765b8dbe |
| BLAKE2b-256 | 29065ef74764488540246559faba0920025d594299e69229716b0cbc7dedc9c4 |


Provenance

The following attestation bundles were made for pico_auth-0.2.0-py3-none-any.whl:

Publisher: publish-to-pypi.yml on dperezcabrera/pico-auth

