Conversation

@obervinov (Owner) commented Dec 30, 2025

v4.2.0 - 2025-12-31

What's Changed

Full Changelog: v4.1.3...v4.2.0 by @obervinov in #78

🚀 Features

  • Add generic token-based authentication support for frontend integration (web UIs, mobile apps, CLI tools)
    • New methods: issue_token, validate_token, revoke_token
    • PBKDF2 hashing with 100,000 iterations and unique salts
    • Single-use token enforcement and automatic revocation
    • Backward compatible: gracefully handles missing users_tokens table
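The issue/validate/revoke flow described above, as an added example that is not the project's own code: a hypothetical in-memory TokenStore standing in for the users_tokens table, hashing each token with PBKDF2-HMAC-SHA256 at 100,000 iterations and a unique per-token salt, enforcing single use and expiry, and using timezone-aware timestamps. The token format, default TTL, lookup by user_id and constant-time comparison are assumptions made here.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # iteration count stated in the PR description


def _hash_token(token: str, salt: str) -> str:
    # PBKDF2-HMAC-SHA256 over the token with a per-token salt; only this hash is stored
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt.encode(), PBKDF2_ITERATIONS).hex()


class TokenStore:
    """Hypothetical in-memory stand-in for the users_tokens table (not the project's storage layer)."""

    def __init__(self) -> None:
        self._rows: dict[str, list[dict]] = {}  # user_id -> token rows (assumed lookup key)

    def issue_token(self, user_id: str, ttl_minutes: int = 15) -> str:
        token = secrets.token_urlsafe(32)  # high-entropy secret handed to the client (assumed format)
        salt = secrets.token_hex(16)       # unique salt per token
        # Timezone-aware expiry, avoiding the naive datetime.now() comparison problem
        expires_at = datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)
        self._rows.setdefault(user_id, []).append(
            {"hash": _hash_token(token, salt), "salt": salt, "expires_at": expires_at, "used": False}
        )
        return token

    def validate_token(self, user_id: str, token: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        for row in self._rows.get(user_id, []):
            # Recompute with the row's own salt and compare in constant time
            if not hmac.compare_digest(row["hash"], _hash_token(token, row["salt"])):
                continue
            if row["used"] or now >= row["expires_at"]:
                return False  # already consumed (single-use) or expired
            row["used"] = True  # first successful validation consumes the token
            return True
        return False

    def revoke_token(self, user_id: str, token: str) -> bool:
        rows = self._rows.get(user_id, [])
        for row in rows:
            if hmac.compare_digest(row["hash"], _hash_token(token, row["salt"])):
                rows.remove(row)  # explicit revocation removes the row outright
                return True
        return False
```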

Copilot AI review requested due to automatic review settings December 30, 2025 18:19
@obervinov obervinov self-assigned this Dec 30, 2025
@obervinov obervinov added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 30, 2025
@obervinov obervinov added this to the v4.2.0 milestone Dec 30, 2025

Copilot AI left a comment


Pull request overview

This PR introduces token-based authentication functionality (v4.2.0) to enable temporary access for frontend applications (web UIs, mobile apps, CLI tools) without storing user credentials. The implementation uses PBKDF2 hashing with salts for secure token storage and includes single-use token enforcement.

Key Changes

  • Added three new token management methods: issue_token(), validate_token(), and revoke_token()
  • Implemented PBKDF2-based token hashing with 100,000 iterations and unique salts per token
  • Added backward compatibility for deployments without the users_tokens database table

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 11 comments.

Summary per file:

  • users/users.py: Added three token management methods (issue_token, validate_token, revoke_token) with PBKDF2 security
  • users/storage.py: Added database operations for token storage, retrieval, and marking as used, with backward compatibility checks
  • tests/test_tokens.py: Comprehensive test suite covering token lifecycle, security, expiration, single-use enforcement, and edge cases
  • tests/postgres/tables.sql: Added users_tokens table schema with indexed user_id for token storage
  • pyproject.toml: Version bump from 4.1.3 to 4.2.0
  • README.md: Added extensive documentation for the token authentication feature with usage examples and security details
  • CHANGELOG.md: Added v4.2.0 release notes documenting the new token authentication feature
  • .github/copilot-instructions.md: New file documenting project architecture, conventions, and token authentication implementation guidelines


token_hash = hashlib.pbkdf2_hmac('sha256', token_id.encode(), token_salt.encode(), 100_000).hex()

# Calculate expiration
expires_at = datetime.now() + timedelta(minutes=ttl_minutes)

Copilot AI Dec 30, 2025


Using datetime.now() without timezone information can lead to inconsistencies when comparing timestamps across different systems or when the database uses timezone-aware timestamps. Consider using datetime.now(timezone.utc) or datetime.utcnow() for consistency with the PostgreSQL NOW() function which returns UTC time by default.

@obervinov (Owner, Author)

I've made a separate issue on this and plan to fix it in the future: #79

@obervinov obervinov merged commit d87f4e8 into main Dec 31, 2025
5 checks passed
@obervinov obervinov deleted the release/v4.2.0 branch December 31, 2025 10:09