refactor(auth): type auth providers and decouple Google auth from disk storage
- Make MailIntakeAuthProvider generic over credential type to enforce typed auth contracts between providers and adapters - Refactor Google OAuth provider to use CredentialStore abstraction instead of filesystem-based pickle persistence - Remove node-local state assumptions from Google auth implementation - Clarify documentation to distinguish credential lifecycle from credential persistence responsibilities This change enables distributed-safe authentication providers and allows multiple credential persistence strategies without modifying auth logic.
This commit is contained in:
96
mail_intake/credentials/pickle.py
Normal file
96
mail_intake/credentials/pickle.py
Normal file
@@ -0,0 +1,96 @@
|
||||
"""
|
||||
Local filesystem–based credential persistence for Mail Intake.
|
||||
|
||||
This module provides a file-backed implementation of the
|
||||
``CredentialStore`` abstraction using Python's ``pickle`` module.
|
||||
|
||||
The pickle-based credential store is intended for local development,
|
||||
single-node deployments, and controlled environments where credentials
|
||||
do not need to be shared across processes or machines.
|
||||
|
||||
Due to the security and portability risks associated with pickle-based
|
||||
serialization, this implementation is not suitable for distributed or
|
||||
untrusted environments.
|
||||
"""
|
||||
|
||||
import pickle
|
||||
from typing import Optional, TypeVar
|
||||
|
||||
from mail_intake.credentials.store import CredentialStore
|
||||
|
||||
T = TypeVar("T")
|
||||
|
||||
|
||||
class PickleCredentialStore(CredentialStore[T]):
|
||||
"""
|
||||
Filesystem-backed credential store using pickle serialization.
|
||||
|
||||
This store persists credentials as a pickled object on the local
|
||||
filesystem. It is a simple implementation intended primarily for
|
||||
development, testing, and single-process execution contexts.
|
||||
|
||||
This implementation:
|
||||
- Stores credentials on the local filesystem
|
||||
- Uses pickle for serialization and deserialization
|
||||
- Does not provide encryption, locking, or concurrency guarantees
|
||||
|
||||
Credential lifecycle management, validation, and refresh logic are
|
||||
explicitly out of scope for this class.
|
||||
"""
|
||||
|
||||
def __init__(self, path: str):
|
||||
"""
|
||||
Initialize a pickle-backed credential store.
|
||||
|
||||
Args:
|
||||
path:
|
||||
Filesystem path where credentials will be stored.
|
||||
The file will be created or overwritten as needed.
|
||||
"""
|
||||
self.path = path
|
||||
|
||||
def load(self) -> Optional[T]:
|
||||
"""
|
||||
Load credentials from the local filesystem.
|
||||
|
||||
If the credential file does not exist or cannot be successfully
|
||||
deserialized, this method returns ``None``.
|
||||
|
||||
The store does not attempt to validate or interpret the returned
|
||||
credentials.
|
||||
|
||||
Returns:
|
||||
An instance of type ``T`` if credentials are present and
|
||||
successfully deserialized; otherwise ``None``.
|
||||
"""
|
||||
try:
|
||||
with open(self.path, "rb") as fh:
|
||||
return pickle.load(fh)
|
||||
except Exception:
|
||||
return None
|
||||
|
||||
def save(self, credentials: T) -> None:
|
||||
"""
|
||||
Persist credentials to the local filesystem.
|
||||
|
||||
Any previously stored credentials at the configured path are
|
||||
overwritten.
|
||||
|
||||
Args:
|
||||
credentials:
|
||||
The credential object to persist.
|
||||
"""
|
||||
with open(self.path, "wb") as fh:
|
||||
pickle.dump(credentials, fh)
|
||||
|
||||
def clear(self) -> None:
|
||||
"""
|
||||
Remove persisted credentials from the local filesystem.
|
||||
|
||||
This method deletes the credential file if it exists and should
|
||||
be treated as an idempotent operation.
|
||||
"""
|
||||
import os
|
||||
|
||||
if os.path.exists(self.path):
|
||||
os.remove(self.path)
|
||||
Reference in New Issue
Block a user