nat.data_models.user_info#

Structured user identity model supporting multiple credential sources.

Attributes#

_USER_ID_NAMESPACE

Classes#

`JwtUserInfo`	JWT-derived identity fields extracted from decoded token claims.
`BasicUserInfo`	Username/password identity.
`UserInfo`	Resolved user identity, independent of how it was identified.

Module Contents#

_USER_ID_NAMESPACE: uuid.UUID#

class JwtUserInfo(/, **data: Any)#

Bases: pydantic.BaseModel

JWT-derived identity fields extracted from decoded token claims.

Registered claims (sub, iss, aud, exp, iat) per RFC 7519. Identity claims (email, preferred_username, name) per OpenID Connect Core 1.0.

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

model_config#: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

given_name: str | None = None#

family_name: str | None = None#

email: str | None = None#

preferred_username: str | None = None#

roles: list[str] = None#

groups: list[str] = None#

scopes: list[str] = None#

issuer: str | None = None#

subject: str | None = None#

audience: list[str] | None = None#

expires_at: int | None = None#

issued_at: int | None = None#

client_id: str | None = None#

claims: dict[str, Any] = None#

property identity_claim: str | None#: Return the first non-empty value using sub > email > preferred_username precedence. sub is the stable, locally-unique identifier per RFC 7519 Section 4.1.2. email and preferred_username are OIDC fallbacks (OpenID Connect Core 1.0 Section 5.1).

class BasicUserInfo(/, **data: Any)#

Bases: pydantic.BaseModel

Username/password identity.

The user provides username and password. A base64-encoded credential (base64(username:password)) is derived automatically and used as the identity key for UUID v5 generation.

Because the password is part of the identity key, changing a password produces a new user_id and the user’s prior per-user workflow state becomes inaccessible.

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

model_config#: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

username: str = None#

password: nat.data_models.common.SerializableSecretStr = None#

_credential: str = None#

model_post_init(__context: Any) → None#: Override this method to perform additional initialization after __init__ and model_construct. This is useful if you want to do some validation that requires the entire model to be initialized.

property credential: str#: Base64-encoded username:password used to differentiate users.

class UserInfo(/, **data: Any)#

Bases: pydantic.BaseModel

Resolved user identity, independent of how it was identified.

Construct with exactly one identity source:

UserInfo(basic_user=BasicUserInfo(username="alice", password="s3cret"))
UserInfo(api_key=SecretStr("sk-service-abc123"))

For runtime credentials (session cookie / JWT), use UserManager or the _from_* factory classmethods.

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

model_config#: Configuration for the model, should be a dictionary conforming to [ConfigDict][pydantic.config.ConfigDict].

basic_user: BasicUserInfo | None = None#

api_key: nat.data_models.common.OptionalSecretStr = None#

_user_id: str = None#

_session_cookie: str | None = None#

_jwt: JwtUserInfo | None = None#

_validate_single_identity_source() → UserInfo#

model_post_init(__context: Any) → None#: Override this method to perform additional initialization after __init__ and model_construct. This is useful if you want to do some validation that requires the entire model to be initialized.

get_user_id() → str#: Return the user ID.

_set_user_id(identity_key: str) → None#: Derive and set the deterministic UUID from an identity source value.

get_user_details() → JwtUserInfo | BasicUserInfo | str | None#

Return the identity-source data used to create this user.

Returns:: JwtUserInfo for JWT users, BasicUserInfo for username/password users, the raw API key or cookie string for those users, or None if no source was set.

classmethod _from_session_cookie(cookie: str) → UserInfo#

classmethod _from_api_key(api_key: str) → UserInfo#

classmethod _from_jwt(jwt_info: JwtUserInfo) → UserInfo#