Initial commit

Author: masenf

.github/actions/setup_build_env/action.yml

@@ -0,0 +1,71 @@
+# Entry conditions:
+# - `setup/checkout` has already happened
+# - working dir is the root directory of your project (e.g. `reflex/`).
+# - You have a `uv.lock` file in the root directory of your project
+# - You have a `pyproject.toml` file in the root directory of your project
+#
+# Exit conditions:
+# - Python of version `python-version` is ready to be invoked as `python`.
+# - Uv of version `uv-version` is ready to be invoked as `uv`.
+# - If `run-uv-sync` is true, deps as defined in `pyproject.toml` will have been installed into the venv at `create-venv-at-path`.
+
+name: "Setup Reflex build environment"
+description: "Sets up Python, install uv (cached), install project deps (cached)"
+inputs:
+  python-version:
+    description: "Python version setup"
+    required: true
+  uv-version:
+    description: "Uv version to install"
+    required: false
+    default: "0.8.0"
+  run-uv-sync:
+    description: "Whether to run uv sync on current dir"
+    required: false
+    default: false
+  create-venv-at-path:
+    description: "Path to venv (if uv sync is enabled)"
+    required: false
+    default: ".venv"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install UV
+      uses: astral-sh/setup-uv@v5
+      with:
+        version: ${{ inputs.uv-version }}
+        python-version: ${{ inputs.python-version }}
+        enable-cache: true
+        prune-cache: false
+        cache-dependency-glob: "uv.lock"
+
+    - name: Restore cached project python deps
+      id: restore-pydeps-cache
+      uses: actions/cache/restore@v4
+      with:
+        path: ${{ inputs.create-venv-at-path }}
+        key: ${{ runner.os }}-python-${{ inputs.python-version }}-pydeps-${{ hashFiles('**/uv.lock') }}
+
+    - if: ${{ inputs.run-uv-sync == 'true' && steps.restore-pydeps-cache.outputs.cache-hit != 'true' }}
+      name: Run uv sync (will get cached)
+      # We skip over installing the root package (the current project code under CI)
+      # Root package should not be cached - its content is not reflected in uv.lock / cache key
+      shell: bash
+      run: |
+        uv sync --all-extras --dev --no-install-project --prerelease=allow
+
+    - if: steps.restore-pydeps-cache.outputs.cache-hit != 'true'
+      name: Save Python deps to cache
+      uses: actions/cache/save@v4
+      with:
+        path: ${{ inputs.create-venv-at-path }}
+        key: ${{ steps.restore-pydeps-cache.outputs.cache-primary-key }}
+
+    - if: ${{ inputs.run-uv-sync == 'true' }}
+      name: Run uv sync (root package)
+      # Here we really install the root package (the current project code under CI).env:
+      # This should not be cached.
+      shell: bash
+      run: |
+        uv sync --all-extras --dev

.github/workflows/export-demos.yml

@@ -0,0 +1,46 @@
+name: export-demos
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  demo-export-tests:
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11.11", "3.12.8", "3.13.1"]
+    runs-on: ubuntu-22.04
+    
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history and tags for proper versioning
+      - uses: ./.github/actions/setup_build_env
+        with:
+          python-version: ${{ matrix.python-version }}
+          run-uv-sync: true
+
+      - name: Install demo requirements
+        run: |
+          cd demos
+          uv pip install --prerelease=allow -r requirements.txt
+
+      - name: Test demo export
+        env:
+          REFLEX_ACCESS_TOKEN: ${{ secrets.REFLEX_ACCESS_TOKEN }}
+        run: |
+          cd demos
+          uv run --no-sync reflex --version
+          uv run --no-sync reflex export

.github/workflows/pre-commit.yml

@@ -0,0 +1,21 @@
+name: pre-commit
+
+on:
+  pull_request:
+    branches: ["main"]
+  push:
+    branches: ["main"]
+
+jobs:
+  pre-commit:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup_build_env
+        with:
+          python-version: 3.13
+          run-uv-sync: true
+      - run: uv run pre-commit run --all-files --show-diff-on-failure
+        env:
+          SKIP: update-pyi-files

.github/workflows/publish.yml

@@ -0,0 +1,71 @@
+name: Build and Publish
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read  # Required for checkout
+  id-token: write  # For trusted publishing if using OIDC
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install UV
+        run: |
+          pip install uv
+
+      - name: Build Wheel (without sdist)
+        run: uv build --wheel
+
+      - name: Upload wheel artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: built-wheel
+          path: dist/*.whl
+          retention-days: 1  # Keep for 1 day
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - name: Download all compiled wheels
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+          name: built-wheel
+        #   pattern: reflex_enterprise*.whl
+          merge-multiple: true
+      - name: List dist folder contents (for debugging)
+        run: |
+          pwd
+          echo "-------"
+          ls -l
+          echo "-------"
+          ls -l dist/
+      - name: Install UV
+        run: |
+          pip install uv
+
+      - name: Publish to PyPI
+        run: uv publish --token ${{ secrets.PYPI_API_TOKEN }}

.gitignore

@@ -0,0 +1,18 @@
+**/.DS_Store
+**/*.pyc
+assets/external/*
+dist/*
+examples/
+.web
+.states
+.idea
+.vscode
+.coverage
+.coverage.*
+.venv
+venv
+.pyi_generator_last_run
+.pyi_generator_diff
+reflex.db
+.codspeed
+*.egg-info

.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+fail_fast: true
+
+repos:
+
+  - repo: https://github.com/charliermarsh/ruff-pre-commit
+    rev: v0.9.3
+    hooks:
+      - id: ruff-format
+        args: [reflex_azure_auth]
+      - id: ruff
+        args: ["--fix", "--exit-non-zero-on-fix"]
+        exclude: '^integration/benchmarks/'
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.3.0
+    hooks:
+      - id: codespell
+        args: ["reflex_azure_auth"]
+
+  - repo: https://github.com/RobertCraigie/pyright-python
+    rev: v1.1.396
+    hooks:
+      - id: pyright
+        args: [reflex_azure_auth]
+        language: system

README.md

@@ -0,0 +1,99 @@
+# reflex-azure-auth
+
+This package requires the `reflex_enterprise` package to be installed.
+
+## Installation
+
+```bash
+pip install reflex-azure-auth
+```
+
+## Usage
+
+### Set Up an Azure (Microsoft identity platform) Application
+
+Create a new Application (App Registration) in the Azure portal and set up a .env file with the following variables:
+
+```env
+AZURE_CLIENT_ID=your_client_id
+AZURE_CLIENT_SECRET=your_client_secret
+AZURE_ISSUER_URI=your tenant issuer or authority URL
+```
+
+Reflex will need to access these variables to authenticate users via OpenID Connect on the Microsoft identity platform.
+
+#### Step-by-step: App Registration
+
+1. Sign in to the Azure portal and open "Azure Active Directory" → "App registrations".
+2. Click "New registration".
+    - Name: choose a friendly name (example: "Reflex Demo App").
+    - Supported account types: choose the tenant(s) you want (single or multi-tenant).
+    - Redirect URI: add the authorization callback path for your app, e.g. `https://your-app.example.com/authorization-code/callback` (use `http://localhost:3000/authorization-code/callback` for local development).
+3. Register the app and copy the "Application (client) ID" → this is `AZURE_CLIENT_ID`.
+4. Under "Certificates & secrets" create a new client secret and copy the value → this is `AZURE_CLIENT_SECRET`.
+5. Under "Expose an API" or "API permissions" add the scopes your app needs. For typical OpenID Connect sign-in, request the `openid`, `profile`, and `email` scopes. If you need access to a custom API, expose an application ID URI (e.g. `api://<client-id>`) and create delegated scopes.
+6. Determine your issuer (authority) URL:
+    - For a single tenant: `https://login.microsoftonline.com/<your-tenant-id>`
+    - For common/multi-tenant flows: `https://login.microsoftonline.com/common`
+    Use the `AZURE_ISSUER_URI` env var to set this (you can include the `/v2.0` suffix or we default to `v2.0` for endpoint assembly).
+
+Example .env (local development):
+
+```env
+AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000000
+AZURE_CLIENT_SECRET=very-secret-value
+AZURE_ISSUER_URI=https://login.microsoftonline.com/common
+AZURE_AUDIENCE=api://default
+```
+
+Notes:
+- Redirect URIs must match exactly. For Reflex demo pages running locally, use the full local URL including the `/authorization-code/callback` path.
+- Use `openid email profile` in the authorization request to receive an ID token containing standard claims (sub, name, email).
+- When testing with a real tenant, use the tenant-specific issuer URL (recommended for production).
+
+### Register Auth Callback
+
+```python
+from reflex_enterprise import App
+from reflex_azure_auth import register_auth_endpoints
+
+...
+
+app = App()
+register_auth_endpoints(app)
+```
+
+### Check `AzureAuthState.userinfo` for user identity/validity
+
+```python
+import reflex as rx
+from reflex_azure_auth import AzureAuthState
+
+@rx.page()
+def index():
+    return rx.container(
+        rx.vstack(
+            rx.heading("Azure (Microsoft) Auth Demo"),
+            rx.cond(
+                rx.State.is_hydrated,
+                rx.cond(
+                    AzureAuthState.userinfo,
+                    rx.vstack(
+                        rx.text(f"Welcome, {AzureAuthState.userinfo["name"]}!"),
+                        rx.text(AzureAuthState.userinfo.to_string()),
+                        rx.button("Logout", on_click=AzureAuthState.redirect_to_logout),
+                    ),
+                    rx.button("Log In with Microsoft", on_click=AzureAuthState.redirect_to_login),
+                ),
+                rx.spinner(),
+            ),
+        ),
+    )
+```
+
+### Validate the Tokens
+
+tokens to ensure they have not been tampered with. Use
+Before performing privileged backend operations, it is important to validate the
+tokens to ensure they have not been tampered with. Use
+`AzureAuthState._validate_tokens()` helper method to validate the tokens.

demos/.gitignore

@@ -0,0 +1,6 @@
+.web
+__pycache__/
+*.db
+.states
+*.py[cod]
+assets/external/