daylily-auth-cognito

daylily-auth-cognito is the standalone Cognito auth repo for Daylily. It publishes the daylily_auth_cognito Python package and the daycog CLI.

The 2.0 line is a breaking refactor with hard boundaries:

runtime/: JWT verification and FastAPI bearer auth
browser/: Hosted UI session auth with token-free session storage
admin/: Cognito pool, app-client, user, password, and federation mutations
cli/: daycog wiring only
policy/: email-domain policy helpers

Install

pip install daylily-auth-cognito

For development in this repo:

source ./activate
pytest -q

activate installs the editable repo and the published cli-core-yo==2.1.1 dependency.

Public API

The top-level package is intentionally small:

from daylily_auth_cognito import (
    CognitoTokenVerifier,
    CognitoWebSessionConfig,
    JWKSCache,
    SessionPrincipal,
    clear_session_principal,
    complete_cognito_callback,
    configure_session_middleware,
    create_auth_dependency,
    load_session_principal,
    start_cognito_login,
    store_session_principal,
    verify_m2m_token_with_jwks,
)

Use submodules directly for admin and CLI-specific work. CLI config handling lives under daylily_auth_cognito.cli.config and is CLI-only.

Runtime Example

from daylily_auth_cognito import CognitoTokenVerifier, create_auth_dependency

verifier = CognitoTokenVerifier(
    region="us-west-2",
    user_pool_id="us-west-2_example",
    app_client_id="client-123",
)

current_principal = create_auth_dependency(verifier)

Browser Session Example

from daylily_auth_cognito import CognitoWebSessionConfig, configure_session_middleware

config = CognitoWebSessionConfig(
    domain="auth.example.test",
    client_id="client-123",
    redirect_uri="https://app.example.test/auth/callback",
    logout_uri="https://app.example.test/logout",
    session_secret_key="replace-me",
    session_cookie_name="app_session",
    public_base_url="https://app.example.test",
    server_instance_id="server-1",
)

configure_session_middleware(app, config)

Hosted UI callbacks exchange the authorization code asynchronously in the web path and only persist normalized principal data in the session. Raw OAuth tokens are rejected.

CLI

Activate the repo, then use daycog:

source ./activate
daycog --help
daycog status
daycog auth-config print
daycog setup --help

CLI config remains at ~/.config/daycog/config.yaml.

The flat-file config model is implemented in daylily_auth_cognito.cli.config; its internal config helper is not part of the runtime surface.

Layout

daylily_auth_cognito/
  runtime/
  browser/
  admin/
  cli/
  policy/

Name		Name	Last commit message	Last commit date
Latest commit History 125 Commits
.github/workflows		.github/workflows
daylily_auth_cognito		daylily_auth_cognito
docs		docs
scripts		scripts
tests		tests
tools		tools
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
AGENTS.md		AGENTS.md
AI_DIRECTIVE.md		AI_DIRECTIVE.md
CHANGELOG.md		CHANGELOG.md
CHANGELOG_2_0_0.md		CHANGELOG_2_0_0.md
IMPLEMENTATION_PLAN.md		IMPLEMENTATION_PLAN.md
LICENSE		LICENSE
MIGRATING_TO_2_0_0.md		MIGRATING_TO_2_0_0.md
README.md		README.md
activate		activate
daylily_cognito_env.yaml		daylily_cognito_env.yaml
environment.yml		environment.yml
pyproject.toml		pyproject.toml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

daylily-auth-cognito

Install

Public API

Runtime Example

Browser Session Example

CLI

Layout

Docs

About

Uh oh!

Releases 7

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

daylily-auth-cognito

Install

Public API

Runtime Example

Browser Session Example

CLI

Layout

Docs

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 7

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages