user-module
myfy UserModule for authentication with email/password, OAuth, sessions, and JWT. Use when working with UserModule, BaseUser, OAuth providers, login, registration, password reset, email verification, or user authentication.
What this skill does
# UserModule - User Authentication
UserModule provides complete user authentication with email/password, OAuth, sessions, and JWT tokens.
## Quick Start
```python
from myfy.core import Application
from myfy.data import DataModule
from myfy.web import WebModule
from myfy.web.auth import AuthModule
from myfy.user import UserModule, BaseUser
from sqlalchemy.orm import Mapped, mapped_column
from sqlalchemy import String
# Extend BaseUser with custom fields
class User(BaseUser):
__tablename__ = "users"
phone: Mapped[str | None] = mapped_column(String(20))
# Create module
user_module = UserModule(
user_model=User,
oauth_providers=["google", "github"],
auto_create_tables=True,
)
# Set up application
app = Application()
app.add_module(DataModule())
app.add_module(WebModule())
app.add_module(AuthModule(
authenticated_provider=user_module.get_authenticated_provider(),
))
app.add_module(user_module)
```
## Configuration
Environment variables use the `MYFY_USER_` prefix:
| Variable | Default | Description |
|----------|---------|-------------|
| `MYFY_USER_SECRET_KEY` | (auto-generated) | Secret for JWT/sessions |
| `MYFY_USER_SESSION_LIFETIME` | `604800` | Session duration (7 days, in seconds) |
| `MYFY_USER_JWT_ALGORITHM` | `HS256` | JWT signing algorithm |
| `MYFY_USER_JWT_ACCESS_TOKEN_LIFETIME` | `3600` | JWT access token lifetime |
| `MYFY_USER_PASSWORD_MIN_LENGTH` | `8` | Minimum password length |
| `MYFY_USER_REQUIRE_EMAIL_VERIFICATION` | `True` | Require email verification |
### OAuth Configuration
```bash
# Google OAuth
MYFY_USER_OAUTH_GOOGLE_CLIENT_ID=your-client-id
MYFY_USER_OAUTH_GOOGLE_CLIENT_SECRET=your-secret
# GitHub OAuth
MYFY_USER_OAUTH_GITHUB_CLIENT_ID=your-client-id
MYFY_USER_OAUTH_GITHUB_CLIENT_SECRET=your-secret
```
## Module Options
```python
UserModule(
user_model=User, # Custom user model (must extend BaseUser)
oauth_providers=["google"], # OAuth providers to enable
auto_create_tables=True, # Create tables on start
enable_routes=True, # Register auth routes
enable_templates=True, # Provide Jinja2 templates
)
```
## Custom User Model
```python
from myfy.user import BaseUser
from sqlalchemy.orm import Mapped, mapped_column
from sqlalchemy import String, Boolean
class User(BaseUser):
__tablename__ = "users"
# Custom fields
phone: Mapped[str | None] = mapped_column(String(20))
is_admin: Mapped[bool] = mapped_column(Boolean, default=False)
company_id: Mapped[int | None] = mapped_column(ForeignKey("companies.id"))
# Relationships
company: Mapped["Company"] = relationship(back_populates="users")
```
BaseUser provides:
- `id`: Primary key
- `email`: Unique email address
- `password_hash`: Hashed password
- `is_active`: Account active status
- `is_verified`: Email verified status
- `created_at`, `updated_at`: Timestamps
## Protected Routes
```python
from myfy.web import route, Authenticated
@route.get("/profile")
async def profile(user: User) -> dict:
# user is injected if authenticated
# Returns 401 if not authenticated
return {"email": user.email, "name": user.name}
@route.get("/admin")
async def admin_dashboard(user: User) -> dict:
if not user.is_admin:
abort(403, "Admin access required")
return {"message": "Welcome, admin"}
```
## Auth Routes
UserModule registers these routes by default:
| Route | Method | Description |
|-------|--------|-------------|
| `/auth/login` | GET/POST | Login page and handler |
| `/auth/logout` | POST | Logout (clear session) |
| `/auth/register` | GET/POST | Registration page and handler |
| `/auth/forgot-password` | GET/POST | Password reset request |
| `/auth/reset-password` | GET/POST | Password reset form |
| `/auth/verify-email` | GET | Email verification link |
| `/auth/google` | GET | Google OAuth start |
| `/auth/google/callback` | GET | Google OAuth callback |
| `/auth/github` | GET | GitHub OAuth start |
| `/auth/github/callback` | GET | GitHub OAuth callback |
## Using UserService
```python
from myfy.user import UserService
@route.post("/users")
async def create_user(body: CreateUserRequest, user_service: UserService) -> dict:
user = await user_service.create(
email=body.email,
password=body.password,
)
return {"id": user.id}
@route.get("/users/{user_id}")
async def get_user(user_id: int, user_service: UserService) -> dict:
user = await user_service.get_by_id(user_id)
if not user:
abort(404, "User not found")
return {"email": user.email}
```
## Session vs JWT
### Session-Based (Web)
Default for web routes. Session ID stored in cookie.
```python
@route.get("/dashboard")
async def dashboard(user: User) -> str:
# Session cookie auto-validated
return render_template("dashboard.html", user=user)
```
### JWT-Based (API)
For API clients, use JWT tokens.
```python
from myfy.user import JWTService
@route.post("/api/login")
async def api_login(body: LoginRequest, jwt_service: JWTService, user_service: UserService) -> dict:
user = await user_service.authenticate(body.email, body.password)
if not user:
abort(401, "Invalid credentials")
token = jwt_service.create_token(user)
return {"token": token}
```
Client sends token in header:
```
Authorization: Bearer <token>
```
## OAuth Integration
### Google OAuth
```python
user_module = UserModule(
user_model=User,
oauth_providers=["google"],
)
```
Login link:
```html
<a href="/auth/google" class="btn">Login with Google</a>
```
### GitHub OAuth
```python
user_module = UserModule(
user_model=User,
oauth_providers=["github"],
)
```
Login link:
```html
<a href="/auth/github" class="btn">Login with GitHub</a>
```
## Email Verification
Enable verification:
```bash
MYFY_USER_REQUIRE_EMAIL_VERIFICATION=true
```
Users must verify email before full access. Verification link sent on registration.
## Password Reset
1. User requests reset at `/auth/forgot-password`
2. Reset email sent with secure token
3. User clicks link to `/auth/reset-password?token=...`
4. User enters new password
## Custom Templates
Override default templates by placing files in your templates directory:
```
frontend/templates/auth/
login.html
register.html
forgot-password.html
reset-password.html
verify-email.html
```
## Best Practices
1. **Set a strong SECRET_KEY** - Use a long random string
2. **Enable email verification** - For production apps
3. **Use OAuth where possible** - Reduces password management burden
4. **Extend BaseUser** - Don't modify it directly
5. **Use sessions for web, JWT for API** - Different use cases
6. **Hash passwords** - UserService handles this automatically
7. **Rate limit auth routes** - Prevent brute force attacks
Related in Productivity
gitea-workflow
IncludedOrchestrate agile development workflows for Gitea repositories using the tea CLI. Use when working with Gitea-hosted repos and asking to 'run the workflow', 'continue working', 'what's next', 'complete the task cycle', 'start my day', 'end the sprint', 'implement the next task', or wanting guided step-by-step development assistance. Keywords: workflow, orchestrate, agile, task cycle, sprint, daily, implement, review, PR, standup, retrospective, gitea, tea.
microsoft-graph-gateway
IncludedRoute Microsoft Graph work in this workspace. Use when users want to read or write Outlook mail, calendar events, contacts, OneDrive or SharePoint files, Teams, Planner, To Do, users, groups, directory data, or arbitrary Microsoft Graph endpoints from VS Code. Prefer WorkIQ for common read scenarios. Use Microsoft Graph for write actions and gap-read scenarios that need exact Graph properties, filters, permissions, or endpoints.
copilotkit
IncludedUse when building with CopilotKit — setup, development, integrations, debugging, upgrading, or contributing. Routes to the appropriate specialized skill based on the task.
wordly-wisdom
IncludedProvides calibrated decision analysis using Charlie Munger-style multiple mental models, inversion, incentive mapping, circle-of-competence checks, misjudgment audits, second-order effects, and forecast updates. Use when the user asks for an oracle take, a hard call, a decision memo, a premortem, an outside view, a red-team, a sanity-check, what am I missing, think this through, or wants a strategy, hire, investment, plan, product, partnership, or major life choice analysed. Avoid for simple factual lookups or time-sensitive legal, medical, or market questions without fresh evidence.
swain-session
IncludedSession management and project status dashboard. Owns the full session lifecycle (start/work/close/resume), focus lane, bookmarks, worktree detection, and tab naming. Also serves as the project status dashboard — shows active epics, progress, actionable next steps, blocked items, tasks, GitHub issues, and recommendations. Worktree creation is deferred to swain-do task dispatch (SPEC-195). Triggers on: 'session', 'status', 'what's next', 'dashboard', 'overview', 'where are we', 'what should I work on', 'show me priorities', 'bookmark', 'focus on', 'session info'.
gandi
IncludedComprehensive Gandi domain registrar integration for domain and DNS management. Register and manage domains, create/update/delete DNS records (A, AAAA, CNAME, MX, TXT, SRV, and more), configure email forwarding and aliases, check SSL certificate status, create DNS snapshots for safe rollback, bulk update zone files, and monitor domain expiration. Supports multi-domain management, zone file import/export, and automated DNS backups. Includes both read-only and destructive operations with safety controls.