📝 Update documentation.

Author: Raphael Krupinski

Readme.md

@@ -5,7 +5,7 @@
 Python DSL for Web API clients.
 
 Also check [lapidary-render](https://github.com/python-lapidary/lapidary-render/),
-a command line program that generates Lapidary client code from OpenAPI documents.
+a command line program that generates Lapidary clients from OpenAPI.
 
 ## Features
 
@@ -20,65 +20,57 @@ pip install lapidary
 ```
 
 or with Poetry
+
 ```console
 poetry add lapidary
 ```
 
 ## Usage
 
+With Lapidary, you define an API client by creating a class that mirrors the API structure, akin to OpenAPI but through
+decorated and annotated Python methods. Calling these method handles making HTTP requests and transforming the responses
+back into Python objects.
+
 ```python
-import dataclasses as dc
 from typing import Annotated, Self
-
-import pydantic
-
-from lapidary.runtime import ClientBase, ParamStyle, Path, Responses, get
-
+from lapidary.runtime import *
 
 # Define models
-# Pydantic models are recommended, but classes cannot inherit from both BaseModel and Exception.
 
-@dc.dataclass
-class ServerError(Exception):
-    msg: str
-
-
-class Cat(pydantic.BaseModel):
+class Cat(ModelBase):
     id: int
     name: str
 
 # Declare the client
 
 class CatClient(ClientBase):
     def __init__(
-            self,
-            base_url = 'http://localhost:8080/api',
+        self,
+        base_url='http://localhost:8080/api',
     ):
         super().__init__(base_url=base_url)
 
-    # Parameters are interpreted according to their annotation.
-    # Response is parsed according to the return type annotation.
-
     @get('/cat/{id}')
     async def cat_get(
-            self: Self,
-            *,
-            id: Annotated[int, Path(style=ParamStyle.simple)],
+        self: Self,
+        *,
+        id: Annotated[int, Path(style=ParamStyle.simple)],
     ) -> Annotated[Cat, Responses({
         '2XX': {
             'application/json': Cat
         },
-        '4XX': {
-            'application/json': ServerError
-        },
     })]:
         pass
 
-client = CatClient()
-cat = await client.cat_get(id=7)
+# User code
+
+async def main():
+    client = CatClient()
+    cat = await client.cat_get(id=7)
 ```
 
-See [this test file](https://github.com/python-lapidary/lapidary/blob/develop/tests/test_client.py) for a working example.
+See [this test file](https://github.com/python-lapidary/lapidary/blob/develop/tests/test_client.py) for a working
+example.
 
 [Full documentation](https://lapidary.dev)
 

docs/usage/auth.md

@@ -1,116 +1,101 @@
 # Authentication
 
-OpenAPI allows declaring security schemes and security requirements of operations.
+## Model
 
-Lapidary allows declaring methods that create or consume `httpx.Auth` objects.
+Lapidary allows API client authors to declare security requirements using maps that specify acceptable security schemes
+per request. OAuth2 schemes require specifying scopes, while other schemes use an empty list.
 
-## Basic auth
+For example, a call might require authentication with either two specific schemes together (auth1 and auth2) or another
+pair (auth3 and auth4):
 
-TODO
+```python
+security = [
+    {
+        'auth1': ['scope1'],
+        'auth2': ['scope1', 'scope2'],
+    },
+    {
+        'auth3': ['scope3'],
+        'auth4': [],
+    },
+]
+```
+
+Lapidary also supports optional authentication, allowing for certain operations, such as a login endpoint, to forego the
+global security requirements specified for the API:
+
+```python
+security = [
+    {'auth': []},
+    {},  # unauthenticated calls allowed
+]
+```
 
-## Login endpoints
+You can also use this method to disable global security requirement for a particular operation (e.g. login endpoint).
 
-A `/login/` or `/authenticate/` endpoint that returns the token is quite common with simpler authentication schemes like http or apiKey, yet their support is poor in OpenAPI. There's no way to connect
-such endpoint to a security scheme as in the case of OIDC.
+## Usage
 
-A function that handles such an endpoint can declare that it returns an Auth object, but it's not obvious to the user of python API which security scheme the method returns.
+Lapidary handles security schemes through httpx.Auth instances, wrapped in `NamedAuth` tuple.
+You can define security requirements globally in the client `__init__()` or at the operation level with decorators, where
+operation-level declarations override global settings.
+
+Lapidary validates security requirements at runtime, ensuring that any method call is accompanied by the necessary
+authentication, as specified by its security requirements. This process involves matching the provided authentication
+against the declared requirements before proceeding with the request. To meet these requirements, the user must have
+previously configured the necessary Auth instances using lapidary_authenticate.
 
 ```python
-from httpx import Auth
-import pydantic
-from typing_extensions import Annotated, Self
-
-from lapidary.runtime import post, ClientBase, RequestBody, APIKeyAuth, Responses
-
-
-class LoginRequest(pydantic.BaseModel):
-    ...
-
-
-class LoginResponse(pydantic.BaseModel):
-    token: str
-
-
-class Client(ClientBase):
-    @post('/login')
-    def login(
-            self: Self,
-            *,
-            body: Annotated[LoginRequest, RequestBody({'application/json': LoginRequest})],
-    ) -> Annotated[
-        Auth,
-        Responses({
-            '200': {
-                'application/json': Annotated[
-                    LoginResponse,
-                    APIKeyAuth(
-                        in_='header',
-                        name='Authorization',
-                        format='Token {body.token}'
-                    ),
-                ]
-            }
-        }),
-    ]:
-        """Authenticates with the "primary" security scheme"""
-```
+from lapidary.runtime import *
+from lapidary.runtime.auth import HeaderApiKey
+from typing import Self, Annotated
 
-The top return Annotated declares the returned type, the inner one declares the processing steps for the actual response.
-First the response is parsed as LoginResponse, then that object is passed to ApiKeyAuth which is a callable object.
 
-The result of the call, in this case an Auth object, is returned by the `login` function.
+class MyClient(ClientBase):
+    def __init__(self):
+        super().__init__(
+            base_url=...,
+            security=[{'apiKeyAuth': []}],
+        )
 
-The innermost Annotated is not necessary from the python syntax standpoint. It's done this way since it kind of matches the semantics of Annotated, but it could be replaced with a simple tuple or other type in the future.
+    @get('/api/operation', security=[{'admin_only': []}])
+    async def my_op(self: Self) -> ...:
+        pass
+
+    @post('/api/login', security=())
+    async def login(
+        self: Self,
+        user: Annotated[str, ...],
+        password: Annotated[str, ...],
+    ) -> ...:
+        pass
 
-## Using auth tokens
+# User code
+async def main():
+    client = MyClient()
 
-OpenApi allows operations to declare a collection of alternative groups of security requirements.
+    token = await client.login().token
+    client.lapidary_authenticate(apiKeyAuth=HeaderApiKey(token))
+    await client.my_op()
 
-The second most trivial example (the first being no security) is a single required security scheme.
-```yaml
-security:
-- primary: []
+    # optionally
+    client.lapidary_deauthenticate('apiKeyAuth')
 ```
-The name of the security scheme corresponds to a key in `components.securitySchemes` object.
 
-This can be represented as a simple parameter, named for example `primary_auth` and of type `httpx.Auth`.
-The parameter could be annotated as `Optional` if the security requirement is optional for the operation.
+`lapidary_authenticate` also accepts tuples of Auth instances with names, so this is possible:
 
-In case of multiple alternative groups of security requirements, it gets harder to properly describe which schemes are required and in what combination.
+```python
+def admin_auth(api_key: str) -> NamedAuth:
+    return 'admin_only', HeaderApiKey(api_key)
 
-Lapidary takes all passed `httpx.Auth` parameters and passes them to `httpx.AsyncClient.send(..., auth=auth_params)`, leaving the responsibility to select the right ones to the user.
 
-If multiple `Auth` parameters are passed, they're wrapped in `lapidary.runtime.aauth.MultiAuth`, which is just reexported `_MultiAuth` from `https_auth` package.
+client.lapidary_authencticate(admin_auth('my token'))
+```
 
-#### Example
+## De-registering Auth instances
 
-Auth object returned by the login operation declared in the above example can be used by another operation.
+To remove an auth instance, thereby allowing for unauthenticated calls or the use of alternative security schemes,
+lapidary_deauthenticate is used:
 
 ```python
-from httpx import Auth
-from typing import Annotated, Self
-
-from lapidary.runtime import ClientBase, get, post
-
-
-class Client(ClientBase):
-    @post('/login')
-    def login(
-            self: Self,
-            body: ...,
-    ) -> Annotated[
-        Auth,
-        ...
-    ]:
-        """Authenticates with the "primary" security scheme"""
-
-    @get('/private')
-    def private(
-            self: Self,
-            *,
-            primary_auth: Auth,
-    ):
-        pass
+client.lapidary_deauthenticate('apiKeyAuth')
 ```
-
-In this example the method `client.private` can be called with the auth object returned by `client.login`.

docs/usage/client.md

@@ -1,18 +1,24 @@
 # Client class
 
-Lapidary client is represented by a single class that holds all operation methods and encapsulates a `httpx.AsyncClient` instance.
+The core of the Lapidary API client is a single class that contains all the methods for API operations. This class is
+built around an `httpx.AsyncClient` instance to manage HTTP requests and responses.
+
+Example usage:
 
 ```python
-import lapidary.runtime
+from lapidary.runtime import *
 
 
-class CatClient(lapidary.runtime.ClientBase):
+class CatClient(ClientBase):
     ...
 ```
 
 # `__init__()` method
 
-Implementing `__init__()` is optional, and provides means to pass arguments, like `base_url`, to `httpx.AsyncClient.__init__`.
+Implementing the `__init__()` method is optional but useful for specifying default values for settings like
+the `base_url` of the API.
+
+Example implementation:
 
 ```python
 import lapidary.runtime
@@ -21,11 +27,12 @@ import lapidary.runtime
 class CatClient(lapidary.runtime.ClientBase):
     def __init__(
             self,
-            base_url='https://example.com/api'
+            base_url='https://example.com/api',
+            **kwargs
     ):
         super().__init__(
             base_url=base_url,
+            **kwargs
         )
-
     ...
 ```