remove username/password auth (#270)

* remove user/pass sessions

* update templates

Author: Graeme22

.github/CONTRIBUTING.md

@@ -5,6 +5,6 @@ Since Tastytrade certification sessions are severely limited in capabilities, th
 ## Steps to follow to contribute
 
 1. Fork the repository to your personal Github account and make your proposed changes.
-2. Export your username, password, and account number to the following Github Actions repository secrets: `TT_USERNAME`, `TT_PASSWORD`, and `TT_ACCOUNT`. The account should be a margin account.
+2. Export your username, password, and account number to the following Github Actions repository secrets: `TT_SECRET`, `TT_REFRESH`, and `TT_ACCOUNT`. The account should be a margin account.
 3. Make sure you have at least one share of long $F in your account, which will be used to place the OCO complex order (nothing will fill), as well as at least $2 of buying power.
 4. Run `make install` to create the virtual environment, `make lint` to format your code, and `make test` to run the tests locally.

.github/pull_request_template.md

@@ -6,7 +6,7 @@ Fixes ...
 ## Pre-merge checklist
 - [ ] Code formatted correctly (check with `make lint`)
 - [ ] Code implemented for both sync and async
-- [ ] Passing tests locally (check with `make test`, make sure you have `TT_USERNAME`, `TT_PASSWORD`, and `TT_ACCOUNT` environment variables set)
+- [ ] Passing tests locally (check with `make test`, make sure you have `TT_REFRESH`, `TT_SECRET`, and `TT_ACCOUNT` environment variables set)
 - [ ] New tests added (if applicable)
 
 Please note that, in order to pass the tests, you'll need to set up your Tastytrade credentials as repository secrets on your local fork. Read more at CONTRIBUTING.md.

.github/workflows/python-app.yml

@@ -32,10 +32,8 @@ jobs:
       run: |
         uv run pytest --cov=tastytrade --cov-report=term-missing tests/ --cov-fail-under=95
       env:
-        TT_USERNAME: ${{ secrets.TT_USERNAME }}
-        TT_PASSWORD: ${{ secrets.TT_PASSWORD }}
-        TT_USERNAME_SANDBOX: ${{ secrets.TT_USERNAME_SANDBOX }}
-        TT_PASSWORD_SANDBOX: ${{ secrets.TT_PASSWORD_SANDBOX }}
+        TT_REFRESH_SANDBOX: ${{ secrets.TT_REFRESH_SANDBOX }}
+        TT_SECRET_SANDBOX: ${{ secrets.TT_SECRET_SANDBOX }}
         TT_ACCOUNT: ${{ secrets.TT_ACCOUNT }}
         TT_REFRESH: ${{ secrets.TT_REFRESH }}
         TT_SECRET: ${{ secrets.TT_SECRET }}

docs/api/backtesting.rst

@@ -39,7 +39,6 @@ A simple, reverse-engineered, sync/async SDK for Tastytrade built on their (now
    account-streamer
    data-streamer
    market-data
-   backtest
    market-sessions
    watchlists
 
@@ -49,7 +48,6 @@ A simple, reverse-engineered, sync/async SDK for Tastytrade built on their (now
    :hidden:
 
    api/account
-   api/backtesting
    api/dxfeed
    api/instruments
    api/market-data

docs/backtest.rst

@@ -1,68 +1,33 @@
 Sessions
 ========
 
-Creating a session
-------------------
+Creating an OAuth application
+-----------------------------
 
-A session object is required to authenticate your requests to the Tastytrade API.
-To create a production (real) session using your normal login:
+A session object is required to authenticate your requests to the Tastytrade API. Tastytrade uses OAuth logins, which allow you to connect applications (third-party or private) to your trading account to use the API.
 
-.. code-block:: python
+To get started, create a new OAuth application `here <https://my.tastytrade.com/app.html#/manage/api-access/oauth-applications>`_. Check all the scopes you plan to use, then create the application. **Save the client secret**, then go to OAuth Applications > Manage > Create Grant to create a new grant with the same scopes. This will give you a refresh token, **which you should also save**.
 
-   from tastytrade import Session
-   session = Session('username', 'password')
+At this point, OAuth is now setup correctly! Doing the above once is sufficient for **indefinite usage** of ``Session`` for authentication to the API, since refresh tokens never expire. From now on you can simply authenticate with your client secret and refresh token.
 
-A certification (test) account can be created `here <https://developer.tastytrade.com/sandbox/>`_, then used to create a session.
+Creating a session
+------------------
 
 .. code-block:: python
 
    from tastytrade import Session
-   session = Session('username', 'password', is_test=True)
-
-You can make a session persistent by generating a remember token, which is valid for 24 hours:
-
-.. code-block:: python
-
-   session = Session('username', 'password', remember_me=True)
-   remember_token = session.remember_token
-   # remember token replaces the password for the next login
-   new_session = Session('username', remember_token=remember_token)
-
-.. note::
-   If you used a certification (test) account to create the session associated with the `remember_token`, you must set `is_test=True` when creating subsequent sessions.
-
-OAuth sessions
---------------
-
-Tastytrade has recently added support for OAuth logins, which allow you to connect an application for the purposes of managing trades on your behalf. Apart from allowing you to connect to 3rd-party apps (or build your own), you can also build a private OAuth application, which provides better security compared to username/password authentication since you don't have to expose your login information.
-
-To get started, create a new OAuth application `here <https://my.tastytrade.com/app.html#/manage/api-access/oauth-applications>`_. You'll need to check all the scopes and save the client ID and client secret. Then, run this code:
 
-.. code-block:: python
-
-   from tastytrade.oauth import login
-
-   login()
-
-This will open up a web interface in your browser where you'll be prompted to paste your client ID and client secret. These credentials will then be used to connect your application to Tastytrade. After following the steps in your browser, you should see your refresh token in the browser and in the console, which you should save.
-
-At this point, OAuth is now setup correctly! Doing the above once is sufficient for **indefinite usage** of ``OAuthSession`` for authentication to the API, since refresh tokens never expire. From now on you can simply authenticate like so:
-
-.. code-block:: python
+   session = Session('client_secret', 'refresh_token')
 
-   from tastytrade import OAuthSession
-
-   session = OAuthSession('my-client-secret', 'my-refresh-token')
-
-These session objects can be used almost anywhere you can use a normal session:
+These session objects can be used to make API requests:
 
 .. code-block:: python
 
    from tastytrade import Account
 
    accounts = Account.get(session)
 
-Note that OAuth sessions make API requests using a special session token, which has a duration of only 15 minutes. However, since the refresh tokens last forever, you can call ``OAuthSession.refresh()`` to refresh the session token whenever needed. The session object will keep track of session expiration time for you to make it easier to know when to refresh:
+Note that OAuth sessions make API requests using a special session token, which has a duration of only 15 minutes. However, since the refresh tokens last forever, you can call ``Session.refresh()`` to refresh the session token whenever needed. The session object will keep track of session expiration time for you to make it easier to know when to refresh:
 
 .. code-block:: python
 
@@ -71,3 +36,10 @@ Note that OAuth sessions make API requests using a special session token, which
    if now_in_new_york() > session.session_expiration:
        session.refresh()
        print(Account.get(session))
+
+A sandbox account for testing can be created `here <https://developer.tastytrade.com/sandbox/>`_, then used to create a session in the same way:
+
+.. code-block:: python
+
+   from tastytrade import Session
+   session = Session('client_secret', 'refresh_token', is_test=True)

docs/index.rst

@@ -1,10 +1,9 @@
 import logging
 
 API_URL = "https://api.tastyworks.com"
-BACKTEST_URL = "https://backtester.vast.tastyworks.com"
 CERT_URL = "https://api.cert.tastyworks.com"
 VAST_URL = "https://vast.tastyworks.com"
-VERSION = "10.3.1"
+VERSION = "11.0.0"
 
 __version__ = VERSION
 version_str: str = f"tastyware/tastytrade:v{VERSION}"
@@ -15,13 +14,7 @@
 # ruff: noqa: E402
 
 from .account import Account
-from .session import OAuthSession, Session
+from .session import Session
 from .streamer import AlertStreamer, DXLinkStreamer
 
-__all__ = [
-    "Account",
-    "AlertStreamer",
-    "DXLinkStreamer",
-    "OAuthSession",
-    "Session",
-]
+__all__ = ["Account", "AlertStreamer", "DXLinkStreamer", "Session"]

docs/sessions.rst

@@ -1681,6 +1681,8 @@ async def a_get_order_chains(
         Get a list of order chains (open + rolls + close) for given symbol
         over the given time frame, with total P/L, commissions, etc.
 
+        Not supported for OAuth sessions--write Tasty to get this added!
+
         :param session: the session to use for the request.
         :param symbol: the underlying symbol for the chains.
         :param start_time: the beginning time of the query.
@@ -1720,6 +1722,8 @@ def get_order_chains(
         Get a list of order chains (open + rolls + close) for given symbol
         over the given time frame, with total P/L, commissions, etc.
 
+        Not supported for OAuth sessions--write Tasty to get this added!
+
         :param session: the session to use for the request.
         :param symbol: the underlying symbol for the chains.
         :param start_time: the beginning time of the query.