aljaz/enclava
1
0
Fork 0
mirror of https://github.com/aljazceru/enclava.git synced 2025-12-17 15:34:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

mega changes

Browse Source
This commit is contained in:
Aljaz Ceru
2025-11-20 11:11:18 +01:00
parent e070c95190
commit 841d79f26b
138 changed files with 21499 additions and 8844 deletions
Download Patch File Download Diff File Expand all files Collapse all files

251
backend/app/api/v1/auth.py
View File

@@ -9,6 +9,7 @@ from fastapi.security import HTTPBearer
from pydantic import BaseModel, EmailStr, validator
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from sqlalchemy.orm import selectinload
from app.core.config import settings
from app.core.logging import get_logger
@@ -38,25 +39,25 @@ class UserRegisterRequest(BaseModel):
password: str
first_name: Optional[str] = None
last_name: Optional[str] = None
@validator('password')
@validator("password")
def validate_password(cls, v):
if len(v) < 8:
raise ValueError('Password must be at least 8 characters long')
raise ValueError("Password must be at least 8 characters long")
if not any(c.isupper() for c in v):
raise ValueError('Password must contain at least one uppercase letter')
raise ValueError("Password must contain at least one uppercase letter")
if not any(c.islower() for c in v):
raise ValueError('Password must contain at least one lowercase letter')
raise ValueError("Password must contain at least one lowercase letter")
if not any(c.isdigit() for c in v):
raise ValueError('Password must contain at least one digit')
raise ValueError("Password must contain at least one digit")
return v
@validator('username')
@validator("username")
def validate_username(cls, v):
if len(v) < 3:
raise ValueError('Username must be at least 3 characters long')
raise ValueError("Username must be at least 3 characters long")
if not v.isalnum():
raise ValueError('Username must contain only alphanumeric characters')
raise ValueError("Username must contain only alphanumeric characters")
return v
@@ -65,10 +66,10 @@ class UserLoginRequest(BaseModel):
username: Optional[str] = None
password: str
@validator('email')
@validator("email")
def validate_email_or_username(cls, v, values):
if v is None and not values.get('username'):
raise ValueError('Either email or username must be provided')
if v is None and not values.get("username"):
raise ValueError("Either email or username must be provided")
return v
@@ -77,6 +78,8 @@ class TokenResponse(BaseModel):
refresh_token: str
token_type: str = "bearer"
expires_in: int
force_password_change: Optional[bool] = None
message: Optional[str] = None
class UserResponse(BaseModel):
@@ -86,9 +89,9 @@ class UserResponse(BaseModel):
full_name: Optional[str]
is_active: bool
is_verified: bool
role: str
role: Optional[str]
created_at: datetime
class Config:
from_attributes = True
@@ -100,50 +103,47 @@ class RefreshTokenRequest(BaseModel):
class ChangePasswordRequest(BaseModel):
current_password: str
new_password: str
@validator('new_password')
@validator("new_password")
def validate_new_password(cls, v):
if len(v) < 8:
raise ValueError('Password must be at least 8 characters long')
raise ValueError("Password must be at least 8 characters long")
if not any(c.isupper() for c in v):
raise ValueError('Password must contain at least one uppercase letter')
raise ValueError("Password must contain at least one uppercase letter")
if not any(c.islower() for c in v):
raise ValueError('Password must contain at least one lowercase letter')
raise ValueError("Password must contain at least one lowercase letter")
if not any(c.isdigit() for c in v):
raise ValueError('Password must contain at least one digit')
raise ValueError("Password must contain at least one digit")
return v
@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
async def register(
user_data: UserRegisterRequest,
db: AsyncSession = Depends(get_db)
):
@router.post(
"/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED
)
async def register(user_data: UserRegisterRequest, db: AsyncSession = Depends(get_db)):
"""Register a new user"""
# Check if user already exists
stmt = select(User).where(User.email == user_data.email)
result = await db.execute(stmt)
if result.scalar_one_or_none():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Email already registered"
status_code=status.HTTP_400_BAD_REQUEST, detail="Email already registered"
)
# Check if username already exists
stmt = select(User).where(User.username == user_data.username)
result = await db.execute(stmt)
if result.scalar_one_or_none():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Username already taken"
status_code=status.HTTP_400_BAD_REQUEST, detail="Username already taken"
)
# Create new user
full_name = None
if user_data.first_name or user_data.last_name:
full_name = f"{user_data.first_name or ''} {user_data.last_name or ''}".strip()
user = User(
email=user_data.email,
username=user_data.username,
@@ -151,23 +151,29 @@ async def register(
full_name=full_name,
is_active=True,
is_verified=False,
role="user"
role_id=2, # Default to 'user' role (id=2)
)
db.add(user)
await db.commit()
await db.refresh(user)
return UserResponse.from_orm(user)
return UserResponse(
id=user.id,
email=user.email,
username=user.username,
full_name=user.full_name,
is_active=user.is_active,
is_verified=user.is_verified,
role=user.role.name if user.role else None,
created_at=user.created_at,
)
@router.post("/login", response_model=TokenResponse)
async def login(
user_data: UserLoginRequest,
db: AsyncSession = Depends(get_db)
):
async def login(user_data: UserLoginRequest, db: AsyncSession = Depends(get_db)):
"""Login user and return access tokens"""
# Determine identifier for logging and user lookup
identifier = user_data.email if user_data.email else user_data.username
logger.info(
@@ -187,9 +193,9 @@ async def login(
query_start = datetime.utcnow()
if user_data.email:
stmt = select(User).where(User.email == user_data.email)
stmt = select(User).options(selectinload(User.role)).where(User.email == user_data.email)
else:
stmt = select(User).where(User.username == user_data.username)
stmt = select(User).options(selectinload(User.role)).where(User.username == user_data.username)
result = await db.execute(stmt)
query_end = datetime.utcnow()
@@ -205,13 +211,18 @@ async def login(
identifier_lower = identifier.lower() if identifier else ""
admin_email = settings.ADMIN_EMAIL.lower() if settings.ADMIN_EMAIL else None
if user_data.email and admin_email and identifier_lower == admin_email and settings.ADMIN_PASSWORD:
if (
user_data.email
and admin_email
and identifier_lower == admin_email
and settings.ADMIN_PASSWORD
):
bootstrap_attempted = True
logger.info("LOGIN_ADMIN_BOOTSTRAP_START", email=user_data.email)
try:
await create_default_admin()
# Re-run lookup after bootstrap attempt
stmt = select(User).where(User.email == user_data.email)
stmt = select(User).options(selectinload(User.role)).where(User.email == user_data.email)
result = await db.execute(stmt)
user = result.scalar_one_or_none()
if user:
@@ -232,19 +243,21 @@ async def login(
)
except Exception as e:
logger.error("LOGIN_USER_LIST_FAILURE", error=str(e))
if bootstrap_attempted:
logger.warning("LOGIN_ADMIN_BOOTSTRAP_UNSUCCESSFUL", email=user_data.email)
logger.warning(
"LOGIN_ADMIN_BOOTSTRAP_UNSUCCESSFUL", email=user_data.email
)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password"
detail="Incorrect email or password",
)
logger.info("LOGIN_USER_FOUND", email=user.email, is_active=user.is_active)
logger.info("LOGIN_PASSWORD_VERIFY_START")
verify_start = datetime.utcnow()
if not verify_password(user_data.password, user.hashed_password):
verify_end = datetime.utcnow()
logger.warning(
@@ -253,21 +266,20 @@ async def login(
)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password"
detail="Incorrect email or password",
)
verify_end = datetime.utcnow()
logger.info(
"LOGIN_PASSWORD_VERIFY_SUCCESS",
duration_seconds=(verify_end - verify_start).total_seconds(),
)
if not user.is_active:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="User account is disabled"
status_code=status.HTTP_401_UNAUTHORIZED, detail="User account is disabled"
)
# Update last login
logger.info("LOGIN_LAST_LOGIN_UPDATE_START")
update_start = datetime.utcnow()
@@ -289,14 +301,12 @@ async def login(
"sub": str(user.id),
"email": user.email,
"is_superuser": user.is_superuser,
"role": user.role
"role": user.role.name if user.role else None,
},
expires_delta=access_token_expires
expires_delta=access_token_expires,
)
refresh_token = create_refresh_token(
data={"sub": str(user.id), "type": "refresh"}
)
refresh_token = create_refresh_token(data={"sub": str(user.id), "type": "refresh"})
token_end = datetime.utcnow()
logger.info(
"LOGIN_TOKEN_CREATE_SUCCESS",
@@ -308,65 +318,76 @@ async def login(
"LOGIN_DEBUG_COMPLETE",
total_duration_seconds=total_time.total_seconds(),
)
return TokenResponse(
access_token=access_token,
refresh_token=refresh_token,
expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60
)
# Check if user needs to change password
response_data = {
"access_token": access_token,
"refresh_token": refresh_token,
"token_type": "bearer",
"expires_in": settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
}
# Add force password change flag if needed
if user.force_password_change:
response_data["force_password_change"] = True
response_data["message"] = "Password change required on first login"
return response_data
@router.post("/refresh", response_model=TokenResponse)
async def refresh_token(
token_data: RefreshTokenRequest,
db: AsyncSession = Depends(get_db)
token_data: RefreshTokenRequest, db: AsyncSession = Depends(get_db)
):
"""Refresh access token using refresh token"""
try:
payload = verify_token(token_data.refresh_token)
user_id = payload.get("sub")
token_type = payload.get("type")
if not user_id or token_type != "refresh":
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid refresh token"
status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid refresh token"
)
# Get user from database
stmt = select(User).where(User.id == int(user_id))
stmt = select(User).options(selectinload(User.role)).where(User.id == int(user_id))
result = await db.execute(stmt)
user = result.scalar_one_or_none()
if not user or not user.is_active:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="User not found or inactive"
detail="User not found or inactive",
)
# Create new access token
access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
logger.info(f"REFRESH: Creating new access token with expiration: {access_token_expires}")
logger.info(f"REFRESH: ACCESS_TOKEN_EXPIRE_MINUTES from settings: {settings.ACCESS_TOKEN_EXPIRE_MINUTES}")
logger.info(
f"REFRESH: Creating new access token with expiration: {access_token_expires}"
)
logger.info(
f"REFRESH: ACCESS_TOKEN_EXPIRE_MINUTES from settings: {settings.ACCESS_TOKEN_EXPIRE_MINUTES}"
)
logger.info(f"REFRESH: Current UTC time: {datetime.utcnow().isoformat()}")
access_token = create_access_token(
data={
"sub": str(user.id),
"email": user.email,
"is_superuser": user.is_superuser,
"role": user.role
"role": user.role.name if user.role else None,
},
expires_delta=access_token_expires
expires_delta=access_token_expires,
)
return TokenResponse(
access_token=access_token,
refresh_token=token_data.refresh_token, # Keep same refresh token
expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60
expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
)
except HTTPException:
# Re-raise HTTPException without modification
raise
@@ -374,30 +395,37 @@ async def refresh_token(
# Log the actual error for debugging
logger.error(f"Refresh token error: {str(e)}", exc_info=True)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid refresh token"
status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid refresh token"
)
@router.get("/me", response_model=UserResponse)
async def get_current_user_info(
current_user: dict = Depends(get_current_active_user),
db: AsyncSession = Depends(get_db)
db: AsyncSession = Depends(get_db),
):
"""Get current user information"""
# Get full user details from database
stmt = select(User).where(User.id == int(current_user["id"]))
stmt = select(User).options(selectinload(User.role)).where(User.id == int(current_user["id"]))
result = await db.execute(stmt)
user = result.scalar_one_or_none()
if not user:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="User not found"
status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
)
return UserResponse.from_orm(user)
return UserResponse(
id=user.id,
email=user.email,
username=user.username,
full_name=user.full_name,
is_active=user.is_active,
is_verified=user.is_verified,
role=user.role.name if user.role else None,
created_at=user.created_at,
)
@router.post("/logout")
@@ -407,14 +435,12 @@ async def logout():
@router.post("/verify-token")
async def verify_user_token(
current_user: dict = Depends(get_current_user)
):
async def verify_user_token(current_user: dict = Depends(get_current_user)):
"""Verify if the current token is valid"""
return {
"valid": True,
"user_id": current_user["id"],
"email": current_user["email"]
"email": current_user["email"],
}
@@ -422,32 +448,31 @@ async def verify_user_token(
async def change_password(
password_data: ChangePasswordRequest,
current_user: dict = Depends(get_current_active_user),
db: AsyncSession = Depends(get_db)
db: AsyncSession = Depends(get_db),
):
"""Change user password"""
# Get user from database
stmt = select(User).where(User.id == int(current_user["id"]))
result = await db.execute(stmt)
user = result.scalar_one_or_none()
if not user:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="User not found"
status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
)
# Verify current password
if not verify_password(password_data.current_password, user.hashed_password):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Current password is incorrect"
detail="Current password is incorrect",
)
# Update password
user.hashed_password = get_password_hash(password_data.new_password)
user.updated_at = datetime.utcnow()
await db.commit()
return {"message": "Password changed successfully"}