# Authentication and Authorization from datetime import datetime, timedelta from typing import Optional from jose import JWTError, jwt from passlib.context import CryptContext from fastapi import Depends, HTTPException, status, Header from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy import select import secrets from app.config.settings import settings from app.core.database import get_db from app.models.models import User from app.models.schemas import UserResponse # Password hashing pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") # Bearer token security security = HTTPBearer(auto_error=False) def verify_password(plain_password: str, hashed_password: str) -> bool: """Verify a password against its hash""" return pwd_context.verify(plain_password, hashed_password) def get_password_hash(password: str) -> str: """Generate password hash""" return pwd_context.hash(password) def generate_api_key() -> str: """Generate a secure random API key""" return secrets.token_urlsafe(48) def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str: """Create JWT access token""" to_encode = data.copy() if expires_delta: expire = datetime.utcnow() + expires_delta else: expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES) to_encode.update({"exp": expire, "type": "access"}) encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) return encoded_jwt def create_refresh_token(data: dict) -> str: """Create JWT refresh token""" to_encode = data.copy() expire = datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS) to_encode.update({"exp": expire, "type": "refresh"}) encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) return encoded_jwt def decode_token(token: str) -> dict: """Decode and verify JWT token""" try: payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM]) return payload except JWTError: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Could not validate credentials", headers={"WWW-Authenticate": "Bearer"}, ) async def get_user_by_email(db: AsyncSession, email: str) -> Optional[User]: """Get user by email""" result = await db.execute(select(User).filter(User.email == email)) return result.scalar_one_or_none() async def get_user_by_id(db: AsyncSession, user_id: int) -> Optional[User]: """Get user by ID""" result = await db.execute(select(User).filter(User.id == user_id)) return result.scalar_one_or_none() async def get_user_by_api_key(db: AsyncSession, api_key: str) -> Optional[User]: """Get user by API key""" result = await db.execute(select(User).filter(User.api_key == api_key)) return result.scalar_one_or_none() async def authenticate_user(db: AsyncSession, email: str, password: str) -> Optional[User]: """Authenticate user with email and password""" user = await get_user_by_email(db, email) if not user: return None if not verify_password(password, user.hashed_password): return None return user async def get_current_user_from_token( credentials: Optional[HTTPAuthorizationCredentials] = Depends(security), db: AsyncSession = Depends(get_db) ) -> User: """Get current user from JWT token""" if not credentials: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated", headers={"WWW-Authenticate": "Bearer"}, ) payload = decode_token(credentials.credentials) user_id: int = payload.get("sub") if user_id is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication credentials", ) user = await get_user_by_id(db, user_id) if user is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found", ) if not user.is_active: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Inactive user", ) return user async def get_current_user_from_api_key( api_key: Optional[str] = Header(None, alias=settings.API_KEY_HEADER), db: AsyncSession = Depends(get_db) ) -> Optional[User]: """Get current user from API key (optional)""" if not api_key: return None user = await get_user_by_api_key(db, api_key) if user and user.is_active: return user return None async def get_current_user_optional( token_user: Optional[User] = Depends(lambda: None), api_key_user: Optional[User] = Depends(get_current_user_from_api_key) ) -> Optional[User]: """Get current user from either token or API key (optional authentication)""" return token_user or api_key_user async def get_current_user( credentials: Optional[HTTPAuthorizationCredentials] = Depends(security), api_key: Optional[str] = Header(None, alias=settings.API_KEY_HEADER), db: AsyncSession = Depends(get_db) ) -> User: """Get current user from either JWT token or API key""" # Try JWT token first if credentials: payload = decode_token(credentials.credentials) user_id: int = payload.get("sub") if user_id: user = await get_user_by_id(db, user_id) if user and user.is_active: return user # Try API key if api_key: user = await get_user_by_api_key(db, api_key) if user and user.is_active: return user # If REQUIRE_AUTH is False, allow anonymous access if not settings.REQUIRE_AUTH: return None # Anonymous user raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated", headers={"WWW-Authenticate": "Bearer"}, ) async def get_current_active_admin( current_user: User = Depends(get_current_user_from_token) ) -> User: """Get current user and verify admin role""" if current_user.role != "admin": raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions", ) return current_user async def check_rate_limit(user: Optional[User], db: AsyncSession) -> bool: """Check if user has exceeded their daily quota""" if not user: return True # Anonymous users don't have quotas if user.requests_today >= user.daily_quota: raise HTTPException( status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail=f"Daily quota exceeded. Limit: {user.daily_quota} requests per day", ) # Increment request count user.requests_today += 1 user.total_requests += 1 await db.commit() return True