Add foundational user authentication and registration system

Introduces schemas for user management, token handling, and password hashing. Implements routes for user registration, login, token refresh, and user info retrieval. Sets up authentication dependencies and integrates the API router with the application.
2025-02-28 16:18:03 +01:00
parent 290d91d395
commit 43df9d73b0
11 changed files with 467 additions and 1 deletions
--- a/backend/app/auth/init.py
+++ b/backend/app/auth/init.py
--- a/backend/app/auth/dependencies.py
+++ b/backend/app/auth/dependencies.py
@@ -0,0 +1,45 @@
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from auth.security import SECRET_KEY, ALGORITHM
+from app.core.database import get_db
+from models.user import User
+from app.schemas.token import TokenData
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="auth/token")
+
+async def get_current_user(
+        token: str = Depends(oauth2_scheme),
+        db: AsyncSession = Depends(get_db)
+):
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        user_id: str = payload.get("sub")
+        token_type: str = payload.get("type")
+
+        if user_id is None or token_type != "access":
+            raise credentials_exception
+
+    except JWTError:
+        raise credentials_exception
+
+    user = await db.get(User, user_id)
+    if user is None:
+        raise credentials_exception
+
+    return user
+
+async def get_current_active_user(
+        current_user: User = Depends(get_current_user),
+):
+    if not current_user.is_active:
+        raise HTTPException(status_code=400, detail="Inactive user")
+    return current_user
--- a/backend/app/auth/security.py
+++ b/backend/app/auth/security.py
@@ -0,0 +1,111 @@
+from datetime import datetime, timedelta
+from typing import Optional, Tuple
+from uuid import uuid4
+
+from jose import jwt, JWTError
+from passlib.context import CryptContext
+from app.core.config import settings
+from .token import TokenPayload, TokenResponse
+
+# Configuration
+SECRET_KEY = settings.SECRET_KEY
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 30
+REFRESH_TOKEN_EXPIRE_DAYS = 7
+
+# Password hashing context
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a plain password against its hash."""
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def get_password_hash(password: str) -> str:
+    """Generate password hash."""
+    return pwd_context.hash(password)
+
+
+def create_tokens(user_id: str) -> TokenResponse:
+    """
+    Create both access and refresh tokens for a user.
+
+    Args:
+        user_id: The user's ID
+
+    Returns:
+        TokenResponse containing both tokens and metadata
+    """
+    access_token = create_access_token({"sub": user_id})
+    refresh_token = create_refresh_token({"sub": user_id})
+
+    return TokenResponse(
+        access_token=access_token,
+        refresh_token=refresh_token,
+        token_type="bearer",
+        expires_in=ACCESS_TOKEN_EXPIRE_MINUTES * 60,
+        user_id=user_id
+    )
+
+
+def create_token(
+        data: dict,
+        expires_delta: Optional[timedelta] = None,
+        token_type: str = "access"
+) -> str:
+    """Create a JWT token with the specified type and expiration."""
+    to_encode = data.copy()
+
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + (
+            timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) if token_type == "access"
+            else timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS)
+        )
+
+    to_encode.update({
+        "exp": expire,
+        "type": token_type,
+        "iat": datetime.utcnow(),
+        "jti": str(uuid4())
+    })
+
+    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+
+
+def decode_token(token: str) -> TokenPayload:
+    """
+    Decode and validate a JWT token.
+
+    Args:
+        token: The JWT token to decode
+
+    Returns:
+        TokenPayload containing the decoded data
+
+    Raises:
+        JWTError: If token is invalid or expired
+    """
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return TokenPayload(
+            sub=payload["sub"],
+            type=payload["type"],
+            exp=datetime.fromtimestamp(payload["exp"]),
+            iat=datetime.fromtimestamp(payload["iat"]),
+            jti=payload.get("jti")
+        )
+    except JWTError as e:
+        raise JWTError(f"Invalid token: {str(e)}")
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """Create a new access token."""
+    return create_token(data, expires_delta, "access")
+
+
+def create_refresh_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """Create a new refresh token."""
+    return create_token(data, expires_delta, "refresh")