from datetime import datetime, timedelta from typing import Optional, Tuple from uuid import uuid4 from black import timezone from jose import jwt, ExpiredSignatureError, JWTError from passlib.context import CryptContext from app.core.config import settings from app.schemas.token import TokenPayload, TokenResponse # Configuration SECRET_KEY = settings.SECRET_KEY ALGORITHM = "HS256" ACCESS_TOKEN_EXPIRE_MINUTES = 30 REFRESH_TOKEN_EXPIRE_DAYS = 7 # Password hashing context pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") def verify_password(plain_password: str, hashed_password: str) -> bool: """Verify a plain password against its hash.""" return pwd_context.verify(plain_password, hashed_password) def get_password_hash(password: str) -> str: """Generate password hash.""" return pwd_context.hash(password) def create_tokens(user_id: str) -> TokenResponse: """ Create both access and refresh tokens for a user. Args: user_id: The user's ID Returns: TokenResponse containing both tokens and metadata """ access_token = create_access_token({"sub": user_id}) refresh_token = create_refresh_token({"sub": user_id}) return TokenResponse( access_token=access_token, refresh_token=refresh_token, token_type="bearer", expires_in=ACCESS_TOKEN_EXPIRE_MINUTES * 60, user_id=user_id ) def create_token( data: dict, expires_delta: Optional[timedelta] = None, token_type: str = "access" ) -> str: """Create a JWT token with the specified type and expiration.""" to_encode = data.copy() if expires_delta: expire = datetime.utcnow() + expires_delta else: expire = datetime.utcnow() + ( timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) if token_type == "access" else timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS) ) to_encode.update({ "exp": expire, "type": token_type, "iat": datetime.utcnow(), "jti": str(uuid4()) }) return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM) def decode_token(token: str, required_type: str = "access") -> TokenPayload: """ Decode and validate a JWT token with explicit edge-case handling. Args: token: The JWT token to decode. required_type: The expected token type (default: "access"). Returns: TokenPayload containing the decoded data. Raises: JWTError: If the token is expired, invalid, or malformed. """ try: payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) # Explicitly validate required claims (`exp`, `sub`, `type`) if "exp" not in payload or "sub" not in payload or "type" not in payload: raise KeyError("Missing required claim.") # Verify token expiration (`exp`) if datetime.now() > datetime.fromtimestamp(payload["exp"]): raise ExpiredSignatureError("Token has expired.") # Verify token type (`type`) if payload["type"] != required_type: expected_type = required_type actual_type = payload["type"] raise JWTError(f"Invalid token type: expected '{expected_type}', got '{actual_type}'.") # Create TokenPayload object from token claims return TokenPayload( sub=payload["sub"], type=payload["type"], exp=datetime.fromtimestamp(payload["exp"]), iat=datetime.fromtimestamp(payload.get("iat", 0)), jti=payload.get("jti") ) except KeyError as e: raise JWTError("Malformed token. Missing required claim.") from e except ExpiredSignatureError as e: raise JWTError("Token expired. Please refresh your token to continue.") from e except JWTError as e: raise JWTError(str(e)) from e def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str: """Create a new access token.""" return create_token(data, expires_delta, "access") def create_refresh_token(data: dict, expires_delta: Optional[timedelta] = None) -> str: """Create a new refresh token.""" return create_token(data, expires_delta, "refresh")