- **Authentication & Lifespan Updates:** Add @asynccontextmanager for application lifecycle management, including startup/shutdown handling and daily session cleanup scheduling. Reduce token expiration from 24 hours to 15 minutes for enhanced security. Streamline superuser field validation via schema, removing redundant defensive checks.

This commit is contained in:
2025-11-02 12:38:09 +01:00
parent 6e95469d99
commit 76d36e1b12
4 changed files with 50 additions and 631 deletions


@@ -143,17 +143,8 @@ async def update_current_user(
"""
Update current user's profile.
Users cannot elevate their own permissions (is_superuser).
Users cannot elevate their own permissions (protected by UserUpdate schema validator).
"""
# Prevent users from making themselves superuser
# NOTE: Pydantic validator will reject is_superuser != None, but this provides defense in depth
if getattr(user_update, 'is_superuser', None) is not None:
logger.warning(f"User {current_user.id} attempted to modify is_superuser field")
raise AuthorizationError(
message="Cannot modify superuser status",
error_code=ErrorCode.INSUFFICIENT_PERMISSIONS
)
try:
updated_user = await user_crud.update(
db,
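Review bot: Removing the explicit is_superuser guard that followed the docstring makes the self-elevation check depend entirely on the UserUpdate schema validator, which lives outside this file and is not touched by this diff, so a later relaxation of that validator would silently reopen privilege escalation here, and update_user further down loses the same guard. The old check also logged a warning carrying the caller's user id, so an attempted elevation was an auditable event, whereas a schema rejection surfaces only as a generic validation error with no security log. I would keep the audit signal and pin the invariant where the check used to be: `# Authorization invariant: UserUpdate rejects any is_superuser value (see its validator); relaxing that validator reopens self-elevation here.` together with a unit test asserting that constructing UserUpdate with is_superuser set raises. Note also that update_user previously let superusers past this check (`and not current_user.is_superuser`), so if the validator now rejects the field for everyone, superusers can no longer change the flag through that endpoint — confirm that is intended. update_current_user's body continues outside the hunk.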
@@ -243,7 +234,7 @@ async def update_user(
Update user by ID.
Users can update their own profile. Superusers can update any profile.
Regular users cannot modify is_superuser field.
Superuser field modification is prevented by UserUpdate schema validator.
"""
# Check permissions
is_own_profile = str(user_id) == str(current_user.id)
@@ -265,15 +256,6 @@ async def update_user(
error_code=ErrorCode.USER_NOT_FOUND
)
# Prevent non-superusers from modifying superuser status
# NOTE: Pydantic validator will reject is_superuser != None, but this provides defense in depth
if getattr(user_update, 'is_superuser', None) is not None and not current_user.is_superuser:
logger.warning(f"User {current_user.id} attempted to modify is_superuser field")
raise AuthorizationError(
message="Cannot modify superuser status",
error_code=ErrorCode.INSUFFICIENT_PERMISSIONS
)
try:
updated_user = await user_crud.update(db, db_obj=user, obj_in=user_update)
logger.info(f"User {user_id} updated by {current_user.id}")