cardosofelipe/syndarix
1
0
Fork 0
forked from cardosofelipe/pragma-stack
Code Issues 18 Pull Requests Wiki Activity

refactor(backend): enforce route→service→repo layered architecture

Browse Source 
- introduce custom repository exception hierarchy (DuplicateEntryError,
  IntegrityConstraintError, InvalidInputError) replacing raw ValueError
- eliminate all direct repository imports and raw SQL from route layer
- add UserService, SessionService, OrganizationService to service layer
- add get_stats/get_org_distribution service methods replacing admin inline SQL
- fix timing side-channel in authenticate_user via dummy bcrypt check
- replace SHA-256 client secret fallback with explicit InvalidClientError
- replace assert with InvalidGrantError in authorization code exchange
- replace N+1 token revocation loops with bulk UPDATE statements
- rename oauth account token fields (drop misleading 'encrypted' suffix)
- add Alembic migration 0003 for token field column rename
- add 45 new service/repository tests; 975 passing, 94% coverage
This commit is contained in:
Felipe Cardoso
2026-02-27 09:32:57 +01:00
parent 0646c96b19
commit 98b455fdc3
62 changed files with 2933 additions and 1728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/app/api/dependencies/auth.py
View File

@@ -1,12 +1,12 @@
from fastapi import Depends, Header, HTTPException, status
from fastapi.security import OAuth2PasswordBearer
from fastapi.security.utils import get_authorization_scheme_param
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
from app.core.auth import TokenExpiredError, TokenInvalidError, get_token_data
from app.core.database import get_db
from app.models.user import User
from app.repositories.user import user_repo
# OAuth2 configuration
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
@@ -32,9 +32,8 @@ async def get_current_user(
# Decode token and get user ID
token_data = get_token_data(token)
# Get user from database
result = await db.execute(select(User).where(User.id == token_data.user_id))
user = result.scalar_one_or_none()
# Get user from database via repository
user = await user_repo.get(db, id=str(token_data.user_id))
if not user:
raise HTTPException(
@@ -144,8 +143,7 @@ async def get_optional_current_user(
try:
token_data = get_token_data(token)
result = await db.execute(select(User).where(User.id == token_data.user_id))
user = result.scalar_one_or_none()
user = await user_repo.get(db, id=str(token_data.user_id))
if not user or not user.is_active:
return None
return user

6
backend/app/api/dependencies/permissions.py
View File

@@ -15,9 +15,9 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.api.dependencies.auth import get_current_user
from app.core.database import get_db
from app.crud.organization import organization as organization_crud
from app.models.user import User
from app.models.user_organization import OrganizationRole
from app.services.organization_service import organization_service
def require_superuser(current_user: User = Depends(get_current_user)) -> User:
@@ -81,7 +81,7 @@ class OrganizationPermission:
return current_user
# Get user's role in organization
user_role = await organization_crud.get_user_role_in_org(
user_role = await organization_service.get_user_role_in_org(
db, user_id=current_user.id, organization_id=organization_id
)
@@ -123,7 +123,7 @@ async def require_org_membership(
if current_user.is_superuser:
return current_user
user_role = await organization_crud.get_user_role_in_org(
user_role = await organization_service.get_user_role_in_org(
db, user_id=current_user.id, organization_id=organization_id
)

41
backend/app/api/dependencies/services.py Normal file
View File

@@ -0,0 +1,41 @@
# app/api/dependencies/services.py
"""FastAPI dependency functions for service singletons."""
from app.services import oauth_provider_service
from app.services.auth_service import AuthService
from app.services.oauth_service import OAuthService
from app.services.organization_service import OrganizationService, organization_service
from app.services.session_service import SessionService, session_service
from app.services.user_service import UserService, user_service
def get_auth_service() -> AuthService:
"""Return the AuthService singleton for dependency injection."""
from app.services.auth_service import AuthService as _AuthService
return _AuthService()
def get_user_service() -> UserService:
"""Return the UserService singleton for dependency injection."""
return user_service
def get_organization_service() -> OrganizationService:
"""Return the OrganizationService singleton for dependency injection."""
return organization_service
def get_session_service() -> SessionService:
"""Return the SessionService singleton for dependency injection."""
return session_service
def get_oauth_service() -> OAuthService:
"""Return OAuthService for dependency injection."""
return OAuthService()
def get_oauth_provider_service():
"""Return the oauth_provider_service module for dependency injection."""
return oauth_provider_service

214
backend/app/api/routes/admin.py
View File

@@ -14,7 +14,6 @@ from uuid import UUID
from fastapi import APIRouter, Depends, Query, status
from pydantic import BaseModel, Field
from sqlalchemy import func, select
from sqlalchemy.ext.asyncio import AsyncSession
from app.api.dependencies.permissions import require_superuser
@@ -25,12 +24,12 @@ from app.core.exceptions import (
ErrorCode,
NotFoundError,
)
from app.crud.organization import organization as organization_crud
from app.crud.session import session as session_crud
from app.crud.user import user as user_crud
from app.models.organization import Organization
from app.core.repository_exceptions import DuplicateEntryError
from app.models.user import User
from app.models.user_organization import OrganizationRole, UserOrganization
from app.models.user_organization import OrganizationRole
from app.services.organization_service import organization_service
from app.services.session_service import session_service
from app.services.user_service import user_service
from app.schemas.common import (
MessageResponse,
PaginatedResponse,
@@ -178,38 +177,29 @@ async def admin_get_stats(
"""Get admin dashboard statistics with real data from database."""
from app.core.config import settings
# Check if we have any data
total_users_query = select(func.count()).select_from(User)
total_users = (await db.execute(total_users_query)).scalar() or 0
stats = await user_service.get_stats(db)
total_users = stats["total_users"]
active_count = stats["active_count"]
inactive_count = stats["inactive_count"]
all_users = stats["all_users"]
# If database is essentially empty (only admin user), return demo data
if total_users <= 1 and settings.DEMO_MODE: # pragma: no cover
logger.info("Returning demo stats data (empty database in demo mode)")
return _generate_demo_stats()
# 1. User Growth (Last 30 days) - Improved calculation
datetime.now(UTC) - timedelta(days=30)
# Get all users with their creation dates
all_users_query = select(User).order_by(User.created_at)
result = await db.execute(all_users_query)
all_users = result.scalars().all()
# Build cumulative counts per day
# 1. User Growth (Last 30 days)
user_growth = []
for i in range(29, -1, -1):
date = datetime.now(UTC) - timedelta(days=i)
date_start = date.replace(hour=0, minute=0, second=0, microsecond=0, tzinfo=UTC)
date_end = date_start + timedelta(days=1)
# Count all users created before end of this day
# Make comparison timezone-aware
total_users_on_date = sum(
1
for u in all_users
if u.created_at and u.created_at.replace(tzinfo=UTC) < date_end
)
# Count active users created before end of this day
active_users_on_date = sum(
1
for u in all_users
@@ -227,27 +217,16 @@ async def admin_get_stats(
)
# 2. Organization Distribution - Top 6 organizations by member count
org_query = (
select(Organization.name, func.count(UserOrganization.user_id).label("count"))
.join(UserOrganization, Organization.id == UserOrganization.organization_id)
.group_by(Organization.name)
.order_by(func.count(UserOrganization.user_id).desc())
.limit(6)
)
result = await db.execute(org_query)
org_dist = [
OrgDistributionData(name=row.name, value=row.count) for row in result.all()
]
org_rows = await organization_service.get_org_distribution(db, limit=6)
org_dist = [OrgDistributionData(name=r["name"], value=r["value"]) for r in org_rows]
# 3. User Registration Activity (Last 14 days) - NEW
# 3. User Registration Activity (Last 14 days)
registration_activity = []
for i in range(13, -1, -1):
date = datetime.now(UTC) - timedelta(days=i)
date_start = date.replace(hour=0, minute=0, second=0, microsecond=0, tzinfo=UTC)
date_end = date_start + timedelta(days=1)
# Count users created on this specific day
# Make comparison timezone-aware
day_registrations = sum(
1
for u in all_users
@@ -263,14 +242,6 @@ async def admin_get_stats(
)
# 4. User Status - Active vs Inactive
active_query = select(func.count()).select_from(User).where(User.is_active)
inactive_query = (
select(func.count()).select_from(User).where(User.is_active.is_(False))
)
active_count = (await db.execute(active_query)).scalar() or 0
inactive_count = (await db.execute(inactive_query)).scalar() or 0
logger.info(
f"User status counts - Active: {active_count}, Inactive: {inactive_count}"
)
@@ -321,7 +292,7 @@ async def admin_list_users(
filters["is_superuser"] = is_superuser
# Get users with search
users, total = await user_crud.get_multi_with_total(
users, total = await user_service.list_users(
db,
skip=pagination.offset,
limit=pagination.limit,
@@ -364,12 +335,12 @@ async def admin_create_user(
Allows setting is_superuser and other fields.
"""
try:
user = await user_crud.create(db, obj_in=user_in)
user = await user_service.create_user(db, user_in)
logger.info(f"Admin {admin.email} created user {user.email}")
return user
except ValueError as e:
except DuplicateEntryError as e:
logger.warning(f"Failed to create user: {e!s}")
raise NotFoundError(message=str(e), error_code=ErrorCode.USER_ALREADY_EXISTS)
raise DuplicateError(message=str(e), error_code=ErrorCode.USER_ALREADY_EXISTS)
except Exception as e:
logger.error(f"Error creating user (admin): {e!s}", exc_info=True)
raise
@@ -388,11 +359,7 @@ async def admin_get_user(
db: AsyncSession = Depends(get_db),
) -> Any:
"""Get detailed information about a specific user."""
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
user = await user_service.get_user(db, str(user_id))
return user
@@ -411,18 +378,11 @@ async def admin_update_user(
) -> Any:
"""Update user information with admin privileges."""
try:
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
updated_user = await user_crud.update(db, db_obj=user, obj_in=user_in)
user = await user_service.get_user(db, str(user_id))
updated_user = await user_service.update_user(db, user=user, obj_in=user_in)
logger.info(f"Admin {admin.email} updated user {updated_user.email}")
return updated_user
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error updating user (admin): {e!s}", exc_info=True)
raise
@@ -442,11 +402,7 @@ async def admin_delete_user(
) -> Any:
"""Soft delete a user (sets deleted_at timestamp)."""
try:
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
user = await user_service.get_user(db, str(user_id))
# Prevent deleting yourself
if user.id == admin.id:
@@ -456,15 +412,13 @@ async def admin_delete_user(
error_code=ErrorCode.OPERATION_FORBIDDEN,
)
await user_crud.soft_delete(db, id=user_id)
await user_service.soft_delete_user(db, str(user_id))
logger.info(f"Admin {admin.email} deleted user {user.email}")
return MessageResponse(
success=True, message=f"User {user.email} has been deleted"
)
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error deleting user (admin): {e!s}", exc_info=True)
raise
@@ -484,21 +438,14 @@ async def admin_activate_user(
) -> Any:
"""Activate a user account."""
try:
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
await user_crud.update(db, db_obj=user, obj_in={"is_active": True})
user = await user_service.get_user(db, str(user_id))
await user_service.update_user(db, user=user, obj_in={"is_active": True})
logger.info(f"Admin {admin.email} activated user {user.email}")
return MessageResponse(
success=True, message=f"User {user.email} has been activated"
)
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error activating user (admin): {e!s}", exc_info=True)
raise
@@ -518,11 +465,7 @@ async def admin_deactivate_user(
) -> Any:
"""Deactivate a user account."""
try:
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
user = await user_service.get_user(db, str(user_id))
# Prevent deactivating yourself
if user.id == admin.id:
@@ -532,15 +475,13 @@ async def admin_deactivate_user(
error_code=ErrorCode.OPERATION_FORBIDDEN,
)
await user_crud.update(db, db_obj=user, obj_in={"is_active": False})
await user_service.update_user(db, user=user, obj_in={"is_active": False})
logger.info(f"Admin {admin.email} deactivated user {user.email}")
return MessageResponse(
success=True, message=f"User {user.email} has been deactivated"
)
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error deactivating user (admin): {e!s}", exc_info=True)
raise
@@ -567,16 +508,16 @@ async def admin_bulk_user_action(
try:
# Use efficient bulk operations instead of loop
if bulk_action.action == BulkAction.ACTIVATE:
affected_count = await user_crud.bulk_update_status(
affected_count = await user_service.bulk_update_status(
db, user_ids=bulk_action.user_ids, is_active=True
)
elif bulk_action.action == BulkAction.DEACTIVATE:
affected_count = await user_crud.bulk_update_status(
affected_count = await user_service.bulk_update_status(
db, user_ids=bulk_action.user_ids, is_active=False
)
elif bulk_action.action == BulkAction.DELETE:
# bulk_soft_delete automatically excludes the admin user
affected_count = await user_crud.bulk_soft_delete(
affected_count = await user_service.bulk_soft_delete(
db, user_ids=bulk_action.user_ids, exclude_user_id=admin.id
)
else: # pragma: no cover
@@ -624,7 +565,7 @@ async def admin_list_organizations(
"""List all organizations with filtering and search."""
try:
# Use optimized method that gets member counts in single query (no N+1)
orgs_with_data, total = await organization_crud.get_multi_with_member_counts(
orgs_with_data, total = await organization_service.get_multi_with_member_counts(
db,
skip=pagination.offset,
limit=pagination.limit,
@@ -680,7 +621,7 @@ async def admin_create_organization(
) -> Any:
"""Create a new organization."""
try:
org = await organization_crud.create(db, obj_in=org_in)
org = await organization_service.create_organization(db, obj_in=org_in)
logger.info(f"Admin {admin.email} created organization {org.name}")
# Add member count
@@ -697,9 +638,9 @@ async def admin_create_organization(
}
return OrganizationResponse(**org_dict)
except ValueError as e:
except DuplicateEntryError as e:
logger.warning(f"Failed to create organization: {e!s}")
raise NotFoundError(message=str(e), error_code=ErrorCode.ALREADY_EXISTS)
raise DuplicateError(message=str(e), error_code=ErrorCode.ALREADY_EXISTS)
except Exception as e:
logger.error(f"Error creating organization (admin): {e!s}", exc_info=True)
raise
@@ -718,12 +659,7 @@ async def admin_get_organization(
db: AsyncSession = Depends(get_db),
) -> Any:
"""Get detailed information about a specific organization."""
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found", error_code=ErrorCode.NOT_FOUND
)
org = await organization_service.get_organization(db, str(org_id))
org_dict = {
"id": org.id,
"name": org.name,
@@ -733,7 +669,7 @@ async def admin_get_organization(
"settings": org.settings,
"created_at": org.created_at,
"updated_at": org.updated_at,
"member_count": await organization_crud.get_member_count(
"member_count": await organization_service.get_member_count(
db, organization_id=org.id
),
}
@@ -755,14 +691,10 @@ async def admin_update_organization(
) -> Any:
"""Update organization information."""
try:
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
updated_org = await organization_crud.update(db, db_obj=org, obj_in=org_in)
org = await organization_service.get_organization(db, str(org_id))
updated_org = await organization_service.update_organization(
db, org=org, obj_in=org_in
)
logger.info(f"Admin {admin.email} updated organization {updated_org.name}")
org_dict = {
@@ -774,14 +706,12 @@ async def admin_update_organization(
"settings": updated_org.settings,
"created_at": updated_org.created_at,
"updated_at": updated_org.updated_at,
"member_count": await organization_crud.get_member_count(
"member_count": await organization_service.get_member_count(
db, organization_id=updated_org.id
),
}
return OrganizationResponse(**org_dict)
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error updating organization (admin): {e!s}", exc_info=True)
raise
@@ -801,22 +731,14 @@ async def admin_delete_organization(
) -> Any:
"""Delete an organization and all its relationships."""
try:
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
await organization_crud.remove(db, id=org_id)
org = await organization_service.get_organization(db, str(org_id))
await organization_service.remove_organization(db, str(org_id))
logger.info(f"Admin {admin.email} deleted organization {org.name}")
return MessageResponse(
success=True, message=f"Organization {org.name} has been deleted"
)
except NotFoundError:
raise
except Exception as e:
logger.error(f"Error deleting organization (admin): {e!s}", exc_info=True)
raise
@@ -838,14 +760,8 @@ async def admin_list_organization_members(
) -> Any:
"""List all members of an organization."""
try:
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
members, total = await organization_crud.get_organization_members(
await organization_service.get_organization(db, str(org_id)) # validates exists
members, total = await organization_service.get_organization_members(
db,
organization_id=org_id,
skip=pagination.offset,
@@ -898,21 +814,10 @@ async def admin_add_organization_member(
) -> Any:
"""Add a user to an organization."""
try:
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
org = await organization_service.get_organization(db, str(org_id))
user = await user_service.get_user(db, str(request.user_id))
user = await user_crud.get(db, id=request.user_id)
if not user:
raise NotFoundError(
message=f"User {request.user_id} not found",
error_code=ErrorCode.USER_NOT_FOUND,
)
await organization_crud.add_user(
await organization_service.add_member(
db, organization_id=org_id, user_id=request.user_id, role=request.role
)
@@ -925,14 +830,11 @@ async def admin_add_organization_member(
success=True, message=f"User {user.email} added to organization {org.name}"
)
except ValueError as e:
except DuplicateEntryError as e:
logger.warning(f"Failed to add user to organization: {e!s}")
# Use DuplicateError for "already exists" scenarios
raise DuplicateError(
message=str(e), error_code=ErrorCode.USER_ALREADY_EXISTS, field="user_id"
)
except NotFoundError:
raise
except Exception as e:
logger.error(
f"Error adding member to organization (admin): {e!s}", exc_info=True
@@ -955,20 +857,10 @@ async def admin_remove_organization_member(
) -> Any:
"""Remove a user from an organization."""
try:
org = await organization_crud.get(db, id=org_id)
if not org:
raise NotFoundError(
message=f"Organization {org_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
org = await organization_service.get_organization(db, str(org_id))
user = await user_service.get_user(db, str(user_id))
user = await user_crud.get(db, id=user_id)
if not user:
raise NotFoundError(
message=f"User {user_id} not found", error_code=ErrorCode.USER_NOT_FOUND
)
success = await organization_crud.remove_user(
success = await organization_service.remove_member(
db, organization_id=org_id, user_id=user_id
)
@@ -1022,7 +914,7 @@ async def admin_list_sessions(
"""List all sessions across all users with filtering and pagination."""
try:
# Get sessions with user info (eager loaded to prevent N+1)
sessions, total = await session_crud.get_all_sessions(
sessions, total = await session_service.get_all_sessions(
db,
skip=pagination.offset,
limit=pagination.limit,

58
backend/app/api/routes/auth.py
View File

@@ -15,16 +15,14 @@ from app.core.auth import (
TokenExpiredError,
TokenInvalidError,
decode_token,
get_password_hash,
)
from app.core.database import get_db
from app.core.exceptions import (
AuthenticationError as AuthError,
DatabaseError,
DuplicateError,
ErrorCode,
)
from app.crud.session import session as session_crud
from app.crud.user import user as user_crud
from app.models.user import User
from app.schemas.common import MessageResponse
from app.schemas.sessions import LogoutRequest, SessionCreate
@@ -39,6 +37,8 @@ from app.schemas.users import (
)
from app.services.auth_service import AuthenticationError, AuthService
from app.services.email_service import email_service
from app.services.session_service import session_service
from app.services.user_service import user_service
from app.utils.device import extract_device_info
from app.utils.security import create_password_reset_token, verify_password_reset_token
@@ -91,7 +91,7 @@ async def _create_login_session(
location_country=device_info.location_country,
)
await session_crud.create_session(db, obj_in=session_data)
await session_service.create_session(db, obj_in=session_data)
logger.info(
f"{login_type.capitalize()} successful: {user.email} from {device_info.device_name} "
@@ -123,8 +123,14 @@ async def register_user(
try:
user = await AuthService.create_user(db, user_data)
return user
except AuthenticationError as e:
except DuplicateError:
# SECURITY: Don't reveal if email exists - generic error message
logger.warning(f"Registration failed: duplicate email {user_data.email}")
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Registration failed. Please check your information and try again.",
)
except AuthError as e:
logger.warning(f"Registration failed: {e!s}")
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
@@ -259,7 +265,7 @@ async def refresh_token(
)
# Check if session exists and is active
session = await session_crud.get_active_by_jti(db, jti=refresh_payload.jti)
session = await session_service.get_active_by_jti(db, jti=refresh_payload.jti)
if not session:
logger.warning(
@@ -279,7 +285,7 @@ async def refresh_token(
# Update session with new refresh token JTI and expiration
try:
await session_crud.update_refresh_token(
await session_service.update_refresh_token(
db,
session=session,
new_jti=new_refresh_payload.jti,
@@ -347,7 +353,7 @@ async def request_password_reset(
"""
try:
# Look up user by email
user = await user_crud.get_by_email(db, email=reset_request.email)
user = await user_service.get_by_email(db, email=reset_request.email)
# Only send email if user exists and is active
if user and user.is_active:
@@ -412,31 +418,25 @@ async def confirm_password_reset(
detail="Invalid or expired password reset token",
)
# Look up user
user = await user_crud.get_by_email(db, email=email)
if not user:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
# Reset password via service (validates user exists and is active)
try:
user = await AuthService.reset_password(
db, email=email, new_password=reset_confirm.new_password
)
if not user.is_active:
except AuthenticationError as e:
err_msg = str(e)
if "inactive" in err_msg.lower():
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST, detail=err_msg
)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="User account is inactive",
status_code=status.HTTP_404_NOT_FOUND, detail=err_msg
)
# Update password
user.password_hash = get_password_hash(reset_confirm.new_password)
db.add(user)
await db.commit()
# SECURITY: Invalidate all existing sessions after password reset
# This prevents stolen sessions from being used after password change
from app.crud.session import session as session_crud
try:
deactivated_count = await session_crud.deactivate_all_user_sessions(
deactivated_count = await session_service.deactivate_all_user_sessions(
db, user_id=str(user.id)
)
logger.info(
@@ -511,7 +511,7 @@ async def logout(
return MessageResponse(success=True, message="Logged out successfully")
# Find the session by JTI
session = await session_crud.get_by_jti(db, jti=refresh_payload.jti)
session = await session_service.get_by_jti(db, jti=refresh_payload.jti)
if session:
# Verify session belongs to current user (security check)
@@ -526,7 +526,7 @@ async def logout(
)
# Deactivate the session
await session_crud.deactivate(db, session_id=str(session.id))
await session_service.deactivate(db, session_id=str(session.id))
logger.info(
f"User {current_user.id} logged out from {session.device_name} "
@@ -584,7 +584,7 @@ async def logout_all(
"""
try:
# Deactivate all sessions for this user
count = await session_crud.deactivate_all_user_sessions(
count = await session_service.deactivate_all_user_sessions(
db, user_id=str(current_user.id)
)

9
backend/app/api/routes/oauth.py
View File

@@ -25,8 +25,7 @@ from app.core.auth import decode_token
from app.core.config import settings
from app.core.database import get_db
from app.core.exceptions import AuthenticationError as AuthError
from app.crud import oauth_account
from app.crud.session import session as session_crud
from app.services.session_service import session_service
from app.models.user import User
from app.schemas.oauth import (
OAuthAccountsListResponse,
@@ -82,7 +81,7 @@ async def _create_oauth_login_session(
location_country=device_info.location_country,
)
await session_crud.create_session(db, obj_in=session_data)
await session_service.create_session(db, obj_in=session_data)
logger.info(
f"OAuth login successful: {user.email} via {provider} "
@@ -289,7 +288,7 @@ async def list_accounts(
Returns:
List of linked OAuth accounts
"""
accounts = await oauth_account.get_user_accounts(db, user_id=current_user.id)
accounts = await OAuthService.get_user_accounts(db, user_id=current_user.id)
return OAuthAccountsListResponse(accounts=accounts)
@@ -397,7 +396,7 @@ async def start_link(
)
# Check if user already has this provider linked
existing = await oauth_account.get_user_account_by_provider(
existing = await OAuthService.get_user_account_by_provider(
db, user_id=current_user.id, provider=provider
)
if existing:

32
backend/app/api/routes/oauth_provider.py
View File

@@ -34,7 +34,6 @@ from app.api.dependencies.auth import (
)
from app.core.config import settings
from app.core.database import get_db
from app.crud import oauth_client as oauth_client_crud
from app.models.user import User
from app.schemas.oauth import (
OAuthClientCreate,
@@ -712,7 +711,7 @@ async def register_client(
client_type=client_type,
)
client, secret = await oauth_client_crud.create_client(db, obj_in=client_data)
client, secret = await provider_service.register_client(db, client_data)
# Update MCP server URL if provided
if mcp_server_url:
@@ -750,7 +749,7 @@ async def list_clients(
current_user: User = Depends(get_current_superuser),
) -> list[OAuthClientResponse]:
"""List all OAuth clients."""
clients = await oauth_client_crud.get_all_clients(db)
clients = await provider_service.list_clients(db)
return [OAuthClientResponse.model_validate(c) for c in clients]
@@ -776,7 +775,7 @@ async def delete_client(
detail="Client not found",
)
await oauth_client_crud.delete_client(db, client_id=client_id)
await provider_service.delete_client_by_id(db, client_id=client_id)
# ============================================================================
@@ -797,30 +796,7 @@ async def list_my_consents(
current_user: User = Depends(get_current_active_user),
) -> list[dict]:
"""List applications the user has authorized."""
from sqlalchemy import select
from app.models.oauth_client import OAuthClient
from app.models.oauth_provider_token import OAuthConsent
result = await db.execute(
select(OAuthConsent, OAuthClient)
.join(OAuthClient, OAuthConsent.client_id == OAuthClient.client_id)
.where(OAuthConsent.user_id == current_user.id)
)
rows = result.all()
return [
{
"client_id": consent.client_id,
"client_name": client.client_name,
"client_description": client.client_description,
"granted_scopes": consent.granted_scopes.split()
if consent.granted_scopes
else [],
"granted_at": consent.created_at.isoformat(),
}
for consent, client in rows
]
return await provider_service.list_user_consents(db, user_id=current_user.id)
@router.delete(

35
backend/app/api/routes/organizations.py
View File

@@ -15,9 +15,8 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.api.dependencies.auth import get_current_user
from app.api.dependencies.permissions import require_org_admin, require_org_membership
from app.core.database import get_db
from app.core.exceptions import ErrorCode, NotFoundError
from app.crud.organization import organization as organization_crud
from app.models.user import User
from app.services.organization_service import organization_service
from app.schemas.common import (
PaginatedResponse,
PaginationParams,
@@ -54,7 +53,7 @@ async def get_my_organizations(
"""
try:
# Get all org data in single query with JOIN and subquery
orgs_data = await organization_crud.get_user_organizations_with_details(
orgs_data = await organization_service.get_user_organizations_with_details(
db, user_id=current_user.id, is_active=is_active
)
@@ -100,13 +99,7 @@ async def get_organization(
User must be a member of the organization.
"""
try:
org = await organization_crud.get(db, id=organization_id)
if not org: # pragma: no cover - Permission check prevents this (see docs/UNREACHABLE_DEFENSIVE_CODE_ANALYSIS.md)
raise NotFoundError(
detail=f"Organization {organization_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
org = await organization_service.get_organization(db, str(organization_id))
org_dict = {
"id": org.id,
"name": org.name,
@@ -116,14 +109,12 @@ async def get_organization(
"settings": org.settings,
"created_at": org.created_at,
"updated_at": org.updated_at,
"member_count": await organization_crud.get_member_count(
"member_count": await organization_service.get_member_count(
db, organization_id=org.id
),
}
return OrganizationResponse(**org_dict)
except NotFoundError: # pragma: no cover - See above
raise
except Exception as e:
logger.error(f"Error getting organization: {e!s}", exc_info=True)
raise
@@ -149,7 +140,7 @@ async def get_organization_members(
User must be a member of the organization to view members.
"""
try:
members, total = await organization_crud.get_organization_members(
members, total = await organization_service.get_organization_members(
db,
organization_id=organization_id,
skip=pagination.offset,
@@ -192,14 +183,10 @@ async def update_organization(
Requires owner or admin role in the organization.
"""
try:
org = await organization_crud.get(db, id=organization_id)
if not org: # pragma: no cover - Permission check prevents this (see docs/UNREACHABLE_DEFENSIVE_CODE_ANALYSIS.md)
raise NotFoundError(
detail=f"Organization {organization_id} not found",
error_code=ErrorCode.NOT_FOUND,
)
updated_org = await organization_crud.update(db, db_obj=org, obj_in=org_in)
org = await organization_service.get_organization(db, str(organization_id))
updated_org = await organization_service.update_organization(
db, org=org, obj_in=org_in
)
logger.info(
f"User {current_user.email} updated organization {updated_org.name}"
)
@@ -213,14 +200,12 @@ async def update_organization(
"settings": updated_org.settings,
"created_at": updated_org.created_at,
"updated_at": updated_org.updated_at,
"member_count": await organization_crud.get_member_count(
"member_count": await organization_service.get_member_count(
db, organization_id=updated_org.id
),
}
return OrganizationResponse(**org_dict)
except NotFoundError: # pragma: no cover - See above
raise
except Exception as e:
logger.error(f"Error updating organization: {e!s}", exc_info=True)
raise

10
backend/app/api/routes/sessions.py
View File

@@ -17,8 +17,8 @@ from app.api.dependencies.auth import get_current_user
from app.core.auth import decode_token
from app.core.database import get_db
from app.core.exceptions import AuthorizationError, ErrorCode, NotFoundError
from app.crud.session import session as session_crud
from app.models.user import User
from app.services.session_service import session_service
from app.schemas.common import MessageResponse
from app.schemas.sessions import SessionListResponse, SessionResponse
@@ -60,7 +60,7 @@ async def list_my_sessions(
"""
try:
# Get all active sessions for user
sessions = await session_crud.get_user_sessions(
sessions = await session_service.get_user_sessions(
db, user_id=str(current_user.id), active_only=True
)
@@ -150,7 +150,7 @@ async def revoke_session(
"""
try:
# Get the session
session = await session_crud.get(db, id=str(session_id))
session = await session_service.get_session(db, str(session_id))
if not session:
raise NotFoundError(
@@ -170,7 +170,7 @@ async def revoke_session(
)
# Deactivate the session
await session_crud.deactivate(db, session_id=str(session_id))
await session_service.deactivate(db, session_id=str(session_id))
logger.info(
f"User {current_user.id} revoked session {session_id} "
@@ -224,7 +224,7 @@ async def cleanup_expired_sessions(
"""
try:
# Use optimized bulk DELETE instead of N individual deletes
deleted_count = await session_crud.cleanup_expired_for_user(
deleted_count = await session_service.cleanup_expired_for_user(
db, user_id=str(current_user.id)
)

38
backend/app/api/routes/users.py
View File

@@ -14,7 +14,6 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.api.dependencies.auth import get_current_superuser, get_current_user
from app.core.database import get_db
from app.core.exceptions import AuthorizationError, ErrorCode, NotFoundError
from app.crud.user import user as user_crud
from app.models.user import User
from app.schemas.common import (
MessageResponse,
@@ -25,6 +24,7 @@ from app.schemas.common import (
)
from app.schemas.users import PasswordChange, UserResponse, UserUpdate
from app.services.auth_service import AuthenticationError, AuthService
from app.services.user_service import user_service
logger = logging.getLogger(__name__)
@@ -71,7 +71,7 @@ async def list_users(
filters["is_superuser"] = is_superuser
# Get paginated users with total count
users, total = await user_crud.get_multi_with_total(
users, total = await user_service.list_users(
db,
skip=pagination.offset,
limit=pagination.limit,
@@ -107,7 +107,7 @@ async def list_users(
""",
operation_id="get_current_user_profile",
)
def get_current_user_profile(current_user: User = Depends(get_current_user)) -> Any:
async def get_current_user_profile(current_user: User = Depends(get_current_user)) -> Any:
"""Get current user's profile."""
return current_user
@@ -138,8 +138,8 @@ async def update_current_user(
Users cannot elevate their own permissions (protected by UserUpdate schema validator).
"""
try:
updated_user = await user_crud.update(
db, db_obj=current_user, obj_in=user_update
updated_user = await user_service.update_user(
db, user=current_user, obj_in=user_update
)
logger.info(f"User {current_user.id} updated their profile")
return updated_user
@@ -190,13 +190,7 @@ async def get_user_by_id(
)
# Get user
user = await user_crud.get(db, id=str(user_id))
if not user:
raise NotFoundError(
message=f"User with id {user_id} not found",
error_code=ErrorCode.USER_NOT_FOUND,
)
user = await user_service.get_user(db, str(user_id))
return user
@@ -241,15 +235,10 @@ async def update_user(
)
# Get user
user = await user_crud.get(db, id=str(user_id))
if not user:
raise NotFoundError(
message=f"User with id {user_id} not found",
error_code=ErrorCode.USER_NOT_FOUND,
)
user = await user_service.get_user(db, str(user_id))
try:
updated_user = await user_crud.update(db, db_obj=user, obj_in=user_update)
updated_user = await user_service.update_user(db, user=user, obj_in=user_update)
logger.info(f"User {user_id} updated by {current_user.id}")
return updated_user
except ValueError as e:
@@ -346,17 +335,12 @@ async def delete_user(
error_code=ErrorCode.INSUFFICIENT_PERMISSIONS,
)
# Get user
user = await user_crud.get(db, id=str(user_id))
if not user:
raise NotFoundError(
message=f"User with id {user_id} not found",
error_code=ErrorCode.USER_NOT_FOUND,
)
# Get user (raises NotFoundError if not found)
await user_service.get_user(db, str(user_id))
try:
# Use soft delete instead of hard delete
await user_crud.soft_delete(db, id=str(user_id))
await user_service.soft_delete_user(db, str(user_id))
logger.info(f"User {user_id} soft-deleted by {current_user.id}")
return MessageResponse(
success=True, message=f"User {user_id} deleted successfully"