backend/app/api/deps.py

from __future__ import annotations

from dataclasses import dataclass

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from sqlalchemy import select
from sqlalchemy.orm import Session, selectinload

from app.core.security import verify_token
from app.db.session import get_db
from app.models.client_access import ClientFeatureAccess, ClientUser
from app.services.client_access_service import has_access_level, module_access_map

bearer_scheme = HTTPBearer(auto_error=False)


@dataclass(frozen=True)
class AuthSession:
    role: str
    email: str
    name: str
    tenant_id: str | None = None
    client_role: str | None = None
    user_id: int | None = None
    client_account_id: int | None = None
    module_permissions: dict[str, str] | None = None


def get_auth_session(credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme)) -> AuthSession:
    if credentials is None:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication required")

    payload = verify_token(credentials.credentials)
    return AuthSession(
        role=str(payload.get("role", "")),
        email=str(payload.get("email", "")),
        name=str(payload.get("name", "")),
        tenant_id=payload.get("tenant_id"),
        client_role=payload.get("client_role"),
        user_id=payload.get("user_id"),
        client_account_id=payload.get("client_account_id"),
        module_permissions={},
    )


def require_client_session(session: AuthSession = Depends(get_auth_session)) -> AuthSession:
    if session.role != "client":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access required")
    if not session.tenant_id:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client tenant is missing")
    if not session.user_id or not session.client_account_id:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user context is missing")
    return session


def require_admin_session(session: AuthSession = Depends(get_auth_session)) -> AuthSession:
    if session.role != "admin":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required")
    return session


def load_current_client_user(db: Session, session: AuthSession) -> ClientUser:
    user = db.scalar(
        select(ClientUser)
        .where(
            ClientUser.id == session.user_id,
            ClientUser.client_account_id == session.client_account_id,
            ClientUser.tenant_id == session.tenant_id,
        )
        .options(selectinload(ClientUser.module_permissions))
    )
    if user is None:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user access is no longer valid")
    if user.status == "suspended":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user access is suspended")
    return user


def require_client_module_access(module_key: str, minimum_level: str = "view"):
    def dependency(
        session: AuthSession = Depends(require_client_session),
        db: Session = Depends(get_db),
    ) -> AuthSession:
        user = load_current_client_user(db, session)
        feature = db.scalar(
            select(ClientFeatureAccess).where(
                ClientFeatureAccess.client_account_id == user.client_account_id,
                ClientFeatureAccess.tenant_id == user.tenant_id,
                ClientFeatureAccess.feature_key == module_key,
            )
        )
        if feature is not None and not feature.enabled:
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} is disabled for this client")

        permissions = module_access_map(user)
        if not has_access_level(permissions.get(module_key), minimum_level):
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} access is not permitted")

        return AuthSession(
            role=session.role,
            email=session.email,
            name=session.name,
            tenant_id=session.tenant_id,
            client_role=user.role,
            user_id=user.id,
            client_account_id=user.client_account_id,
            module_permissions=permissions,
        )

    return dependency


def require_client_access_manager_session(
    session: AuthSession = Depends(get_auth_session),
    db: Session = Depends(get_db),
) -> AuthSession:
    if session.role == "admin":
        return session
    if session.role != "client":
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access management requires admin or superadmin access")

    user = load_current_client_user(db, require_client_session(session))
    permissions = module_access_map(user)
    if user.role != "superadmin" or not has_access_level(permissions.get("client_access"), "manage"):
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Superadmin client access is required")

    return AuthSession(
        role=session.role,
        email=session.email,
        name=session.name,
        tenant_id=session.tenant_id,
        client_role=user.role,
        user_id=user.id,
        client_account_id=user.client_account_id,
        module_permissions=permissions,
    )
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`from __future__ import annotations`

			`from dataclasses import dataclass`

			`from fastapi import Depends, HTTPException, status`
			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`from sqlalchemy import select`
			`from sqlalchemy.orm import Session, selectinload`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00
			`from app.core.security import verify_token`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`from app.db.session import get_db`
			`from app.models.client_access import ClientFeatureAccess, ClientUser`
			`from app.services.client_access_service import has_access_level, module_access_map`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00
			`bearer_scheme = HTTPBearer(auto_error=False)`


			`@dataclass(frozen=True)`
			`class AuthSession:`
			`role: str`
			`email: str`
			`name: str`
			`tenant_id: str \| None = None`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`client_role: str \| None = None`
			`user_id: int \| None = None`
			`client_account_id: int \| None = None`
			`module_permissions: dict[str, str] \| None = None`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00

			`def get_auth_session(credentials: HTTPAuthorizationCredentials \| None = Depends(bearer_scheme)) -> AuthSession:`
			`if credentials is None:`
			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication required")`

			`payload = verify_token(credentials.credentials)`
			`return AuthSession(`
			`role=str(payload.get("role", "")),`
			`email=str(payload.get("email", "")),`
			`name=str(payload.get("name", "")),`
			`tenant_id=payload.get("tenant_id"),`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`client_role=payload.get("client_role"),`
			`user_id=payload.get("user_id"),`
			`client_account_id=payload.get("client_account_id"),`
			`module_permissions={},`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`)`


			`def require_client_session(session: AuthSession = Depends(get_auth_session)) -> AuthSession:`
			`if session.role != "client":`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access required")`
			`if not session.tenant_id:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client tenant is missing")`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`if not session.user_id or not session.client_account_id:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user context is missing")`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`return session`


			`def require_admin_session(session: AuthSession = Depends(get_auth_session)) -> AuthSession:`
			`if session.role != "admin":`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required")`
			`return session`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00

			`def load_current_client_user(db: Session, session: AuthSession) -> ClientUser:`
			`user = db.scalar(`
			`select(ClientUser)`
			`.where(`
			`ClientUser.id == session.user_id,`
			`ClientUser.client_account_id == session.client_account_id,`
			`ClientUser.tenant_id == session.tenant_id,`
			`)`
			`.options(selectinload(ClientUser.module_permissions))`
			`)`
			`if user is None:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user access is no longer valid")`
			`if user.status == "suspended":`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client user access is suspended")`
			`return user`


			`def require_client_module_access(module_key: str, minimum_level: str = "view"):`
			`def dependency(`
			`session: AuthSession = Depends(require_client_session),`
			`db: Session = Depends(get_db),`
			`) -> AuthSession:`
			`user = load_current_client_user(db, session)`
			`feature = db.scalar(`
			`select(ClientFeatureAccess).where(`
			`ClientFeatureAccess.client_account_id == user.client_account_id,`
			`ClientFeatureAccess.tenant_id == user.tenant_id,`
			`ClientFeatureAccess.feature_key == module_key,`
			`)`
			`)`
			`if feature is not None and not feature.enabled:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} is disabled for this client")`

			`permissions = module_access_map(user)`
			`if not has_access_level(permissions.get(module_key), minimum_level):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} access is not permitted")`

			`return AuthSession(`
			`role=session.role,`
			`email=session.email,`
			`name=session.name,`
			`tenant_id=session.tenant_id,`
			`client_role=user.role,`
			`user_id=user.id,`
			`client_account_id=user.client_account_id,`
			`module_permissions=permissions,`
			`)`

			`return dependency`


			`def require_client_access_manager_session(`
			`session: AuthSession = Depends(get_auth_session),`
			`db: Session = Depends(get_db),`
			`) -> AuthSession:`
			`if session.role == "admin":`
			`return session`
			`if session.role != "client":`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Client access management requires admin or superadmin access")`

			`user = load_current_client_user(db, require_client_session(session))`
			`permissions = module_access_map(user)`
			`if user.role != "superadmin" or not has_access_level(permissions.get("client_access"), "manage"):`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Superadmin client access is required")`

			`return AuthSession(`
			`role=session.role,`
			`email=session.email,`
			`name=session.name,`
			`tenant_id=session.tenant_id,`
			`client_role=user.role,`
			`user_id=user.id,`
			`client_account_id=user.client_account_id,`
			`module_permissions=permissions,`
			`)`