backend/app/api/auth.py

from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
from pydantic import BaseModel, Field
from sqlalchemy import select
from sqlalchemy.orm import Session

from app.api.deps import AuthSession, require_admin_session, require_client_session
from app.core.config import settings
from app.core.http import ADMIN_AUTH_COOKIE, CLIENT_AUTH_COOKIE
from app.core.rate_limit import SlidingWindowRateLimiter, request_client_key
from app.core.security_logging import log_security_event
from app.core.security import issue_token
from app.db.session import get_db
from app.models.client_access import ClientAccount
from app.services.client_access_service import get_client_user_by_email, module_access_map

router = APIRouter(prefix="/api/auth", tags=["auth"])
login_rate_limiter = SlidingWindowRateLimiter(
    limit=settings.login_rate_limit_attempts,
    window_seconds=settings.login_rate_limit_window_seconds,
)


class LoginRequest(BaseModel):
    email: str
    password: str


class SessionResponse(BaseModel):
    name: str
    email: str
    role: str
    tenant_id: str | None = None
    client_role: str | None = None
    user_id: int | None = None
    client_account_id: int | None = None
    module_permissions: dict[str, str] = Field(default_factory=dict)
    token: str | None = None


def _build_session_response(
    *,
    name: str,
    email: str,
    role: str,
    tenant_id: str | None = None,
    client_role: str | None = None,
    user_id: int | None = None,
    client_account_id: int | None = None,
    module_permissions: dict[str, str] | None = None,
) -> SessionResponse:
    token = issue_token(
        {
            "name": name,
            "email": email,
            "role": role,
            "tenant_id": tenant_id,
            "client_role": client_role,
            "user_id": user_id,
            "client_account_id": client_account_id,
        },
        ttl_seconds=settings.session_ttl_seconds,
    )
    return SessionResponse(
        name=name,
        email=email,
        role=role,
        tenant_id=tenant_id,
        client_role=client_role,
        user_id=user_id,
        client_account_id=client_account_id,
        module_permissions=module_permissions or {},
        token=token,
    )


@router.post("/client/login", response_model=SessionResponse)
def client_login(payload: LoginRequest, response: Response, request: Request, db: Session = Depends(get_db)):
    login_rate_limiter.hit(request_client_key(request, suffix="client-login"))
    if payload.password != settings.client_password:
        log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")

    user = get_client_user_by_email(db, email=payload.email.strip().lower())
    if user is None:
        log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")

    client_account = db.scalar(select(ClientAccount).where(ClientAccount.id == user.client_account_id))
    if client_account is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client account is not configured for this user")

    session_response = _build_session_response(
        name=user.full_name,
        email=user.email,
        role="client",
        tenant_id=client_account.tenant_id,
        client_role=user.role,
        user_id=user.id,
        client_account_id=client_account.id,
        module_permissions=module_access_map(user),
    )
    if session_response.token:
        CLIENT_AUTH_COOKIE.apply(response, session_response.token)
    log_security_event("auth.login_succeeded", audience="client", role="client", user_id=user.id, tenant_id=client_account.tenant_id)
    return session_response.model_copy(update={"token": None})


@router.post("/admin/login", response_model=SessionResponse)
def admin_login(payload: LoginRequest, response: Response, request: Request):
    login_rate_limiter.hit(request_client_key(request, suffix="admin-login"))
    if payload.email.strip().lower() != settings.admin_email.lower() or payload.password != settings.admin_password:
        log_security_event("auth.login_failed", audience="admin", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid admin email or password")

    session_response = _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")
    if session_response.token:
        ADMIN_AUTH_COOKIE.apply(response, session_response.token)
    log_security_event("auth.login_succeeded", audience="admin", role="admin")
    return session_response.model_copy(update={"token": None})


@router.get("/client/session", response_model=SessionResponse)
def read_client_session(session: AuthSession = Depends(require_client_session), db: Session = Depends(get_db)):
    user = get_client_user_by_email(db, email=session.email, tenant_id=session.tenant_id)
    if user is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client user session is no longer available")
    return _build_session_response(
        name=user.full_name,
        email=user.email,
        role=session.role,
        tenant_id=session.tenant_id,
        client_role=user.role,
        user_id=user.id,
        client_account_id=user.client_account_id,
        module_permissions=module_access_map(user),
    ).model_copy(update={"token": None})


@router.get("/admin/session", response_model=SessionResponse)
def read_admin_session(session: AuthSession = Depends(require_admin_session)):
    return _build_session_response(name=session.name, email=session.email, role=session.role).model_copy(update={"token": None})


@router.post("/client/logout", status_code=status.HTTP_204_NO_CONTENT)
def client_logout(response: Response):
    CLIENT_AUTH_COOKIE.clear(response)
    response.status_code = status.HTTP_204_NO_CONTENT
    return None


@router.post("/admin/logout", status_code=status.HTTP_204_NO_CONTENT)
def admin_logout(response: Response):
    ADMIN_AUTH_COOKIE.clear(response)
    response.status_code = status.HTTP_204_NO_CONTENT
    return None
Updates 2026-05-10 09:46:07 +12:00			`from fastapi import APIRouter, Depends, HTTPException, Request, Response, status`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`from pydantic import BaseModel, Field`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`from sqlalchemy import select`
			`from sqlalchemy.orm import Session`
v1.2 scaffold 2026-04-25 20:43:37 +12:00
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`from app.api.deps import AuthSession, require_admin_session, require_client_session`
v1.2 scaffold 2026-04-25 20:43:37 +12:00			`from app.core.config import settings`
Updates 2026-05-10 09:46:07 +12:00			`from app.core.http import ADMIN_AUTH_COOKIE, CLIENT_AUTH_COOKIE`
			`from app.core.rate_limit import SlidingWindowRateLimiter, request_client_key`
			`from app.core.security_logging import log_security_event`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`from app.core.security import issue_token`
			`from app.db.session import get_db`
			`from app.models.client_access import ClientAccount`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`from app.services.client_access_service import get_client_user_by_email, module_access_map`
v1.2 scaffold 2026-04-25 20:43:37 +12:00
			`router = APIRouter(prefix="/api/auth", tags=["auth"])`
Updates 2026-05-10 09:46:07 +12:00			`login_rate_limiter = SlidingWindowRateLimiter(`
			`limit=settings.login_rate_limit_attempts,`
			`window_seconds=settings.login_rate_limit_window_seconds,`
			`)`
v1.2 scaffold 2026-04-25 20:43:37 +12:00

			`class LoginRequest(BaseModel):`
			`email: str`
			`password: str`


v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`class SessionResponse(BaseModel):`
v1.2 scaffold 2026-04-25 20:43:37 +12:00			`name: str`
			`email: str`
			`role: str`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`tenant_id: str \| None = None`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`client_role: str \| None = None`
			`user_id: int \| None = None`
			`client_account_id: int \| None = None`
			`module_permissions: dict[str, str] = Field(default_factory=dict)`
Updates 2026-05-10 09:46:07 +12:00			`token: str \| None = None`
v1.2 scaffold 2026-04-25 20:43:37 +12:00

Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`def _build_session_response(`
			`*,`
			`name: str,`
			`email: str,`
			`role: str,`
			`tenant_id: str \| None = None,`
			`client_role: str \| None = None,`
			`user_id: int \| None = None,`
			`client_account_id: int \| None = None,`
			`module_permissions: dict[str, str] \| None = None,`
			`) -> SessionResponse:`
			`token = issue_token(`
			`{`
			`"name": name,`
			`"email": email,`
			`"role": role,`
			`"tenant_id": tenant_id,`
			`"client_role": client_role,`
			`"user_id": user_id,`
			`"client_account_id": client_account_id,`
Updates 2026-05-10 09:46:07 +12:00			`},`
			`ttl_seconds=settings.session_ttl_seconds,`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`)`
			`return SessionResponse(`
			`name=name,`
			`email=email,`
			`role=role,`
			`tenant_id=tenant_id,`
			`client_role=client_role,`
			`user_id=user_id,`
			`client_account_id=client_account_id,`
			`module_permissions=module_permissions or {},`
			`token=token,`
			`)`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00

			`@router.post("/client/login", response_model=SessionResponse)`
Updates 2026-05-10 09:46:07 +12:00			`def client_login(payload: LoginRequest, response: Response, request: Request, db: Session = Depends(get_db)):`
			`login_rate_limiter.hit(request_client_key(request, suffix="client-login"))`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`if payload.password != settings.client_password:`
Updates 2026-05-10 09:46:07 +12:00			`log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")`

			`user = get_client_user_by_email(db, email=payload.email.strip().lower())`
			`if user is None:`
Updates 2026-05-10 09:46:07 +12:00			`log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")`

Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`client_account = db.scalar(select(ClientAccount).where(ClientAccount.id == user.client_account_id))`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`if client_account is None:`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client account is not configured for this user")`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00
Updates 2026-05-10 09:46:07 +12:00			`session_response = _build_session_response(`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`name=user.full_name,`
			`email=user.email,`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`role="client",`
			`tenant_id=client_account.tenant_id,`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`client_role=user.role,`
			`user_id=user.id,`
			`client_account_id=client_account.id,`
			`module_permissions=module_access_map(user),`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`)`
Updates 2026-05-10 09:46:07 +12:00			`if session_response.token:`
			`CLIENT_AUTH_COOKIE.apply(response, session_response.token)`
			`log_security_event("auth.login_succeeded", audience="client", role="client", user_id=user.id, tenant_id=client_account.tenant_id)`
			`return session_response.model_copy(update={"token": None})`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00

			`@router.post("/admin/login", response_model=SessionResponse)`
Updates 2026-05-10 09:46:07 +12:00			`def admin_login(payload: LoginRequest, response: Response, request: Request):`
			`login_rate_limiter.hit(request_client_key(request, suffix="admin-login"))`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`if payload.email.strip().lower() != settings.admin_email.lower() or payload.password != settings.admin_password:`
Updates 2026-05-10 09:46:07 +12:00			`log_security_event("auth.login_failed", audience="admin", ip=request_client_key(request))`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid admin email or password")`

Updates 2026-05-10 09:46:07 +12:00			`session_response = _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")`
			`if session_response.token:`
			`ADMIN_AUTH_COOKIE.apply(response, session_response.token)`
			`log_security_event("auth.login_succeeded", audience="admin", role="admin")`
			`return session_response.model_copy(update={"token": None})`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00

			`@router.get("/client/session", response_model=SessionResponse)`
Move working documents to its own area, rename dashboard 2026-04-29 01:21:16 +12:00			`def read_client_session(session: AuthSession = Depends(require_client_session), db: Session = Depends(get_db)):`
			`user = get_client_user_by_email(db, email=session.email, tenant_id=session.tenant_id)`
			`if user is None:`
			`raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client user session is no longer available")`
			`return _build_session_response(`
			`name=user.full_name,`
			`email=user.email,`
			`role=session.role,`
			`tenant_id=session.tenant_id,`
			`client_role=user.role,`
			`user_id=user.id,`
			`client_account_id=user.client_account_id,`
			`module_permissions=module_access_map(user),`
Updates 2026-05-10 09:46:07 +12:00			`).model_copy(update={"token": None})`
v1.3 - client and admin scaffolding 2026-04-25 22:51:36 +12:00

			`@router.get("/admin/session", response_model=SessionResponse)`
			`def read_admin_session(session: AuthSession = Depends(require_admin_session)):`
Updates 2026-05-10 09:46:07 +12:00			`return _build_session_response(name=session.name, email=session.email, role=session.role).model_copy(update={"token": None})`


			`@router.post("/client/logout", status_code=status.HTTP_204_NO_CONTENT)`
			`def client_logout(response: Response):`
			`CLIENT_AUTH_COOKIE.clear(response)`
			`response.status_code = status.HTTP_204_NO_CONTENT`
			`return None`


			`@router.post("/admin/logout", status_code=status.HTTP_204_NO_CONTENT)`
			`def admin_logout(response: Response):`
			`ADMIN_AUTH_COOKIE.clear(response)`
			`response.status_code = status.HTTP_204_NO_CONTENT`
			`return None`