lean101/data-entry-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updates

Browse Source
This commit is contained in:
ponzischeme89
2026-05-10 09:46:07 +12:00
parent cfc193b713
commit 2f2466ecac
81 changed files with 2571 additions and 413 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/auth.py
+44 -9
View File
@@ -1,16 +1,23 @@
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
from pydantic import BaseModel, Field
from sqlalchemy import select
from sqlalchemy.orm import Session
from app.api.deps import AuthSession, require_admin_session, require_client_session
from app.core.config import settings
from app.core.http import ADMIN_AUTH_COOKIE, CLIENT_AUTH_COOKIE
from app.core.rate_limit import SlidingWindowRateLimiter, request_client_key
from app.core.security_logging import log_security_event
from app.core.security import issue_token
from app.db.session import get_db
from app.models.client_access import ClientAccount
from app.services.client_access_service import get_client_user_by_email, module_access_map
router = APIRouter(prefix="/api/auth", tags=["auth"])
login_rate_limiter = SlidingWindowRateLimiter(
limit=settings.login_rate_limit_attempts,
window_seconds=settings.login_rate_limit_window_seconds,
)
class LoginRequest(BaseModel):
@@ -27,7 +34,7 @@ class SessionResponse(BaseModel):
user_id: int | None = None
client_account_id: int | None = None
module_permissions: dict[str, str] = Field(default_factory=dict)
token: str
token: str | None = None
def _build_session_response(
@@ -50,7 +57,8 @@ def _build_session_response(
"client_role": client_role,
"user_id": user_id,
"client_account_id": client_account_id,
}
},
ttl_seconds=settings.session_ttl_seconds,
)
return SessionResponse(
name=name,
@@ -66,19 +74,22 @@ def _build_session_response(
@router.post("/client/login", response_model=SessionResponse)
def client_login(payload: LoginRequest, db: Session = Depends(get_db)):
def client_login(payload: LoginRequest, response: Response, request: Request, db: Session = Depends(get_db)):
login_rate_limiter.hit(request_client_key(request, suffix="client-login"))
if payload.password != settings.client_password:
log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")
user = get_client_user_by_email(db, email=payload.email.strip().lower())
if user is None:
log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")
client_account = db.scalar(select(ClientAccount).where(ClientAccount.id == user.client_account_id))
if client_account is None:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client account is not configured for this user")
return _build_session_response(
session_response = _build_session_response(
name=user.full_name,
email=user.email,
role="client",
@@ -88,14 +99,24 @@ def client_login(payload: LoginRequest, db: Session = Depends(get_db)):
client_account_id=client_account.id,
module_permissions=module_access_map(user),
)
if session_response.token:
CLIENT_AUTH_COOKIE.apply(response, session_response.token)
log_security_event("auth.login_succeeded", audience="client", role="client", user_id=user.id, tenant_id=client_account.tenant_id)
return session_response.model_copy(update={"token": None})
@router.post("/admin/login", response_model=SessionResponse)
def admin_login(payload: LoginRequest):
def admin_login(payload: LoginRequest, response: Response, request: Request):
login_rate_limiter.hit(request_client_key(request, suffix="admin-login"))
if payload.email.strip().lower() != settings.admin_email.lower() or payload.password != settings.admin_password:
log_security_event("auth.login_failed", audience="admin", ip=request_client_key(request))
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid admin email or password")
return _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")
session_response = _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")
if session_response.token:
ADMIN_AUTH_COOKIE.apply(response, session_response.token)
log_security_event("auth.login_succeeded", audience="admin", role="admin")
return session_response.model_copy(update={"token": None})
@router.get("/client/session", response_model=SessionResponse)
@@ -112,9 +133,23 @@ def read_client_session(session: AuthSession = Depends(require_client_session),
user_id=user.id,
client_account_id=user.client_account_id,
module_permissions=module_access_map(user),
)
).model_copy(update={"token": None})
@router.get("/admin/session", response_model=SessionResponse)
def read_admin_session(session: AuthSession = Depends(require_admin_session)):
return _build_session_response(name=session.name, email=session.email, role=session.role)
return _build_session_response(name=session.name, email=session.email, role=session.role).model_copy(update={"token": None})
@router.post("/client/logout", status_code=status.HTTP_204_NO_CONTENT)
def client_logout(response: Response):
CLIENT_AUTH_COOKIE.clear(response)
response.status_code = status.HTTP_204_NO_CONTENT
return None
@router.post("/admin/logout", status_code=status.HTTP_204_NO_CONTENT)
def admin_logout(response: Response):
ADMIN_AUTH_COOKIE.clear(response)
response.status_code = status.HTTP_204_NO_CONTENT
return None