from datetime import datetime, timedelta from typing import Any, Optional, Union from fastapi import Depends, HTTPException, status from fastapi.security import OAuth2PasswordBearer from jose import JWTError, jwt from pydantic import ValidationError from sqlalchemy.orm import Session from app.core.security import ACCESS_TOKEN_EXPIRE_MINUTES, ALGORITHM, SECRET_KEY from app.db.session import get_db from app.models.user import User from app.schemas.token import TokenPayload from app.services import user as user_service oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login") def create_access_token(*, sub: Union[str, Any], expires_delta: Optional[timedelta] = None) -> str: """ Create a JWT access token for authentication """ if expires_delta: expire = datetime.utcnow() + expires_delta else: expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) to_encode = {"exp": expire, "sub": str(sub)} encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM) return encoded_jwt def get_current_user(db: Session = Depends(get_db), token: str = Depends(oauth2_scheme)) -> User: """ Validate access token and return current user """ try: payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) token_data = TokenPayload(**payload) except (JWTError, ValidationError): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Could not validate credentials", headers={"WWW-Authenticate": "Bearer"}, ) user = user_service.get(db, user_id=token_data.sub) if not user: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found") return user def get_current_active_user(current_user: User = Depends(get_current_user)) -> User: """ Validate that the current user is active """ if not user_service.is_active(current_user): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Inactive user") return current_user def get_current_superuser(current_user: User = Depends(get_current_active_user)) -> User: """ Validate that the current user is a superuser """ if not user_service.is_superuser(current_user): raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Not enough permissions" ) return current_user