95 lines
2.9 KiB
Python
95 lines
2.9 KiB
Python
"""Authentication endpoints for credential login, session introspection, and logout."""
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
|
from sqlalchemy.orm import Session
|
|
|
|
from app.api.auth import AuthContext, require_user_or_admin
|
|
from app.db.base import get_session
|
|
from app.schemas.auth import (
|
|
AuthLoginRequest,
|
|
AuthLoginResponse,
|
|
AuthLogoutResponse,
|
|
AuthSessionResponse,
|
|
AuthUserResponse,
|
|
)
|
|
from app.services.authentication import authenticate_user, issue_user_session, revoke_auth_session
|
|
|
|
|
|
router = APIRouter(prefix="/auth", tags=["auth"])
|
|
|
|
|
|
def _request_ip_address(request: Request) -> str | None:
|
|
"""Returns best-effort client IP extracted from the request transport context."""
|
|
|
|
return request.client.host if request.client is not None else None
|
|
|
|
|
|
def _request_user_agent(request: Request) -> str | None:
|
|
"""Returns best-effort user-agent metadata for created auth sessions."""
|
|
|
|
user_agent = request.headers.get("user-agent", "").strip()
|
|
return user_agent[:512] if user_agent else None
|
|
|
|
|
|
@router.post("/login", response_model=AuthLoginResponse)
|
|
def login(
|
|
payload: AuthLoginRequest,
|
|
request: Request,
|
|
session: Session = Depends(get_session),
|
|
) -> AuthLoginResponse:
|
|
"""Authenticates username and password and returns an issued bearer session token."""
|
|
|
|
user = authenticate_user(
|
|
session,
|
|
username=payload.username,
|
|
password=payload.password,
|
|
)
|
|
if user is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Invalid username or password",
|
|
)
|
|
|
|
issued_session = issue_user_session(
|
|
session,
|
|
user=user,
|
|
user_agent=_request_user_agent(request),
|
|
ip_address=_request_ip_address(request),
|
|
)
|
|
session.commit()
|
|
return AuthLoginResponse(
|
|
access_token=issued_session.token,
|
|
expires_at=issued_session.expires_at,
|
|
user=AuthUserResponse.model_validate(user),
|
|
)
|
|
|
|
|
|
@router.get("/me", response_model=AuthSessionResponse)
|
|
def me(context: AuthContext = Depends(require_user_or_admin)) -> AuthSessionResponse:
|
|
"""Returns current authenticated session identity and expiration metadata."""
|
|
|
|
return AuthSessionResponse(
|
|
expires_at=context.expires_at,
|
|
user=AuthUserResponse(
|
|
id=context.user_id,
|
|
username=context.username,
|
|
role=context.role,
|
|
),
|
|
)
|
|
|
|
|
|
@router.post("/logout", response_model=AuthLogoutResponse)
|
|
def logout(
|
|
context: AuthContext = Depends(require_user_or_admin),
|
|
session: Session = Depends(get_session),
|
|
) -> AuthLogoutResponse:
|
|
"""Revokes current bearer session token and confirms logout state."""
|
|
|
|
revoked = revoke_auth_session(
|
|
session,
|
|
session_id=context.session_id,
|
|
)
|
|
if revoked:
|
|
session.commit()
|
|
return AuthLogoutResponse(revoked=revoked)
|