ledgerdock/backend/app/api/routes_auth.py

"""Authentication endpoints for credential login, session introspection, and logout."""

import logging
import secrets
from datetime import UTC, datetime
from urllib.parse import urlparse

from fastapi import APIRouter, Depends, HTTPException, Request, status
from sqlalchemy.orm import Session

from app.api.auth import (
    AuthContext,
    SESSION_COOKIE_NAME,
    CSRF_COOKIE_NAME,
    require_user_or_admin,
)
from app.core.config import get_settings
from app.db.base import get_session
from app.schemas.auth import (
    AuthLoginRequest,
    AuthLoginResponse,
    AuthLogoutResponse,
    AuthSessionResponse,
    AuthUserResponse,
)
from app.services.auth_login_throttle import (
    check_login_throttle,
    clear_login_throttle,
    record_failed_login_attempt,
)

try:
    from fastapi import Response
except (ImportError, AttributeError):
    from fastapi.responses import Response
from app.services.authentication import authenticate_user, issue_user_session, revoke_auth_session

router = APIRouter(prefix="/auth", tags=["auth"])
logger = logging.getLogger(__name__)

LOGIN_THROTTLED_DETAIL = "Too many login attempts. Try again later."
LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL = "Login rate limiter backend unavailable"


def _request_ip_address(request: Request) -> str | None:
    """Returns best-effort client IP extracted from the request transport context."""

    return request.client.host if request.client is not None else None


def _request_user_agent(request: Request) -> str | None:
    """Returns best-effort user-agent metadata for created auth sessions."""

    user_agent = request.headers.get("user-agent", "").strip()
    return user_agent[:512] if user_agent else None


def _retry_after_headers(retry_after_seconds: int) -> dict[str, str]:
    """Returns a bounded Retry-After header payload for throttled authentication responses."""

    return {"Retry-After": str(max(1, int(retry_after_seconds)))}


def _is_https_request(request: Request) -> bool:
    """Returns whether the incoming request should be treated as HTTPS for cookie flags."""

    forwarded_protocol = request.headers.get("x-forwarded-proto", "").strip().lower().split(",")[0]
    if forwarded_protocol:
        return forwarded_protocol == "https"
    request_url = getattr(request, "url", None)
    request_scheme = str(getattr(request_url, "scheme", "")).lower() if request_url is not None else ""
    if request_scheme == "https":
        return True

    parsed_public_base_url = urlparse(get_settings().public_base_url.strip())
    return parsed_public_base_url.scheme.lower() == "https"


def _resolve_cookie_domain() -> str | None:
    """Returns optional cookie domain override for multi-subdomain deployments."""

    configured_domain = get_settings().auth_cookie_domain.strip().lower().lstrip(".")
    if not configured_domain or "." not in configured_domain:
        return None
    return configured_domain


def _resolve_cookie_samesite(secure_cookie: bool) -> str:
    """Returns cookie SameSite mode with secure-aware defaults for browser compatibility."""

    configured_mode = get_settings().auth_cookie_samesite.strip().lower()
    if configured_mode in {"strict", "lax", "none"}:
        return configured_mode
    return "none" if secure_cookie else "lax"


def _session_cookie_ttl_seconds(expires_at: datetime) -> int:
    """Converts session expiration datetime into cookie max-age seconds."""

    now = datetime.now(UTC)
    ttl = int((expires_at - now).total_seconds())
    return max(1, ttl)


def _set_session_cookie(response: Response, session_token: str, *, expires_at: datetime, secure: bool) -> None:
    """Stores the issued session token in a browser HttpOnly auth cookie."""

    if response is None or not hasattr(response, "set_cookie"):
        return
    expires_seconds = _session_cookie_ttl_seconds(expires_at)
    cookie_domain = _resolve_cookie_domain()
    same_site_mode = _resolve_cookie_samesite(secure)
    response.set_cookie(
        SESSION_COOKIE_NAME,
        value=session_token,
        max_age=expires_seconds,
        httponly=True,
        secure=secure,
        samesite=same_site_mode,
        path="/",
        domain=cookie_domain,
    )


def _set_csrf_cookie(
    response: Response,
    csrf_token: str,
    *,
    expires_at: datetime,
    secure: bool,
) -> None:
    """Stores an anti-CSRF token in a browser cookie for JavaScript-safe extraction."""

    if response is None or not hasattr(response, "set_cookie"):
        return
    cookie_domain = _resolve_cookie_domain()
    same_site_mode = _resolve_cookie_samesite(secure)
    response.set_cookie(
        CSRF_COOKIE_NAME,
        value=csrf_token,
        max_age=_session_cookie_ttl_seconds(expires_at),
        httponly=False,
        secure=secure,
        samesite=same_site_mode,
        path="/",
        domain=cookie_domain,
    )


def _clear_session_cookies(response: Response) -> None:
    """Clears auth cookies returned by login responses."""

    if response is None or not hasattr(response, "delete_cookie"):
        return
    cookie_domain = _resolve_cookie_domain()
    response.delete_cookie(SESSION_COOKIE_NAME, path="/", domain=cookie_domain)
    response.delete_cookie(CSRF_COOKIE_NAME, path="/", domain=cookie_domain)


@router.post("/login", response_model=AuthLoginResponse)
def login(
    payload: AuthLoginRequest,
    request: Request,
    response: Response,
    session: Session = Depends(get_session),
) -> AuthLoginResponse:
    """Authenticates credentials with throttle protection and returns issued session metadata."""

    ip_address = _request_ip_address(request)
    try:
        throttle_status = check_login_throttle(
            username=payload.username,
            ip_address=ip_address,
        )
    except RuntimeError as error:
        raise HTTPException(
            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
            detail=LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL,
        ) from error
    if throttle_status.is_throttled:
        raise HTTPException(
            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
            detail=LOGIN_THROTTLED_DETAIL,
            headers=_retry_after_headers(throttle_status.retry_after_seconds),
        )

    user = authenticate_user(
        session,
        username=payload.username,
        password=payload.password,
    )
    if user is None:
        try:
            lockout_seconds = record_failed_login_attempt(
                username=payload.username,
                ip_address=ip_address,
            )
        except RuntimeError as error:
            raise HTTPException(
                status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                detail=LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL,
            ) from error
        if lockout_seconds > 0:
            raise HTTPException(
                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
                detail=LOGIN_THROTTLED_DETAIL,
                headers=_retry_after_headers(lockout_seconds),
            )
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid username or password",
        )

    try:
        clear_login_throttle(
            username=payload.username,
            ip_address=ip_address,
        )
    except RuntimeError:
        logger.warning(
            "Failed to clear login throttle state after successful authentication: username=%s ip=%s",
            payload.username.strip().lower(),
            ip_address or "",
        )

    issued_session = issue_user_session(
        session,
        user=user,
        user_agent=_request_user_agent(request),
        ip_address=ip_address,
    )
    session.commit()

    csrf_token = secrets.token_urlsafe(32)
    secure_cookie = _is_https_request(request)
    _set_session_cookie(
        response,
        issued_session.token,
        expires_at=issued_session.expires_at,
        secure=secure_cookie,
    )
    _set_csrf_cookie(
        response,
        csrf_token,
        expires_at=issued_session.expires_at,
        secure=secure_cookie,
    )

    return AuthLoginResponse(
        user=AuthUserResponse.model_validate(user),
        expires_at=issued_session.expires_at,
        access_token=issued_session.token,
        csrf_token=csrf_token,
    )


@router.get("/me", response_model=AuthSessionResponse)
def me(context: AuthContext = Depends(require_user_or_admin)) -> AuthSessionResponse:
    """Returns current authenticated session identity and expiration metadata."""

    return AuthSessionResponse(
        expires_at=context.expires_at,
        user=AuthUserResponse(
            id=context.user_id,
            username=context.username,
            role=context.role,
        ),
    )


@router.post("/logout", response_model=AuthLogoutResponse)
def logout(
    response: Response,
    context: AuthContext = Depends(require_user_or_admin),
    session: Session = Depends(get_session),
) -> AuthLogoutResponse:
    """Revokes current session token and clears client auth cookies."""

    revoked = revoke_auth_session(
        session,
        session_id=context.session_id,
    )
    if revoked:
        session.commit()

    _clear_session_cookies(response)
    return AuthLogoutResponse(revoked=revoked)