ledgerdock/backend/app/api/routes_auth.py

"""Authentication endpoints for credential login, session introspection, and logout."""

import logging
import secrets
from datetime import UTC, datetime
from urllib.parse import urlparse

from fastapi import APIRouter, Depends, HTTPException, Request, status
from sqlalchemy.orm import Session

from app.api.auth import (
    AuthContext,
    SESSION_COOKIE_NAME,
    CSRF_COOKIE_NAME,
    require_user_or_admin,
)
from app.core.config import get_settings
from app.db.base import get_session
from app.schemas.auth import (
    AuthLoginRequest,
    AuthLoginResponse,
    AuthLogoutResponse,
    AuthSessionResponse,
    AuthUserResponse,
)
from app.services.auth_login_throttle import (
    check_login_throttle,
    clear_login_throttle,
    record_failed_login_attempt,
)

try:
    from fastapi import Cookie, Response
except (ImportError, AttributeError):
    from fastapi.responses import Response

    def Cookie(_default=None, **_kwargs):  # type: ignore[no-untyped-def]
        """Compatibility fallback for environments that stub fastapi without request params."""

        return None
from app.services.authentication import authenticate_user, issue_user_session, revoke_auth_session

router = APIRouter(prefix="/auth", tags=["auth"])
logger = logging.getLogger(__name__)

LOGIN_THROTTLED_DETAIL = "Too many login attempts. Try again later."
LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL = "Login rate limiter backend unavailable"


def _request_ip_address(request: Request) -> str | None:
    """Returns best-effort client IP extracted from the request transport context."""

    return request.client.host if request.client is not None else None


def _request_user_agent(request: Request) -> str | None:
    """Returns best-effort user-agent metadata for created auth sessions."""

    user_agent = request.headers.get("user-agent", "").strip()
    return user_agent[:512] if user_agent else None


def _retry_after_headers(retry_after_seconds: int) -> dict[str, str]:
    """Returns a bounded Retry-After header payload for throttled authentication responses."""

    return {"Retry-After": str(max(1, int(retry_after_seconds)))}


def _is_https_request(request: Request) -> bool:
    """Returns whether the incoming request should be treated as HTTPS for cookie flags."""

    forwarded_protocol = request.headers.get("x-forwarded-proto", "").strip().lower().split(",")[0]
    if forwarded_protocol:
        return forwarded_protocol == "https"
    request_url = getattr(request, "url", None)
    request_scheme = str(getattr(request_url, "scheme", "")).lower() if request_url is not None else ""
    if request_scheme == "https":
        return True

    parsed_public_base_url = urlparse(get_settings().public_base_url.strip())
    return parsed_public_base_url.scheme.lower() == "https"


def _resolve_cookie_domain() -> str | None:
    """Returns optional cookie domain override for multi-subdomain deployments."""

    configured_domain = get_settings().auth_cookie_domain.strip().lower().lstrip(".")
    if not configured_domain or "." not in configured_domain:
        return None
    return configured_domain


def _resolve_cookie_domains() -> tuple[str | None, ...]:
    """Returns cookie domain variants with a host-only cookie first for browser compatibility."""

    configured_domain = _resolve_cookie_domain()
    if configured_domain is None:
        return (None,)
    return (None, configured_domain)


def _request_matches_cookie_domain(request: Request) -> bool:
    """Returns whether request and origin hosts both sit under the configured cookie domain."""

    configured_domain = _resolve_cookie_domain()
    if configured_domain is None:
        return False

    origin_header = request.headers.get("origin", "").strip()
    origin_host = urlparse(origin_header).hostname.strip().lower() if origin_header else ""
    if not origin_host:
        return False

    request_url = getattr(request, "url", None)
    request_host = str(getattr(request_url, "hostname", "")).strip().lower() if request_url is not None else ""
    if not request_host:
        parsed_public_base_url = urlparse(get_settings().public_base_url.strip())
        request_host = parsed_public_base_url.hostname.strip().lower() if parsed_public_base_url.hostname else ""
    if not request_host:
        return False

    def _matches(candidate: str) -> bool:
        return candidate == configured_domain or candidate.endswith(f".{configured_domain}")

    return _matches(origin_host) and _matches(request_host)


def _resolve_cookie_samesite(request: Request, secure_cookie: bool) -> str:
    """Returns cookie SameSite mode with same-site subdomain compatibility defaults."""

    configured_mode = get_settings().auth_cookie_samesite.strip().lower()
    if configured_mode in {"strict", "lax"}:
        return configured_mode
    if configured_mode == "none":
        return "lax" if _request_matches_cookie_domain(request) else "none"
    return "none" if secure_cookie else "lax"


def _session_cookie_ttl_seconds(expires_at: datetime) -> int:
    """Converts session expiration datetime into cookie max-age seconds."""

    now = datetime.now(UTC)
    ttl = int((expires_at - now).total_seconds())
    return max(1, ttl)


def _set_session_cookie(
    response: Response,
    session_token: str,
    *,
    request: Request,
    expires_at: datetime,
    secure: bool,
) -> None:
    """Stores the issued session token in a browser HttpOnly auth cookie."""

    if response is None or not hasattr(response, "set_cookie"):
        return
    expires_seconds = _session_cookie_ttl_seconds(expires_at)
    same_site_mode = _resolve_cookie_samesite(request, secure)
    for cookie_domain in _resolve_cookie_domains():
        cookie_kwargs = {
            "value": session_token,
            "max_age": expires_seconds,
            "httponly": True,
            "secure": secure,
            "samesite": same_site_mode,
            "path": "/",
        }
        if cookie_domain is not None:
            cookie_kwargs["domain"] = cookie_domain
        response.set_cookie(SESSION_COOKIE_NAME, **cookie_kwargs)


def _set_csrf_cookie(
    response: Response,
    csrf_token: str,
    *,
    request: Request,
    expires_at: datetime,
    secure: bool,
) -> None:
    """Stores an anti-CSRF token in a browser cookie for JavaScript-safe extraction."""

    if response is None or not hasattr(response, "set_cookie"):
        return
    same_site_mode = _resolve_cookie_samesite(request, secure)
    for cookie_domain in _resolve_cookie_domains():
        cookie_kwargs = {
            "value": csrf_token,
            "max_age": _session_cookie_ttl_seconds(expires_at),
            "httponly": False,
            "secure": secure,
            "samesite": same_site_mode,
            "path": "/",
        }
        if cookie_domain is not None:
            cookie_kwargs["domain"] = cookie_domain
        response.set_cookie(CSRF_COOKIE_NAME, **cookie_kwargs)


def _clear_session_cookies(response: Response) -> None:
    """Clears auth cookies returned by login responses."""

    if response is None or not hasattr(response, "delete_cookie"):
        return
    for cookie_domain in _resolve_cookie_domains():
        delete_kwargs = {"path": "/"}
        if cookie_domain is not None:
            delete_kwargs["domain"] = cookie_domain
        response.delete_cookie(SESSION_COOKIE_NAME, **delete_kwargs)
        response.delete_cookie(CSRF_COOKIE_NAME, **delete_kwargs)


@router.post("/login", response_model=AuthLoginResponse)
def login(
    payload: AuthLoginRequest,
    request: Request,
    response: Response,
    session: Session = Depends(get_session),
) -> AuthLoginResponse:
    """Authenticates credentials with throttle protection and returns issued session metadata."""

    ip_address = _request_ip_address(request)
    try:
        throttle_status = check_login_throttle(
            username=payload.username,
            ip_address=ip_address,
        )
    except RuntimeError as error:
        raise HTTPException(
            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
            detail=LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL,
        ) from error
    if throttle_status.is_throttled:
        raise HTTPException(
            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
            detail=LOGIN_THROTTLED_DETAIL,
            headers=_retry_after_headers(throttle_status.retry_after_seconds),
        )

    user = authenticate_user(
        session,
        username=payload.username,
        password=payload.password,
    )
    if user is None:
        try:
            lockout_seconds = record_failed_login_attempt(
                username=payload.username,
                ip_address=ip_address,
            )
        except RuntimeError as error:
            raise HTTPException(
                status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                detail=LOGIN_RATE_LIMITER_UNAVAILABLE_DETAIL,
            ) from error
        if lockout_seconds > 0:
            raise HTTPException(
                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
                detail=LOGIN_THROTTLED_DETAIL,
                headers=_retry_after_headers(lockout_seconds),
            )
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid username or password",
        )

    try:
        clear_login_throttle(
            username=payload.username,
            ip_address=ip_address,
        )
    except RuntimeError:
        logger.warning(
            "Failed to clear login throttle state after successful authentication: username=%s ip=%s",
            payload.username.strip().lower(),
            ip_address or "",
        )

    issued_session = issue_user_session(
        session,
        user=user,
        user_agent=_request_user_agent(request),
        ip_address=ip_address,
    )
    session.commit()

    csrf_token = secrets.token_urlsafe(32)
    secure_cookie = _is_https_request(request)
    _set_session_cookie(
        response,
        issued_session.token,
        request=request,
        expires_at=issued_session.expires_at,
        secure=secure_cookie,
    )
    _set_csrf_cookie(
        response,
        csrf_token,
        request=request,
        expires_at=issued_session.expires_at,
        secure=secure_cookie,
    )

    return AuthLoginResponse(
        user=AuthUserResponse.model_validate(user),
        expires_at=issued_session.expires_at,
        access_token=issued_session.token,
        csrf_token=csrf_token,
    )


@router.get("/me", response_model=AuthSessionResponse)
def me(
    context: AuthContext = Depends(require_user_or_admin),
    csrf_cookie: str | None = Cookie(None, alias=CSRF_COOKIE_NAME),
) -> AuthSessionResponse:
    """Returns current authenticated session identity and expiration metadata."""

    normalized_csrf_cookie = (csrf_cookie or "").strip() or None
    return AuthSessionResponse(
        expires_at=context.expires_at,
        user=AuthUserResponse(
            id=context.user_id,
            username=context.username,
            role=context.role,
        ),
        csrf_token=normalized_csrf_cookie,
    )


@router.post("/logout", response_model=AuthLogoutResponse)
def logout(
    response: Response,
    context: AuthContext = Depends(require_user_or_admin),
    session: Session = Depends(get_session),
) -> AuthLogoutResponse:
    """Revokes current session token and clears client auth cookies."""

    revoked = revoke_auth_session(
        session,
        session_id=context.session_id,
    )
    if revoked:
        session.commit()

    _clear_session_cookies(response)
    return AuthLogoutResponse(revoked=revoked)