Diffstat (limited to 'backend/app/auth')
-rw-r--r--backend/app/auth/__init__.py17
-rw-r--r--backend/app/auth/models.py44
-rw-r--r--backend/app/auth/routes.py269
-rw-r--r--backend/app/auth/utils.py73
4 files changed, 403 insertions, 0 deletions
diff --git a/backend/app/auth/__init__.py b/backend/app/auth/__init__.py
new file mode 100644
index 0000000..8234b6f
--- /dev/null
+++ b/backend/app/auth/__init__.py
@@ -0,0 +1,17 @@
+from .routes import router as auth_router
+from .routes import get_current_user, get_current_user_optional
+from .models import User, get_db, init_db
+from .utils import Token, UserCreate, UserResponse
+
+__all__ = [
+ 'auth_router',
+ 'get_current_user',
+ 'get_current_user_optional',
+ 'User',
+ 'get_db',
+ 'init_db',
+ 'Token',
+ 'UserCreate',
+ 'UserResponse',
+]
+
diff --git a/backend/app/auth/models.py b/backend/app/auth/models.py
new file mode 100644
index 0000000..8477ba2
--- /dev/null
+++ b/backend/app/auth/models.py
@@ -0,0 +1,44 @@
+import os
+from sqlalchemy import Column, Integer, String, DateTime, Text, create_engine
+from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.orm import sessionmaker
+from datetime import datetime
+
+# Database configuration
+DATA_ROOT = os.path.abspath(os.getenv("DATA_ROOT", os.path.join(os.getcwd(), "data")))
+DATABASE_PATH = os.path.join(DATA_ROOT, "users.db")
+DATABASE_URL = f"sqlite:///{DATABASE_PATH}"
+
+engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+Base = declarative_base()
+
+
+class User(Base):
+ __tablename__ = "users"
+
+ id = Column(Integer, primary_key=True, index=True)
+ username = Column(String(50), unique=True, index=True, nullable=False)
+ email = Column(String(100), unique=True, index=True, nullable=False)
+ hashed_password = Column(String(255), nullable=False)
+ created_at = Column(DateTime, default=datetime.utcnow)
+ is_active = Column(Integer, default=1)
+ # API Keys (stored encrypted in production, plain for simplicity here)
+ openai_api_key = Column(Text, nullable=True)
+ gemini_api_key = Column(Text, nullable=True)
+
+
+def init_db():
+ """Initialize database tables"""
+ os.makedirs(DATA_ROOT, exist_ok=True)
+ Base.metadata.create_all(bind=engine)
+
+
+def get_db():
+ """Dependency to get database session"""
+ db = SessionLocal()
+ try:
+ yield db
+ finally:
+ db.close()
+
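Review bot: The comment above `openai_api_key` says the keys are "stored encrypted in production", but nothing in this module or the rest of the change encrypts them: both columns are plain `Text` and `update_api_keys` in routes.py writes the submitted value straight through, so the SQLite file under `DATA_ROOT` holds third-party API keys in cleartext. Either add the encryption layer the comment promises or make the comment truthful, e.g. `# API keys are stored in cleartext; users.db (and any backup of it) must be handled as a secret`. Separately, `default=datetime.utcnow` yields naive timestamps and `datetime.utcnow` is deprecated since Python 3.12; `default=lambda: datetime.now(timezone.utc)` (importing `timezone`) is the replacement.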
diff --git a/backend/app/auth/routes.py b/backend/app/auth/routes.py
new file mode 100644
index 0000000..3c906b5
--- /dev/null
+++ b/backend/app/auth/routes.py
@@ -0,0 +1,269 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from sqlalchemy.orm import Session
+from typing import Optional
+from pydantic import BaseModel
+
+from .models import User, get_db
+from .utils import (
+ Token, UserCreate, UserLogin, UserResponse,
+ verify_password, get_password_hash, create_access_token, decode_token
+)
+
+router = APIRouter(prefix="/api/auth", tags=["Authentication"])
+
+# OAuth2 scheme for token extraction
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=True)
+oauth2_scheme_optional = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=False)
+
+
+async def get_current_user(
+ token: str = Depends(oauth2_scheme),
+ db: Session = Depends(get_db)
+) -> User:
+ """
+ Dependency: Validate JWT token and return current user.
+ Raises 401 if token is invalid or user not found.
+ """
+ username = decode_token(token)
+ if not username:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid or expired token",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ user = db.query(User).filter(User.username == username).first()
+ if not user:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="User not found",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is disabled"
+ )
+
+ return user
+
+
+async def get_current_user_optional(
+ token: Optional[str] = Depends(oauth2_scheme_optional),
+ db: Session = Depends(get_db)
+) -> Optional[User]:
+ """
+ Dependency: Try to get current user, but don't fail if not authenticated.
+ Returns None if no valid token.
+ """
+ if not token:
+ return None
+
+ username = decode_token(token)
+ if not username:
+ return None
+
+ user = db.query(User).filter(User.username == username).first()
+ if not user or not user.is_active:
+ return None
+
+ return user
+
+
+@router.get("/check-username/{username}")
+async def check_username(username: str, db: Session = Depends(get_db)):
+ """
+ Check if a username is available.
+ """
+ existing = db.query(User).filter(User.username == username).first()
+ return {"available": existing is None}
+
+
+@router.get("/check-email/{email}")
+async def check_email(email: str, db: Session = Depends(get_db)):
+ """
+ Check if an email is available.
+ """
+ existing = db.query(User).filter(User.email == email).first()
+ return {"available": existing is None}
+
+
+@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
+async def register(user_data: UserCreate, db: Session = Depends(get_db)):
+ """
+ Register a new user account.
+ """
+ # Check if username already exists
+ existing_user = db.query(User).filter(User.username == user_data.username).first()
+ if existing_user:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail="Username already registered"
+ )
+
+ # Check if email already exists
+ existing_email = db.query(User).filter(User.email == user_data.email).first()
+ if existing_email:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail="Email already registered"
+ )
+
+ # Validate password length
+ if len(user_data.password) < 6:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail="Password must be at least 6 characters"
+ )
+
+ # Create new user
+ user = User(
+ username=user_data.username,
+ email=user_data.email,
+ hashed_password=get_password_hash(user_data.password)
+ )
+ db.add(user)
+ db.commit()
+ db.refresh(user)
+
+ return user
+
+
+@router.post("/login", response_model=Token)
+async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
+ """
+ Login with username and password, returns JWT token.
+ """
+ # Find user by username
+ user = db.query(User).filter(User.username == form_data.username).first()
+
+ if not user:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Incorrect username or password",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ if not verify_password(form_data.password, user.hashed_password):
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Incorrect username or password",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is disabled"
+ )
+
+ # Create access token
+ access_token = create_access_token(data={"sub": user.username})
+
+ return {
+ "access_token": access_token,
+ "token_type": "bearer",
+ "username": user.username
+ }
+
+
+@router.post("/login/json", response_model=Token)
+async def login_json(user_data: UserLogin, db: Session = Depends(get_db)):
+ """
+ Login with JSON body (alternative to form-data).
+ """
+ # Find user by username
+ user = db.query(User).filter(User.username == user_data.username).first()
+
+ if not user:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Incorrect username or password",
+ )
+
+ if not verify_password(user_data.password, user.hashed_password):
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Incorrect username or password",
+ )
+
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is disabled"
+ )
+
+ # Create access token
+ access_token = create_access_token(data={"sub": user.username})
+
+ return {
+ "access_token": access_token,
+ "token_type": "bearer",
+ "username": user.username
+ }
+
+
+@router.get("/me", response_model=UserResponse)
+async def get_me(current_user: User = Depends(get_current_user)):
+ """
+ Get current authenticated user's info.
+ """
+ return current_user
+
+
+@router.get("/api-keys")
+async def get_api_keys(current_user: User = Depends(get_current_user)):
+ """
+ Get current user's API keys (masked for security).
+ """
+ def mask_key(key: str | None) -> str:
+ if not key:
+ return ""
+ if len(key) <= 8:
+ return "*" * len(key)
+ return key[:4] + "*" * (len(key) - 8) + key[-4:]
+
+ return {
+ "openai_api_key": mask_key(current_user.openai_api_key),
+ "gemini_api_key": mask_key(current_user.gemini_api_key),
+ "has_openai_key": bool(current_user.openai_api_key),
+ "has_gemini_key": bool(current_user.gemini_api_key),
+ }
+
+
+class ApiKeysUpdate(BaseModel):
+ openai_api_key: Optional[str] = None
+ gemini_api_key: Optional[str] = None
+
+
+@router.post("/api-keys")
+async def update_api_keys(
+ keys: ApiKeysUpdate,
+ current_user: User = Depends(get_current_user),
+ db: Session = Depends(get_db)
+):
+ """
+ Update current user's API keys.
+ Pass empty string to clear a key, or omit to keep unchanged.
+ """
+ if keys.openai_api_key is not None:
+ current_user.openai_api_key = keys.openai_api_key if keys.openai_api_key else None
+
+ if keys.gemini_api_key is not None:
+ current_user.gemini_api_key = keys.gemini_api_key if keys.gemini_api_key else None
+
+ db.commit()
+
+ return {"message": "API keys updated successfully"}
+
+
+@router.post("/logout")
+async def logout():
+ """
+ Logout endpoint (client should discard the token).
+ JWT tokens are stateless, so this is just for API completeness.
+ """
+ return {"message": "Successfully logged out"}
+
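Review bot: `register` validates the password only by a 6-character minimum, and only after two database lookups; `get_password_hash` hands the UTF-8 bytes to bcrypt, which has a 72-byte input limit, so an over-long password is either silently truncated or, on recent bcrypt releases, rejected with a `ValueError` that surfaces as a 500. Move the check ahead of the queries and bound both ends, e.g. `pw_len = len(user_data.password.encode("utf-8"))` / `if pw_len < 6 or pw_len > 72:` with the `detail` adjusted accordingly. `login_json` mirrors `login` line for line except that its 401 responses omit the `WWW-Authenticate: Bearer` header; a shared `_authenticate(db, username, password) -> User` helper would remove both the duplication and the inconsistency. `check_username`, `check_email` and the distinct "already registered" messages are unauthenticated account-existence oracles; if that is accepted as a product choice, they should at least be rate-limited.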
diff --git a/backend/app/auth/utils.py b/backend/app/auth/utils.py
new file mode 100644
index 0000000..5889279
--- /dev/null
+++ b/backend/app/auth/utils.py
@@ -0,0 +1,73 @@
+import os
+import bcrypt
+from datetime import datetime, timedelta
+from typing import Optional
+from jose import JWTError, jwt
+from pydantic import BaseModel, EmailStr
+
+# Configuration - use environment variables in production
+SECRET_KEY = os.getenv("JWT_SECRET_KEY", "contextflow-secret-key-change-in-production-2024")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("JWT_EXPIRE_MINUTES", "1440")) # 24 hours default
+
+
+# Pydantic models for request/response
+class Token(BaseModel):
+ access_token: str
+ token_type: str
+ username: str
+
+
+class TokenData(BaseModel):
+ username: Optional[str] = None
+
+
+class UserCreate(BaseModel):
+ username: str
+ email: EmailStr
+ password: str
+
+
+class UserLogin(BaseModel):
+ username: str
+ password: str
+
+
+class UserResponse(BaseModel):
+ id: int
+ username: str
+ email: str
+ created_at: datetime
+ is_active: int
+
+ class Config:
+ from_attributes = True
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+ """Verify a password against its hash"""
+ return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password.encode('utf-8'))
+
+
+def get_password_hash(password: str) -> str:
+ """Hash a password"""
+ return bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+ """Create a JWT access token"""
+ to_encode = data.copy()
+ expire = datetime.utcnow() + (expires_delta or timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
+ to_encode.update({"exp": expire})
+ return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+
+
+def decode_token(token: str) -> Optional[str]:
+ """Decode a JWT token and return the username"""
+ try:
+ payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+ username: str = payload.get("sub")
+ return username
+ except JWTError:
+ return None
+
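Review bot: `SECRET_KEY` falls back to a fixed string when `JWT_SECRET_KEY` is unset, so a deployment that forgets the variable signs every token with a value that lives in the repository, and `decode_token` will then accept any token minted with it for any `sub`. Fail closed at import instead: `SECRET_KEY = os.getenv("JWT_SECRET_KEY")` followed by `if not SECRET_KEY: raise RuntimeError("JWT_SECRET_KEY must be set")`, so the service refuses to run with a known key. `create_access_token` uses `datetime.utcnow()`, deprecated since Python 3.12; `datetime.now(timezone.utc)` (importing `timezone`) produces the same `exp` value. `TokenData` is defined here but not referenced anywhere in this change.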