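from functools import lru_cache
from typing import Optional

from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from pydantic import BaseModel
from sqlalchemy.orm import Session

from .models import User, get_db
from .utils import (
    Token,
    UserCreate,
    UserLogin,
    UserResponse,
    create_access_token,
    decode_token,
    get_password_hash,
    verify_password,
)

router = APIRouter(prefix="/api/auth", tags=["Authentication"])

# Minimum accepted password length at registration.
MIN_PASSWORD_LENGTH = 6

# Masked API-key display: keys this long or shorter are hidden entirely, because
# showing a 4-character prefix and suffix of a short secret would reveal most of it.
_MASK_FULLY_AT_OR_BELOW = 12

# OAuth2 bearer-token extraction.  The first variant rejects requests without a
# token (401 from FastAPI); the second yields None instead, so a handler can treat
# the caller as anonymous.
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=True)
oauth2_scheme_optional = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=False)


@lru_cache(maxsize=1)
def _dummy_password_hash() -> str:
    """Return a hash to verify against when the requested username does not exist.

    Computed once on first use (not at import) so module load stays cheap.  Running
    ``verify_password`` against it keeps the failed-login path roughly as slow for
    an unknown username as for a wrong password; the caller must still reject the
    request when no user was found, regardless of the comparison result.
    """
    return get_password_hash("placeholder-password-never-accepted")


def _user_by_username(db: Session, username: str) -> Optional[User]:
    """Return the ``User`` row with this exact username, or None."""
    return db.query(User).filter(User.username == username).first()


def _user_by_email(db: Session, email: str) -> Optional[User]:
    """Return the ``User`` row with this exact email, or None."""
    return db.query(User).filter(User.email == email).first()


async def get_current_user(
    token: str = Depends(oauth2_scheme),
    db: Session = Depends(get_db),
) -> User:
    """Dependency: validate the bearer JWT and return the active user it names.

    ``decode_token`` yields the username carried by the token (the ``sub`` claim
    written by ``create_access_token``) or a falsy value for an invalid/expired
    token.

    Raises:
        HTTPException 401: token invalid/expired, or the named user no longer exists.
        HTTPException 403: the user exists but ``is_active`` is false.
    """
    username = decode_token(token)
    if not username:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid or expired token",
            headers={"WWW-Authenticate": "Bearer"},
        )
    user = _user_by_username(db, username)
    if not user:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="User not found",
            headers={"WWW-Authenticate": "Bearer"},
        )
    # A still-valid token must not keep working after the account is disabled.
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="User account is disabled",
        )
    return user


async def get_current_user_optional(
    token: Optional[str] = Depends(oauth2_scheme_optional),
    db: Session = Depends(get_db),
) -> Optional[User]:
    """Dependency: return the active user for a valid bearer token, else None.

    Never raises for authentication problems: a missing, invalid or expired token,
    an unknown username, or a disabled account all yield None, so the handler
    serves the request as anonymous.
    """
    if not token:
        return None
    username = decode_token(token)
    if not username:
        return None
    user = _user_by_username(db, username)
    if not user or not user.is_active:
        return None
    return user


@router.get("/check-username/{username}")
async def check_username(username: str, db: Session = Depends(get_db)):
    """Report whether *username* is free: ``{"available": bool}``.

    Unauthenticated; it reveals whether an account exists (the same fact
    ``/register`` returns), so it belongs under the same rate limiting as
    registration.
    """
    return {"available": _user_by_username(db, username) is None}


@router.get("/check-email/{email}")
async def check_email(email: str, db: Session = Depends(get_db)):
    """Report whether *email* is free: ``{"available": bool}``.

    Unauthenticated and, like ``/check-username``, an existence oracle for
    accounts; rate-limit it together with registration.
    """
    return {"available": _user_by_email(db, email) is None}


@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
async def register(user_data: UserCreate, db: Session = Depends(get_db)):
    """Create a new user account and return its public representation (201).

    Rejects (400) a username or email that is already taken and a password shorter
    than ``MIN_PASSWORD_LENGTH``.  The duplicate checks are not atomic with the
    insert; under concurrent registrations only a unique constraint on the columns
    guarantees uniqueness (not visible here — confirm in the model).
    """
    # Distinct messages deliberately tell the caller which field collided; this
    # is the same information the /check-username and /check-email routes expose.
    if _user_by_username(db, user_data.username) is not None:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Username already registered",
        )
    if _user_by_email(db, user_data.email) is not None:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail="Email already registered",
        )
    if len(user_data.password) < MIN_PASSWORD_LENGTH:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=f"Password must be at least {MIN_PASSWORD_LENGTH} characters",
        )
    # Only the hash is persisted; the plaintext password never reaches the table.
    user = User(
        username=user_data.username,
        email=user_data.email,
        hashed_password=get_password_hash(user_data.password),
    )
    db.add(user)
    db.commit()
    db.refresh(user)
    return user


def _authenticate(db: Session, username: str, password: str) -> User:
    """Return the active user matching *username*/*password*, or raise.

    Unknown username and wrong password produce the same 401 body and
    ``WWW-Authenticate`` header, and the password hash is verified in both cases so
    the two are distinguishable neither by response content nor (approximately) by
    timing.  A disabled account that presented correct credentials gets 403.

    Raises:
        HTTPException 401: no such user, or the password does not match.
        HTTPException 403: credentials are correct but ``is_active`` is false.
    """
    user = _user_by_username(db, username)
    # Always run the comparison; a missing account is rejected below regardless of
    # what the comparison against the placeholder hash returns.
    stored_hash = user.hashed_password if user is not None else _dummy_password_hash()
    password_ok = verify_password(password, stored_hash)
    if user is None or not password_ok:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="User account is disabled",
        )
    return user


def _token_response(user: User) -> dict:
    """Build the ``Token`` payload: a JWT whose ``sub`` claim is the username."""
    access_token = create_access_token(data={"sub": user.username})
    return {
        "access_token": access_token,
        "token_type": "bearer",
        "username": user.username,
    }


@router.post("/login", response_model=Token)
async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
    """Log in with OAuth2 form fields (username/password) and return a JWT.

    See ``_authenticate`` for the 401/403 behaviour.
    """
    user = _authenticate(db, form_data.username, form_data.password)
    return _token_response(user)


@router.post("/login/json", response_model=Token)
async def login_json(user_data: UserLogin, db: Session = Depends(get_db)):
    """Log in with a JSON body (alternative to form-data) and return a JWT.

    Behaves exactly like ``/login``, including the ``WWW-Authenticate: Bearer``
    challenge on 401, so clients need not special-case either route.
    """
    user = _authenticate(db, user_data.username, user_data.password)
    return _token_response(user)


@router.get("/me", response_model=UserResponse)
async def get_me(current_user: User = Depends(get_current_user)):
    """Return the authenticated caller's public profile."""
    return current_user


def _mask_key(key: Optional[str]) -> str:
    """Return *key* with its middle replaced by ``*`` for display.

    None/empty yields "".  Keys of ``_MASK_FULLY_AT_OR_BELOW`` characters or fewer
    are starred out entirely; longer keys keep their first and last four characters,
    enough to recognise a vendor prefix and tell two keys apart without exposing
    most of the secret.
    """
    if not key:
        return ""
    if len(key) <= _MASK_FULLY_AT_OR_BELOW:
        return "*" * len(key)
    return f"{key[:4]}{'*' * (len(key) - 8)}{key[-4:]}"


@router.get("/api-keys")
async def get_api_keys(current_user: User = Depends(get_current_user)):
    """Return the caller's stored third-party API keys in masked form.

    The full key is never sent back to the client; ``has_*`` flags let a UI show
    whether a key is configured without relying on the masked string.
    """
    return {
        "openai_api_key": _mask_key(current_user.openai_api_key),
        "gemini_api_key": _mask_key(current_user.gemini_api_key),
        "has_openai_key": bool(current_user.openai_api_key),
        "has_gemini_key": bool(current_user.gemini_api_key),
    }


class ApiKeysUpdate(BaseModel):
    """Request body for ``/api-keys``; a field left unset means "keep as is"."""

    openai_api_key: Optional[str] = None
    gemini_api_key: Optional[str] = None


@router.post("/api-keys")
async def update_api_keys(
    keys: ApiKeysUpdate,
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
):
    """Update the caller's third-party API keys.

    Pass an empty string to clear a key; omit the field to leave it unchanged.
    The values are written to the ``User`` row as given — NOTE(review): confirm
    the model encrypts these columns at rest, nothing here does.
    """
    if keys.openai_api_key is not None:
        # Empty string is the "clear" signal and is stored as NULL, not "".
        current_user.openai_api_key = keys.openai_api_key or None
    if keys.gemini_api_key is not None:
        current_user.gemini_api_key = keys.gemini_api_key or None
    db.commit()
    return {"message": "API keys updated successfully"}


@router.post("/logout")
async def logout():
    """Logout endpoint: the client is expected to discard its token.

    Tokens are stateless JWTs and are not revoked server-side, so a token stays
    valid until it expires; this route exists for API completeness.
    """
    return {"message": "Successfully logged out"}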