1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
from fastapi import APIRouter, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from sqlalchemy.orm import Session
from typing import Optional
from pydantic import BaseModel
from .models import User, get_db
from .utils import (
Token, UserCreate, UserLogin, UserResponse,
verify_password, get_password_hash, create_access_token, decode_token
)
router = APIRouter(prefix="/api/auth", tags=["Authentication"])
# OAuth2 scheme for token extraction
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=True)
oauth2_scheme_optional = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=False)
async def get_current_user(
token: str = Depends(oauth2_scheme),
db: Session = Depends(get_db)
) -> User:
"""
Dependency: Validate JWT token and return current user.
Raises 401 if token is invalid or user not found.
"""
username = decode_token(token)
if not username:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid or expired token",
headers={"WWW-Authenticate": "Bearer"},
)
user = db.query(User).filter(User.username == username).first()
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="User not found",
headers={"WWW-Authenticate": "Bearer"},
)
if not user.is_active:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="User account is disabled"
)
return user
async def get_current_user_optional(
token: Optional[str] = Depends(oauth2_scheme_optional),
db: Session = Depends(get_db)
) -> Optional[User]:
"""
Dependency: Try to get current user, but don't fail if not authenticated.
Returns None if no valid token.
"""
if not token:
return None
username = decode_token(token)
if not username:
return None
user = db.query(User).filter(User.username == username).first()
if not user or not user.is_active:
return None
return user
@router.get("/check-username/{username}")
async def check_username(username: str, db: Session = Depends(get_db)):
"""
Check if a username is available.
"""
existing = db.query(User).filter(User.username == username).first()
return {"available": existing is None}
@router.get("/check-email/{email}")
async def check_email(email: str, db: Session = Depends(get_db)):
"""
Check if an email is available.
"""
existing = db.query(User).filter(User.email == email).first()
return {"available": existing is None}
@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
async def register(user_data: UserCreate, db: Session = Depends(get_db)):
"""
Register a new user account.
"""
# Check if username already exists
existing_user = db.query(User).filter(User.username == user_data.username).first()
if existing_user:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Username already registered"
)
# Check if email already exists
existing_email = db.query(User).filter(User.email == user_data.email).first()
if existing_email:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Email already registered"
)
# Validate password length
if len(user_data.password) < 6:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Password must be at least 6 characters"
)
# Create new user
user = User(
username=user_data.username,
email=user_data.email,
hashed_password=get_password_hash(user_data.password)
)
db.add(user)
db.commit()
db.refresh(user)
return user
@router.post("/login", response_model=Token)
async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
"""
Login with username and password, returns JWT token.
"""
# Find user by username
user = db.query(User).filter(User.username == form_data.username).first()
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
if not verify_password(form_data.password, user.hashed_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
if not user.is_active:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="User account is disabled"
)
# Create access token
access_token = create_access_token(data={"sub": user.username})
return {
"access_token": access_token,
"token_type": "bearer",
"username": user.username
}
@router.post("/login/json", response_model=Token)
async def login_json(user_data: UserLogin, db: Session = Depends(get_db)):
"""
Login with JSON body (alternative to form-data).
"""
# Find user by username
user = db.query(User).filter(User.username == user_data.username).first()
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
)
if not verify_password(user_data.password, user.hashed_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
)
if not user.is_active:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="User account is disabled"
)
# Create access token
access_token = create_access_token(data={"sub": user.username})
return {
"access_token": access_token,
"token_type": "bearer",
"username": user.username
}
@router.get("/me", response_model=UserResponse)
async def get_me(current_user: User = Depends(get_current_user)):
"""
Get current authenticated user's info.
"""
return current_user
@router.get("/api-keys")
async def get_api_keys(current_user: User = Depends(get_current_user)):
"""
Get current user's API keys (masked for security).
"""
def mask_key(key: str | None) -> str:
if not key:
return ""
if len(key) <= 8:
return "*" * len(key)
return key[:4] + "*" * (len(key) - 8) + key[-4:]
return {
"openai_api_key": mask_key(current_user.openai_api_key),
"gemini_api_key": mask_key(current_user.gemini_api_key),
"has_openai_key": bool(current_user.openai_api_key),
"has_gemini_key": bool(current_user.gemini_api_key),
}
class ApiKeysUpdate(BaseModel):
openai_api_key: Optional[str] = None
gemini_api_key: Optional[str] = None
@router.post("/api-keys")
async def update_api_keys(
keys: ApiKeysUpdate,
current_user: User = Depends(get_current_user),
db: Session = Depends(get_db)
):
"""
Update current user's API keys.
Pass empty string to clear a key, or omit to keep unchanged.
"""
if keys.openai_api_key is not None:
current_user.openai_api_key = keys.openai_api_key if keys.openai_api_key else None
if keys.gemini_api_key is not None:
current_user.gemini_api_key = keys.gemini_api_key if keys.gemini_api_key else None
db.commit()
return {"message": "API keys updated successfully"}
@router.post("/logout")
async def logout():
"""
Logout endpoint (client should discard the token).
JWT tokens are stateless, so this is just for API completeness.
"""
return {"message": "Successfully logged out"}
|
