allucanget/ai.allucanget.biz
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

implement initial backend structure with authentication, user management, and database integration

Browse Source
This commit is contained in:
zwitschi
2026-04-27 17:58:32 +02:00
parent 48a7ed68e6
commit 78b503fe43
14 changed files with 653 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/__init__.py
View File
backend/app/routers/admin.py
+62
View File
@@ -0,0 +1,62 @@
"""Admin router: operational endpoints for application management."""
from datetime import datetime, timezone
from fastapi import APIRouter, Depends
from backend.app.db import get_conn, get_write_lock
from backend.app.dependencies import require_admin
router = APIRouter(prefix="/admin", tags=["admin"])
@router.get("/stats")
async def get_stats(_: dict = Depends(require_admin)) -> dict:
"""Return aggregate statistics: user counts and token counts."""
conn = get_conn()
total_users = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
users_by_role = conn.execute(
"SELECT role, COUNT(*) FROM users GROUP BY role ORDER BY role"
).fetchall()
total_tokens = conn.execute(
"SELECT COUNT(*) FROM refresh_tokens").fetchone()[0]
active_tokens = conn.execute(
"SELECT COUNT(*) FROM refresh_tokens WHERE revoked = false AND expires_at > ?",
[datetime.now(timezone.utc)],
).fetchone()[0]
return {
"users": {
"total": total_users,
"by_role": {row[0]: row[1] for row in users_by_role},
},
"refresh_tokens": {
"total": total_tokens,
"active": active_tokens,
"revoked_or_expired": total_tokens - active_tokens,
},
}
@router.get("/health/db")
async def db_health(_: dict = Depends(require_admin)) -> dict:
"""Verify DuckDB is reachable."""
conn = get_conn()
result = conn.execute("SELECT 1").fetchone()[0]
return {"status": "ok" if result == 1 else "error"}
@router.post("/tokens/purge", status_code=200)
async def purge_tokens(_: dict = Depends(require_admin)) -> dict:
"""Delete all expired or revoked refresh tokens. Returns count removed."""
conn = get_conn()
lock = get_write_lock()
now = datetime.now(timezone.utc)
async with lock:
before = conn.execute(
"SELECT COUNT(*) FROM refresh_tokens").fetchone()[0]
conn.execute(
"DELETE FROM refresh_tokens WHERE revoked = true OR expires_at <= ?", [
now]
)
after = conn.execute(
"SELECT COUNT(*) FROM refresh_tokens").fetchone()[0]
return {"deleted": before - after, "remaining": after}
backend/app/routers/auth.py
+96
View File
@@ -0,0 +1,96 @@
"""Auth router: register, login, refresh, logout."""
import uuid
from fastapi import APIRouter, HTTPException, status
from jose import JWTError
from backend.app.models.auth import LoginRequest, RefreshRequest, RegisterRequest, TokenResponse
from backend.app.services.auth import (
authenticate_user,
create_access_token,
create_refresh_token,
decode_token,
register_user,
revoke_refresh_token,
store_refresh_token,
validate_refresh_token_jti,
)
router = APIRouter(prefix="/auth", tags=["auth"])
@router.post("/register", status_code=status.HTTP_201_CREATED)
async def register(body: RegisterRequest) -> dict:
try:
user = await register_user(body.email, body.password)
except ValueError as exc:
raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail=str(exc))
return {"id": user["id"], "email": user["email"], "role": user["role"]}
@router.post("/login", response_model=TokenResponse)
async def login(body: LoginRequest) -> TokenResponse:
user = await authenticate_user(body.email, body.password)
if user is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid credentials.",
headers={"WWW-Authenticate": "Bearer"},
)
jti = str(uuid.uuid4())
await store_refresh_token(user["id"], jti)
return TokenResponse(
access_token=create_access_token(user["id"], user["email"], user["role"]),
refresh_token=create_refresh_token(user["id"], jti),
)
@router.post("/refresh", response_model=TokenResponse)
async def refresh(body: RefreshRequest) -> TokenResponse:
credentials_error = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid or expired refresh token.",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = decode_token(body.refresh_token)
except JWTError:
raise credentials_error
if payload.get("type") != "refresh":
raise credentials_error
user_id: str = payload.get("sub", "")
jti: str = payload.get("jti", "")
if not await validate_refresh_token_jti(jti, user_id):
raise credentials_error
# Rotate: revoke old JTI, issue new pair
await revoke_refresh_token(jti)
new_jti = str(uuid.uuid4())
await store_refresh_token(user_id, new_jti)
from backend.app.db import get_conn
conn = get_conn()
row = conn.execute(
"SELECT email, role FROM users WHERE id = ?", [user_id]
).fetchone()
if row is None:
raise credentials_error
return TokenResponse(
access_token=create_access_token(user_id, row[0], row[1]),
refresh_token=create_refresh_token(user_id, new_jti),
)
@router.post("/logout", status_code=status.HTTP_204_NO_CONTENT)
async def logout(body: RefreshRequest) -> None:
try:
payload = decode_token(body.refresh_token)
except JWTError:
return # Already invalid — treat as success
jti = payload.get("jti", "")
if jti:
await revoke_refresh_token(jti)
backend/app/routers/users.py
+86
View File
@@ -0,0 +1,86 @@
"""Users router: self-service profile and admin user management."""
from fastapi import APIRouter, Depends, HTTPException, status
from backend.app.dependencies import get_current_user, require_admin
from backend.app.models.users import SetRoleRequest, UpdateUserRequest, UserResponse
from backend.app.services.users import (
delete_user,
get_user,
list_users,
set_user_role,
update_user,
)
router = APIRouter(prefix="/users", tags=["users"])
ALLOWED_ROLES = {"user", "admin"}
# ---------------------------------------------------------------------------
# Self-service
# ---------------------------------------------------------------------------
@router.get("/me", response_model=UserResponse)
async def get_me(current_user: dict = Depends(get_current_user)) -> UserResponse:
user = await get_user(current_user["id"])
if user is None:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND, detail="User not found.")
return UserResponse(**user)
@router.put("/me", response_model=UserResponse)
async def update_me(
body: UpdateUserRequest,
current_user: dict = Depends(get_current_user),
) -> UserResponse:
try:
user = await update_user(current_user["id"], email=body.email, password=body.password)
except ValueError as exc:
raise HTTPException(
status_code=status.HTTP_409_CONFLICT, detail=str(exc))
if user is None:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND, detail="User not found.")
return UserResponse(**user)
# ---------------------------------------------------------------------------
# Admin
# ---------------------------------------------------------------------------
@router.get("", response_model=list[UserResponse])
async def get_all_users(_: dict = Depends(require_admin)) -> list[UserResponse]:
users = await list_users()
return [UserResponse(**u) for u in users]
@router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
async def remove_user(
user_id: str,
current_user: dict = Depends(require_admin),
) -> None:
if user_id == current_user["id"]:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Cannot delete your own account.",
)
await delete_user(user_id)
@router.put("/{user_id}/role", response_model=UserResponse)
async def change_role(
user_id: str,
body: SetRoleRequest,
_: dict = Depends(require_admin),
) -> UserResponse:
if body.role not in ALLOWED_ROLES:
raise HTTPException(
status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
detail=f"Role must be one of: {', '.join(sorted(ALLOWED_ROLES))}.",
)
user = await set_user_role(user_id, body.role)
if user is None:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND, detail="User not found.")
return UserResponse(**user)