""" Authentication module for backend API. Handles JWT-based authentication, token generation, and user context. """ from datetime import datetime, timedelta, timezone from typing import Optional, Dict, Any, Tuple from fastapi import Depends, HTTPException, status from fastapi.security import OAuth2PasswordBearer from jose import JWTError, jwt import logging from modules.interfaces.gatewayInterface import getInterface from modules.shared.configuration import APP_CONFIG # Get Config Data SECRET_KEY = APP_CONFIG.get("APP_JWT_SECRET_SECRET") ALGORITHM = APP_CONFIG.get("Auth_ALGORITHM") ACCESS_TOKEN_EXPIRE_MINUTES = int(APP_CONFIG.get("APP_TOKEN_EXPIRY")) # OAuth2 Setup oauth2Scheme = OAuth2PasswordBearer(tokenUrl="token") # Logger logger = logging.getLogger(__name__) def createAccessToken(data: dict, expiresDelta: Optional[timedelta] = None) -> str: """ Creates a JWT Access Token. Args: data: Data to encode (usually user ID or username) expiresDelta: Validity duration of the token (optional) Returns: JWT Token as string """ toEncode = data.copy() if expiresDelta: expire = datetime.now(timezone.utc) + expiresDelta else: expire = datetime.now(timezone.utc) + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) toEncode.update({"exp": expire}) encodedJwt = jwt.encode(toEncode, SECRET_KEY, algorithm=ALGORITHM) return encodedJwt def _getCurrentUser(token: str = Depends(oauth2Scheme)) -> Dict[str, Any]: """ Extracts and validates the current user from the JWT token. Args: token: JWT Token from the Authorization header Returns: User data Raises: HTTPException: For invalid token or user """ credentialsException = HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication credentials", headers={"WWW-Authenticate": "Bearer"}, ) try: # Decode token payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) # Extract username from token username: str = payload.get("sub") if username is None: raise credentialsException # Extract mandate ID and user ID from token _mandateId: str = payload.get("_mandateId") _userId: str = payload.get("_userId") if not _mandateId or not _userId: logger.error(f"Missing context in token: _mandateId={_mandateId}, _userId={_userId}") raise credentialsException except JWTError: logger.warning("Invalid JWT Token") raise credentialsException # Initialize Gateway Interface with context gateway = getRootInterface() # Retrieve user from database user = gateway.getUserByUsername(username) if user is None: logger.warning(f"User {username} not found") raise credentialsException if user.get("disabled", False): logger.warning(f"User {username} is disabled") raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is disabled") # Ensure the user has the correct context if str(user.get("_mandateId")) != str(_mandateId) or str(user.get("id")) != str(_userId): logger.error(f"User context mismatch: token(_mandateId={_mandateId}, _userId={_userId}) vs user(_mandateId={user.get('_mandateId')}, id={user.get('id')})") raise credentialsException # Add authentication authority to user data user["authenticationAuthority"] = user.get("authenticationAuthority", "local") return user def getCurrentActiveUser(currentUser: Dict[str, Any] = Depends(_getCurrentUser)) -> Dict[str, Any]: if currentUser.get("disabled", False): raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="User is disabled" ) auth_authority = currentUser.get("authenticationAuthority", "local") if auth_authority not in ["local", "microsoft"]: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid authentication authority: {auth_authority}" ) return currentUser def getRootInterface() -> Dict[str, Any]: try: return getInterface(currentUser={"id": "-1", "_mandateId": "-1"}) except Exception as e: logger.error(f"Error getting root access: {str(e)}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Failed to get root access: {str(e)}" )