Spaces:

m-ahmad-official
/

full-stack-todo-backend

Running

File size: 8,371 Bytes

6bed18e

from datetime import datetime, timedelta
from typing import Optional
import os
from jose import JWTError, jwt
from fastapi import HTTPException, status, Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from sqlmodel import Session
from src.core.database import get_session
from src.models.task import Task
from src.core.config import settings
from src.core.logging import log_operation, log_token_validation_result, log_token_lifecycle_event


# JWT token creation and validation functions
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
    """
    Create a JWT access token with the provided data
    """
    to_encode = data.copy()

    # Validate input data for security
    if "user_id" in to_encode:
        user_id = to_encode["user_id"]
        if not isinstance(user_id, str) or len(user_id) == 0 or len(user_id) > 255:
            raise ValueError("Invalid user_id: must be a non-empty string with max 255 characters")

    if "role" in to_encode:
        role = to_encode["role"]
        if role not in ["user", "admin"]:
            # In a real application, you might want to be more flexible with roles
            # For now, we'll only allow "user" and "admin" roles
            log_security_event("INVALID_ROLE_ASSIGNED", user_id=to_encode.get("user_id", "unknown"), severity="ERROR")
            raise ValueError(f"Invalid role: {role}. Only 'user' and 'admin' roles are allowed.")

    if expires_delta:
        expire = datetime.utcnow() + expires_delta
    else:
        expire = datetime.utcnow() + timedelta(seconds=int(settings.JWT_EXPIRATION_DELTA))

    to_encode.update({"exp": expire})

    # Add additional security claims
    to_encode.update({
        "iat": datetime.utcnow(),  # Issued at
        "nbf": datetime.utcnow(),  # Not before (token valid immediately)
    })

    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM)

    # Log token creation
    user_id = data.get("user_id", "unknown")
    log_operation("TOKEN_CREATED", user_id=user_id)
    log_token_validation_result("CREATED", user_id=user_id)

    return encoded_jwt


def verify_token(token: str) -> Optional[dict]:
    """
    Verify a JWT token and return the payload if valid
    """
    try:
        # Additional security validation
        if not token or len(token) == 0:
            log_security_event("EMPTY_TOKEN_RECEIVED", severity="ERROR")
            return None

        # Check token format (should have 3 parts separated by dots)
        parts = token.split('.')
        if len(parts) != 3:
            log_security_event("MALFORMED_TOKEN_RECEIVED", severity="ERROR")
            return None

        # Verify the token
        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])

        # Additional security checks
        user_id = payload.get("user_id", "unknown")

        # Check that the token has not expired (double-check)
        exp_time = payload.get("exp")
        if exp_time:
            current_time = datetime.utcnow().timestamp()
            if current_time >= exp_time:
                log_token_validation_result("EXPIRED", user_id=user_id, reason="Token expiry time reached")
                return None

        # Log successful validation
        log_token_lifecycle_event("VALID", user_id=user_id)

        return payload
    except JWTError as e:
        log_token_validation_result("INVALID", user_id="unknown", reason=f"JWT Error: {str(e)}")
        log_security_event("TOKEN_VERIFICATION_FAILED", severity="ERROR", details=str(e))
        return None
    except Exception as e:
        log_token_validation_result("INVALID", user_id="unknown", reason=f"Unexpected error: {str(e)}")
        log_security_event("TOKEN_VERIFICATION_ERROR", severity="ERROR", details=str(e))
        return None


def validate_jwt_token(token: str) -> Optional[dict]:
    """
    Validate a JWT token and return the payload if valid.
    This function specifically implements the token validation functionality
    """
    try:
        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])

        # Check if token is expired
        exp_time = payload.get("exp")
        if exp_time:
            current_time = datetime.utcnow().timestamp()
            if current_time >= exp_time:
                user_id = payload.get("user_id", "unknown")
                log_token_validation_result("EXPIRED", user_id=user_id, reason="Token expiry time reached")
                return None

        user_id = payload.get("user_id", "unknown")
        log_token_validation_result("VALID", user_id=user_id)
        return payload
    except JWTError as e:
        log_token_validation_result("INVALID", reason=str(e))
        return None


def get_current_user_payload(
    credentials: HTTPAuthorizationCredentials = Depends(HTTPBearer(auto_error=False)),
    db: Session = Depends(get_session)
):
    """
    Get the current user's payload from the JWT token
    """
    if credentials is None:
        log_token_validation_result("MISSING", reason="No authorization token provided")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="No authorization token provided",
            headers={"WWW-Authenticate": "Bearer"},
        )

    token = credentials.credentials
    payload = validate_jwt_token(token)

    if payload is None:
        user_id = "unknown"
        if credentials:
            # Try to extract user_id from the invalid token for logging purposes
            try:
                temp_payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM], options={"verify_exp": False})
                user_id = temp_payload.get("user_id", "unknown")
            except:
                pass

        log_token_validation_result("FAILED", user_id=user_id, reason="Invalid or expired token")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid or expired token",
            headers={"WWW-Authenticate": "Bearer"},
        )

    user_id: str = payload.get("user_id")
    if user_id is None:
        log_token_validation_result("FAILED", reason="No user_id in token payload")
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )

    return payload


def get_current_user_id(
    current_user_payload: dict = Depends(get_current_user_payload)
):
    """
    Extract the user ID from the current user's payload
    """
    user_id = current_user_payload.get("user_id")
    if user_id is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return user_id


def authorize_user_for_task(
    task: Task,
    current_user_id: str = Depends(get_current_user_id)
):
    """
    Verify that the current user has access to the specified task
    """
    if task.user_id != current_user_id:
        log_operation("AUTHORIZATION_DENIED", user_id=current_user_id, task_id=task.id)
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Not authorized to access this task"
        )

    log_operation("AUTHORIZATION_GRANTED", user_id=current_user_id, task_id=task.id)
    return task


def validate_token_not_expired(payload: dict) -> bool:
    """
    Validate that the token has not expired
    """
    exp_time = payload.get("exp")
    if exp_time is None:
        return False

    current_time = datetime.utcnow().timestamp()
    is_valid = current_time < exp_time

    user_id = payload.get("user_id", "unknown")
    if not is_valid:
        log_token_validation_result("EXPIRED_CHECK", user_id=user_id, reason="Token expiry validation failed")
    else:
        log_token_validation_result("NOT_EXPIRED", user_id=user_id)

    return is_valid


def get_user_id_from_token_payload(payload: dict) -> Optional[str]:
    """
    Extract the user ID from the token payload
    """
    user_id = payload.get("user_id")
    if user_id:
        log_operation("USER_ID_EXTRACTED", user_id=user_id)
    return user_id