Spaces:

m-ahmad-official
/

full-stack-todo-backend

Running

App Files Files Community

full-stack-todo-backend / src /auth /security.py

m-ahmad-official

Initial commit: Full-stack todo backend for Hugging Face Spaces

6bed18e 3 months ago

raw

history blame contribute delete

8.37 kB

	from datetime import datetime, timedelta
	from typing import Optional
	import os
	from jose import JWTError, jwt
	from fastapi import HTTPException, status, Depends
	from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
	from sqlmodel import Session
	from src.core.database import get_session
	from src.models.task import Task
	from src.core.config import settings
	from src.core.logging import log_operation, log_token_validation_result, log_token_lifecycle_event


	# JWT token creation and validation functions
	def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
	"""
	Create a JWT access token with the provided data
	"""
	to_encode = data.copy()

	# Validate input data for security
	if "user_id" in to_encode:
	user_id = to_encode["user_id"]
	if not isinstance(user_id, str) or len(user_id) == 0 or len(user_id) > 255:
	raise ValueError("Invalid user_id: must be a non-empty string with max 255 characters")

	if "role" in to_encode:
	role = to_encode["role"]
	if role not in ["user", "admin"]:
	# In a real application, you might want to be more flexible with roles
	# For now, we'll only allow "user" and "admin" roles
	log_security_event("INVALID_ROLE_ASSIGNED", user_id=to_encode.get("user_id", "unknown"), severity="ERROR")
	raise ValueError(f"Invalid role: {role}. Only 'user' and 'admin' roles are allowed.")

	if expires_delta:
	expire = datetime.utcnow() + expires_delta
	else:
	expire = datetime.utcnow() + timedelta(seconds=int(settings.JWT_EXPIRATION_DELTA))

	to_encode.update({"exp": expire})

	# Add additional security claims
	to_encode.update({
	"iat": datetime.utcnow(), # Issued at
	"nbf": datetime.utcnow(), # Not before (token valid immediately)
	})

	encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM)

	# Log token creation
	user_id = data.get("user_id", "unknown")
	log_operation("TOKEN_CREATED", user_id=user_id)
	log_token_validation_result("CREATED", user_id=user_id)

	return encoded_jwt


	def verify_token(token: str) -> Optional[dict]:
	"""
	Verify a JWT token and return the payload if valid
	"""
	try:
	# Additional security validation
	if not token or len(token) == 0:
	log_security_event("EMPTY_TOKEN_RECEIVED", severity="ERROR")
	return None

	# Check token format (should have 3 parts separated by dots)
	parts = token.split('.')
	if len(parts) != 3:
	log_security_event("MALFORMED_TOKEN_RECEIVED", severity="ERROR")
	return None

	# Verify the token
	payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])

	# Additional security checks
	user_id = payload.get("user_id", "unknown")

	# Check that the token has not expired (double-check)
	exp_time = payload.get("exp")
	if exp_time:
	current_time = datetime.utcnow().timestamp()
	if current_time >= exp_time:
	log_token_validation_result("EXPIRED", user_id=user_id, reason="Token expiry time reached")
	return None

	# Log successful validation
	log_token_lifecycle_event("VALID", user_id=user_id)

	return payload
	except JWTError as e:
	log_token_validation_result("INVALID", user_id="unknown", reason=f"JWT Error: {str(e)}")
	log_security_event("TOKEN_VERIFICATION_FAILED", severity="ERROR", details=str(e))
	return None
	except Exception as e:
	log_token_validation_result("INVALID", user_id="unknown", reason=f"Unexpected error: {str(e)}")
	log_security_event("TOKEN_VERIFICATION_ERROR", severity="ERROR", details=str(e))
	return None


	def validate_jwt_token(token: str) -> Optional[dict]:
	"""
	Validate a JWT token and return the payload if valid.
	This function specifically implements the token validation functionality
	"""
	try:
	payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])

	# Check if token is expired
	exp_time = payload.get("exp")
	if exp_time:
	current_time = datetime.utcnow().timestamp()
	if current_time >= exp_time:
	user_id = payload.get("user_id", "unknown")
	log_token_validation_result("EXPIRED", user_id=user_id, reason="Token expiry time reached")
	return None

	user_id = payload.get("user_id", "unknown")
	log_token_validation_result("VALID", user_id=user_id)
	return payload
	except JWTError as e:
	log_token_validation_result("INVALID", reason=str(e))
	return None


	def get_current_user_payload(
	credentials: HTTPAuthorizationCredentials = Depends(HTTPBearer(auto_error=False)),
	db: Session = Depends(get_session)
	):
	"""
	Get the current user's payload from the JWT token
	"""
	if credentials is None:
	log_token_validation_result("MISSING", reason="No authorization token provided")
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="No authorization token provided",
	headers={"WWW-Authenticate": "Bearer"},
	)

	token = credentials.credentials
	payload = validate_jwt_token(token)

	if payload is None:
	user_id = "unknown"
	if credentials:
	# Try to extract user_id from the invalid token for logging purposes
	try:
	temp_payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM], options={"verify_exp": False})
	user_id = temp_payload.get("user_id", "unknown")
	except:
	pass

	log_token_validation_result("FAILED", user_id=user_id, reason="Invalid or expired token")
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Invalid or expired token",
	headers={"WWW-Authenticate": "Bearer"},
	)

	user_id: str = payload.get("user_id")
	if user_id is None:
	log_token_validation_result("FAILED", reason="No user_id in token payload")
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Could not validate credentials",
	headers={"WWW-Authenticate": "Bearer"},
	)

	return payload


	def get_current_user_id(
	current_user_payload: dict = Depends(get_current_user_payload)
	):
	"""
	Extract the user ID from the current user's payload
	"""
	user_id = current_user_payload.get("user_id")
	if user_id is None:
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Could not validate credentials",
	headers={"WWW-Authenticate": "Bearer"},
	)
	return user_id


	def authorize_user_for_task(
	task: Task,
	current_user_id: str = Depends(get_current_user_id)
	):
	"""
	Verify that the current user has access to the specified task
	"""
	if task.user_id != current_user_id:
	log_operation("AUTHORIZATION_DENIED", user_id=current_user_id, task_id=task.id)
	raise HTTPException(
	status_code=status.HTTP_403_FORBIDDEN,
	detail="Not authorized to access this task"
	)

	log_operation("AUTHORIZATION_GRANTED", user_id=current_user_id, task_id=task.id)
	return task


	def validate_token_not_expired(payload: dict) -> bool:
	"""
	Validate that the token has not expired
	"""
	exp_time = payload.get("exp")
	if exp_time is None:
	return False

	current_time = datetime.utcnow().timestamp()
	is_valid = current_time < exp_time

	user_id = payload.get("user_id", "unknown")
	if not is_valid:
	log_token_validation_result("EXPIRED_CHECK", user_id=user_id, reason="Token expiry validation failed")
	else:
	log_token_validation_result("NOT_EXPIRED", user_id=user_id)

	return is_valid


	def get_user_id_from_token_payload(payload: dict) -> Optional[str]:
	"""
	Extract the user ID from the token payload
	"""
	user_id = payload.get("user_id")
	if user_id:
	log_operation("USER_ID_EXTRACTED", user_id=user_id)
	return user_id