File size: 2,241 Bytes
0e76632 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | """Security utilities β password hashing, JWT tokens, API keys."""
import secrets
from datetime import datetime, timedelta, timezone
import bcrypt
from jose import jwt, JWTError
from mac.config import settings
# ββ Passwords βββββββββββββββββββββββββββββββββββββββββββββ
def hash_password(password: str) -> str:
return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
def verify_password(plain: str, hashed: str) -> bool:
return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
# ββ JWT βββββββββββββββββββββββββββββββββββββββββββββββββββ
def create_access_token(data: dict) -> str:
to_encode = data.copy()
expire = datetime.now(timezone.utc) + timedelta(minutes=settings.jwt_access_token_expire_minutes)
jti = secrets.token_hex(16)
to_encode.update({"exp": expire, "type": "access", "jti": jti})
return jwt.encode(to_encode, settings.jwt_secret_key, algorithm=settings.jwt_algorithm)
def create_refresh_token() -> str:
return secrets.token_urlsafe(48)
def decode_access_token(token: str) -> dict | None:
try:
payload = jwt.decode(token, settings.jwt_secret_key, algorithms=[settings.jwt_algorithm])
if payload.get("type") != "access":
return None
return payload
except JWTError:
return None
# ββ API Keys βββββββββββββββββββββββββββββββββββββββββββββ
def generate_api_key() -> str:
return f"mac_sk_live_{secrets.token_hex(24)}"
def hash_token(token: str) -> str:
"""Hash a refresh token or API key for storage."""
import hashlib
return hashlib.sha256(token.encode()).hexdigest()
# ββ Request IDs ββββββββββββββββββββββββββββββββββββββββββ
def generate_request_id(prefix: str = "mac") -> str:
return f"{prefix}-{secrets.token_hex(4)}"
|