| """Security utilities β password hashing, JWT tokens, API keys."""
|
|
|
| import secrets
|
| from datetime import datetime, timedelta, timezone
|
| import bcrypt
|
| from jose import jwt, JWTError
|
| from mac.config import settings
|
|
|
|
|
|
|
|
|
| def hash_password(password: str) -> str:
|
| return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
|
|
|
|
|
| def verify_password(plain: str, hashed: str) -> bool:
|
| return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
|
|
|
|
|
|
|
|
|
| def create_access_token(data: dict) -> str:
|
| to_encode = data.copy()
|
| expire = datetime.now(timezone.utc) + timedelta(minutes=settings.jwt_access_token_expire_minutes)
|
| jti = secrets.token_hex(16)
|
| to_encode.update({"exp": expire, "type": "access", "jti": jti})
|
| return jwt.encode(to_encode, settings.jwt_secret_key, algorithm=settings.jwt_algorithm)
|
|
|
|
|
| def create_refresh_token() -> str:
|
| return secrets.token_urlsafe(48)
|
|
|
|
|
| def decode_access_token(token: str) -> dict | None:
|
| try:
|
| payload = jwt.decode(token, settings.jwt_secret_key, algorithms=[settings.jwt_algorithm])
|
| if payload.get("type") != "access":
|
| return None
|
| return payload
|
| except JWTError:
|
| return None
|
|
|
|
|
|
|
|
|
| def generate_api_key() -> str:
|
| return f"mac_sk_live_{secrets.token_hex(24)}"
|
|
|
|
|
| def hash_token(token: str) -> str:
|
| """Hash a refresh token or API key for storage."""
|
| import hashlib
|
| return hashlib.sha256(token.encode()).hexdigest()
|
|
|
|
|
|
|
|
|
| def generate_request_id(prefix: str = "mac") -> str:
|
| return f"{prefix}-{secrets.token_hex(4)}"
|
|
|
