auth

app/auth/__init__.py

@@ -0,0 +1,24 @@
+"""Authentication models."""
+
+from datetime import datetime
+from pydantic import BaseModel, Field
+
+
+class GoogleLoginRequest(BaseModel):
+    """Google OAuth login request."""
+    access_token: str = Field(..., description="Google OAuth access token")
+
+
+class LoginResponse(BaseModel):
+    """Login response."""
+    user_id: str = Field(..., description="User ID (UUID)")
+    email: str = Field(..., description="User email")
+    full_name: str = Field(..., description="User's full name")
+    avatar_url: str | None = Field(None, description="Avatar URL")
+    token: str = Field(..., description="JWT token")
+    message: str = "Login successful"
+
+
+class LogoutResponse(BaseModel):
+    """Logout response."""
+    message: str = "Logout successful"

app/auth/controls.py

@@ -0,0 +1,176 @@
+"""Authentication control functions."""
+
+import httpx
+from fastapi import HTTPException
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import text
+from datetime import datetime, timedelta
+import jwt
+import os
+from uuid import uuid4
+
+# Google OAuth verification URL
+GOOGLE_VERIFY_URL = "https://www.googleapis.com/oauth2/v3/userinfo?access_token="
+
+# JWT settings (should be in environment variables)
+JWT_SECRET = os.getenv("JWT_SECRET", "your-secret-key-change-in-production")
+JWT_ALGORITHM = "HS256"
+JWT_EXPIRATION_HOURS = 24
+
+
+async def login_control(access_token: str, db: AsyncSession) -> dict:
+    """
+    Login with Google OAuth access token.
+    
+    Steps:
+    1. Verify access token with Google
+    2. Get user info from Google
+    3. Check if user exists in database
+    4. Create user if not exists
+    5. Generate JWT token
+    6. Return user info and token
+    
+    Args:
+        access_token: Google OAuth access token
+        db: Database session
+        
+    Returns:
+        dict: User info and JWT token
+        
+    Raises:
+        HTTPException: If token is invalid or verification fails
+    """
+    # Verify token with Google
+    async with httpx.AsyncClient() as client:
+        try:
+            response = await client.get(f"{GOOGLE_VERIFY_URL}{access_token}")
+            
+            if response.status_code != 200:
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid access token"
+                )
+            
+            google_user_info = response.json()
+            
+        except httpx.RequestError as e:
+            raise HTTPException(
+                status_code=500,
+                detail=f"Failed to verify token with Google: {str(e)}"
+            )
+    
+    # Extract user info from Google response
+    email = google_user_info.get("email")
+    full_name = google_user_info.get("name", "")
+    avatar_url = google_user_info.get("picture")
+    
+    if not email:
+        raise HTTPException(
+            status_code=400,
+            detail="Email not provided by Google"
+        )
+    
+    # Check if user exists
+    result = await db.execute(
+        text("""
+            SELECT id, full_name, avatar_url, role
+            FROM profiles
+            WHERE id = (
+                SELECT id FROM auth.users WHERE email = :email
+            )
+        """),
+        {"email": email}
+    )
+    row = result.fetchone()
+    
+    if row:
+        # User exists - update avatar if changed
+        user_id = str(row.id)
+        
+        if avatar_url and avatar_url != row.avatar_url:
+            await db.execute(
+                text("""
+                    UPDATE profiles
+                    SET avatar_url = :avatar_url, updated_at = NOW()
+                    WHERE id = :user_id
+                """),
+                {"avatar_url": avatar_url, "user_id": user_id}
+            )
+            await db.commit()
+    else:
+        # Create new user
+        user_id = str(uuid4())
+        
+        # Create auth.users entry (assuming Supabase-like schema)
+        await db.execute(
+            text("""
+                INSERT INTO auth.users (id, email, created_at)
+                VALUES (:id, :email, NOW())
+                ON CONFLICT (email) DO UPDATE SET email = :email
+                RETURNING id
+            """),
+            {"id": user_id, "email": email}
+        )
+        
+        # Create profile
+        await db.execute(
+            text("""
+                INSERT INTO profiles (id, full_name, avatar_url, role, locale, created_at, updated_at)
+                VALUES (:id, :full_name, :avatar_url, 'tourist', 'vi_VN', NOW(), NOW())
+            """),
+            {
+                "id": user_id,
+                "full_name": full_name,
+                "avatar_url": avatar_url
+            }
+        )
+        
+        await db.commit()
+    
+    # Generate JWT token
+    token_payload = {
+        "user_id": user_id,
+        "email": email,
+        "exp": datetime.utcnow() + timedelta(hours=JWT_EXPIRATION_HOURS)
+    }
+    token = jwt.encode(token_payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
+    
+    return {
+        "user_id": user_id,
+        "email": email,
+        "full_name": full_name,
+        "avatar_url": avatar_url,
+        "token": token
+    }
+
+
+async def logout_control(user_id: str, db: AsyncSession) -> dict:
+    """
+    Logout user.
+    
+    For now, this is a simple logout that just confirms the action.
+    In a production system, you might want to:
+    - Blacklist the JWT token
+    - Clear server-side sessions
+    - Log the logout event
+    
+    Args:
+        user_id: User ID
+        db: Database session
+        
+    Returns:
+        dict: Logout confirmation message
+    """
+    # Optional: Log logout event
+    await db.execute(
+        text("""
+            INSERT INTO auth.audit_log (user_id, action, timestamp)
+            VALUES (:user_id, 'logout', NOW())
+        """),
+        {"user_id": user_id}
+    )
+    
+    # Note: The above will fail if audit_log table doesn't exist
+    # Comment it out if not needed or create the table
+    
+    return {"message": "Logout successful"}

app/auth/router.py

@@ -0,0 +1,74 @@
+"""Authentication Router."""
+
+from fastapi import APIRouter, HTTPException, Depends, Query
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.shared.db.session import get_db
+from app.auth import GoogleLoginRequest, LoginResponse, LogoutResponse
+from app.auth.controls import login_control, logout_control
+
+
+router = APIRouter(prefix="/auth", tags=["Authentication"])
+
+
+@router.post(
+    "/login",
+    response_model=LoginResponse,
+    summary="Login with Google OAuth",
+    description="Authenticate user with Google OAuth access token and return JWT token.",
+)
+async def login(
+    request: GoogleLoginRequest,
+    db: AsyncSession = Depends(get_db),
+) -> LoginResponse:
+    """
+    Login with Google OAuth.
+    
+    Verifies the Google access token, creates or updates the user profile,
+    and returns a JWT token for authentication.
+    """
+    try:
+        result = await login_control(request.access_token, db)
+        
+        return LoginResponse(
+            user_id=result["user_id"],
+            email=result["email"],
+            full_name=result["full_name"],
+            avatar_url=result["avatar_url"],
+            token=result["token"],
+            message="Login successful"
+        )
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Login failed: {str(e)}"
+        )
+
+
+@router.post(
+    "/logout",
+    response_model=LogoutResponse,
+    summary="Logout user",
+    description="Logout the current user.",
+)
+async def logout(
+    user_id: str = Query(..., description="User ID (from JWT token)"),
+    db: AsyncSession = Depends(get_db),
+) -> LogoutResponse:
+    """
+    Logout user.
+    
+    Performs logout operations such as logging the event.
+    Client should discard the JWT token after this call.
+    """
+    try:
+        result = await logout_control(user_id, db)
+        
+        return LogoutResponse(message=result["message"])
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Logout failed: {str(e)}"
+        )

app/main.py

@@ -13,6 +13,7 @@ from app.api.router import router as api_router
 from app.planner.router import router as planner_router
 from app.users.router import router as users_router
 from app.itineraries.router import router as itineraries_router
+from app.auth.router import router as auth_router
 from app.shared.db.session import engine
 from app.shared.integrations.neo4j_client import neo4j_client
 
@@ -75,6 +76,7 @@ app.include_router(api_router, prefix="/api/v1", tags=["Chat"])
 app.include_router(planner_router, prefix="/api/v1", tags=["Trip Planner"])
 app.include_router(users_router, prefix="/api/v1", tags=["Users"])
 app.include_router(itineraries_router, prefix="/api/v1", tags=["Itineraries"])
+app.include_router(auth_router, prefix="/api/v1", tags=["Authentication"])
 
 # Upload router
 from app.upload import router as upload_router

pyproject.toml

@@ -18,6 +18,7 @@ dependencies = [
     "pgvector>=0.3.0",
     "python-dotenv>=1.0.0",
     "httpx>=0.28.0",
+    "pyjwt>=2.9.0",
     "python-multipart>=0.0.9",
     # Image embedding (SigLIP local)
     "torch>=2.0.0",