Email based Auth Auth completed

.gitignore

@@ -0,0 +1,79 @@
+# --------------------------
+# Python
+# --------------------------
+__pycache__/
+*.py[cod]
+*.pyo
+*.pyd
+*.so
+*.egg-info/
+*.egg
+*.log
+
+# Virtual environments
+venv/
+env/
+.venv/
+
+# Byte-compiled / optimized / DLL files
+*.pyc
+*.pyo
+*.pyd
+*.pdb
+
+# --------------------------
+# FastAPI / Uvicorn / Cache
+# --------------------------
+.cache/
+.pytest_cache/
+.mypy_cache/
+.coverage
+htmlcov/
+dist/
+build/
+
+# --------------------------
+# Environment / Secrets
+# --------------------------
+.env
+.env.local
+.env.*.local
+*.secret
+*.key
+
+# --------------------------
+# IDE / Editors
+# --------------------------
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# --------------------------
+# OS Generated
+# --------------------------
+.DS_Store
+Thumbs.db
+
+# --------------------------
+# Uploads (if stored locally)
+# --------------------------
+uploads/
+media/
+static/uploads/
+tmp/
+
+# --------------------------
+# Mongo / GridFS (if local)
+# --------------------------
+fs/
+*.gridfs
+*.lock
+
+# --------------------------
+# Node (if frontend exists)
+# --------------------------
+node_modules/
+npm-debug.log
+yarn-debug.log
+yarn-error.log

Dockerfile

@@ -0,0 +1,25 @@
+# Base image using Python 3.11
+FROM python:3.11
+
+# Create a new user to run the app
+RUN useradd -m -u 1000 user
+USER user
+
+# Set environment variables
+ENV PATH="/home/user/.local/bin:$PATH"
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the requirements and install dependencies
+COPY --chown=user ./requirements.txt requirements.txt
+RUN pip install --no-cache-dir --upgrade -r requirements.txt
+
+# Copy the rest of the application
+COPY --chown=user . /app
+
+# Expose port 7860 for the application
+EXPOSE 7860
+
+# Command to run the FastAPI app using uvicorn
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "7860"]

app/core/config.py

@@ -0,0 +1,32 @@
+# app/core/config.py
+import os
+from dotenv import load_dotenv
+
+load_dotenv()
+
+# === MongoDB Cloud Only ===
+CONNECTION_STRING = os.getenv("CONNECTION_STRING")
+DB_NAME = os.getenv("DB_NAME")
+MONGO_COLLECTION = os.getenv("MONGO_COLLECTION")
+AVATAR_COLLECTION = os.getenv("AVATAR_COLLECTION")
+
+if not CONNECTION_STRING:
+    raise ValueError("❌ Missing CONNECTION_STRING in .env")
+
+if not DB_NAME:
+    raise ValueError("❌ Missing DB_NAME in .env")
+
+if not MONGO_COLLECTION:
+    raise ValueError("❌ Missing MONGO_COLLECTION in .env")
+
+if not AVATAR_COLLECTION:
+    raise ValueError("❌ Missing AVATAR_COLLECTION in .env")
+
+# === JWT Settings ===
+SECRET_KEY = os.getenv("SECRET_KEY")
+ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES"))
+REFRESH_TOKEN_EXPIRE_DAYS = int(os.getenv("REFRESH_TOKEN_EXPIRE_DAYS"))
+
+if not SECRET_KEY:
+    raise ValueError("❌ Missing SECRET_KEY in .env")
+

app/core/db.py

@@ -0,0 +1,8 @@
+from pymongo import MongoClient
+from app.core.config import CONNECTION_STRING, DB_NAME, MONGO_COLLECTION, AVATAR_COLLECTION
+import gridfs
+
+client = MongoClient(CONNECTION_STRING)
+db = client[DB_NAME]
+users_collection = db[MONGO_COLLECTION]
+fs = gridfs.GridFS(db, collection=AVATAR_COLLECTION)

app/main.py

@@ -0,0 +1,14 @@
+from fastapi import FastAPI
+from app.routes.auth import router as auth_router
+
+app = FastAPI(
+    title="User Authentication API",
+    description="Handles user signup, login, profile update, and avatar management.",
+    version="1.0.0"
+)
+
+app.include_router(auth_router)
+
+@app.get("/")
+async def root():
+    return {"message": "Welcome to the User Auth API"}

app/routes/auth.py

@@ -0,0 +1,180 @@
+# app/routes/auth.py
+import logging
+from fastapi import APIRouter, HTTPException, Depends, Form, UploadFile, File
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from fastapi.responses import StreamingResponse
+from jose import jwt, JWTError
+from bson import ObjectId
+from typing import Optional
+
+from app.schemas.models import User, UserUpdate, Token, LoginResponse, UserResponse
+from app.services.auth_service import (
+    hash_password, authenticate, fetch_user,
+    create_access_token, create_refresh_token,
+    save_avatar, update_user_profile
+)
+from app.core.config import SECRET_KEY
+from app.core.db import users_collection, fs
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+oauth2 = OAuth2PasswordBearer(tokenUrl="/auth/login")
+
+logger = logging.getLogger("uvicorn")
+
+
+def get_current_user(token: str = Depends(oauth2)):
+    logger.info("Decoding JWT token for /me or update profile")
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
+        email = payload.get("sub")
+        logger.info("Token decoded successfully for email: %s", email)
+
+        user = fetch_user(email)
+        if not user:
+            logger.warning("User not found for token email: %s", email)
+            raise HTTPException(status_code=401, detail="User not found")
+
+        return user
+
+    except JWTError as exc:
+        logger.error("JWT Error: %s", exc)
+        raise HTTPException(status_code=401, detail="Invalid token")
+
+
+# --------------------------
+# SIGNUP
+# --------------------------
+
+@router.post("/signup", response_model=Token)
+async def signup(
+    name: str = Form(...),
+    email: str = Form(...),
+    password: str = Form(...),
+    role: Optional[str] = Form("user"),
+    avatar: Optional[UploadFile] = File(None)
+):
+    logger.info("Signup attempt for email: %s", email)
+
+    if fetch_user(email):
+        logger.warning("Signup failed — email already registered: %s", email)
+        raise HTTPException(status_code=400, detail="Email already registered")
+
+    _ = User(name=name, email=email, password=password)
+
+    data = {
+        "name": name,
+        "email": email,
+        "hashed_password": hash_password(password),
+        "role": role
+    }
+
+    if avatar:
+        logger.info("User uploaded avatar during signup: %s", avatar.filename)
+        data["avatar"] = save_avatar(avatar)
+
+    users_collection.insert_one(data)
+    logger.info("User created successfully: %s", email)
+
+    return {
+        "access_token": create_access_token(email),
+        "refresh_token": create_refresh_token(email),
+        "token_type": "bearer"
+    }
+
+
+# --------------------------
+# LOGIN
+# --------------------------
+
+@router.post("/login", response_model=LoginResponse)
+async def login(form: OAuth2PasswordRequestForm = Depends()):
+    logger.info("Login attempt for email: %s", form.username)
+
+    user = authenticate(form.username, form.password)
+    if not user:
+        logger.warning("Login failed for email: %s", form.username)
+        raise HTTPException(status_code=401, detail="Incorrect email or password")
+
+    logger.info("Login successful for email: %s", user['email'])
+
+    avatar_url = f"/auth/avatar/{user['avatar']}" if "avatar" in user else None
+
+    return {
+        "access_token": create_access_token(user["email"]),
+        "refresh_token": create_refresh_token(user["email"]),
+        "token_type": "bearer",
+        "name": user["name"],
+        "avatar": avatar_url
+    }
+
+
+# --------------------------
+# GET AVATAR
+# --------------------------
+
+@router.get("/avatar/{file_id}")
+async def avatar(file_id: str):
+    logger.info("Avatar fetch requested for file_id: %s", file_id)
+    try:
+        file = fs.get(ObjectId(file_id))
+        return StreamingResponse(file, media_type=file.content_type)
+    except Exception as exc:
+        logger.warning("Avatar not found for id %s: %s", file_id, exc)
+        raise HTTPException(status_code=404, detail="Avatar not found")
+
+
+# --------------------------
+# GET /me
+# --------------------------
+
+@router.get("/me", response_model=UserResponse)
+def get_me(current_user: dict = Depends(get_current_user)):
+    logger.info("Fetching /me for user: %s", current_user.get("email"))
+
+    avatar_url = f"/auth/avatar/{current_user['avatar']}" if current_user.get("avatar") else None
+    return {
+        "name": current_user.get("name"),
+        "email": current_user.get("email"),
+        "avatar": avatar_url,
+        "role": current_user.get("role", "user")
+    }
+
+
+# --------------------------
+# UPDATE /me
+# --------------------------
+
+@router.put("/me", response_model=UserResponse)
+def update_me(
+    name: Optional[str] = Form(None),
+    email: Optional[str] = Form(None),
+    password: Optional[str] = Form(None),
+    avatar: Optional[UploadFile] = File(None),
+    current_user: dict = Depends(get_current_user)
+):
+    logger.info("Profile update requested for: %s", current_user.get("email"))
+
+    if email and email != current_user.get("email"):
+        existing = fetch_user(email)
+        if existing:
+            logger.warning("Email update failed — already in use: %s", email)
+            raise HTTPException(status_code=400, detail="Email already in use")
+
+    updated = update_user_profile(
+        current_email=current_user.get("email"),
+        name=name,
+        new_email=email,
+        password=password,
+        avatar=avatar
+    )
+
+    logger.info("Profile updated successfully for: %s", updated.get("email"))
+
+    avatar_url = f"/auth/avatar/{updated['avatar']}" if updated.get("avatar") else None
+    return {
+        "name": updated.get("name"),
+        "email": updated.get("email"),
+        "avatar": avatar_url,
+        "role": updated.get("role", "user")
+    }

app/schemas/models.py

@@ -0,0 +1,48 @@
+# app/schemas/models.py
+from pydantic import BaseModel, EmailStr, Field, validator
+from typing import Optional
+
+class User(BaseModel):
+    name: str = Field(..., min_length=3, max_length=50)
+    email: EmailStr
+    password: str
+
+    @validator("password")
+    def validate_password(cls, value):
+        if len(value) < 8:
+            raise ValueError("Password must be at least 8 characters long.")
+        if not any(char.isdigit() for char in value):
+            raise ValueError("Password must include at least one number.")
+        if not any(char.isupper() for char in value):
+            raise ValueError("Password must include at least one uppercase letter.")
+        if not any(char.islower() for char in value):
+            raise ValueError("Password must include at least one lowercase letter.")
+        if not any(char in "!@#$%^&*()-_+=<>?/" for char in value):
+            raise ValueError("Password must include at least one special character.")
+        return value
+
+class UserUpdate(BaseModel):
+    name: Optional[str] = Field(None, min_length=3, max_length=50)
+    email: Optional[EmailStr]
+    password: Optional[str]
+
+class Token(BaseModel):
+    access_token: str
+    refresh_token: str
+    token_type: str
+
+class LoginResponse(Token):
+    name: str
+    avatar: Optional[str] = None
+
+class TokenData(BaseModel):
+    email: Optional[str] = None
+
+class UserResponse(BaseModel):
+    """
+    Response model for GET /auth/me and PUT /auth/me
+    """
+    name: str
+    email: EmailStr
+    avatar: Optional[str] = None
+    role: Optional[str] = "user"

app/services/auth_service.py

@@ -0,0 +1,215 @@
+# app/services/auth_service.py
+from datetime import datetime, timedelta
+from jose import jwt
+from passlib.context import CryptContext
+from fastapi import HTTPException, UploadFile
+from bson import ObjectId
+from app.core.config import SECRET_KEY, ACCESS_TOKEN_EXPIRE_MINUTES, REFRESH_TOKEN_EXPIRE_DAYS
+from app.core.db import users_collection, fs
+import logging
+
+# Use a module-specific logger so logs are easy to filter
+logger = logging.getLogger("app.services.auth_service")
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+def hash_password(password: str) -> str:
+    """Hash a plaintext password (do NOT log the password)."""
+    logger.debug("hash_password called")
+    hashed = pwd_context.hash(password)
+    logger.debug("Password hashed successfully")
+    return hashed
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify plaintext password against stored hash."""
+    logger.debug("verify_password called")
+    try:
+        ok = pwd_context.verify(plain_password, hashed_password)
+        logger.debug("Password verification result: %s", ok)
+        return ok
+    except Exception as exc:
+        # Something unexpected happened during verify
+        logger.exception("Error verifying password: %s", exc)
+        return False
+
+
+def create_token(data: dict, expires: timedelta):
+    """Create a JWT token with expiry. `data` should contain 'sub'."""
+    sub = data.get("sub")
+    logger.debug("create_token called for subject=%s expires=%s", sub, expires)
+    payload = data.copy()
+    payload["exp"] = datetime.utcnow() + expires
+    try:
+        token = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
+        logger.info("JWT created for subject=%s", sub)
+        return token
+    except Exception as exc:
+        logger.exception("Failed to create JWT for subject=%s: %s", sub, exc)
+        raise HTTPException(status_code=500, detail="Token generation failed") from exc
+
+
+def create_access_token(email: str):
+    logger.debug("create_access_token called for email=%s", email)
+    token = create_token({"sub": email}, timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
+    logger.info("Access token generated for %s", email)
+    return token
+
+
+def create_refresh_token(email: str):
+    logger.debug("create_refresh_token called for email=%s", email)
+    token = create_token({"sub": email}, timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS))
+    logger.info("Refresh token generated for %s", email)
+    return token
+
+
+def _delete_avatar_file_if_exists(file_id: str) -> None:
+    """Delete an avatar file from GridFS if it exists. Non-fatal on failure."""
+    if not file_id:
+        logger.debug("_delete_avatar_file_if_exists called with empty file_id; skipping")
+        return
+    try:
+        oid = ObjectId(file_id)
+    except Exception:
+        logger.warning("Invalid avatar file_id, skipping delete: %s", file_id)
+        return
+
+    try:
+        fs.delete(oid)
+        logger.info("Deleted old avatar from GridFS: %s", file_id)
+    except Exception as exc:
+        # Non-fatal: log and continue. Common causes: already deleted or invalid id.
+        logger.warning("Failed to delete avatar %s from GridFS: %s", file_id, exc)
+
+
+def save_avatar(file: UploadFile) -> str:
+    """Save a new avatar to GridFS and return its file id (string)."""
+    logger.debug("save_avatar called filename=%s content_type=%s", getattr(file, "filename", None), getattr(file, "content_type", None))
+    allowed = ["image/jpeg", "image/png", "image/gif"]
+    if file.content_type not in allowed:
+        logger.warning("Rejected avatar upload due to invalid content type: %s", file.content_type)
+        raise HTTPException(status_code=400, detail="Invalid image type.")
+
+    # read file content (UploadFile.file is a file-like object)
+    try:
+        contents = file.file.read()
+    except Exception as exc:
+        logger.exception("Failed to read uploaded avatar file: %s", exc)
+        raise HTTPException(status_code=400, detail="Failed to read uploaded file") from exc
+
+    try:
+        file_id = fs.put(contents, filename=file.filename, contentType=file.content_type)
+        logger.info("Saved avatar to GridFS with id: %s (size=%d bytes)", file_id, len(contents))
+        return str(file_id)
+    except Exception as exc:
+        logger.exception("Failed to save avatar to GridFS: %s", exc)
+        raise HTTPException(status_code=500, detail="Failed to store avatar") from exc
+
+
+def fetch_user(email: str):
+    """Return the raw user document (or None) by email."""
+    logger.debug("fetch_user called for email=%s", email)
+    if not email:
+        logger.debug("fetch_user called with empty email")
+        return None
+    try:
+        user = users_collection.find_one({"email": email})
+        logger.debug("fetch_user found: %s", bool(user))
+        return user
+    except Exception as exc:
+        logger.exception("Error fetching user %s: %s", email, exc)
+        raise HTTPException(status_code=500, detail="Failed to fetch user") from exc
+
+
+def authenticate(email: str, password: str):
+    """Authenticate user by email and password. Returns user dict or None."""
+    logger.debug("authenticate called for email=%s", email)
+    user = fetch_user(email)
+    if not user:
+        logger.warning("Authenticate failed: user not found for email=%s", email)
+        return None
+
+    if not verify_password(password, user.get("hashed_password", "")):
+        logger.warning("Authenticate failed: invalid credentials for email=%s", email)
+        return None
+
+    logger.info("User authenticated successfully: %s", email)
+    return user
+
+
+def update_user_profile(current_email: str, name: str | None = None, new_email: str | None = None,
+                        password: str | None = None, avatar: UploadFile | None = None):
+    """
+    Update profile fields for the user identified by current_email.
+    If avatar is provided, the old avatar (if any) will be deleted from GridFS.
+    Returns the updated user document (with hashed_password removed).
+    """
+    logger.info("update_user_profile called for current_email=%s", current_email)
+    if not current_email:
+        logger.error("update_user_profile missing current_email")
+        raise HTTPException(status_code=400, detail="Missing current user email")
+
+    # Fetch current user to get current avatar id (if any)
+    current_user = fetch_user(current_email)
+    if not current_user:
+        logger.warning("update_user_profile user not found: %s", current_email)
+        raise HTTPException(status_code=404, detail="User not found")
+
+    update_data = {}
+    if name:
+        update_data["name"] = name
+        logger.debug("Will update name for %s", current_email)
+    if new_email:
+        update_data["email"] = new_email
+        logger.debug("Will update email for %s -> %s", current_email, new_email)
+    if password:
+        update_data["hashed_password"] = hash_password(password)
+        logger.debug("Password updated for %s (hashed, not logged)", current_email)
+
+    if avatar:
+        logger.debug("Avatar upload detected for %s; processing replacement", current_email)
+        # Delete the old avatar first (if exists)
+        old_avatar_id = current_user.get("avatar")
+        if old_avatar_id:
+            logger.debug("Deleting old avatar id=%s for user=%s", old_avatar_id, current_email)
+            _delete_avatar_file_if_exists(old_avatar_id)
+
+        # Save the new avatar and set the new id
+        new_file_id = save_avatar(avatar)
+        update_data["avatar"] = new_file_id
+        logger.debug("New avatar saved with id=%s for user=%s", new_file_id, current_email)
+
+    if not update_data:
+        logger.info("No update parameters provided for %s", current_email)
+        raise HTTPException(status_code=400, detail="No update parameters provided")
+
+    try:
+        result = users_collection.update_one({"email": current_email}, {"$set": update_data})
+    except Exception as exc:
+        logger.exception("Failed to update user in DB for %s: %s", current_email, exc)
+        raise HTTPException(status_code=500, detail="Failed to update user") from exc
+
+    if result.matched_count == 0:
+        logger.warning("Update attempted but user not found during DB update for %s", current_email)
+        raise HTTPException(status_code=404, detail="User not found")
+
+    # fetch and return the updated document (prefer the new email if changed)
+    lookup_email = new_email if new_email else current_email
+    try:
+        updated_user = users_collection.find_one({"email": lookup_email})
+    except Exception as exc:
+        logger.exception("Failed to fetch updated user %s: %s", lookup_email, exc)
+        raise HTTPException(status_code=500, detail="Failed to fetch updated user") from exc
+
+    if not updated_user:
+        logger.error("Updated user document not found after update for %s", lookup_email)
+        raise HTTPException(status_code=500, detail="Updated user not found")
+
+    # Remove hashed_password before returning user object to any caller
+    if "hashed_password" in updated_user:
+        updated_user.pop("hashed_password", None)
+        logger.debug("Removed hashed_password from returned user object for %s", lookup_email)
+
+    logger.info("User profile updated successfully for %s", lookup_email)
+    return updated_user

requirements.txt

@@ -0,0 +1,8 @@
+fastapi
+uvicorn
+python-dotenv
+pymongo
+passlib
+python-jose
+pydantic[email]
+python-multipart