api/dependencies.py

"""
FastAPI dependencies for authentication and authorization.

Per @specs/001-auth-api-bridge/research.md - FastAPI Dependencies pattern
"""
from fastapi import Depends, HTTPException, Request, status
from services.auth import verify_token


async def get_current_user(request: Request) -> str:
    """
    Extract and verify user_id from JWT token.

    This dependency enforces JWT authentication on protected endpoints.
    Per @specs/001-auth-api-bridge/research.md

    Args:
        request: FastAPI request object

    Returns:
        User ID (UUID string) from verified JWT token

    Raises:
        HTTPException 401: If token is missing, invalid, or expired
    """
    auth_header = request.headers.get("Authorization")

    if not auth_header or not auth_header.startswith("Bearer "):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Missing or invalid Authorization header",
            headers={"WWW-Authenticate": "Bearer"},
        )

    token = auth_header.split(" ")[1]
    user_id = await verify_token(token)

    if user_id is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid or expired token",
            headers={"WWW-Authenticate": "Bearer"},
        )

    # Attach user_id to request state for use in route handlers
    request.state.user_id = user_id
    return user_id


async def verify_user_ownership(request: Request, user_id: str) -> None:
    """
    Verify that the requested user_id matches the authenticated user.

    This enforces user isolation - users can only access their own resources.
    Per @specs/001-auth-api-bridge/api/rest-endpoints.md security requirements

    Args:
        request: FastAPI request object (contains authenticated user_id in state)
        user_id: User ID from URL path parameter

    Raises:
        HTTPException 403: If user_id doesn't match authenticated user
    """
    current_user = request.state.user_id
    if current_user != user_id:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Access forbidden: You can only access your own resources"
        )