Update core/security.py

core/security.py

@@ -1,89 +1,80 @@
-# core/security.py
 from datetime import datetime, timedelta
-from passlib.context import CryptContext
-from jose import jwt, JWTError
-from fastapi import Depends, HTTPException, status
+from fastapi import HTTPException, status, Depends, Request
 from fastapi.security import OAuth2PasswordBearer
-from core.config import SECRET_KEY, ALGORITHM, ACCESS_TOKEN_EXPIRE_MINUTES
-from db.mongo import users_collection
+from jose import jwt, JWTError
+from pydantic import BaseModel
+from typing import Optional
 import logging
-from fastapi import Request
+from core.config import settings
 
 logger = logging.getLogger(__name__)
 
-# OAuth2 setup
 oauth2_scheme = OAuth2PasswordBearer(
-    tokenUrl="/auth/login",
+    tokenUrl=f"{settings.API_V1_STR}/auth/login",
     scheme_name="JWT"
 )
 
-# Password hashing context
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
-def hash_password(password: str) -> str:
-    return pwd_context.hash(password)
-
-def verify_password(plain: str, hashed: str) -> bool:
-    return pwd_context.verify(plain, hashed)
-
-def create_access_token(data: dict, expires_delta: timedelta = None):
-    to_encode = data.copy()
-    expire = datetime.utcnow() + (expires_delta or timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
-    to_encode.update({"exp": expire, "iat": datetime.utcnow()})
-    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
-    logger.debug(f"Created JWT for {data.get('sub')}, expires at {expire}")
-    return encoded_jwt
+class TokenPayload(BaseModel):
+    sub: str
+    exp: int
+    iat: int
+    role: Optional[str] = None
 
-async def get_current_user(request: Request, token: str = Depends(oauth2_scheme)):
-    auth_header = request.headers.get("Authorization", "No Authorization header")
-    logger.debug(f"Raw Authorization header: {auth_header}")
-    logger.debug(f"Processed token: {token[:10]}... if present")
-
-    if not token:
-        logger.error(f"No token provided. Full headers: {dict(request.headers)}")
+def create_access_token(*, data: dict, expires_delta: timedelta = None) -> str:
+    try:
+        to_encode = data.copy()
+        expire = datetime.utcnow() + (expires_delta or timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES))
+        to_encode.update({"exp": expire, "iat": datetime.utcnow()})
+        encoded_jwt = jwt.encode(
+            to_encode, 
+            settings.SECRET_KEY, 
+            algorithm=settings.ALGORITHM
+        )
+        logger.info(f"Token created for {data.get('sub')}")
+        return encoded_jwt
+    except Exception as e:
+        logger.error(f"Token creation failed: {str(e)}")
         raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="No token provided",
-            headers={"WWW-Authenticate": "Bearer"}
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Token creation failed"
         )
 
+async def verify_token(token: str = Depends(oauth2_scheme)) -> TokenPayload:
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
     try:
-        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-        logger.debug(f"Token payload: {payload}")
+        if not token:
+            logger.error("Empty token provided")
+            raise credentials_exception
 
-        email = payload.get("sub")
-        if not email:
-            logger.error("Invalid token: missing subject")
-            raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Invalid token: missing subject",
-                headers={"WWW-Authenticate": "Bearer"}
-            )
+        if token.startswith("Bearer "):
+            token = token[7:]
+            logger.debug("Removed 'Bearer ' prefix from token")
 
-        exp = payload.get("exp")
-        if exp and datetime.utcnow().timestamp() > exp:
-            logger.error(f"Token expired for {email}")
+        payload = jwt.decode(
+            token,
+            settings.SECRET_KEY,
+            algorithms=[settings.ALGORITHM]
+        )
+        token_data = TokenPayload(**payload)
+        
+        if datetime.fromtimestamp(token_data.exp) < datetime.utcnow():
+            logger.error("Token expired")
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Token has expired",
-                headers={"WWW-Authenticate": "Bearer"}
+                detail="Token expired"
             )
-
+            
+        logger.info(f"Token verified for {token_data.sub}")
+        return token_data
+        
     except JWTError as e:
-        logger.error(f"JWT decode error: {str(e)}. Token: {token[:10]}...")
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=f"Could not validate token: {str(e)}",
-            headers={"WWW-Authenticate": "Bearer"}
-        )
-
-    user = await users_collection.find_one({"email": email})
-    if not user:
-        logger.error(f"User not found for email: {email}")
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="User not found"
-        )
-
-    logger.info(f"Authenticated user: {user['email']}, role: {user.get('role')}")
-    return user
+        logger.error(f"JWT validation failed: {str(e)}")
+        raise credentials_exception
+    except Exception as e:
+        logger.error(f"Unexpected token verification error: {str(e)}")
+        raise credentials_exception