Refactor user model and service; implement OAuth and OTP login features, enhance JWT handling, and update requirements

app/models/user_model.py

@@ -1,9 +1,10 @@
 from fastapi import HTTPException
 from app.core.nosql_client import db
 from app.utils.common_utils import is_email  # Assumes utility exists
+from app.schemas.user_schema import UserRegisterRequest
 
 class BookMyServiceUserModel:
-    collection = db["book_my_service_users"]
+    collection = db["customers"]
 
     @staticmethod
     async def find_by_email(email: str):
@@ -31,8 +32,9 @@ class BookMyServiceUserModel:
         }) is not None
 
     @staticmethod
-    async def create(user_data: dict):
-        result = await BookMyServiceUserModel.collection.insert_one(user_data)
+    async def create(user_data: UserRegisterRequest):
+        user_dict = user_data.dict()
+        result = await BookMyServiceUserModel.collection.insert_one(user_dict)
         return result.inserted_id
 
     @staticmethod

app/routers/user_router.py

@@ -1,29 +1,96 @@
-## bookmyservice-ums/app/routers/user_router.py
+from fastapi import APIRouter, HTTPException, Depends, Security
+from fastapi.security import APIKeyHeader
 
-from fastapi import APIRouter, HTTPException
-from app.schemas.user_schema import OTPRequest, OTPVerifyRequest, UserRegisterRequest, OAuthLoginRequest, TokenResponse
+from app.schemas.user_schema import (
+    OTPRequest,
+    OTPVerifyRequest,
+    UserRegisterRequest,
+    OAuthLoginRequest,
+    TokenResponse,
+)
 from app.services.user_service import UserService
-from app.utils.jwt import create_access_token
+from app.utils.jwt import create_temp_token, decode_token
+from app.utils.social_utils import verify_google_token, verify_apple_token
 
 router = APIRouter()
 
+# 🔐 Declare API key header scheme (Swagger shows a single token input box)
+api_key_scheme = APIKeyHeader(name="Authorization", auto_error=True)
+
+# 🔍 Bearer token parser
+# More flexible bearer token parser
+def get_bearer_token(api_key: str = Security(api_key_scheme)) -> str:
+    try:
+        # If "Bearer " prefix is included, strip it
+        if api_key.lower().startswith("bearer "):
+            return api_key[7:]  # Remove "Bearer " prefix
+
+        # Else, assume it's already a raw JWT
+        return api_key
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing Authorization token"
+        )
+    
+
+
 @router.post("/send-otp")
 async def send_otp_handler(payload: OTPRequest):
     identifier = payload.email or payload.phone
     if not identifier:
         raise HTTPException(status_code=400, detail="Email or phone required")
+    
     await UserService.send_otp(identifier, payload.phone or "N/A")
-    return {"message": "OTP sent"}
+    
+    temp_token = create_temp_token({
+        "sub": identifier,
+        "type": "otp_verification"
+    }, expires_minutes=10)
+
+    return {"message": "OTP sent", "temp_token": temp_token}
 
-@router.post("/verify-otp", response_model=TokenResponse)
-async def verify_otp_handler(payload: OTPVerifyRequest):
-    return await UserService.verify_otp_and_login(payload.login_input, payload.otp)
+# 🔐 OTP Login using temporary token
+@router.post("/otp-login", response_model=TokenResponse)
+async def otp_login_handler(
+    payload: OTPVerifyRequest,
+    temp_token: str = Depends(get_bearer_token)
+):
+    decoded = decode_token(temp_token)
+    if not decoded or decoded.get("sub") != payload.login_input or decoded.get("type") != "otp_verification":
+        raise HTTPException(status_code=401, detail="Invalid or expired OTP session token")
+    
+    return await UserService.otp_login_handler(payload.login_input, payload.otp)
 
+# 🌐 OAuth Login for Google / Apple
 @router.post("/oauth-login", response_model=TokenResponse)
 async def oauth_login_handler(payload: OAuthLoginRequest):
-    user_id = f"{payload.provider}_{payload.token}"  # In production: validate token and extract user info
-    return await UserService.verify_otp_and_login(user_id, otp="")  # simulate OTP match via token
+    if payload.provider == "google":
+        user_info = await verify_google_token(payload.token)
+        user_id = f"google_{user_info['id']}"
+    elif payload.provider == "apple":
+        user_info = await verify_apple_token(payload.token)
+        user_id = f"apple_{user_info['id']}"
+    else:
+        raise HTTPException(status_code=400, detail="Unsupported OAuth provider")
+
+    temp_token = create_temp_token({
+        "sub": user_id,
+        "type": "oauth_session",
+        "verified": True
+    }, expires_minutes=10)
+
+    return {"access_token": temp_token, "token_type": "bearer"}
 
+# 👤 Final user registration after OTP or OAuth
 @router.post("/register", response_model=TokenResponse)
-async def register_user(payload: UserRegisterRequest):
-    return await UserService.register(payload)
+async def register_user(
+    payload: UserRegisterRequest,
+    temp_token: str = Depends(get_bearer_token)
+):
+    decoded = decode_token(temp_token)
+    if not decoded or decoded.get("type") not in ["otp_verification", "oauth_session"]:
+        raise HTTPException(status_code=401, detail="Invalid or expired registration token")
+    
+    return await UserService.register(payload, decoded)

app/schemas/user_schema.py

@@ -3,7 +3,7 @@ from typing import Optional, Literal
 
 # Used for OTP-based or OAuth-based user registration
 class UserRegisterRequest(BaseModel):
-    full_name: str
+    name: str
     email: Optional[EmailStr] = None
     phone: Optional[str] = None
     otp: Optional[str] = None

app/services/user_service.py

@@ -19,7 +19,7 @@ class UserService:
         logger.debug(f"OTP sent to {identifier}: {otp}")
 
     @staticmethod
-    async def verify_otp_and_login(identifier: str, otp: str):
+    async def otp_login_handler(identifier: str, otp: str):
         if not await BookMyServiceOTPModel.verify_otp(identifier, otp):
             logger.debug(f"Invalid or expired OTP for identifier: {identifier}")
             raise HTTPException(status_code=400, detail="Invalid or expired OTP")

app/utils/jwt.py

@@ -1,14 +1,24 @@
 
 ## bookmyservice-ums/app/utils/jwt.py
 
-from jose import jwt
+from jose import jwt, JWTError
 from datetime import datetime, timedelta
 
 SECRET_KEY = "secret-key-placeholder"
 ALGORITHM = "HS256"
 
+
 def create_access_token(data: dict, expires_minutes: int = 60):
     to_encode = data.copy()
     expire = datetime.utcnow() + timedelta(minutes=expires_minutes)
     to_encode.update({"exp": expire})
-    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+
+def create_temp_token(data: dict, expires_minutes: int = 10):
+    return create_access_token(data, expires_minutes=expires_minutes)
+
+def decode_token(token: str) -> dict:
+    try:
+        return jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+    except JWTError:
+        return {}

app/utils/social_utils.py

@@ -0,0 +1,70 @@
+from google.oauth2 import id_token as google_id_token
+from google.auth.transport import requests as google_requests
+from jose import jwt as jose_jwt, JWTError, jwk
+from jose.utils import base64url_decode
+from typing import Dict
+import httpx
+import json
+
+# Async wrapper to run Google’s sync function in a thread pool
+import asyncio
+from functools import partial
+
+# ✅ Async Google token verification
+async def verify_google_token(token: str, client_id: str) -> Dict:
+    """
+    Asynchronously verifies a Google ID token and returns the payload if valid.
+    """
+    try:
+        loop = asyncio.get_event_loop()
+        # Run the sync method in a thread to avoid blocking
+        idinfo = await loop.run_in_executor(
+            None,
+            partial(google_id_token.verify_oauth2_token, token, google_requests.Request(), client_id)
+        )
+        if idinfo.get('iss') not in ['accounts.google.com', 'https://accounts.google.com']:
+            raise ValueError('Wrong issuer.')
+        return idinfo
+    except Exception as e:
+        raise ValueError(f"Invalid Google token: {str(e)}")
+
+
+# ✅ Async Apple token verification
+async def verify_apple_token(token: str, audience: str) -> Dict:
+    """
+    Asynchronously verifies an Apple identity token and returns the decoded payload.
+    """
+    try:
+        # Fetch Apple's public keys (JWKS)
+        async with httpx.AsyncClient() as client:
+            response = await client.get('https://appleid.apple.com/auth/keys')
+            response.raise_for_status()
+            keys = response.json().get('keys', [])
+
+        # Decode header to get kid and alg
+        header = jose_jwt.get_unverified_header(token)
+        kid = header.get('kid')
+        alg = header.get('alg')
+
+        key = next((k for k in keys if k['kid'] == kid and k['alg'] == alg), None)
+        if not key:
+            raise ValueError("Public key not found for Apple token")
+
+        public_key = jwk.construct(key)
+        message, encoded_sig = token.rsplit('.', 1)
+        decoded_sig = base64url_decode(encoded_sig.encode())
+
+        if not public_key.verify(message.encode(), decoded_sig):
+            raise ValueError("Invalid Apple token signature")
+
+        claims = jose_jwt.decode(
+            token,
+            key,
+            algorithms=['RS256'],
+            audience=audience,
+            issuer='https://appleid.apple.com'
+        )
+        return claims
+
+    except Exception as e:
+        raise ValueError(f"Invalid Apple token: {str(e)}")

requirements.txt

@@ -16,4 +16,6 @@ twilio
 
 # Optional useful utilities (highly recommended)
 httpx                      # async HTTP client (e.g., for calling 3rd party APIs)
-passlib[bcrypt]           # password hashing (if needed)
+passlib[bcrypt]           # password hashing (if needed)
+
+httpx