feat(auth): implement enhanced social login with security middleware

- Add Facebook OAuth support with token verification
- Implement rate limiting and IP-based security for OAuth logins
- Create account management endpoints for social account linking
- Add security middleware for request logging and device tracking
- Enhance OTP verification with account locking and rate limiting
- Update user schemas with social account and security fields

.env

@@ -5,11 +5,12 @@ DB_NAME=book-my-service
 
 DATABASE_URI=postgresql+asyncpg://trans_owner:BookMyService7@ep-sweet-surf-a1qeduoy.ap-southeast-1.aws.neon.tech/bookmyservice?options=-csearch_path%3Dtrans
 
-CACHE_URI=redis-11382.c305.ap-south-1-1.ec2.redns.redis-cloud.com:11382
+#CACHE_URI=redis-11382.c305.ap-south-1-1.ec2.redns.redis-cloud.com:11382
 
 #CACHE_URI=redis-11521.crce182.ap-south-1-1.ec2.redns.redis-cloud.com:11521
 
-CACHE_K=dLRZrhU1d5EP9N1CW6grUgsj7MyWIj2i
+CACHE_URI=localhost:6379
+CACHE_K=
 
 
 RAZORPAY_KEY_ID=rzp_test_2UTAol2AFSV5VN

app/app.py

@@ -2,7 +2,9 @@
 
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
-from app.routers import user_router, profile_router
+from app.routers import user_router, profile_router, account_router
+from app.middleware.rate_limiter import RateLimitMiddleware
+from app.middleware.security_middleware import SecurityMiddleware
 import logging
 import sys
 
@@ -29,6 +31,12 @@ logging.getLogger("fastapi").setLevel(logging.INFO)
 
 app = FastAPI(title="BookMyService User Management Service")
 
+# Add security middleware (should be added first for proper request logging)
+app.add_middleware(SecurityMiddleware)
+
+# Add rate limiting middleware
+app.add_middleware(RateLimitMiddleware, calls=100, period=60)
+
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
@@ -39,6 +47,7 @@ app.add_middleware(
 
 app.include_router(user_router.router, prefix="/auth", tags=["user_auth"])
 app.include_router(profile_router.router, prefix="/profile", tags=["profile"])
+app.include_router(account_router.router, prefix="/account", tags=["account_management"])
 
 @app.get("/")
 def root():

app/core/config.py

@@ -12,19 +12,35 @@ class Settings:
     CACHE_URI: str = os.getenv("CACHE_URI")
     CACHE_K: str = os.getenv("CACHE_K")
 
+    # JWT
     SECRET_KEY: str = os.getenv("SECRET_KEY", "B00Kmyservice@7")
     ALGORITHM: str = os.getenv("ALGORITHM", "HS256")
 
+    # Twilio SMS
     TWILIO_ACCOUNT_SID: str = os.getenv("TWILIO_ACCOUNT_SID")
     TWILIO_AUTH_TOKEN: str = os.getenv("TWILIO_AUTH_TOKEN")
     TWILIO_SMS_FROM: str = os.getenv("TWILIO_SMS_FROM")
 
+    # SMTP Email
     SMTP_HOST: str = os.getenv("SMTP_HOST")
     SMTP_PORT: int = int(os.getenv("SMTP_PORT", "587"))
     SMTP_USER: str = os.getenv("SMTP_USER")
     SMTP_PASS: str = os.getenv("SMTP_PASS")
     SMTP_FROM: str = os.getenv("SMTP_FROM")
 
+    # OAuth Providers
+    GOOGLE_CLIENT_ID: str = os.getenv("GOOGLE_CLIENT_ID")
+    APPLE_AUDIENCE: str = os.getenv("APPLE_AUDIENCE")
+    FACEBOOK_APP_ID: str = os.getenv("FACEBOOK_APP_ID")
+    FACEBOOK_APP_SECRET: str = os.getenv("FACEBOOK_APP_SECRET")
+
+    # Security Settings
+    MAX_LOGIN_ATTEMPTS: int = int(os.getenv("MAX_LOGIN_ATTEMPTS", "5"))
+    ACCOUNT_LOCK_DURATION: int = int(os.getenv("ACCOUNT_LOCK_DURATION", "900"))  # 15 minutes
+    OTP_VALIDITY_MINUTES: int = int(os.getenv("OTP_VALIDITY_MINUTES", "5"))
+    IP_RATE_LIMIT_MAX: int = int(os.getenv("IP_RATE_LIMIT_MAX", "10"))
+    IP_RATE_LIMIT_WINDOW: int = int(os.getenv("IP_RATE_LIMIT_WINDOW", "3600"))  # 1 hour
+
     def __post_init__(self):
         if not self.MONGO_URI or not self.DB_NAME:
             raise ValueError("MongoDB URI or DB_NAME not configured.")

app/middleware/rate_limiter.py

@@ -0,0 +1,27 @@
+from fastapi import Request, HTTPException
+from starlette.middleware.base import BaseHTTPMiddleware
+import time
+from collections import defaultdict, deque
+
+class RateLimitMiddleware(BaseHTTPMiddleware):
+    def __init__(self, app, calls: int = 100, period: int = 60):
+        super().__init__(app)
+        self.calls = calls
+        self.period = period
+        self.clients = defaultdict(deque)
+    
+    async def dispatch(self, request: Request, call_next):
+        client_ip = request.client.host
+        now = time.time()
+        
+        # Clean old requests
+        while self.clients[client_ip] and self.clients[client_ip][0] <= now - self.period:
+            self.clients[client_ip].popleft()
+        
+        # Check rate limit
+        if len(self.clients[client_ip]) >= self.calls:
+            raise HTTPException(status_code=429, detail="Rate limit exceeded")
+        
+        self.clients[client_ip].append(now)
+        response = await call_next(request)
+        return response

app/middleware/security_middleware.py

@@ -0,0 +1,237 @@
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+from datetime import datetime
+import json
+import logging
+from typing import Dict, Any
+from app.core.nosql_client import db
+
+# Configure logging
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+class SecurityMiddleware(BaseHTTPMiddleware):
+    """
+    Enhanced security middleware for request logging, device tracking, and security monitoring
+    """
+    
+    def __init__(self, app):
+        super().__init__(app)
+        self.security_collection = db.security_logs
+        self.device_collection = db.device_tracking
+    
+    def get_client_ip(self, request: Request) -> str:
+        """Extract client IP from request headers"""
+        # Check for forwarded headers first (for proxy/load balancer scenarios)
+        forwarded_for = request.headers.get("X-Forwarded-For")
+        if forwarded_for:
+            return forwarded_for.split(",")[0].strip()
+        
+        real_ip = request.headers.get("X-Real-IP")
+        if real_ip:
+            return real_ip
+        
+        # Fallback to direct client IP
+        return request.client.host if request.client else "unknown"
+    
+    def extract_device_info(self, request: Request) -> Dict[str, Any]:
+        """Extract device and browser information from request headers"""
+        user_agent = request.headers.get("User-Agent", "")
+        accept_language = request.headers.get("Accept-Language", "")
+        accept_encoding = request.headers.get("Accept-Encoding", "")
+        
+        return {
+            "user_agent": user_agent,
+            "accept_language": accept_language,
+            "accept_encoding": accept_encoding,
+            "platform": self._parse_platform(user_agent),
+            "browser": self._parse_browser(user_agent)
+        }
+    
+    def _parse_platform(self, user_agent: str) -> str:
+        """Parse platform from user agent string"""
+        user_agent_lower = user_agent.lower()
+        
+        if "windows" in user_agent_lower:
+            return "Windows"
+        elif "macintosh" in user_agent_lower or "mac os" in user_agent_lower:
+            return "macOS"
+        elif "linux" in user_agent_lower:
+            return "Linux"
+        elif "android" in user_agent_lower:
+            return "Android"
+        elif "iphone" in user_agent_lower or "ipad" in user_agent_lower:
+            return "iOS"
+        else:
+            return "Unknown"
+    
+    def _parse_browser(self, user_agent: str) -> str:
+        """Parse browser from user agent string"""
+        user_agent_lower = user_agent.lower()
+        
+        if "chrome" in user_agent_lower and "edg" not in user_agent_lower:
+            return "Chrome"
+        elif "firefox" in user_agent_lower:
+            return "Firefox"
+        elif "safari" in user_agent_lower and "chrome" not in user_agent_lower:
+            return "Safari"
+        elif "edg" in user_agent_lower:
+            return "Edge"
+        elif "opera" in user_agent_lower:
+            return "Opera"
+        else:
+            return "Unknown"
+    
+    def is_sensitive_endpoint(self, path: str) -> bool:
+        """Check if the endpoint is security-sensitive and should be logged"""
+        sensitive_paths = [
+            "/auth/",
+            "/login",
+            "/register",
+            "/otp",
+            "/oauth",
+            "/profile",
+            "/account",
+            "/security"
+        ]
+        
+        return any(sensitive_path in path for sensitive_path in sensitive_paths)
+    
+    async def log_security_event(self, request: Request, response: Response, 
+                                processing_time: float, client_ip: str, 
+                                device_info: Dict[str, Any]):
+        """Log security-relevant events to database"""
+        try:
+            # Only log sensitive endpoints or failed requests
+            if not (self.is_sensitive_endpoint(str(request.url.path)) or response.status_code >= 400):
+                return
+            
+            log_entry = {
+                "timestamp": datetime.utcnow(),
+                "method": request.method,
+                "path": str(request.url.path),
+                "query_params": dict(request.query_params),
+                "client_ip": client_ip,
+                "status_code": response.status_code,
+                "processing_time_ms": round(processing_time * 1000, 2),
+                "device_info": device_info,
+                "headers": {
+                    "user_agent": request.headers.get("User-Agent", ""),
+                    "referer": request.headers.get("Referer", ""),
+                    "content_type": request.headers.get("Content-Type", "")
+                },
+                "is_suspicious": self._detect_suspicious_activity(request, response, client_ip)
+            }
+            
+            # Add user ID if available from JWT token
+            auth_header = request.headers.get("Authorization")
+            if auth_header and auth_header.startswith("Bearer "):
+                try:
+                    from app.utils.jwt import decode_token
+                    token = auth_header.split(" ")[1]
+                    payload = decode_token(token)
+                    log_entry["user_id"] = payload.get("user_id")
+                except Exception:
+                    pass  # Token might be invalid or expired
+            
+            await self.security_collection.insert_one(log_entry)
+            
+        except Exception as e:
+            logger.error(f"Failed to log security event: {str(e)}")
+    
+    async def track_device(self, client_ip: str, device_info: Dict[str, Any], 
+                          user_id: str = None):
+        """Track device information for security monitoring"""
+        try:
+            device_fingerprint = f"{client_ip}_{device_info.get('user_agent', '')[:100]}"
+            
+            device_entry = {
+                "device_fingerprint": device_fingerprint,
+                "client_ip": client_ip,
+                "device_info": device_info,
+                "first_seen": datetime.utcnow(),
+                "last_seen": datetime.utcnow(),
+                "user_id": user_id,
+                "access_count": 1,
+                "is_trusted": False
+            }
+            
+            # Update or insert device tracking
+            await self.device_collection.update_one(
+                {"device_fingerprint": device_fingerprint},
+                {
+                    "$set": {
+                        "last_seen": datetime.utcnow(),
+                        "device_info": device_info
+                    },
+                    "$inc": {"access_count": 1},
+                    "$setOnInsert": {
+                        "device_fingerprint": device_fingerprint,
+                        "client_ip": client_ip,
+                        "first_seen": datetime.utcnow(),
+                        "user_id": user_id,
+                        "is_trusted": False
+                    }
+                },
+                upsert=True
+            )
+            
+        except Exception as e:
+            logger.error(f"Failed to track device: {str(e)}")
+    
+    def _detect_suspicious_activity(self, request: Request, response: Response, 
+                                   client_ip: str) -> bool:
+        """Detect potentially suspicious activity patterns"""
+        suspicious_indicators = []
+        
+        # Check for multiple failed login attempts
+        if response.status_code == 401 and "login" in str(request.url.path):
+            suspicious_indicators.append("failed_login")
+        
+        # Check for unusual user agent patterns
+        user_agent = request.headers.get("User-Agent", "")
+        if not user_agent or len(user_agent) < 10:
+            suspicious_indicators.append("suspicious_user_agent")
+        
+        # Check for rapid requests (basic detection)
+        if hasattr(request.state, "request_count") and request.state.request_count > 10:
+            suspicious_indicators.append("rapid_requests")
+        
+        # Check for access to sensitive endpoints without proper authentication
+        if (self.is_sensitive_endpoint(str(request.url.path)) and 
+            response.status_code == 403 and 
+            not request.headers.get("Authorization")):
+            suspicious_indicators.append("unauthorized_sensitive_access")
+        
+        return len(suspicious_indicators) > 0
+    
+    async def dispatch(self, request: Request, call_next):
+        """Main middleware dispatch method"""
+        start_time = datetime.utcnow()
+        
+        # Extract client information
+        client_ip = self.get_client_ip(request)
+        device_info = self.extract_device_info(request)
+        
+        # Process the request
+        response = await call_next(request)
+        
+        # Calculate processing time
+        end_time = datetime.utcnow()
+        processing_time = (end_time - start_time).total_seconds()
+        
+        # Log security events asynchronously
+        try:
+            await self.log_security_event(request, response, processing_time, 
+                                        client_ip, device_info)
+            await self.track_device(client_ip, device_info)
+        except Exception as e:
+            logger.error(f"Security middleware error: {str(e)}")
+        
+        # Add security headers to response
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["X-Frame-Options"] = "DENY"
+        response.headers["X-XSS-Protection"] = "1; mode=block"
+        response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
+        
+        return response

app/models/otp_model.py

@@ -11,16 +11,26 @@ class BookMyServiceOTPModel:
     OTP_TTL = 300  # 5 minutes
     RATE_LIMIT_MAX = 3
     RATE_LIMIT_WINDOW = 600  # 10 minutes
+    IP_RATE_LIMIT_MAX = 10  # Max 10 OTPs per IP per hour
+    IP_RATE_LIMIT_WINDOW = 3600  # 1 hour
+    FAILED_ATTEMPTS_MAX = 5  # Max 5 failed attempts before lock
+    FAILED_ATTEMPTS_WINDOW = 3600  # 1 hour
+    ACCOUNT_LOCK_DURATION = 1800  # 30 minutes
 
     @staticmethod
-    async def store_otp(identifier: str, phone: str, otp: str, ttl: int = OTP_TTL):
-        logger.info(f"Storing OTP for identifier: {identifier}")
+    async def store_otp(identifier: str, phone: str, otp: str, ttl: int = OTP_TTL, client_ip: str = None):
+        logger.info(f"Storing OTP for identifier: {identifier}, IP: {client_ip}")
         
         try:
             redis = await get_redis()
             logger.debug(f"Redis connection established for OTP storage")
 
-            # Rate limit: max 3 OTPs per 10 minutes
+            # Check if account is locked
+            if await BookMyServiceOTPModel.is_account_locked(identifier):
+                logger.warning(f"Account locked for identifier: {identifier}")
+                raise HTTPException(status_code=423, detail="Account temporarily locked due to too many failed attempts")
+
+            # Rate limit: max 3 OTPs per identifier per 10 minutes
             rate_key = f"otp_rate_limit:{identifier}"
             logger.debug(f"Checking rate limit with key: {rate_key}")
             
@@ -34,6 +44,17 @@ class BookMyServiceOTPModel:
                 logger.warning(f"Rate limit exceeded for {identifier}: {attempts} attempts")
                 raise HTTPException(status_code=429, detail="Too many OTP requests. Try again later.")
 
+            # IP-based rate limiting
+            if client_ip:
+                ip_rate_key = f"otp_ip_rate_limit:{client_ip}"
+                ip_attempts = await redis.incr(ip_rate_key)
+                
+                if ip_attempts == 1:
+                    await redis.expire(ip_rate_key, BookMyServiceOTPModel.IP_RATE_LIMIT_WINDOW)
+                elif ip_attempts > BookMyServiceOTPModel.IP_RATE_LIMIT_MAX:
+                    logger.warning(f"IP rate limit exceeded for {client_ip}: {ip_attempts} attempts")
+                    raise HTTPException(status_code=429, detail="Too many OTP requests from this IP address")
+
             # Store OTP
             otp_key = f"bms_otp:{identifier}"
             await redis.setex(otp_key, ttl, otp)
@@ -62,14 +83,19 @@ class BookMyServiceOTPModel:
                     raise HTTPException(status_code=500, detail="SMS failed and no email fallback available.")
     '''
     @staticmethod
-    async def verify_otp(identifier: str, otp: str):
-        logger.info(f"Verifying OTP for identifier: {identifier}")
+    async def verify_otp(identifier: str, otp: str, client_ip: str = None):
+        logger.info(f"Verifying OTP for identifier: {identifier}, IP: {client_ip}")
         logger.debug(f"Provided OTP: {otp}")
         
         try:
             redis = await get_redis()
             logger.debug("Redis connection established for OTP verification")
             
+            # Check if account is locked
+            if await BookMyServiceOTPModel.is_account_locked(identifier):
+                logger.warning(f"Account locked for identifier: {identifier}")
+                raise HTTPException(status_code=423, detail="Account temporarily locked due to too many failed attempts")
+            
             key = f"bms_otp:{identifier}"
             logger.debug(f"Looking up OTP with key: {key}")
             
@@ -81,15 +107,24 @@ class BookMyServiceOTPModel:
                 if stored == otp:
                     logger.info(f"OTP verification successful for {identifier}")
                     await redis.delete(key)
+                    # Clear failed attempts on successful verification
+                    await BookMyServiceOTPModel.clear_failed_attempts(identifier)
                     logger.debug(f"OTP deleted from Redis after successful verification")
                     return True
                 else:
                     logger.warning(f"OTP mismatch for {identifier}: provided='{otp}' vs stored='{stored}'")
+                    # Track failed attempt
+                    await BookMyServiceOTPModel.track_failed_attempt(identifier, client_ip)
                     return False
             else:
                 logger.warning(f"No OTP found in Redis for identifier: {identifier} with key: {key}")
+                # Track failed attempt for expired/non-existent OTP
+                await BookMyServiceOTPModel.track_failed_attempt(identifier, client_ip)
                 return False
                 
+        except HTTPException as e:
+            logger.error(f"HTTP error verifying OTP for {identifier}: {e.status_code} - {e.detail}")
+            raise e
         except Exception as e:
             logger.error(f"Error verifying OTP for {identifier}: {str(e)}", exc_info=True)
             return False
@@ -101,4 +136,95 @@ class BookMyServiceOTPModel:
         otp = await redis.get(key)
         if otp:
             return otp
-        raise HTTPException(status_code=404, detail="OTP not found or expired")
+        raise HTTPException(status_code=404, detail="OTP not found or expired")
+
+    @staticmethod
+    async def track_failed_attempt(identifier: str, client_ip: str = None):
+        """Track failed OTP verification attempts"""
+        logger.info(f"Tracking failed attempt for identifier: {identifier}, IP: {client_ip}")
+        
+        try:
+            redis = await get_redis()
+            
+            # Track failed attempts for identifier
+            failed_key = f"failed_otp:{identifier}"
+            attempts = await redis.incr(failed_key)
+            
+            if attempts == 1:
+                await redis.expire(failed_key, BookMyServiceOTPModel.FAILED_ATTEMPTS_WINDOW)
+            
+            # Lock account if too many failed attempts
+            if attempts >= BookMyServiceOTPModel.FAILED_ATTEMPTS_MAX:
+                await BookMyServiceOTPModel.lock_account(identifier)
+                logger.warning(f"Account locked for {identifier} after {attempts} failed attempts")
+            
+            # Track IP-based failed attempts
+            if client_ip:
+                ip_failed_key = f"failed_otp_ip:{client_ip}"
+                ip_attempts = await redis.incr(ip_failed_key)
+                
+                if ip_attempts == 1:
+                    await redis.expire(ip_failed_key, BookMyServiceOTPModel.FAILED_ATTEMPTS_WINDOW)
+                
+                logger.debug(f"IP {client_ip} failed attempts: {ip_attempts}")
+            
+        except Exception as e:
+            logger.error(f"Error tracking failed attempt for {identifier}: {str(e)}", exc_info=True)
+
+    @staticmethod
+    async def clear_failed_attempts(identifier: str):
+        """Clear failed attempts counter on successful verification"""
+        try:
+            redis = await get_redis()
+            failed_key = f"failed_otp:{identifier}"
+            await redis.delete(failed_key)
+            logger.debug(f"Cleared failed attempts for {identifier}")
+        except Exception as e:
+            logger.error(f"Error clearing failed attempts for {identifier}: {str(e)}", exc_info=True)
+
+    @staticmethod
+    async def lock_account(identifier: str):
+        """Lock account temporarily"""
+        try:
+            redis = await get_redis()
+            lock_key = f"account_locked:{identifier}"
+            await redis.setex(lock_key, BookMyServiceOTPModel.ACCOUNT_LOCK_DURATION, "locked")
+            logger.info(f"Account locked for {identifier} for {BookMyServiceOTPModel.ACCOUNT_LOCK_DURATION} seconds")
+        except Exception as e:
+            logger.error(f"Error locking account for {identifier}: {str(e)}", exc_info=True)
+
+    @staticmethod
+    async def is_account_locked(identifier: str) -> bool:
+        """Check if account is currently locked"""
+        try:
+            redis = await get_redis()
+            lock_key = f"account_locked:{identifier}"
+            locked = await redis.get(lock_key)
+            return locked is not None
+        except Exception as e:
+            logger.error(f"Error checking account lock for {identifier}: {str(e)}", exc_info=True)
+            return False
+
+    @staticmethod
+    async def get_rate_limit_count(rate_key: str) -> int:
+        """Get current rate limit count for a key"""
+        try:
+            redis = await get_redis()
+            count = await redis.get(rate_key)
+            return int(count) if count else 0
+        except Exception as e:
+            logger.error(f"Error getting rate limit count for {rate_key}: {str(e)}", exc_info=True)
+            return 0
+
+    @staticmethod
+    async def increment_rate_limit(rate_key: str, window: int) -> int:
+        """Increment rate limit counter with expiry"""
+        try:
+            redis = await get_redis()
+            count = await redis.incr(rate_key)
+            if count == 1:
+                await redis.expire(rate_key, window)
+            return count
+        except Exception as e:
+            logger.error(f"Error incrementing rate limit for {rate_key}: {str(e)}", exc_info=True)
+            return 0

app/models/social_account_model.py

@@ -0,0 +1,257 @@
+from fastapi import HTTPException
+from app.core.nosql_client import db
+from datetime import datetime
+from typing import Optional, List, Dict, Any
+import logging
+
+logger = logging.getLogger("social_account_model")
+
+class SocialAccountModel:
+    """Model for managing social login accounts and linking"""
+    
+    collection = db["social_accounts"]
+    
+    @staticmethod
+    async def create_social_account(user_id: str, provider: str, provider_user_id: str, user_info: Dict[str, Any]) -> str:
+        """Create a new social account record"""
+        try:
+            social_account = {
+                "user_id": user_id,
+                "provider": provider,
+                "provider_user_id": provider_user_id,
+                "email": user_info.get("email"),
+                "name": user_info.get("name"),
+                "picture": user_info.get("picture"),
+                "profile_data": user_info,
+                "created_at": datetime.utcnow(),
+                "updated_at": datetime.utcnow(),
+                "is_active": True,
+                "last_login": datetime.utcnow()
+            }
+            
+            result = await SocialAccountModel.collection.insert_one(social_account)
+            logger.info(f"Created social account for user {user_id} with provider {provider}")
+            return str(result.inserted_id)
+            
+        except Exception as e:
+            logger.error(f"Error creating social account: {str(e)}", exc_info=True)
+            raise HTTPException(status_code=500, detail="Failed to create social account")
+    
+    @staticmethod
+    async def find_by_provider_and_user_id(provider: str, provider_user_id: str) -> Optional[Dict[str, Any]]:
+        """Find social account by provider and provider user ID"""
+        try:
+            account = await SocialAccountModel.collection.find_one({
+                "provider": provider,
+                "provider_user_id": provider_user_id,
+                "is_active": True
+            })
+            return account
+        except Exception as e:
+            logger.error(f"Error finding social account: {str(e)}", exc_info=True)
+            return None
+    
+    @staticmethod
+    async def find_by_user_id(user_id: str) -> List[Dict[str, Any]]:
+        """Find all social accounts for a user"""
+        try:
+            cursor = SocialAccountModel.collection.find({
+                "user_id": user_id,
+                "is_active": True
+            })
+            accounts = await cursor.to_list(length=None)
+            return accounts
+        except Exception as e:
+            logger.error(f"Error finding social accounts for user {user_id}: {str(e)}", exc_info=True)
+            return []
+    
+    @staticmethod
+    async def update_social_account(provider: str, provider_user_id: str, user_info: Dict[str, Any]) -> bool:
+        """Update social account with latest user info"""
+        try:
+            update_data = {
+                "email": user_info.get("email"),
+                "name": user_info.get("name"),
+                "picture": user_info.get("picture"),
+                "profile_data": user_info,
+                "updated_at": datetime.utcnow(),
+                "last_login": datetime.utcnow()
+            }
+            
+            result = await SocialAccountModel.collection.update_one(
+                {
+                    "provider": provider,
+                    "provider_user_id": provider_user_id,
+                    "is_active": True
+                },
+                {"$set": update_data}
+            )
+            
+            return result.modified_count > 0
+            
+        except Exception as e:
+            logger.error(f"Error updating social account: {str(e)}", exc_info=True)
+            return False
+    
+    @staticmethod
+    async def link_social_account(user_id: str, provider: str, provider_user_id: str, user_info: Dict[str, Any]) -> bool:
+        """Link a social account to an existing user"""
+        try:
+            # Check if this social account is already linked to another user
+            existing_account = await SocialAccountModel.find_by_provider_and_user_id(provider, provider_user_id)
+            
+            if existing_account and existing_account["user_id"] != user_id:
+                logger.warning(f"Social account {provider}:{provider_user_id} already linked to user {existing_account['user_id']}")
+                raise HTTPException(
+                    status_code=409, 
+                    detail=f"This {provider} account is already linked to another user"
+                )
+            
+            if existing_account and existing_account["user_id"] == user_id:
+                # Update existing account
+                await SocialAccountModel.update_social_account(provider, provider_user_id, user_info)
+                return True
+            
+            # Create new social account link
+            await SocialAccountModel.create_social_account(user_id, provider, provider_user_id, user_info)
+            return True
+            
+        except HTTPException:
+            raise
+        except Exception as e:
+            logger.error(f"Error linking social account: {str(e)}", exc_info=True)
+            raise HTTPException(status_code=500, detail="Failed to link social account")
+    
+    @staticmethod
+    async def unlink_social_account(user_id: str, provider: str) -> bool:
+        """Unlink a social account from a user"""
+        try:
+            result = await SocialAccountModel.collection.update_one(
+                {
+                    "user_id": user_id,
+                    "provider": provider,
+                    "is_active": True
+                },
+                {
+                    "$set": {
+                        "is_active": False,
+                        "updated_at": datetime.utcnow()
+                    }
+                }
+            )
+            
+            if result.modified_count > 0:
+                logger.info(f"Unlinked {provider} account for user {user_id}")
+                return True
+            else:
+                logger.warning(f"No active {provider} account found for user {user_id}")
+                return False
+                
+        except Exception as e:
+            logger.error(f"Error unlinking social account: {str(e)}", exc_info=True)
+            return False
+    
+    @staticmethod
+    async def get_profile_picture(user_id: str, preferred_provider: str = None) -> Optional[str]:
+        """Get user's profile picture from social accounts"""
+        try:
+            query = {"user_id": user_id, "is_active": True}
+            
+            # If preferred provider specified, try that first
+            if preferred_provider:
+                account = await SocialAccountModel.collection.find_one({
+                    **query,
+                    "provider": preferred_provider,
+                    "picture": {"$exists": True, "$ne": None}
+                })
+                if account and account.get("picture"):
+                    return account["picture"]
+            
+            # Otherwise, get any account with a profile picture
+            account = await SocialAccountModel.collection.find_one({
+                **query,
+                "picture": {"$exists": True, "$ne": None}
+            })
+            
+            return account.get("picture") if account else None
+            
+        except Exception as e:
+            logger.error(f"Error getting profile picture for user {user_id}: {str(e)}", exc_info=True)
+            return None
+    
+    @staticmethod
+    async def get_social_account_summary(user_id: str) -> Dict[str, Any]:
+        """Get summary of all linked social accounts for a user"""
+        try:
+            accounts = await SocialAccountModel.find_by_user_id(user_id)
+            
+            summary = {
+                "linked_accounts": [],
+                "total_accounts": len(accounts),
+                "profile_picture": None
+            }
+            
+            for account in accounts:
+                summary["linked_accounts"].append({
+                    "provider": account["provider"],
+                    "email": account.get("email"),
+                    "name": account.get("name"),
+                    "linked_at": account["created_at"],
+                    "last_login": account.get("last_login")
+                })
+                
+                # Set profile picture if available
+                if not summary["profile_picture"] and account.get("picture"):
+                    summary["profile_picture"] = account["picture"]
+            
+            return summary
+            
+        except Exception as e:
+            logger.error(f"Error getting social account summary for user {user_id}: {str(e)}", exc_info=True)
+            return {"linked_accounts": [], "total_accounts": 0, "profile_picture": None}
+    
+    @staticmethod
+    async def merge_social_accounts(primary_user_id: str, secondary_user_id: str) -> bool:
+        """Merge social accounts from secondary user to primary user"""
+        try:
+            # Get all social accounts from secondary user
+            secondary_accounts = await SocialAccountModel.find_by_user_id(secondary_user_id)
+            
+            for account in secondary_accounts:
+                # Check if primary user already has this provider linked
+                existing = await SocialAccountModel.collection.find_one({
+                    "user_id": primary_user_id,
+                    "provider": account["provider"],
+                    "is_active": True
+                })
+                
+                if not existing:
+                    # Transfer the account to primary user
+                    await SocialAccountModel.collection.update_one(
+                        {"_id": account["_id"]},
+                        {
+                            "$set": {
+                                "user_id": primary_user_id,
+                                "updated_at": datetime.utcnow()
+                            }
+                        }
+                    )
+                    logger.info(f"Transferred {account['provider']} account from user {secondary_user_id} to {primary_user_id}")
+                else:
+                    # Deactivate the secondary account
+                    await SocialAccountModel.collection.update_one(
+                        {"_id": account["_id"]},
+                        {
+                            "$set": {
+                                "is_active": False,
+                                "updated_at": datetime.utcnow()
+                            }
+                        }
+                    )
+                    logger.info(f"Deactivated duplicate {account['provider']} account for user {secondary_user_id}")
+            
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error merging social accounts: {str(e)}", exc_info=True)
+            return False

app/models/social_security_model.py

@@ -0,0 +1,171 @@
+from datetime import datetime, timedelta
+import logging
+from app.core.cache_client import get_redis
+from fastapi import HTTPException
+
+logger = logging.getLogger(__name__)
+
+class SocialSecurityModel:
+    """Model for handling social login security features"""
+    
+    # Rate limiting constants
+    OAUTH_RATE_LIMIT_MAX = 5  # Max OAuth attempts per IP per hour
+    OAUTH_RATE_LIMIT_WINDOW = 3600  # 1 hour in seconds
+    
+    # Failed attempt tracking
+    OAUTH_FAILED_ATTEMPTS_MAX = 3  # Max failed OAuth attempts per IP
+    OAUTH_FAILED_ATTEMPTS_WINDOW = 1800  # 30 minutes
+    OAUTH_IP_LOCK_DURATION = 3600  # 1 hour lock for IP
+    
+    @staticmethod
+    async def check_oauth_rate_limit(client_ip: str, provider: str) -> bool:
+        """Check if OAuth rate limit is exceeded for IP and provider"""
+        if not client_ip:
+            return True  # Allow if no IP provided
+            
+        try:
+            redis = await get_redis()
+            rate_key = f"oauth_rate:{client_ip}:{provider}"
+            
+            current_count = await redis.get(rate_key)
+            if current_count and int(current_count) >= SocialSecurityModel.OAUTH_RATE_LIMIT_MAX:
+                logger.warning(f"OAuth rate limit exceeded for IP {client_ip} and provider {provider}")
+                return False
+                
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error checking OAuth rate limit: {str(e)}", exc_info=True)
+            return True  # Allow on error to avoid blocking legitimate users
+    
+    @staticmethod
+    async def increment_oauth_rate_limit(client_ip: str, provider: str):
+        """Increment OAuth rate limit counter"""
+        if not client_ip:
+            return
+            
+        try:
+            redis = await get_redis()
+            rate_key = f"oauth_rate:{client_ip}:{provider}"
+            
+            count = await redis.incr(rate_key)
+            if count == 1:
+                await redis.expire(rate_key, SocialSecurityModel.OAUTH_RATE_LIMIT_WINDOW)
+                
+            logger.debug(f"OAuth rate limit count for {client_ip}:{provider} = {count}")
+            
+        except Exception as e:
+            logger.error(f"Error incrementing OAuth rate limit: {str(e)}", exc_info=True)
+    
+    @staticmethod
+    async def track_oauth_failed_attempt(client_ip: str, provider: str):
+        """Track failed OAuth verification attempts"""
+        if not client_ip:
+            return
+            
+        try:
+            redis = await get_redis()
+            failed_key = f"oauth_failed:{client_ip}:{provider}"
+            
+            attempts = await redis.incr(failed_key)
+            if attempts == 1:
+                await redis.expire(failed_key, SocialSecurityModel.OAUTH_FAILED_ATTEMPTS_WINDOW)
+            
+            # Lock IP if too many failed attempts
+            if attempts >= SocialSecurityModel.OAUTH_FAILED_ATTEMPTS_MAX:
+                await SocialSecurityModel.lock_oauth_ip(client_ip, provider)
+                logger.warning(f"IP {client_ip} locked for provider {provider} after {attempts} failed attempts")
+            
+            logger.debug(f"OAuth failed attempts for {client_ip}:{provider} = {attempts}")
+            
+        except Exception as e:
+            logger.error(f"Error tracking OAuth failed attempt: {str(e)}", exc_info=True)
+    
+    @staticmethod
+    async def lock_oauth_ip(client_ip: str, provider: str):
+        """Lock IP for OAuth attempts on specific provider"""
+        try:
+            redis = await get_redis()
+            lock_key = f"oauth_ip_locked:{client_ip}:{provider}"
+            await redis.setex(lock_key, SocialSecurityModel.OAUTH_IP_LOCK_DURATION, "locked")
+            logger.info(f"IP {client_ip} locked for OAuth provider {provider}")
+        except Exception as e:
+            logger.error(f"Error locking OAuth IP: {str(e)}", exc_info=True)
+    
+    @staticmethod
+    async def is_oauth_ip_locked(client_ip: str, provider: str) -> bool:
+        """Check if IP is locked for OAuth attempts on specific provider"""
+        if not client_ip:
+            return False
+            
+        try:
+            redis = await get_redis()
+            lock_key = f"oauth_ip_locked:{client_ip}:{provider}"
+            locked = await redis.get(lock_key)
+            return locked is not None
+        except Exception as e:
+            logger.error(f"Error checking OAuth IP lock: {str(e)}", exc_info=True)
+            return False
+    
+    @staticmethod
+    async def clear_oauth_failed_attempts(client_ip: str, provider: str):
+        """Clear failed OAuth attempts on successful verification"""
+        if not client_ip:
+            return
+            
+        try:
+            redis = await get_redis()
+            failed_key = f"oauth_failed:{client_ip}:{provider}"
+            await redis.delete(failed_key)
+            logger.debug(f"Cleared OAuth failed attempts for {client_ip}:{provider}")
+        except Exception as e:
+            logger.error(f"Error clearing OAuth failed attempts: {str(e)}", exc_info=True)
+    
+    @staticmethod
+    async def validate_oauth_token_format(token: str, provider: str) -> bool:
+        """Basic validation of OAuth token format"""
+        if not token or not isinstance(token, str):
+            return False
+            
+        # Basic length and format checks
+        if provider == "google":
+            # Google ID tokens are typically JWT format
+            return len(token) > 100 and token.count('.') == 2
+        elif provider == "apple":
+            # Apple ID tokens are also JWT format
+            return len(token) > 100 and token.count('.') == 2
+        elif provider == "facebook":
+            # Facebook access tokens are typically shorter
+            return len(token) > 20 and len(token) < 500
+        
+        return True  # Allow unknown providers
+    
+    @staticmethod
+    async def log_oauth_attempt(client_ip: str, provider: str, success: bool, user_id: str = None):
+        """Log OAuth authentication attempts for security monitoring"""
+        try:
+            redis = await get_redis()
+            log_key = f"oauth_log:{datetime.utcnow().strftime('%Y-%m-%d')}"
+            
+            log_entry = {
+                "timestamp": datetime.utcnow().isoformat(),
+                "ip": client_ip,
+                "provider": provider,
+                "success": success,
+                "user_id": user_id
+            }
+            
+            # Store as JSON string in Redis list
+            import json
+            await redis.lpush(log_key, json.dumps(log_entry))
+            
+            # Keep only last 1000 entries per day
+            await redis.ltrim(log_key, 0, 999)
+            
+            # Set expiry for 30 days
+            await redis.expire(log_key, 30 * 24 * 3600)
+            
+            logger.info(f"OAuth attempt logged: {provider} from {client_ip} - {'success' if success else 'failed'}")
+            
+        except Exception as e:
+            logger.error(f"Error logging OAuth attempt: {str(e)}", exc_info=True)

app/routers/account_router.py

@@ -0,0 +1,218 @@
+from fastapi import APIRouter, Depends, HTTPException, Request, Query
+from fastapi.security import HTTPBearer
+from typing import List, Optional
+from datetime import datetime, timedelta
+import logging
+
+from app.schemas.user_schema import (
+    LinkSocialAccountRequest, UnlinkSocialAccountRequest,
+    SocialAccountSummary, LoginHistoryResponse, SecuritySettingsResponse,
+    TokenResponse
+)
+from app.services.account_service import AccountService
+from app.utils.jwt import decode_token
+
+# Configure logging
+logger = logging.getLogger(__name__)
+
+router = APIRouter()
+security = HTTPBearer()
+
+def get_current_user(token: str = Depends(security)):
+    """Extract user ID from JWT token"""
+    try:
+        payload = decode_token(token.credentials)
+        user_id = payload.get("user_id")
+        if not user_id:
+            raise HTTPException(status_code=401, detail="Invalid token")
+        return user_id
+    except Exception as e:
+        logger.error(f"Token validation error: {str(e)}")
+        raise HTTPException(status_code=401, detail="Invalid or expired token")
+
+def get_client_ip(request: Request) -> str:
+    """Extract client IP from request"""
+    forwarded_for = request.headers.get("X-Forwarded-For")
+    if forwarded_for:
+        return forwarded_for.split(",")[0].strip()
+    
+    real_ip = request.headers.get("X-Real-IP")
+    if real_ip:
+        return real_ip
+    
+    return request.client.host if request.client else "unknown"
+
+@router.get("/social-accounts", response_model=SocialAccountSummary)
+async def get_social_accounts(user_id: str = Depends(get_current_user)):
+    """Get all linked social accounts for the current user"""
+    try:
+        account_service = AccountService()
+        summary = await account_service.get_social_account_summary(user_id)
+        return summary
+    except Exception as e:
+        logger.error(f"Error fetching social accounts for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to fetch social accounts")
+
+@router.post("/link-social-account", response_model=dict)
+async def link_social_account(
+    request: LinkSocialAccountRequest,
+    req: Request,
+    user_id: str = Depends(get_current_user)
+):
+    """Link a new social account to the current user"""
+    try:
+        client_ip = get_client_ip(req)
+        account_service = AccountService()
+        
+        result = await account_service.link_social_account(
+            user_id=user_id,
+            provider=request.provider,
+            token=request.token,
+            client_ip=client_ip
+        )
+        
+        return {"message": f"Successfully linked {request.provider} account", "result": result}
+    except ValueError as e:
+        logger.warning(f"Invalid link request for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=400, detail=str(e))
+    except Exception as e:
+        logger.error(f"Error linking social account for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to link social account")
+
+@router.delete("/unlink-social-account", response_model=dict)
+async def unlink_social_account(
+    request: UnlinkSocialAccountRequest,
+    user_id: str = Depends(get_current_user)
+):
+    """Unlink a social account from the current user"""
+    try:
+        account_service = AccountService()
+        
+        result = await account_service.unlink_social_account(
+            user_id=user_id,
+            provider=request.provider
+        )
+        
+        return {"message": f"Successfully unlinked {request.provider} account", "result": result}
+    except ValueError as e:
+        logger.warning(f"Invalid unlink request for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=400, detail=str(e))
+    except Exception as e:
+        logger.error(f"Error unlinking social account for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to unlink social account")
+
+@router.get("/login-history", response_model=LoginHistoryResponse)
+async def get_login_history(
+    page: int = Query(1, ge=1, description="Page number"),
+    per_page: int = Query(10, ge=1, le=50, description="Items per page"),
+    days: int = Query(30, ge=1, le=365, description="Number of days to look back"),
+    user_id: str = Depends(get_current_user)
+):
+    """Get login history for the current user"""
+    try:
+        account_service = AccountService()
+        
+        history = await account_service.get_login_history(
+            user_id=user_id,
+            page=page,
+            per_page=per_page,
+            days=days
+        )
+        
+        return history
+    except Exception as e:
+        logger.error(f"Error fetching login history for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to fetch login history")
+
+@router.get("/security-settings", response_model=SecuritySettingsResponse)
+async def get_security_settings(user_id: str = Depends(get_current_user)):
+    """Get security settings and status for the current user"""
+    try:
+        account_service = AccountService()
+        
+        settings = await account_service.get_security_settings(user_id)
+        
+        return settings
+    except Exception as e:
+        logger.error(f"Error fetching security settings for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to fetch security settings")
+
+@router.post("/merge-accounts", response_model=dict)
+async def merge_social_accounts(
+    target_user_id: str,
+    req: Request,
+    user_id: str = Depends(get_current_user)
+):
+    """Merge social accounts from another user (admin function or user-initiated)"""
+    try:
+        # For security, only allow users to merge their own accounts or implement admin check
+        if user_id != target_user_id:
+            # In a real implementation, you'd check if the current user is an admin
+            # or if they have proper authorization to merge accounts
+            raise HTTPException(status_code=403, detail="Insufficient permissions")
+        
+        client_ip = get_client_ip(req)
+        account_service = AccountService()
+        
+        result = await account_service.merge_social_accounts(
+            primary_user_id=user_id,
+            secondary_user_id=target_user_id,
+            client_ip=client_ip
+        )
+        
+        return {"message": "Successfully merged social accounts", "result": result}
+    except ValueError as e:
+        logger.warning(f"Invalid merge request for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=400, detail=str(e))
+    except Exception as e:
+        logger.error(f"Error merging social accounts for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to merge social accounts")
+
+@router.delete("/revoke-all-sessions", response_model=dict)
+async def revoke_all_sessions(
+    req: Request,
+    user_id: str = Depends(get_current_user)
+):
+    """Revoke all active sessions for security purposes"""
+    try:
+        client_ip = get_client_ip(req)
+        account_service = AccountService()
+        
+        result = await account_service.revoke_all_sessions(user_id, client_ip)
+        
+        return {"message": "All sessions have been revoked", "result": result}
+    except Exception as e:
+        logger.error(f"Error revoking sessions for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to revoke sessions")
+
+@router.get("/trusted-devices", response_model=dict)
+async def get_trusted_devices(user_id: str = Depends(get_current_user)):
+    """Get list of trusted devices for the current user"""
+    try:
+        account_service = AccountService()
+        
+        devices = await account_service.get_trusted_devices(user_id)
+        
+        return {"devices": devices}
+    except Exception as e:
+        logger.error(f"Error fetching trusted devices for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to fetch trusted devices")
+
+@router.delete("/trusted-devices/{device_id}", response_model=dict)
+async def remove_trusted_device(
+    device_id: str,
+    user_id: str = Depends(get_current_user)
+):
+    """Remove a trusted device"""
+    try:
+        account_service = AccountService()
+        
+        result = await account_service.remove_trusted_device(user_id, device_id)
+        
+        return {"message": "Trusted device removed successfully", "result": result}
+    except ValueError as e:
+        logger.warning(f"Invalid device removal request for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=400, detail=str(e))
+    except Exception as e:
+        logger.error(f"Error removing trusted device for user {user_id}: {str(e)}")
+        raise HTTPException(status_code=500, detail="Failed to remove trusted device")

app/routers/user_router.py

@@ -12,8 +12,10 @@ from app.schemas.user_schema import (
 )
 from app.services.user_service import UserService
 from app.utils.jwt import create_temp_token, decode_token
-from app.utils.social_utils import verify_google_token, verify_apple_token
+from app.utils.social_utils import verify_google_token, verify_apple_token, verify_facebook_token
 from app.utils.common_utils import validate_identifier
+from app.models.social_security_model import SocialSecurityModel
+from fastapi import Request
 import logging
 
 logger = logging.getLogger("user_router")
@@ -187,23 +189,84 @@ async def otp_login_handler(
 
 # 🌐 OAuth Login for Google / Apple
 @router.post("/oauth-login", response_model=TokenResponse)
-async def oauth_login_handler(payload: OAuthLoginRequest):
-    if payload.provider == "google":
-        user_info = await verify_google_token(payload.token)
-        user_id = f"google_{user_info['id']}"
-    elif payload.provider == "apple":
-        user_info = await verify_apple_token(payload.token)
-        user_id = f"apple_{user_info['id']}"
-    else:
-        raise HTTPException(status_code=400, detail="Unsupported OAuth provider")
-
-    temp_token = create_temp_token({
-        "sub": user_id,
-        "type": "oauth_session",
-        "verified": True
-    }, expires_minutes=10)
-
-    return {"access_token": temp_token, "token_type": "bearer"}
+async def oauth_login_handler(payload: OAuthLoginRequest, request: Request):
+    from app.core.config import settings
+    
+    # Get client IP
+    client_ip = request.client.host if request.client else None
+    
+    # Check if IP is locked for this provider
+    if await SocialSecurityModel.is_oauth_ip_locked(client_ip, payload.provider):
+        await SocialSecurityModel.log_oauth_attempt(client_ip, payload.provider, False)
+        raise HTTPException(
+            status_code=429, 
+            detail=f"Too many failed attempts. IP temporarily locked for {payload.provider} OAuth."
+        )
+    
+    # Check rate limiting
+    if not await SocialSecurityModel.check_oauth_rate_limit(client_ip, payload.provider):
+        await SocialSecurityModel.log_oauth_attempt(client_ip, payload.provider, False)
+        raise HTTPException(
+            status_code=429, 
+            detail=f"Rate limit exceeded for {payload.provider} OAuth. Please try again later."
+        )
+    
+    # Validate token format
+    if not await SocialSecurityModel.validate_oauth_token_format(payload.token, payload.provider):
+        await SocialSecurityModel.track_oauth_failed_attempt(client_ip, payload.provider)
+        await SocialSecurityModel.log_oauth_attempt(client_ip, payload.provider, False)
+        raise HTTPException(status_code=400, detail="Invalid token format")
+    
+    # Increment rate limit counter
+    await SocialSecurityModel.increment_oauth_rate_limit(client_ip, payload.provider)
+    
+    try:
+        if payload.provider == "google":
+            if not settings.GOOGLE_CLIENT_ID:
+                raise HTTPException(status_code=500, detail="Google OAuth not configured")
+            user_info = await verify_google_token(payload.token, settings.GOOGLE_CLIENT_ID)
+            user_id = f"google_{user_info.get('sub', user_info.get('id'))}"
+            
+        elif payload.provider == "apple":
+            if not settings.APPLE_AUDIENCE:
+                raise HTTPException(status_code=500, detail="Apple OAuth not configured")
+            user_info = await verify_apple_token(payload.token, settings.APPLE_AUDIENCE)
+            user_id = f"apple_{user_info.get('sub', user_info.get('id'))}"
+            
+        elif payload.provider == "facebook":
+            if not settings.FACEBOOK_APP_ID or not settings.FACEBOOK_APP_SECRET:
+                raise HTTPException(status_code=500, detail="Facebook OAuth not configured")
+            user_info = await verify_facebook_token(payload.token, settings.FACEBOOK_APP_ID, settings.FACEBOOK_APP_SECRET)
+            user_id = f"facebook_{user_info.get('id')}"
+            
+        else:
+            raise HTTPException(status_code=400, detail="Unsupported OAuth provider")
+
+        # Clear failed attempts on successful verification
+        await SocialSecurityModel.clear_oauth_failed_attempts(client_ip, payload.provider)
+        
+        # Log successful attempt
+        await SocialSecurityModel.log_oauth_attempt(client_ip, payload.provider, True, user_id)
+
+        temp_token = create_temp_token({
+            "sub": user_id,
+            "type": "oauth_session",
+            "verified": True,
+            "provider": payload.provider,
+            "user_info": user_info
+        }, expires_minutes=10)
+
+        return {"access_token": temp_token, "token_type": "bearer"}
+        
+    except HTTPException:
+        # Re-raise HTTP exceptions (configuration errors, etc.)
+        raise
+    except Exception as e:
+        # Track failed attempt for token verification failures
+        await SocialSecurityModel.track_oauth_failed_attempt(client_ip, payload.provider)
+        await SocialSecurityModel.log_oauth_attempt(client_ip, payload.provider, False)
+        logger.error(f"OAuth verification failed for {payload.provider}: {str(e)}", exc_info=True)
+        raise HTTPException(status_code=401, detail="OAuth token verification failed")
 
 # 👤 Final user registration after OTP or OAuth
 @router.post("/register", response_model=TokenResponse)

app/schemas/user_schema.py

@@ -1,17 +1,18 @@
 from pydantic import BaseModel, EmailStr, validator
-from typing import Optional, Literal
+from typing import Optional, Literal, List, Dict, Any
+from datetime import datetime
 import re
 
 # Used for OTP-based or OAuth-based user registration
 class UserRegisterRequest(BaseModel):
     name: str
-    email: Optional[EmailStr] = None
-    phone: Optional[str] = None
-    otpIdentifer: Optional[str] = None  # email or phone
+    email: EmailStr  # Mandatory for all registration modes
+    phone: str  # Mandatory for all registration modes (always used as OTP identifier)
+    otpIdentifer: Optional[str] = None  # Deprecated - phone is always the OTP identifier
     otp: Optional[str] = None
     dob: Optional[str] = None  # ISO format date string
     oauth_token: Optional[str] = None
-    provider: Optional[Literal["google", "apple"]] = None
+    provider: Optional[Literal["google", "apple", "facebook"]] = None
     mode: Literal["otp", "oauth"]
 
     @validator('phone')
@@ -108,18 +109,77 @@ class OTPVerifyRequest(BaseModel):
 
 # OAuth login using Google/Apple
 class OAuthLoginRequest(BaseModel):
-    provider: Literal["google", "apple"]
+    provider: Literal["google", "apple", "facebook"]
     token: str
 
-# JWT Token response format
+# JWT Token response format with enhanced security info
 class TokenResponse(BaseModel):
     access_token: str
     token_type: str = "bearer"
-    name: str = None  # Added for OTP login response
+    expires_in: Optional[int] = 28800  # 8 hours in seconds
+    user_id: Optional[str] = None
+    name: Optional[str] = None
+    email: Optional[str] = None
+    profile_picture: Optional[str] = None
+    auth_method: Optional[str] = None  # "otp" or "oauth"
+    provider: Optional[str] = None  # For OAuth logins
+    security_info: Optional[Dict[str, Any]] = None
 
-# Optional: profile info response post-login
+# Enhanced user profile response with social accounts
 class UserProfileResponse(BaseModel):
     user_id: str
-    full_name: str
+    name: str
     email: Optional[EmailStr] = None
-    phone: Optional[str] = None
+    phone: Optional[str] = None
+    profile_picture: Optional[str] = None
+    auth_method: str
+    created_at: datetime
+    social_accounts: Optional[List[Dict[str, Any]]] = None
+    security_info: Optional[Dict[str, Any]] = None
+
+# Social account information
+class SocialAccountInfo(BaseModel):
+    provider: str
+    email: Optional[str] = None
+    name: Optional[str] = None
+    linked_at: datetime
+    last_login: Optional[datetime] = None
+
+# Social account summary response
+class SocialAccountSummary(BaseModel):
+    linked_accounts: List[SocialAccountInfo]
+    total_accounts: int
+    profile_picture: Optional[str] = None
+
+# Account linking request
+class LinkSocialAccountRequest(BaseModel):
+    provider: Literal["google", "apple", "facebook"]
+    token: str
+
+# Account unlinking request
+class UnlinkSocialAccountRequest(BaseModel):
+    provider: Literal["google", "apple", "facebook"]
+
+# Login history entry
+class LoginHistoryEntry(BaseModel):
+    timestamp: datetime
+    method: str  # "otp" or "oauth"
+    provider: Optional[str] = None
+    ip_address: Optional[str] = None
+    success: bool
+    device_info: Optional[str] = None
+
+# Login history response
+class LoginHistoryResponse(BaseModel):
+    entries: List[LoginHistoryEntry]
+    total_entries: int
+    page: int
+    per_page: int
+
+# Security settings response
+class SecuritySettingsResponse(BaseModel):
+    two_factor_enabled: bool = False
+    linked_social_accounts: int
+    last_password_change: Optional[datetime] = None
+    recent_login_attempts: int
+    account_locked: bool = False

app/services/account_service.py

@@ -0,0 +1,396 @@
+from datetime import datetime, timedelta
+from typing import List, Dict, Any, Optional
+import logging
+from bson import ObjectId
+
+from app.models.social_account_model import SocialAccountModel
+from app.models.user_model import BookMyServiceUserModel
+from app.schemas.user_schema import (
+    SocialAccountSummary, SocialAccountInfo, LoginHistoryResponse, 
+    LoginHistoryEntry, SecuritySettingsResponse
+)
+from app.utils.social_utils import verify_google_token, verify_apple_token, verify_facebook_token
+from app.core.nosql_client import db
+
+# Configure logging
+logger = logging.getLogger(__name__)
+
+class AccountService:
+    """Service for managing user accounts, social accounts, and security settings"""
+    
+    def __init__(self):
+        self.security_collection = db.get_collection("security_logs")
+        self.device_collection = db.get_collection("device_tracking")
+        self.session_collection = db.get_collection("user_sessions")
+    
+    async def get_social_account_summary(self, user_id: str) -> SocialAccountSummary:
+        """Get summary of all linked social accounts for a user"""
+        try:
+            social_accounts = await SocialAccountModel.find_by_user_id(user_id)
+            
+            linked_accounts = []
+            profile_picture = None
+            
+            for account in social_accounts:
+                account_info = SocialAccountInfo(
+                    provider=account["provider"],
+                    email=account.get("email"),
+                    name=account.get("name"),
+                    linked_at=account["created_at"],
+                    last_login=account.get("last_login")
+                )
+                linked_accounts.append(account_info)
+                
+                # Use the first available profile picture
+                if not profile_picture and account.get("profile_picture"):
+                    profile_picture = account["profile_picture"]
+            
+            return SocialAccountSummary(
+                linked_accounts=linked_accounts,
+                total_accounts=len(linked_accounts),
+                profile_picture=profile_picture
+            )
+            
+        except Exception as e:
+            logger.error(f"Error getting social account summary for user {user_id}: {str(e)}")
+            raise
+    
+    async def link_social_account(self, user_id: str, provider: str, token: str, client_ip: str) -> Dict[str, Any]:
+        """Link a new social account to an existing user"""
+        try:
+            # Verify the token and get user info
+            user_info = await self._verify_social_token(provider, token)
+            
+            # Check if this social account is already linked to another user
+            existing_account = await SocialAccountModel.find_by_provider_id(
+                provider, user_info["id"]
+            )
+            
+            if existing_account and existing_account["user_id"] != user_id:
+                raise ValueError(f"This {provider} account is already linked to another user")
+            
+            # Check if user already has this provider linked
+            user_provider_account = await SocialAccountModel.find_by_user_and_provider(
+                user_id, provider
+            )
+            
+            if user_provider_account:
+                # Update existing account
+                await SocialAccountModel.update_social_account(
+                    user_id, provider, user_info, client_ip
+                )
+                action = "updated"
+            else:
+                # Create new social account link
+                await SocialAccountModel.create_social_account(
+                    user_id, provider, user_info, client_ip
+                )
+                action = "linked"
+            
+            # Log the action
+            await self._log_account_action(
+                user_id, f"social_account_{action}", 
+                {"provider": provider, "client_ip": client_ip}
+            )
+            
+            return {"action": action, "provider": provider, "user_info": user_info}
+            
+        except Exception as e:
+            logger.error(f"Error linking social account for user {user_id}: {str(e)}")
+            raise
+    
+    async def unlink_social_account(self, user_id: str, provider: str) -> Dict[str, Any]:
+        """Unlink a social account from a user"""
+        try:
+            # Check if account exists
+            account = await SocialAccountModel.find_by_user_and_provider(user_id, provider)
+            if not account:
+                raise ValueError(f"No {provider} account found for this user")
+            
+            # Check if this is the only authentication method
+            user = await BookMyServiceUserModel.find_by_id(user_id)
+            if not user:
+                raise ValueError("User not found")
+            
+            # Count total social accounts
+            social_accounts = await SocialAccountModel.find_by_user_id(user_id)
+            
+            # If user has no phone/email and this is their only social account, prevent unlinking
+            if (len(social_accounts) == 1 and 
+                not user.get("phone") and not user.get("email")):
+                raise ValueError("Cannot unlink the only authentication method")
+            
+            # Unlink the account
+            result = await SocialAccountModel.unlink_social_account(user_id, provider)
+            
+            # Log the action
+            await self._log_account_action(
+                user_id, "social_account_unlinked", 
+                {"provider": provider}
+            )
+            
+            return {"action": "unlinked", "provider": provider, "result": result}
+            
+        except Exception as e:
+            logger.error(f"Error unlinking social account for user {user_id}: {str(e)}")
+            raise
+    
+    async def get_login_history(self, user_id: str, page: int = 1, 
+                               per_page: int = 10, days: int = 30) -> LoginHistoryResponse:
+        """Get login history for a user"""
+        try:
+            # Calculate date range
+            end_date = datetime.utcnow()
+            start_date = end_date - timedelta(days=days)
+            
+            # Query security logs for login events
+            skip = (page - 1) * per_page
+            
+            pipeline = [
+                {
+                    "$match": {
+                        "user_id": user_id,
+                        "timestamp": {"$gte": start_date, "$lte": end_date},
+                        "$or": [
+                            {"path": {"$regex": "/login"}},
+                            {"path": {"$regex": "/oauth"}},
+                            {"path": {"$regex": "/otp"}}
+                        ]
+                    }
+                },
+                {"$sort": {"timestamp": -1}},
+                {"$skip": skip},
+                {"$limit": per_page}
+            ]
+            
+            cursor = self.security_collection.aggregate(pipeline)
+            logs = await cursor.to_list(length=per_page)
+            
+            # Count total entries
+            total_count = await self.security_collection.count_documents({
+                "user_id": user_id,
+                "timestamp": {"$gte": start_date, "$lte": end_date},
+                "$or": [
+                    {"path": {"$regex": "/login"}},
+                    {"path": {"$regex": "/oauth"}},
+                    {"path": {"$regex": "/otp"}}
+                ]
+            })
+            
+            # Convert to response format
+            entries = []
+            for log in logs:
+                method = "oauth" if "oauth" in log["path"] else "otp"
+                provider = None
+                
+                # Extract provider from query params if available
+                if method == "oauth" and log.get("query_params"):
+                    provider = log["query_params"].get("provider")
+                
+                entry = LoginHistoryEntry(
+                    timestamp=log["timestamp"],
+                    method=method,
+                    provider=provider,
+                    ip_address=log.get("client_ip"),
+                    success=log["status_code"] < 400,
+                    device_info=log.get("device_info", {}).get("user_agent")
+                )
+                entries.append(entry)
+            
+            return LoginHistoryResponse(
+                entries=entries,
+                total_entries=total_count,
+                page=page,
+                per_page=per_page
+            )
+            
+        except Exception as e:
+            logger.error(f"Error getting login history for user {user_id}: {str(e)}")
+            raise
+    
+    async def get_security_settings(self, user_id: str) -> SecuritySettingsResponse:
+        """Get security settings and status for a user"""
+        try:
+            # Get user info
+            user = await BookMyServiceUserModel.find_by_id(user_id)
+            if not user:
+                raise ValueError("User not found")
+            
+            # Count linked social accounts
+            social_accounts = await SocialAccountModel.find_by_user_id(user_id)
+            linked_accounts_count = len(social_accounts)
+            
+            # Get recent login attempts (last 24 hours)
+            yesterday = datetime.utcnow() - timedelta(days=1)
+            recent_attempts = await self.security_collection.count_documents({
+                "user_id": user_id,
+                "timestamp": {"$gte": yesterday},
+                "$or": [
+                    {"path": {"$regex": "/login"}},
+                    {"path": {"$regex": "/oauth"}},
+                    {"path": {"$regex": "/otp"}}
+                ]
+            })
+            
+            # Check if account is locked (this would be implemented based on your locking logic)
+            account_locked = False  # Implement based on your account locking mechanism
+            
+            return SecuritySettingsResponse(
+                two_factor_enabled=False,  # Implement 2FA if needed
+                linked_social_accounts=linked_accounts_count,
+                last_password_change=None,  # Implement if you have password functionality
+                recent_login_attempts=recent_attempts,
+                account_locked=account_locked
+            )
+            
+        except Exception as e:
+            logger.error(f"Error getting security settings for user {user_id}: {str(e)}")
+            raise
+    
+    async def merge_social_accounts(self, primary_user_id: str, secondary_user_id: str, 
+                                   client_ip: str) -> Dict[str, Any]:
+        """Merge social accounts from secondary user to primary user"""
+        try:
+            # Get social accounts from secondary user
+            secondary_accounts = await SocialAccountModel.find_by_user_id(secondary_user_id)
+            
+            merged_count = 0
+            for account in secondary_accounts:
+                # Check if primary user already has this provider
+                existing = await SocialAccountModel.find_by_user_and_provider(
+                    primary_user_id, account["provider"]
+                )
+                
+                if not existing:
+                    # Transfer the account to primary user
+                    await SocialAccountModel.update_user_id(
+                        account["_id"], primary_user_id
+                    )
+                    merged_count += 1
+            
+            # Log the merge action
+            await self._log_account_action(
+                primary_user_id, "accounts_merged", 
+                {
+                    "secondary_user_id": secondary_user_id,
+                    "merged_accounts": merged_count,
+                    "client_ip": client_ip
+                }
+            )
+            
+            return {
+                "merged_accounts": merged_count,
+                "primary_user_id": primary_user_id,
+                "secondary_user_id": secondary_user_id
+            }
+            
+        except Exception as e:
+            logger.error(f"Error merging accounts {secondary_user_id} -> {primary_user_id}: {str(e)}")
+            raise
+    
+    async def revoke_all_sessions(self, user_id: str, client_ip: str) -> Dict[str, Any]:
+        """Revoke all active sessions for a user"""
+        try:
+            # In a real implementation, you'd have a sessions collection
+            # For now, we'll just log the action
+            await self._log_account_action(
+                user_id, "all_sessions_revoked", 
+                {"client_ip": client_ip}
+            )
+            
+            # Here you would typically:
+            # 1. Delete all session tokens from database
+            # 2. Add tokens to a blacklist
+            # 3. Force re-authentication on next request
+            
+            return {"action": "revoked", "user_id": user_id}
+            
+        except Exception as e:
+            logger.error(f"Error revoking sessions for user {user_id}: {str(e)}")
+            raise
+    
+    async def get_trusted_devices(self, user_id: str) -> List[Dict[str, Any]]:
+        """Get list of trusted devices for a user"""
+        try:
+            cursor = self.device_collection.find({
+                "user_id": user_id,
+                "is_trusted": True
+            }).sort("last_seen", -1)
+            
+            devices = await cursor.to_list(length=None)
+            
+            # Format device information
+            trusted_devices = []
+            for device in devices:
+                device_info = {
+                    "device_id": str(device["_id"]),
+                    "device_fingerprint": device["device_fingerprint"],
+                    "platform": device.get("device_info", {}).get("platform", "Unknown"),
+                    "browser": device.get("device_info", {}).get("browser", "Unknown"),
+                    "first_seen": device["first_seen"],
+                    "last_seen": device["last_seen"],
+                    "access_count": device.get("access_count", 0)
+                }
+                trusted_devices.append(device_info)
+            
+            return trusted_devices
+            
+        except Exception as e:
+            logger.error(f"Error getting trusted devices for user {user_id}: {str(e)}")
+            raise
+    
+    async def remove_trusted_device(self, user_id: str, device_id: str) -> Dict[str, Any]:
+        """Remove a trusted device"""
+        try:
+            result = await self.device_collection.update_one(
+                {
+                    "_id": ObjectId(device_id),
+                    "user_id": user_id
+                },
+                {"$set": {"is_trusted": False}}
+            )
+            
+            if result.matched_count == 0:
+                raise ValueError("Device not found or not owned by user")
+            
+            await self._log_account_action(
+                user_id, "trusted_device_removed", 
+                {"device_id": device_id}
+            )
+            
+            return {"action": "removed", "device_id": device_id}
+            
+        except Exception as e:
+            logger.error(f"Error removing trusted device for user {user_id}: {str(e)}")
+            raise
+    
+    async def _verify_social_token(self, provider: str, token: str) -> Dict[str, Any]:
+        """Verify social media token and return user info"""
+        try:
+            if provider == "google":
+                return await verify_google_token(token)
+            elif provider == "apple":
+                return await verify_apple_token(token)
+            elif provider == "facebook":
+                return await verify_facebook_token(token)
+            else:
+                raise ValueError(f"Unsupported provider: {provider}")
+        except Exception as e:
+            logger.error(f"Token verification failed for {provider}: {str(e)}")
+            raise ValueError(f"Invalid {provider} token")
+    
+    async def _log_account_action(self, user_id: str, action: str, details: Dict[str, Any]):
+        """Log account-related actions for audit purposes"""
+        try:
+            log_entry = {
+                "timestamp": datetime.utcnow(),
+                "user_id": user_id,
+                "action": action,
+                "details": details,
+                "type": "account_management"
+            }
+            
+            await self.security_collection.insert_one(log_entry)
+            
+        except Exception as e:
+            logger.error(f"Failed to log account action: {str(e)}")

app/services/user_service.py

@@ -4,6 +4,7 @@ from datetime import datetime, timedelta
 from fastapi import HTTPException
 from app.models.user_model import BookMyServiceUserModel
 from app.models.otp_model import BookMyServiceOTPModel
+from app.models.social_account_model import SocialAccountModel
 from app.core.config import settings
 from app.utils.common_utils import is_email, validate_identifier
 from app.schemas.user_schema import UserRegisterRequest
@@ -11,16 +12,27 @@ import logging
 
 logger = logging.getLogger("user_service")
 
+
+
+
 class UserService:
     @staticmethod
-    async def send_otp(identifier: str, phone: str = None):
-        logger.info(f"UserService.send_otp called - identifier: {identifier}, phone: {phone}")
+    async def send_otp(identifier: str, phone: str = None, client_ip: str = None):
+        logger.info(f"UserService.send_otp called - identifier: {identifier}, phone: {phone}, ip: {client_ip}")
         
         try:
             # Validate identifier format
             identifier_type = validate_identifier(identifier)
             logger.debug(f"Identifier type: {identifier_type}")
             
+            # Enhanced rate limiting by IP and identifier
+            if client_ip:
+                ip_rate_key = f"otp_ip_rate:{client_ip}"
+                ip_attempts = await BookMyServiceOTPModel.get_rate_limit_count(ip_rate_key)
+                if ip_attempts >= 10:  # Max 10 OTPs per IP per hour
+                    logger.warning(f"IP rate limit exceeded for {client_ip}")
+                    raise HTTPException(status_code=429, detail="Too many OTP requests from this IP")
+            
             # For phone identifiers, use the identifier itself as phone
             # For email identifiers, use the provided phone parameter
             if identifier_type == "phone":
@@ -31,13 +43,19 @@ class UserService:
                 # If email identifier but no phone provided, we'll send OTP via email
                 phone_number = None
                 
-            # Using dummy OTP for testing
-            otp = "777777"
-            logger.debug(f"Generated OTP: {otp} for identifier: {identifier}")
+            # Generate secure OTP (6 digits, cryptographically secure)
+            import secrets
+            otp = ''.join([str(secrets.randbelow(10)) for _ in range(6)])
+            logger.debug(f"Generated secure OTP for identifier: {identifier}")
             
             await BookMyServiceOTPModel.store_otp(identifier, phone_number, otp)
+            
+            # Track IP-based rate limiting
+            if client_ip:
+                await BookMyServiceOTPModel.increment_rate_limit(ip_rate_key, 3600)  # 1 hour window
+            
             logger.info(f"OTP stored successfully for identifier: {identifier}")
-            logger.debug(f"OTP sent to {identifier}: {otp}")
+            logger.debug(f"OTP sent to {identifier}")
             
         except ValueError as ve:
             logger.error(f"Validation error for identifier {identifier}: {str(ve)}")
@@ -47,23 +65,32 @@ class UserService:
             raise HTTPException(status_code=500, detail="Failed to send OTP")
 
     @staticmethod
-    async def otp_login_handler(identifier: str, otp: str):
-        logger.info(f"UserService.otp_login_handler called - identifier: {identifier}, otp: {otp}")
+    async def otp_login_handler(identifier: str, otp: str, client_ip: str = None):
+        logger.info(f"UserService.otp_login_handler called - identifier: {identifier}, otp: {otp}, ip: {client_ip}")
         
         try:
             # Validate identifier format
             identifier_type = validate_identifier(identifier)
             logger.debug(f"Identifier type: {identifier_type}")
             
-            # Verify OTP
+            # Check if account is locked
+            if await BookMyServiceOTPModel.is_account_locked(identifier):
+                logger.warning(f"Account locked for identifier: {identifier}")
+                raise HTTPException(status_code=423, detail="Account temporarily locked due to too many failed attempts")
+            
+            # Verify OTP with client IP tracking
             logger.debug(f"Verifying OTP for identifier: {identifier}")
-            otp_valid = await BookMyServiceOTPModel.verify_otp(identifier, otp)
+            otp_valid = await BookMyServiceOTPModel.verify_otp(identifier, otp, client_ip)
             logger.debug(f"OTP verification result: {otp_valid}")
             
             if not otp_valid:
                 logger.warning(f"Invalid or expired OTP for identifier: {identifier}")
+                # Track failed attempt
+                await BookMyServiceOTPModel.track_failed_attempt(identifier, client_ip)
                 raise HTTPException(status_code=400, detail="Invalid or expired OTP")
             
+            # Clear failed attempts on successful verification
+            await BookMyServiceOTPModel.clear_failed_attempts(identifier)
             logger.info(f"OTP verification successful for identifier: {identifier}")
             
             # Find user by identifier
@@ -108,17 +135,28 @@ class UserService:
     async def register(data: UserRegisterRequest, decoded):
         logger.info(f"Registering user with data: {data}")
 
-        if data.mode == "otp":
-            identifier = data.otpIdentifer or decoded.get("sub")
-            if not identifier:
-                raise HTTPException(status_code=400, detail="Missing verified identifier")
+        # Validate mandatory fields for all registration modes
+        if not data.name or not data.name.strip():
+            raise HTTPException(status_code=400, detail="Name is required")
+        
+        if not data.email:
+            raise HTTPException(status_code=400, detail="Email is required")
+            
+        if not data.phone or not data.phone.strip():
+            raise HTTPException(status_code=400, detail="Phone is required")
 
-            # Validate identifier format
+        if data.mode == "otp":
+            # Always use phone as the OTP identifier as per documentation
+            identifier = data.phone
+            
+            # Validate phone format
             try:
                 identifier_type = validate_identifier(identifier)
+                if identifier_type != "phone":
+                    raise ValueError("Phone number format is invalid")
                 logger.debug(f"Registration identifier type: {identifier_type}")
             except ValueError as ve:
-                logger.error(f"Invalid identifier format during registration: {str(ve)}")
+                logger.error(f"Invalid phone format during registration: {str(ve)}")
                 raise HTTPException(status_code=400, detail=str(ve))
 
             redis_key = f"bms_otp:{identifier}"
@@ -133,9 +171,44 @@ class UserService:
             user_id = f"otp_{identifier}"
 
         elif data.mode == "oauth":
+            # Validate OAuth-specific mandatory fields
             if not data.oauth_token or not data.provider:
-                raise HTTPException(status_code=400, detail="OAuth token and provider required")
-            user_id = f"{data.provider}_{data.oauth_token}"
+                raise HTTPException(status_code=400, detail="OAuth token and provider are required")
+            
+            # Extract user info from decoded token
+            user_info = decoded.get("user_info", {})
+            provider_user_id = user_info.get("sub") or user_info.get("id")
+            
+            if not provider_user_id:
+                raise HTTPException(status_code=400, detail="Invalid OAuth user information")
+            
+            # Check if this social account already exists
+            existing_social_account = await SocialAccountModel.find_by_provider_and_user_id(
+                data.provider, provider_user_id
+            )
+            
+            if existing_social_account:
+                # User already has this social account linked
+                existing_user = await BookMyServiceUserModel.collection.find_one({
+                    "user_id": existing_social_account["user_id"]
+                })
+                if existing_user:
+                    # Update social account with latest info and return existing user token
+                    await SocialAccountModel.update_social_account(data.provider, provider_user_id, user_info)
+                    
+                    token_data = {
+                        "sub": existing_user["user_id"],
+                        "user_id": existing_user["user_id"],
+                        "email": existing_user.get("email"),
+                        "phone": existing_user.get("phone"),
+                        "role": "user",
+                        "exp": datetime.utcnow() + timedelta(hours=8)
+                    }
+                    access_token = jwt.encode(token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+                    return {"access_token": access_token}
+            
+            user_id = f"{data.provider}_{provider_user_id}"
+            
         else:
             raise HTTPException(status_code=400, detail="Unsupported registration mode")
 
@@ -151,6 +224,7 @@ class UserService:
         if existing_user:
             raise HTTPException(status_code=409, detail="User with this email or phone already exists")
 
+        # Create user document
         user_doc = {
             "user_id": user_id,
             "name": data.name,
@@ -159,7 +233,20 @@ class UserService:
             "auth_mode": data.mode,
             "created_at": datetime.utcnow()
         }
+        
+        # Add profile picture from social account if available
+        if data.mode == "oauth" and user_info.get("picture"):
+            user_doc["profile_picture"] = user_info["picture"]
+        
         await BookMyServiceUserModel.collection.insert_one(user_doc)
+        logger.info(f"Created new user: {user_id}")
+
+        # Create social account record for OAuth registration
+        if data.mode == "oauth":
+            await SocialAccountModel.create_social_account(
+                user_id, data.provider, provider_user_id, user_info
+            )
+            logger.info(f"Created social account link for {data.provider}")
 
         token_data = {
             "sub": user_id,

app/utils/social_utils.py

@@ -15,6 +15,62 @@ class TokenVerificationError(Exception):
     """Custom exception for token verification errors"""
     pass
 
+class FacebookTokenVerifier:
+    def __init__(self, app_id: str, app_secret: str):
+        self.app_id = app_id
+        self.app_secret = app_secret
+    
+    async def verify_token(self, token: str) -> Dict:
+        """
+        Asynchronously verifies a Facebook access token and returns user data.
+        """
+        try:
+            # First, verify the token with Facebook's debug endpoint
+            async with httpx.AsyncClient(timeout=10.0) as client:
+                # Verify token validity
+                debug_url = f"https://graph.facebook.com/debug_token"
+                debug_params = {
+                    "input_token": token,
+                    "access_token": f"{self.app_id}|{self.app_secret}"
+                }
+                
+                debug_response = await client.get(debug_url, params=debug_params)
+                debug_response.raise_for_status()
+                debug_data = debug_response.json()
+                
+                if not debug_data.get("data", {}).get("is_valid"):
+                    raise TokenVerificationError("Invalid Facebook token")
+                
+                # Check if token is for our app
+                token_app_id = debug_data.get("data", {}).get("app_id")
+                if token_app_id != self.app_id:
+                    raise TokenVerificationError("Token not for this app")
+                
+                # Get user data
+                user_url = "https://graph.facebook.com/me"
+                user_params = {
+                    "access_token": token,
+                    "fields": "id,name,email,picture.type(large)"
+                }
+                
+                user_response = await client.get(user_url, params=user_params)
+                user_response.raise_for_status()
+                user_data = user_response.json()
+                
+                # Validate required fields
+                if not user_data.get("id"):
+                    raise TokenVerificationError("Missing user ID in Facebook response")
+                
+                logger.info(f"Successfully verified Facebook token for user: {user_data.get('email', user_data.get('id'))}")
+                return user_data
+                
+        except httpx.RequestError as e:
+            logger.error(f"Facebook token verification request failed: {str(e)}")
+            raise TokenVerificationError(f"Facebook API request failed: {str(e)}")
+        except Exception as e:
+            logger.error(f"Facebook token verification failed: {str(e)}")
+            raise TokenVerificationError(f"Invalid Facebook token: {str(e)}")
+
 class GoogleTokenVerifier:
     def __init__(self, client_id: str):
         self.client_id = client_id
@@ -140,9 +196,11 @@ class AppleTokenVerifier:
 
 # Factory class for easier usage
 class OAuthVerifier:
-    def __init__(self, google_client_id: Optional[str] = None, apple_audience: Optional[str] = None):
+    def __init__(self, google_client_id: Optional[str] = None, apple_audience: Optional[str] = None, 
+                 facebook_app_id: Optional[str] = None, facebook_app_secret: Optional[str] = None):
         self.google_verifier = GoogleTokenVerifier(google_client_id) if google_client_id else None
         self.apple_verifier = AppleTokenVerifier(apple_audience) if apple_audience else None
+        self.facebook_verifier = FacebookTokenVerifier(facebook_app_id, facebook_app_secret) if facebook_app_id and facebook_app_secret else None
     
     async def verify_google_token(self, token: str) -> Dict:
         if not self.google_verifier:
@@ -153,6 +211,11 @@ class OAuthVerifier:
         if not self.apple_verifier:
             raise TokenVerificationError("Apple verifier not configured")
         return await self.apple_verifier.verify_token(token)
+    
+    async def verify_facebook_token(self, token: str) -> Dict:
+        if not self.facebook_verifier:
+            raise TokenVerificationError("Facebook verifier not configured")
+        return await self.facebook_verifier.verify_token(token)
 
 # Convenience functions (backward compatibility)
 async def verify_google_token(token: str, client_id: str) -> Dict:
@@ -169,6 +232,13 @@ async def verify_apple_token(token: str, audience: str) -> Dict:
     verifier = AppleTokenVerifier(audience)
     return await verifier.verify_token(token)
 
+async def verify_facebook_token(token: str, app_id: str, app_secret: str) -> Dict:
+    """
+    Asynchronously verifies a Facebook access token and returns user data.
+    """
+    verifier = FacebookTokenVerifier(app_id, app_secret)
+    return await verifier.verify_token(token)
+
 # Example usage
 async def example_usage():
     # Initialize verifier