🚀 Auto-deploy from GitHub

app/api/v1/endpoints/auth.py

@@ -2,14 +2,27 @@
 Authentication endpoints for token management
 """
 from fastapi import APIRouter, HTTPException, Depends
+from fastapi.security import HTTPBearer
 from datetime import datetime, timedelta
 from typing import Dict, Any
 import jwt
 import os
-from ..schemas.auth_schemas import TokenRequest, TokenResponse
+import uuid
+from ..schemas.auth_schemas import TokenRequest, TokenResponse, UserRegistrationRequest, UserResponse
 from ....core.config import settings
+from ....services.database import (
+    get_user_by_username, 
+    get_user_by_email, 
+    create_user, 
+    verify_password, 
+    update_last_login,
+    create_user_session,
+    get_user_session,
+    revoke_user_session
+)
 
 router = APIRouter()
+security = HTTPBearer(auto_error=False)
 
 @router.post("/auth/token", response_model=TokenResponse)
 async def get_access_token(credentials: TokenRequest):
@@ -17,16 +30,27 @@ async def get_access_token(credentials: TokenRequest):
     Exchange user credentials for a temporary access token
     This endpoint allows users to authenticate and receive a JWT token
     """
-    # Example: validate user credentials against your user database
-    # For now, this is just a placeholder implementation
-    
-    if not validate_user_credentials(credentials.dict()):
+    # Validate user credentials against your Supabase database
+    user = await validate_user_credentials(credentials.dict())
+    if not user:
         raise HTTPException(status_code=401, detail="Invalid credentials")
     
+    # Update last login timestamp
+    await update_last_login(user["id"])
+    
+    # Generate unique JTI (JWT ID) for session tracking
+    jti = str(uuid.uuid4())
+    expires_at = datetime.utcnow() + timedelta(hours=24)
+    
+    # Create session in database
+    await create_user_session(user["id"], jti, expires_at)
+    
     # Generate a temporary JWT token
     payload = {
         "sub": credentials.username,
-        "exp": datetime.utcnow() + timedelta(hours=24),
+        "user_id": user["id"],
+        "jti": jti,
+        "exp": expires_at,
         "iat": datetime.utcnow(),
         "type": "access_token"
     }
@@ -71,28 +95,68 @@ async def refresh_access_token(refresh_token: str):
     except jwt.InvalidTokenError:
         raise HTTPException(status_code=401, detail="Invalid refresh token")
 
-def validate_user_credentials(credentials: Dict[str, Any]) -> bool:
+@router.post("/auth/register", response_model=UserResponse)
+async def register_user(user_data: UserRegistrationRequest):
+    """
+    Register a new user account
+    """
+    # Check if username already exists
+    existing_user = await get_user_by_username(user_data.username)
+    if existing_user:
+        raise HTTPException(status_code=400, detail="Username already exists")
+    
+    # Check if email already exists
+    existing_email = await get_user_by_email(user_data.email)
+    if existing_email:
+        raise HTTPException(status_code=400, detail="Email already registered")
+    
+    # Create new user
+    new_user = await create_user(user_data.username, user_data.email, user_data.password)
+    if not new_user:
+        raise HTTPException(status_code=500, detail="Failed to create user")
+    
+    return UserResponse(**new_user)
+
+@router.post("/auth/logout")
+async def logout_user(token: str = Depends(security)):
+    """
+    Logout user by revoking their session
     """
-    Validate user credentials against your user database
+    if not token:
+        raise HTTPException(status_code=401, detail="No token provided")
     
-    TODO: Implement your actual user validation logic here
-    This could check against:
-    - Database users table
-    - LDAP/Active Directory
-    - OAuth provider
-    - etc.
+    try:
+        secret_key = os.getenv("SECRET_KEY", "your-secret-key-change-this")
+        payload = jwt.decode(token.credentials, secret_key, algorithms=["HS256"])
+        jti = payload.get("jti")
+        
+        if jti:
+            await revoke_user_session(jti)
+            return {"message": "Successfully logged out"}
+        else:
+            raise HTTPException(status_code=400, detail="Invalid token format")
+            
+    except jwt.InvalidTokenError:
+        raise HTTPException(status_code=401, detail="Invalid token")
+
+async def validate_user_credentials(credentials: Dict[str, Any]) -> Dict[str, Any] | None:
+    """
+    Validate user credentials against your Supabase database
+    Returns user data if valid, None if invalid
     """
-    # Placeholder implementation - replace with your actual auth logic
     username = credentials.get("username")
     password = credentials.get("password")
     
-    # Example: simple hardcoded validation (NOT for production!)
-    if username == "demo" and password == "demo123":
-        return True
+    if not username or not password:
+        return None
+    
+    # Get user from database
+    user = await get_user_by_username(username)
+    if not user:
+        return None
     
-    # In a real implementation, you would:
-    # 1. Hash the password and compare with stored hash
-    # 2. Check against your user database
-    # 3. Validate any additional requirements
+    # Verify password
+    if not await verify_password(password, user["password_hash"]):
+        return None
     
-    return False
+    return user

app/api/v1/schemas/auth_schemas.py

@@ -1,8 +1,9 @@
 """
 Authentication schemas for request/response models
 """
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr
 from typing import Optional
+from datetime import datetime
 
 class TokenRequest(BaseModel):
     """Request model for token authentication"""
@@ -18,3 +19,17 @@ class TokenResponse(BaseModel):
 class RefreshTokenRequest(BaseModel):
     """Request model for token refresh"""
     refresh_token: str
+
+class UserRegistrationRequest(BaseModel):
+    """Request model for user registration"""
+    username: str
+    email: EmailStr
+    password: str
+
+class UserResponse(BaseModel):
+    """Response model for user data (without sensitive info)"""
+    id: str
+    username: str
+    email: str
+    created_at: datetime
+    last_login: Optional[datetime] = None

app/core/auth.py

@@ -8,6 +8,7 @@ import os
 import jwt
 from datetime import datetime
 from dotenv import load_dotenv
+from ..services.database import get_user_session
 
 load_dotenv()
 
@@ -17,7 +18,7 @@ def get_hf_api_key() -> str:
     """Get HuggingFace API key from environment"""
     return os.getenv("HF_API_KEY", "")
 
-def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
+async def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
     """
     Verify HuggingFace API token or JWT token
     Returns True if no authentication is required (public space) or if token is valid
@@ -46,9 +47,22 @@ def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depend
     try:
         secret_key = os.getenv("SECRET_KEY", "your-secret-key")
         payload = jwt.decode(token, secret_key, algorithms=["HS256"])
+        
         # Verify token hasn't expired
         if payload.get("exp") and datetime.fromtimestamp(payload["exp"]) < datetime.utcnow():
             raise jwt.ExpiredSignatureError("Token has expired")
+        
+        # Check if session is still valid (not revoked)
+        jti = payload.get("jti")
+        if jti:
+            session = await get_user_session(jti)
+            if not session:
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Session has been revoked",
+                    headers={"WWW-Authenticate": "Bearer"},
+                )
+        
         return True
     except jwt.InvalidTokenError:
         pass
@@ -60,7 +74,7 @@ def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depend
         headers={"WWW-Authenticate": "Bearer"},
     )
 
-def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
+async def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
     """
     Optional authentication - doesn't raise errors if no token provided
     Used for endpoints that can work with or without authentication
@@ -76,4 +90,26 @@ def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = Depends(
         return False
     
     # If credentials provided, verify them
-    return credentials.credentials == expected_token
+    token = credentials.credentials
+    
+    # Check HF API key
+    if token == expected_token:
+        return True
+    
+    # Check JWT token
+    try:
+        secret_key = os.getenv("SECRET_KEY", "your-secret-key")
+        payload = jwt.decode(token, secret_key, algorithms=["HS256"])
+        
+        if payload.get("exp") and datetime.fromtimestamp(payload["exp"]) < datetime.utcnow():
+            return False
+        
+        # Check session validity
+        jti = payload.get("jti")
+        if jti:
+            session = await get_user_session(jti)
+            return session is not None
+        
+        return True
+    except jwt.InvalidTokenError:
+        return False

app/services/database.py

@@ -1,6 +1,10 @@
 import os
 from supabase import create_client
 from dotenv import load_dotenv
+import bcrypt
+import uuid
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any
 
 load_dotenv()
 
@@ -36,3 +40,108 @@ async def save_card(supabase_client, card_data: dict):
         # Hier wäre ein besseres Logging/Fehlerhandling gut
         print(f"Error saving to Supabase: {e}")
         raise
+
+# User management functions
+async def get_user_by_username(username: str) -> Optional[Dict[str, Any]]:
+    """Get user by username from the database"""
+    try:
+        response = supabase.table("users").select("*").eq("username", username).execute()
+        if response.data:
+            return response.data[0]
+        return None
+    except Exception as e:
+        print(f"Error getting user by username: {e}")
+        return None
+
+async def get_user_by_email(email: str) -> Optional[Dict[str, Any]]:
+    """Get user by email from the database"""
+    try:
+        response = supabase.table("users").select("*").eq("email", email).execute()
+        if response.data:
+            return response.data[0]
+        return None
+    except Exception as e:
+        print(f"Error getting user by email: {e}")
+        return None
+
+async def create_user(username: str, email: str, password: str) -> Optional[Dict[str, Any]]:
+    """Create a new user with hashed password"""
+    try:
+        # Hash the password
+        password_hash = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')
+        
+        user_data = {
+            "username": username,
+            "email": email,
+            "password_hash": password_hash
+        }
+        
+        response = supabase.table("users").insert(user_data).execute()
+        if response.data:
+            return response.data[0]
+        return None
+    except Exception as e:
+        print(f"Error creating user: {e}")
+        return None
+
+async def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a password against its hash"""
+    try:
+        return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password.encode('utf-8'))
+    except Exception as e:
+        print(f"Error verifying password: {e}")
+        return False
+
+async def update_last_login(user_id: str):
+    """Update the last login timestamp for a user"""
+    try:
+        from datetime import datetime
+        current_time = datetime.utcnow().isoformat()
+        supabase.table("users").update({"last_login": current_time}).eq("id", user_id).execute()
+    except Exception as e:
+        print(f"Error updating last login: {e}")
+
+# Session management functions
+async def create_user_session(user_id: str, token_jti: str, expires_at: datetime) -> Optional[Dict[str, Any]]:
+    """Create a new user session"""
+    try:
+        session_data = {
+            "user_id": user_id,
+            "token_jti": token_jti,
+            "expires_at": expires_at.isoformat(),
+            "is_revoked": False
+        }
+        
+        response = supabase.table("user_sessions").insert(session_data).execute()
+        if response.data:
+            return response.data[0]
+        return None
+    except Exception as e:
+        print(f"Error creating user session: {e}")
+        return None
+
+async def get_user_session(token_jti: str) -> Optional[Dict[str, Any]]:
+    """Get user session by token JTI"""
+    try:
+        response = supabase.table("user_sessions").select("*").eq("token_jti", token_jti).eq("is_revoked", False).execute()
+        if response.data:
+            return response.data[0]
+        return None
+    except Exception as e:
+        print(f"Error getting user session: {e}")
+        return None
+
+async def revoke_user_session(token_jti: str):
+    """Revoke a user session"""
+    try:
+        supabase.table("user_sessions").update({"is_revoked": True}).eq("token_jti", token_jti).execute()
+    except Exception as e:
+        print(f"Error revoking user session: {e}")
+
+async def cleanup_expired_sessions():
+    """Remove expired sessions from the database"""
+    try:
+        current_time = datetime.utcnow().isoformat()
+        supabase.table("user_sessions").delete().lt("expires_at", current_time).execute()
+    except Exception as e:
+        print(f"Error cleaning up expired sessions: {e}")