🚀 Auto-deploy from GitHub

app/api/v1/endpoints/auth.py

@@ -11,6 +11,7 @@ import uuid
 import logging
 from ..schemas.auth_schemas import TokenRequest, TokenResponse, UserRegistrationRequest, UserResponse
 from ....core.config import settings
+from ....core.auth import authenticate_request, require_current_user
 from ....services.database import (
     get_user_by_username, 
     get_user_by_email, 
@@ -61,14 +62,14 @@ async def get_access_token(credentials: TokenRequest, request: Request):
     # Create session in database
     await create_user_session(user["id"], jti, expires_at)
     
-    # Generate a temporary JWT token
+    # Generate a temporary JWT token with minimal payload
     payload = {
-        "sub": credentials.username,
-        "user_id": user["id"],
-        "jti": jti,
-        "exp": expires_at,
-        "iat": datetime.utcnow(),
-        "type": "access_token"
+        "sub": credentials.username,  # Subject (username) - needed for user lookup
+        "jti": jti,                   # JWT ID for session tracking
+        "exp": expires_at,            # Expiration time
+        "iat": datetime.utcnow(),     # Issued at time
+        "type": "access_token"        # Token type
+        # Note: user_id removed - will be looked up from database using username
     }
     
     secret_key = os.getenv("SECRET_KEY", "your-secret-key-change-this")
@@ -255,6 +256,14 @@ async def logout_user(request: Request, token: str = Depends(security)):
         )
         raise HTTPException(status_code=401, detail="Invalid token")
 
+@router.get("/auth/me", response_model=UserResponse)
+async def get_current_user_info(current_user: Dict[str, Any] = Depends(require_current_user)):
+    """
+    Get current authenticated user information
+    Requires valid JWT token authentication
+    """
+    return UserResponse(**current_user)
+
 async def validate_user_credentials(credentials: Dict[str, Any]) -> Dict[str, Any] | None:
     """
     Validate user credentials against your Supabase database

app/api/v1/endpoints/download.py

@@ -3,7 +3,7 @@ from fastapi.responses import FileResponse
 from pathlib import Path
 from ....services.database import get_supabase_client # Corrected import
 from ....core.config import settings # Import settings
-from ....core.auth import verify_hf_token
+from ....core.auth import authenticate_request
 from supabase import Client
 
 router = APIRouter()
@@ -12,7 +12,7 @@ router = APIRouter()
 async def download_generated_image(
     card_id: str, # card_id from path
     supabase: Client = Depends(get_supabase_client),
-    authenticated: bool = Depends(verify_hf_token)
+    authenticated: bool = Depends(authenticate_request)
 ):
     """
     Download a custom generated image using the card_id to find the image path from Supabase.

app/api/v1/endpoints/generate.py

@@ -2,6 +2,7 @@ from fastapi import APIRouter, HTTPException, Depends
 from dotenv import load_dotenv
 from supabase import Client
 import uuid
+from typing import Optional, Dict, Any
 from ..schemas.card_schemas import CardGenerateRequest, CardGenerateResponse
 from ....core.generator import build_prompt # get_constellation wird hier nicht direkt verwendet
 from ....core.card_renderer import generate_card as render_card_sync # Umbenennen für Klarheit
@@ -10,7 +11,7 @@ from ....services.database import get_supabase_client, save_card
 from ....core.config import settings
 from ....core.model_loader import get_generator
 from ....core.constraints import generate_with_retry, check_constraints
-from ....core.auth import verify_hf_token
+from ....core.auth import authenticate_request, get_current_user
 from fastapi.concurrency import run_in_threadpool # Importieren
 
 load_dotenv()
@@ -28,12 +29,17 @@ async def generate_qr_code_async(*args, **kwargs):
 async def generate_endpoint(
     request: CardGenerateRequest, 
     supabase: Client = Depends(get_supabase_client),
-    authenticated: bool = Depends(verify_hf_token)
+    authenticated: bool = Depends(authenticate_request),
+    current_user: Optional[Dict[str, Any]] = Depends(get_current_user)
 ):
     try:
         lang = request.lang or "de"
         input_date_str = request.card_date.isoformat()
         
+        # Log user context if available
+        user_id = current_user["id"] if current_user else None
+        username = current_user["username"] if current_user else "anonymous"
+        
         card_prompt = build_prompt(
             lang=lang,
             card_date=input_date_str,

app/api/v1/endpoints/health.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, HTTPException, Depends
 from ..schemas.health_schema import HealthResponse
-from ....core.auth import verify_hf_token
+from ....core.auth import authenticate_request
 import httpx
 import asyncio
 from typing import Optional
@@ -26,7 +26,7 @@ async def check_huggingface_space():
         return "unreachable"
 
 @router.get("/health", response_model=HealthResponse)
-async def health_check(authenticated: bool = Depends(verify_hf_token)):
+async def health_check(authenticated: bool = Depends(authenticate_request)):
     """
     Health check endpoint that verifies server status, model loading status and HuggingFace space availability
     """

app/core/auth.py

@@ -1,62 +1,89 @@
 """
-Authentication middleware for HuggingFace API token validation
+Authentication middleware for JWT token validation with Supabase database integration.
+Supports dual authentication: JWT tokens for users and HuggingFace API key for admin access.
 """
 from fastapi import HTTPException, status, Depends
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-from typing import Optional
+from typing import Optional, Dict, Any
 import os
 import jwt
+import logging
 from datetime import datetime
 from dotenv import load_dotenv
-from ..services.database import get_user_session
+from ..services.database import get_user_session, get_user_by_username
 
 load_dotenv()
 
 security = HTTPBearer(auto_error=False)
+logger = logging.getLogger(__name__)
 
-def get_hf_api_key() -> str:
+def get_secret_key() -> str:
+    """Get JWT secret key from environment"""
+    secret_key = os.getenv("SECRET_KEY")
+    if not secret_key:
+        raise ValueError("SECRET_KEY environment variable not set. Cannot issue or verify JWTs.")
+    return secret_key
+
+def get_jwt_issuer() -> Optional[str]:
+    """Get JWT issuer from environment"""
+    return os.getenv("JWT_ISSUER")
+
+def get_jwt_audience() -> Optional[str]:
+    """Get JWT audience from environment"""
+    return os.getenv("JWT_AUDIENCE")
+
+def get_hf_api_key() -> Optional[str]:
     """Get HuggingFace API key from environment"""
-    return os.getenv("HF_API_KEY", "")
+    return os.getenv("HF_API_KEY")
 
-async def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
+async def authenticate_request(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
     """
-    Verify HuggingFace API token or JWT token
-    Returns True if no authentication is required (public space) or if token is valid
+    Primary authentication dependency for protected endpoints.
+    Implements dual authentication strategy:
+    1. HuggingFace API key (admin bypass) - simple string comparison
+    2. JWT token (user authentication) - cryptographic validation + session verification
+    
+    For JWT tokens:
+    - Validates signature, expiration, audience, and issuer
+    - Checks session validity in Supabase database via 'jti' claim
+    - Rejects revoked sessions
+    
+    Returns True if authentication succeeds, otherwise raises HTTPException.
     """
     expected_token = get_hf_api_key()
     
-    # If no HF_API_KEY is set, allow public access
-    if not expected_token:
-        return True
-    
-    # If HF_API_KEY is set but no credentials provided, deny access
     if not credentials:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Authentication required. Please provide a valid HuggingFace API token.",
+            detail="Authentication required. Please provide a valid JWT token or HuggingFace API key.",
             headers={"WWW-Authenticate": "Bearer"},
         )
     
     token = credentials.credentials
     
-    # Try to verify as HuggingFace API key first
-    if token == expected_token:
+    # Check HuggingFace API key first (admin bypass - performance optimization)
+    if expected_token and token == expected_token:
         return True
     
-    # Try to verify as JWT token (if you implement JWT auth)
+    # Validate JWT token with full session verification
     try:
-        secret_key = os.getenv("SECRET_KEY", "your-secret-key")
-        payload = jwt.decode(token, secret_key, algorithms=["HS256"])
-        
-        # Verify token hasn't expired
-        if payload.get("exp") and datetime.fromtimestamp(payload["exp"]) < datetime.utcnow():
-            raise jwt.ExpiredSignatureError("Token has expired")
+        secret_key = get_secret_key()
+        issuer = get_jwt_issuer()
+        audience = get_jwt_audience()
+        payload = jwt.decode(
+            token, 
+            secret_key, 
+            algorithms=["HS256"],
+            audience=audience,
+            issuer=issuer
+        )
         
         # Check if session is still valid (not revoked)
         jti = payload.get("jti")
         if jti:
             session = await get_user_session(jti)
             if not session:
+                logger.warning(f"JWT verification failed: Session has been revoked for jti: {jti}")
                 raise HTTPException(
                     status_code=status.HTTP_401_UNAUTHORIZED,
                     detail="Session has been revoked",
@@ -64,7 +91,18 @@ async def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] =
                 )
         
         return True
-    except jwt.InvalidTokenError:
+    except jwt.ExpiredSignatureError:
+        logger.warning("JWT verification failed: Token has expired")
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has expired",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    except jwt.InvalidTokenError as e:
+        logger.warning(f"JWT verification failed: Invalid token - {e}")
+        # Potential Issue: Broad exception handling. Catching InvalidTokenError is a safe default
+        # to avoid leaking error details, but it can make debugging harder.
+        # Consider logging the specific error here for internal monitoring.
         pass
     
     # If neither verification method worked, deny access
@@ -76,33 +114,32 @@ async def verify_hf_token(credentials: Optional[HTTPAuthorizationCredentials] =
 
 async def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> bool:
     """
-    Optional authentication - doesn't raise errors if no token provided
-    Used for endpoints that can work with or without authentication
+    Optional authentication - doesn't raise errors if no token provided.
+    Returns True if authentication is successful, False otherwise.
+    Used for endpoints that can work with or without authentication.
     """
-    expected_token = get_hf_api_key()
-    
-    # If no HF_API_KEY is set, allow public access
-    if not expected_token:
-        return True
-    
-    # If no credentials provided, still allow access (optional auth)
     if not credentials:
         return False
     
-    # If credentials provided, verify them
     token = credentials.credentials
+    expected_token = get_hf_api_key()
     
     # Check HF API key
-    if token == expected_token:
+    if expected_token and token == expected_token:
         return True
     
     # Check JWT token
     try:
-        secret_key = os.getenv("SECRET_KEY", "your-secret-key")
-        payload = jwt.decode(token, secret_key, algorithms=["HS256"])
-        
-        if payload.get("exp") and datetime.fromtimestamp(payload["exp"]) < datetime.utcnow():
-            return False
+        secret_key = get_secret_key()
+        issuer = get_jwt_issuer()
+        audience = get_jwt_audience()
+        payload = jwt.decode(
+            token, 
+            secret_key, 
+            algorithms=["HS256"],
+            audience=audience,
+            issuer=issuer
+        )
         
         # Check session validity
         jti = payload.get("jti")
@@ -113,3 +150,78 @@ async def optional_auth(credentials: Optional[HTTPAuthorizationCredentials] = De
         return True
     except jwt.InvalidTokenError:
         return False
+
+async def get_current_user(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> Optional[Dict[str, Any]]:
+    """
+    Extract authenticated user data from JWT token.
+    
+    Returns:
+    - User data dict if authenticated with valid JWT token
+    - None if using HuggingFace API key (no user context)
+    - None if not authenticated or invalid token
+    
+    For JWT tokens:
+    - Validates token signature and session in Supabase
+    - Retrieves full user data from database using 'sub' claim (username)
+    """
+    if not credentials:
+        return None
+    
+    token = credentials.credentials
+    
+    # Check if it's an HF API key (these don't have user context)
+    expected_hf_token = get_hf_api_key()
+    if expected_hf_token and token == expected_hf_token:
+        return None  # HF API key users don't have user context
+    
+    # Try to decode JWT token
+    try:
+        secret_key = get_secret_key()
+        issuer = get_jwt_issuer()
+        audience = get_jwt_audience()
+        payload = jwt.decode(
+            token, 
+            secret_key, 
+            algorithms=["HS256"],
+            audience=audience,
+            issuer=issuer
+        )
+        
+        # Check if session is still valid
+        jti = payload.get("jti")
+        if jti:
+            session = await get_user_session(jti)
+            if not session:
+                return None
+        
+        # Get user data from database using username from token
+        username = payload.get("sub")
+        if username:
+            user = await get_user_by_username(username)
+            return user
+        
+        return None
+    except jwt.InvalidTokenError:
+        return None
+
+async def require_current_user(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> Dict[str, Any]:
+    """
+    Extract authenticated user data from JWT token - mandatory authentication.
+    
+    Use this dependency for endpoints that require user authentication.
+    Raises HTTPException if:
+    - No credentials provided
+    - Using HuggingFace API key (no user context)
+    - Invalid or expired JWT token
+    - Revoked session
+    
+    Returns: User data dict from Supabase database
+    """
+    user = await get_current_user(credentials)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required. Please provide a valid JWT token.",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return user

docs/authentication.md

@@ -0,0 +1,105 @@
+# Authentication System Documentation
+
+## Übersicht
+
+Das Authentifizierungssystem unterstützt zwei Arten von Tokens:
+1. **HuggingFace API Keys** - für API-Zugriff ohne Benutzerkontext
+2. **JWT Tokens** - für authentifizierte Benutzer mit Benutzerkontext
+
+## Dependency Functions
+
+### 1. `verify_hf_token()`
+- **Zweck**: Grundlegende Authentifizierung
+- **Rückgabe**: `bool` - True wenn authentifiziert
+- **Verwendung**: Für Endpoints, die Authentifizierung benötigen, aber keinen Benutzerkontext
+
+```python
+@router.post("/some-endpoint")
+async def endpoint(authenticated: bool = Depends(verify_hf_token)):
+    # Endpoint Logic
+```
+
+### 2. `get_current_user()`
+- **Zweck**: Optionale Benutzer-Extraktion
+- **Rückgabe**: `Optional[Dict[str, Any]]` - Benutzerdaten oder None
+- **Verwendung**: Für Endpoints, die optional Benutzerkontext nutzen können
+
+```python
+@router.post("/some-endpoint")
+async def endpoint(
+    authenticated: bool = Depends(verify_hf_token),
+    current_user: Optional[Dict[str, Any]] = Depends(get_current_user)
+):
+    if current_user:
+        user_id = current_user["id"]
+        username = current_user["username"]
+    # Endpoint Logic
+```
+
+### 3. `require_current_user()`
+- **Zweck**: Pflicht-Benutzer-Authentifizierung
+- **Rückgabe**: `Dict[str, Any]` - Benutzerdaten (oder 401 Error)
+- **Verwendung**: Für Endpoints, die definitiv einen authentifizierten Benutzer benötigen
+
+```python
+@router.post("/user-only-endpoint")
+async def endpoint(current_user: Dict[str, Any] = Depends(require_current_user)):
+    user_id = current_user["id"]
+    username = current_user["username"]
+    # Endpoint Logic
+```
+
+## Token-Payload
+
+Das JWT Token enthält minimale Informationen:
+
+```json
+{
+  "sub": "username",           // Username für Datenbanksuche
+  "jti": "unique-session-id",  // Session-Tracking
+  "exp": 1735689600,          // Ablaufzeit
+  "iat": 1735603200,          // Ausstellungszeit
+  "type": "access_token"       // Token-Typ
+}
+```
+
+**Wichtig**: Die `user_id` wird nicht mehr im Token gespeichert, sondern zur Laufzeit aus der Datenbank geholt.
+
+## Neue Endpoints
+
+### GET `/api/v1/auth/me`
+Gibt Informationen über den aktuell authentifizierten Benutzer zurück.
+
+**Authentifizierung**: JWT Token erforderlich
+**Response**: UserResponse-Schema
+
+```bash
+curl -H "Authorization: Bearer <jwt_token>" \
+     http://localhost:8000/api/v1/auth/me
+```
+
+## Sicherheitsverbesserungen
+
+1. **Minimaler Token-Payload**: Sensible Daten werden nicht im Token gespeichert
+2. **Session-Tracking**: Jeder Token ist mit einer Session in der Datenbank verknüpft
+3. **Flexible Authentifizierung**: Verschiedene Dependency-Funktionen für verschiedene Anwendungsfälle
+4. **Token-Widerruf**: Sessions können serverseitig widerrufen werden
+
+## Best Practices
+
+1. **SECRET_KEY sicher setzen**:
+   ```bash
+   export SECRET_KEY=$(openssl rand -hex 32)
+   ```
+
+2. **Richtige Dependency wählen**:
+   - `verify_hf_token`: Grundlegende Auth ohne Benutzerkontext
+   - `get_current_user`: Optionaler Benutzerkontext
+   - `require_current_user`: Pflicht-Benutzerkontext
+
+3. **Benutzer-Logging**: Nutzen Sie `current_user` für Audit-Logs
+
+```python
+if current_user:
+    logger.info(f"Action performed by user {current_user['username']} (ID: {current_user['id']})")
+```

tests/test_authentication.py

@@ -120,7 +120,33 @@ def main():
                 "lang": "en"
             },
             "should_succeed": False
-        }
+        },
+        
+        # Test new user info endpoint
+        {
+            "name": "Get Current User (Valid JWT - after login)",
+            "endpoint": "/api/v1/auth/me",
+            "method": "GET",
+            "headers": {},  # Will be filled after login
+            "should_succeed": True,
+            "requires_jwt": True
+        },
+        
+        {
+            "name": "Get Current User (No Auth)",
+            "endpoint": "/api/v1/auth/me", 
+            "method": "GET",
+            "headers": no_auth_headers,
+            "should_succeed": False
+        },
+        
+        {
+            "name": "Get Current User (HF API Key)",
+            "endpoint": "/api/v1/auth/me",
+            "method": "GET", 
+            "headers": auth_headers,
+            "should_succeed": False  # HF API key should not work for user endpoints
+        },
     ]
     
     results = []