code

CLAUDE.md

@@ -0,0 +1,194 @@
+# Claude Code Instructions: Backend - Task Management API
+
+## Project Context
+
+This is the backend component of "The Evolution of Todo" - Phase II, a full-stack web application for managing personal tasks with user authentication. Built with FastAPI, SQLModel, Python 3.13+, and PostgreSQL, following RESTful API design principles with automatic OpenAPI documentation.
+
+## Project Constitution (MANDATORY - Read Carefully)
+
+You MUST follow the constitutional requirements defined in the root `.specify/memory/constitution.md`:
+
+### Core Principles (MANDATORY)
+1. **Spec-Driven Development Only**: All features must be implemented from approved specifications in `specs/`
+2. **AI as Primary Developer**: Humans write specs, Claude Code implements all code
+3. **Mandatory Traceability**: Complete audit trail (ADR → Spec → Plan → Tasks → Implementation → Tests)
+4. **Test-First Mandate**: Minimum 80% coverage target (pytest backend, Jest frontend, Playwright E2E)
+5. **Evolutionary Consistency**: Phase II extends Phase I without breaking changes
+
+### Phase II Backend Technology Stack Requirements (MANDATORY)
+
+#### FastAPI Framework + SQLModel ORM (NOT raw SQLAlchemy)
+- Python 3.13+ with UV package manager
+- SQLModel ORM for type-safe database operations (NOT raw SQLAlchemy)
+- Pydantic v2 for request/response validation and serialization
+- Automatic OpenAPI/Swagger documentation generation
+- Async/await patterns for non-blocking I/O
+- Dependency injection for testability
+
+#### Security Requirements (NON-NEGOTIABLE)
+- User Data Isolation: ALL database queries MUST filter by user_id
+- Authorization: verify user_id in URL matches authenticated user
+- Return 404 (NOT 403) for unauthorized access attempts
+- SQL injection prevention via SQLModel parameterized queries
+- JWT validation on all protected endpoints
+- Password hashing with bcrypt (NEVER plaintext passwords)
+
+#### API Design Standards
+- RESTful resource naming (`/api/tasks`, not `/api/getTasks`)
+- Standard HTTP methods (GET, POST, PUT, PATCH, DELETE)
+- Consistent error response format (JSON with status, message, details)
+- Proper HTTP status codes (200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 404 Not Found, 500 Internal Server Error)
+- Type-safe request/response schemas using Pydantic
+
+## Current Feature Context
+
+**Feature**: Task CRUD Operations with Authentication (001-task-crud-auth)
+**Spec**: `../specs/001-task-crud-auth/spec.md`
+**Plan**: `../specs/001-task-crud-auth/plan.md`
+**Tasks**: `../specs/001-task-crud-auth/tasks.md`
+
+### User Stories (Priority Order):
+1. **US1 (P1)**: User Registration - New users can create accounts
+2. **US2 (P1)**: User Login - Registered users can authenticate
+3. **US3 (P2)**: View All My Tasks - Display user's tasks with data isolation
+4. **US4 (P2)**: Create New Task - Add tasks with title/description
+5. **US5 (P3)**: Mark Task Complete/Incomplete - Toggle completion status
+6. **US6 (P3)**: Update Task - Edit task title/description
+7. **US7 (P4)**: Delete Task - Remove tasks permanently
+
+### Key Entities
+- **User**: id (UUID), email (unique, indexed), password_hash (bcrypt), account timestamps
+- **Task**: id (int), user_id (FK, indexed), title (1-200 chars), description (0-1000 chars), completed (bool, indexed), task timestamps
+
+## Implementation Guidelines
+
+### Database Layer (SQLModel)
+- Use SQLModel models with proper relationships and constraints
+- Add indexes on critical fields (user_id for performance, completed for filtering)
+- Implement proper foreign key relationships
+- Use automatic timestamp fields (created_at, updated_at)
+- Follow SQLModel best practices for type safety
+
+### Authentication Layer
+- Implement JWT-based authentication with 7-day expiration
+- Store secrets in environment variables (BETTER_AUTH_SECRET)
+- Validate JWT tokens on all protected endpoints
+- Return httpOnly cookies for secure token storage
+- Hash passwords with bcrypt before storing
+
+### Authorization Layer (CRITICAL - Security)
+- ALL database queries must filter by user_id (100% data isolation)
+- Verify user_id in URL paths matches authenticated user (return 404 if mismatch)
+- Use dependency injection for authentication (get_current_user)
+- Return 404 (not 403) for unauthorized access to prevent information leakage
+- Implement proper role-based access if needed (though user isolation is primary)
+
+### API Design
+- Use FastAPI routers for endpoint organization
+- Implement proper request/response validation with Pydantic schemas
+- Follow RESTful conventions for resource naming and HTTP methods
+- Include comprehensive API documentation via FastAPI auto-generation
+- Handle errors consistently with proper HTTP status codes
+
+### Error Handling
+- Use HTTPException for API errors with appropriate status codes
+- Implement custom exception handlers for consistent error responses
+- Log errors for debugging while protecting sensitive information from users
+- Provide user-friendly error messages without exposing system details
+
+## Quality Standards
+
+### Code Quality
+- Clean, readable, well-documented code
+- Follow Python PEP 8 standards
+- Use type hints for all public interfaces
+- Implement separation of concerns (models, schemas, routers, middleware, utils)
+- No circular dependencies between modules
+
+### Security
+- Parameterized queries via SQLModel to prevent SQL injection
+- Input validation and sanitization to prevent XSS
+- Proper authentication and authorization on all endpoints
+- Secure password handling with bcrypt
+- Environment variable configuration for secrets
+
+### Performance
+- Proper indexing on database queries (especially user_id)
+- Efficient database queries with proper joins when needed
+- Async/await patterns for non-blocking operations
+- Connection pooling for database operations
+
+### Testing Requirements
+- Unit tests for models and utility functions
+- API integration tests for all endpoints
+- Authentication and authorization tests (especially user isolation)
+- Database transaction tests
+- Error handling tests
+
+### Documentation
+- Type hints for all public interfaces
+- Docstrings for complex functions
+- API documentation via FastAPI auto-generation
+- Inline comments for complex business logic only
+
+## File Structure
+
+```
+backend/
+├── src/
+│   ├── main.py                    # FastAPI app entry point and configuration
+│   ├── config.py                  # Configuration management (env vars, settings)
+│   ├── database.py                # Database connection and session management
+│   ├── models/                    # SQLModel database models
+│   │   ├── __init__.py
+│   │   ├── user.py                # User model with authentication fields
+│   │   └── task.py                # Task model with user relationship
+│   ├── schemas/                   # Pydantic request/response schemas
+│   │   ├── __init__.py
+│   │   ├── auth.py                # Auth request/response schemas
+│   │   └── task.py                # Task request/response schemas
+│   ├── routers/                   # API route handlers
+│   │   ├── __init__.py
+│   │   ├── auth.py                # Authentication endpoints (register, login)
+│   │   └── tasks.py               # Task CRUD endpoints
+│   ├── middleware/                # FastAPI middleware
+│   │   ├── __init__.py
+│   │   └── auth.py                # JWT validation middleware
+│   └── utils/                     # Utility functions
+│       ├── __init__.py
+│       ├── security.py            # Password hashing, JWT utilities
+│       └── deps.py                # Dependency injection functions
+├── tests/                         # Backend tests
+│   ├── conftest.py                # pytest fixtures (test database, client)
+│   ├── unit/                      # Unit tests
+│   │   ├── test_models.py         # Model validation tests
+│   │   └── test_security.py       # Security utility tests
+│   └── integration/               # API integration tests
+│       ├── test_auth.py           # Authentication flow tests
+│       ├── test_tasks.py          # Task CRUD operation tests
+│       └── test_user_isolation.py # User data isolation tests (CRITICAL)
+├── alembic/                       # Database migrations
+│   ├── versions/                  # Migration files
+│   ├── env.py                     # Alembic environment
+│   └── alembic.ini                # Alembic configuration
+├── .env                           # Backend environment variables
+├── pyproject.toml                 # UV project configuration
+├── uv.lock                        # UV lock file
+└── CLAUDE.md                      # Backend-specific agent instructions
+```
+
+## Working with Claude Code
+
+1. **Follow Specifications**: Implement exactly what's in the spec, nothing more/less
+2. **Maintain Security**: Never compromise user data isolation requirements
+3. **Keep User Focus**: Remember this is for individual task management
+4. **Test Thoroughly**: Implement tests for all acceptance scenarios, especially security
+5. **Stay Organized**: Follow the defined project structure
+
+## Success Metrics
+
+- API endpoints respond in under 200ms (p95)
+- 100% user data isolation (no cross-user data access)
+- 95%+ of API requests succeed
+- 80%+ test coverage across all layers
+- Proper error handling with appropriate HTTP status codes

Dockerfile

@@ -0,0 +1,19 @@
+# Base Image
+FROM python:3.11-slim
+
+# Set work directory
+WORKDIR /app
+
+# Install Dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+
+# Copy application code
+COPY . .
+
+# Expose the port Hugging Face expects
+EXPOSE 7860
+
+# Command to run FastAPI with uvicorn
+CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "7860"]

alembic.ini

@@ -0,0 +1,147 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts.
+# this is typically a path given in POSIX (e.g. forward slashes)
+# format, relative to the token %(here)s which refers to the location of this
+# ini file
+script_location = %(here)s/alembic
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
+# for all available tokens
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.  for multiple paths, the path separator
+# is defined by "path_separator" below.
+prepend_sys_path = .
+
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the tzdata library which can be installed by adding
+# `alembic[tz]` to the pip requirements.
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to <script_location>/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "path_separator"
+# below.
+# version_locations = %(here)s/bar:%(here)s/bat:%(here)s/alembic/versions
+
+# path_separator; This indicates what character is used to split lists of file
+# paths, including version_locations and prepend_sys_path within configparser
+# files such as alembic.ini.
+# The default rendered in new alembic.ini files is "os", which uses os.pathsep
+# to provide os-dependent path splitting.
+#
+# Note that in order to support legacy alembic.ini files, this default does NOT
+# take place if path_separator is not present in alembic.ini.  If this
+# option is omitted entirely, fallback logic is as follows:
+#
+# 1. Parsing of the version_locations option falls back to using the legacy
+#    "version_path_separator" key, which if absent then falls back to the legacy
+#    behavior of splitting on spaces and/or commas.
+# 2. Parsing of the prepend_sys_path option falls back to the legacy
+#    behavior of splitting on spaces, commas, or colons.
+#
+# Valid values for path_separator are:
+#
+# path_separator = :
+# path_separator = ;
+# path_separator = space
+# path_separator = newline
+#
+# Use os.pathsep. Default configuration used for new projects.
+path_separator = os
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+# database URL.  This is consumed by the user-maintained env.py script only.
+# other means of configuring database URLs may be customized within the env.py
+# file.
+sqlalchemy.url = postgresql://postgres:postgres@localhost:5432/todoapp
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the module runner, against the "ruff" module
+# hooks = ruff
+# ruff.type = module
+# ruff.module = ruff
+# ruff.options = check --fix REVISION_SCRIPT_FILENAME
+
+# Alternatively, use the exec runner to execute a binary found on your PATH
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = ruff
+# ruff.options = check --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration.  This is also consumed by the user-maintained
+# env.py script only.
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARNING
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARNING
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

alembic/README

@@ -0,0 +1 @@
+Generic single-database configuration.

alembic/env.py

@@ -0,0 +1,83 @@
+from logging.config import fileConfig
+import sys
+import os
+
+# Add the backend directory to the path so we can import our models
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# Import our models to make them available for Alembic
+from src.models.user import User
+from src.models.task import Task
+from src.database import SQLModel
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# Set the target_metadata to our SQLModel's metadata
+target_metadata = SQLModel.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

alembic/script.py.mako

@@ -0,0 +1,28 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, Sequence[str], None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    ${downgrades if downgrades else "pass"}

alembic/versions/20251221_164149_initial_migration_for_users_and_tasks_tables.py

@@ -0,0 +1,65 @@
+"""Initial migration for users and tasks tables
+
+Revision ID: 20251221_164149
+Revises:
+Create Date: 2025-12-21 16:41:49.000000
+
+"""
+from typing import Sequence, Union
+from datetime import datetime
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+from sqlalchemy.dialects import postgresql
+
+
+# revision identifiers, used by Alembic.
+revision: str = '20251221_164149'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create users table
+    op.create_table('user',
+        sa.Column('id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('email', sa.String(), nullable=False),
+        sa.Column('password_hash', sa.String(), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('updated_at', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+        sa.UniqueConstraint('email')
+    )
+
+    # Create index for email field
+    op.create_index(op.f('ix_user_email'), 'user', ['email'])
+
+    # Create tasks table
+    op.create_table('task',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('title', sa.String(), nullable=False),
+        sa.Column('description', sa.String(), nullable=True),
+        sa.Column('completed', sa.Boolean(), nullable=False),
+        sa.Column('user_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('updated_at', sa.DateTime(), nullable=False),
+        sa.ForeignKeyConstraint(['user_id'], ['user.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+
+    # Create indexes for user_id and completed fields
+    op.create_index(op.f('ix_task_user_id'), 'task', ['user_id'])
+    op.create_index(op.f('ix_task_completed'), 'task', ['completed'])
+
+
+def downgrade() -> None:
+    # Drop indexes
+    op.drop_index(op.f('ix_task_completed'), table_name='task')
+    op.drop_index(op.f('ix_task_user_id'), table_name='task')
+    op.drop_index(op.f('ix_user_email'), table_name='user')
+
+    # Drop tables
+    op.drop_table('task')
+    op.drop_table('user')

run_migrations.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+"""
+Script to run Alembic migrations for the task management application.
+
+This script demonstrates how to run the database migrations when PostgreSQL is available.
+
+To run migrations in a real environment:
+
+1. Make sure PostgreSQL is running:
+   docker-compose up -d db
+
+2. Run this script:
+   python run_migrations.py
+
+Or run directly with Alembic:
+   cd backend
+   alembic upgrade head
+"""
+
+import subprocess
+import sys
+import os
+
+def run_migrations():
+    """Run alembic migrations to create database tables."""
+    print("Attempting to run Alembic migrations...")
+    print("Migration file created: alembic/versions/20251221_164149_initial_migration_for_users_and_tasks_tables.py")
+    print()
+    print("To execute the migration, please ensure PostgreSQL is running and run:")
+    print("  cd backend")
+    print("  alembic upgrade head")
+    print()
+    print("Or using the environment-specific command:")
+    print("  DATABASE_URL=postgresql://postgres:postgres@localhost:5432/todoapp alembic upgrade head")
+    print()
+    print("The migration will create:")
+    print("- users table with id, email, password_hash, created_at, updated_at")
+    print("- tasks table with id, title, description, completed, user_id, created_at, updated_at")
+    print("- proper indexes and foreign key relationships")
+
+if __name__ == "__main__":
+    run_migrations()

src/config.py

@@ -0,0 +1,45 @@
+from pydantic_settings import BaseSettings
+from pydantic import Field
+from typing import Optional
+
+
+class Settings(BaseSettings):
+    """
+    Application settings loaded from environment variables.
+    """
+    # Database settings
+    database_url: str = Field(default="postgresql://postgres:postgres@localhost:5432/todoapp", alias="DATABASE_URL")
+
+    # Authentication settings
+    auth_secret: str = Field(default="dev_secret_for_development_do_not_use_in_production", alias="SECRET_KEY")
+    jwt_algorithm: str = Field(default="HS256", alias="ALGORITHM")
+    jwt_expiration_minutes: int = Field(default=10080, alias="ACCESS_TOKEN_EXPIRE_MINUTES")  # 7 days
+
+    # Server settings
+    server_host: str = Field(default="0.0.0.0", alias="SERVER_HOST")
+    server_port: int = Field(default=8000, alias="SERVER_PORT")
+    debug: bool = Field(default=True, alias="DEBUG")
+
+    # CORS settings
+    frontend_url: str = Field(default="http://localhost:3000", alias="FRONTEND_URL")
+    DATABASE_URL: str = "postgresql://neondb_owner:npg_LE9V4bojIRQD@ep-blue-block-ahgb84lf-pooler.c-3.us-east-1.aws.neon.tech/neondb?sslmode=require&channel_binding=require"
+
+    # Authentication settings
+    AUTH_SECRET: str = "dev_secret_for_development_do_not_use_in_production"
+    JWT_ALGORITHM: str = "HS256"
+    JWT_EXPIRATION_MINUTES: int = 10080  # 7 days
+
+    # Server settings
+    SERVER_HOST: str = "0.0.0.0"
+    SERVER_PORT: int = 8000
+    DEBUG: bool = True
+
+    # CORS settings
+    FRONTEND_URL: str = "http://localhost:3000"
+
+    class Config:
+        env_file = ".env"
+        case_sensitive = True
+
+
+settings = Settings()

src/database.py

@@ -0,0 +1,50 @@
+from sqlalchemy import create_engine
+from sqlalchemy.pool import QueuePool
+from sqlalchemy.orm import sessionmaker, Session
+from contextlib import contextmanager
+from typing import Generator
+from .config import settings
+from sqlmodel import SQLModel
+
+
+# Create the database engine with connection pooling
+engine = create_engine(
+    settings.DATABASE_URL,
+    poolclass=QueuePool,
+    pool_size=5,
+    max_overflow=10,
+    pool_pre_ping=True,  # Verify connections before use
+    pool_recycle=300,    # Recycle connections every 5 minutes
+    echo=settings.DEBUG  # Log SQL queries in debug mode
+)
+
+# Create a SessionLocal class for database sessions
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+
+def get_db_session() -> Generator[Session, None, None]:
+    """
+    Generator function for FastAPI dependency injection.
+    Provides database sessions and ensures they're properly closed.
+
+    Yields:
+        Session: Database session that will be automatically closed
+    """
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+
+@contextmanager
+def get_db() -> Generator[Session, None, None]:
+    """
+    Context manager for database sessions.
+    Ensures the database session is properly closed after use.
+    """
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

src/main.py

@@ -0,0 +1,45 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from .database import engine
+from .models import user, task  # Import models to register them with SQLModel
+
+def create_app():
+    app = FastAPI(
+        title="Task Management API",
+        description="API for managing tasks with user authentication",
+        version="1.0.0"
+    )
+
+    # Add CORS middleware
+    # Note: When allow_credentials=True, you cannot use wildcard '*' for origins
+    # Must specify exact origins
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=["http://localhost:3000"],  # Frontend origin
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+
+    # Import and include routers
+    from .routers import auth, tasks
+    app.include_router(auth.router, prefix="/api", tags=["authentication"])
+    app.include_router(tasks.router, prefix="/api", tags=["tasks"])
+
+    @app.get("/")
+    def read_root():
+        return {"message": "Task Management API"}
+
+    @app.get("/health")
+    def health_check():
+        return {"status": "healthy"}
+
+    return app
+
+app = create_app()
+
+# Create database tables on startup (for development)
+@app.on_event("startup")
+def on_startup():
+    from sqlmodel import SQLModel
+    SQLModel.metadata.create_all(bind=engine)

src/middleware/auth.py

@@ -0,0 +1,98 @@
+from fastapi import Request, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from typing import Optional
+from src.utils.security import verify_token
+from src.models.user import User
+from sqlalchemy.orm import Session
+from src.database import get_db_session
+
+
+class JWTBearer(HTTPBearer):
+    """
+    JWT Bearer token authentication middleware.
+    """
+    def __init__(self, auto_error: bool = True):
+        super(JWTBearer, self).__init__(auto_error=auto_error)
+
+    async def __call__(self, request: Request) -> Optional[str]:
+        """
+        Validate JWT token from request.
+
+        Args:
+            request: FastAPI request object
+
+        Returns:
+            str: The validated token if valid, None if invalid and auto_error is False
+
+        Raises:
+            HTTPException: If token is invalid and auto_error is True
+        """
+        credentials: HTTPAuthorizationCredentials = await super(JWTBearer, self).__call__(request)
+
+        if credentials:
+            if not credentials.scheme == "Bearer":
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Invalid authentication scheme."
+                )
+            token = credentials.credentials
+        else:
+            # Try to get token from cookie as fallback
+            token = request.cookies.get("access_token")
+            if not token:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="No token provided."
+                )
+
+        # Verify the token
+        payload = verify_token(token)
+        if payload is None:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Invalid or expired token."
+            )
+
+        # Add user ID to request state for later use
+        user_id = payload.get("sub")
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Invalid token payload."
+            )
+
+        request.state.user_id = user_id
+        return token
+
+
+def verify_user_access(user_id: str, authenticated_user_id: str) -> bool:
+    """
+    Verify that the requested user ID matches the authenticated user ID.
+
+    Args:
+        user_id: The user ID from the request path/params
+        authenticated_user_id: The user ID from the JWT token
+
+    Returns:
+        bool: True if the IDs match, False otherwise
+    """
+    return user_id == authenticated_user_id
+
+
+def get_current_user_from_request(request: Request) -> str:
+    """
+    Get the authenticated user ID from the request state.
+
+    Args:
+        request: FastAPI request object
+
+    Returns:
+        str: The authenticated user ID
+    """
+    if hasattr(request.state, 'user_id'):
+        return request.state.user_id
+    else:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not authenticated"
+        )

src/models/task.py

@@ -0,0 +1,33 @@
+from datetime import datetime
+from typing import TYPE_CHECKING, Optional
+from uuid import UUID
+
+from sqlalchemy import event
+from sqlmodel import Field, SQLModel, Relationship
+
+if TYPE_CHECKING:
+    from .user import User
+
+
+class TaskBase(SQLModel):
+    """Base model for Task with common fields."""
+    title: str = Field(min_length=1, max_length=200, nullable=False)
+    description: Optional[str] = Field(default=None, max_length=1000)
+    completed: bool = Field(default=False)
+
+
+class Task(TaskBase, table=True):
+    """Task model for the task management application."""
+    id: int = Field(default=None, primary_key=True)
+    user_id: UUID = Field(foreign_key="user.id", index=True, nullable=False)
+    created_at: datetime = Field(default_factory=datetime.utcnow, nullable=False)
+    updated_at: datetime = Field(default_factory=datetime.utcnow, nullable=False)
+
+    # Relationship to User
+    user: "User" = Relationship(back_populates="tasks")
+
+
+# SQLAlchemy event listener to update the updated_at field before each update
+@event.listens_for(Task, "before_update")
+def update_updated_at(mapper, connection, target):
+    target.updated_at = datetime.utcnow()

src/models/user.py

@@ -0,0 +1,31 @@
+from datetime import datetime
+from typing import TYPE_CHECKING, Optional
+from uuid import UUID, uuid4
+
+from sqlalchemy import event
+from sqlmodel import Field, SQLModel, Relationship
+
+if TYPE_CHECKING:
+    from .task import Task
+
+
+class UserBase(SQLModel):
+    """Base model for User with common fields."""
+    email: str = Field(unique=True, index=True, nullable=False)
+
+
+class User(UserBase, table=True):
+    """User model for the task management application."""
+    id: UUID = Field(default_factory=uuid4, primary_key=True)
+    password_hash: str = Field(nullable=False)
+    created_at: datetime = Field(default_factory=datetime.utcnow, nullable=False)
+    updated_at: datetime = Field(default_factory=datetime.utcnow, nullable=False)
+
+    # Relationship to tasks
+    tasks: list["Task"] = Relationship(back_populates="user")
+
+
+# SQLAlchemy event listener to update the updated_at field before each update
+@event.listens_for(User, "before_update")
+def update_updated_at(target, value, oldvalue, initiator):
+    target.updated_at = datetime.utcnow()

src/routers/auth.py

@@ -0,0 +1,161 @@
+from fastapi import APIRouter, Depends, HTTPException, status, Response, Request
+from sqlalchemy.orm import Session
+from typing import Any
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+
+from src.schemas.auth import RegisterRequest, RegisterResponse, LoginRequest, LoginResponse
+from src.models.user import User
+from src.utils.security import get_password_hash, verify_password, create_access_token, verify_token
+from src.utils.deps import get_db
+
+router = APIRouter(tags=["Authentication"])
+
+
+@router.post("/register", response_model=RegisterResponse)
+def register(user_data: RegisterRequest, db: Session = Depends(get_db)) -> RegisterResponse:
+    """
+    Register a new user with email and password.
+
+    Args:
+        user_data: Registration request containing email and password
+        db: Database session dependency
+
+    Returns:
+        RegisterResponse: Created user information
+
+    Raises:
+        HTTPException: If email is invalid format (handled by Pydantic) or email already exists
+    """
+    # Check if user with this email already exists
+    existing_user = db.query(User).filter(User.email == user_data.email).first()
+    if existing_user:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail="An account with this email already exists"
+        )
+
+    # Validate password length (minimum 8 characters)
+    if len(user_data.password) < 8:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Password must be at least 8 characters"
+        )
+
+    # Create password hash (password truncation to 72 bytes is handled in get_password_hash)
+    password_hash = get_password_hash(user_data.password)
+
+    # Create new user
+    user = User(
+        email=user_data.email,
+        password_hash=password_hash
+    )
+
+    # Add user to database
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    # Return response
+    return RegisterResponse(
+        id=str(user.id),
+        email=user.email,
+        created_at=user.created_at
+    )
+
+
+@router.post("/login", response_model=LoginResponse)
+def login(login_data: LoginRequest, response: Response, db: Session = Depends(get_db)) -> LoginResponse:
+    """
+    Authenticate user and return JWT token.
+
+    Args:
+        login_data: Login request containing email and password
+        response: FastAPI response object to set cookies
+        db: Database session dependency
+
+    Returns:
+        LoginResponse: JWT token and user information
+
+    Raises:
+        HTTPException: If credentials are invalid
+    """
+    # Find user by email
+    user = db.query(User).filter(User.email == login_data.email).first()
+
+    # Check if user exists and password is correct (password truncation to 72 bytes is handled in verify_password)
+    if not user or not verify_password(login_data.password, user.password_hash):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid email or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Create access token
+    access_token = create_access_token(data={"sub": str(user.id)})
+
+    # Set the token in an httpOnly cookie for security
+    response.set_cookie(
+        key="access_token",
+        value=access_token,
+        httponly=True,
+        secure=False,  # Set to True in production with HTTPS
+        samesite="lax",  # Protects against CSRF
+        max_age=604800  # 7 days in seconds
+    )
+
+    # Return response
+    return LoginResponse(
+        access_token=access_token,
+        token_type="bearer",
+        user_id=str(user.id),
+        email=user.email
+    )
+
+
+@router.get("/me")
+def get_current_user(request: Request, db: Session = Depends(get_db)):
+    """
+    Get current authenticated user information.
+    This endpoint is used to check if a user is authenticated and get their info.
+    """
+    # Get the token from cookies
+    token = request.cookies.get("access_token")
+    
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    # Verify the token
+    payload = verify_token(token)
+    if not payload:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    # Get user ID from token
+    user_id = payload.get("sub")
+    if not user_id:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token payload",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    # Get user from database
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not found",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    
+    return {
+        "user_id": str(user.id),
+        "email": user.email
+    }

src/routers/tasks.py

@@ -0,0 +1,142 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+from uuid import UUID
+from datetime import datetime
+
+from src.schemas.task import TaskResponse, TaskListResponse, TaskCreateRequest, TaskPatchRequest, TaskUpdateRequest
+from src.models.task import Task
+from src.models.user import User
+from src.utils.deps import get_db, get_current_user
+from src.utils.security import verify_token
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+
+router = APIRouter(tags=["Tasks"])
+
+security = HTTPBearer()
+
+
+@router.get("/{user_id}/tasks", response_model=TaskListResponse)
+def get_user_tasks(
+    user_id: UUID,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    if user_id != current_user.id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    tasks = (
+        db.query(Task)
+        .filter(Task.user_id == current_user.id)
+        .order_by(Task.created_at.desc())
+        .all()
+    )
+
+    return TaskListResponse(
+        tasks=tasks,
+        total=len(tasks),
+    )
+
+@router.post("/{user_id}/tasks", response_model=TaskResponse, status_code=201)
+def create_task(
+    user_id: UUID,
+    task_data: TaskCreateRequest,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    if user_id != current_user.id:
+        raise HTTPException(status_code=404, detail="User not found")
+
+    task = Task(
+        title=task_data.title,
+        description=task_data.description,
+        completed=task_data.completed,
+        user_id=current_user.id,
+    )
+
+    db.add(task)
+    db.commit()
+    db.refresh(task)
+
+    return task
+
+
+@router.patch("/{user_id}/tasks/{task_id}", response_model=TaskResponse)
+def update_task_partial(
+    user_id: UUID,
+    task_id: int,
+    task_update: TaskPatchRequest,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    if user_id != current_user.id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task = (
+        db.query(Task)
+        .filter(Task.id == task_id, Task.user_id == current_user.id)
+        .first()
+    )
+
+    if not task:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    if task_update.completed is not None:
+        task.completed = task_update.completed
+
+    db.commit()
+    db.refresh(task)
+
+    return task
+
+@router.put("/{user_id}/tasks/{task_id}", response_model=TaskResponse)
+def update_task_full(
+    user_id: UUID,
+    task_id: int,
+    task_update: TaskUpdateRequest,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    if user_id != current_user.id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task = (
+        db.query(Task)
+        .filter(Task.id == task_id, Task.user_id == current_user.id)
+        .first()
+    )
+
+    if not task:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task.title = task_update.title
+    task.description = task_update.description
+    task.completed = task_update.completed
+
+    db.commit()
+    db.refresh(task)
+
+    return task
+
+
+@router.delete("/{user_id}/tasks/{task_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_task(
+    user_id: UUID,
+    task_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    if user_id != current_user.id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task = (
+        db.query(Task)
+        .filter(Task.id == task_id, Task.user_id == current_user.id)
+        .first()
+    )
+
+    if not task:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    db.delete(task)
+    db.commit()

src/schemas/auth.py

@@ -0,0 +1,57 @@
+from pydantic import BaseModel, EmailStr
+from typing import Optional
+from datetime import datetime
+
+
+class RegisterRequest(BaseModel):
+    """
+    Schema for user registration request.
+
+    Attributes:
+        email: User's email address (must be valid email format)
+        password: User's password (minimum 8 characters will be validated in endpoint)
+    """
+    email: EmailStr
+    password: str
+
+
+class RegisterResponse(BaseModel):
+    """
+    Schema for user registration response.
+
+    Attributes:
+        id: Unique identifier of the created user
+        email: Email address of the created user
+        created_at: Timestamp when the user was created
+    """
+    id: str  # UUID as string
+    email: EmailStr
+    created_at: datetime
+
+
+class LoginRequest(BaseModel):
+    """
+    Schema for user login request.
+
+    Attributes:
+        email: User's email address
+        password: User's password
+    """
+    email: EmailStr
+    password: str
+
+
+class LoginResponse(BaseModel):
+    """
+    Schema for user login response.
+
+    Attributes:
+        access_token: JWT token for authentication
+        token_type: Type of token (usually "bearer")
+        user_id: Unique identifier of the authenticated user
+        email: Email address of the authenticated user
+    """
+    access_token: str
+    token_type: str
+    user_id: str  # UUID as string
+    email: EmailStr

src/schemas/task.py

@@ -0,0 +1,41 @@
+from pydantic import BaseModel, Field
+from typing import List, Optional
+from datetime import datetime
+from uuid import UUID
+
+
+class TaskBase(BaseModel):
+    title: str = Field(..., min_length=1, max_length=200)
+    description: Optional[str] = Field(None, max_length=1000)
+    completed: bool = False
+
+
+class TaskCreateRequest(TaskBase):
+    pass
+
+
+class TaskUpdateRequest(BaseModel):
+    title: str = Field(..., min_length=1, max_length=200)
+    description: Optional[str] = Field(default="", max_length=1000)
+    completed: bool
+
+
+class TaskPatchRequest(BaseModel):
+    completed: Optional[bool] = None
+
+
+class TaskResponse(TaskBase):
+    id: int
+    user_id: UUID
+    created_at: datetime
+    updated_at: datetime
+
+    # ✅ REQUIRED FOR ORM (Pydantic v2)
+    model_config = {
+        "from_attributes": True
+    }
+
+
+class TaskListResponse(BaseModel):
+    tasks: List[TaskResponse]
+    total: int = 0

src/task_management_backend.egg-info/PKG-INFO

@@ -0,0 +1,20 @@
+Metadata-Version: 2.4
+Name: task-management-backend
+Version: 0.1.0
+Summary: Backend for task management application with authentication
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+Requires-Dist: fastapi>=0.115.0
+Requires-Dist: sqlmodel>=0.0.24
+Requires-Dist: uvicorn>=0.32.0
+Requires-Dist: pydantic>=2.10.0
+Requires-Dist: pydantic-settings>=2.6.0
+Requires-Dist: python-jose>=3.3.0
+Requires-Dist: passlib[bcrypt]>=1.7.0
+Requires-Dist: python-multipart>=0.0.20
+Requires-Dist: alembic>=1.14.0
+Requires-Dist: psycopg2-binary>=2.9.10
+Requires-Dist: pytest>=8.3.0
+Requires-Dist: pytest-asyncio>=0.25.0
+Requires-Dist: httpx>=0.28.0
+Requires-Dist: bcrypt>=5.0.0

src/task_management_backend.egg-info/SOURCES.txt

@@ -0,0 +1,24 @@
+pyproject.toml
+src/__init__.py
+src/config.py
+src/database.py
+src/main.py
+src/middleware/__init__.py
+src/middleware/auth.py
+src/models/__init__.py
+src/models/task.py
+src/models/user.py
+src/routers/__init__.py
+src/routers/auth.py
+src/routers/tasks.py
+src/schemas/__init__.py
+src/schemas/auth.py
+src/schemas/task.py
+src/task_management_backend.egg-info/PKG-INFO
+src/task_management_backend.egg-info/SOURCES.txt
+src/task_management_backend.egg-info/dependency_links.txt
+src/task_management_backend.egg-info/requires.txt
+src/task_management_backend.egg-info/top_level.txt
+src/utils/__init__.py
+src/utils/deps.py
+src/utils/security.py

src/task_management_backend.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

src/task_management_backend.egg-info/requires.txt

@@ -0,0 +1,14 @@
+fastapi>=0.115.0
+sqlmodel>=0.0.24
+uvicorn>=0.32.0
+pydantic>=2.10.0
+pydantic-settings>=2.6.0
+python-jose>=3.3.0
+passlib[bcrypt]>=1.7.0
+python-multipart>=0.0.20
+alembic>=1.14.0
+psycopg2-binary>=2.9.10
+pytest>=8.3.0
+pytest-asyncio>=0.25.0
+httpx>=0.28.0
+bcrypt>=5.0.0

src/task_management_backend.egg-info/top_level.txt

@@ -0,0 +1,9 @@
+__init__
+config
+database
+main
+middleware
+models
+routers
+schemas
+utils

src/utils/deps.py

@@ -0,0 +1,63 @@
+from typing import Generator
+from fastapi import Depends, HTTPException, status, Request
+from sqlalchemy.orm import Session
+from uuid import UUID
+
+from src.database import get_db_session
+from src.models.user import User
+from src.utils.security import verify_token
+
+
+def get_db() -> Generator[Session, None, None]:
+    db = next(get_db_session())
+    try:
+        yield db
+    finally:
+        db.close()
+
+
+def get_current_user(
+    request: Request,
+    db: Session = Depends(get_db)
+) -> User:
+    """
+    Get the currently authenticated user.
+    Supports BOTH:
+    - HTTP-only cookies (preferred)
+    - Authorization: Bearer header (fallback)
+    """
+
+    token = None
+
+    # 1️⃣ Try cookie first
+    token = request.cookies.get("access_token")
+
+    # 2️⃣ Fallback to Authorization header
+    if not token:
+        auth_header = request.headers.get("Authorization")
+        if auth_header and auth_header.startswith("Bearer "):
+            token = auth_header.split(" ")[1]
+
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated",
+        )
+
+    payload = verify_token(token)
+    if not payload or "sub" not in payload:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired token",
+        )
+
+    user_id = payload["sub"]
+
+    user = db.query(User).filter(User.id == UUID(user_id)).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not found",
+        )
+
+    return user

src/utils/security.py

@@ -0,0 +1,97 @@
+from datetime import datetime, timedelta
+from typing import Optional
+
+import bcrypt
+from jose import JWTError, jwt
+
+from src.config import settings
+
+# JWT settings
+SECRET_KEY = settings.AUTH_SECRET
+ALGORITHM = settings.JWT_ALGORITHM
+ACCESS_TOKEN_EXPIRE_MINUTES = settings.JWT_EXPIRATION_MINUTES
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """
+    Verify a plain password against a hashed password.
+
+    Args:
+        plain_password: The plain text password to verify
+        hashed_password: The hashed password to compare against
+
+    Returns:
+        bool: True if password matches, False otherwise
+    """
+    # Ensure password is encoded as bytes (bcrypt limitation: max 72 bytes)
+    password_bytes = plain_password.encode('utf-8')
+    if len(password_bytes) > 72:
+        password_bytes = password_bytes[:72]
+    
+    # Verify the password
+    try:
+        return bcrypt.checkpw(password_bytes, hashed_password.encode('utf-8'))
+    except (ValueError, TypeError):
+        return False
+
+
+def get_password_hash(password: str) -> str:
+    """
+    Generate a hash for the given password.
+
+    Args:
+        password: The plain text password to hash
+
+    Returns:
+        str: The hashed password
+    """
+    # Ensure password is encoded as bytes (bcrypt limitation: max 72 bytes)
+    password_bytes = password.encode('utf-8')
+    if len(password_bytes) > 72:
+        password_bytes = password_bytes[:72]
+    
+    # Generate salt and hash
+    salt = bcrypt.gensalt()
+    hashed = bcrypt.hashpw(password_bytes, salt)
+    return hashed.decode('utf-8')
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """
+    Create a JWT access token.
+
+    Args:
+        data: The data to include in the token (typically user info)
+        expires_delta: Optional expiration time delta (defaults to 7 days)
+
+    Returns:
+        str: The encoded JWT token
+    """
+    to_encode = data.copy()
+
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+
+    return encoded_jwt
+
+
+def verify_token(token: str) -> Optional[dict]:
+    """
+    Verify a JWT token and return the payload if valid.
+
+    Args:
+        token: The JWT token to verify
+
+    Returns:
+        dict: The token payload if valid, None if invalid
+    """
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return payload
+    except JWTError:
+        return None