feat(auth): Implement staff mobile OTP login and restructure user management routes

.env.example

@@ -6,17 +6,18 @@ APP_VERSION=1.0.0
 DEBUG=false
 
 # MongoDB Configuration
-MONGODB_URI=mongodb+srv://username:password@cluster.mongodb.net/?retryWrites=true&w=majority
+MONGODB_URI=mongodb://localhost:27017
+# For MongoDB Atlas: mongodb+srv://username:password@cluster.mongodb.net/?retryWrites=true&w=majority
 MONGODB_DB_NAME=cuatrolabs
 
 # Redis Configuration (for caching and session management)
-REDIS_HOST=your-redis-host.com
+REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_PASSWORD=your-redis-password
 REDIS_DB=0
 
 # JWT Configuration
-SECRET_KEY=your-secret-key-change-in-production
+SECRET_KEY=your-secret-key-here-change-in-production
 ALGORITHM=HS256
 TOKEN_EXPIRATION_HOURS=8
 REFRESH_TOKEN_EXPIRE_DAYS=7
@@ -24,16 +25,6 @@ MAX_FAILED_LOGIN_ATTEMPTS=5
 ACCOUNT_LOCK_DURATION_MINUTES=15
 REMEMBER_ME_TOKEN_HOURS=24
 
-# Password Reset Configuration
-PASSWORD_RESET_TOKEN_EXPIRATION_MINUTES=60
-PASSWORD_RESET_BASE_URL=http://localhost:3000/reset-password
-
-# Password Rotation Policy Configuration
-PASSWORD_ROTATION_DAYS=60
-PASSWORD_ROTATION_WARNING_DAYS=7
-ENFORCE_PASSWORD_ROTATION=true
-ALLOW_LOGIN_WITH_EXPIRED_PASSWORD=false
-
 # API Configuration
 MAX_PAGE_SIZE=100
 
@@ -42,14 +33,14 @@ OTP_TTL_SECONDS=600
 OTP_RATE_LIMIT_MAX=10
 OTP_RATE_LIMIT_WINDOW=600
 
-# Twilio Configuration (for SMS OTP - optional fallback)
+# Twilio Configuration (for SMS OTP)
 TWILIO_ACCOUNT_SID=
 TWILIO_AUTH_TOKEN=
 TWILIO_PHONE_NUMBER=
 
 # WATI WhatsApp API Configuration (for WhatsApp OTP)
 WATI_API_ENDPOINT=https://live-mt-server.wati.io/YOUR_TENANT_ID
-WATI_ACCESS_TOKEN=your-wati-bearer-token
+WATI_ACCESS_TOKEN=your-wati-jwt-token
 WATI_OTP_TEMPLATE_NAME=cust_otp
 WATI_STAFF_OTP_TEMPLATE_NAME=staff_otp_login
 

app/system_users/controllers/router.py

@@ -1,4 +1,3 @@
-from uuid import UUID
 from pydantic import BaseModel, Field
 from fastapi import APIRouter, Depends, HTTPException, status, Request
 from fastapi.security import HTTPAuthorizationCredentials
@@ -21,20 +20,204 @@ logger = logging.getLogger(__name__)
 
 # Router must be defined before any usage
 router = APIRouter(
-    prefix="/users",
-    tags=["User Management"]
+    prefix="/auth",
+    tags=["Authentication & User Management"]
 )
 
-# Staff mobile OTP login moved to staff_router.py
-
-
-# Login endpoint moved to auth router
+# --- Staff Mobile OTP Login ---
+class StaffMobileOTPLoginRequest(BaseModel):
+    phone: str = Field(..., description="Staff mobile number")
+    otp: str = Field(..., description="One-time password")
+
+class StaffMobileOTPLoginResponse(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+    expires_in: int
+    user_info: 'UserInfoResponse'
+
+@router.post("/staff/login/mobile-otp", response_model=StaffMobileOTPLoginResponse, summary="Staff login with mobile and OTP")
+async def staff_login_mobile_otp(
+    request: Request,
+    login_data: StaffMobileOTPLoginRequest,
+    user_service: SystemUserService = Depends(get_system_user_service)
+):
+    """
+    Staff login using mobile number and OTP (OTP hardcoded as 123456).
+    """
+    if not login_data.phone or not login_data.otp:
+        raise HTTPException(status_code=400, detail="Phone and OTP are required")
+    if login_data.otp != "123456":
+        raise HTTPException(status_code=401, detail="Invalid OTP")
+    # Find user by phone
+    user = await user_service.get_user_by_phone(login_data.phone)
+    if not user:
+        raise HTTPException(status_code=401, detail="Staff user not found for this phone number")
+    # Only allow staff/employee roles (not admin/super_admin)
+    if user.role in ("admin", "super_admin"):
+        raise HTTPException(status_code=403, detail="Admin login not allowed via staff OTP login")
+    
+    # Create access token for staff user
+    from datetime import timedelta
+    from app.core.config import settings
+    
+    access_token_expires = timedelta(hours=settings.TOKEN_EXPIRATION_HOURS)
+    access_token = user_service.create_access_token(
+        data={
+            "sub": user.user_id, 
+            "username": user.username, 
+            "role": user.role, 
+            "merchant_id": user.merchant_id,
+            "merchant_type": user.merchant_type
+        },
+        expires_delta=access_token_expires
+    )
+    
+    user_info = user_service.convert_to_user_info_response(user)
+    
+    return StaffMobileOTPLoginResponse(
+        access_token=access_token,
+        token_type="bearer",
+        expires_in=int(access_token_expires.total_seconds()),
+        user_info=user_info
+    )
+
+
+@router.post("/login", response_model=LoginResponse)
+async def login(
+    request: Request,
+    login_data: LoginRequest,
+    user_service: SystemUserService = Depends(get_system_user_service)
+):
+    """
+    Authenticate user and return access token.
+    
+    Raises:
+        HTTPException: 400 - Missing required fields
+        HTTPException: 401 - Invalid credentials or account locked
+        HTTPException: 500 - Database or server error
+    """
+    try:
+        # Validate input
+        if not login_data.email_or_phone or not login_data.email_or_phone.strip():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email, phone, or username is required"
+            )
+        
+        if not login_data.password or not login_data.password.strip():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Password is required"
+            )
+        
+        # Get client IP and user agent
+        client_ip = request.client.host if request.client else None
+        user_agent = request.headers.get("User-Agent")
+        
+        # Authenticate user
+        try:
+            user, message = await user_service.authenticate_user(
+                email_or_phone=login_data.email_or_phone,
+                password=login_data.password,
+                ip_address=client_ip,
+                user_agent=user_agent
+            )
+        except Exception as auth_error:
+            logger.error(f"Authentication error: {auth_error}", exc_info=True)
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Authentication service error"
+            )
+        
+        if not user:
+            logger.warning(f"Login failed for {login_data.email_or_phone}: {message}")
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=message,
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        
+        # Create access token
+        try:
+            access_token_expires = timedelta(hours=settings.TOKEN_EXPIRATION_HOURS)
+            if login_data.remember_me:
+                access_token_expires = timedelta(hours=settings.REMEMBER_ME_TOKEN_HOURS)
+            
+            access_token = user_service.create_access_token(
+                data={
+                    "sub": user.user_id, 
+                    "username": user.username, 
+                    "role": user.role, 
+                    "merchant_id": user.merchant_id,
+                    "merchant_type": user.merchant_type
+                },
+                expires_delta=access_token_expires
+            )
+        except Exception as token_error:
+            logger.error(f"Error creating token: {token_error}", exc_info=True)
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Failed to generate authentication token"
+            )
+        
+        # Convert user to response model
+        try:
+            user_info = user_service.convert_to_user_info_response(user)
+        except Exception as convert_error:
+            logger.error(f"Error converting user info: {convert_error}", exc_info=True)
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Failed to format user information"
+            )
+        
+        logger.info(f"User logged in successfully: {user.username}")
+        
+        return LoginResponse(
+            access_token=access_token,
+            token_type="bearer",
+            expires_in=int(access_token_expires.total_seconds()),
+            user_info=user_info
+        )
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected login error: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred during login"
+        )
 
 
-# /me endpoint moved to auth router
+@router.get("/me", response_model=UserInfoResponse)
+async def get_current_user_info(
+    current_user: SystemUserModel = Depends(get_current_user),
+    user_service: SystemUserService = Depends(get_system_user_service)
+):
+    """
+    Get current user information.
+    
+    Raises:
+        HTTPException: 401 - Unauthorized (invalid or missing token)
+        HTTPException: 500 - Server error
+    """
+    try:
+        return user_service.convert_to_user_info_response(current_user)
+    except AttributeError as e:
+        logger.error(f"Error accessing user attributes: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Error retrieving user information"
+        )
+    except Exception as e:
+        logger.error(f"Unexpected error getting current user info: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred"
+        )
 
 
-@router.post("/", response_model=UserInfoResponse)
+@router.post("/users", response_model=UserInfoResponse)
 async def create_user(
     user_data: CreateUserRequest,
     current_user: SystemUserModel = Depends(require_admin_role),
@@ -88,7 +271,7 @@ async def create_user(
         )
 
 
-@router.get("/", response_model=UserListResponse)
+@router.get("/users", response_model=UserListResponse)
 async def list_users(
     page: int = 1,
     page_size: int = 20,
@@ -151,7 +334,7 @@ async def list_users(
         )
 
 
-@router.post("/list")
+@router.post("/users/list")
 async def list_users_with_projection(
     payload: UserListRequest,
     current_user: SystemUserModel = Depends(require_admin_role),
@@ -251,9 +434,9 @@ async def list_users_with_projection(
         )
 
 
-@router.get("/{user_id}", response_model=UserInfoResponse)
+@router.get("/users/{user_id}", response_model=UserInfoResponse)
 async def get_user_by_id(
-    user_id: UUID,
+    user_id: str,
     current_user: SystemUserModel = Depends(require_admin_role),
     user_service: SystemUserService = Depends(get_system_user_service)
 ):
@@ -295,9 +478,9 @@ async def get_user_by_id(
         )
 
 
-@router.put("/{user_id}", response_model=UserInfoResponse)
+@router.put("/users/{user_id}", response_model=UserInfoResponse)
 async def update_user(
-    user_id: UUID,
+    user_id: str,
     update_data: UpdateUserRequest,
     current_user: SystemUserModel = Depends(require_admin_role),
     user_service: SystemUserService = Depends(get_system_user_service)
@@ -579,9 +762,9 @@ async def reset_password(
         )
 
 
-@router.delete("/{user_id}", response_model=StandardResponse)
+@router.delete("/users/{user_id}", response_model=StandardResponse)
 async def deactivate_user(
-    user_id: UUID,
+    user_id: str,
     current_user: SystemUserModel = Depends(require_admin_role),
     user_service: SystemUserService = Depends(get_system_user_service)
 ):
@@ -635,7 +818,87 @@ async def deactivate_user(
         )
 
 
-# Logout endpoint moved to auth router
+@router.post("/logout", response_model=StandardResponse)
+async def logout(
+    request: Request,
+    current_user: SystemUserModel = Depends(get_current_user),
+    user_service: SystemUserService = Depends(get_system_user_service)
+):
+    """
+    Logout current user.
+    
+    Requires JWT token in Authorization header (Bearer token).
+    Logs out the user and records the logout event for audit purposes.
+    
+    **Security:**
+    - Validates JWT token before logout
+    - Records logout event with IP address, user agent, and session duration
+    - Stores audit log for compliance and security tracking
+    
+    **Note:** Since we're using stateless JWT tokens, the client is responsible for:
+    - Removing the token from local storage/cookies
+    - Clearing any cached user data
+    - Redirecting to login page
+    
+    For enhanced security in production:
+    - Consider implementing token blacklisting
+    - Use short-lived access tokens with refresh tokens
+    - Implement server-side session management if needed
+    
+    Raises:
+        HTTPException: 401 - Unauthorized (invalid or missing token)
+        HTTPException: 500 - Server error
+    """
+    try:
+        # Get client information for audit logging
+        client_ip = request.client.host if request.client else None
+        user_agent = request.headers.get("User-Agent")
+        
+        # Record logout for audit purposes
+        await user_service.record_logout(
+            user=current_user,
+            ip_address=client_ip,
+            user_agent=user_agent
+        )
+        
+        logger.info(
+            f"User logged out successfully: {current_user.username}",
+            extra={
+                "event": "logout_success",
+                "user_id": current_user.user_id,
+                "username": current_user.username,
+                "ip_address": client_ip
+            }
+        )
+        
+        return StandardResponse(
+            success=True,
+            message="Logged out successfully"
+        )
+        
+    except AttributeError as e:
+        logger.error(
+            f"Error accessing user during logout: {e}",
+            extra={"error_type": "attribute_error"},
+            exc_info=True
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Error during logout"
+        )
+    except Exception as e:
+        logger.error(
+            f"Unexpected logout error: {str(e)}",
+            extra={
+                "error_type": type(e).__name__,
+                "user_id": current_user.user_id if current_user else None
+            },
+            exc_info=True
+        )
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred during logout"
+        )
 
 
 # Create default super admin endpoint (for initial setup)