credit

app.py

@@ -6,20 +6,12 @@ decrypting it, and storing in SQLite database.
 """
 import logging
 from contextlib import asynccontextmanager
-from typing import Optional, Tuple
-
-import ipaddress
-import httpx
-from fastapi import FastAPI, Query, Request, Depends, HTTPException, status
+from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import JSONResponse, HTMLResponse
-from fastapi.staticfiles import StaticFiles
-from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy import select, func
+from fastapi.responses import JSONResponse
 
-from database import get_db, init_db
-from models import BlinkData
-from encryption import decrypt_data, decrypt_multiple_blocks
+from database import init_db
+from routers import auth, blink, general
 
 # Configure logging
 logging.basicConfig(
@@ -28,43 +20,6 @@ logging.basicConfig(
 )
 logger = logging.getLogger(__name__)
 
-# User ID length constant
-USER_ID_LENGTH = 20
-
-# Geolocation API settings
-GEOLOCATION_API_URL = "http://ip-api.com/json/{ip}?fields=status,country,regionName"
-GEOLOCATION_TIMEOUT = 2.0  # seconds
-
-
-async def get_geolocation(ip_address: str) -> Tuple[Optional[str], Optional[str]]:
-    """
-    Get country and region for an IP address using ip-api.com.
-    
-    Args:
-        ip_address: IPv4 or IPv6 address
-        
-    Returns:
-        Tuple of (country, region) or (None, None) if lookup fails
-    """
-    if not ip_address:
-        return None, None
-    
-    # Skip geolocation for localhost/private IPs
-    if ip_address in ("127.0.0.1", "::1", "localhost") or ip_address.startswith(("192.168.", "10.", "172.")):
-        return None, None
-    
-    try:
-        async with httpx.AsyncClient(timeout=GEOLOCATION_TIMEOUT) as client:
-            response = await client.get(GEOLOCATION_API_URL.format(ip=ip_address))
-            if response.status_code == 200:
-                data = response.json()
-                if data.get("status") == "success":
-                    return data.get("country"), data.get("regionName")
-    except Exception as e:
-        logger.warning(f"Geolocation lookup failed for {ip_address}: {e}")
-    
-    return None, None
-
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
@@ -96,223 +51,10 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-
-@app.get("/health")
-async def health_check():
-    """
-    Health check endpoint.
-    
-    Returns:
-        Health status of the application
-    """
-    return {"status": "healthy", "service": "url-blink-api"}
-
-
-@app.get("/", response_class=HTMLResponse)
-async def root():
-    """
-    Serve the main HTML page.
-    """
-    import os
-    template_path = os.path.join(os.path.dirname(__file__), "templates", "index.html")
-    with open(template_path, "r") as f:
-        return HTMLResponse(content=f.read())
-
-
-@app.get("/api/data")
-async def get_data(
-    page: int = Query(1, ge=1, description="Page number"),
-    limit: int = Query(100, ge=1, le=500, description="Items per page"),
-    db: AsyncSession = Depends(get_db)
-):
-    """
-    Get paginated blink data.
-    
-    Args:
-        page: Page number (1-indexed)
-        limit: Number of items per page
-        db: Database session
-        
-    Returns:
-        Paginated list of blink data records
-    """
-    try:
-        offset = (page - 1) * limit
-        
-        # Get total count
-        total_result = await db.execute(select(func.count(BlinkData.id)))
-        total = total_result.scalar() or 0
-        
-        # Get unique users count
-        unique_result = await db.execute(select(func.count(func.distinct(BlinkData.user_id))))
-        unique_users = unique_result.scalar() or 0
-        
-        # Get paginated items
-        query = select(BlinkData).order_by(BlinkData.id.desc()).offset(offset).limit(limit)
-        result = await db.execute(query)
-        items = result.scalars().all()
-        
-        return {
-            "items": [
-                {
-                    "id": item.id,
-                    "user_id": item.user_id,
-                    "refer_url": item.refer_url,
-                    "ip_address": item.ip_address,
-                    "ipv4_address": item.ipv4_address,
-                    "ipv6_address": item.ipv6_address,
-                    "country": item.country,
-                    "region": item.region,
-                    "json_data": item.json_data,
-                    "created_at": item.created_at.isoformat() if item.created_at else None
-                }
-                for item in items
-            ],
-            "total": total,
-            "unique_users": unique_users,
-            "page": page,
-            "limit": limit
-        }
-    except Exception as e:
-        logger.error(f"Error fetching data: {e}")
-        raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Error fetching data"
-        )
-
-
-@app.get("/blink")
-async def blink(
-    request: Request,
-    userid: str = Query(..., description="User ID (20 chars) + encrypted data"),
-    db: AsyncSession = Depends(get_db)
-):
-    """
-    Process blink request with encrypted user data.
-    
-    The userid parameter format:
-    - First 20 characters: User ID
-    - Remaining characters: Base64 encoded encrypted data
-    
-    Args:
-        request: FastAPI request object
-        userid: Combined user ID and encrypted data
-        db: Database session
-        
-    Returns:
-        Success response with processing status
-    """
-    try:
-        # Validate minimum length
-        if len(userid) < USER_ID_LENGTH:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=f"Parameter 'userid' must be at least {USER_ID_LENGTH} characters"
-            )
-        
-        # Extract user_id (first 20 characters)
-        user_id = userid[:USER_ID_LENGTH]
-        
-        # Extract encrypted data (remaining characters)
-        encrypted_data = userid[USER_ID_LENGTH:]
-        
-        if not encrypted_data:
-            logger.warning(f"No encrypted data received for user: {user_id}")
-            # Still store the record with empty json_data
-            decrypted_results = []
-        else:
-            # Try to decrypt - might be single or multiple blocks
-            try:
-                decrypted_results = decrypt_multiple_blocks(encrypted_data)
-            except Exception as e:
-                logger.error(f"Decryption failed for user {user_id}: {e}")
-                # Store with error information
-                decrypted_results = [{"error": str(e), "raw_encrypted": encrypted_data[:100]}]
-        
-        # Get referer URL from headers (full URL, not just origin)
-        refer_url = request.headers.get("referer")
-        
-        # Get client IP address
-        # Check X-Forwarded-For header first (for proxies/load balancers)
-        forwarded_for = request.headers.get("x-forwarded-for")
-        if forwarded_for:
-            # X-Forwarded-For can contain multiple IPs, take the first one
-            ip_address = forwarded_for.split(",")[0].strip()
-        else:
-            # Fall back to direct client IP
-            ip_address = request.client.host if request.client else None
-        
-        # Get geolocation from IP address
-        country, region = await get_geolocation(ip_address)
-        
-        # Determine IPv4 vs IPv6
-        ipv4_address = None
-        ipv6_address = None
-        
-        if ip_address:
-            try:
-                ip_obj = ipaddress.ip_address(ip_address)
-                if isinstance(ip_obj, ipaddress.IPv4Address):
-                    ipv4_address = ip_address
-                elif isinstance(ip_obj, ipaddress.IPv6Address):
-                    ipv6_address = ip_address
-            except ValueError:
-                # Invalid IP address format, just keep it in ip_address
-                pass
-        
-        # Store each decrypted result as separate records
-        records_created = 0
-        for json_data in decrypted_results:
-            blink_record = BlinkData(
-                user_id=user_id,
-                refer_url=refer_url,
-                ip_address=ip_address,
-                ipv4_address=ipv4_address,
-                ipv6_address=ipv6_address,
-                country=country,
-                region=region,
-                json_data=json_data
-            )
-            db.add(blink_record)
-            records_created += 1
-        
-        # If no results but we have encrypted data, store a record with the raw data reference
-        if not decrypted_results and encrypted_data:
-            blink_record = BlinkData(
-                user_id=user_id,
-                refer_url=refer_url,
-                ip_address=ip_address,
-                ipv4_address=ipv4_address,
-                ipv6_address=ipv6_address,
-                country=country,
-                region=region,
-                json_data={"encrypted_length": len(encrypted_data)}
-            )
-            db.add(blink_record)
-            records_created = 1
-        
-        await db.commit()
-        
-        logger.info(f"Successfully processed blink for user: {user_id}, records: {records_created}")
-        
-        return JSONResponse(
-            status_code=status.HTTP_200_OK,
-            content={
-                "status": "success",
-                "user_id": user_id,
-                "records_created": records_created
-            }
-        )
-        
-    except HTTPException:
-        raise
-    except Exception as e:
-        logger.error(f"Error processing blink request: {e}")
-        await db.rollback()
-        raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Internal server error processing request"
-        )
+# Include Routers
+app.include_router(general.router)
+app.include_router(auth.router)
+app.include_router(blink.router)
 
 
 @app.exception_handler(Exception)
@@ -322,7 +64,7 @@ async def global_exception_handler(request: Request, exc: Exception):
     """
     logger.error(f"Unhandled exception: {exc}")
     return JSONResponse(
-        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        status_code=500,
         content={"detail": "Internal server error"}
     )
 

auth_utils.py

@@ -0,0 +1,72 @@
+import secrets
+import smtplib
+import ssl
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+import bcrypt
+import logging
+import os
+
+# Configure logging
+logger = logging.getLogger(__name__)
+
+# Email configuration
+SMTP_SERVER = os.getenv("SMTP_SERVER", "127.0.0.1")
+SMTP_PORT = int(os.getenv("SMTP_PORT", "1025"))
+SMTP_USERNAME = os.getenv("SMTP_USERNAME", "sender@domain.com")
+SMTP_PASSWORD = os.getenv("SMTP_PASSWORD", "yourpassword")
+SMTP_SENDER = os.getenv("SMTP_SENDER", SMTP_USERNAME)
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """
+    Verify a password against a hash.
+    """
+    if isinstance(hashed_password, str):
+        hashed_password = hashed_password.encode('utf-8')
+    return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password)
+
+def get_password_hash(password: str) -> str:
+    """
+    Hash a password using bcrypt.
+    """
+    # rounds=12 as per spec
+    salt = bcrypt.gensalt(rounds=12)
+    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
+    return hashed.decode('utf-8')
+
+def generate_secret_key() -> str:
+    """
+    Generate a secure secret key starting with 'sk_'.
+    """
+    return "sk_" + secrets.token_urlsafe(32)
+
+def send_email(to_email: str, subject: str, body: str):
+    """
+    Send an email using SMTP (configured for ProtonMail Bridge).
+    This function is blocking and should be run in a background task.
+    """
+    try:
+        message = MIMEMultipart()
+        message["From"] = SMTP_SENDER
+        message["To"] = to_email
+        message["Subject"] = subject
+        
+        message.attach(MIMEText(body, "plain"))
+        
+        # Create a secure SSL context
+        context = ssl.create_default_context()
+        # Note: ProtonMail Bridge with "change smtp-security" to SSL usually uses self-signed certs or specific setup.
+        # If using localhost, we might need to bypass hostname check or trust the cert.
+        # For now, we'll try standard SSL context. If it fails on localhost self-signed, we might need check_hostname=False.
+        context.check_hostname = False
+        context.verify_mode = ssl.CERT_NONE
+
+        with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT, context=context) as server:
+            server.login(SMTP_USERNAME, SMTP_PASSWORD)
+            server.sendmail(SMTP_SENDER, to_email, message.as_string())
+            
+        logger.info(f"Email sent successfully to {to_email}")
+        return True
+    except Exception as e:
+        logger.error(f"Failed to send email to {to_email}: {e}")
+        return False

dependencies.py

@@ -0,0 +1,145 @@
+import logging
+from datetime import datetime, timedelta
+from typing import Optional, Tuple
+import ipaddress
+import httpx
+from fastapi import Request, Depends, HTTPException, status
+from sqlalchemy import select, and_
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from database import get_db
+from models import User, RateLimit
+from auth_utils import verify_password
+
+logger = logging.getLogger(__name__)
+
+# Geolocation API settings
+GEOLOCATION_API_URL = "http://ip-api.com/json/{ip}?fields=status,country,regionName"
+GEOLOCATION_TIMEOUT = 2.0  # seconds
+
+async def check_rate_limit(
+    db: AsyncSession,
+    identifier: str,
+    endpoint: str,
+    limit: int,
+    window_minutes: int
+) -> bool:
+    """
+    Check if request is within rate limits.
+    Returns True if allowed, False if limit exceeded.
+    """
+    now = datetime.utcnow()
+    window_start = now - timedelta(minutes=window_minutes)
+    
+    # Check existing limit
+    query = select(RateLimit).where(
+        and_(
+            RateLimit.identifier == identifier,
+            RateLimit.endpoint == endpoint,
+            RateLimit.window_start >= window_start
+        )
+    )
+    result = await db.execute(query)
+    rate_limit = result.scalar_one_or_none()
+    
+    if rate_limit:
+        if rate_limit.attempts >= limit:
+            return False
+        
+        # Increment attempts
+        rate_limit.attempts += 1
+        await db.commit()
+        return True
+    else:
+        # Create new rate limit record
+        new_limit = RateLimit(
+            identifier=identifier,
+            endpoint=endpoint,
+            attempts=1,
+            window_start=now,
+            expires_at=now + timedelta(minutes=window_minutes)
+        )
+        db.add(new_limit)
+        await db.commit()
+        return True
+
+async def verify_credits(
+    req: Request,
+    db: AsyncSession = Depends(get_db)
+) -> User:
+    """
+    Dependency to validate secret key and deduct credits.
+    """
+    secret_key = req.headers.get("X-Secret-Key")
+    if not secret_key:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing X-Secret-Key header"
+        )
+    
+    # Validate secret key format
+    if not secret_key.startswith("sk_"):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid secret key format"
+        )
+        
+    # Find user
+    query = select(User).where(User.is_active == True)
+    result = await db.execute(query)
+    users = result.scalars().all()
+    
+    valid_user = None
+    for user in users:
+        if verify_password(secret_key, user.secret_key_hash):
+            valid_user = user
+            break
+            
+    if not valid_user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid secret key"
+        )
+        
+    # Check credits
+    if valid_user.credits <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+            detail="Insufficient credits"
+        )
+        
+    # Deduct credit
+    valid_user.credits -= 1
+    valid_user.last_used_at = datetime.utcnow()
+    await db.commit()
+    
+    return valid_user
+
+async def get_geolocation(ip_address: str) -> Tuple[Optional[str], Optional[str]]:
+    """
+    Get country and region for an IP address using ip-api.com.
+    
+    Args:
+        ip_address: IPv4 or IPv6 address
+        
+    Returns:
+        Tuple of (country, region) or (None, None) if lookup fails
+    """
+    if not ip_address:
+        return None, None
+    
+    # Skip geolocation for localhost/private IPs
+    if ip_address in ("127.0.0.1", "::1", "localhost") or ip_address.startswith(("192.168.", "10.", "172.")):
+        return None, None
+    
+    try:
+        async with httpx.AsyncClient(timeout=GEOLOCATION_TIMEOUT) as client:
+            response = await client.get(GEOLOCATION_API_URL.format(ip=ip_address))
+            if response.status_code == 200:
+                data = response.json()
+                if data.get("status") == "success":
+                    return data.get("country"), data.get("regionName")
+    except Exception as e:
+        logger.warning(f"Geolocation lookup failed for {ip_address}: {e}")
+    
+    return None, None

models.py

@@ -1,7 +1,7 @@
 """
 SQLAlchemy models for the URL Blink application.
 """
-from sqlalchemy import Column, Integer, String, Text, DateTime, JSON
+from sqlalchemy import Column, Integer, String, Text, DateTime, JSON, Boolean
 from sqlalchemy.sql import func
 from database import Base
 
@@ -32,3 +32,54 @@ class BlinkData(Base):
 
     def __repr__(self):
         return f"<BlinkData(id={self.id}, user_id={self.user_id})>"
+
+
+class User(Base):
+    """
+    User model for credit system.
+    """
+    __tablename__ = "users"
+
+    id = Column(Integer, primary_key=True, autoincrement=True, index=True)
+    user_id = Column(String(50), unique=True, index=True, nullable=False)  # Backend generated UUID
+    temp_user_id = Column(String(50), index=True, nullable=True)  # From frontend
+    email = Column(String(255), unique=True, index=True, nullable=False)
+    secret_key_hash = Column(String(255), nullable=False)
+    credits = Column(Integer, default=100)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), server_default=func.now(), onupdate=func.now())
+    last_used_at = Column(DateTime(timezone=True), nullable=True)
+    is_active = Column(Boolean, default=True)
+
+    def __repr__(self):
+        return f"<User(id={self.id}, email={self.email})>"
+
+
+class RateLimit(Base):
+    """
+    Rate limit tracking table.
+    """
+    __tablename__ = "rate_limits"
+
+    id = Column(Integer, primary_key=True, autoincrement=True, index=True)
+    identifier = Column(String(255), index=True, nullable=False)  # IP or email
+    endpoint = Column(String(255), index=True, nullable=False)
+    attempts = Column(Integer, default=0)
+    window_start = Column(DateTime(timezone=True), nullable=False)
+    expires_at = Column(DateTime(timezone=True), nullable=False)
+
+
+class AuditLog(Base):
+    """
+    Audit log for security events.
+    """
+    __tablename__ = "audit_logs"
+
+    id = Column(Integer, primary_key=True, autoincrement=True, index=True)
+    user_id = Column(String(50), nullable=True)
+    action = Column(String(50), nullable=False)
+    ip_address = Column(String(45), nullable=False)
+    user_agent = Column(String(255), nullable=True)
+    status = Column(String(20), nullable=False)
+    error_message = Column(Text, nullable=True)
+    timestamp = Column(DateTime(timezone=True), server_default=func.now())

pytest.ini

@@ -0,0 +1,3 @@
+[pytest]
+asyncio_mode = auto
+asyncio_default_fixture_loop_scope = function

requirements.txt

@@ -6,3 +6,6 @@ aiosqlite>=0.19.0
 cryptography>=41.0.0
 pydantic>=2.0.0
 httpx>=0.25.0
+
+passlib[bcrypt]>=1.7.4
+email-validator>=2.0.0

routers/auth.py

@@ -0,0 +1,249 @@
+from fastapi import APIRouter, Depends, HTTPException, status, Request, BackgroundTasks
+from fastapi.responses import JSONResponse
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from datetime import datetime
+import uuid
+
+from database import get_db
+from models import User, AuditLog
+from schemas import CheckRegistrationRequest, RegisterRequest, ValidateRequest, ResetRequest
+from auth_utils import get_password_hash, verify_password, generate_secret_key, send_email
+from dependencies import check_rate_limit
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+@router.post("/check-registration")
+async def check_registration(
+    request: CheckRegistrationRequest,
+    req: Request,
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Check if a temporary user_id has completed registration.
+    """
+    # Rate Limit: 10 requests per minute per IP
+    ip = req.client.host
+    if not await check_rate_limit(db, ip, "/auth/check-registration", 10, 1):
+        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many requests")
+
+    query = select(User).where(User.temp_user_id == request.user_id)
+    result = await db.execute(query)
+    user = result.scalar_one_or_none()
+
+    return {"is_registered": user is not None}
+
+
+@router.post("/register")
+async def register(
+    request: RegisterRequest,
+    req: Request,
+    background_tasks: BackgroundTasks,
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Register new user, generate secret key, send email.
+    """
+    # Rate Limit: 5 registrations per hour per IP
+    ip = req.client.host
+    if not await check_rate_limit(db, ip, "/auth/register", 5, 60):
+        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many registration attempts")
+
+    # Check Email Already Registered
+    query = select(User).where(User.email == request.email)
+    result = await db.execute(query)
+    if result.scalar_one_or_none():
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Email already registered")
+
+    # Check temp_user_id Already Registered
+    query = select(User).where(User.temp_user_id == request.user_id)
+    result = await db.execute(query)
+    if result.scalar_one_or_none():
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="User already registered")
+
+    # Generate Secret Key
+    secret_key = generate_secret_key()
+    secret_key_hash = get_password_hash(secret_key)
+    backend_user_id = "usr_" + str(uuid.uuid4())
+
+    # Create User
+    new_user = User(
+        user_id=backend_user_id,
+        temp_user_id=request.user_id,
+        email=request.email,
+        secret_key_hash=secret_key_hash,
+        credits=100
+    )
+    db.add(new_user)
+    
+    # Log Audit
+    audit_log = AuditLog(
+        user_id=backend_user_id,
+        action="register",
+        ip_address=ip,
+        status="success"
+    )
+    db.add(audit_log)
+    
+    await db.commit()
+
+    # Send Email (Async)
+    email_body = f"""Hello,
+
+Your secret key is: {secret_key}
+
+Please save this key securely.
+You'll need it to access your credits.
+
+If you lose this key, use the 'Forgot Key'
+option with this email address.
+
+Credits: 100
+Valid from: {datetime.now().strftime('%Y-%m-%d')}
+
+Do not share this key with anyone."""
+
+    background_tasks.add_task(
+        send_email,
+        request.email,
+        "Your Secret Key - Credit System",
+        email_body
+    )
+
+    return {"success": True, "message": "Registration successful. Check your email."}
+
+
+@router.post("/validate")
+async def validate_key(
+    request: ValidateRequest,
+    req: Request,
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Validate secret key and return user info.
+    """
+    # Rate Limit: 20 validations per hour per IP
+    ip = req.client.host
+    if not await check_rate_limit(db, ip, "/auth/validate", 20, 60):
+        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many validation attempts")
+
+    query = select(User).where(User.is_active == True)
+    result = await db.execute(query)
+    users = result.scalars().all()
+    
+    valid_user = None
+    for user in users:
+        if verify_password(request.secret_key, user.secret_key_hash):
+            valid_user = user
+            break
+    
+    if valid_user:
+        # Update last_used_at
+        valid_user.last_used_at = datetime.utcnow()
+        
+        # Log Audit
+        audit_log = AuditLog(
+            user_id=valid_user.user_id,
+            action="validate",
+            ip_address=ip,
+            status="success"
+        )
+        db.add(audit_log)
+        await db.commit()
+        
+        return {
+            "valid": True,
+            "user_id": valid_user.user_id,
+            "credits": valid_user.credits,
+            "message": "Valid key"
+        }
+    else:
+        # Log Audit
+        audit_log = AuditLog(
+            user_id=None,
+            action="validate",
+            ip_address=ip,
+            status="failed",
+            error_message="Invalid key"
+        )
+        db.add(audit_log)
+        await db.commit()
+        
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={"valid": False, "message": "Invalid secret key"}
+        )
+
+
+@router.post("/reset")
+async def reset_key(
+    request: ResetRequest,
+    req: Request,
+    background_tasks: BackgroundTasks,
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Reset/recover secret key via email.
+    """
+    # Rate Limit: 3 reset attempts per hour per email
+    if not await check_rate_limit(db, request.email, "/auth/reset", 3, 60):
+        raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Too many reset attempts")
+
+    query = select(User).where(User.email == request.email)
+    result = await db.execute(query)
+    user = result.scalar_one_or_none()
+    
+    ip = req.client.host
+
+    if user:
+        # Generate New Secret Key
+        new_secret_key = generate_secret_key()
+        new_secret_key_hash = get_password_hash(new_secret_key)
+        
+        user.secret_key_hash = new_secret_key_hash
+        user.updated_at = datetime.utcnow()
+        
+        # Log Audit
+        audit_log = AuditLog(
+            user_id=user.user_id,
+            action="reset",
+            ip_address=ip,
+            status="success"
+        )
+        db.add(audit_log)
+        await db.commit()
+        
+        # Send Email
+        email_body = f"""Hello,
+
+You requested a secret key reset.
+
+Your NEW secret key is: {new_secret_key}
+
+Your old secret key is now invalid.
+
+If you didn't request this, please
+contact support immediately.
+
+Current Credits: {user.credits}"""
+
+        background_tasks.add_task(
+            send_email,
+            request.email,
+            "Your New Secret Key",
+            email_body
+        )
+    else:
+        # Log Audit (failed/not found)
+        audit_log = AuditLog(
+            user_id=None,
+            action="reset",
+            ip_address=ip,
+            status="failed",
+            error_message="Email not found"
+        )
+        db.add(audit_log)
+        await db.commit()
+
+    # Always return success
+    return {"success": True, "message": "If this email is registered, reset instructions have been sent."}

routers/blink.py

@@ -0,0 +1,193 @@
+from fastapi import APIRouter, Depends, HTTPException, status, Query, Request
+from fastapi.responses import JSONResponse
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select, func
+import ipaddress
+import logging
+
+from database import get_db
+from models import BlinkData
+from encryption import decrypt_multiple_blocks
+from dependencies import get_geolocation
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter()
+
+# User ID length constant
+USER_ID_LENGTH = 20
+
+@router.get("/api/data")
+async def get_data(
+    page: int = Query(1, ge=1, description="Page number"),
+    limit: int = Query(100, ge=1, le=500, description="Items per page"),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Get paginated blink data.
+    """
+    try:
+        offset = (page - 1) * limit
+        
+        # Get total count
+        total_result = await db.execute(select(func.count(BlinkData.id)))
+        total = total_result.scalar() or 0
+        
+        # Get unique users count
+        unique_result = await db.execute(select(func.count(func.distinct(BlinkData.user_id))))
+        unique_users = unique_result.scalar() or 0
+        
+        # Get paginated items
+        query = select(BlinkData).order_by(BlinkData.id.desc()).offset(offset).limit(limit)
+        result = await db.execute(query)
+        items = result.scalars().all()
+        
+        return {
+            "items": [
+                {
+                    "id": item.id,
+                    "user_id": item.user_id,
+                    "refer_url": item.refer_url,
+                    "ip_address": item.ip_address,
+                    "ipv4_address": item.ipv4_address,
+                    "ipv6_address": item.ipv6_address,
+                    "country": item.country,
+                    "region": item.region,
+                    "json_data": item.json_data,
+                    "created_at": item.created_at.isoformat() if item.created_at else None
+                }
+                for item in items
+            ],
+            "total": total,
+            "unique_users": unique_users,
+            "page": page,
+            "limit": limit
+        }
+    except Exception as e:
+        logger.error(f"Error fetching data: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Error fetching data"
+        )
+
+
+@router.get("/blink")
+async def blink(
+    request: Request,
+    userid: str = Query(..., description="User ID (20 chars) + encrypted data"),
+    db: AsyncSession = Depends(get_db)
+):
+    """
+    Process blink request with encrypted user data.
+    """
+    try:
+        # Validate minimum length
+        if len(userid) < USER_ID_LENGTH:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=f"Parameter 'userid' must be at least {USER_ID_LENGTH} characters"
+            )
+        
+        # Extract user_id (first 20 characters)
+        user_id = userid[:USER_ID_LENGTH]
+        
+        # Extract encrypted data (remaining characters)
+        encrypted_data = userid[USER_ID_LENGTH:]
+        
+        if not encrypted_data:
+            logger.warning(f"No encrypted data received for user: {user_id}")
+            # Still store the record with empty json_data
+            decrypted_results = []
+        else:
+            # Try to decrypt - might be single or multiple blocks
+            try:
+                decrypted_results = decrypt_multiple_blocks(encrypted_data)
+            except Exception as e:
+                logger.error(f"Decryption failed for user {user_id}: {e}")
+                # Store with error information
+                decrypted_results = [{"error": str(e), "raw_encrypted": encrypted_data[:100]}]
+        
+        # Get referer URL from headers (full URL, not just origin)
+        refer_url = request.headers.get("referer")
+        
+        # Get client IP address
+        # Check X-Forwarded-For header first (for proxies/load balancers)
+        forwarded_for = request.headers.get("x-forwarded-for")
+        if forwarded_for:
+            # X-Forwarded-For can contain multiple IPs, take the first one
+            ip_address = forwarded_for.split(",")[0].strip()
+        else:
+            # Fall back to direct client IP
+            ip_address = request.client.host if request.client else None
+        
+        # Get geolocation from IP address
+        country, region = await get_geolocation(ip_address)
+        
+        # Determine IPv4 vs IPv6
+        ipv4_address = None
+        ipv6_address = None
+        
+        if ip_address:
+            try:
+                ip_obj = ipaddress.ip_address(ip_address)
+                if isinstance(ip_obj, ipaddress.IPv4Address):
+                    ipv4_address = ip_address
+                elif isinstance(ip_obj, ipaddress.IPv6Address):
+                    ipv6_address = ip_address
+            except ValueError:
+                # Invalid IP address format, just keep it in ip_address
+                pass
+        
+        # Store each decrypted result as separate records
+        records_created = 0
+        for json_data in decrypted_results:
+            blink_record = BlinkData(
+                user_id=user_id,
+                refer_url=refer_url,
+                ip_address=ip_address,
+                ipv4_address=ipv4_address,
+                ipv6_address=ipv6_address,
+                country=country,
+                region=region,
+                json_data=json_data
+            )
+            db.add(blink_record)
+            records_created += 1
+        
+        # If no results but we have encrypted data, store a record with the raw data reference
+        if not decrypted_results and encrypted_data:
+            blink_record = BlinkData(
+                user_id=user_id,
+                refer_url=refer_url,
+                ip_address=ip_address,
+                ipv4_address=ipv4_address,
+                ipv6_address=ipv6_address,
+                country=country,
+                region=region,
+                json_data={"encrypted_length": len(encrypted_data)}
+            )
+            db.add(blink_record)
+            records_created = 1
+        
+        await db.commit()
+        
+        logger.info(f"Successfully processed blink for user: {user_id}, records: {records_created}")
+        
+        return JSONResponse(
+            status_code=status.HTTP_200_OK,
+            content={
+                "status": "success",
+                "user_id": user_id,
+                "records_created": records_created
+            }
+        )
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error(f"Error processing blink request: {e}")
+        await db.rollback()
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Internal server error processing request"
+        )

routers/general.py

@@ -0,0 +1,29 @@
+from fastapi import APIRouter
+from fastapi.responses import HTMLResponse
+import os
+
+router = APIRouter()
+
+@router.get("/health")
+async def health_check():
+    """
+    Health check endpoint.
+    """
+    return {"status": "healthy", "service": "url-blink-api"}
+
+
+@router.get("/", response_class=HTMLResponse)
+async def root():
+    """
+    Serve the main HTML page.
+    """
+    # Note: We need to go up one level to find templates since we are in routers/
+    # But actually, app.py is in root, so templates is in root.
+    # The file path logic here needs to be robust.
+    # os.path.dirname(__file__) is routers/
+    # so we need ../templates
+    
+    base_dir = os.path.dirname(os.path.dirname(__file__))
+    template_path = os.path.join(base_dir, "templates", "index.html")
+    with open(template_path, "r") as f:
+        return HTMLResponse(content=f.read())

schemas.py

@@ -0,0 +1,15 @@
+from pydantic import BaseModel, EmailStr, Field
+
+# Pydantic Models
+class CheckRegistrationRequest(BaseModel):
+    user_id: str = Field(..., min_length=1, description="Temporary user ID from frontend")
+
+class RegisterRequest(BaseModel):
+    user_id: str = Field(..., min_length=1, description="Temporary user ID from frontend")
+    email: EmailStr = Field(..., description="User email address")
+
+class ValidateRequest(BaseModel):
+    secret_key: str = Field(..., min_length=35, description="Secret key starting with sk_")
+
+class ResetRequest(BaseModel):
+    email: EmailStr = Field(..., description="User email address")

tests/conftest.py

@@ -0,0 +1,62 @@
+import pytest
+import os
+import sys
+from fastapi.testclient import TestClient
+from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker, AsyncSession
+
+# Add parent directory to path to allow importing app
+sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
+
+from app import app
+from database import get_db, Base
+
+# Use a file-based SQLite database for testing to ensure persistence
+TEST_DATABASE_URL = "sqlite+aiosqlite:///./test_blink_data.db"
+
+@pytest.fixture(scope="session")
+def test_engine():
+    engine = create_async_engine(TEST_DATABASE_URL, echo=False)
+    yield engine
+    # Cleanup after session
+    if os.path.exists("./test_blink_data.db"):
+        os.remove("./test_blink_data.db")
+
+@pytest.fixture(scope="function")
+async def db_session(test_engine):
+    async with test_engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+    
+    async_session = async_sessionmaker(
+        test_engine,
+        class_=AsyncSession,
+        expire_on_commit=False
+    )
+    
+    async with async_session() as session:
+        yield session
+        
+    # We don't drop tables here to allow persistence if needed, 
+    # but for isolation we usually want to. 
+    # However, the previous test relied on persistence for rate limiting.
+    # Let's keep it simple: we clear data manually if needed or rely on fresh DB per run (session scope engine).
+    # Actually, for rate limiting test to work across requests, we need persistence.
+    # But for isolation between tests, we want cleanup.
+    # The previous test_app.py had cleanup_db fixture. Let's replicate that logic in the test file or here.
+    
+    # Let's just yield session here.
+
+@pytest.fixture(scope="function")
+def client(test_engine):
+    async def override_get_db():
+        async_session = async_sessionmaker(
+            test_engine,
+            class_=AsyncSession,
+            expire_on_commit=False
+        )
+        async with async_session() as session:
+            yield session
+
+    app.dependency_overrides[get_db] = override_get_db
+    with TestClient(app) as c:
+        yield c
+    app.dependency_overrides.clear()

tests/test_integration.py

@@ -0,0 +1,91 @@
+import pytest
+from unittest.mock import patch
+import os
+from sqlalchemy import text
+
+# Cleanup fixture
+@pytest.fixture(autouse=True)
+def cleanup_db():
+    if os.path.exists("./test_blink_data.db"):
+        # We can't easily delete the file if it's open by the engine in conftest.
+        # Instead, we should probably truncate tables.
+        pass
+    yield
+    # Cleanup logic if needed
+
+# We need a way to clear data between tests if we want isolation.
+# Since we are using a file-based DB shared across the session (engine),
+# we should truncate tables.
+
+@pytest.fixture(autouse=True)
+async def clear_tables(db_session):
+    # Truncate all tables
+    async with db_session.begin():
+        await db_session.execute(text("DELETE FROM users"))
+        await db_session.execute(text("DELETE FROM rate_limits"))
+        await db_session.execute(text("DELETE FROM audit_logs"))
+        await db_session.execute(text("DELETE FROM blink_data"))
+    await db_session.commit()
+
+@patch("routers.auth.send_email")
+def test_credit_system_flow(mock_send_email, client):
+    mock_send_email.return_value = True
+    
+    # 1. Register
+    response = client.post("/auth/register", json={
+        "user_id": "test-user-1",
+        "email": "test@example.com"
+    })
+    assert response.status_code == 200
+    assert response.json()["success"] == True
+    
+    # 2. Check registration
+    response = client.post("/auth/check-registration", json={"user_id": "test-user-1"})
+    assert response.status_code == 200
+    assert response.json()["is_registered"] == True
+
+    # 3. Validate with mocked key (we need to know the key)
+    # Since we can't easily get the key from the hashed DB, let's mock generate_secret_key
+    with patch("routers.auth.generate_secret_key", return_value="sk_test_key_1234567890123456789012345"):
+        # Register user 2
+        client.post("/auth/register", json={
+            "user_id": "test-user-2",
+            "email": "test2@example.com"
+        })
+        
+        # Validate
+        response = client.post("/auth/validate", json={"secret_key": "sk_test_key_1234567890123456789012345"})
+        assert response.status_code == 200
+        assert response.json()["valid"] == True
+        assert response.json()["credits"] == 100
+
+def test_blink_flow(client):
+    # Test Blink Endpoint
+    # We need a valid userid format: 20 chars + encrypted data
+    user_id = "12345678901234567890"
+    encrypted_data = "some_encrypted_data_base64"
+    userid_param = user_id + encrypted_data
+    
+    response = client.get(f"/blink?userid={userid_param}")
+    assert response.status_code == 200
+    data = response.json()
+    assert data["status"] == "success"
+    assert data["user_id"] == user_id
+    
+    # Verify data stored (via API)
+    response = client.get("/api/data")
+    assert response.status_code == 200
+    items = response.json()["items"]
+    assert len(items) > 0
+    assert items[0]["user_id"] == user_id
+
+@patch("routers.auth.send_email")
+def test_rate_limiting(mock_send_email, client):
+    # 10 requests should succeed
+    for _ in range(10):
+        response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
+        assert response.status_code == 200
+        
+    # 11th request should fail
+    response = client.post("/auth/check-registration", json={"user_id": "rate-limit-test"})
+    assert response.status_code == 429