Update main.py

main.py

@@ -186,14 +186,12 @@ def verify_token(req):
     """
     Verify Firebase ID token and check if user is admin.
     Automatically creates admin entry in DB if email is in ADMIN_EMAILS but UID is not found.
-    Tries to extract email from token claims or firebase identities.
+    Uses Firebase Admin SDK to get user email if not directly available in token or DB.
     Returns decoded token dict if valid admin, None otherwise.
     """
-    logger = logging.getLogger('guards_api') # Assuming logger is configured as in your full script
-
     auth_header = req.headers.get("Authorization")
     if not auth_header:
-        logger.warning("Authorization header missing.")
+        print("Authorization header missing.")
         return None
 
     try:
@@ -203,86 +201,84 @@ def verify_token(req):
         else:
             token = auth_header.strip()
 
-        # Verify the token
+        # Verify the token to get the UID
         decoded = firebase_auth.verify_id_token(token)
-        logger.debug(f"Token verified successfully. Decoded token keys: {list(decoded.keys())}")
+        # print(f"DEBUG: Token verified successfully. Decoded token keys: {list(decoded.keys())}") # Optional debug
 
         # Get user UID from decoded token
-        uid = decoded.get('uid') or decoded.get('user_id') # Fallback to 'user_id' if 'uid' is missing (though 'uid' should be standard)
-        logger.debug(f"Extracted UID: {uid}")
+        uid = decoded.get('uid') or decoded.get('user_id') # Fallback for robustness
+        # print(f"DEBUG: Extracted UID: {uid}") # Optional debug
 
         if not uid:
-            logger.error("Verified token does not contain a UID or user_id.")
+            print("Verified token does not contain a UID or user_id.")
             return None
 
-        # Attempt to get email from decoded token
-        email = decoded.get('email')
-        logger.debug(f"Direct email claim from token: {email}")
-
-        # If email not directly available, try to get it from firebase identities
-        if not email and 'firebase' in decoded and 'identities' in decoded['firebase']:
-            identities = decoded['firebase']['identities']
-            logger.debug(f"Firebase identities found: {identities}")
-            # Common provider emails (Google, etc.)
-            google_emails = identities.get('google.com', [])
-            if google_emails and isinstance(google_emails, list):
-                email = google_emails[0] # Take the first one if multiple
-                logger.debug(f"Email extracted from google.com identity: {email}")
-            # Add checks for other providers if needed (e.g., 'email', etc.)
-            # Fallback: check if there's a generic 'email' list
-            if not email:
-                generic_emails = identities.get('email', [])
-                if generic_emails and isinstance(generic_emails, list):
-                    email = generic_emails[0]
-                    logger.debug(f"Email extracted from generic 'email' identity: {email}")
-
-        logger.debug(f"Final extracted email: {email}")
-
-        # Check if user is admin by querying Firebase Realtime Database using UID
+        # --- Core Logic Change Starts Here ---
+
+        # 1. Check if user is admin by querying Firebase Realtime Database using UID first
         admins_ref = db.reference("/admins")
-        admin_data = admins_ref.child(uid).get()
-        logger.debug(f"Admin data retrieved for UID {uid}: {admin_data}")
+        admin_data_db = admins_ref.child(uid).get()
+        # print(f"DEBUG: Admin data retrieved for UID {uid}: {admin_data_db}") # Optional debug
 
-        if admin_data and admin_data.get("is_admin", False):
+        if admin_data_db and admin_data_db.get("is_admin", False):
             # User is already an admin in the database
-            logger.info(f"User {uid} ({email}) is authorized as admin (found in DB).")
+            email_for_logging = admin_data_db.get("email", "Unknown Email")
+            print(f"User {uid} ({email_for_logging}) is authorized as admin (found in DB).")
             return decoded
 
-        elif email and email in ADMIN_EMAILS:
+        # 2. If not found in DB, get the user's email using the Firebase Admin SDK
+        email = None
+        try:
+            user_record = firebase_auth.get_user(uid)
+            email = user_record.email
+            # print(f"DEBUG: Email retrieved via Firebase Admin SDK for UID {uid}: {email}") # Optional debug
+        except firebase_auth.UserNotFoundError:
+            print(f"User with UID {uid} not found in Firebase Authentication.")
+            return None
+        except Exception as e:
+            print(f"Error fetching user details for UID {uid} from Firebase Auth: {e}")
+            # Cannot reliably verify email, deny access
+            return None
+
+        # 3. Check if the retrieved email is in the approved ADMIN_EMAILS list
+        if email and email in ADMIN_EMAILS:
             # User's email is in the approved list, but UID not found in DB.
             # This is likely their first time accessing the API.
-            # Automatically create their admin entry using their UID.
-            logger.info(f"First time admin access for {email} (UID: {uid}). Creating database entry.")
+            # Automatically create their admin entry in the Realtime Database using their UID.
+            print(f"First time admin access for {email} (UID: {uid}). Creating database entry.")
             try:
                 admins_ref.child(uid).set({
                     "email": email,
                     "is_admin": True
-                    # Removed first_seen to keep it simple like original, add back if needed
                 })
-                logger.info(f"Admin entry created for UID {uid}.")
-                # Return the decoded token as they are now an admin
+                print(f"Admin entry successfully created for UID {uid}.")
+                # User is now an admin, grant access
                 return decoded
             except Exception as db_error:
-                logger.error(f"Failed to create admin entry for UID {uid} in database: {db_error}", exc_info=True)
-                # Deny access if we can't record it
+                print(f"Failed to create admin entry for UID {uid} in database: {db_error}")
+                # Failed to record admin status, deny access for security
                 return None
-
         else:
-            # User is not in the approved admin list or email not found/extractable
-            logger.warning(f"User {uid} (Email: {email}) is not in the approved admin list or email not found/extractable.")
+            # User's email is not in the approved list or email could not be retrieved/verified
+            print(f"Access denied for UID {uid}. Email '{email}' not in approved list or not retrievable.")
             return None
 
+        # --- Core Logic Change Ends Here ---
+
     except firebase_auth.InvalidIdTokenError as e:
-        logger.error(f"Invalid Firebase ID token provided: {e}")
+        print(f"Invalid Firebase ID token provided: {e}")
         return None
     except firebase_auth.ExpiredIdTokenError as e:
-        logger.error(f"Firebase ID token has expired: {e}")
+        print(f"Firebase ID token has expired: {e}")
         return None
     except firebase_auth.RevokedIdTokenError as e:
-        logger.error(f"Firebase ID token has been revoked: {e}")
+        print(f"Firebase ID token has been revoked: {e}")
         return None
     except Exception as e:
-        logger.error(f"Unexpected error during token verification: {e}", exc_info=True) # exc_info logs the full traceback
+        print(f"Unexpected error during token verification: {e}")
+        # Consider logging the full traceback in production
+        # import traceback
+        # print(traceback.format_exc())
         return None
 
 # === Admin Setup (Legacy - kept for compatibility) ===