Spaces:

sk3078
/

taskflow-api

Sleeping

suhail

good

ae8175d about 1 month ago

6.59 kB

	# """Security utilities for authentication and authorization."""
	# import jwt
	# from datetime import datetime, timedelta
	# from passlib.context import CryptContext
	# from fastapi import HTTPException, status
	# from typing import Optional

	# # Password hashing context
	# pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


	# def hash_password(password: str) -> str:
	# if len(password.encode("utf-8")) > 72:
	# raise HTTPException(
	# status_code=status.HTTP_400_BAD_REQUEST,
	# detail="Password must be at most 72 characters"
	# )
	# return pwd_context.hash(password)


	# def verify_password(plain_password: str, hashed_password: str) -> bool:
	# """
	# Verify a password against its hash.

	# Args:
	# plain_password: Plain text password to verify
	# hashed_password: Hashed password to compare against

	# Returns:
	# True if password matches, False otherwise
	# """
	# return pwd_context.verify(plain_password, hashed_password)


	# def create_jwt_token(user_id: int, email: str, secret: str, expiration_days: int = 7) -> str:
	# """
	# Create a JWT token for a user.

	# Args:
	# user_id: User's unique identifier
	# email: User's email address
	# secret: Secret key for signing the token
	# expiration_days: Number of days until token expires (default: 7)

	# Returns:
	# Encoded JWT token string
	# """
	# now = datetime.utcnow()
	# payload = {
	# "sub": str(user_id),
	# "email": email,
	# "iat": now,
	# "exp": now + timedelta(days=expiration_days),
	# "iss": "better-auth"
	# }
	# return jwt.encode(payload, secret, algorithm="HS256")


	# def verify_jwt_token(token: str, secret: str) -> dict:
	# """
	# Verify and decode a JWT token.

	# Args:
	# token: JWT token string to verify
	# secret: Secret key used to sign the token

	# Returns:
	# Decoded token payload as dictionary

	# Raises:
	# HTTPException: 401 if token is expired or invalid
	# """
	# try:
	# payload = jwt.decode(
	# token,
	# secret,
	# algorithms=["HS256"],
	# options={
	# "verify_signature": True,
	# "verify_exp": True,
	# "require": ["sub", "email", "iat", "exp", "iss"]
	# }
	# )

	# # Validate issuer
	# if payload.get("iss") != "better-auth":
	# raise HTTPException(
	# status_code=status.HTTP_401_UNAUTHORIZED,
	# detail="Invalid token issuer",
	# headers={"WWW-Authenticate": "Bearer"}
	# )

	# return payload

	# except jwt.ExpiredSignatureError:
	# raise HTTPException(
	# status_code=status.HTTP_401_UNAUTHORIZED,
	# detail="Token has expired",
	# headers={"WWW-Authenticate": "Bearer"}
	# )
	# except jwt.InvalidTokenError:
	# raise HTTPException(
	# status_code=status.HTTP_401_UNAUTHORIZED,
	# detail="Invalid token",
	# headers={"WWW-Authenticate": "Bearer"}
	# )
	"""
	Security utilities for authentication and authorization.
	"""
	from datetime import datetime, timedelta
	from typing import Dict, Any
	import hashlib

	import jwt
	from passlib.context import CryptContext
	from fastapi import HTTPException, status, Depends
	from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

	from src.core.config import settings

	# =========================
	# Password hashing (bcrypt-safe FINAL)
	# =========================

	pwd_context = CryptContext(
	schemes=["bcrypt"],
	deprecated="auto"
	)

	security = HTTPBearer()


	def _normalize_password(password: str) -> bytes:
	"""
	Convert password to fixed-length digest.
	This COMPLETELY avoids bcrypt 72-byte crashes.
	"""
	return hashlib.sha256(password.encode("utf-8")).digest()


	def hash_password(password: str) -> str:
	"""
	Hash password safely (SHA256 → bcrypt).
	"""
	return pwd_context.hash(_normalize_password(password))


	def verify_password(plain_password: str, hashed_password: str) -> bool:
	"""
	Verify password with AUTO migration from legacy hashes.
	"""
	try:
	# New method (SHA256 → bcrypt)
	normalized = hashlib.sha256(
	plain_password.encode("utf-8")
	).digest()

	if pwd_context.verify(normalized, hashed_password):
	return True

	except Exception:
	pass

	# 🔁 Legacy fallback (OLD system)
	try:
	legacy = hashlib.sha256(
	plain_password.encode("utf-8")
	).hexdigest()

	return pwd_context.verify(legacy, hashed_password)

	except Exception:
	return False


	# =========================
	# JWT utilities
	# =========================

	def create_jwt_token(
	user_id: int,
	email: str,
	secret: str,
	expiration_days: int = 7
	) -> str:
	now = datetime.utcnow()
	payload = {
	"sub": str(user_id),
	"email": email,
	"iat": now,
	"exp": now + timedelta(days=expiration_days),
	"iss": "better-auth",
	}
	return jwt.encode(payload, secret, algorithm="HS256")


	def verify_jwt_token(token: str, secret: str) -> dict:
	try:
	payload = jwt.decode(
	token,
	secret,
	algorithms=["HS256"],
	options={"verify_exp": True},
	)

	if payload.get("iss") != "better-auth":
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Invalid token issuer"
	)

	return payload

	except jwt.ExpiredSignatureError:
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Token expired"
	)
	except jwt.InvalidTokenError:
	raise HTTPException(
	status_code=status.HTTP_401_UNAUTHORIZED,
	detail="Invalid token"
	)


	# =========================
	# FastAPI dependency
	# =========================

	def get_current_user(
	credentials: HTTPAuthorizationCredentials = Depends(security)
	) -> Dict[str, Any]:
	"""
	Extract and validate JWT token from Authorization header.
	"""
	token = credentials.credentials
	payload = verify_jwt_token(token, settings.BETTER_AUTH_SECRET)

	return {
	"id": int(payload["sub"]),
	"email": payload.get("email"),
	"iat": payload.get("iat"),
	"exp": payload.get("exp"),
	}