""" Authentication endpoints for testing Clerk integration. This module provides endpoints for testing authentication functionality and retrieving user information. """ import logging from typing import Dict, Any, Optional from datetime import datetime from fastapi import APIRouter, Depends, HTTPException, status from fastapi.responses import JSONResponse from ...models.user import UserProfile, UserPermissions, UserRole, AuthResponse from ...api.dependencies import ( get_authenticated_user, get_authenticated_user_id, get_verified_user, get_optional_user, get_request_context ) from ...core.auth import clerk_manager logger = logging.getLogger(__name__) router = APIRouter(prefix="/auth", tags=["Authentication"]) @router.get("/me", response_model=UserProfile) async def get_current_user_profile( user_info: Dict[str, Any] = Depends(get_authenticated_user) ) -> UserProfile: """ Get current authenticated user profile. Returns: UserProfile: Current user's profile information """ try: # Handle potentially missing or invalid datetime fields from Clerk def parse_datetime_field(value) -> Optional[datetime]: """Parse datetime field that might be None, timestamp (ms), or string.""" if value is None: return None if isinstance(value, datetime): return value if isinstance(value, (int, float)): try: # Convert milliseconds timestamp to datetime return datetime.fromtimestamp(value / 1000) except (ValueError, OSError): return None if isinstance(value, str): try: # Handle ISO format with Z suffix return datetime.fromisoformat(value.replace('Z', '+00:00')) except (ValueError, AttributeError): return None return None # Extract actual user data from nested structure # Handle both nested ('user_info') and direct user data structures if isinstance(user_info, dict) and 'user_info' in user_info: # Nested structure from get_current_user actual_user_info = user_info['user_info'] else: # Direct user_info from get_verified_user actual_user_info = user_info # Debug logging to understand the Clerk API response structure logger.debug(f"Processing user profile for user_id: {actual_user_info.get('id', 'unknown')}") if "email_addresses" in actual_user_info: logger.debug(f"Email addresses found: {len(actual_user_info['email_addresses'])} entries") # Validate we have the required user ID if not actual_user_info.get('id'): logger.error(f"No user ID found in user_info: {user_info}") raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid user information" ) # Extract email from email_addresses array (Clerk standard structure) email = actual_user_info.get("email") email_verified = actual_user_info.get("email_verified", False) # Look for email in email_addresses array if not found directly email_addresses = actual_user_info.get("email_addresses", []) if not email and email_addresses: # Get primary email or first verified email primary_email_id = actual_user_info.get("primary_email_address_id") if primary_email_id: primary_email = next((e for e in email_addresses if e.get("id") == primary_email_id), None) if primary_email: email = primary_email.get("email_address") # Check verification status from the email object verification = primary_email.get("verification", {}) email_verified = verification.get("status") == "verified" # Fallback to first email if no primary found if not email and email_addresses: first_email = email_addresses[0] email = first_email.get("email_address") verification = first_email.get("verification", {}) email_verified = verification.get("status") == "verified" # Build full name with proper fallbacks first_name = actual_user_info.get('first_name') or '' last_name = actual_user_info.get('last_name') or '' full_name = f"{first_name} {last_name}".strip() # Fallback chain for full_name if not full_name: full_name = actual_user_info.get("username") or email or "Unknown User" # Convert Clerk user info to UserProfile user_profile = UserProfile( id=actual_user_info["id"], username=actual_user_info.get("username"), full_name=full_name, email=email, image_url=actual_user_info.get("image_url"), email_verified=email_verified, created_at=parse_datetime_field(actual_user_info.get("created_at")), last_sign_in_at=parse_datetime_field(actual_user_info.get("last_sign_in_at")) ) logger.info(f"User profile retrieved successfully for user {actual_user_info['id']}: {user_profile.dict()}") return user_profile except Exception as e: logger.error(f"Failed to get user profile: {e}", exc_info=True) raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Failed to retrieve user profile" ) @router.get("/permissions") async def get_user_permissions( user_info: Dict[str, Any] = Depends(get_verified_user) ) -> UserPermissions: """ Get current user's permissions. Returns: UserPermissions: User's permissions and access levels """ try: # Extract actual user data from nested structure if isinstance(user_info, dict) and 'user_info' in user_info: # Nested structure from get_current_user actual_user_info = user_info['user_info'] else: # Direct user_info from get_verified_user actual_user_info = user_info # Validate user_info structure if not actual_user_info or not actual_user_info.get("id"): logger.error(f"Invalid user_info structure: {user_info}") raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid user information" ) # For now, assign basic user role # In a real implementation, you would check Clerk metadata or roles user_role = UserRole.USER # Check if user is admin (placeholder logic) # This would be based on Clerk metadata or roles # Extract email from email_addresses array (Clerk standard structure) user_email = actual_user_info.get("email") # Look for email in email_addresses array if not found directly email_addresses = actual_user_info.get("email_addresses", []) if not user_email and email_addresses: # Get primary email or first email primary_email_id = actual_user_info.get("primary_email_address_id") if primary_email_id: primary_email = next((e for e in email_addresses if e.get("id") == primary_email_id), None) if primary_email: user_email = primary_email.get("email_address") # Fallback to first email if no primary found if not user_email and email_addresses: first_email = email_addresses[0] user_email = first_email.get("email_address") if user_email and user_email.endswith("@admin.com"): user_role = UserRole.ADMIN permissions = UserPermissions.from_user_role( user_id=actual_user_info["id"], role=user_role ) logger.info(f"Permissions retrieved for user {actual_user_info['id']}: {user_role}") return permissions except Exception as e: logger.error(f"Failed to get user permissions: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Failed to retrieve user permissions" ) @router.get("/status") async def get_auth_status( user_info: Dict[str, Any] = Depends(get_optional_user), request_context: Dict[str, Any] = Depends(get_request_context) ) -> Dict[str, Any]: """ Get authentication status for current request. This endpoint works with or without authentication to show auth status. Returns: Dict containing authentication status and user info if authenticated """ try: # Debug logging to understand the structure logger.info(f"Auth status check - user_info type: {type(user_info)}, content: {user_info}") logger.info(f"Auth status check - request_context: {request_context}") # Extract actual user data from nested structure if isinstance(user_info, dict) and 'user_info' in user_info: # Nested structure from get_current_user actual_user_info = user_info['user_info'] elif user_info: # Direct user_info from get_verified_user actual_user_info = user_info else: actual_user_info = {} if user_info and actual_user_info.get("id"): # Extract email from email_addresses array (Clerk standard structure) email = actual_user_info.get("email") email_verified = actual_user_info.get("email_verified", False) # Look for email in email_addresses array if not found directly email_addresses = actual_user_info.get("email_addresses", []) if not email and email_addresses: # Get primary email or first email primary_email_id = actual_user_info.get("primary_email_address_id") if primary_email_id: primary_email = next((e for e in email_addresses if e.get("id") == primary_email_id), None) if primary_email: email = primary_email.get("email_address") # Check verification status from the email object verification = primary_email.get("verification", {}) email_verified = verification.get("status") == "verified" # Fallback to first email if no primary found if not email and email_addresses: first_email = email_addresses[0] email = first_email.get("email_address") verification = first_email.get("verification", {}) email_verified = verification.get("status") == "verified" return { "authenticated": True, "user_id": actual_user_info.get("id"), "email": email, "email_verified": email_verified, "username": actual_user_info.get("username"), "request_context": { "path": request_context.get("path", "unknown"), "method": request_context.get("method", "unknown"), "client_ip": request_context.get("client_ip", "unknown") } } else: return { "authenticated": False, "message": "No authentication provided", "request_context": { "path": request_context.get("path", "unknown"), "method": request_context.get("method", "unknown"), "client_ip": request_context.get("client_ip", "unknown") } } except Exception as e: logger.error(f"Failed to get auth status: {e}") return { "authenticated": False, "error": f"Failed to determine authentication status: {str(e)}", "request_context": { "path": request_context.get("path", "unknown") if request_context else "unknown", "method": request_context.get("method", "unknown") if request_context else "unknown", "client_ip": request_context.get("client_ip", "unknown") if request_context else "unknown" } } @router.post("/verify") async def verify_token( user_info: Dict[str, Any] = Depends(get_verified_user) ) -> Dict[str, Any]: """ Verify authentication token and return user information. This endpoint requires a verified user (email verified). Returns: Dict containing verification status and user information """ try: return { "verified": True, "user_id": user_info["id"], "email": user_info.get("email"), "email_verified": user_info.get("email_verified", False), "message": "Token verified successfully" } except Exception as e: logger.error(f"Token verification failed: {e}") raise HTTPException( status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Token verification failed" ) @router.get("/health") async def auth_health_check() -> Dict[str, Any]: """ Check authentication service health. Returns: Dict containing authentication service health status """ try: # Check Clerk manager health clerk_health = clerk_manager.health_check() return { "status": "healthy" if clerk_health["status"] == "healthy" else "unhealthy", "clerk": clerk_health, "message": "Authentication service health check completed" } except Exception as e: logger.error(f"Auth health check failed: {e}") return { "status": "unhealthy", "error": str(e), "message": "Authentication service health check failed" } @router.get("/test-protected") async def test_protected_endpoint( user_id: str = Depends(get_authenticated_user_id) ) -> Dict[str, Any]: """ Test endpoint that requires authentication. Returns: Dict containing success message and user ID """ logger.info(f"Protected endpoint accessed by user {user_id}") return { "message": "Successfully accessed protected endpoint", "user_id": user_id, "timestamp": datetime.utcnow().isoformat() + "Z" } @router.get("/test-verified") async def test_verified_endpoint( user_info: Dict[str, Any] = Depends(get_verified_user) ) -> Dict[str, Any]: """ Test endpoint that requires verified user. Returns: Dict containing success message and user information """ logger.info(f"Verified endpoint accessed by user {user_info['id']}") return { "message": "Successfully accessed verified user endpoint", "user_id": user_info["id"], "email": user_info.get("email"), "email_verified": user_info.get("email_verified", False), "timestamp": datetime.utcnow().isoformat() + "Z" }