feat:added payslip service

requirements.txt

@@ -54,6 +54,7 @@ pydantic-settings==2.12.0
 pydantic_core==2.41.5
 pyparsing==3.2.5
 PyPDF2==3.0.1
+python-dateutil==2.9.0.post0
 python-dotenv==1.2.1
 python-jose==3.5.0
 python-multipart==0.0.20

src/payslip/googleservice.py

@@ -1,68 +1,69 @@
+# src/payslip/googleservice.py
 import base64
 import json
 import requests
-from typing import Tuple
 from fastapi import HTTPException
-
 from src.core.config import settings
 
+# TEMPORARY in-memory store
+GOOGLE_TOKENS = {}  # user_id -> refresh_token
+
 
 def exchange_code_for_tokens(code: str):
-    """
-    Exchange Google 'code' for access_token + refresh_token
-    """
+    """Exchange authorization code for access + refresh tokens."""
     data = {
-        "code": code,
         "client_id": settings.GOOGLE_CLIENT_ID,
         "client_secret": settings.GOOGLE_CLIENT_SECRET,
-        "redirect_uri": settings.GOOGLE_REDIRECT_URI,
+        "code": code,
         "grant_type": "authorization_code",
+        "redirect_uri": settings.GOOGLE_REDIRECT_URI,
     }
 
-    res = requests.post(settings.TOKEN_URL, data=data)
-    if res.status_code != 200:
-        raise HTTPException(500, f"Google token exchange error: {res.text}")
+    response = requests.post(settings.TOKEN_URL, data=data)
+    return response.json()
 
-    return res.json()
 
+def extract_email_from_id_token(id_token: str) -> str:
+    """Decode ID token to extract the email Google selected."""
+    try:
+        payload_part = id_token.split(".")[1] + "==="
+        decoded = json.loads(base64.urlsafe_b64decode(payload_part))
+        return decoded.get("email")
+    except Exception:
+        raise HTTPException(400, "Invalid ID token format")
 
-def refresh_google_access_token(refresh_token: str) -> str:
-    """
-    Input → refresh_token  
-    Output → new access_token
-    """
+
+def refresh_google_access_token(refresh_token: str):
+    """Refresh access token using refresh_token."""
     data = {
-        "refresh_token": refresh_token,
         "client_id": settings.GOOGLE_CLIENT_ID,
         "client_secret": settings.GOOGLE_CLIENT_SECRET,
+        "refresh_token": refresh_token,
         "grant_type": "refresh_token",
     }
 
-    res = requests.post(settings.TOKEN_URL, data=data)
-    if res.status_code != 200:
-        raise HTTPException(500, f"Failed to refresh access token: {res.text}")
+    response = requests.post(settings.TOKEN_URL, data=data)
+    token_data = response.json()
 
-    return res.json()["access_token"]
+    if "access_token" not in token_data:
+        raise HTTPException(400, f"Google refresh failed: {token_data}")
 
+    return token_data["access_token"]
 
-def build_email(from_email: str, to_email: str, subject: str, body: str) -> str:
-    """
-    Gmail API expects Base64URL-encoded email.
-    """
+
+def build_email(from_email: str, to_email: str, subject: str, body: str):
+    """Build raw Gmail MIME email."""
     message = (
         f"From: {from_email}\r\n"
         f"To: {to_email}\r\n"
-        f"Subject: {subject}\r\n"
-        "\r\n"
+        f"Subject: {subject}\r\n\r\n"
         f"{body}"
     )
-
-    message_bytes = message.encode("utf-8")
-    encoded = base64.urlsafe_b64encode(message_bytes).decode("utf-8")
-    return encoded
+    return base64.urlsafe_b64encode(message.encode("utf-8")).decode("utf-8")
 
 
-def send_gmail(access_token: str, raw_message: str) -> str:
+def send_gmail(access_token: str, raw_message: str):
+    """Send email through Gmail API."""
     url = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"
 
     headers = {
@@ -70,11 +71,12 @@ def send_gmail(access_token: str, raw_message: str) -> str:
         "Content-Type": "application/json",
     }
 
-    payload = {"raw": raw_message}
+    data = {"raw": raw_message}
 
-    res = requests.post(url, headers=headers, data=json.dumps(payload))
+    res = requests.post(url, headers=headers, json=data)
+    data = res.json()
 
-    if res.status_code not in (200, 202):
-        raise HTTPException(500, f"Gmail API error: {res.text}")
+    if "id" not in data:
+        raise HTTPException(400, f"Gmail send error: {data}")
 
-    return res.json().get("id")  # message_id
+    return data["id"]

src/payslip/router.py

@@ -1,21 +1,127 @@
-from fastapi import APIRouter, Depends
-from src.payslip.schemas import PayslipRequestSchema
-from src.payslip.service import process_payslip_request
-from src.auth.utils import get_current_user
+# src/payslip/router.py
+from fastapi import APIRouter, Depends, HTTPException
+from fastapi.responses import HTMLResponse
+from urllib.parse import urlencode
+import uuid
+
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+
+from src.core.config import settings
 from src.core.database import get_async_session
 from src.core.models import Users
+from src.payslip.schemas import PayslipRequestSchema
+from src.payslip.service import process_payslip_request
+from src.payslip.googleservice import (
+    exchange_code_for_tokens,
+    extract_email_from_id_token,
+)
+from src.payslip.utils import get_current_user_model
+from src.payslip.models import PayslipRequest, PayslipStatus
+
+router = APIRouter(prefix="/payslips", tags=["Payslips & Gmail"])
+
+
+@router.get("/gmail/connect-url")
+async def gmail_connect_url(user_id: uuid.UUID):
+    """
+    Returns the Google OAuth URL for the frontend to open in InAppBrowser.
+    """
+    params = {
+        "client_id": settings.GOOGLE_CLIENT_ID,
+        "redirect_uri": settings.GOOGLE_REDIRECT_URI,
+        "response_type": "code",
+        "scope": "openid email profile https://www.googleapis.com/auth/gmail.send",
+        "access_type": "offline",
+        "prompt": "consent",
+        "state": str(user_id),
+    }
+    return {"auth_url": f"{settings.AUTH_BASE}?{urlencode(params)}"}
+
+
+@router.get("/gmail/callback", response_class=HTMLResponse)
+async def gmail_callback(
+    code: str,
+    state: str,
+    session: AsyncSession = Depends(get_async_session),
+):
+    """
+    Google redirects here with ?code & ?state=user_id.
+    We:
+      - exchange code for tokens
+      - verify the Google email matches our user's email
+      - store refresh_token into payslip_requests table
+    """
+    user_id = uuid.UUID(state)
+    user = await session.get(Users, user_id)
+
+    if not user:
+        raise HTTPException(400, "User not found for given state")
+
+    token_data = exchange_code_for_tokens(code)
+    google_email = extract_email_from_id_token(token_data["id_token"])
+
+    if google_email.lower() != user.email_id.lower():
+        raise HTTPException(
+            400,
+            f"Please select your registered email: {user.email_id}",
+        )
+
+    refresh_token = token_data.get("refresh_token")
+    if not refresh_token:
+        raise HTTPException(400, "No refresh token received from Google")
+
+    # Check if this user already has any payslip row
+    q = (
+        select(PayslipRequest)
+        .where(PayslipRequest.user_id == user_id)
+        .order_by(PayslipRequest.requested_at.desc())
+    )
+    existing = (await session.execute(q)).scalar_one_or_none()
+
+    if existing:
+        # Update the latest row with new refresh token
+        existing.refresh_token = refresh_token
+        # Do NOT change requested_at or status here;
+        # this endpoint is only for (re)connecting Gmail.
+        session.add(existing)
+    else:
+        # First time ever connecting Gmail -> create a "connection row"
+        connection_row = PayslipRequest(
+            user_id=user_id,
+            refresh_token=refresh_token,
+            status=PayslipStatus.PENDING,  # not an actual request yet
+            # requested_at default is now; one_request_per_day ignores PENDING rows
+        )
+        session.add(connection_row)
+
+    await session.commit()
 
-router = APIRouter(prefix="/payslips", tags=["Payslips"])
+    return """
+    <html><body>
+        <h1>Gmail Connected Successfully ✔</h1>
+        <p>You may now request your payslip.</p>
+    </body></html>
+    """
 
 
 @router.post("/request")
-def request_payslip(
+async def request_payslip(
     payload: PayslipRequestSchema,
     session: AsyncSession = Depends(get_async_session),
-    user: Users = Depends(get_current_user),
+    user: Users = Depends(get_current_user_model),
 ):
-    entry = process_payslip_request(session, user, payload)
+    """
+    User hits this when pressing "Request Payslip" in the app.
+    We:
+      - enforce 1 request per day
+      - compute period
+      - validate join date
+      - load refresh_token from payslip_requests table
+      - send email
+      - update or create row in payslip_requests
+    """
+    entry = await process_payslip_request(session, user, payload)
     return {
         "status": entry.status,
         "requested_at": entry.requested_at,

src/payslip/service.py

@@ -1,8 +1,13 @@
-from sqlmodel import Session, select
+# src/payslip/service.py
+from datetime import datetime, date
+
 from fastapi import HTTPException
-from src.payslip.models import PayslipRequest, PayslipStatus
-from src.core.models import Users, Roles, UserTeamsRole
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
 
+from src.payslip.models import PayslipRequest, PayslipStatus
+from src.core.models import Users, Roles, UserTeamsRole, Teams
+from src.payslip.schemas import PayslipRequestSchema
 from src.payslip.utils import calculate_period, validate_join_date
 from src.payslip.googleservice import (
     refresh_google_access_token,
@@ -11,79 +16,141 @@ from src.payslip.googleservice import (
 )
 
 
-def get_latest_refresh_token(session: Session, user_id):
-    stmt = (
-        select(PayslipRequest)
-        .where(
-            PayslipRequest.user_id == user_id,
-            PayslipRequest.refresh_token.is_not(None),
-        )
-        .order_by(PayslipRequest.requested_at.desc())
+async def user_team_name(session: AsyncSession, user_id):
+    """Return user's team name."""
+    q = select(UserTeamsRole).where(UserTeamsRole.user_id == user_id)
+    mapping = (await session.execute(q)).scalar_one_or_none()
+
+    if not mapping:
+        return "Unknown Team"
+
+    team = await session.get(Teams, mapping.team_id)
+    return team.name if team else "Unknown Team"
+
+
+async def one_request_per_day(session: AsyncSession, user_id):
+    """
+    Enforce: one payslip REQUEST per calendar day.
+    We count only rows where status != PENDING (i.e., actual requests),
+    so that the Gmail-connect row (status=PENDING) does NOT block.
+    """
+    today_start = datetime.combine(date.today(), datetime.min.time())
+
+    q = select(PayslipRequest).where(
+        PayslipRequest.user_id == user_id,
+        PayslipRequest.requested_at >= today_start,
+        PayslipRequest.status != PayslipStatus.PENDING,
     )
-    entry = session.exec(stmt).first()
-    return entry.refresh_token if entry else None
+
+    result = await session.execute(q)
+    if result.scalar_one_or_none():
+        raise HTTPException(400, "You already sent a payslip request today.")
 
 
-def get_hr_email(session: Session) -> str:
-    role = session.exec(select(Roles).where(Roles.name == "HR Manager")).first()
+async def get_hr_email(session: AsyncSession):
+    q = select(Roles).where(Roles.name == "HR Manager")
+    role = (await session.execute(q)).scalar_one_or_none()
     if not role:
-        raise HTTPException(500, "HR Manager role missing")
+        raise HTTPException(500, "HR role missing")
 
-    mapping = session.exec(
-        select(UserTeamsRole).where(UserTeamsRole.role_id == role.id)
-    ).first()
+    q2 = select(UserTeamsRole).where(UserTeamsRole.role_id == role.id)
+    mapping = (await session.execute(q2)).scalar_one_or_none()
 
     if not mapping:
-        raise HTTPException(500, "No HR assigned")
+        raise HTTPException(500, "No HR manager mapped")
 
-    hr_user = session.get(Users, mapping.user_id)
-    return hr_user.email_id
+    hr = await session.get(Users, mapping.user_id)
+    return hr.email_id
 
 
-def process_payslip_request(session: Session, user: Users, payload):
-    # 1. Compute period
+async def get_latest_payslip_row(session: AsyncSession, user_id):
+    """
+    Get the most recent payslip row for this user (any status).
+    We use this to get the refresh_token and to decide whether to update or insert.
+    """
+    q = (
+        select(PayslipRequest)
+        .where(PayslipRequest.user_id == user_id)
+        .order_by(PayslipRequest.requested_at.desc())
+    )
+    return (await session.execute(q)).scalar_one_or_none()
+
+
+async def process_payslip_request(
+    session: AsyncSession, user: Users, payload: PayslipRequestSchema
+):
+    # 1. Only ONE request per day (for actual payslip sends)
+    await one_request_per_day(session, user.id)
+
+    # 2. Validate period based on mode + months
     period_start, period_end = calculate_period(
-        payload.mode, payload.start_month, payload.end_month
+        payload.mode,
+        payload.start_month,
+        payload.end_month,
     )
 
-    # 2. Validate join date
+    # 3. Validate join date
     validate_join_date(user.join_date, period_start)
 
-    # 3. Find refresh_token
-    refresh_token = get_latest_refresh_token(session, user.id)
+    # 4. Get refresh_token from latest payslip row (DB)
+    latest = await get_latest_payslip_row(session, user.id)
+
+    refresh_token = latest.refresh_token if latest else None
 
     if not refresh_token:
+        # No token stored yet
         raise HTTPException(
-            400, "Please connect your Gmail before requesting a payslip."
+            400, "Please connect your Gmail account before requesting payslip."
         )
 
-    # 4. Get access token
+    # 5. Refresh access token with Google
     access_token = refresh_google_access_token(refresh_token)
 
-    # 5. Find HR email
-    hr_email = get_hr_email(session)
+    # 6. Get HR email
+    hr_email = await get_hr_email(session)
 
-    # 6. Build message
+    # 7. Get team name
+    team = await user_team_name(session, user.id)
+
+    # 8. Build email body
     subject = "Payslip Request"
     body = (
-        f"Payslip request from {user.email_id}\n"
-        f"Period: {period_start} → {period_end}"
+        f"Payslip request from {user.user_name} ({user.email_id})\n"
+        f"Team: {team}\n"
+        f"Period: {period_start} → {period_end}\n"
     )
-    raw = build_email(user.email_id, hr_email, subject, body)
-
-    # 7. Send email
-    message_id = send_gmail(access_token, raw)
 
-    # 8. Create new DB record
-    entry = PayslipRequest(
-        user_id=user.id,
-        status=PayslipStatus.SENT,
-        refresh_token=refresh_token,
-        error_message=None,
-    )
+    raw = build_email(user.email_id, hr_email, subject, body)
 
-    session.add(entry)
-    session.commit()
-    session.refresh(entry)
+    # 9. Send email via Gmail API
+    send_gmail(access_token, raw)
+
+    # 10. Decide whether to UPDATE existing row or CREATE a new one
+    now = datetime.now()
+
+    if latest and latest.status == PayslipStatus.PENDING:
+        # This is the "connection row" (created when Gmail was connected)
+        # ✅ Update this row with today's request info
+        latest.status = PayslipStatus.SENT
+        latest.requested_at = now
+        latest.error_message = None
+        latest.refresh_token = refresh_token  # keep token
+        session.add(latest)
+        await session.commit()
+        await session.refresh(latest)
+        return latest
+    else:
+        # Either no row existed, or latest is already SENT/FAILED.
+        # ✅ Create a new row for this request, copying the refresh token.
+        entry = PayslipRequest(
+            user_id=user.id,
+            status=PayslipStatus.SENT,
+            requested_at=now,
+            refresh_token=refresh_token,
+            error_message=None,
+        )
 
-    return entry
+        session.add(entry)
+        await session.commit()
+        await session.refresh(entry)
+        return entry

src/payslip/utils.py

@@ -1,57 +1,109 @@
+# src/payslip/utils.py
 from datetime import date, datetime
-from fastapi import HTTPException
+from typing import Optional
 
+from dateutil.relativedelta import relativedelta
+from fastapi import Depends, HTTPException
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from jose import jwt, JWTError
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
 
-def parse_month(month_str: str) -> date:
-    """Convert YYYY-MM to a date object representing first day of the month."""
+from src.core.database import get_async_session
+from src.core.models import Users
+from src.core.config import settings
+
+bearer_scheme = HTTPBearer()
+
+SECRET_KEY = settings.SECRET_KEY
+ALGORITHM = settings.JWT_ALGORITHM
+
+
+def _parse_month(month_str: str) -> date:
+    """
+    "2024-05" -> date(2024, 5, 1)
+    """
     try:
         d = datetime.strptime(month_str, "%Y-%m")
         return date(d.year, d.month, 1)
-    except:
-        raise HTTPException(status_code=400, detail="Invalid month format. Use YYYY-MM")
+    except ValueError:
+        raise HTTPException(
+            status_code=400,
+            detail="Invalid month format. Use YYYY-MM, e.g. 2024-05",
+        )
+
+
+def validate_join_date(join_date: Optional[str], period_start: date):
+    if not join_date:
+        return
+
+    join = datetime.strptime(join_date, "%Y-%m-%d").date()
+    if period_start < join:
+        raise HTTPException(
+            400,
+            f"You joined on {join}. You cannot request payslips before joining date.",
+        )
 
 
-def calculate_period(mode: str, start: str | None, end: str | None):
+def calculate_period(mode: str, start_month: str = None, end_month: str = None):
+    """
+    mode:
+      - "3_months"
+      - "6_months"
+      - "manual" + start_month, end_month in "YYYY-MM"
+    """
     today = date.today()
-    current_month = date(today.year, today.month, 1)
 
     if mode == "3_months":
-        months = 3
-    elif mode == "6_months":
-        months = 6
-    else:  # manual mode
-        if not start or not end:
-            raise HTTPException(400, "start_month and end_month required")
-        start_date = parse_month(start)
-        end_date = parse_month(end)
+        end = today.replace(day=1)
+        start = end - relativedelta(months=3)
+        return start, end
 
-        if end_date > current_month:
-            raise HTTPException(400, "Cannot request future payslips")
-        if start_date > end_date:
-            raise HTTPException(400, "start_month cannot be after end_month")
+    if mode == "6_months":
+        end = today.replace(day=1)
+        start = end - relativedelta(months=6)
+        return start, end
 
-        return start_date, end_date
+    if mode == "manual":
+        # Validate fields
+        if not start_month or not end_month:
+            raise HTTPException(400, "Manual mode requires start_month and end_month")
 
-    # Auto period
-    end_date = current_month
-    year = end_date.year
-    mon = end_date.month - (months - 1)
+        try:
+            start = datetime.strptime(start_month, "%Y-%m").date()
+            end = datetime.strptime(end_month, "%Y-%m").date()
+        except ValueError:
+            raise HTTPException(400, "Invalid month format. Use YYYY-MM")
 
-    while mon <= 0:
-        mon += 12
-        year -= 1
+        if start > end:
+            raise HTTPException(400, "Start month cannot be after end month")
 
-    start_date = date(year, mon, 1)
-    return start_date, end_date
+        return start, end
 
+    # Invalid mode
+    raise HTTPException(400, "Invalid payslip request mode")
+
+
+async def get_current_user_model(
+    credentials: HTTPAuthorizationCredentials = Depends(bearer_scheme),
+    session: AsyncSession = Depends(get_async_session),
+):
+    token = credentials.credentials
 
-def validate_join_date(join_date_str: str, period_start: date):
-    """User cannot request payslips earlier than join date"""
     try:
-        join = datetime.strptime(join_date_str, "%Y-%m-%d").date()
-        join_month = join.replace(day=1)
-    except:
-        raise HTTPException(500, "Invalid join_date format in DB")
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        user_id = payload.get("sub")
+
+        if not user_id:
+            raise HTTPException(401, "Invalid token")
+
+        result = await session.execute(select(Users).where(Users.id == user_id))
+        user = result.scalar_one_or_none()
+
+        if not user:
+            raise HTTPException(401, "User not found")
+
+        return user
 
-    if period_start < join_month:
-        raise HTTPException(400, "You cannot request payslips before your joining date")
+    except JWTError:
+        raise HTTPException(401, "Invalid or expired token")