Milestone 3
This commit is contained in:
Knacky
157
backend/app/api/auth.py
Normal file
157
backend/app/api/auth.py
Normal file
@@ -0,0 +1,157 @@
|
||||
"""Authentication endpoints.
|
||||
|
||||
`POST /auth/login` returns the access token in the body and sets the refresh
|
||||
token in an HTTPOnly cookie scoped to `/api/v1/auth/`. The cookie is
|
||||
`Secure; SameSite=Strict` and only the matching paths can read it.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import logging
|
||||
|
||||
from flask import Blueprint, g, jsonify, make_response, request
|
||||
from pydantic import BaseModel, Field, ValidationError
|
||||
|
||||
from app.api._validation import Email
|
||||
from app.core.auth_decorators import require_auth
|
||||
from app.core.config import settings
|
||||
from app.core.rate_limit import limiter
|
||||
from app.services import auth as auth_svc
|
||||
|
||||
bp = Blueprint("auth", __name__, url_prefix="/auth")
|
||||
log = logging.getLogger("metamorph.api.auth")
|
||||
|
||||
REFRESH_COOKIE_NAME = "metamorph_refresh"
|
||||
REFRESH_COOKIE_PATH = "/api/v1/auth/"
|
||||
|
||||
|
||||
class LoginPayload(BaseModel):
|
||||
email: Email
|
||||
password: str = Field(min_length=1)
|
||||
|
||||
|
||||
class ChangePasswordPayload(BaseModel):
|
||||
current_password: str = Field(min_length=1)
|
||||
new_password: str = Field(min_length=8)
|
||||
|
||||
|
||||
def _set_refresh_cookie(resp, token: str, expires_at) -> None:
|
||||
resp.set_cookie(
|
||||
REFRESH_COOKIE_NAME,
|
||||
token,
|
||||
expires=expires_at,
|
||||
httponly=True,
|
||||
secure=True, # spec §M2; localhost is a secure context for modern browsers
|
||||
samesite="Strict",
|
||||
path=REFRESH_COOKIE_PATH,
|
||||
)
|
||||
|
||||
|
||||
def _clear_refresh_cookie(resp) -> None:
|
||||
resp.set_cookie(
|
||||
REFRESH_COOKIE_NAME,
|
||||
"",
|
||||
expires=0,
|
||||
httponly=True,
|
||||
secure=True, # spec §M2; localhost is a secure context for modern browsers
|
||||
samesite="Strict",
|
||||
path=REFRESH_COOKIE_PATH,
|
||||
)
|
||||
|
||||
|
||||
def _read_refresh_cookie() -> str | None:
|
||||
return request.cookies.get(REFRESH_COOKIE_NAME)
|
||||
|
||||
|
||||
def _serialize_pair(pair: auth_svc.TokenPair) -> dict:
|
||||
return {
|
||||
"access_token": pair.access_token,
|
||||
"token_type": "Bearer",
|
||||
"user_id": str(pair.user_id),
|
||||
}
|
||||
|
||||
|
||||
@bp.post("/login")
|
||||
@limiter.limit("10 per minute")
|
||||
def login():
|
||||
try:
|
||||
payload = LoginPayload.model_validate(request.get_json(silent=True) or {})
|
||||
except ValidationError as e:
|
||||
return jsonify({"error": "invalid_request", "details": e.errors()}), 400
|
||||
try:
|
||||
pair = auth_svc.login(payload.email, payload.password)
|
||||
except auth_svc.InvalidCredentials:
|
||||
return jsonify({"error": "invalid_credentials"}), 401
|
||||
|
||||
resp = make_response(jsonify(_serialize_pair(pair)))
|
||||
_set_refresh_cookie(resp, pair.refresh_token, pair.refresh_expires_at)
|
||||
return resp
|
||||
|
||||
|
||||
@bp.post("/refresh")
|
||||
@limiter.limit("10 per minute")
|
||||
def refresh_endpoint():
|
||||
raw = _read_refresh_cookie()
|
||||
if not raw:
|
||||
return jsonify({"error": "no_refresh_cookie"}), 401
|
||||
try:
|
||||
pair = auth_svc.refresh(raw)
|
||||
except auth_svc.TokenRevoked:
|
||||
resp = make_response(jsonify({"error": "token_revoked"}), 401)
|
||||
_clear_refresh_cookie(resp)
|
||||
return resp
|
||||
except auth_svc.InvalidCredentials:
|
||||
resp = make_response(jsonify({"error": "invalid_refresh"}), 401)
|
||||
_clear_refresh_cookie(resp)
|
||||
return resp
|
||||
|
||||
resp = make_response(jsonify(_serialize_pair(pair)))
|
||||
_set_refresh_cookie(resp, pair.refresh_token, pair.refresh_expires_at)
|
||||
return resp
|
||||
|
||||
|
||||
@bp.post("/logout")
|
||||
def logout():
|
||||
raw = _read_refresh_cookie()
|
||||
if raw:
|
||||
auth_svc.logout(raw)
|
||||
resp = make_response(jsonify({"ok": True}))
|
||||
_clear_refresh_cookie(resp)
|
||||
return resp
|
||||
|
||||
|
||||
@bp.get("/me")
|
||||
@require_auth
|
||||
def me():
|
||||
u = g.current_user
|
||||
return jsonify(
|
||||
{
|
||||
"id": str(u.id),
|
||||
"email": u.email,
|
||||
"display_name": u.display_name,
|
||||
"locale": u.locale,
|
||||
"is_admin": u.is_admin,
|
||||
"groups": sorted(u.group_names),
|
||||
"permissions": sorted(u.permissions),
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
@bp.post("/change-password")
|
||||
@require_auth
|
||||
@limiter.limit("5 per minute")
|
||||
def change_password():
|
||||
try:
|
||||
payload = ChangePasswordPayload.model_validate(request.get_json(silent=True) or {})
|
||||
except ValidationError as e:
|
||||
return jsonify({"error": "invalid_request", "details": e.errors()}), 400
|
||||
try:
|
||||
auth_svc.change_password(g.current_user.id, payload.current_password, payload.new_password)
|
||||
except auth_svc.InvalidCredentials:
|
||||
return jsonify({"error": "current_password_incorrect"}), 400
|
||||
except ValueError as e:
|
||||
return jsonify({"error": "weak_password", "message": str(e)}), 400
|
||||
|
||||
resp = make_response(jsonify({"ok": True}))
|
||||
_clear_refresh_cookie(resp)
|
||||
return resp
|
||||
Reference in New Issue
Block a user