REFACTOR API gateway fix 8
This commit is contained in:
Urtzi Alfaro
@@ -56,14 +56,8 @@ async def register(
|
||||
|
||||
logger.debug(f"Input validation passed for {user_data.email}")
|
||||
|
||||
# ✅ DEBUG: Call auth service with enhanced error tracking
|
||||
result = await AuthService.register_user_with_tokens(
|
||||
email=user_data.email.strip().lower(), # Normalize email
|
||||
password=user_data.password,
|
||||
full_name=user_data.full_name.strip(),
|
||||
db=db
|
||||
)
|
||||
|
||||
result = await AuthService.register_user(user_data, db)
|
||||
|
||||
logger.info(f"Registration successful for {user_data.email}")
|
||||
|
||||
# Record successful registration
|
||||
@@ -132,11 +126,7 @@ async def login(
|
||||
)
|
||||
|
||||
# Attempt login through AuthService
|
||||
result = await AuthService.login(
|
||||
email=login_data.email.strip().lower(), # Normalize email
|
||||
password=login_data.password,
|
||||
db=db
|
||||
)
|
||||
result = await AuthService.login_user(login_data, db)
|
||||
|
||||
# Record successful login
|
||||
if metrics:
|
||||
|
||||
@@ -30,20 +30,6 @@ redis_client = redis.from_url(settings.REDIS_URL)
|
||||
class SecurityManager:
|
||||
"""Security utilities for authentication - FIXED VERSION"""
|
||||
|
||||
@staticmethod
|
||||
def hash_password(password: str) -> str:
|
||||
"""Hash password using passlib bcrypt - FIXED"""
|
||||
return pwd_context.hash(password)
|
||||
|
||||
@staticmethod
|
||||
def verify_password(password: str, hashed_password: str) -> bool:
|
||||
"""Verify password against hash using passlib - FIXED"""
|
||||
try:
|
||||
return pwd_context.verify(password, hashed_password)
|
||||
except Exception as e:
|
||||
logger.error(f"Password verification error: {e}")
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def validate_password(password: str) -> bool:
|
||||
"""Validate password strength"""
|
||||
@@ -65,48 +51,59 @@ class SecurityManager:
|
||||
return True
|
||||
|
||||
@staticmethod
|
||||
def create_access_token(user_data: Dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
|
||||
"""Create JWT access token with PROPER validation"""
|
||||
def hash_password(password: str) -> str:
|
||||
"""Hash password using passlib bcrypt - FIXED"""
|
||||
return pwd_context.hash(password)
|
||||
|
||||
@staticmethod
|
||||
def verify_password(password: str, hashed_password: str) -> bool:
|
||||
"""Verify password against hash using passlib - FIXED"""
|
||||
try:
|
||||
return pwd_context.verify(password, hashed_password)
|
||||
except Exception as e:
|
||||
logger.error(f"Password verification error: {e}")
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def create_access_token(user_data: Dict[str, Any]) -> str:
|
||||
"""
|
||||
Create JWT ACCESS token with proper payload structure
|
||||
✅ FIXED: Only creates access tokens
|
||||
"""
|
||||
|
||||
# ✅ FIX 1: Validate required fields BEFORE token creation
|
||||
required_fields = ["user_id", "email"]
|
||||
missing_fields = [field for field in required_fields if field not in user_data]
|
||||
# Validate required fields for access token
|
||||
if "user_id" not in user_data:
|
||||
raise ValueError("user_id required for access token creation")
|
||||
|
||||
if missing_fields:
|
||||
error_msg = f"Missing required fields for token creation: {missing_fields}"
|
||||
logger.error(f"Token creation failed: {error_msg}")
|
||||
raise ValueError(error_msg)
|
||||
|
||||
# ✅ FIX 2: Validate that required fields are not None/empty
|
||||
if not user_data.get("user_id"):
|
||||
raise ValueError("user_id cannot be empty")
|
||||
if not user_data.get("email"):
|
||||
raise ValueError("email cannot be empty")
|
||||
if "email" not in user_data:
|
||||
raise ValueError("email required for access token creation")
|
||||
|
||||
try:
|
||||
if expires_delta:
|
||||
expire = datetime.now(timezone.utc) + expires_delta
|
||||
else:
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES)
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES)
|
||||
|
||||
# ✅ FIX 3: Build payload with SAFE access to user_data
|
||||
# ✅ FIX 1: ACCESS TOKEN payload structure
|
||||
payload = {
|
||||
"sub": user_data["user_id"],
|
||||
"user_id": user_data["user_id"],
|
||||
"email": user_data["email"], # ✅ Guaranteed to exist now
|
||||
"type": "access",
|
||||
"full_name": user_data.get("full_name", ""), # Safe access with default
|
||||
"is_verified": user_data.get("is_verified", False), # Safe access with default
|
||||
"is_active": user_data.get("is_active", True), # Safe access with default
|
||||
"email": user_data["email"],
|
||||
"type": "access", # ✅ EXPLICITLY set as access token
|
||||
"exp": expire,
|
||||
"iat": datetime.now(timezone.utc),
|
||||
"iss": "bakery-auth" # Token issuer
|
||||
"iss": "bakery-auth"
|
||||
}
|
||||
|
||||
# Add optional fields for access tokens
|
||||
if "full_name" in user_data:
|
||||
payload["full_name"] = user_data["full_name"]
|
||||
if "is_verified" in user_data:
|
||||
payload["is_verified"] = user_data["is_verified"]
|
||||
if "is_active" in user_data:
|
||||
payload["is_active"] = user_data["is_active"]
|
||||
|
||||
logger.debug(f"Creating access token with payload keys: {list(payload.keys())}")
|
||||
|
||||
# ✅ FIX 4: Use jwt_handler with proper error handling
|
||||
token = jwt_handler.create_access_token(payload)
|
||||
# ✅ FIX 2: Use JWT handler to create access token
|
||||
token = jwt_handler.create_access_token_from_payload(payload)
|
||||
logger.debug(f"Access token created successfully for user {user_data['email']}")
|
||||
return token
|
||||
|
||||
@@ -116,13 +113,14 @@ class SecurityManager:
|
||||
|
||||
@staticmethod
|
||||
def create_refresh_token(user_data: Dict[str, Any]) -> str:
|
||||
"""Create JWT refresh token with FLEXIBLE validation"""
|
||||
"""
|
||||
Create JWT REFRESH token with minimal payload structure
|
||||
✅ FIXED: Only creates refresh tokens, different from access tokens
|
||||
"""
|
||||
|
||||
# ✅ FIX 1: Validate only essential fields for refresh token
|
||||
# Validate required fields for refresh token
|
||||
if "user_id" not in user_data:
|
||||
error_msg = "user_id required for refresh token creation"
|
||||
logger.error(f"Refresh token creation failed: {error_msg}")
|
||||
raise ValueError(error_msg)
|
||||
raise ValueError("user_id required for refresh token creation")
|
||||
|
||||
if not user_data.get("user_id"):
|
||||
raise ValueError("user_id cannot be empty")
|
||||
@@ -130,24 +128,31 @@ class SecurityManager:
|
||||
try:
|
||||
expire = datetime.now(timezone.utc) + timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRE_DAYS)
|
||||
|
||||
# ✅ FIX 2: Minimal payload for refresh token (email is optional)
|
||||
# ✅ FIX 3: REFRESH TOKEN payload structure (minimal, different from access)
|
||||
payload = {
|
||||
"sub": user_data["user_id"],
|
||||
"user_id": user_data["user_id"],
|
||||
"type": "refresh",
|
||||
"type": "refresh", # ✅ EXPLICITLY set as refresh token
|
||||
"exp": expire,
|
||||
"iat": datetime.now(timezone.utc),
|
||||
"iss": "bakery-auth"
|
||||
}
|
||||
|
||||
# ✅ FIX 3: Include email only if available (no longer required)
|
||||
# Add unique JTI for refresh tokens to prevent duplicates
|
||||
if "jti" in user_data:
|
||||
payload["jti"] = user_data["jti"]
|
||||
else:
|
||||
import uuid
|
||||
payload["jti"] = str(uuid.uuid4())
|
||||
|
||||
# Include email only if available (optional for refresh tokens)
|
||||
if "email" in user_data and user_data["email"]:
|
||||
payload["email"] = user_data["email"]
|
||||
|
||||
logger.debug(f"Creating refresh token with payload keys: {list(payload.keys())}")
|
||||
|
||||
# Use the same JWT handler method (it handles both access and refresh)
|
||||
token = jwt_handler.create_access_token(payload)
|
||||
# ✅ FIX 4: Use JWT handler to create REFRESH token (not access token!)
|
||||
token = jwt_handler.create_refresh_token_from_payload(payload)
|
||||
logger.debug(f"Refresh token created successfully for user {user_data['user_id']}")
|
||||
return token
|
||||
|
||||
@@ -167,6 +172,55 @@ class SecurityManager:
|
||||
logger.warning(f"Token verification failed: {e}")
|
||||
return None
|
||||
|
||||
@staticmethod
|
||||
def decode_token(token: str) -> Dict[str, Any]:
|
||||
"""Decode JWT token without verification (for refresh token handling)"""
|
||||
try:
|
||||
payload = jwt_handler.decode_token_no_verify(token)
|
||||
return payload
|
||||
except Exception as e:
|
||||
logger.error(f"Token decoding failed: {e}")
|
||||
raise ValueError("Invalid token format")
|
||||
|
||||
@staticmethod
|
||||
def generate_secure_hash(data: str) -> str:
|
||||
"""Generate secure hash for token storage"""
|
||||
return hashlib.sha256(data.encode()).hexdigest()
|
||||
|
||||
@staticmethod
|
||||
async def track_login_attempt(email: str, ip_address: str, success: bool) -> None:
|
||||
"""Track login attempts for security monitoring"""
|
||||
try:
|
||||
# This would use Redis for production
|
||||
# For now, just log the attempt
|
||||
logger.info(f"Login attempt tracked: email={email}, ip={ip_address}, success={success}")
|
||||
except Exception as e:
|
||||
logger.warning(f"Failed to track login attempt: {e}")
|
||||
|
||||
@staticmethod
|
||||
def is_token_expired(token: str) -> bool:
|
||||
"""Check if token is expired"""
|
||||
try:
|
||||
payload = SecurityManager.decode_token(token)
|
||||
exp_timestamp = payload.get("exp")
|
||||
if exp_timestamp:
|
||||
exp_datetime = datetime.fromtimestamp(exp_timestamp, tz=timezone.utc)
|
||||
return datetime.now(timezone.utc) > exp_datetime
|
||||
return True
|
||||
except Exception:
|
||||
return True
|
||||
@staticmethod
|
||||
def verify_token(token: str) -> Optional[Dict[str, Any]]:
|
||||
"""Verify JWT token with enhanced error handling"""
|
||||
try:
|
||||
payload = jwt_handler.verify_token(token)
|
||||
if payload:
|
||||
logger.debug(f"Token verified successfully for user: {payload.get('email', 'unknown')}")
|
||||
return payload
|
||||
except Exception as e:
|
||||
logger.warning(f"Token verification failed: {e}")
|
||||
return None
|
||||
|
||||
@staticmethod
|
||||
async def track_login_attempt(email: str, ip_address: str, success: bool) -> None:
|
||||
"""Track login attempts for security monitoring"""
|
||||
|
||||
@@ -5,34 +5,75 @@
|
||||
Token models for authentication service
|
||||
"""
|
||||
|
||||
from sqlalchemy import Column, String, Boolean, DateTime, Text, ForeignKey
|
||||
from sqlalchemy.dialects.postgresql import UUID
|
||||
from sqlalchemy.orm import relationship
|
||||
from datetime import datetime
|
||||
import hashlib
|
||||
import uuid
|
||||
from datetime import datetime, timezone
|
||||
from sqlalchemy import Column, String, Boolean, DateTime, Text, Index
|
||||
from sqlalchemy.dialects.postgresql import UUID
|
||||
|
||||
from shared.database.base import Base
|
||||
|
||||
class RefreshToken(Base):
|
||||
"""Refresh token model"""
|
||||
"""
|
||||
Refresh token model - FIXED to prevent duplicate constraint violations
|
||||
"""
|
||||
__tablename__ = "refresh_tokens"
|
||||
|
||||
id = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
|
||||
user_id = Column(UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
|
||||
token_hash = Column(String(255), nullable=False, unique=True)
|
||||
is_active = Column(Boolean, default=True)
|
||||
expires_at = Column(DateTime, nullable=False)
|
||||
user_id = Column(UUID(as_uuid=True), nullable=False, index=True)
|
||||
|
||||
# Session metadata
|
||||
ip_address = Column(String(45))
|
||||
user_agent = Column(Text)
|
||||
device_info = Column(Text)
|
||||
# ✅ FIX 1: Use TEXT instead of VARCHAR to handle longer tokens
|
||||
token = Column(Text, nullable=False)
|
||||
|
||||
created_at = Column(DateTime, default=datetime.utcnow)
|
||||
revoked_at = Column(DateTime)
|
||||
# ✅ FIX 2: Add token hash for uniqueness instead of full token
|
||||
token_hash = Column(String(255), nullable=True, unique=True)
|
||||
|
||||
expires_at = Column(DateTime(timezone=True), nullable=False)
|
||||
is_revoked = Column(Boolean, default=False, nullable=False)
|
||||
|
||||
created_at = Column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc))
|
||||
revoked_at = Column(DateTime(timezone=True), nullable=True)
|
||||
|
||||
# ✅ FIX 3: Add indexes for better performance
|
||||
__table_args__ = (
|
||||
Index('ix_refresh_tokens_user_id_active', 'user_id', 'is_revoked'),
|
||||
Index('ix_refresh_tokens_expires_at', 'expires_at'),
|
||||
Index('ix_refresh_tokens_token_hash', 'token_hash'),
|
||||
)
|
||||
|
||||
def __init__(self, **kwargs):
|
||||
"""Initialize refresh token with automatic hash generation"""
|
||||
super().__init__(**kwargs)
|
||||
if self.token and not self.token_hash:
|
||||
self.token_hash = self._generate_token_hash(self.token)
|
||||
|
||||
@staticmethod
|
||||
def _generate_token_hash(token: str) -> str:
|
||||
"""Generate a hash of the token for uniqueness checking"""
|
||||
return hashlib.sha256(token.encode()).hexdigest()
|
||||
|
||||
def update_token(self, new_token: str):
|
||||
"""Update token and regenerate hash"""
|
||||
self.token = new_token
|
||||
self.token_hash = self._generate_token_hash(new_token)
|
||||
|
||||
@classmethod
|
||||
async def create_refresh_token(cls, user_id: uuid.UUID, token: str, expires_at: datetime):
|
||||
"""
|
||||
Create a new refresh token with proper hash generation
|
||||
"""
|
||||
return cls(
|
||||
id=uuid.uuid4(),
|
||||
user_id=user_id,
|
||||
token=token,
|
||||
token_hash=cls._generate_token_hash(token),
|
||||
expires_at=expires_at,
|
||||
is_revoked=False,
|
||||
created_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
def __repr__(self):
|
||||
return f"<RefreshToken(id={self.id}, user_id={self.user_id})>"
|
||||
return f"<RefreshToken(id={self.id}, user_id={self.user_id}, expires_at={self.expires_at})>"
|
||||
|
||||
class LoginAttempt(Base):
|
||||
"""Login attempt tracking model"""
|
||||
@@ -45,7 +86,7 @@ class LoginAttempt(Base):
|
||||
success = Column(Boolean, default=False)
|
||||
failure_reason = Column(String(255))
|
||||
|
||||
created_at = Column(DateTime, default=datetime.utcnow)
|
||||
created_at = Column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc))
|
||||
|
||||
def __repr__(self):
|
||||
return f"<LoginAttempt(id={self.id}, email={self.email}, success={self.success})>"
|
||||
@@ -3,16 +3,21 @@
|
||||
Authentication Service - Updated to support registration with direct token issuance
|
||||
"""
|
||||
|
||||
from datetime import datetime, timezone, timedelta
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from sqlalchemy import select
|
||||
from fastapi import HTTPException, status
|
||||
import hashlib
|
||||
import uuid
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from typing import Dict, Any, Optional
|
||||
|
||||
from fastapi import HTTPException, status
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from sqlalchemy import select, update
|
||||
from sqlalchemy.exc import IntegrityError
|
||||
import structlog
|
||||
|
||||
from app.models.users import User, RefreshToken
|
||||
from app.schemas.auth import UserRegistration, UserLogin
|
||||
from app.core.security import SecurityManager
|
||||
from app.services.messaging import publish_user_registered, publish_user_login, publish_user_logout
|
||||
from app.services.messaging import publish_user_registered, publish_user_login
|
||||
|
||||
logger = structlog.get_logger()
|
||||
|
||||
@@ -20,91 +25,71 @@ class AuthService:
|
||||
"""Enhanced Authentication service with unified token response"""
|
||||
|
||||
@staticmethod
|
||||
async def register_user_with_tokens(
|
||||
email: str,
|
||||
password: str,
|
||||
full_name: str,
|
||||
db: AsyncSession
|
||||
) -> Dict[str, Any]:
|
||||
"""Register new user and return tokens directly - COMPLETELY FIXED"""
|
||||
async def register_user(user_data: UserRegistration, db: AsyncSession) -> Dict[str, Any]:
|
||||
"""Register a new user with FIXED token generation"""
|
||||
try:
|
||||
# Check if user already exists
|
||||
result = await db.execute(select(User).where(User.email == email))
|
||||
existing_user = result.scalar_one_or_none()
|
||||
|
||||
if existing_user:
|
||||
existing_user = await db.execute(
|
||||
select(User).where(User.email == user_data.email)
|
||||
)
|
||||
if existing_user.scalar_one_or_none():
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_409_CONFLICT,
|
||||
status_code=status.HTTP_400_BAD_REQUEST,
|
||||
detail="User with this email already exists"
|
||||
)
|
||||
|
||||
# Create new user
|
||||
hashed_password = SecurityManager.hash_password(password)
|
||||
hashed_password = SecurityManager.hash_password(user_data.password)
|
||||
new_user = User(
|
||||
email=email,
|
||||
id=uuid.uuid4(),
|
||||
email=user_data.email,
|
||||
full_name=user_data.full_name,
|
||||
hashed_password=hashed_password,
|
||||
full_name=full_name,
|
||||
is_active=True,
|
||||
is_verified=False,
|
||||
created_at=datetime.now(timezone.utc),
|
||||
language='es', # Default language from logs
|
||||
timezone='Europe/Madrid' # Default timezone from logs
|
||||
updated_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
db.add(new_user)
|
||||
await db.flush() # Get user ID without committing
|
||||
|
||||
# ✅ FIX 1: Create COMPLETE and CONSISTENT user_data for token generation
|
||||
token_user_data = {
|
||||
# ✅ FIX 1: Create SEPARATE access and refresh tokens with different payloads
|
||||
access_token_data = {
|
||||
"user_id": str(new_user.id),
|
||||
"email": new_user.email, # ✅ Ensure email is included
|
||||
"email": new_user.email,
|
||||
"full_name": new_user.full_name,
|
||||
"is_verified": new_user.is_verified,
|
||||
"is_active": new_user.is_active
|
||||
"is_active": new_user.is_active,
|
||||
"type": "access" # ✅ Explicitly mark as access token
|
||||
}
|
||||
|
||||
logger.debug(f"Creating tokens for user: {email} with data: {token_user_data}")
|
||||
|
||||
# ✅ FIX 2: Generate tokens with VALIDATED user data
|
||||
try:
|
||||
access_token = SecurityManager.create_access_token(user_data=token_user_data)
|
||||
logger.debug(f"Access token created successfully for {email}")
|
||||
except Exception as token_error:
|
||||
logger.error(f"Access token creation failed for {email}: {token_error}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail=f"Token creation failed: {token_error}"
|
||||
)
|
||||
|
||||
# ✅ FIX 3: Create refresh token with minimal but complete data
|
||||
refresh_token_data = {
|
||||
"user_id": str(new_user.id),
|
||||
"email": new_user.email # Include email for consistency
|
||||
"email": new_user.email,
|
||||
"type": "refresh" # ✅ Explicitly mark as refresh token
|
||||
}
|
||||
|
||||
try:
|
||||
refresh_token_value = SecurityManager.create_refresh_token(user_data=refresh_token_data)
|
||||
logger.debug(f"Refresh token created successfully for {email}")
|
||||
except Exception as refresh_error:
|
||||
logger.error(f"Refresh token creation failed for {email}: {refresh_error}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail=f"Refresh token creation failed: {refresh_error}"
|
||||
)
|
||||
logger.debug(f"Creating tokens for registration: {user_data.email}")
|
||||
|
||||
# Store refresh token in database
|
||||
# ✅ FIX 2: Generate tokens with different payloads
|
||||
access_token = SecurityManager.create_access_token(user_data=access_token_data)
|
||||
refresh_token_value = SecurityManager.create_refresh_token(user_data=refresh_token_data)
|
||||
|
||||
logger.debug(f"Tokens created successfully for {user_data.email}")
|
||||
|
||||
# ✅ FIX 3: Store ONLY the refresh token in database (not access token)
|
||||
refresh_token = RefreshToken(
|
||||
id=uuid.uuid4(),
|
||||
user_id=new_user.id,
|
||||
token=refresh_token_value,
|
||||
expires_at=datetime.now(timezone.utc) + timedelta(days=7),
|
||||
is_revoked=False
|
||||
token=refresh_token_value, # Store the actual refresh token
|
||||
expires_at=datetime.now(timezone.utc) + timedelta(days=30),
|
||||
is_revoked=False,
|
||||
created_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
db.add(refresh_token)
|
||||
|
||||
# ✅ FIX 4: Only commit after ALL token creation succeeds
|
||||
await db.commit()
|
||||
await db.refresh(new_user)
|
||||
|
||||
# Publish registration event (non-blocking)
|
||||
try:
|
||||
@@ -112,14 +97,13 @@ class AuthService:
|
||||
"user_id": str(new_user.id),
|
||||
"email": new_user.email,
|
||||
"full_name": new_user.full_name,
|
||||
"registered_at": new_user.created_at.isoformat()
|
||||
"registered_at": datetime.now(timezone.utc).isoformat()
|
||||
})
|
||||
except Exception as e:
|
||||
logger.warning(f"Failed to publish registration event: {e}")
|
||||
|
||||
logger.info(f"User registered successfully with tokens: {email}")
|
||||
logger.info(f"User registered successfully: {user_data.email}")
|
||||
|
||||
# Return unified token response format
|
||||
return {
|
||||
"access_token": access_token,
|
||||
"refresh_token": refresh_token_value,
|
||||
@@ -138,111 +122,101 @@ class AuthService:
|
||||
except HTTPException:
|
||||
await db.rollback()
|
||||
raise
|
||||
except Exception as e:
|
||||
except IntegrityError as e:
|
||||
await db.rollback()
|
||||
logger.error(f"Registration with tokens failed for {email}: {e}")
|
||||
# ✅ FIX 5: Provide more specific error information
|
||||
logger.error(f"Registration failed for {user_data.email}: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail=f"Registration failed: {str(e)}"
|
||||
detail="Registration failed"
|
||||
)
|
||||
except Exception as e:
|
||||
await db.rollback()
|
||||
logger.error(f"Registration failed for {user_data.email}: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail="Registration failed"
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
async def create_user(
|
||||
email: str,
|
||||
password: str,
|
||||
full_name: str,
|
||||
db: AsyncSession
|
||||
) -> User:
|
||||
"""
|
||||
Create user without tokens (LEGACY METHOD - kept for compatibility)
|
||||
Use register_user_with_tokens() for new implementations
|
||||
"""
|
||||
async def login_user(login_data: UserLogin, db: AsyncSession) -> Dict[str, Any]:
|
||||
"""Login user with FIXED token generation and SQLAlchemy syntax"""
|
||||
try:
|
||||
# Check if user already exists
|
||||
result = await db.execute(select(User).where(User.email == email))
|
||||
existing_user = result.scalar_one_or_none()
|
||||
|
||||
if existing_user:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_409_CONFLICT,
|
||||
detail="User with this email already exists"
|
||||
)
|
||||
|
||||
# Create new user
|
||||
hashed_password = SecurityManager.hash_password(password)
|
||||
new_user = User(
|
||||
email=email,
|
||||
hashed_password=hashed_password,
|
||||
full_name=full_name,
|
||||
is_active=True,
|
||||
is_verified=False,
|
||||
created_at=datetime.now(timezone.utc)
|
||||
# Find user
|
||||
result = await db.execute(
|
||||
select(User).where(User.email == login_data.email)
|
||||
)
|
||||
|
||||
db.add(new_user)
|
||||
await db.commit()
|
||||
await db.refresh(new_user)
|
||||
|
||||
logger.info(f"User created (legacy): {email}")
|
||||
return new_user
|
||||
|
||||
except HTTPException:
|
||||
await db.rollback()
|
||||
raise
|
||||
except Exception as e:
|
||||
await db.rollback()
|
||||
logger.error(f"User creation failed for {email}: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail="User creation failed"
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
async def login(email: str, password: str, db: AsyncSession) -> Dict[str, Any]:
|
||||
"""Login user and return tokens - FIXED VERSION"""
|
||||
try:
|
||||
# Get user
|
||||
result = await db.execute(select(User).where(User.email == email))
|
||||
user = result.scalar_one_or_none()
|
||||
|
||||
if not user or not SecurityManager.verify_password(password, user.hashed_password):
|
||||
if not user or not SecurityManager.verify_password(login_data.password, user.hashed_password):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Invalid credentials"
|
||||
detail="Invalid email or password"
|
||||
)
|
||||
|
||||
# ✅ FIX 1: Create COMPLETE user data for access token
|
||||
if not user.is_active:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail="Account is deactivated"
|
||||
)
|
||||
|
||||
# ✅ FIX 4: Revoke existing refresh tokens using proper SQLAlchemy ORM syntax
|
||||
logger.debug(f"Revoking existing refresh tokens for user: {user.id}")
|
||||
|
||||
# Using SQLAlchemy ORM update (more reliable than raw SQL)
|
||||
stmt = update(RefreshToken).where(
|
||||
RefreshToken.user_id == user.id,
|
||||
RefreshToken.is_revoked == False
|
||||
).values(
|
||||
is_revoked=True,
|
||||
revoked_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
result = await db.execute(stmt)
|
||||
revoked_count = result.rowcount
|
||||
logger.debug(f"Revoked {revoked_count} existing refresh tokens for user: {user.id}")
|
||||
|
||||
# ✅ FIX 5: Create DIFFERENT token payloads
|
||||
access_token_data = {
|
||||
"user_id": str(user.id),
|
||||
"email": user.email, # ✅ Include email
|
||||
"email": user.email,
|
||||
"full_name": user.full_name,
|
||||
"is_verified": user.is_verified,
|
||||
"is_active": user.is_active
|
||||
"is_active": user.is_active,
|
||||
"type": "access" # ✅ Explicitly mark as access token
|
||||
}
|
||||
|
||||
# ✅ FIX 2: Create COMPLETE user data for refresh token
|
||||
refresh_token_data = {
|
||||
"user_id": str(user.id),
|
||||
"email": user.email # ✅ Include email for consistency
|
||||
"email": user.email,
|
||||
"type": "refresh", # ✅ Explicitly mark as refresh token
|
||||
"jti": str(uuid.uuid4()) # ✅ Add unique identifier for each refresh token
|
||||
}
|
||||
|
||||
logger.debug(f"Creating access token for login with data: {list(access_token_data.keys())}")
|
||||
logger.debug(f"Creating refresh token for login with data: {list(refresh_token_data.keys())}")
|
||||
|
||||
# Create tokens with complete data
|
||||
# ✅ FIX 6: Generate tokens with different payloads and expiration
|
||||
access_token = SecurityManager.create_access_token(user_data=access_token_data)
|
||||
refresh_token_value = SecurityManager.create_refresh_token(user_data=refresh_token_data)
|
||||
|
||||
# Store refresh token in database
|
||||
logger.debug(f"Access token created successfully for user {login_data.email}")
|
||||
logger.debug(f"Refresh token created successfully for user {str(user.id)}")
|
||||
|
||||
# ✅ FIX 7: Store ONLY refresh token in database with unique constraint handling
|
||||
refresh_token = RefreshToken(
|
||||
id=uuid.uuid4(),
|
||||
user_id=user.id,
|
||||
token=refresh_token_value,
|
||||
token=refresh_token_value, # This should be the refresh token, not access token
|
||||
expires_at=datetime.now(timezone.utc) + timedelta(days=30),
|
||||
is_revoked=False
|
||||
is_revoked=False,
|
||||
created_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
db.add(refresh_token)
|
||||
|
||||
# Update last login
|
||||
user.last_login = datetime.now(timezone.utc)
|
||||
|
||||
await db.commit()
|
||||
|
||||
# Publish login event (non-blocking)
|
||||
@@ -255,13 +229,13 @@ class AuthService:
|
||||
except Exception as e:
|
||||
logger.warning(f"Failed to publish login event: {e}")
|
||||
|
||||
logger.info(f"User logged in successfully: {email}")
|
||||
logger.info(f"User logged in successfully: {login_data.email}")
|
||||
|
||||
return {
|
||||
"access_token": access_token,
|
||||
"refresh_token": refresh_token_value,
|
||||
"token_type": "bearer",
|
||||
"expires_in": 3600, # 1 hour
|
||||
"expires_in": 1800, # 30 minutes
|
||||
"user": {
|
||||
"id": str(user.id),
|
||||
"email": user.email,
|
||||
@@ -275,108 +249,119 @@ class AuthService:
|
||||
except HTTPException:
|
||||
await db.rollback()
|
||||
raise
|
||||
except IntegrityError as e:
|
||||
await db.rollback()
|
||||
logger.error(f"Login failed for {login_data.email}: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail="Login failed"
|
||||
)
|
||||
except Exception as e:
|
||||
await db.rollback()
|
||||
logger.error(f"Login failed for {email}: {e}")
|
||||
logger.error(f"Login failed for {login_data.email}: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail="Login failed"
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
async def logout_user(user_id: str, refresh_token: str, db: AsyncSession) -> bool:
|
||||
"""Logout user by revoking refresh token"""
|
||||
try:
|
||||
# Revoke the specific refresh token using ORM
|
||||
stmt = update(RefreshToken).where(
|
||||
RefreshToken.user_id == user_id,
|
||||
RefreshToken.token == refresh_token,
|
||||
RefreshToken.is_revoked == False
|
||||
).values(
|
||||
is_revoked=True,
|
||||
revoked_at=datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
result = await db.execute(stmt)
|
||||
|
||||
if result.rowcount > 0:
|
||||
await db.commit()
|
||||
logger.info(f"User logged out successfully: {user_id}")
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
except Exception as e:
|
||||
await db.rollback()
|
||||
logger.error(f"Logout failed for user {user_id}: {e}")
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
async def refresh_access_token(refresh_token: str, db: AsyncSession) -> Dict[str, Any]:
|
||||
"""Refresh access token using refresh token (UNCHANGED)"""
|
||||
"""Refresh access token using refresh token"""
|
||||
try:
|
||||
# Verify refresh token
|
||||
payload = SecurityManager.verify_token(refresh_token)
|
||||
if not payload:
|
||||
payload = SecurityManager.decode_token(refresh_token)
|
||||
user_id = payload.get("user_id")
|
||||
|
||||
if not user_id:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Invalid refresh token"
|
||||
)
|
||||
|
||||
user_id = payload.get("user_id")
|
||||
if not user_id:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Invalid token payload"
|
||||
)
|
||||
|
||||
# Check if refresh token exists and is not revoked
|
||||
# Check if refresh token exists and is valid using ORM
|
||||
result = await db.execute(
|
||||
select(RefreshToken).where(
|
||||
RefreshToken.user_id == user_id,
|
||||
RefreshToken.token == refresh_token,
|
||||
RefreshToken.is_revoked == False,
|
||||
RefreshToken.expires_at > datetime.now(timezone.utc)
|
||||
)
|
||||
)
|
||||
|
||||
stored_token = result.scalar_one_or_none()
|
||||
|
||||
if not stored_token:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Invalid or expired refresh token"
|
||||
)
|
||||
|
||||
# Get user info
|
||||
result = await db.execute(select(User).where(User.id == user_id))
|
||||
user = result.scalar_one_or_none()
|
||||
# Get user
|
||||
user_result = await db.execute(
|
||||
select(User).where(User.id == user_id)
|
||||
)
|
||||
user = user_result.scalar_one_or_none()
|
||||
|
||||
if not user:
|
||||
if not user or not user.is_active:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="User not found"
|
||||
detail="User not found or inactive"
|
||||
)
|
||||
|
||||
# Create new access token
|
||||
access_token = SecurityManager.create_access_token(
|
||||
user_data={
|
||||
"user_id": str(user.id),
|
||||
"email": user.email,
|
||||
"full_name": user.full_name,
|
||||
"is_verified": user.is_verified
|
||||
}
|
||||
)
|
||||
access_token_data = {
|
||||
"user_id": str(user.id),
|
||||
"email": user.email,
|
||||
"full_name": user.full_name,
|
||||
"is_verified": user.is_verified,
|
||||
"is_active": user.is_active,
|
||||
"type": "access"
|
||||
}
|
||||
|
||||
logger.info(f"Token refreshed successfully for user {user_id}")
|
||||
new_access_token = SecurityManager.create_access_token(user_data=access_token_data)
|
||||
|
||||
return {
|
||||
"access_token": access_token,
|
||||
"access_token": new_access_token,
|
||||
"token_type": "bearer",
|
||||
"expires_in": 3600
|
||||
"expires_in": 1800
|
||||
}
|
||||
|
||||
except HTTPException:
|
||||
raise
|
||||
except Exception as e:
|
||||
logger.error(f"Token refresh error: {e}")
|
||||
logger.error(f"Token refresh failed: {e}")
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Token refresh failed"
|
||||
)
|
||||
|
||||
@staticmethod
|
||||
async def logout(refresh_token: str, db: AsyncSession) -> bool:
|
||||
"""Logout user by revoking refresh token (UNCHANGED)"""
|
||||
try:
|
||||
# Revoke refresh token
|
||||
result = await db.execute(
|
||||
select(RefreshToken).where(RefreshToken.token == refresh_token)
|
||||
)
|
||||
|
||||
token = result.scalar_one_or_none()
|
||||
if token:
|
||||
token.is_revoked = True
|
||||
token.revoked_at = datetime.now(timezone.utc)
|
||||
await db.commit()
|
||||
|
||||
return True
|
||||
|
||||
except Exception as e:
|
||||
logger.error(f"Logout error: {e}")
|
||||
await db.rollback()
|
||||
return False
|
||||
|
||||
|
||||
@staticmethod
|
||||
async def verify_user_token(token: str) -> Dict[str, Any]:
|
||||
"""Verify access token and return user info (UNCHANGED)"""
|
||||
|
||||
Reference in New Issue
Block a user