loreal-utilisation-dept/backend/app/routers/auth.py

"""Auth endpoints: login / logout / me.

Decisions:
- Login is rate-limited 5/min/IP via slowapi keyed on the remote address.
  We wire the limiter on this single route, not globally — the rest of the
  API is auth-protected anyway.
- Both success and failure attempts are appended to /app/logs/auth.log
  via a RotatingFileHandler (5 MB × 5 backups).
- Cookie domain/path/flags handled by app.auth.session.
- We intentionally DO NOT use `from __future__ import annotations` in this
  module: slowapi wraps the handler with a decorator that breaks FastAPI's
  forward-ref resolution for the `LoginRequest` body parameter under
  Python 3.14 / pydantic 2.x.
"""

import logging
from logging.handlers import RotatingFileHandler
from pathlib import Path

from fastapi import APIRouter, Body, Depends, HTTPException, Request, Response, status
from slowapi import Limiter
from slowapi.util import get_remote_address

from app.auth.local import verify_password
from app.auth.session import clear_session_cookie, set_session_cookie
from app.config import settings
from app.deps.auth import auth_required
from app.models.schemas import LoginRequest, MeResponse


# ---- auth.log file logger ----
auth_logger = logging.getLogger("ud.auth")
if not auth_logger.handlers:
    log_dir = Path("/app/logs")
    try:
        log_dir.mkdir(parents=True, exist_ok=True)
        handler = RotatingFileHandler(
            log_dir / "auth.log",
            maxBytes=5 * 1024 * 1024,
            backupCount=5,
            encoding="utf-8",
        )
    except (PermissionError, OSError):
        # Fallback for local dev when /app/logs isn't writable.
        handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(asctime)sZ %(message)s"))
    auth_logger.addHandler(handler)
    auth_logger.setLevel(logging.INFO)
    auth_logger.propagate = False


limiter = Limiter(key_func=get_remote_address)

router = APIRouter(prefix="/api/auth", tags=["auth"])


def _log_attempt(request: Request, username: str, outcome: str) -> None:
    ip = get_remote_address(request)
    auth_logger.info("ip=%s user=%s outcome=%s", ip, username, outcome)


@router.post("/login")
@limiter.limit("5/minute")
async def login(request: Request, response: Response, body: LoginRequest = Body(...)):
    if settings.DEV_AUTH_BYPASS:
        _log_attempt(request, body.username, "bypass")
        return {"ok": True, "username": "dev", "mode": "bypass", "role": settings.ADMIN_ROLE}

    if not verify_password(body.username, body.password):
        _log_attempt(request, body.username, "fail")
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")

    set_session_cookie(response, body.username)
    _log_attempt(request, body.username, "success")
    return {"ok": True, "username": body.username, "mode": settings.AUTH_MODE, "role": settings.ADMIN_ROLE}


@router.post("/logout", status_code=status.HTTP_204_NO_CONTENT)
async def logout(response: Response) -> Response:
    clear_session_cookie(response)
    # Explicit 204 with no body.
    response.status_code = status.HTTP_204_NO_CONTENT
    return response


@router.get("/me", response_model=MeResponse)
async def me(user: dict = Depends(auth_required)) -> MeResponse:
    return MeResponse(
        username=user["username"],
        mode=user["mode"],
        role=user.get("role", settings.ADMIN_ROLE),
    )