d3d1667a79
- Fix admin sidebar: remove duplicate Teams, add Storage nav item - Analytics: client-scoped queries, super_admin sees all (including NULL client_id) - Storage management: list/download/delete presentations with file metadata - Settings page with brand config router - AI usage tracking: new AIUsageModel, ai_usage_service, analytics endpoint - Master deck → template bridge: _register_as_template creates TemplateModel + PresentationLayoutCodeModel so parsed layouts appear in template picker - Multi-provider LLM vision in parser: Anthropic/Google/OpenAI with asyncio.to_thread - Fix PPTX upload 400: accept by .pptx extension (browser sends octet-stream) - Fix reparse FK violation: presentation_id=None for parse_master_deck jobs - Worker job_timeout increased to 1800s for LLM-heavy master deck parsing - PYTHONUNBUFFERED=1 in docker-compose worker for real-time log output - Auth: clientId in /me response, dev-login cookie improvements - Frontend: auth slice clientId, master-deck thumbnails, storage page Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
85 lines
2.6 KiB
Python
85 lines
2.6 KiB
Python
import uuid
|
|
|
|
from fastapi import Request
|
|
from starlette.middleware.base import BaseHTTPMiddleware
|
|
from starlette.responses import JSONResponse
|
|
|
|
from services.auth_service import AuthService
|
|
from services.database import async_session_maker
|
|
from models.sql.user import UserModel
|
|
|
|
# Paths that skip authentication (exact or prefix match)
|
|
PUBLIC_PATHS = [
|
|
"/api/v1/auth/dev-status",
|
|
"/api/v1/auth/dev-login",
|
|
"/api/v1/auth/login",
|
|
"/api/v1/auth/callback",
|
|
"/docs",
|
|
"/openapi.json",
|
|
"/api/health",
|
|
]
|
|
|
|
auth_service = AuthService()
|
|
|
|
|
|
class AuthMiddleware(BaseHTTPMiddleware):
|
|
async def dispatch(self, request: Request, call_next):
|
|
path = request.url.path
|
|
|
|
# Skip auth for public paths
|
|
for public_path in PUBLIC_PATHS:
|
|
if path == public_path or path.startswith(public_path + "/"):
|
|
request.state.user = None
|
|
return await call_next(request)
|
|
|
|
# Skip auth for non-API paths (Next.js frontend routes)
|
|
if not path.startswith("/api/"):
|
|
request.state.user = None
|
|
return await call_next(request)
|
|
|
|
# Extract token from cookie or Authorization header
|
|
token = request.cookies.get("session_token")
|
|
if not token:
|
|
auth_header = request.headers.get("Authorization")
|
|
if auth_header and auth_header.startswith("Bearer "):
|
|
token = auth_header[7:]
|
|
|
|
if not token:
|
|
return JSONResponse(
|
|
status_code=401,
|
|
content={"detail": "Authentication required"},
|
|
)
|
|
|
|
# Validate JWT
|
|
claims = auth_service.validate_token(token)
|
|
if not claims:
|
|
return JSONResponse(
|
|
status_code=401,
|
|
content={"detail": "Invalid or expired token"},
|
|
)
|
|
|
|
# Load user from DB
|
|
try:
|
|
user_id = uuid.UUID(claims["sub"])
|
|
async with async_session_maker() as session:
|
|
user = await session.get(UserModel, user_id)
|
|
except (ValueError, KeyError):
|
|
return JSONResponse(
|
|
status_code=401,
|
|
content={"detail": "Invalid token payload"},
|
|
)
|
|
|
|
if not user:
|
|
return JSONResponse(
|
|
status_code=401,
|
|
content={"detail": "User not found"},
|
|
)
|
|
|
|
if not user.is_active:
|
|
return JSONResponse(
|
|
status_code=401,
|
|
content={"detail": "Account deactivated"},
|
|
)
|
|
|
|
request.state.user = user
|
|
return await call_next(request)
|