70f6c6befb
get_current_user and get_current_user_optional now reject any token whose payload carries type="refresh". Access tokens carry no type field so the check is asymmetric and safe. Prevents a refresh-cookie value from being replayed as a Bearer access token. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
170 lines
5.4 KiB
Python
170 lines
5.4 KiB
Python
from typing import Optional
|
|
|
|
from fastapi import Depends, HTTPException, Request, status
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
from motor.motor_asyncio import AsyncIOMotorDatabase
|
|
|
|
from ..models.user import User, UserRole
|
|
from .config import settings
|
|
from .database import get_database
|
|
from .security import decode_token
|
|
|
|
security = HTTPBearer()
|
|
|
|
# Roles that see all jobs (no tenant isolation)
|
|
STAFF_ROLES = {UserRole.ADMIN, UserRole.REVIEWER, UserRole.LINGUIST, UserRole.PRODUCTION}
|
|
|
|
|
|
async def get_current_user(
|
|
credentials: HTTPAuthorizationCredentials = Depends(security),
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> User:
|
|
token = credentials.credentials
|
|
payload = decode_token(token)
|
|
|
|
if payload.get("type") == "refresh":
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="User not found",
|
|
)
|
|
|
|
return User(**user_doc)
|
|
|
|
|
|
def require_role(required_role: UserRole):
|
|
async def role_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role != required_role and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return role_checker
|
|
|
|
|
|
def require_roles(*required_roles: UserRole):
|
|
async def roles_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role not in required_roles and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return roles_checker
|
|
|
|
|
|
async def get_current_user_optional(
|
|
request: Request,
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> Optional[User]:
|
|
authorization: str = request.headers.get("Authorization")
|
|
if not authorization:
|
|
return None
|
|
|
|
try:
|
|
scheme, token = authorization.split()
|
|
if scheme.lower() != "bearer":
|
|
return None
|
|
|
|
payload = decode_token(token)
|
|
if payload.get("type") == "refresh":
|
|
return None
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
return None
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
return None
|
|
|
|
return User(**user_doc)
|
|
except Exception:
|
|
return None
|
|
|
|
|
|
async def get_accessible_project_ids(
|
|
user: User,
|
|
db: AsyncIOMotorDatabase,
|
|
) -> Optional[list[str]]:
|
|
"""
|
|
Returns project IDs the user may access, or None meaning "see everything".
|
|
|
|
- Staff / Admin → None (unrestricted)
|
|
- Otherwise → projects in orgs where the user holds any membership
|
|
(falls back to legacy pm_client_ids/team lookups if no memberships found)
|
|
"""
|
|
if user.role in STAFF_ROLES:
|
|
return None
|
|
|
|
# Primary path: use memberships collection (Phase 3 SaaS)
|
|
user_id = str(user.id)
|
|
membership_cursor = db.memberships.find({"user_id": user_id}, {"organization_id": 1})
|
|
org_ids = [doc["organization_id"] async for doc in membership_cursor]
|
|
|
|
if org_ids:
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": org_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# Legacy fallback (pre-backfill) — keeps the app working before migration runs
|
|
if user.role == UserRole.PROJECT_MANAGER:
|
|
client_ids = user.pm_client_ids or []
|
|
if not client_ids:
|
|
return []
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
teams = await db.teams.find(
|
|
{"member_user_ids": user_id},
|
|
{"client_id": 1},
|
|
).to_list(None)
|
|
client_ids = list({t["client_id"] for t in teams})
|
|
if not client_ids:
|
|
return []
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
|
|
def require_pm_for_client(client_id_param: str = "client_id"):
|
|
"""Dependency: ensures the current user is an Admin or PM for the given client."""
|
|
async def checker(
|
|
request: Request,
|
|
current_user: User = Depends(get_current_user),
|
|
) -> User:
|
|
if current_user.role == UserRole.ADMIN:
|
|
return current_user
|
|
if current_user.role != UserRole.PROJECT_MANAGER:
|
|
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
|
client_id = request.path_params.get(client_id_param)
|
|
if client_id not in (current_user.pm_client_ids or []):
|
|
raise HTTPException(status_code=403, detail="Not a manager for this client")
|
|
return current_user
|
|
|
|
return checker
|