4623b89aeb
- create_access_token gains optional org_ids: list[str] param; encodes
{exp, sub, org_ids, v:2} — org_ids is a prefilter hint only, never
used as authorization source of truth (Redis cache is authoritative)
- Login, MS login, refresh endpoints: fetch memberships and include
org_ids in issued access tokens via _get_user_org_ids() helper
- routes_invitations.py accept flow: same org_ids population on token
- get_current_user: reads org_ids from payload, attaches as transient
user.__dict__["org_ids"] — available to OrgScopedQuery for prefilter
- Force logout: rotate JWT_SECRET env var at deployment time (no code
change needed; all existing tokens immediately invalidated)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
188 lines
6.2 KiB
Python
188 lines
6.2 KiB
Python
from typing import Optional
|
|
|
|
from fastapi import Depends, HTTPException, Request, status
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
from motor.motor_asyncio import AsyncIOMotorDatabase
|
|
|
|
from ..models.user import User, UserRole
|
|
from .config import settings
|
|
from .database import get_database
|
|
from .security import decode_token
|
|
|
|
security = HTTPBearer()
|
|
|
|
# Only admins bypass tenant isolation; other staff are scoped by team membership
|
|
STAFF_ROLES = {UserRole.ADMIN}
|
|
|
|
|
|
async def get_current_user(
|
|
credentials: HTTPAuthorizationCredentials = Depends(security),
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> User:
|
|
token = credentials.credentials
|
|
payload = decode_token(token)
|
|
|
|
if payload.get("type") == "refresh":
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
)
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="User not found",
|
|
)
|
|
|
|
user = User(**user_doc)
|
|
# Attach org_ids hint from token as transient attribute (never used for authz)
|
|
token_org_ids = payload.get("org_ids", [])
|
|
if token_org_ids:
|
|
user.__dict__["org_ids"] = token_org_ids
|
|
return user
|
|
|
|
|
|
def require_role(required_role: UserRole):
|
|
async def role_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role != required_role and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return role_checker
|
|
|
|
|
|
def require_roles(*required_roles: UserRole):
|
|
async def roles_checker(current_user: User = Depends(get_current_user)) -> User:
|
|
if current_user.role not in required_roles and current_user.role != UserRole.ADMIN:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Insufficient permissions",
|
|
)
|
|
return current_user
|
|
|
|
return roles_checker
|
|
|
|
|
|
async def get_current_user_optional(
|
|
request: Request,
|
|
db: AsyncIOMotorDatabase = Depends(get_database),
|
|
) -> Optional[User]:
|
|
authorization: str = request.headers.get("Authorization")
|
|
if not authorization:
|
|
return None
|
|
|
|
try:
|
|
scheme, token = authorization.split()
|
|
if scheme.lower() != "bearer":
|
|
return None
|
|
|
|
payload = decode_token(token)
|
|
if payload.get("type") == "refresh":
|
|
return None
|
|
|
|
user_id: str = payload.get("sub")
|
|
|
|
if user_id is None:
|
|
return None
|
|
|
|
user_doc = await db.users.find_one({"_id": user_id})
|
|
if user_doc is None:
|
|
return None
|
|
|
|
return User(**user_doc)
|
|
except Exception:
|
|
return None
|
|
|
|
|
|
async def get_accessible_project_ids(
|
|
user: User,
|
|
db: AsyncIOMotorDatabase,
|
|
) -> Optional[list[str]]:
|
|
"""
|
|
Returns project IDs the user may access, or None meaning "see everything".
|
|
|
|
- Admin → None (unrestricted)
|
|
- Staff (REVIEWER/LINGUIST/PRODUCTION) → scoped by team membership;
|
|
if not yet assigned to any team, falls back to None (see all)
|
|
so existing staff aren't locked out before teams are configured
|
|
- PM → projects in accessible orgs/clients (pm_client_ids legacy)
|
|
- CLIENT → projects in orgs where the user holds any membership
|
|
"""
|
|
if user.role in STAFF_ROLES:
|
|
return None
|
|
|
|
user_id = str(user.id)
|
|
|
|
# Primary path: use Redis-cached memberships (60s TTL, same cache as authz.py)
|
|
from .authz import _cached_memberships # local import to avoid circular dep at module level
|
|
memberships_map = await _cached_memberships(user_id, db)
|
|
org_ids = list(memberships_map.keys())
|
|
|
|
if org_ids:
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": org_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# Legacy fallback: team membership (used by REVIEWER/LINGUIST/PRODUCTION and legacy CLIENT)
|
|
teams = await db.teams.find(
|
|
{"member_user_ids": user_id},
|
|
{"client_id": 1},
|
|
).to_list(None)
|
|
client_ids = list({t["client_id"] for t in teams})
|
|
|
|
if client_ids:
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# PM legacy: scoped via pm_client_ids
|
|
if user.role == UserRole.PROJECT_MANAGER:
|
|
pm_client_ids = user.pm_client_ids or []
|
|
if not pm_client_ids:
|
|
return []
|
|
projects = await db.projects.find(
|
|
{"client_id": {"$in": pm_client_ids}, "is_active": True},
|
|
{"_id": 1},
|
|
).to_list(None)
|
|
return [str(p["_id"]) for p in projects]
|
|
|
|
# Staff with no team assignments → unrestricted until teams are configured
|
|
if user.role in {UserRole.REVIEWER, UserRole.LINGUIST, UserRole.PRODUCTION}:
|
|
return None
|
|
|
|
# CLIENT with no memberships and no teams → show nothing
|
|
return []
|
|
|
|
|
|
def require_pm_for_client(client_id_param: str = "client_id"):
|
|
"""Dependency: ensures the current user is an Admin or PM for the given client."""
|
|
async def checker(
|
|
request: Request,
|
|
current_user: User = Depends(get_current_user),
|
|
) -> User:
|
|
if current_user.role == UserRole.ADMIN:
|
|
return current_user
|
|
if current_user.role != UserRole.PROJECT_MANAGER:
|
|
raise HTTPException(status_code=403, detail="Insufficient permissions")
|
|
client_id = request.path_params.get(client_id_param)
|
|
if client_id not in (current_user.pm_client_ids or []):
|
|
raise HTTPException(status_code=403, detail="Not a manager for this client")
|
|
return current_user
|
|
|
|
return checker
|