Hoplin-FastAPI-Starter/apps/core/auth/context.py at main · J-Hoplin/Hoplin-FastAPI-Starter · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
from typing import Literal, Annotated

import jwt
from dependency_injector.wiring import Provide, inject
from fastapi import Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

from apps.api.user.repository import UserRepository
from apps.containers import Application
from apps.core.auth.exception import (
    TokenExpiredException,
    InvalidTokenException,
    InvalidCredentialException,
    RoleNotGrantedException,
)
from apps.core.database.models import User
from collections.abc import Iterable

"""
Parse JWT Token from authorization header.

See `__call__` magic method of OAuth2PasswordBearer class implementation
"""
bearer_scheme = HTTPBearer()


@inject
async def get_authenticated_user(
    token: Annotated[HTTPAuthorizationCredentials, Depends(bearer_scheme)],
    config: Annotated[dict, Depends(Provide[Application.config])],
    user_repository: Annotated[
        UserRepository, Depends(Provide[Application.user.repository])
    ],
) -> User:
    try:
        payload = jwt.decode(
            token.credentials,
            config.get("JWT_SECRET_KEY"),
            algorithms=[config.get("JWT_ALGORITHM")],
        )
        username: str | None = payload.get("sub")

        if username is None:
            raise InvalidCredentialException()

    except jwt.ExpiredSignatureError:
        raise TokenExpiredException()
    except jwt.InvalidTokenError:
        raise InvalidTokenException()

    user = await user_repository.retrieve_user_with_unique_clause(
        key="username", value=username, filter_is_active=True
    )

    if not user:
        raise InvalidCredentialException()
    return user


def role_granted_user(roles: Iterable[Literal["superuser", "staff"]]):
    for role in roles:
        assert role in ("superuser", "staff")

    async def allow_superuser_or_staff(
        user: Annotated[User, Depends(get_authenticated_user)]
    ):
        if not user.is_superuser or not user.is_staff:
            raise RoleNotGrantedException(expected_roles=roles)

        if user.is_superuser:
            return user

        if user.is_staff and "staff" not in roles:
            raise RoleNotGrantedException(expected_roles=roles)
        return user

    return allow_superuser_or_staff