RustamovAkrom
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 4 additions & 4 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/api/v1/user.py‎
Lines changed: 70 additions & 1 deletion b/‎src/api/v1/user.py‎
Lines changed: 70 additions & 1 deletion
diff --git a/‎src/core/config.py‎
Lines changed: 1 addition & 0 deletions b/‎src/core/config.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/core/security.py‎
Lines changed: 49 additions & 39 deletions b/‎src/core/security.py‎
Lines changed: 49 additions & 39 deletions
diff --git a/‎src/db/crud/user.py‎
Lines changed: 22 additions & 0 deletions b/‎src/db/crud/user.py‎
Lines changed: 22 additions & 0 deletions
@@ -1,8 +1,8 @@
 repos:
-  - repo: https://github.com/pre-commit/mirrors-isort
-    rev: v5.10.1
-    hooks:
-      - id: isort
+  # - repo: https://github.com/pre-commit/mirrors-isort
+  #   rev: v5.10.1
+  #   hooks:
+  #     - id: isort
 
   - repo: https://github.com/psf/black
     rev: 24.1.0
 
@@ -1,14 +1,19 @@
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Body, Depends
 
 from db.dependencies.auth import get_current_user, require_roles
 from db.models.users import User, UserRole
 from schemas.auth import (
+    ForgotPasswordScheme,
     LoginOutScheme,
     LoginScheme,
+    PasswordResetScheme,
+    RefreshTokenScheme,
     RegisterOutScheme,
     RegistrationScheme,
+    TokenScheme,
 )
 from schemas.user import UserCreateScheme
+from services.password_service import PasswordService
 from services.user_service import UserService
 
 router = APIRouter()
@@ -50,4 +55,68 @@ async def login_user(
     return await user_service.login(data)
 
 
+@router.post("/logout")
+async def logout_user(data: RefreshTokenScheme, user_service: UserService = Depends()):
+    """
+    Logout and invalidate refresh token
+    """
+    return await user_service.logout(data.refresh_token)
+
+
+@router.post("/forgot-password")
+async def forgot_password(
+    data: ForgotPasswordScheme, password_service: PasswordService = Depends()
+) -> dict[str, str]:
+    return await password_service.forgot_password(data)
+
+
+@router.post("/reset-password")
+async def reset_password(
+    data: PasswordResetScheme, password_service: PasswordService = Depends()
+):
+    return await password_service.reset_password(data)
+
+
+@router.post("/refresh-token")
+async def refresh_token(
+    data: RefreshTokenScheme = Body(...), user_service: UserService = Depends()
+):
+    """
+    Refresh access token using refresh token
+    """
+    return await user_service.refresh_access_token(data.refresh_token)
+
+
+@router.post("/verify-email")
+async def verify_email(
+    data: TokenScheme = Body(...), user_service: UserService = Depends()
+):
+    """
+    Verify user email via token
+    """
+    return await user_service.verify_email(data.token)
+
+
+@router.post("/verify-phone")
+async def verify_phone(
+    data: TokenScheme = Body(...), user_service: UserService = Depends()
+):
+    """
+    Verify user phone via token
+    """
+    return await user_service.verify_phone(data.token)
+
+
+@router.post("/resend-verification")
+async def resend_verification(
+    user_id: int = Body(...),
+    type_: str = Body(...),
+    user_service: UserService = Depends(),
+):
+    """
+    Resend email or phone verification token
+    """
+    return await user_service.resend_verification(user_id, type_)
+
+
 __all__ = ("router",)
@@ -28,6 +28,7 @@ class BaseAppSettings(BaseSettings):
     JWT_ALGORITHM: str = "HS256"
     JWT_ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 8
     JWT_REFRESH_TOKEN_EXPIRES_DAYS: int = 7
+    PASSWORD_RESET_TOKEN_EXPIRE_MINUTES: int = 15
 
     # DATABASE_URL: str
     DB_ENGINE: str = "sqlite"
 
@@ -1,7 +1,8 @@
 import uuid
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from typing import Any, Dict, Optional, Union
 
+from fastapi import HTTPException
 from jose import ExpiredSignatureError, JWTError, jwt
 from passlib.context import CryptContext
 
@@ -22,7 +23,7 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
 
 # helpers
 def _now() -> datetime:
-    return datetime.utcnow()
+    return datetime.now(timezone.utc)
 
 
 def _jti() -> str:
@@ -36,31 +37,35 @@ def create_access_token(
     expires_delta: timedelta | None = None,
 ) -> str:
     """
-    Create access token.
+    Create access token (JWT) with proper iat and exp timestamps.
     """
 
     if isinstance(subject, dict):
-        payload_access: Dict[str, Any] = subject.copy()
+        payload: Dict[str, Any] = subject.copy()
     else:
-        payload_access: Dict[str, Any] = {"sub": str(subject)}  # type: ignore
+        payload: Dict[str, Any] = {"sub": str(subject)}  # type: ignore
 
-    payload_access.setdefault("type", "access")
-    payload_access.setdefault("jti", _jti())
-    payload_access.setdefault("iat", int(_now().timestamp()))
+    payload.setdefault("type", "access")
+    payload.setdefault("jti", _jti())
 
-    if extra:
-        payload_access.update(extra)
-
-    if expires_delta:
-        exp = _now() + expires_delta
-    else:
-        exp = _now() + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES or 15)
-
-    payload_access["exp"] = int(exp.timestamp())
+    now_ts = int(_now().timestamp())
+    payload["iat"] = now_ts
 
-    return jwt.encode(
-        payload_access, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM
+    if extra:
+        payload.update(extra)
+
+    exp_ts = int(
+        (
+            _now()
+            + (
+                expires_delta
+                or timedelta(minutes=settings.PASSWORD_RESET_TOKEN_EXPIRE_MINUTES)
+            )
+        ).timestamp()
     )
+    payload["exp"] = exp_ts
+
+    return jwt.encode(payload, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
 
 
 def create_refresh_token(
@@ -69,41 +74,46 @@ def create_refresh_token(
     expires_delta: timedelta | None = None,
 ) -> str:
     """
-    Create refresh token.
+    Create refresh token (JWT) with proper iat and exp timestamps.
     """
 
     if isinstance(subject, dict):
-        payload_refresh: Dict[str, Any] = subject.copy()
+        payload: Dict[str, Any] = subject.copy()
     else:
-        payload_refresh: Dict[str, Any] = {"sub": str(subject)}  # type: ignore
+        payload: Dict[str, Any] = {"sub": str(subject)}  # type: ignore
 
-    payload_refresh.setdefault("type", "refresh")
-    payload_refresh.setdefault("jti", _jti())
-    payload_refresh.setdefault("iat", int(_now().timestamp()))
+    payload.setdefault("type", "refresh")
+    payload.setdefault("jti", _jti())
+    payload["iat"] = int(_now().timestamp())
 
     if extra:
-        payload_refresh.update(extra)
+        payload.update(extra)
 
-    if expires_delta:
-        exp = _now() + expires_delta
-    else:
-        exp = _now() + timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRES_DAYS or 30)
-
-    payload_refresh["exp"] = int(exp.timestamp())
-
-    return jwt.encode(
-        payload_refresh, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM
+    exp_ts = int(
+        (
+            _now()
+            + (expires_delta or timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRES_DAYS))
+        ).timestamp()
     )
+    payload["exp"] = exp_ts
+
+    return jwt.encode(payload, settings.SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
 
 
 def decode_token(token: str) -> dict:
+    """
+    Decode JWT token. By default, disables exp verification for internal inspection.
+    Use jose.decode(token, ..., options={"verify_exp": True}) when verifying token lifetime.
+    """
     try:
         payload = jwt.decode(
-            token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM]
+            token,
+            settings.SECRET_KEY,
+            algorithms=[settings.JWT_ALGORITHM],
+            options={"verify_exp": True},
         )
         return payload
     except ExpiredSignatureError:
-        raise ExpiredSignatureError("Token has expired")
-
+        raise HTTPException(status_code=400, detail="Token has expired")
     except JWTError:
-        raise JWTError("Invalid token")
+        raise HTTPException(status_code=400, detail="Invalid token")
@@ -2,6 +2,7 @@
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from core.security import hash_password
 from db.dependencies.sessions import get_db_session
 from db.models.users import User
 from schemas.auth import RegistrationScheme
@@ -49,3 +50,24 @@ async def get_by_id(self, user_id: int) -> User | None:
         stmt = select(User).where(User.id == user_id)
         result = await self.session.execute(stmt)
         return result.scalars().first()
+
+    async def update_password(self, user: User, new_password) -> User:
+        user.hashed_password = hash_password(new_password)
+        self.session.add(user)
+        await self.session.commit()
+        await self.session.refresh(user)
+        return user
+
+    async def mark_email_verified(self, user: User) -> User:
+        user.is_email_verified = True
+        self.session.add(user)
+        await self.session.commit()
+        await self.session.refresh(user)
+        return user
+
+    async def mark_phone_verified(self, user: User) -> User:
+        user.is_phone_verified = True
+        self.session.add(user)
+        await self.session.commit()
+        await self.session.refresh(user)
+        return user