rewrite to new design

Signed-off-by: rafsaf <rafal.safin12@gmail.com>

Author: rafsaf

.pre-commit-config.yaml

@@ -1,16 +1,16 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-yaml
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.12
+    rev: v0.14.14
     hooks:
       - id: ruff-format
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.12
+    rev: v0.14.14
     hooks:
-      - id: ruff
+      - id: ruff-check
         args: [--fix]

alembic/env.py

@@ -19,14 +19,12 @@
 # for 'autogenerate' support
 # from myapp import mymodel
 # target_metadata = mymodel.Base.metadata
-from app.models import Base  # noqa
+from app.core.models import Base  # noqa
 
 target_metadata = Base.metadata
 
-# other values from the config, defined by the needs of env.py,
-# can be acquired:
-# my_important_option = config.get_main_option("my_important_option")
-# ... etc.
+# import other models here
+import app.auth.models  # noqa
 
 
 def get_database_uri() -> str:
@@ -93,4 +91,16 @@ async def run_migrations_online() -> None:
 if context.is_offline_mode():
     run_migrations_offline()
 else:
-    asyncio.run(run_migrations_online())
+    try:
+        loop: asyncio.AbstractEventLoop | None = asyncio.get_running_loop()
+    except RuntimeError:
+        loop = None
+
+    if loop and loop.is_running():
+        # pytest-asyncio or other test runner is running the event loop
+        # so we need to use run_coroutine_threadsafe
+        future = asyncio.run_coroutine_threadsafe(run_migrations_online(), loop)
+        future.result(timeout=15)
+    else:
+        # no event loop is running, safe to use asyncio.run
+        asyncio.run(run_migrations_online())

…2_2142_initial_migration_be24780c0da0.py …260203_1616_initial_auth_683275eeb305.pyalembic/versions/20250602_2142_initial_migration_be24780c0da0.py renamed to alembic/versions/20260203_1616_initial_auth_683275eeb305.py alembic/versions/20250602_2142_initial_migration_be24780c0da0.py renamed to alembic/versions/20260203_1616_initial_auth_683275eeb305.py

@@ -1,8 +1,8 @@
-"""initial_migration
+"""initial_auth
 
-Revision ID: be24780c0da0
+Revision ID: 683275eeb305
 Revises:
-Create Date: 2025-06-02 21:42:16.031375
+Create Date: 2026-02-03 16:16:09.776977
 
 """
 
@@ -11,73 +11,59 @@
 from alembic import op
 
 # revision identifiers, used by Alembic.
-revision = "be24780c0da0"
+revision = "683275eeb305"
 down_revision = None
 branch_labels = None
 depends_on = None
 
 
-def upgrade() -> None:
+def upgrade():
     # ### commands auto generated by Alembic - please adjust! ###
     op.create_table(
-        "user_account",
-        sa.Column("user_id", sa.Uuid(as_uuid=False), nullable=False),
+        "auth_user",
+        sa.Column("user_id", sa.String(length=36), nullable=False),
         sa.Column("email", sa.String(length=256), nullable=False),
         sa.Column("hashed_password", sa.String(length=128), nullable=False),
         sa.Column(
-            "create_time",
+            "created_at",
             sa.DateTime(timezone=True),
             server_default=sa.text("now()"),
             nullable=False,
         ),
         sa.Column(
-            "update_time",
+            "updated_at",
             sa.DateTime(timezone=True),
             server_default=sa.text("now()"),
             nullable=False,
         ),
         sa.PrimaryKeyConstraint("user_id"),
     )
-    op.create_index(
-        op.f("ix_user_account_email"), "user_account", ["email"], unique=True
-    )
+    op.create_index(op.f("ix_auth_user_email"), "auth_user", ["email"], unique=True)
     op.create_table(
-        "refresh_token",
+        "auth_refresh_token",
         sa.Column("id", sa.BigInteger(), nullable=False),
         sa.Column("refresh_token", sa.String(length=512), nullable=False),
         sa.Column("used", sa.Boolean(), nullable=False),
         sa.Column("exp", sa.BigInteger(), nullable=False),
-        sa.Column("user_id", sa.Uuid(as_uuid=False), nullable=False),
-        sa.Column(
-            "create_time",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column(
-            "update_time",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(
-            ["user_id"], ["user_account.user_id"], ondelete="CASCADE"
-        ),
+        sa.Column("user_id", sa.String(length=36), nullable=False),
+        sa.ForeignKeyConstraint(["user_id"], ["auth_user.user_id"], ondelete="CASCADE"),
         sa.PrimaryKeyConstraint("id"),
     )
     op.create_index(
-        op.f("ix_refresh_token_refresh_token"),
-        "refresh_token",
+        op.f("ix_auth_refresh_token_refresh_token"),
+        "auth_refresh_token",
         ["refresh_token"],
         unique=True,
     )
     # ### end Alembic commands ###
 
 
-def downgrade() -> None:
+def downgrade():
     # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index(op.f("ix_refresh_token_refresh_token"), table_name="refresh_token")
-    op.drop_table("refresh_token")
-    op.drop_index(op.f("ix_user_account_email"), table_name="user_account")
-    op.drop_table("user_account")
+    op.drop_index(
+        op.f("ix_auth_refresh_token_refresh_token"), table_name="auth_refresh_token"
+    )
+    op.drop_table("auth_refresh_token")
+    op.drop_index(op.f("ix_auth_user_email"), table_name="auth_user")
+    op.drop_table("auth_user")
     # ### end Alembic commands ###

app/api/api_messages.py

@@ -0,0 +1,66 @@
+from typing import Any
+
+JWT_ERROR_USER_REMOVED = "User removed"
+PASSWORD_INVALID = "Incorrect email or password"
+REFRESH_TOKEN_NOT_FOUND = "Refresh token not found"
+REFRESH_TOKEN_EXPIRED = "Refresh token expired"
+REFRESH_TOKEN_ALREADY_USED = "Refresh token already used"
+EMAIL_ADDRESS_ALREADY_USED = "Cannot use this email address"
+
+
+UNAUTHORIZED_RESPONSES: dict[int | str, dict[str, Any]] = {
+    401: {
+        "description": "No `Authorization` access token header, token is invalid or user removed",
+        "content": {
+            "application/json": {
+                "examples": {
+                    "not authenticated": {
+                        "summary": "No authorization token header",
+                        "value": {"detail": "Not authenticated"},
+                    },
+                    "invalid token": {
+                        "summary": "Token validation failed, decode failed, it may be expired or malformed",
+                        "value": {"detail": "Token invalid: {detailed error msg}"},
+                    },
+                    "removed user": {
+                        "summary": JWT_ERROR_USER_REMOVED,
+                        "value": {"detail": JWT_ERROR_USER_REMOVED},
+                    },
+                }
+            }
+        },
+    }
+}
+
+ACCESS_TOKEN_RESPONSES: dict[int | str, dict[str, Any]] = {
+    400: {
+        "description": "Invalid email or password",
+        "content": {"application/json": {"example": {"detail": PASSWORD_INVALID}}},
+    },
+}
+
+REFRESH_TOKEN_RESPONSES: dict[int | str, dict[str, Any]] = {
+    400: {
+        "description": "Refresh token expired or is already used",
+        "content": {
+            "application/json": {
+                "examples": {
+                    "refresh token expired": {
+                        "summary": REFRESH_TOKEN_EXPIRED,
+                        "value": {"detail": REFRESH_TOKEN_EXPIRED},
+                    },
+                    "refresh token already used": {
+                        "summary": REFRESH_TOKEN_ALREADY_USED,
+                        "value": {"detail": REFRESH_TOKEN_ALREADY_USED},
+                    },
+                }
+            }
+        },
+    },
+    404: {
+        "description": "Refresh token does not exist",
+        "content": {
+            "application/json": {"example": {"detail": REFRESH_TOKEN_NOT_FOUND}}
+        },
+    },
+}

app/api/api_router.py

@@ -1,27 +1,21 @@
-from collections.abc import AsyncGenerator
 from typing import Annotated
 
 from fastapi import Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from app.api import api_messages
+from app.auth import api_messages
+from app.auth.jwt import verify_jwt_token
+from app.auth.models import User
 from app.core import database_session
-from app.core.security.jwt import verify_jwt_token
-from app.models import User
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="auth/access-token")
 
 
-async def get_session() -> AsyncGenerator[AsyncSession]:
-    async with database_session.get_async_session() as session:
-        yield session
-
-
 async def get_current_user(
     token: Annotated[str, Depends(oauth2_scheme)],
-    session: AsyncSession = Depends(get_session),
+    session: AsyncSession = Depends(database_session.new_async_session),
 ) -> User:
     token_payload = verify_jwt_token(token)
 

app/api/endpoints/__init__.py

@@ -6,8 +6,6 @@
 
 from app.core.config import get_settings
 
-JWT_ALGORITHM = "HS256"
-
 
 # Payload follows RFC 7519
 # https://www.rfc-editor.org/rfc/rfc7519#section-4.1
@@ -37,7 +35,7 @@ def create_jwt_token(user_id: str) -> JWTToken:
     access_token = jwt.encode(
         token_payload.model_dump(),
         key=get_settings().security.jwt_secret_key.get_secret_value(),
-        algorithm=JWT_ALGORITHM,
+        algorithm=get_settings().security.jwt_algorithm,
     )
 
     return JWTToken(payload=token_payload, access_token=access_token)
@@ -56,7 +54,7 @@ def verify_jwt_token(token: str) -> JWTTokenPayload:
         raw_payload = jwt.decode(
             token,
             get_settings().security.jwt_secret_key.get_secret_value(),
-            algorithms=[JWT_ALGORITHM],
+            algorithms=[get_settings().security.jwt_algorithm],
             options={"verify_signature": True},
             issuer=get_settings().security.jwt_issuer,
         )