feat: implement user authentication module

- Backend (FastAPI): - External API authentication (pj-auth-api.vercel.app) - JWT token validation with Redis session storage - RBAC with department isolation - User, Role, Department models with pjctrl_ prefix - Alembic migrations with project-specific version table - Complete test coverage (13 tests) - Frontend (React + Vite): - AuthContext for state management - Login page with error handling - Protected route component - Dashboard with user info display - OpenSpec: - 7 capability specs defined - add-user-auth change archived 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 23:41:37 +08:00
commit 1fda7da2c2
77 changed files with 6562 additions and 0 deletions
--- a/backend/app/services/auth_client.py
+++ b/backend/app/services/auth_client.py
@@ -0,0 +1,77 @@
+import httpx
+from typing import Optional
+from app.core.config import settings
+
+
+class AuthAPIError(Exception):
+    """Exception raised when external auth API returns an error."""
+    def __init__(self, message: str, status_code: int = 400):
+        self.message = message
+        self.status_code = status_code
+        super().__init__(self.message)
+
+
+class AuthAPIConnectionError(Exception):
+    """Exception raised when unable to connect to auth API."""
+    pass
+
+
+async def verify_credentials(email: str, password: str) -> dict:
+    """
+    Verify user credentials against the external auth API.
+
+    Args:
+        email: User's email address
+        password: User's password
+
+    Returns:
+        dict: User info from auth API if successful
+
+    Raises:
+        AuthAPIError: If credentials are invalid
+        AuthAPIConnectionError: If unable to connect to auth API
+    """
+    try:
+        async with httpx.AsyncClient(timeout=10.0) as client:
+            response = await client.post(
+                f"{settings.AUTH_API_URL}/api/auth/login",
+                json={"email": email, "password": password},
+            )
+
+            if response.status_code == 200:
+                return response.json()
+            elif response.status_code == 401:
+                raise AuthAPIError("Invalid credentials", 401)
+            else:
+                raise AuthAPIError(
+                    f"Authentication failed: {response.text}",
+                    response.status_code
+                )
+    except httpx.ConnectError:
+        raise AuthAPIConnectionError("Unable to connect to authentication service")
+    except httpx.TimeoutException:
+        raise AuthAPIConnectionError("Authentication service timeout")
+
+
+async def validate_token(token: str) -> Optional[dict]:
+    """
+    Validate a token with the external auth API.
+
+    Args:
+        token: The auth token to validate
+
+    Returns:
+        dict: Token payload if valid, None if invalid
+    """
+    try:
+        async with httpx.AsyncClient(timeout=10.0) as client:
+            response = await client.get(
+                f"{settings.AUTH_API_URL}/api/auth/validate",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+
+            if response.status_code == 200:
+                return response.json()
+            return None
+    except (httpx.ConnectError, httpx.TimeoutException):
+        return None