679b89ae4c
Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
206 lines
6.2 KiB
Python
206 lines
6.2 KiB
Python
from fastapi import APIRouter, Depends, HTTPException, status, Request
|
|
from sqlalchemy.orm import Session
|
|
|
|
from app.core.config import settings
|
|
from app.core.database import get_db
|
|
from app.core.security import create_access_token, create_token_payload
|
|
from app.core.redis import get_redis
|
|
from app.core.rate_limiter import limiter
|
|
from app.models.user import User
|
|
from app.models.audit_log import AuditAction
|
|
from app.schemas.auth import LoginRequest, LoginResponse, UserInfo, CSRFTokenResponse
|
|
from app.services.auth_client import (
|
|
verify_credentials,
|
|
AuthAPIError,
|
|
AuthAPIConnectionError,
|
|
)
|
|
from app.services.audit_service import AuditService
|
|
from app.middleware.auth import get_current_user
|
|
from app.middleware.csrf import get_csrf_token_for_user
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.post("/login", response_model=LoginResponse)
|
|
@limiter.limit("5/minute")
|
|
async def login(
|
|
request: Request,
|
|
login_request: LoginRequest,
|
|
db: Session = Depends(get_db),
|
|
redis_client=Depends(get_redis),
|
|
):
|
|
"""
|
|
Authenticate user via external API and return JWT token.
|
|
"""
|
|
# Prepare metadata for audit logging
|
|
client_ip = request.client.host if request.client else "unknown"
|
|
user_agent = request.headers.get("user-agent", "unknown")
|
|
|
|
try:
|
|
# Verify credentials with external API
|
|
auth_result = await verify_credentials(login_request.email, login_request.password)
|
|
except AuthAPIConnectionError:
|
|
# Log failed login attempt due to service unavailable
|
|
AuditService.log_event(
|
|
db=db,
|
|
event_type="user.login_failed",
|
|
resource_type="user",
|
|
action=AuditAction.LOGIN,
|
|
user_id=None,
|
|
resource_id=None,
|
|
changes={"email": login_request.email, "reason": "auth_service_unavailable"},
|
|
request_metadata={"ip_address": client_ip, "user_agent": user_agent},
|
|
)
|
|
db.commit()
|
|
raise HTTPException(
|
|
status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
|
|
detail="Authentication service temporarily unavailable",
|
|
)
|
|
except AuthAPIError as e:
|
|
# Log failed login attempt due to invalid credentials
|
|
AuditService.log_event(
|
|
db=db,
|
|
event_type="user.login_failed",
|
|
resource_type="user",
|
|
action=AuditAction.LOGIN,
|
|
user_id=None,
|
|
resource_id=None,
|
|
changes={"email": login_request.email, "reason": "invalid_credentials"},
|
|
request_metadata={"ip_address": client_ip, "user_agent": user_agent},
|
|
)
|
|
db.commit()
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Invalid credentials",
|
|
)
|
|
|
|
# Find or create user in local database
|
|
user = db.query(User).filter(User.email == login_request.email).first()
|
|
|
|
# Get name from auth API response (nested in data.userInfo.name)
|
|
user_info = auth_result.get("data", {}).get("userInfo", {})
|
|
auth_name = user_info.get("name", login_request.email.split("@")[0])
|
|
|
|
if not user:
|
|
# Create new user based on auth API response
|
|
user = User(
|
|
email=login_request.email,
|
|
name=auth_name,
|
|
is_active=True,
|
|
)
|
|
db.add(user)
|
|
db.commit()
|
|
db.refresh(user)
|
|
else:
|
|
# Sync user name from external auth system on each login
|
|
if user.name != auth_name:
|
|
user.name = auth_name
|
|
db.commit()
|
|
db.refresh(user)
|
|
|
|
if not user.is_active:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="User account is disabled",
|
|
)
|
|
|
|
# Get role name
|
|
role_name = user.role.name if user.role else None
|
|
|
|
# Create token payload
|
|
token_data = create_token_payload(
|
|
user_id=user.id,
|
|
email=user.email,
|
|
role=role_name,
|
|
department_id=user.department_id,
|
|
is_system_admin=user.is_system_admin,
|
|
)
|
|
|
|
# Create access token
|
|
access_token = create_access_token(token_data)
|
|
|
|
# Store session in Redis (sync with JWT expiry)
|
|
redis_client.setex(
|
|
f"session:{user.id}",
|
|
settings.JWT_EXPIRE_MINUTES * 60, # Convert to seconds
|
|
access_token,
|
|
)
|
|
|
|
# Log successful login
|
|
AuditService.log_event(
|
|
db=db,
|
|
event_type="user.login",
|
|
resource_type="user",
|
|
action=AuditAction.LOGIN,
|
|
user_id=user.id,
|
|
resource_id=user.id,
|
|
changes=None,
|
|
request_metadata={"ip_address": client_ip, "user_agent": user_agent},
|
|
)
|
|
db.commit()
|
|
|
|
return LoginResponse(
|
|
access_token=access_token,
|
|
user=UserInfo(
|
|
id=user.id,
|
|
email=user.email,
|
|
name=user.name,
|
|
role=role_name,
|
|
department_id=user.department_id,
|
|
is_system_admin=user.is_system_admin,
|
|
),
|
|
)
|
|
|
|
|
|
@router.post("/logout")
|
|
async def logout(
|
|
current_user: User = Depends(get_current_user),
|
|
redis_client=Depends(get_redis),
|
|
):
|
|
"""
|
|
Logout user and invalidate session.
|
|
"""
|
|
# Remove session from Redis
|
|
redis_client.delete(f"session:{current_user.id}")
|
|
|
|
return {"detail": "Successfully logged out"}
|
|
|
|
|
|
@router.get("/me", response_model=UserInfo)
|
|
async def get_current_user_info(
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
"""
|
|
Get current authenticated user information.
|
|
"""
|
|
role_name = current_user.role.name if current_user.role else None
|
|
|
|
return UserInfo(
|
|
id=current_user.id,
|
|
email=current_user.email,
|
|
name=current_user.name,
|
|
role=role_name,
|
|
department_id=current_user.department_id,
|
|
is_system_admin=current_user.is_system_admin,
|
|
)
|
|
|
|
|
|
@router.get("/csrf-token", response_model=CSRFTokenResponse)
|
|
async def get_csrf_token(
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
"""
|
|
Get a CSRF token for the current user.
|
|
|
|
The CSRF token should be included in the X-CSRF-Token header
|
|
for all sensitive state-changing operations (DELETE, PUT, PATCH).
|
|
|
|
Token expires after 1 hour and should be refreshed.
|
|
"""
|
|
csrf_token = get_csrf_token_for_user(current_user.id)
|
|
|
|
return CSRFTokenResponse(
|
|
csrf_token=csrf_token,
|
|
expires_in=3600, # 1 hour
|
|
)
|