| """ |
| Security components for authentication and authorization. |
| """ |
| import jwt |
| from datetime import datetime, timedelta |
| from typing import Optional, Dict, Any |
| from passlib.context import CryptContext |
| from fastapi import Depends, HTTPException, status |
| from fastapi.security import OAuth2PasswordBearer |
| from pydantic import BaseModel, ValidationError |
| from pymongo.errors import DuplicateKeyError |
| from bson import ObjectId |
|
|
| from evoagentx.app.config import settings |
| from evoagentx.app.db import Database |
| from evoagentx.app.schemas import TokenPayload, UserCreate, UserResponse |
|
|
| |
| pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") |
|
|
| |
| oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{settings.API_PREFIX}/auth/login") |
|
|
| |
| class UserInDB(BaseModel): |
| _id: Optional[ObjectId] = None |
| email: str |
| hashed_password: str |
| full_name: Optional[str] = None |
| is_active: bool = True |
| is_admin: bool = False |
| created_at: datetime = datetime.utcnow() |
|
|
| def verify_password(plain_password: str, hashed_password: str) -> bool: |
| """Verify a password against a hash.""" |
| return pwd_context.verify(plain_password, hashed_password) |
|
|
| def get_password_hash(password: str) -> str: |
| """Hash a password for storing.""" |
| return pwd_context.hash(password) |
|
|
| async def get_user_by_email(email: str) -> Optional[Dict[str, Any]]: |
| """Get a user by email.""" |
| return await Database.db.users.find_one({"email": email}) |
|
|
| async def authenticate_user(email: str, password: str) -> Optional[Dict[str, Any]]: |
| """Authenticate a user by email and password.""" |
| user = await get_user_by_email(email) |
| if not user: |
| return None |
| if not verify_password(password, user["hashed_password"]): |
| return None |
| if not user.get("is_active", True): |
| return None |
| return user |
|
|
| async def create_user(user_create: UserCreate) -> UserResponse: |
| """Create a new user.""" |
| |
| existing_user = await get_user_by_email(user_create.email) |
| if existing_user: |
| raise HTTPException( |
| status_code=status.HTTP_400_BAD_REQUEST, |
| detail="Email already registered" |
| ) |
| |
| |
| user_dict = user_create.dict() |
| hashed_password = get_password_hash(user_dict.pop("password")) |
| |
| new_user = { |
| "email": user_dict["email"], |
| "hashed_password": hashed_password, |
| "full_name": user_dict.get("full_name"), |
| "is_active": True, |
| "is_admin": False, |
| "created_at": datetime.utcnow() |
| } |
| |
| try: |
| insert_result = await Database.db.users.insert_one(new_user) |
| new_user["_id"] = insert_result.inserted_id |
| return UserResponse(**new_user) |
| except DuplicateKeyError: |
| raise HTTPException( |
| status_code=status.HTTP_400_BAD_REQUEST, |
| detail="Email already registered" |
| ) |
|
|
| def create_access_token(subject: str, expires_delta: Optional[timedelta] = None) -> str: |
| """Create a new JWT access token.""" |
| if expires_delta: |
| expire = datetime.utcnow() + expires_delta |
| else: |
| expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES) |
| |
| to_encode = {"exp": expire, "sub": subject} |
| encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) |
| return encoded_jwt |
|
|
| async def get_current_user(token: str = Depends(oauth2_scheme)) -> Dict[str, Any]: |
| """Get the current user from a JWT token.""" |
| try: |
| payload = jwt.decode( |
| token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM] |
| ) |
| token_data = TokenPayload(**payload) |
| |
| if datetime.fromtimestamp(token_data.exp) < datetime.utcnow(): |
| raise HTTPException( |
| status_code=status.HTTP_401_UNAUTHORIZED, |
| detail="Token expired", |
| headers={"WWW-Authenticate": "Bearer"}, |
| ) |
| except (jwt.PyJWTError, ValidationError): |
| raise HTTPException( |
| status_code=status.HTTP_403_FORBIDDEN, |
| detail="Could not validate credentials", |
| headers={"WWW-Authenticate": "Bearer"}, |
| ) |
| |
| user = await get_user_by_email(token_data.sub) |
| if user is None: |
| raise HTTPException( |
| status_code=status.HTTP_404_NOT_FOUND, |
| detail="User not found" |
| ) |
| |
| return user |
|
|
| async def get_current_active_user(current_user: Dict[str, Any] = Depends(get_current_user)) -> Dict[str, Any]: |
| """Get the current active user.""" |
| if not current_user.get("is_active", True): |
| raise HTTPException(status_code=400, detail="Inactive user") |
| return current_user |
|
|
| async def get_current_admin_user(current_user: Dict[str, Any] = Depends(get_current_user)) -> Dict[str, Any]: |
| """Get the current admin user.""" |
| if not current_user.get("is_admin", False): |
| raise HTTPException( |
| status_code=status.HTTP_403_FORBIDDEN, |
| detail="Not enough permissions" |
| ) |
| return current_user |
|
|
| |
| async def init_users_collection(): |
| """Initialize the users collection with indexes.""" |
| await Database.db.users.create_index("email", unique=True) |
| |
| |
| admin_email = "admin@clayx.ai" |
| admin = await get_user_by_email(admin_email) |
| if not admin: |
| admin_user = UserCreate( |
| email=admin_email, |
| password="adminpassword", |
| full_name="Admin User" |
| ) |
| user_dict = admin_user.dict() |
| hashed_password = get_password_hash(user_dict["password"]) |
| |
| new_admin = { |
| "email": admin_email, |
| "hashed_password": hashed_password, |
| "full_name": "Admin User", |
| "is_active": True, |
| "is_admin": True, |
| "created_at": datetime.utcnow() |
| } |
| |
| await Database.db.users.insert_one(new_admin) |
