Merge pull request #4 from codewithme-py/feat/Auth-security-layer

codewithme-py · web-flow · commit ccad5d438777 · 2026-02-19T21:43:23.000+03:00
feat(auth): implement basic jwt auth and password hashing
diff --git a/README.md b/README.md
@@ -1 +1,2 @@
 # FairDrop_draft
+[![Workflow Status](https://github.com/codewithme-py/FairDrop/actions/workflows/ci.yaml/badge.svg)](https://github.com/codewithme-py/FairDrop/actions/workflows/ci.yaml)
diff --git a/app/core/config.py b/app/core/config.py
@@ -16,6 +16,7 @@ class Settings(BaseSettings):
     s3_port: int = Field(alias='S3_PORT')
     minio_root_user: str = Field(alias='MINIO_ROOT_USER')
     minio_root_password: str = Field(alias='MINIO_ROOT_PASSWORD')
+    secret_key: str = Field(alias='SECRET_KEY')
     debug_mode: bool = Field(default=False, alias='DEBUG_MODE')
 
     @computed_field
diff --git a/app/core/database.py b/app/core/database.py
@@ -22,6 +22,6 @@ class Base(DeclarativeBase):
     pass
 
 
-async def get_db() -> AsyncGenerator[AsyncSession, None]:
+async def get_session() -> AsyncGenerator[AsyncSession, None]:
     async with async_session_factory() as session:
         yield session
diff --git a/app/core/exception_handlers.py b/app/core/exception_handlers.py
@@ -0,0 +1,23 @@
+from fastapi import Request, status
+from fastapi.responses import JSONResponse
+
+from .exceptions import CredentialsError, UserAlreadyExists
+
+
+async def user_already_exists_handler(
+    request: Request, exc: UserAlreadyExists
+) -> JSONResponse:
+    return JSONResponse(
+        status_code=status.HTTP_400_BAD_REQUEST,
+        content={'detail': str(exc) or 'User already exists'},
+    )
+
+
+async def credentials_error_handler(
+    request: Request, exc: CredentialsError
+) -> JSONResponse:
+    return JSONResponse(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        content={'detail': str(exc) or 'Invalid credentials'},
+        headers=getattr(exc, 'headers', None),
+    )
diff --git a/app/core/exceptions.py b/app/core/exceptions.py
@@ -0,0 +1,18 @@
+class AppError(Exception):
+    """Базовый класс для всех ошибок приложения."""
+
+    def __init__(self, message: str = '', headers: dict | None = None):
+        self.message = message
+        self.headers = headers
+        super().__init__(message)
+
+
+class UserAlreadyExists(AppError):
+    """Пользователь c таким email уже существует."""
+
+
+class CredentialsError(AppError):
+    """Неверные учетные данные."""
+
+    def __init__(self, message: str = 'Could not validate credentials'):
+        super().__init__(message=message, headers={'WWW-Authenticate': 'Bearer'})
diff --git a/app/core/security.py b/app/core/security.py
@@ -0,0 +1,28 @@
+from datetime import UTC, datetime, timedelta
+
+from jose import jwt
+from passlib.context import CryptContext
+
+from app.core.config import settings
+
+pwd_context = CryptContext(schemes=['bcrypt'], deprecated='auto')
+ALGORITHM = 'HS256'
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return bool(pwd_context.verify(plain_password, hashed_password))
+
+
+def get_password_hash(password: str) -> str:
+    return str(pwd_context.hash(password))
+
+
+def create_access_token(data: dict, expires_delta: timedelta | None = None) -> str:
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.now(UTC) + expires_delta
+    else:
+        expire = datetime.now(UTC) + timedelta(minutes=30)
+    to_encode.update({'exp': expire})
+    encoded_jwt = jwt.encode(to_encode, settings.secret_key, algorithm=ALGORITHM)
+    return str(encoded_jwt)
diff --git a/app/core/setup.py b/app/core/setup.py
@@ -0,0 +1,9 @@
+from fastapi import FastAPI
+
+from .exception_handlers import credentials_error_handler, user_already_exists_handler
+from .exceptions import CredentialsError, UserAlreadyExists
+
+
+def setup_exception_handlers(app: FastAPI) -> None:
+    app.add_exception_handler(UserAlreadyExists, user_already_exists_handler)  # type: ignore[arg-type]
+    app.add_exception_handler(CredentialsError, credentials_error_handler)  # type: ignore[arg-type]
diff --git a/app/main.py b/app/main.py
@@ -2,11 +2,17 @@
 from fastapi import FastAPI
 
 from app.core.logging import setup_logging
+from app.core.setup import setup_exception_handlers
+from app.services.user.routes import router_v1
 
 setup_logging()
 logger = structlog.get_logger(__name__)
 app = FastAPI()
 
+setup_exception_handlers(app)
+
+app.include_router(router_v1, prefix='/api/v1', tags=['Users'])
+
 
 @app.get('/health')
 def health() -> dict[str, str]:
diff --git a/app/services/user/routes.py b/app/services/user/routes.py
@@ -0,0 +1,44 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, status
+from fastapi.security import OAuth2PasswordRequestForm
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.database import get_session
+from app.core.exceptions import CredentialsError
+from app.core.security import create_access_token
+from app.services.user.models import User
+from app.services.user.schemas import Token, UserCreate, UserRead
+from app.services.user.service import UserService
+from app.shared.deps import get_current_user
+
+router_v1 = APIRouter()
+
+
+@router_v1.post('/users', status_code=status.HTTP_201_CREATED)
+async def create_user(
+    user_create: UserCreate, session: Annotated[AsyncSession, Depends(get_session)]
+) -> UserRead:
+    user = await UserService.create_user(session, user_create)
+    return UserRead.model_validate(user)
+
+
+@router_v1.post('/auth/token')
+async def login(
+    form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
+    session: Annotated[AsyncSession, Depends(get_session)],
+) -> Token:
+    user = await UserService.authenticate_user(
+        session, form_data.username, form_data.password
+    )
+    if not user:
+        raise CredentialsError()
+    access_token = create_access_token(data={'sub': str(user.email)})
+    return Token(access_token=access_token, token_type='bearer')
+
+
+@router_v1.get('/users/me')
+async def read_user_me(
+    current_user: Annotated[User, Depends(get_current_user)],
+) -> UserRead:
+    return UserRead.model_validate(current_user)
diff --git a/app/services/user/schemas.py b/app/services/user/schemas.py
@@ -0,0 +1,19 @@
+from uuid import UUID
+
+from pydantic import BaseModel, ConfigDict, EmailStr
+
+
+class UserCreate(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class UserRead(BaseModel):
+    model_config = ConfigDict(from_attributes=True)
+    id: UUID
+    email: EmailStr
+
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str
diff --git a/app/services/user/service.py b/app/services/user/service.py
@@ -0,0 +1,33 @@
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.exceptions import UserAlreadyExists
+from app.core.security import get_password_hash, verify_password
+from app.services.user.models import User
+from app.services.user.schemas import UserCreate
+
+
+class UserService:
+    @staticmethod
+    async def create_user(session: AsyncSession, user_create: UserCreate) -> User:
+        result = await session.execute(
+            select(User).where(User.email == user_create.email)
+        )
+        if result.scalar_one_or_none():
+            raise UserAlreadyExists
+        hashed_password = get_password_hash(user_create.password)
+        user = User(email=user_create.email, password_hash=hashed_password)
+        session.add(user)
+        await session.commit()
+        await session.refresh(user)
+        return user
+
+    @staticmethod
+    async def authenticate_user(
+        session: AsyncSession, email: str, password: str
+    ) -> User | None:
+        result = await session.execute(select(User).where(User.email == email))
+        user = result.scalar_one_or_none()
+        if not user or not verify_password(password, user.password_hash):
+            return None
+        return user
diff --git a/app/shared/deps.py b/app/shared/deps.py
@@ -0,0 +1,33 @@
+from typing import Annotated
+
+from fastapi import Depends
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import settings
+from app.core.database import get_session
+from app.core.exceptions import CredentialsError
+from app.core.security import ALGORITHM
+from app.services.user.models import User
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl='/api/v1/auth/token')
+
+
+async def get_current_user(
+    token: Annotated[str, Depends(oauth2_scheme)],
+    session: Annotated[AsyncSession, Depends(get_session)],
+) -> User:
+    try:
+        payload = jwt.decode(token, settings.secret_key, algorithms=[ALGORITHM])
+        email: str | None = payload.get('sub')
+        if email is None:
+            raise CredentialsError()
+        result = await session.execute(select(User).where(User.email == email))
+        user = result.scalar_one_or_none()
+        if user is None:
+            raise CredentialsError()
+        return user
+    except JWTError:
+        raise CredentialsError()
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -8,7 +8,7 @@ volumes:
 services:
   postgres:
     image: postgres:15-alpine
-    container_name: fairdrop-${DB_HOST}
+    container_name: ${DB_HOST}
     healthcheck:
       test: ['CMD', 'pg_isready', '-d', '${POSTGRES_DB}', '-U', '${POSTGRES_USER}']
       interval: 10s
@@ -23,7 +23,7 @@ services:
 
   redis:
     image: redis/redis-stack-server:latest
-    container_name: fairdrop-${REDIS_HOST}
+    container_name: ${REDIS_HOST}
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
       interval: 10s
@@ -38,7 +38,7 @@ services:
       
   s3:
     image: minio/minio:latest
-    container_name: fairdrop-${S3_HOST}
+    container_name: ${S3_HOST}
     command: server /data --console-address ':9001'
     healthcheck:
       test: ['CMD', 'curl', '-f', 'http://localhost:9000/minio/health/live']
@@ -74,7 +74,7 @@ services:
       
   gateway:
     image: nginx:alpine
-    container_name: fairdrop-${GATEWAY_HOST}
+    container_name: ${GATEWAY_HOST}
     healthcheck:
       test: ['CMD', 'curl', '-f', 'http://localhost:80/health']
       interval: 10s
diff --git a/pyproject.toml b/pyproject.toml
@@ -8,9 +8,10 @@ dependencies = [
     'alembic>=1.18.4',
     'arq>=0.27.0',
     'asyncpg>=0.31.0',
+    "bcrypt==3.2.2",
     'email-validator>=2.3.0',
     'fastapi>=0.129.0',
-    'passlib[bcrypt]>=1.7.4',
+    "passlib[bcrypt]==1.7.4",
     'prometheus-fastapi-instrumentator>=7.1.0',
     'pydantic-settings>=2.12.0',
     'python-jose[cryptography]>=3.5.0',
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`# FairDrop_draft`
	`2`	`+[![Workflow Status](https://github.com/codewithme-py/FairDrop/actions/workflows/ci.yaml/badge.svg)](https://github.com/codewithme-py/FairDrop/actions/workflows/ci.yaml)`