congsh/rssWorkFlow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba6e7669e8e166143109555669ffc7bb710fc311
rssWorkFlow/backend/app/core/auth.py
T

103 lines
3.3 KiB
Python
Raw Normal View History

Initial commit: RSS platform phase 1 skeleton with code review fixes
2026-06-15 17:01:57 +08:00
"""Authentication and authorization utilities."""
from datetime import datetime, timedelta, timezone
from typing import Any
from uuid import uuid4
from jose import JWTError, jwt
from passlib.context import CryptContext
from app.core.config import settings
from app.core.redis import get_redis
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
ALGORITHM = "HS256"
TOKEN_TYPE_ACCESS = "access"
TOKEN_TYPE_REFRESH = "refresh"
# Redis key for revoked JWT jti set
REVOKED_JTIS_KEY = "auth:revoked_jtis"
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""Verify a plain password against a hash."""
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password: str) -> str:
"""Hash a password."""
return pwd_context.hash(password)
def _create_token(data: dict[str, Any], expires_delta: timedelta, token_type: str) -> tuple[str, str]:
"""Create a JWT with jti/type claims. Returns (token, jti)."""
jti = str(uuid4())
to_encode = data.copy()
expire = datetime.now(timezone.utc) + expires_delta
to_encode.update({
"exp": expire,
"iat": datetime.now(timezone.utc),
"jti": jti,
"type": token_type,
})
encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt, jti
def create_access_token(sub: str, role: str | None = None) -> tuple[str, str]:
"""Create a short-lived JWT access token. Returns (token, jti)."""
data: dict[str, Any] = {"sub": sub}
if role is not None:
data["role"] = role
return _create_token(
data,
timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES),
TOKEN_TYPE_ACCESS,
)
def create_refresh_token(sub: str) -> tuple[str, str]:
"""Create a long-lived JWT refresh token. Returns (token, jti)."""
return _create_token(
{"sub": sub},
timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS),
TOKEN_TYPE_REFRESH,
)
def decode_token(token: str, expected_type: str = TOKEN_TYPE_ACCESS) -> dict[str, Any]:
"""Decode and validate a JWT token, checking type claim."""
try:
payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[ALGORITHM])
except JWTError as exc:
raise ValueError("Invalid token") from exc
token_type = payload.get("type")
if token_type != expected_type:
raise ValueError(f"Invalid token type: expected {expected_type}, got {token_type}")
if "sub" not in payload or "jti" not in payload:
raise ValueError("Invalid token payload")
return payload
async def is_token_revoked(jti: str) -> bool:
"""Check whether a token jti has been revoked."""
redis = await get_redis()
if redis is None:
# Without Redis we cannot reliably maintain a revocation list.
return False
return await redis.sismember(REVOKED_JTIS_KEY, jti)
async def revoke_token(jti: str, expires_at: datetime) -> None:
"""Revoke a token by its jti with TTL matching token expiry."""
redis = await get_redis()
if redis is None:
return
ttl_seconds = int((expires_at - datetime.now(timezone.utc)).total_seconds())
if ttl_seconds > 0:
await redis.sadd(REVOKED_JTIS_KEY, jti)
await redis.expire(REVOKED_JTIS_KEY, ttl_seconds)
Reference in New Issue Copy Permalink