AWS-Panel/backend/api/deps.py

from dataclasses import dataclass
from typing import Iterable, Optional

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.orm import selectinload

from backend.core.security import decode_token
from backend.db.session import get_session
from backend.modules.users.models import RoleName, User

security = HTTPBearer(auto_error=False)


@dataclass
class AuthUser:
    user: User
    role_name: str
    customer_id: Optional[int]
    token: str


async def get_current_user(
    credentials: HTTPAuthorizationCredentials = Depends(security),
    session: AsyncSession = Depends(get_session),
) -> AuthUser:
    if credentials is None:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
    try:
        payload = decode_token(credentials.credentials)
    except ValueError:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
    user_id = payload.get("sub")
    if not user_id:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token payload")

    user = await session.scalar(
        select(User).where(User.id == int(user_id)).options(selectinload(User.role), selectinload(User.customer))
    )
    if not user:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
    if not user.is_active:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User disabled")

    role_name = payload.get("role") or (user.role.name if user.role else "")
    return AuthUser(user=user, role_name=role_name, customer_id=user.customer_id, token=credentials.credentials)


def require_roles(roles: Iterable[RoleName]):
    allowed = {r.value for r in roles}

    async def dependency(auth_user: AuthUser = Depends(get_current_user)) -> AuthUser:
        if auth_user.role_name not in allowed:
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Insufficient role")
        return auth_user

    return dependency


def require_admin(auth_user: AuthUser = Depends(require_roles([RoleName.ADMIN]))) -> AuthUser:
    return auth_user
Initial commit 2025-12-10 12:02:17 +08:00			`from dataclasses import dataclass`
			`from typing import Iterable, Optional`

			`from fastapi import Depends, HTTPException, status`
			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`
			`from sqlalchemy import select`
			`from sqlalchemy.ext.asyncio import AsyncSession`
			`from sqlalchemy.orm import selectinload`

			`from backend.core.security import decode_token`
			`from backend.db.session import get_session`
			`from backend.modules.users.models import RoleName, User`

			`security = HTTPBearer(auto_error=False)`


			`@dataclass`
			`class AuthUser:`
			`user: User`
			`role_name: str`
			`customer_id: Optional[int]`
			`token: str`


			`async def get_current_user(`
			`credentials: HTTPAuthorizationCredentials = Depends(security),`
			`session: AsyncSession = Depends(get_session),`
			`) -> AuthUser:`
			`if credentials is None:`
			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")`
			`try:`
			`payload = decode_token(credentials.credentials)`
			`except ValueError:`
			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")`
			`user_id = payload.get("sub")`
			`if not user_id:`
			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token payload")`

			`user = await session.scalar(`
			`select(User).where(User.id == int(user_id)).options(selectinload(User.role), selectinload(User.customer))`
			`)`
			`if not user:`
			`raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")`
			`if not user.is_active:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User disabled")`

			`role_name = payload.get("role") or (user.role.name if user.role else "")`
			`return AuthUser(user=user, role_name=role_name, customer_id=user.customer_id, token=credentials.credentials)`


			`def require_roles(roles: Iterable[RoleName]):`
			`allowed = {r.value for r in roles}`

			`async def dependency(auth_user: AuthUser = Depends(get_current_user)) -> AuthUser:`
			`if auth_user.role_name not in allowed:`
			`raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Insufficient role")`
			`return auth_user`

			`return dependency`


			`def require_admin(auth_user: AuthUser = Depends(require_roles([RoleName.ADMIN]))) -> AuthUser:`
			`return auth_user`