Initial travel knowledge graph release

2026-06-09 09:56:26 +08:00
commit 5f061295d8
402 changed files with 103877 additions and 0 deletions
--- a/app/auth.py
+++ b/app/auth.py
@@ -0,0 +1,58 @@
+"""JWT auth — DB-backed users, bcrypt password hashing, token + user dependency."""
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+
+from app import db
+from app.config import settings
+from app.security import verify_password
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v1/admin/auth/login")
+
+
+async def authenticate(username: str, password: str) -> dict | None:
+    """Validate credentials against the DB users table."""
+    user = await db.get_user_auth(username)
+    if not user:
+        return None
+    if user.get("status") != "active":
+        return None
+    if not verify_password(password, user.get("hashed_password") or ""):
+        return None
+    return {
+        "username": user["username"],
+        "full_name": user.get("full_name"),
+        "roles": list(user.get("roles") or []),
+    }
+
+
+def create_access_token(data: dict) -> str:
+    payload = data.copy()
+    payload["exp"] = datetime.now(timezone.utc) + timedelta(minutes=settings.auth_token_expire_minutes)
+    return jwt.encode(payload, settings.auth_secret, algorithm=settings.auth_algorithm)
+
+
+def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]) -> dict:
+    """Identity is reconstructed from JWT claims (sub + roles) — no per-request DB hit."""
+    credentials_exc = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, settings.auth_secret, algorithms=[settings.auth_algorithm])
+        username: str = payload.get("sub", "")
+        if not username:
+            raise credentials_exc
+    except JWTError:
+        raise credentials_exc
+
+    return {"username": username, "roles": list(payload.get("roles") or [])}
+
+
+CurrentUser = Annotated[dict, Depends(get_current_user)]