163 lines
6.0 KiB
Python
163 lines
6.0 KiB
Python
"""
|
|
API endpoints for user management and session handling.
|
|
|
|
This module contains all the HTTP API endpoints for:
|
|
- User information retrieval
|
|
- User credentials management
|
|
- Session token validation and refresh
|
|
- Login/logout functionality
|
|
"""
|
|
|
|
from uuid import UUID
|
|
|
|
from fastapi import Cookie, Depends, FastAPI, Response
|
|
from fastapi.security import HTTPBearer
|
|
|
|
from passkey.util import passphrase
|
|
|
|
from .. import aaguid
|
|
from ..authsession import delete_credential, get_reset, get_session
|
|
from ..globals import db
|
|
from ..util.tokens import session_key
|
|
from . import session
|
|
|
|
bearer_auth = HTTPBearer(auto_error=True)
|
|
|
|
|
|
def register_api_routes(app: FastAPI):
|
|
"""Register all API routes on the FastAPI app."""
|
|
|
|
@app.post("/auth/validate")
|
|
async def validate_token(response: Response, auth=Cookie(None)):
|
|
"""Lightweight token validation endpoint."""
|
|
s = await get_session(auth)
|
|
return {
|
|
"valid": True,
|
|
"user_uuid": str(s.user_uuid),
|
|
}
|
|
|
|
@app.post("/auth/user-info")
|
|
async def api_user_info(response: Response, auth=Cookie(None)):
|
|
"""Get full user information for the authenticated user."""
|
|
reset = passphrase.is_well_formed(auth)
|
|
s = await (get_reset if reset else get_session)(auth)
|
|
# Session context (org, role, permissions)
|
|
ctx = await db.instance.get_session_context(session_key(auth))
|
|
# Fallback if context not available (e.g., reset session)
|
|
u = await db.instance.get_user_by_uuid(s.user_uuid)
|
|
# Get all credentials for the user
|
|
credential_ids = await db.instance.get_credentials_by_user_uuid(s.user_uuid)
|
|
|
|
credentials = []
|
|
user_aaguids = set()
|
|
|
|
for cred_id in credential_ids:
|
|
c = await db.instance.get_credential_by_id(cred_id)
|
|
|
|
# Convert AAGUID to string format
|
|
aaguid_str = str(c.aaguid)
|
|
user_aaguids.add(aaguid_str)
|
|
|
|
# Check if this is the current session credential
|
|
is_current_session = s.credential_uuid == c.uuid
|
|
|
|
credentials.append(
|
|
{
|
|
"credential_uuid": str(c.uuid),
|
|
"aaguid": aaguid_str,
|
|
"created_at": c.created_at.isoformat(),
|
|
"last_used": c.last_used.isoformat() if c.last_used else None,
|
|
"last_verified": c.last_verified.isoformat()
|
|
if c.last_verified
|
|
else None,
|
|
"sign_count": c.sign_count,
|
|
"is_current_session": is_current_session,
|
|
}
|
|
)
|
|
|
|
# Get AAGUID information for only the AAGUIDs that the user has
|
|
aaguid_info = aaguid.filter(user_aaguids)
|
|
|
|
# Sort credentials by creation date (earliest first, most recently created last)
|
|
credentials.sort(key=lambda cred: cred["created_at"])
|
|
|
|
# Permissions and roles
|
|
role_info = None
|
|
org_info = None
|
|
effective_permissions = []
|
|
is_global_admin = False
|
|
is_org_admin = False
|
|
if ctx:
|
|
role_info = {
|
|
"uuid": str(ctx.role.uuid),
|
|
"display_name": ctx.role.display_name,
|
|
"permissions": ctx.role.permissions, # IDs
|
|
}
|
|
org_info = {
|
|
"uuid": str(ctx.org.uuid),
|
|
"display_name": ctx.org.display_name,
|
|
"permissions": ctx.org.permissions, # IDs the org can grant
|
|
}
|
|
# Effective permissions are role permissions; API also returns full objects for convenience
|
|
effective_permissions = [p.id for p in (ctx.permissions or [])]
|
|
is_global_admin = "auth/admin" in role_info["permissions"]
|
|
# org admin permission is auth/org:<org_uuid>
|
|
is_org_admin = (
|
|
f"auth/org:{org_info['uuid']}" in role_info["permissions"]
|
|
if org_info
|
|
else False
|
|
)
|
|
|
|
return {
|
|
"authenticated": not reset,
|
|
"session_type": s.info["type"],
|
|
"user": {
|
|
"user_uuid": str(u.uuid),
|
|
"user_name": u.display_name,
|
|
"created_at": u.created_at.isoformat() if u.created_at else None,
|
|
"last_seen": u.last_seen.isoformat() if u.last_seen else None,
|
|
"visits": u.visits,
|
|
},
|
|
"org": org_info,
|
|
"role": role_info,
|
|
"permissions": effective_permissions,
|
|
"is_global_admin": is_global_admin,
|
|
"is_org_admin": is_org_admin,
|
|
"credentials": credentials,
|
|
"aaguid_info": aaguid_info,
|
|
}
|
|
|
|
@app.post("/auth/logout")
|
|
async def api_logout(response: Response, auth=Cookie(None)):
|
|
"""Log out the current user by clearing the session cookie and deleting from database."""
|
|
if not auth:
|
|
return {"message": "Already logged out"}
|
|
# Remove from database if possible
|
|
try:
|
|
await db.instance.delete_session(session_key(auth))
|
|
except Exception:
|
|
...
|
|
response.delete_cookie("auth")
|
|
return {"message": "Logged out successfully"}
|
|
|
|
@app.post("/auth/set-session")
|
|
async def api_set_session(response: Response, auth=Depends(bearer_auth)):
|
|
"""Set session cookie from Authorization header. Fetched after login by WebSocket."""
|
|
user = await get_session(auth.credentials)
|
|
if not user:
|
|
raise ValueError("Invalid Authorization header.")
|
|
session.set_session_cookie(response, auth.credentials)
|
|
|
|
return {
|
|
"message": "Session cookie set successfully",
|
|
"user_uuid": str(user.user_uuid),
|
|
}
|
|
|
|
@app.delete("/auth/credential/{uuid}")
|
|
async def api_delete_credential(
|
|
response: Response, uuid: UUID, auth: str = Cookie(None)
|
|
):
|
|
"""Delete a specific credential for the current user."""
|
|
await delete_credential(uuid, auth)
|
|
return {"message": "Credential deleted successfully"}
|