personal-ai-assistant/backend/app/services/auth_service.py
dolgolyov.alexei 5c651b7988 Phase 9: OAuth & Account Switching — Google + Authentik, multi-account
Backend:
- OAuth service with pluggable provider architecture (Google + Authentik)
- Generic authorize/callback endpoints for any provider
- Authentik OIDC integration (configurable base URL)
- hashed_password made nullable for OAuth-only users
- Migration 009: nullable password column
- /auth/switch endpoint returns full AuthResponse for account switching
- OAuth-only users get clear error on password login attempt
- UserResponse includes oauth_provider + avatar_url

Frontend:
- OAuth buttons on login form (Google + Authentik)
- OAuth callback handler (/auth/callback route)
- Multi-account auth store (accounts array, addAccount, switchTo, removeAccount)
- Account switcher dropdown in header (hover to see other accounts)
- "Add another account" option
- English + Russian translations

Config:
- GOOGLE_CLIENT_ID/SECRET/REDIRECT_URI
- AUTHENTIK_CLIENT_ID/SECRET/BASE_URL/REDIRECT_URI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 15:56:20 +03:00


import uuid
from datetime import datetime, timedelta, timezone
from fastapi import HTTPException, status
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
from app.config import settings
from app.core.security import (
create_access_token,
generate_refresh_token,
hash_password,
hash_refresh_token,
verify_password,
)
from app.models.session import Session
from app.models.user import User
from app.schemas.auth import AuthResponse, RegisterRequest, TokenResponse, UserResponse
async def _create_session(
    db: AsyncSession,
    user: User,
    remember_me: bool,
    ip_address: str | None = None,
    device_info: str | None = None,
) -> tuple[str, str]:
    """Mint an access/refresh token pair and persist the refresh side as a Session row.

    The access token is whatever ``create_access_token`` derives from ``user.id``
    and ``user.role``; the refresh token is a fresh random secret that is stored
    only as ``hash_refresh_token(...)`` — the plaintext exists solely in the
    returned tuple and is never written to the database.

    Args:
        db: Async session. The new row is flushed here but NOT committed; the
            caller owns the transaction.
        user: Authenticated user the session belongs to.
        remember_me: True selects the long lifetime (``REFRESH_TOKEN_EXPIRE_DAYS``),
            False the short one (``REFRESH_TOKEN_EXPIRE_HOURS``).
        ip_address: Client address recorded on the row, if the caller supplies it.
        device_info: Client description (presumably a User-Agent) recorded on the
            row. It is untrusted input and nothing here bounds its length.

    Returns:
        ``(access_token, refresh_token)`` as plaintext strings.
    """
    # Access-token claims are fixed at mint time: a role change only takes
    # effect once the client refreshes (refresh_tokens re-reads the user).
    access = create_access_token(user.id, user.role)
    refresh = generate_refresh_token()

    lifetime = (
        timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
        if remember_me
        else timedelta(hours=settings.REFRESH_TOKEN_EXPIRE_HOURS)
    )
    expiry = datetime.now(timezone.utc) + lifetime

    db.add(
        Session(
            user_id=user.id,
            refresh_token_hash=hash_refresh_token(refresh),  # never store the plaintext
            device_info=device_info,
            ip_address=ip_address,
            expires_at=expiry,
        )
    )
    await db.flush()
    return access, refresh
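async def register_user(
    db: AsyncSession,
    data: RegisterRequest,
    ip_address: str | None = None,
    device_info: str | None = None,
) -> AuthResponse:
    """Create a password-backed user and log them straight in.

    Flow: reject if the email *or* username is already taken (409), read the
    ``default_max_chats`` setting, insert the User with a freshly hashed
    password, then open a short-lived session (``remember_me`` is always False
    for a fresh registration).

    Args:
        db: Async session. Rows are flushed, not committed; the caller owns the
            transaction.
        data: Validated registration payload (email, username, password, full_name).
        ip_address: Client address stored on the new session row, if known.
        device_info: Client description stored on the new session row, if known.

    Returns:
        AuthResponse with the public user view plus the access/refresh token pair.

    Raises:
        HTTPException 409: a user with the same email or username already exists.

    Security notes:
        - The existence check and the insert are not atomic (check-then-act):
          two concurrent registrations for the same email/username can both
          pass the check. A DB unique constraint is the real guard — presumably
          present on the users table; verify in the model/migration.
        - The 409 message does not say which of email/username collided, but
          the endpoint is still an enumeration oracle for both values.
        - Email matching is whatever the DB column's collation does; if it is
          case-sensitive, ``Foo@x`` and ``foo@x`` become distinct accounts.
          TODO confirm normalisation happens in RegisterRequest.
    """
    clash = await db.execute(
        select(User).where((User.email == data.email) | (User.username == data.username))
    )
    # Use first() rather than scalar_one_or_none(): the OR can legitimately match
    # two different rows (one owning the email, another the username), and
    # scalar_one_or_none() would raise MultipleResultsFound -> 500 instead of 409.
    if clash.scalars().first() is not None:
        raise HTTPException(
            status_code=status.HTTP_409_CONFLICT,
            detail="User with this email or username already exists",
        )

    # Function-scope import — presumably breaks an import cycle with setting_service.
    from app.services.setting_service import get_setting_value

    default_max_chats = await get_setting_value(db, "default_max_chats", 10)

    new_user = User(
        email=data.email,
        username=data.username,
        hashed_password=hash_password(data.password),  # plaintext is never stored
        full_name=data.full_name,
        max_chats=int(default_max_chats),
    )
    db.add(new_user)
    # Flush so the user has its primary key before the session row references it
    # (presumably a DB-generated id).
    await db.flush()

    access, refresh = await _create_session(
        db, new_user, remember_me=False, ip_address=ip_address, device_info=device_info
    )
    return AuthResponse(
        user=UserResponse.model_validate(new_user),
        access_token=access,
        refresh_token=refresh,
    )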
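async def login_user(
    db: AsyncSession,
    email: str,
    password: str,
    remember_me: bool = False,
    ip_address: str | None = None,
    device_info: str | None = None,
) -> AuthResponse:
    """Authenticate with email + password and open a new session.

    Args:
        db: Async session; the new Session row is flushed, not committed.
        email: Login identifier, matched against ``User.email`` as-is (no
            normalisation here — whatever the DB collation does).
        password: Plaintext password from the request body.
        remember_me: Selects the long refresh-token lifetime (see _create_session).
        ip_address: Client address recorded on the session row, if known.
        device_info: Client description recorded on the session row, if known.

    Returns:
        AuthResponse with the public user view and the access/refresh token pair.

    Raises:
        HTTPException 401: unknown email, wrong password, or an OAuth-only account
            (``hashed_password`` is NULL) trying to log in with a password.
        HTTPException 403: credentials are correct but ``is_active`` is False.

    Security notes:
        - The "OAuth login" message is a deliberate UX choice from the OAuth
          rollout, but it confirms that the email is registered *and* which
          auth method it uses. If account enumeration matters for this
          deployment, collapse it into the generic 401 message.
        - The deactivated check runs only after the password verified, so an
          attacker without the password cannot learn that an account is disabled.
    """
    result = await db.execute(select(User).where(User.email == email))
    user = result.scalar_one_or_none()

    if user is None or not user.hashed_password:
        # Nothing to verify against. Still spend one password-hash worth of work
        # so "no such email" takes about as long as a real failed verification;
        # otherwise the early exit is a timing oracle for account enumeration.
        # Assumes hash_password and verify_password share a work factor
        # (bcrypt/argon2 style) — confirm in app.core.security.
        hash_password(password)
        if user is None:
            detail = "Invalid email or password"
        else:
            detail = "This account uses OAuth login. Please sign in with your provider."
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=detail)

    if not verify_password(password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid email or password",
        )

    if not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Account is deactivated",
        )

    access, refresh = await _create_session(db, user, remember_me, ip_address, device_info)
    return AuthResponse(
        user=UserResponse.model_validate(user),
        access_token=access,
        refresh_token=refresh,
    )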
async def refresh_tokens(db: AsyncSession, refresh_token: str) -> TokenResponse:
    """Exchange a valid refresh token for a new access token, rotating the refresh token.

    Lookup is by ``hash_refresh_token(refresh_token)``; the plaintext is never
    stored, so a database leak does not yield usable refresh tokens. On success
    the Session row's hash is overwritten with a new random token — the old
    token is invalid from this point on. ``expires_at`` is NOT extended:
    rotation keeps the absolute lifetime chosen at login.

    Args:
        db: Async session. The row mutation and any deletes are not committed here.
        refresh_token: Plaintext refresh token presented by the client.

    Returns:
        TokenResponse with a new access token and the new refresh token.

    Raises:
        HTTPException 401: unknown token, expired session, or the owning user is
            missing / deactivated. Expired and orphaned rows are deleted on the
            way out.

    Security notes:
        - No reuse detection: presenting an already-rotated token is just
          "Invalid refresh token"; nothing here revokes the user's other
          sessions, so a stolen-then-rotated token is not detectable from here.
        - The deletes before ``raise`` only stick if the request's DB session is
          committed despite the HTTPException — NOTE(review): confirm the session
          dependency does not roll back on error, else expired rows accumulate.
        - ``expires_at < now(UTC)`` needs a timezone-aware column; a naive value
          would raise TypeError here (TODO confirm the model).
    """
    presented_hash = hash_refresh_token(refresh_token)
    lookup = await db.execute(
        select(Session).where(Session.refresh_token_hash == presented_hash)
    )
    sess = lookup.scalar_one_or_none()
    if sess is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid refresh token",
        )

    now = datetime.now(timezone.utc)
    if sess.expires_at < now:
        await db.delete(sess)
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Refresh token expired",
        )

    owner_lookup = await db.execute(select(User).where(User.id == sess.user_id))
    owner = owner_lookup.scalar_one_or_none()
    if owner is None or not owner.is_active:
        await db.delete(sess)
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="User not found or inactive",
        )

    # Rotate: the presented token is burned, the client gets a fresh secret.
    replacement = generate_refresh_token()
    sess.refresh_token_hash = hash_refresh_token(replacement)

    # Re-reading the user above means role changes propagate on refresh.
    return TokenResponse(
        access_token=create_access_token(owner.id, owner.role),
        refresh_token=replacement,
    )
async def logout_user(db: AsyncSession, refresh_token: str) -> None:
    """Revoke the session identified by ``refresh_token``.

    Only the refresh side is revoked: the matching Session row is deleted, so
    the token can no longer be exchanged. Nothing in this service denylists an
    already-issued access token; it remains usable until its own expiry.

    Args:
        db: Async session; the delete is not committed here.
        refresh_token: Plaintext refresh token; matched via its hash.

    Idempotent by design: an unknown or already-revoked token is silently
    ignored rather than reported, so logout is not an oracle for token validity.
    """
    presented_hash = hash_refresh_token(refresh_token)
    lookup = await db.execute(
        select(Session).where(Session.refresh_token_hash == presented_hash)
    )
    row = lookup.scalar_one_or_none()
    if row is not None:
        await db.delete(row)