freeleaps-service-hub/apps/authentication/common/token/token_manager.py

from datetime import datetime, timedelta, timezone
import uuid
from typing import Dict, List
from jose import jwt, JWTError
from common.config.app_settings import app_settings
from fastapi import Depends, HTTPException
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

from common.constants.jwt_constants import USER_ROLE_NAMES, USER_PERMISSIONS


class CurrentUser:
    def __init__(self, user_id: str, user_role_names: List[str], user_permission_keys: List[str]):
        self.user_id = user_id
        self.user_role_names = user_role_names
        self.user_permission_keys = user_permission_keys

    def has_all_permissions(self, permissions: List[str]) -> bool:
        """Check if the user has all the specified permissions"""
        if not permissions:
            return True
        return all(p in self.user_permission_keys for p in permissions)

    def has_any_permissions(self, permissions: List[str]) -> bool:
        """Check if the user has at least one of the specified permissions"""
        if not permissions:
            return True
        return any(p in self.user_permission_keys for p in permissions)


security = HTTPBearer()


class TokenManager:
    def __init__(self):
        self.secret_key = app_settings.JWT_SECRET_KEY
        self.algorithm = app_settings.JWT_ALGORITHM
        self.access_token_expire_minutes = app_settings.ACCESS_TOKEN_EXPIRE_MINUTES
        self.refresh_token_expire_days = app_settings.REFRESH_TOKEN_EXPIRE_DAYS

    def create_access_token(self, subject: Dict[str, str]) -> str:
        """
        Generates an access token with a short expiration time.
        """
        expire = datetime.now(timezone.utc) + timedelta(
            minutes=self.access_token_expire_minutes
        )
        to_encode = {
            "exp": expire,
            "subject": subject,  # User identity information
            "type": "access",  # Indicate token type
        }
        return jwt.encode(to_encode, self.secret_key, algorithm=self.algorithm)

    def create_refresh_token(self, subject: Dict[str, str]) -> str:
        """
        Generates a refresh token with a longer expiration time.
        """
        expire = datetime.now(timezone.utc) + timedelta(
            days=self.refresh_token_expire_days
        )
        to_encode = {
            "exp": expire,
            "subject": subject,  # User identity information
            "type": "refresh",  # Indicate token type
            "jti": str(uuid.uuid4()),  # Unique identifier for the refresh token
        }
        return jwt.encode(to_encode, self.secret_key, algorithm=self.algorithm)

    def decode_token(self, token: str) -> Dict:
        """
        Decodes a JWT token and returns the payload.
        """
        try:
            payload = jwt.decode(token, self.secret_key, algorithms=[self.algorithm])
            return payload
        except JWTError:
            raise ValueError("Invalid token")

    def verify_refresh_token(self, token: str) -> bool:
        """
        Verifies a refresh token to ensure it is valid and not expired.
        """
        try:
            payload = self.decode_token(token)
            return True
        except ValueError:
            return False

    def refresh_access_token(self, refresh_token: str, subject: Dict[str, str]) -> str:
        """
        Verifies the refresh token and creates a new access token.
        """
        if self.verify_refresh_token(refresh_token):
            return self.create_access_token(subject)
        else:
            raise ValueError("Invalid refresh token")

    async def get_current_user(self, credentials: HTTPAuthorizationCredentials = Depends(security)) -> CurrentUser:
        """
        Returns the current user object for the given credentials.
        """
        try:
            payload = self.decode_token(credentials.credentials)
            user = payload.get("subject")
            if not user or "id" not in user:
                raise HTTPException(status_code=401, detail="Invalid authentication token")
            return CurrentUser(user.get("id"), user.get(USER_ROLE_NAMES), user.get(USER_PERMISSIONS))
        except JWTError:
            raise HTTPException(status_code=401, detail="Invalid authentication token")

    def has_all_permissions(self, permissions: List[str]):
        """Check if the user has all the specified permissions"""

        def inner_dependency(current_user: CurrentUser = Depends(self.get_current_user)):
            if not current_user.has_all_permissions(permissions):
                raise HTTPException(status_code=403, detail="Not allowed")
            return True

        return inner_dependency

    def has_any_permissions(self, permissions: List[str]):
        """Check if the user has at least one of the specified permissions"""

        def inner_dependency(current_user: CurrentUser = Depends(self.get_current_user)):
            if not current_user.has_any_permissions(permissions):
                raise HTTPException(status_code=403, detail="Not allowed")
            return True

        return inner_dependency