Build 2602260214: invites profiles and expiry admin controls

backend/app/auth.py

@@ -1,3 +1,4 @@
+from datetime import datetime, timezone
 from typing import Dict, Any
 
 from fastapi import Depends, HTTPException, status, Request
@@ -8,6 +9,21 @@ from .security import safe_decode_token, TokenError
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
 
+
+def _is_expired(expires_at: str | None) -> bool:
+    if not isinstance(expires_at, str) or not expires_at.strip():
+        return False
+    candidate = expires_at.strip()
+    if candidate.endswith("Z"):
+        candidate = candidate[:-1] + "+00:00"
+    try:
+        parsed = datetime.fromisoformat(candidate)
+    except ValueError:
+        return False
+    if parsed.tzinfo is None:
+        parsed = parsed.replace(tzinfo=timezone.utc)
+    return parsed <= datetime.now(timezone.utc)
+
 def _extract_client_ip(request: Request) -> str:
     forwarded = request.headers.get("x-forwarded-for")
     if forwarded:
@@ -37,6 +53,8 @@ def get_current_user(token: str = Depends(oauth2_scheme), request: Request = Non
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
     if user.get("is_blocked"):
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked")
+    if _is_expired(user.get("expires_at")):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User access has expired")
 
     if request is not None:
         ip = _extract_client_ip(request)
@@ -49,6 +67,9 @@ def get_current_user(token: str = Depends(oauth2_scheme), request: Request = Non
         "auth_provider": user.get("auth_provider", "local"),
         "jellyseerr_user_id": user.get("jellyseerr_user_id"),
         "auto_search_enabled": bool(user.get("auto_search_enabled", True)),
+        "profile_id": user.get("profile_id"),
+        "expires_at": user.get("expires_at"),
+        "is_expired": bool(user.get("is_expired", False)),
     }