from typing import Dict, Any from fastapi import Depends, HTTPException, status, Request from fastapi.security import OAuth2PasswordBearer from .db import get_user_by_username, upsert_user_activity from .security import safe_decode_token, TokenError oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login") def _extract_client_ip(request: Request) -> str: forwarded = request.headers.get("x-forwarded-for") if forwarded: parts = [part.strip() for part in forwarded.split(",") if part.strip()] if parts: return parts[0] real_ip = request.headers.get("x-real-ip") if real_ip: return real_ip.strip() if request.client and request.client.host: return request.client.host return "unknown" def get_current_user(token: str = Depends(oauth2_scheme), request: Request = None) -> Dict[str, Any]: try: payload = safe_decode_token(token) except TokenError as exc: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token") from exc username = payload.get("sub") if not username: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token subject") user = get_user_by_username(username) if not user: raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found") if user.get("is_blocked"): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User is blocked") if request is not None: ip = _extract_client_ip(request) user_agent = request.headers.get("user-agent", "unknown") upsert_user_activity(user["username"], ip, user_agent) return { "username": user["username"], "role": user["role"], "auth_provider": user.get("auth_provider", "local"), } def require_admin(user: Dict[str, Any] = Depends(get_current_user)) -> Dict[str, Any]: if user.get("role") != "admin": raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required") return user