from typing import Optional from fastapi import Depends, HTTPException, status from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy import select from uuid import UUID from app.database import get_db from app.core.security import decode_token from app.core.permissions import UserRole, has_permission from app.models.user import User from app.models.tenant import Tenant security = HTTPBearer() async def get_current_user( credentials: HTTPAuthorizationCredentials = Depends(security), db: AsyncSession = Depends(get_db) ) -> User: token = credentials.credentials payload = decode_token(token) if payload is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication token", headers={"WWW-Authenticate": "Bearer"}, ) if payload.get("type") != "access": raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token type", ) user_id = payload.get("sub") if user_id is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token payload", ) result = await db.execute(select(User).where(User.id == UUID(user_id))) user = result.scalar_one_or_none() if user is None: raise HTTPException( status_code=status.HTTP_404_NOT_FOUND, detail="User not found", ) if not user.is_active: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="User is inactive", ) return user async def get_current_active_user( current_user: User = Depends(get_current_user) ) -> User: if not current_user.is_active: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Inactive user" ) return current_user def require_permission(permission: str): async def permission_checker( current_user: User = Depends(get_current_user) ) -> User: if not has_permission(UserRole(current_user.role), permission): raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail=f"Permission denied: {permission}" ) return current_user return permission_checker def require_super_admin(): async def role_checker( current_user: User = Depends(get_current_user) ) -> User: if current_user.role != UserRole.SUPER_ADMIN.value: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Super admin access required" ) return current_user return role_checker def require_tenant_admin_or_above(): async def role_checker( current_user: User = Depends(get_current_user) ) -> User: if current_user.role not in [UserRole.SUPER_ADMIN.value, UserRole.TENANT_ADMIN.value]: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Tenant admin access required" ) return current_user return role_checker async def get_tenant_for_user( current_user: User = Depends(get_current_user), db: AsyncSession = Depends(get_db) ) -> Optional[Tenant]: if current_user.role == UserRole.SUPER_ADMIN.value: return None # Super admin can access all tenants if current_user.tenant_id is None: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="User not assigned to a tenant" ) result = await db.execute(select(Tenant).where(Tenant.id == current_user.tenant_id)) tenant = result.scalar_one_or_none() if tenant is None or not tenant.is_active: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Tenant not found or inactive" ) return tenant