root/daily-briefing
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
daily-briefing/server/auth.py
Sam c15176bff4 fix: replace passlib with direct bcrypt to fix password hashing crash 
passlib 1.7.4 is incompatible with bcrypt>=4.1, causing a ValueError
during internal bug detection. Using bcrypt directly avoids this.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 16:20:36 +01:00

71 lines
2.2 KiB
Python
Raw Blame History

"""JWT authentication for admin routes."""
from __future__ import annotations
import logging
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional
import bcrypt
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from jose import JWTError, jwt
logger = logging.getLogger(__name__)
JWT_SECRET = os.getenv("JWT_SECRET") or secrets.token_urlsafe(32)
JWT_ALGORITHM = "HS256"
JWT_EXPIRE_HOURS = 24
bearer_scheme = HTTPBearer(auto_error=False)
def hash_password(password: str) -> str:
"""Hash a plain-text password with bcrypt."""
return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
def verify_password(plain: str, hashed: str) -> bool:
"""Verify a plain-text password against its bcrypt hash."""
return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
def create_access_token(subject: str) -> str:
"""Create a JWT access token for the given subject (username)."""
expire = datetime.now(timezone.utc) + timedelta(hours=JWT_EXPIRE_HOURS)
return jwt.encode(
{"sub": subject, "exp": expire},
JWT_SECRET,
algorithm=JWT_ALGORITHM,
)
async def require_admin(
credentials: Optional[HTTPAuthorizationCredentials] = Depends(bearer_scheme),
) -> str:
"""FastAPI dependency that validates the JWT and returns the username.
Use as: ``admin_user: str = Depends(require_admin)``
"""
if credentials is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentication required",
headers={"WWW-Authenticate": "Bearer"},
)
token = credentials.credentials
try:
payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
username: Optional[str] = payload.get("sub")
if username is None:
raise HTTPException(status_code=401, detail="Invalid token payload")
return username
except JWTError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid or expired token",
headers={"WWW-Authenticate": "Bearer"},
)
Reference in a new issue View git blame Copy permalink