base-auth

src/server/utils/auth.py

@@ -1,94 +1,92 @@
 import jwt
 from datetime import datetime, timedelta
-from pydantic import BaseModel, Field, field_validator
-
 from fastapi.security import OAuth2PasswordBearer
 from fastapi import HTTPException, status, Depends
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from pydantic_settings import BaseSettings
-from config.logging_config import logger  # Assuming this is available
-from typing import Optional
+from config.logging_config import logger
 
-# Centralized Settings class (can be moved to a separate config file later)
 class Settings(BaseSettings):
-    api_key_secret: str = Field(..., env="API_KEY_SECRET")  # Secret key for signing JWTs
-    token_expiration_minutes: int = Field(30, env="TOKEN_EXPIRATION_MINUTES")  # Default to 30 minutes
+    api_key_secret: str = Field(..., env="API_KEY_SECRET")
+    token_expiration_minutes: int = Field(30, env="TOKEN_EXPIRATION_MINUTES")
     llm_model_name: str = "google/gemma-3-4b-it"
     max_tokens: int = 512
     host: str = "0.0.0.0"
     port: int = 7860
     chat_rate_limit: str = "100/minute"
     speech_rate_limit: str = "5/minute"
+    external_tts_url: str = Field(..., env="EXTERNAL_TTS_URL")
+    external_asr_url: str = Field(..., env="EXTERNAL_ASR_URL")
+    external_text_gen_url: str = Field(..., env="EXTERNAL_TEXT_GEN_URL")
+    external_audio_proc_url: str = Field(..., env="EXTERNAL_AUDIO_PROC_URL")
 
     class Config:
         env_file = ".env"
         env_file_encoding = "utf-8"
 
 settings = Settings()
-logger.info(f"Loaded API_KEY_SECRET at startup: {settings.api_key_secret}")  # Add this line
+logger.info(f"Loaded API_KEY_SECRET at startup: {settings.api_key_secret}")
 
-# OAuth2 scheme with Bearer token
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v1/token")
 
-# Model for token payload
 class TokenPayload(BaseModel):
-    sub: str  # Subject (user identifier)
-    exp: int  # Expiration timestamp
+    sub: str
+    exp: float
 
-# Model for token response
 class TokenResponse(BaseModel):
     access_token: str
     token_type: str
 
 async def create_access_token(user_id: str) -> str:
-    """
-    Create a JWT access token for a given user.
-    """
     expire = datetime.utcnow() + timedelta(minutes=settings.token_expiration_minutes)
     payload = {"sub": user_id, "exp": expire.timestamp()}
-    logger.info(f"Signing token with API_KEY_SECRET: {settings.api_key_secret}")  # Add this line
+    logger.info(f"Signing token with API_KEY_SECRET: {settings.api_key_secret}")
     token = jwt.encode(payload, settings.api_key_secret, algorithm="HS256")
     logger.info(f"Generated access token for user: {user_id}")
     return token
 
 async def get_current_user(token: str = Depends(oauth2_scheme)) -> str:
-    """
-    Validate the Bearer token and return the user ID.
-    """
     credentials_exception = HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
         detail="Invalid authentication credentials",
         headers={"WWW-Authenticate": "Bearer"},
     )
-    
     try:
-        logger.info(f"Verifying token with API_KEY_SECRET: {settings.api_key_secret}")  # Add this line
-        payload = jwt.decode(token, settings.api_key_secret, algorithms=["HS256"])
+        logger.info(f"Received token: {token}")
+        logger.info(f"Verifying token with API_KEY_SECRET: {settings.api_key_secret}")
+        # Decode with expiration verification disabled to avoid PyJWT bug
+        payload = jwt.decode(token, settings.api_key_secret, algorithms=["HS256"], options={"verify_exp": False})
+        logger.info(f"Decoded payload: {payload}")
         token_data = TokenPayload(**payload)
         user_id = token_data.sub
+        
         if user_id is None:
+            logger.warning("Token has no 'sub' claim")
             raise credentials_exception
-        if datetime.utcnow().timestamp() > token_data.exp:
+        
+        # Manual expiration check
+        current_time = datetime.utcnow().timestamp()
+        logger.info(f"Current time: {current_time}, Token exp: {token_data.exp}")
+        if current_time > token_data.exp:
+            logger.warning(f"Token expired: current_time={current_time}, exp={token_data.exp}")
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
                 detail="Token has expired",
                 headers={"WWW-Authenticate": "Bearer"},
             )
+        
         logger.info(f"Validated token for user: {user_id}")
         return user_id
-    except jwt.InvalidTokenError:
-        logger.warning(f"Invalid token attempt: {token[:10]}...")
+    except jwt.InvalidSignatureError as e:
+        logger.error(f"Invalid signature error: {str(e)}")
+        raise credentials_exception
+    except jwt.InvalidTokenError as e:
+        logger.error(f"Other token error: {str(e)}")
         raise credentials_exception
     except Exception as e:
-        logger.error(f"Token validation error: {str(e)}")
+        logger.error(f"Unexpected token validation error: {str(e)}")
         raise credentials_exception
 
-# For demonstration purposes, a simple login function
-# In production, replace with proper user authentication (e.g., database lookup)
 async def login(user_id: str) -> TokenResponse:
-    """
-    Generate a token for a user. In production, validate credentials here.
-    """
-    # Placeholder: Assume user_id is valid; in reality, check against a database
     token = await create_access_token(user_id=user_id)
     return TokenResponse(access_token=token, token_type="bearer")