add-new table

src/server/main.py

@@ -184,13 +184,15 @@ async def refresh(credentials: HTTPAuthorizationCredentials = Depends(bearer_sch
 
 @app.post("/v1/register", 
           response_model=TokenResponse,
-          summary="Register New User (Admin)",
-          description="Create a new user account and return an access token and refresh token. Requires admin access (use 'admin' user with password 'admin54321' initially).",
+          summary="Register New User (Admin Only)",
+          description="Create a new user account in the `users` table. Only admin accounts can register new users (use 'admin' user with password 'admin54321' initially). Non-admin users are forbidden from modifying the users table.",
           tags=["Authentication"],
           responses={
               200: {"description": "User registered successfully", "model": TokenResponse},
               400: {"description": "Username already exists"},
-              403: {"description": "Admin access required"}
+              401: {"description": "Unauthorized - Valid admin token required"},
+              403: {"description": "Forbidden - Admin access required"},
+              500: {"description": "Registration failed due to server error"}
           })
 async def register_user(
     register_request: RegisterRequest,
@@ -201,7 +203,7 @@ async def register_user(
 @app.post("/v1/app/register",
           response_model=TokenResponse,
           summary="Register New App User",
-          description="Create a new user account for the mobile app using an encrypted email and device token. Returns an access token and refresh token. Rate limited to 5 requests per minute per IP. Requires X-Session-Key header.",
+          description="Create a new user account for the mobile app in the `app_users` table using an encrypted email and device token. Returns an access token and refresh token. Rate limited to 5 requests per minute per IP. Requires X-Session-Key header.",
           tags=["Authentication"],
           responses={
               200: {"description": "User registered successfully", "model": TokenResponse},

src/server/utils/auth.py

@@ -21,6 +21,7 @@ engine = create_engine(DATABASE_URL, connect_args={"check_same_thread": False})
 Base = declarative_base()
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 
+# Model for admin-related users
 class User(Base):
     __tablename__ = "users"
     username = Column(String, primary_key=True, index=True)
@@ -28,6 +29,13 @@ class User(Base):
     is_admin = Column(Boolean, default=False)
     session_key = Column(String, nullable=True)  # Stores base64-encoded session key
 
+# Model for app users
+class AppUser(Base):
+    __tablename__ = "app_users"
+    username = Column(String, primary_key=True, index=True)
+    password = Column(String)  # Stores hashed passwords
+    session_key = Column(String, nullable=True)  # Stores base64-encoded session key
+
 # Ensure the /data directory exists
 os.makedirs(os.path.dirname(DATABASE_PATH), exist_ok=True)
 
@@ -61,7 +69,7 @@ class Settings(BaseSettings):
 
 settings = Settings()
 
-# Seed initial data
+# Seed initial data for users table only
 def seed_initial_data():
     db = SessionLocal()
     try:
@@ -142,9 +150,11 @@ async def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(b
         user_id = token_data.sub
         
         db = SessionLocal()
+        # Check both users and app_users tables
         user = db.query(User).filter_by(username=user_id).first()
+        app_user = db.query(AppUser).filter_by(username=user_id).first()
         db.close()
-        if user_id is None or not user:
+        if user_id is None or (not user and not app_user):
             logger.warning(f"Invalid or unknown user: {user_id}")
             raise credentials_exception
         
@@ -170,14 +180,41 @@ async def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(b
         raise credentials_exception
 
 async def get_current_user_with_admin(credentials: HTTPAuthorizationCredentials = Depends(bearer_scheme)) -> str:
-    user_id = await get_current_user(credentials)
-    db = SessionLocal()
-    user = db.query(User).filter_by(username=user_id).first()
-    db.close()
-    if not user or not user.is_admin:
-        logger.warning(f"User {user_id} is not authorized as admin")
-        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required")
-    return user_id
+    token = credentials.credentials
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid authentication credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, settings.api_key_secret, algorithms=["HS256"])
+        token_data = TokenPayload(**payload)
+        user_id = token_data.sub
+        
+        db = SessionLocal()
+        user = db.query(User).filter_by(username=user_id).first()
+        db.close()
+        if not user:
+            logger.warning(f"User not found in users table: {user_id}")
+            raise credentials_exception
+        if not user.is_admin:
+            logger.warning(f"User {user_id} is not authorized as admin")
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Admin access required; only admin accounts can perform this action"
+            )
+        
+        logger.info(f"Validated admin user: {user_id}")
+        return user_id
+    except jwt.InvalidSignatureError as e:
+        logger.error(f"Invalid signature error: {str(e)}")
+        raise credentials_exception
+    except jwt.InvalidTokenError as e:
+        logger.error(f"Other token error: {str(e)}")
+        raise credentials_exception
+    except Exception as e:
+        logger.error(f"Unexpected admin validation error: {str(e)}")
+        raise credentials_exception
 
 async def login(login_request: LoginRequest, session_key_b64: str) -> TokenResponse:
     db = SessionLocal()
@@ -189,14 +226,23 @@ async def login(login_request: LoginRequest, session_key_b64: str) -> TokenRespo
         db.close()
         raise HTTPException(status_code=400, detail="Invalid encrypted data")
     
+    # Check both users and app_users tables
     user = db.query(User).filter_by(username=username).first()
-    if not user or not pwd_context.verify(password, user.password):
+    app_user = db.query(AppUser).filter_by(username=username).first()
+    
+    if not user and not app_user:
+        db.close()
+        logger.warning(f"Login failed for user: {username}")
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or device token")
+    
+    target_user = user if user else app_user
+    if not pwd_context.verify(password, target_user.password):
         db.close()
         logger.warning(f"Login failed for user: {username}")
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or device token")
     
-    if user.session_key != session_key_b64:
-        user.session_key = session_key_b64
+    if target_user.session_key != session_key_b64:
+        target_user.session_key = session_key_b64
         db.commit()
     db.close()
     
@@ -205,21 +251,26 @@ async def login(login_request: LoginRequest, session_key_b64: str) -> TokenRespo
 
 async def register(register_request: RegisterRequest, current_user: str = Depends(get_current_user_with_admin)) -> TokenResponse:
     db = SessionLocal()
-    existing_user = db.query(User).filter_by(username=register_request.username).first()
-    if existing_user:
+    try:
+        existing_user = db.query(User).filter_by(username=register_request.username).first()
+        if existing_user:
+            logger.warning(f"Registration failed: Username {register_request.username} already exists")
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Username already exists")
+        
+        hashed_password = pwd_context.hash(register_request.password)
+        new_user = User(username=register_request.username, password=hashed_password, is_admin=False)
+        db.add(new_user)
+        db.commit()
+        logger.info(f"Admin {current_user} successfully registered new user: {register_request.username}")
+        
+        tokens = await create_access_token(user_id=register_request.username)
+        return TokenResponse(access_token=tokens["access_token"], refresh_token=tokens["refresh_token"], token_type="bearer")
+    except Exception as e:
+        db.rollback()
+        logger.error(f"Registration error by admin {current_user}: {str(e)}")
+        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail=f"Registration failed: {str(e)}")
+    finally:
         db.close()
-        logger.warning(f"Registration failed: Username {register_request.username} already exists")
-        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Username already exists")
-    
-    hashed_password = pwd_context.hash(register_request.password)
-    new_user = User(username=register_request.username, password=hashed_password, is_admin=False)
-    db.add(new_user)
-    db.commit()
-    db.close()
-    
-    tokens = await create_access_token(user_id=register_request.username)
-    logger.info(f"Registered and generated token for user: {register_request.username} by admin {current_user}")
-    return TokenResponse(access_token=tokens["access_token"], refresh_token=tokens["refresh_token"], token_type="bearer")
 
 async def app_register(register_request: RegisterRequest, session_key_b64: str) -> TokenResponse:
     db = SessionLocal()
@@ -231,15 +282,17 @@ async def app_register(register_request: RegisterRequest, session_key_b64: str)
         db.close()
         raise HTTPException(status_code=400, detail="Invalid encrypted data")
     
+    # Check both tables to prevent duplicate usernames
     existing_user = db.query(User).filter_by(username=username).first()
-    if existing_user:
+    existing_app_user = db.query(AppUser).filter_by(username=username).first()
+    if existing_user or existing_app_user:
         db.close()
         logger.warning(f"App registration failed: Email {username} already exists")
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Email already registered")
     
     hashed_password = pwd_context.hash(password)
-    new_user = User(username=username, password=hashed_password, is_admin=False, session_key=session_key_b64)
-    db.add(new_user)
+    new_app_user = AppUser(username=username, password=hashed_password, session_key=session_key_b64)
+    db.add(new_app_user)
     db.commit()
     db.close()
     
@@ -256,12 +309,12 @@ async def refresh_token(credentials: HTTPAuthorizationCredentials = Depends(bear
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token type; refresh token required")
         user_id = token_data.sub
         db = SessionLocal()
+        # Check both users and app_users tables
         user = db.query(User).filter_by(username=user_id).first()
+        app_user = db.query(AppUser).filter_by(username=user_id).first()
         db.close()
-        if not user:
+        if not user and not app_user:
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
-        if datetime.utcnow().timestamp() > token_data.exp:
-            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Refresh token has expired")
         tokens = await create_access_token(user_id=user_id)
         return TokenResponse(access_token=tokens["access_token"], refresh_token=tokens["refresh_token"], token_type="bearer")
     except jwt.InvalidTokenError: