2026-02-05 17:29:50 +02:00
|
|
|
"""Authentication routes for refresh token management."""
|
|
|
|
|
|
|
|
|
|
import logging
|
|
|
|
|
|
2026-02-05 17:55:21 +02:00
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status
|
2026-02-05 17:29:50 +02:00
|
|
|
from sqlalchemy import select
|
|
|
|
|
|
|
|
|
|
from app.db import User, async_session_maker
|
2026-02-05 17:55:21 +02:00
|
|
|
from app.schemas.auth import (
|
|
|
|
|
LogoutAllResponse,
|
|
|
|
|
LogoutRequest,
|
|
|
|
|
LogoutResponse,
|
|
|
|
|
RefreshTokenRequest,
|
|
|
|
|
RefreshTokenResponse,
|
2026-02-05 17:29:50 +02:00
|
|
|
)
|
2026-02-05 17:55:21 +02:00
|
|
|
from app.users import current_active_user, get_jwt_strategy
|
2026-02-05 17:29:50 +02:00
|
|
|
from app.utils.refresh_tokens import (
|
|
|
|
|
revoke_all_user_tokens,
|
|
|
|
|
revoke_refresh_token,
|
|
|
|
|
rotate_refresh_token,
|
|
|
|
|
validate_refresh_token,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
|
router = APIRouter(prefix="/auth/jwt", tags=["auth"])
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@router.post("/refresh", response_model=RefreshTokenResponse)
|
2026-02-05 17:55:21 +02:00
|
|
|
async def refresh_access_token(request: RefreshTokenRequest):
|
2026-02-05 17:29:50 +02:00
|
|
|
"""
|
|
|
|
|
Exchange a valid refresh token for a new access token and refresh token.
|
2026-02-05 17:55:21 +02:00
|
|
|
Implements token rotation for security.
|
2026-02-05 17:29:50 +02:00
|
|
|
"""
|
2026-02-05 17:55:21 +02:00
|
|
|
token_record = await validate_refresh_token(request.refresh_token)
|
2026-02-05 17:29:50 +02:00
|
|
|
|
|
|
|
|
if not token_record:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail="Invalid or expired refresh token",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Get user from token record
|
|
|
|
|
async with async_session_maker() as session:
|
|
|
|
|
result = await session.execute(
|
|
|
|
|
select(User).where(User.id == token_record.user_id)
|
|
|
|
|
)
|
|
|
|
|
user = result.scalars().first()
|
|
|
|
|
|
|
|
|
|
if not user:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail="User not found",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Generate new access token
|
|
|
|
|
strategy = get_jwt_strategy()
|
|
|
|
|
access_token = await strategy.write_token(user)
|
|
|
|
|
|
|
|
|
|
# Rotate refresh token
|
|
|
|
|
new_refresh_token = await rotate_refresh_token(token_record)
|
|
|
|
|
|
|
|
|
|
logger.info(f"Refreshed token for user {user.id}")
|
|
|
|
|
|
|
|
|
|
return RefreshTokenResponse(
|
|
|
|
|
access_token=access_token,
|
|
|
|
|
refresh_token=new_refresh_token,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2026-02-05 18:56:38 +02:00
|
|
|
@router.post("/revoke", response_model=LogoutResponse)
|
|
|
|
|
async def revoke_token(request: LogoutRequest):
|
2026-02-05 17:29:50 +02:00
|
|
|
"""
|
2026-02-05 17:55:21 +02:00
|
|
|
Logout current device by revoking the provided refresh token.
|
2026-02-05 18:56:38 +02:00
|
|
|
Does not require authentication - just the refresh token.
|
2026-02-05 17:29:50 +02:00
|
|
|
"""
|
2026-02-05 18:56:38 +02:00
|
|
|
revoked = await revoke_refresh_token(request.refresh_token)
|
|
|
|
|
if revoked:
|
|
|
|
|
logger.info("User logged out from current device - token revoked")
|
|
|
|
|
else:
|
|
|
|
|
logger.warning("Logout called but no matching token found to revoke")
|
2026-02-05 17:29:50 +02:00
|
|
|
return LogoutResponse()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@router.post("/logout-all", response_model=LogoutAllResponse)
|
2026-02-05 17:55:21 +02:00
|
|
|
async def logout_all_devices(user: User = Depends(current_active_user)):
|
2026-02-05 17:29:50 +02:00
|
|
|
"""
|
|
|
|
|
Logout from all devices by revoking all refresh tokens for the user.
|
|
|
|
|
Requires valid access token.
|
|
|
|
|
"""
|
|
|
|
|
await revoke_all_user_tokens(user.id)
|
|
|
|
|
logger.info(f"User {user.id} logged out from all devices")
|
|
|
|
|
return LogoutAllResponse()
|
