"""Authentication router — Register, Login, Refresh, Me.""" from datetime import datetime from typing import Optional from fastapi import APIRouter, Depends, HTTPException, status from pydantic import BaseModel, Field from sqlalchemy.orm import Session from app.config import settings from app.database import get_db from app.models.user import User from app.schemas.user import UserCreate, UserLogin, UserRead from app.services.auth_service import ( create_access_token, create_refresh_token, decode_token, get_current_user, hash_password, verify_password, ) from app.utils.helpers import generate_uuid router = APIRouter() # ── Request / Response schemas ─────────────────────────────────────────── # class RefreshTokenRequest(BaseModel): refresh_token: str class AuthResponse(BaseModel): access_token: str = Field(alias="accessToken") refresh_token: str = Field(alias="refreshToken") token_type: str = Field(default="bearer", alias="tokenType") user: UserRead model_config = {"populate_by_name": True} class RefreshResponse(BaseModel): access_token: str = Field(alias="accessToken") token_type: str = Field(default="bearer", alias="tokenType") model_config = {"populate_by_name": True} # ── Endpoints ──────────────────────────────────────────────────────────── # @router.post( "/register", response_model=AuthResponse, status_code=status.HTTP_201_CREATED, summary="用户注册", ) def register(body: UserCreate, db: Session = Depends(get_db)): """Register a new user account.""" # Check for existing email existing = db.query(User).filter(User.email == body.email).first() if existing: raise HTTPException( status_code=status.HTTP_409_CONFLICT, detail="该邮箱已被注册", ) user = User( id=generate_uuid(), email=body.email, hashed_password=hash_password(body.password), display_name=body.display_name, avatar_url=body.avatar_url, is_active=True, is_admin=False, created_at=datetime.utcnow(), updated_at=datetime.utcnow(), ) db.add(user) db.commit() db.refresh(user) access_token = create_access_token(user.id) refresh_token = create_refresh_token(user.id) return AuthResponse( access_token=access_token, refresh_token=refresh_token, user=UserRead.model_validate(user), ) @router.post( "/login", response_model=AuthResponse, summary="用户登录", ) def login(body: UserLogin, db: Session = Depends(get_db)): """Authenticate a user and return tokens.""" user = db.query(User).filter(User.email == body.email).first() if not user: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="邮箱或密码错误", ) if not user.is_active: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="账户已被禁用", ) if not verify_password(body.password, user.hashed_password): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="邮箱或密码错误", ) access_token = create_access_token(user.id) refresh_token = create_refresh_token(user.id) return AuthResponse( access_token=access_token, refresh_token=refresh_token, user=UserRead.model_validate(user), ) @router.post( "/refresh", response_model=RefreshResponse, summary="刷新访问令牌", ) def refresh(body: RefreshTokenRequest): """Issue a new access token using a valid refresh token.""" payload = decode_token(body.refresh_token, expected_type="refresh") user_id = payload.get("sub") if not user_id: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="无效的刷新令牌", ) access_token = create_access_token(user_id) return RefreshResponse(access_token=access_token) @router.get( "/me", response_model=UserRead, summary="获取当前用户信息", ) def me(current_user: User = Depends(get_current_user)): """Return the currently authenticated user's profile.""" return UserRead.model_validate(current_user)