Initial InfraPulse scaffold

backend/app/auth/__init__.py

@@ -0,0 +1 @@
+"""Authentication helpers."""

backend/app/auth/dependencies.py

@@ -0,0 +1,41 @@
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from app.auth.security import decode_access_token
+from app.db.session import get_db
+from app.models import User
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
+
+ROLE_ORDER = {
+    "viewer": 10,
+    "operator": 20,
+    "admin": 30,
+    "owner": 40,
+}
+
+
+def get_current_user(token: str = Depends(oauth2_scheme), db: Session = Depends(get_db)) -> User:
+    email = decode_access_token(token)
+    if not email:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    user = db.scalar(select(User).where(User.email == email))
+    if user is None or not user.is_active:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Inactive or missing user")
+    return user
+
+
+def require_role(minimum_role: str):
+    def dependency(user: User = Depends(get_current_user)) -> User:
+        if ROLE_ORDER.get(user.role, 0) < ROLE_ORDER[minimum_role]:
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Insufficient role")
+        return user
+
+    return dependency

backend/app/auth/security.py

@@ -0,0 +1,31 @@
+from datetime import UTC, datetime, timedelta
+
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+
+from app.core.config import settings
+
+ALGORITHM = "HS256"
+pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
+
+
+def hash_password(password: str) -> str:
+    return pwd_context.hash(password)
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def create_access_token(subject: str) -> str:
+    expires_at = datetime.now(UTC) + timedelta(minutes=settings.access_token_expire_minutes)
+    payload = {"sub": subject, "exp": expires_at}
+    return jwt.encode(payload, settings.infrapulse_secret_key, algorithm=ALGORITHM)
+
+
+def decode_access_token(token: str) -> str | None:
+    try:
+        payload = jwt.decode(token, settings.infrapulse_secret_key, algorithms=[ALGORITHM])
+        return payload.get("sub")
+    except JWTError:
+        return None