start

backend/app/api/deps.py

@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlalchemy.orm import Session
+
+from ..core.db import get_db
+from ..core.security import decode_token
+from ..models.user import User
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
+
+
+def get_current_user(
+    token: str = Depends(oauth2_scheme),
+    db: Session = Depends(get_db),
+) -> User:
+    try:
+        payload = decode_token(token)
+    except ValueError as exc:
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED, str(exc)) from exc
+
+    if payload.get("type") != "access":
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "wrong token type")
+
+    user_id = payload.get("sub")
+    user = db.query(User).filter(User.id == int(user_id)).first() if user_id else None
+    if not user or not user.is_active:
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "user not found or inactive")
+    return user
+
+
+def require_role(*roles: str):
+    def _checker(user: User = Depends(get_current_user)) -> User:
+        if roles and user.role not in roles:
+            raise HTTPException(status.HTTP_403_FORBIDDEN, "insufficient permissions")
+        return user
+
+    return _checker