web-client/bff/auth.py

"""JWT auth for web users."""

import time
from typing import Optional

import jwt
from fastapi import Depends, HTTPException, Request

from config import JWT_SECRET, JWT_ALGORITHM

TOKEN_EXPIRY = 7 * 24 * 3600  # 7 days


def create_token(username: str, provider: str = "local") -> str:
    payload = {
        "sub": username,
        "name": username,
        "provider": provider,
        "iat": int(time.time()),
        "exp": int(time.time()) + TOKEN_EXPIRY,
    }
    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)


def verify_token(token: str) -> Optional[dict]:
    try:
        return jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
    except jwt.PyJWTError:
        return None


def get_current_user(request: Request) -> dict:
    auth = request.headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise HTTPException(401, "Not authenticated")
    payload = verify_token(auth[7:])
    if not payload:
        raise HTTPException(401, "Invalid token")
    return payload