Merge pull request #34 from Zerohertz/issue#32/refactor/oauth

[Refactor] OAuth 2.0

Author: Zerohertz

Makefile

@@ -49,3 +49,9 @@ exec:
 .PHONY: expose
 expose:
 	 kubectl expose -n fastapi po/postgresql-0 --port 5432 --type=NodePort
+
+.PHONY: swagger
+swagger:
+	curl https://unpkg.com/[email protected]/swagger-ui-bundle.js > static/swagger-ui-bundle.js
+	curl https://unpkg.com/[email protected]/swagger-ui.css > static/swagger-ui.css
+	npx prettier --write "static/*.{js,css}"

app/api/v1/endpoints/admin/users.py

@@ -2,13 +2,17 @@
 from fastapi import Depends, status
 from fastapi.responses import JSONResponse
 
-from app.core.auth import AdminDeps
+from app.core.auth import AdminAuthDeps, GitHubOAuthDeps, PasswordOAuthDeps
 from app.core.container import Container
 from app.core.router import CoreAPIRouter
 from app.schemas.users import UserPatchRequest, UserRequest, UserResponse
 from app.services.users import UserService
 
-router = CoreAPIRouter(prefix="/user", tags=["admin"], dependencies=[AdminDeps])
+router = CoreAPIRouter(
+    prefix="/user",
+    tags=["admin"],
+    dependencies=[AdminAuthDeps, PasswordOAuthDeps, GitHubOAuthDeps],
+)
 
 
 @router.get(

app/api/v1/endpoints/auth.py

@@ -1,119 +1,103 @@
+from typing import Annotated
+
 from dependency_injector.wiring import Provide, inject
-from fastapi import Depends, status
-from fastapi.responses import JSONResponse, RedirectResponse
+from fastapi import Depends, Form, status
+from fastapi.responses import JSONResponse
 
-from app.core.auth import AuthDeps
-from app.core.configs import configs
+from app.core.auth import GitHubOAuthDeps, PasswordOAuthDeps, UserAuthDeps
 from app.core.container import Container
 from app.core.router import CoreAPIRouter
-from app.schemas.auth import JwtAccessToken, JwtRefreshToken, JwtToken
-from app.schemas.users import (
-    UserOut,
-    UserPasswordRequest,
-    UserRegisterRequest,
-    UserResponse,
+from app.schemas.auth import (
+    GitHubOAuthRequest,
+    JwtToken,
+    PasswordOAuthReigsterRequest,
+    PasswordOAuthRequest,
+    RefreshOAuthRequest,
 )
+from app.schemas.users import UserOut, UserResponse
 from app.services.users import UserService
 
 router = CoreAPIRouter(prefix="/auth", tags=["auth"])
 
 
 @router.post(
     "/refresh",
-    response_model=JwtAccessToken,
+    response_model=JwtToken,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
-    summary="",
-    description="",
+    summary="Refresh access token",
+    description="- Refresh the access token using a valid refresh token.</br>\n"
+    "- If the refresh token is invalid or expired, authentication will fail.",
 )
 @inject
-async def post_refresh_token(
-    token: JwtRefreshToken,
+async def refresh(
+    request: Annotated[RefreshOAuthRequest, Form(...)],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
-    return await service.refresh(token)
+    return await service.refresh(request)
 
 
 @router.post(
-    "/register",
+    "/register/password",
     response_model=UserResponse,
     response_class=JSONResponse,
     status_code=status.HTTP_201_CREATED,
-    summary="Register with password",
-    description="",
+    summary="Register a new account with a password",
+    description="- Create a new user account using an email and password.</br>\n"
+    "- The provided credentials will be used for authentication.",
 )
 @inject
 async def register_password(
-    request: UserRegisterRequest,
+    request: Annotated[PasswordOAuthReigsterRequest, Form(...)],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
     return await service.register(request)
 
 
 @router.post(
-    "/login",
+    "/token/password",
     response_model=JwtToken,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
-    summary="Log in with password",
-    description="",
+    summary="Obtain an access token via password authentication",
+    description="- Authenticate using an email and password to obtain an access token.</br>\n"
+    "- This token can be used for subsequent API requests.",
 )
 @inject
 async def log_in_password(
-    request: UserPasswordRequest,
+    # NOTE: OAuth2PasswordRequestForm
+    request: Annotated[PasswordOAuthRequest, Form(...)],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
     return await service.log_in_password(schema=request)
 
 
-@router.get(
-    "/oauth/login/github",
-    response_model=None,
-    response_class=RedirectResponse,
-    status_code=status.HTTP_302_FOUND,
-    summary="Log in with GitHub OAuth",
-    description="GitHub OAuth를 위해 redirection",
-)
-async def log_in_github():
-    # NOTE: &scope=repo,user
-    return RedirectResponse(
-        f"https://github.com/login/oauth/authorize?client_id={configs.GITHUB_OAUTH_CLIENT_ID}"
-    )
-
-
-@router.get(
-    "/oauth/callback/github",
+@router.post(
+    "/token/github",
     response_model=JwtToken,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
-    summary="Callback for GitHub OAuth",
-    description="GitHub OAuth에 의해 redirection될 endpoint",
-    include_in_schema=False,
+    summary="Obtain an access token via GitHub OAuth",
+    description="- Authenticate using GitHub OAuth and receive an access token.<br/>\n"
+    "- The client must provide an authorization code obtained from GitHub.",
 )
 @inject
-async def callback_github(
-    code: str,
+async def log_in_github(
+    request: Annotated[GitHubOAuthRequest, Form()],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
-    """
-    # NOTE: Cookie 방식으로 JWT token 사용 시
-    response.set_cookie(
-        key="access_token", value=jwt_token.access_token, httponly=True, secure=True
-    )
-    response.set_cookie(
-        key="refresh_token", value=jwt_token.refresh_token, httponly=True, secure=True
-    )
-    """
-    return await service.log_in_github(code=code)
+    return await service.log_in_github(request)
 
 
 @router.get(
     "/me",
     response_model=UserOut,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
-    summary="",
-    description="",
+    dependencies=[PasswordOAuthDeps, GitHubOAuthDeps],
+    summary="Retrieve the current authenticated user's information",
+    description="- Returns the authenticated user's details based on the provided access token.</br>\n"
+    "- Requires a valid token obtained via password authentication or GitHub OAuth.",
 )
-async def get_me(user: AuthDeps):
+async def get_me(user: Annotated[UserOut, UserAuthDeps]):
     return user

app/api/v1/endpoints/users.py

@@ -1,11 +1,13 @@
+from typing import Annotated
+
 from dependency_injector.wiring import Provide, inject
 from fastapi import Depends, status
 from fastapi.responses import JSONResponse
 
-from app.core.auth import AuthDeps
+from app.core.auth import GitHubOAuthDeps, PasswordOAuthDeps, UserAuthDeps
 from app.core.container import Container
 from app.core.router import CoreAPIRouter
-from app.schemas.users import UserPatchRequest, UserRequest, UserResponse
+from app.schemas.users import UserOut, UserPatchRequest, UserRequest, UserResponse
 from app.services.users import UserService
 
 router = CoreAPIRouter(prefix="/user", tags=["user"])
@@ -16,13 +18,14 @@
     response_model=UserResponse,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
+    dependencies=[PasswordOAuthDeps, GitHubOAuthDeps],
     summary="",
     description="",
 )
 @inject
 async def put_user(
-    user: AuthDeps,
     schema: UserRequest,
+    user: Annotated[UserOut, UserAuthDeps],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
     return await service.put_by_id(id=user.id, schema=schema)
@@ -33,13 +36,14 @@ async def put_user(
     response_model=UserResponse,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
+    dependencies=[PasswordOAuthDeps, GitHubOAuthDeps],
     summary="",
     description="",
 )
 @inject
 async def patch_user(
-    user: AuthDeps,
     schema: UserPatchRequest,
+    user: Annotated[UserOut, UserAuthDeps],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
     return await service.patch_by_id(id=user.id, schema=schema)
@@ -50,12 +54,13 @@ async def patch_user(
     response_model=UserResponse,
     response_class=JSONResponse,
     status_code=status.HTTP_200_OK,
+    dependencies=[PasswordOAuthDeps, GitHubOAuthDeps],
     summary="",
     description="",
 )
 @inject
 async def delete_user(
-    user: AuthDeps,
+    user: Annotated[UserOut, UserAuthDeps],
     service: UserService = Depends(Provide[Container.user_service]),
 ):
     return await service.delete_by_id(id=user.id)

app/core/auth.py

@@ -2,8 +2,13 @@
 
 from dependency_injector.wiring import Provide, inject
 from fastapi import Depends, HTTPException, Request
-from fastapi.security import HTTPBearer
+from fastapi.security import (
+    HTTPBearer,
+    OAuth2AuthorizationCodeBearer,
+    OAuth2PasswordBearer,
+)
 
+from app.core.configs import configs, oauth_endpoints
 from app.core.container import Container
 from app.exceptions.auth import NotAuthenticated
 from app.models.enums import Role
@@ -45,17 +50,34 @@ async def get_current_user(
     access_token: Annotated[str, Depends(jwt_bearer)],
     service: UserService = Depends(Provide[Container.user_service]),
 ) -> UserOut:
-    token = JwtAccessToken(access_token=access_token)
-    return await service.verify(token=token)
+    schema = JwtAccessToken(access_token=access_token)
+    return await service.verify(schema=schema)
 
 
-AuthDeps = Annotated[UserOut, Depends(get_current_user)]
+UserAuthDeps = Depends(get_current_user)
 
 
-async def get_admin_user(user: AuthDeps) -> UserOut:
+async def get_admin_user(user: Annotated[UserOut, UserAuthDeps]) -> UserOut:
     if user.role != Role.ADMIN:
         raise NotAuthenticated
     return user
 
 
-AdminDeps = Depends(get_admin_user)
+AdminAuthDeps = Depends(get_admin_user)
+
+PasswordOAuthDeps = Depends(
+    OAuth2PasswordBearer(
+        tokenUrl=oauth_endpoints.PASSWORD, scheme_name="Password OAuth"
+    )
+)
+GitHubOAuthDeps = Depends(
+    OAuth2AuthorizationCodeBearer(
+        authorizationUrl=f"https://github.com/login/oauth/authorize?client_id={configs.GITHUB_OAUTH_CLIENT_ID}",
+        tokenUrl=oauth_endpoints.GITHUB,
+        # NOTE: https://github.com/Zerohertz/fastapi-cookbook/issues/33#issuecomment-2627994536
+        refreshUrl=None,
+        scheme_name="GitHub OAuth",
+        scopes=None,
+        # NOTE: &scope=repo,user
+    )
+)

app/core/configs.py

@@ -1,5 +1,4 @@
 from enum import Enum
-from typing import Optional
 
 from pydantic import computed_field
 from pydantic_core import MultiHostUrl
@@ -24,14 +23,14 @@ class Configs(BaseSettings):
 
     # --------- DATABASE SETTINGS --------- #
     DB_TYPE: str
-    DB_DRIVER: Optional[str]
-    DB_HOST: Optional[str]
-    DB_PORT: Optional[int] = 0
-    DB_USER: Optional[str]
-    DB_PASSWORD: Optional[str]
-    DB_NAME: Optional[str]
-    DB_ECHO: Optional[bool] = True
-    DB_TABLE_CREATE: Optional[bool] = True
+    DB_DRIVER: str
+    DB_HOST: str
+    DB_PORT: int = 0
+    DB_USER: str
+    DB_PASSWORD: str
+    DB_NAME: str
+    DB_ECHO: bool = True
+    DB_TABLE_CREATE: bool = True
 
     # --------- AUTH SETTINGS --------- #
     GITHUB_OAUTH_CLIENT_ID: str
@@ -69,3 +68,11 @@ def DATABASE_URI(self) -> str:
 
 
 configs = Configs()  # type: ignore[call-arg]
+
+
+class OAuthEndpoints(BaseSettings):
+    PASSWORD: str = f"{configs.PREFIX}/v1/auth/token/password"
+    GITHUB: str = f"{configs.PREFIX}/v1/auth/token/github"
+
+
+oauth_endpoints = OAuthEndpoints()

app/core/middlewares.py

@@ -55,6 +55,9 @@ def info(
     async def dispatch(
         self, request: Request, call_next: RequestResponseEndpoint
     ) -> Response:
+        body = await request.body()
+        if body:
+            logger.trace(f"{body=}")
         if request.headers.get("x-real-ip"):
             ip = request.headers.get("x-real-ip")
         elif request.headers.get("x-forwarded-for"):
@@ -67,22 +70,12 @@ async def dispatch(
         start_time = time.time()
         response = await call_next(request)
         end_time = time.time()
-        status = ansi_format(
-            str(response.status_code),
-            bg_color=ANSI_BG_COLOR.LIGHT_BLACK,
-            style=[ANSI_STYLE.UNDERLINE, ANSI_STYLE.BOLD],
-        )
-        elapsed_time = ansi_format(
-            f"{end_time - start_time:.3f}s",
-            bg_color=ANSI_BG_COLOR.LIGHT_BLACK,
-            style=[ANSI_STYLE.UNDERLINE, ANSI_STYLE.BOLD],
-        )
         self.info(
             ip=str(ip),
             url=str(request.url),
             method=str(request.method),
-            status=status,
-            elapsed_time=elapsed_time,
+            status=str(response.status_code),
+            elapsed_time=f"{end_time - start_time:.3f}s",
         )
         return response