feat: implemented backend changes

Author: VictoriaTskhondia

backend/pyproject.toml

@@ -17,8 +17,7 @@ dependencies = [
     "fastapi-pagination>=0.12.34",
     "bcrypt==4.0.1",
     "google-genai>=1.5.0",
-    "itsdangerous (>=2.2.0,<3.0.0)",
-    "authlib (>=1.5.2,<2.0.0)",
+    "starlette (>=0.46.2,<0.47.0)",
 ]
 
 [tool.uv]

backend/src/alembic/versions/1425c896d3ef_add_auth0_id_field_to_users_table.py

@@ -0,0 +1,37 @@
+"""Add auth0_id field to Users table
+
+Revision ID: 1425c896d3ef
+Revises: cb16ae472c1e
+Create Date: 2025-05-10 00:12:00.358973
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+
+
+# revision identifiers, used by Alembic.
+revision = '1425c896d3ef'
+down_revision = 'cb16ae472c1e'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('user', 'hashed_password',
+               existing_type=sa.VARCHAR(),
+               nullable=True)
+    op.drop_index('ix_user_auth0_id', table_name='user')
+    op.create_index(op.f('ix_user_auth0_id'), 'user', ['auth0_id'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_user_auth0_id'), table_name='user')
+    op.create_index('ix_user_auth0_id', 'user', ['auth0_id'], unique=True)
+    op.alter_column('user', 'hashed_password',
+               existing_type=sa.VARCHAR(),
+               nullable=False)
+    # ### end Alembic commands ###

backend/src/auth/auth0_api.py

@@ -1,81 +1,58 @@
-from typing import Annotated, Any
-
-from fastapi import APIRouter, Depends, HTTPException, Request
-from sqlmodel import Session
-from starlette.responses import RedirectResponse
-
-from src.core.db import get_db
-from src.dependencies.auth0 import (
-    get_auth0_service,
-    get_current_user,
-    get_current_user_claims,
+from fastapi import APIRouter, Request
+from fastapi.responses import RedirectResponse
+from authlib.integrations.starlette_client import OAuth
+from src.core.config import settings
+
+router = APIRouter(tags=["auth"])
+
+oauth = OAuth()
+oauth.register(
+    name="auth0",
+    client_id=settings.AUTH0_CLIENT_ID,
+    client_secret=settings.AUTH0_CLIENT_SECRET,
+    server_metadata_url=f"https://{settings.AUTH0_DOMAIN}/.well-known/openid-configuration",
+    client_kwargs={"scope": "openid profile email"},
 )
-from src.services.auth0 import Auth0Service
-from src.users.auth0 import get_or_create_user_from_auth0
-from src.users.models import User
-from src.users.schemas import UserPublic
-
-router = APIRouter(prefix="/auth0", tags=["auth0"])
 
 
 @router.get("/login")
-async def login(
-    request: Request, auth_service: Annotated[Auth0Service, Depends(get_auth0_service)]
-) -> RedirectResponse:
-    return await auth_service.login(request)
+async def login(request: Request):
+    redirect_uri = request.url_for("auth0_callback")
+    return await oauth.auth0.authorize_redirect(
+        request,
+        redirect_uri,
+        prompt="select_account",
+        connection="google-oauth2"
+    )
 
 
-@router.get("/callback")
-async def callback(
-    request: Request,
-    session: Annotated[Session, Depends(get_db)],
-    auth_service: Annotated[Auth0Service, Depends(get_auth0_service)],
-) -> RedirectResponse:
-    try:
-        # Exchange auth code for tokens
-        token_response = await auth_service.callback(request)
-        access_token = token_response.get("access_token")
+@router.get("/callback", name="auth0_callback")
+async def auth0_callback(request: Request):
+    token = await oauth.auth0.authorize_access_token(request)
 
-        # Store access token in session for later use
-        request.session["access_token"] = access_token
+    user = token.get("userinfo") or await oauth.auth0.userinfo(token=token)
 
-        # Get user info from Auth0
-        user_info = await auth_service.get_user_info(access_token)
+    request.session["user"] = {
+        "email": user["email"],
+        "name": user.get("name"),
+        "picture": user.get("picture"),
+        "sub": user.get("sub"),
+    }
 
-        # Get or create user in our database
-        db_user = await get_or_create_user_from_auth0(session, user_info)
-
-        # Store user ID in session
-        request.session["user_id"] = str(db_user.id)
-
-        # Redirect to the frontend after successful authentication
-        return RedirectResponse(url="/")
-    except Exception as e:
-        # Log the error and redirect to error page
-        return RedirectResponse(url=f"/auth0/error?message={str(e)}")
+    return RedirectResponse(url="http://localhost:5173/collections")
 
 
 @router.get("/logout")
-async def logout(
-    auth_service: Annotated[Auth0Service, Depends(get_auth0_service)],
-) -> RedirectResponse:
-    return auth_service.logout()
-
-
-@router.get("/me", response_model=UserPublic)
-async def read_users_me(
-    current_user: Annotated[User, Depends(get_current_user)],
-) -> User:
-    return current_user
-
-
-@router.get("/validate")
-async def validate_token(
-    claims: Annotated[dict[str, Any], Depends(get_current_user_claims)],
-) -> dict[str, Any]:
-    return claims
-
-
-@router.get("/error")
-async def auth_error(message: str = "Authentication error"):
-    raise HTTPException(status_code=401, detail=message)
+async def logout(request: Request):
+    request.session.clear()
+    return RedirectResponse(
+        url=f"https://{settings.AUTH0_DOMAIN}/v2/logout"
+            f"?client_id={settings.AUTH0_CLIENT_ID}"
+            f"&returnTo=http://localhost:5173"
+    )
+
+
+@router.get("/me")
+async def me(request: Request):
+    user = request.session.get("user")
+    return {"authenticated": bool(user), "user": user}

backend/src/auth/services.py

@@ -2,17 +2,18 @@
 from typing import Annotated, Any
 
 import jwt
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException, status, Request
 from fastapi.security import OAuth2PasswordBearer
 from jwt.exceptions import InvalidTokenError
 from passlib.context import CryptContext
 from pydantic import ValidationError
-from sqlmodel import Session
+from sqlmodel import Session, select
 
 from src.auth.schemas import TokenPayload
 from src.core.config import settings
 from src.core.db import get_db
 from src.users.models import User
+from src.users.schemas import UserPublic
 
 ALGORITHM = "HS256"
 
@@ -23,21 +24,50 @@
 TokenDep = Annotated[str, Depends(reusable_oauth2)]
 
 
-def get_current_user(session: SessionDep, token: TokenDep) -> User:
+def get_user_from_session(request: Request, session: SessionDep) -> User:
+    session_user = request.session.get("user")
+    if not session_user:
+        raise HTTPException(status_code=401, detail="Not authenticated (no session)")
+
+    user = session.exec(select(User).where(User.email == session_user["email"])).first()
+    if not user or not user.is_active:
+        raise HTTPException(status_code=401, detail="Invalid session user")
+    return UserPublic.model_validate(user)
+
+
+def get_user_from_token(
+    session: SessionDep,
+    token: Annotated[str, Depends(reusable_oauth2)],
+) -> User:
     try:
         payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[ALGORITHM])
         token_data = TokenPayload(**payload)
+        user = session.get(User, token_data.sub)
+        if not user or not user.is_active:
+            raise HTTPException(status_code=401, detail="Invalid user")
+        return user
     except (InvalidTokenError, ValidationError):
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Could not validate credentials",
-        )
-    user = session.get(User, token_data.sub)
-    if not user:
-        raise HTTPException(status_code=404, detail="User not found")
-    if not user.is_active:
-        raise HTTPException(status_code=400, detail="Inactive user")
-    return user
+        raise HTTPException(status_code=403, detail="Invalid token")
+
+
+def get_current_user(
+    request: Request,
+    session: SessionDep,
+    token: Annotated[str | None, Depends(OAuth2PasswordBearer(tokenUrl=f"{settings.API_V1_STR}/tokens", auto_error=False))] = None,
+) -> User:
+    print("in get current user")
+    # Prefer session (Auth0 flow)
+    session_user = request.session.get("user")
+    if session_user:
+        print("Session user found:", session_user["email"])
+        res = get_user_from_session(request, session)
+        print("User from session:", res)
+        return res
+    # Fallback to token (JWT flow)
+    if token:
+        return get_user_from_token(session, token)
+    
+    raise HTTPException(status_code=401, detail="Not authenticated")
 
 
 CurrentUser = Annotated[User, Depends(get_current_user)]
@@ -53,8 +83,15 @@ def authenticate(*, session: Session, email: str, password: str) -> User | None:
     db_user = get_user_by_email(session=session, email=email)
     if not db_user:
         return None
+        
+    # Auth0 users may not have a password
+    if not db_user.hashed_password:
+        # Return None for users without a password when using password authentication
+        return None
+        
     if not verify_password(password, db_user.hashed_password):
         return None
+        
     return db_user
 
 
@@ -67,3 +104,15 @@ def create_access_token(subject: str | Any, expires_delta: timedelta) -> str:
 
 def get_password_hash(password: str) -> str:
     return pwd_context.hash(password)
+
+
+def get_or_create_user_by_email(session: Session, email: str, defaults: dict = {}) -> User:
+    user = session.exec(select(User).where(User.email == email)).first()
+    if user:
+        return user
+    user = User(email=email, **defaults)
+    session.add(user)
+    session.commit()
+    session.refresh(user)
+    return user
+

backend/src/core/config.py

@@ -45,18 +45,12 @@ class Settings(BaseSettings):
     POSTGRES_USER: str
     POSTGRES_PASSWORD: str
     POSTGRES_DB: str = ""
+    # Session Configuration
+    SESSION_MAX_AGE: int = 60 * 60 * 24 * 7  # 7 days
 
-    # Auth0 Configuration
     AUTH0_CLIENT_ID: str
     AUTH0_CLIENT_SECRET: str
     AUTH0_DOMAIN: str
-    AUTH0_ISSUER: str = ""  # Default empty string to make it optional
-    AUTH0_CALLBACK_URL: str
-    AUTH0_LOGOUT_URL: str = ""  # Default empty string to make it optional
-    AUTH0_AUDIENCE: str
-
-    # Session Configuration
-    SESSION_MAX_AGE: int = 60 * 60 * 24 * 7  # 7 days
 
     @computed_field  # type: ignore[misc]
     @property
@@ -107,29 +101,5 @@ def _enforce_non_default_secrets(self) -> Self:
 
         return self
 
-    @computed_field  # type: ignore[prop-decorator]
-    @property
-    def auth0_jwks_url(self) -> str:
-        """Get the JWKS URL for token validation."""
-        return f"https://{self.AUTH0_DOMAIN}/.well-known/jwks.json"
-
-    @computed_field  # type: ignore[prop-decorator]
-    @property
-    def auth0_authorization_url(self) -> str:
-        """Get the authorization URL for login."""
-        return f"https://{self.AUTH0_DOMAIN}/authorize"
-
-    @computed_field  # type: ignore[prop-decorator]
-    @property
-    def auth0_token_url(self) -> str:
-        """Get the token URL for token exchange."""
-        return f"https://{self.AUTH0_DOMAIN}/oauth/token"
-
-    @computed_field  # type: ignore[prop-decorator]
-    @property
-    def auth0_userinfo_url(self) -> str:
-        """Get the userinfo URL for fetching user data."""
-        return f"https://{self.AUTH0_DOMAIN}/userinfo"
-
 
 settings = Settings()  # type: ignore

backend/src/routers.py

@@ -13,3 +13,4 @@
 api_router.include_router(user_router, prefix="/users", tags=["users"])
 api_router.include_router(flashcards_router, tags=["flashcards"])
 api_router.include_router(stats_router, tags=["stats"])
+api_router.include_router(auth0_router, prefix="/auth0", tags=["auth0"])

backend/src/users/api.py

@@ -1,6 +1,6 @@
 from typing import Any
 
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Request
 
 from src.auth.services import CurrentUser, SessionDep
 from src.core.config import settings
@@ -12,10 +12,11 @@
 
 
 @router.get("/me", response_model=UserPublic)
-def read_user_me(current_user: CurrentUser) -> Any:
+def read_user_me(request: Request, current_user: CurrentUser) -> Any:
     """
     Get current user.
     """
+    print("session content:", request.session)
     return current_user
 
 

backend/src/users/models.py

@@ -1,5 +1,5 @@
 import uuid
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Optional
 
 from sqlmodel import Field, Relationship
 
@@ -11,7 +11,8 @@
 
 class User(UserBase, table=True):
     id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
-    hashed_password: str
+    auth0_id: Optional[str] = Field(default=None, index=True)
+    hashed_password: Optional[str] = Field(default=None)
     collections: list["Collection"] = Relationship(
         back_populates="user",
         cascade_delete=True,