cloud-api/src/auth/dependencies.py

"""
Auth dependencies

Exports:
 - org_query_user_claims_dependency: bool: Verifies user belongs to org
 - org_model_root_claim_query_dependency: org_model: verifies org exists and user is either root or su, gets org from query
 - org_model_root_claim_body_dependency: org_model: verifies org exists and user is either root or su, gets org from body
 - super_admin_dependency: user_model: verifies the user is a super admin
"""

from typing import Annotated
from fastapi import Depends

from src.exceptions import ForbiddenException
from src.user.dependencies import user_model_claims_dependency
from src.user.models import User
from src.organisation.dependencies import (
	org_model_query_dependency,
	org_model_body_dependency,
)
from src.organisation.models import Organisation as Org


async def org_query_user_claims(
	org_model: org_model_query_dependency, user_model: user_model_claims_dependency
):
	if user_model in org_model.user_rel:
		return True

	raise ForbiddenException()


org_query_user_claims_dependency = Annotated[bool, Depends(org_query_user_claims)]


async def org_query_root_claims(
	user_model: user_model_claims_dependency,
	org_model: org_model_query_dependency,
	su_emails: su_list_dependency,
):
	if org_model.root_user_id == user_model.id:
		return org_model

	try:
		if await user_model_super_admin(user_model, su_emails):
			return org_model
	except ForbiddenException:
		pass

	raise ForbiddenException(message="Must be the org's root user")


org_model_root_claim_query_dependency = Annotated[
	type[Org], Depends(org_query_root_claims)
]


async def org_body_root_claims(
	user_model: user_model_claims_dependency,
	org_model: org_model_body_dependency,
	su_emails: su_list_dependency,
):
	if org_model.root_user_id == user_model.id:
		return org_model

	try:
		if await user_model_super_admin(user_model, su_emails):
			return org_model
	except ForbiddenException:
		pass

	raise ForbiddenException(message="Must be the org's root user")


org_model_root_claim_body_dependency = Annotated[
	type[Org], Depends(org_body_root_claims)
]


def get_super_admin_list():
	return []


def empty_su_list():
	return []


def testing_su_list():
	return ["admin@test.com"]


su_list_dependency = Annotated[list[User], Depends(get_super_admin_list)]


async def user_model_super_admin(
	user_model: user_model_claims_dependency, super_admin_emails: su_list_dependency
):
	if user_model.email in super_admin_emails:
		return user_model

	raise ForbiddenException(message="Must be super admin")


super_admin_dependency = Annotated[type[User], Depends(user_model_super_admin)]
Initial commit 2026-04-06 12:41:49 +01:00			`"""`
docs: auth docstrings Issue: #13 2026-05-28 11:10:55 +01:00			`Auth dependencies`
Initial commit 2026-04-06 12:41:49 +01:00
docs: auth docstrings Issue: #13 2026-05-28 11:10:55 +01:00			`Exports:`
			`- org_query_user_claims_dependency: bool: Verifies user belongs to org`
			`- org_model_root_claim_query_dependency: org_model: verifies org exists and user is either root or su, gets org from query`
			`- org_model_root_claim_body_dependency: org_model: verifies org exists and user is either root or su, gets org from body`
			`- super_admin_dependency: user_model: verifies the user is a super admin`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
fix: auth dependency return values and types Return values were all labelled as dicts instead of bools. Root user dependency now returns the org for which they are root user. 2026-05-27 15:22:32 +01:00			`from typing import Annotated`
feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`from fastapi import Depends`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`from src.exceptions import ForbiddenException`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00			`from src.user.dependencies import user_model_claims_dependency`
minor: type hint 2026-05-28 11:06:54 +01:00			`from src.user.models import User`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`from src.organisation.dependencies import (`
			`org_model_query_dependency,`
			`org_model_body_dependency,`
			`)`
fix: auth dependency return values and types Return values were all labelled as dicts instead of bools. Root user dependency now returns the org for which they are root user. 2026-05-27 15:22:32 +01:00			`from src.organisation.models import Organisation as Org`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`async def org_query_user_claims(`
			`org_model: org_model_query_dependency, user_model: user_model_claims_dependency`
			`):`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00			`if user_model in org_model.user_rel:`
			`return True`

feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`raise ForbiddenException()`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00

fix: auth dependency return values and types Return values were all labelled as dicts instead of bools. Root user dependency now returns the org for which they are root user. 2026-05-27 15:22:32 +01:00			`org_query_user_claims_dependency = Annotated[bool, Depends(org_query_user_claims)]`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`async def org_query_root_claims(`
			`user_model: user_model_claims_dependency,`
			`org_model: org_model_query_dependency,`
			`su_emails: su_list_dependency,`
			`):`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00			`if org_model.root_user_id == user_model.id:`
fix: auth dependency return values and types Return values were all labelled as dicts instead of bools. Root user dependency now returns the org for which they are root user. 2026-05-27 15:22:32 +01:00			`return org_model`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`try:`
			`if await user_model_super_admin(user_model, su_emails):`
			`return org_model`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`except ForbiddenException:`
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`pass`
feat: root user dependencies also allow super admins 2026-05-28 10:56:08 +01:00
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`raise ForbiddenException(message="Must be the org's root user")`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`org_model_root_claim_query_dependency = Annotated[`
			`type[Org], Depends(org_query_root_claims)`
			`]`
feat: auth dependencies These dependencies require `user_model_claims_dependency` which requires the `claims_dependency`. This caused an import loop error and therefore they must be defined in a different file from `claims_dependency`. Resolves #6 2026-05-27 14:27:51 +01:00

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`async def org_body_root_claims(`
			`user_model: user_model_claims_dependency,`
			`org_model: org_model_body_dependency,`
			`su_emails: su_list_dependency,`
			`):`
feat: auth dependency for root user with org in body 2026-05-27 15:34:18 +01:00			`if org_model.root_user_id == user_model.id:`
			`return org_model`

feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`try:`
			`if await user_model_super_admin(user_model, su_emails):`
			`return org_model`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`except ForbiddenException:`
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`pass`
feat: root user dependencies also allow super admins 2026-05-28 10:56:08 +01:00
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`raise ForbiddenException(message="Must be the org's root user")`
feat: auth dependency for root user with org in body 2026-05-27 15:34:18 +01:00

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`org_model_root_claim_body_dependency = Annotated[`
			`type[Org], Depends(org_body_root_claims)`
			`]`
feat: auth dependency for root user with org in body 2026-05-27 15:34:18 +01:00

feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`def get_super_admin_list():`
			`return []`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`def empty_su_list():`
			`return []`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
test: super admin dep override Test user super admin account added via override rather than assumed present. 2026-06-08 11:10:39 +01:00			`def testing_su_list():`
			`return ["admin@test.com"]`

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`su_list_dependency = Annotated[list[User], Depends(get_super_admin_list)]`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
			`async def user_model_super_admin(`
			`user_model: user_model_claims_dependency, super_admin_emails: su_list_dependency`
			`):`
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00			`if user_model.email in super_admin_emails:`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`return user_model`

feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`raise ForbiddenException(message="Must be super admin")`
feat: super admin handling The list of super admins now comes from a dependency, allowing it to easily be overrridden during testing. 2026-06-04 11:48:50 +01:00

			`super_admin_dependency = Annotated[type[User], Depends(user_model_super_admin)]`