cloud-api/src/auth/service.py

"""
Module specific business logic for auth module

Exports:
 - claims_dependency
"""
import json
import requests

from typing import Annotated, Any
from joserfc import jwt
from joserfc.errors import ExpiredTokenError
from joserfc.jwk import KeySet
from urllib.request import urlopen

from fastapi import Depends
from fastapi.security import OpenIdConnect

from src.auth.exceptions import UnauthorizedException
from src.auth.config import auth_settings
from src.user.service import add_user_to_db


oidc = OpenIdConnect(openIdConnectUrl=auth_settings.OIDC_CONFIG)
oidc_dependency = Annotated[str, Depends(oidc)]

def get_dev_user():
	return {"db_id": 1}


async def get_current_user(oidc_auth_string: oidc_dependency) -> dict[str, Any]:
	config_url = urlopen(auth_settings.OIDC_CONFIG)
	config = json.loads(config_url.read())
	jwks_uri = config["jwks_uri"]
	key_response = requests.get(jwks_uri)
	jwk_keys = KeySet.import_key_set(key_response.json())

	claims_options = {
		"exp": {"essential": True},
		"aud": {"essential": True, "value": "account"},
		"iss": {"essential": True, "value": auth_settings.OIDC_ISSUER},
	}

	token = jwt.decode(
		oidc_auth_string.replace("Bearer ", ""),
		jwk_keys
	)

	claims_requests = jwt.JWTClaimsRegistry(**claims_options)

	try:
		claims_requests.validate(token.claims)
	except ExpiredTokenError:
		raise UnauthorizedException(message="Token is expired")
	db_id = await add_user_to_db(token.claims)

	token.claims["db_id"] = db_id

	return token.claims


claims_dependency = Annotated[dict[str, Any], Depends(get_current_user)]
Initial commit 2026-04-06 12:41:49 +01:00			`"""`
			`Module specific business logic for auth module`

			`Exports:`
			`- claims_dependency`
			`"""`
			`import json`
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`import requests`
Initial commit 2026-04-06 12:41:49 +01:00
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`from typing import Annotated, Any`
			`from joserfc import jwt`
feat: handling for expired token Returns a 401 with "Token expired" as the detail 2026-05-20 10:50:49 +01:00			`from joserfc.errors import ExpiredTokenError`
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`from joserfc.jwk import KeySet`
Initial commit 2026-04-06 12:41:49 +01:00			`from urllib.request import urlopen`

feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`from fastapi import Depends`
Initial commit 2026-04-06 12:41:49 +01:00			`from fastapi.security import OpenIdConnect`

feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`from src.auth.exceptions import UnauthorizedException`
Initial commit 2026-04-06 12:41:49 +01:00			`from src.auth.config import auth_settings`
			`from src.user.service import add_user_to_db`


			`oidc = OpenIdConnect(openIdConnectUrl=auth_settings.OIDC_CONFIG)`
			`oidc_dependency = Annotated[str, Depends(oidc)]`

feat: auth bypass for dev and testing ENVIRONMENT must be "local" and DISABLE_AUTH set for this to be active. Both of these default to production values to prevent this being enabled accidentally. Resolves #5 2026-05-26 11:42:49 +01:00			`def get_dev_user():`
			`return {"db_id": 1}`

Initial commit 2026-04-06 12:41:49 +01:00
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`async def get_current_user(oidc_auth_string: oidc_dependency) -> dict[str, Any]:`
Initial commit 2026-04-06 12:41:49 +01:00			`config_url = urlopen(auth_settings.OIDC_CONFIG)`
			`config = json.loads(config_url.read())`
			`jwks_uri = config["jwks_uri"]`
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`key_response = requests.get(jwks_uri)`
			`jwk_keys = KeySet.import_key_set(key_response.json())`
Initial commit 2026-04-06 12:41:49 +01:00
			`claims_options = {`
			`"exp": {"essential": True},`
			`"aud": {"essential": True, "value": "account"},`
			`"iss": {"essential": True, "value": auth_settings.OIDC_ISSUER},`
			`}`

feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`token = jwt.decode(`
Initial commit 2026-04-06 12:41:49 +01:00			`oidc_auth_string.replace("Bearer ", ""),`
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`jwk_keys`
Initial commit 2026-04-06 12:41:49 +01:00			`)`

feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`claims_requests = jwt.JWTClaimsRegistry(**claims_options)`
Initial commit 2026-04-06 12:41:49 +01:00
feat: handling for expired token Returns a 401 with "Token expired" as the detail 2026-05-20 10:50:49 +01:00			`try:`
			`claims_requests.validate(token.claims)`
feat: org dependencies Org endpoints use query/body model dependencies to perform initial db lookups. Issue #6 Org ID path params have been replaced with either query params (get endpoints) or body values. Resolves #10 Endpoints in other modules that rely on an org model lookup have also been updated. 2026-05-27 12:21:03 +01:00			`except ExpiredTokenError:`
feat: custom exceptions instead of direct fastapi.httpexceptions Resolves #2 2026-05-27 14:58:10 +01:00			`raise UnauthorizedException(message="Token is expired")`
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`db_id = await add_user_to_db(token.claims)`
Initial commit 2026-04-06 12:41:49 +01:00
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`token.claims["db_id"] = db_id`
Initial commit 2026-04-06 12:41:49 +01:00
feat: auth library upgrade The parts of Authlib used are now deprecated in favour of JoseRFC. 2026-05-19 09:49:27 +01:00			`return token.claims`


			`claims_dependency = Annotated[dict[str, Any], Depends(get_current_user)]`