Merge pull request #6 from KayvanShah1:feat-auth-api-key-verification

Authentication: User verification

Author: KayvanShah1

.gitignore

@@ -1 +1,3 @@
-.vscode/
+.vscode/
+.coverage
+*.log

backend/app/api/v1/apikeys.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import json
+
+from app.core.dependencies import get_db, require_verified_user
+from app.crud import apikey as crud
+from app.models.user import User
+from app.schemas.apikey import APIKeyCreate, APIKeyOut, APIKeySecretOut
+from fastapi import APIRouter, Depends, HTTPException, Response, status
+from sqlalchemy.ext.asyncio import AsyncSession
+
+router = APIRouter(prefix="/apikeys", tags=["API Keys"])
+
+
+@router.post("", response_model=APIKeySecretOut, status_code=status.HTTP_201_CREATED)
+async def create_api_key(
+    payload: APIKeyCreate,
+    user: User = Depends(require_verified_user),
+    db: AsyncSession = Depends(get_db),
+):
+    scopes_json = json.dumps(payload.scopes) if payload.scopes else None
+    key, display = await crud.create_api_key(
+        db, user_id=user.id, name=payload.name, scopes_json=scopes_json, expires_at=payload.expires_at
+    )
+    return APIKeySecretOut(
+        id=key.id,
+        name=key.name,
+        prefix=key.prefix,
+        scopes=payload.scopes or None,
+        expires_at=key.expires_at,
+        revoked=key.revoked,
+        created_at=key.created_at,
+        api_key=display,  # show ONCE
+    )
+
+
+@router.get("", response_model=list[APIKeyOut])
+async def list_api_keys(
+    user: User = Depends(require_verified_user),
+    db: AsyncSession = Depends(get_db),
+):
+    keys = await crud.list_api_keys(db, user.id)
+    out = []
+
+    for k in keys:
+        scopes = json.loads(k.scopes) if k.scopes else None
+        out.append(
+            APIKeyOut(
+                id=k.id,
+                name=k.name,
+                prefix=k.prefix,
+                scopes=scopes,
+                expires_at=k.expires_at,
+                revoked=k.revoked,
+                created_at=k.created_at,
+            )
+        )
+    return out
+
+
+@router.delete("/{key_id}", status_code=status.HTTP_204_NO_CONTENT, summary="Revoke or delete an API key")
+async def delete_or_revoke_api_key(
+    key_id: int,
+    hard: bool = False,
+    user: User = Depends(require_verified_user),
+    db: AsyncSession = Depends(get_db),
+):
+    if hard:
+        ok = await crud.delete_api_key(db, user.id, key_id)
+    else:
+        ok = await crud.revoke_api_key(db, user.id, key_id)
+    if not ok:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Key not found or already revoked")
+    return Response(status_code=status.HTTP_204_NO_CONTENT, content="API key deleted/revoked")

backend/app/api/v1/auth_email.py

@@ -0,0 +1,82 @@
+from __future__ import annotations
+
+from app.core.config import settings
+from app.core.dependencies import get_db
+from app.core.security import hash_password
+from app.crud.email_token import consume_email_token, issue_email_token
+from app.models.user import User
+from app.schemas.email_token import CompletePasswordReset, RequestPasswordReset, RequestVerifyEmail
+from app.services.mailer import send_email
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+router = APIRouter(prefix="/auth", tags=["Auth Email"])
+
+
+# 1) Send verification email (after signup or on demand)
+@router.post("/verify-email/request", status_code=status.HTTP_202_ACCEPTED)
+async def request_verify_email(
+    body: RequestVerifyEmail,
+    db: AsyncSession = Depends(get_db),
+):
+
+    res = await db.execute(select(User).where(User.email == body.email))
+    user = res.scalar_one_or_none()
+    # Always respond 202 to prevent enumeration, but only send if user exists
+    if user and not user.email_verified:
+        tok, raw = await issue_email_token(db, user_id=user.id, purpose="verify")
+        link = f"{settings.FRONTEND_ORIGIN}/auth/verify-email?token={raw}"
+        html = f"<p>Verify your Taskaza email by clicking <a href='{link}'>this link</a>. It expires in 24 hours.</p>"
+        await send_email(user.email, "Verify your Taskaza email", html)
+    return {"message": "If your email exists and is unverified, a link has been sent."}
+
+
+# 2) Complete verification
+@router.post("/verify-email/complete", status_code=status.HTTP_200_OK)
+async def complete_verify_email(
+    token: str,
+    db: AsyncSession = Depends(get_db),
+):
+    tok = await consume_email_token(db, token, purpose="verify")
+    if not tok:
+        raise HTTPException(status_code=400, detail="Invalid or expired token")
+
+    user = tok.user
+    if not user.email_verified:
+        user.email_verified = True
+        await db.commit()
+    return {"message": "Email verified successfully."}
+
+
+# 3) Request password reset
+@router.post("/password-reset/request", status_code=status.HTTP_202_ACCEPTED)
+async def request_password_reset(
+    body: RequestPasswordReset,
+    db: AsyncSession = Depends(get_db),
+):
+    res = await db.execute(select(User).where(User.email == body.email))
+    user = res.scalar_one_or_none()
+    if user:
+        tok, raw = await issue_email_token(db, user_id=user.id, purpose="reset")
+        link = f"{settings.FRONTEND_ORIGIN}/auth/reset-password?token={raw}"
+        html = f"<p>Reset your Taskaza password <a href='{link}'>here</a>. Link valid for 1 hour.</p>"
+        await send_email(user.email, "Reset your Taskaza password", html)
+    return {"message": "If the account exists, a reset link has been sent."}
+
+
+# 4) Complete password reset
+@router.post("/password-reset/complete", status_code=status.HTTP_200_OK)
+async def complete_password_reset(
+    body: CompletePasswordReset,
+    db: AsyncSession = Depends(get_db),
+):
+    tok = await consume_email_token(db, body.token, purpose="reset")
+    if not tok:
+        raise HTTPException(status_code=400, detail="Invalid or expired token")
+
+    user = tok.user
+
+    user.hashed_password = hash_password(body.new_password)
+    await db.commit()
+    return {"message": "Password reset successfully."}

backend/app/core/config.py

@@ -25,6 +25,7 @@ class Settings(BaseSettings):
     JWT_ALGORITHM: str = Field("HS256", description="JWT algorithm for signing tokens")
     JWT_ACCESS_TOKEN_EXPIRE_MINUTES: int = Field(60 * 24 * 3, description="JWT token expiration time in minutes")
     HTTP_API_KEY: str = Field("123456", description="HTTP API key for authentication")
+    API_KEY_PREFIX: str = Field("tsk", description="Prefix for API keys")
 
     # CORS settings
     BACKEND_CORS_ORIGINS: List[AnyHttpUrl | str] = Field(
@@ -34,6 +35,14 @@ class Settings(BaseSettings):
     # Database settings
     DATABASE_URL: str = Field("sqlite+aiosqlite:///./data/taskaza.db", description="Database connection URL")
 
+    # Email settings
+    FRONTEND_ORIGIN: str = Field("http://localhost:3000", description="Frontend origin for CORS and email links")
+    SMTP_HOST: str = Field("smtp.gmail.com", description="SMTP server host")
+    SMTP_PORT: int = Field(587, description="SMTP server port")
+    SMTP_USERNAME: str = Field("username", description="SMTP username")
+    SMTP_PASSWORD: str = Field("password", description="SMTP password or app password")
+    EMAIL_FROM: str = Field("Taskaza <[email protected]>", description="Default 'from' email address")
+
     # Configuration for Pydantic settings
     model_config = SettingsConfigDict(env_prefix="TSKZ_", env_file=".env", env_file_encoding="utf-8", extra="ignore")
 

backend/app/core/dependencies.py

@@ -1,14 +1,18 @@
+import hashlib
+from datetime import datetime, timezone
 from typing import AsyncGenerator
 
-from fastapi import Depends, HTTPException, status
-from fastapi.security import APIKeyHeader, OAuth2PasswordBearer
-from sqlalchemy.ext.asyncio import AsyncSession
-
 from app.core.auth import verify_access_token
-from app.core.config import settings
+from app.core.timeutils import as_aware_utc
+
+# from app.core.config import settings
+from app.crud.apikey import get_key_by_hash
 from app.crud.user import get_user_by_id
 from app.db.session import async_session
 from app.models.user import User
+from fastapi import Depends, HTTPException, status
+from fastapi.security import APIKeyHeader, OAuth2PasswordBearer
+from sqlalchemy.ext.asyncio import AsyncSession
 
 api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/token")
@@ -25,12 +29,42 @@ async def get_db() -> AsyncGenerator[AsyncSession, None]:
 # ---------------------------- #
 # Dependency: API Key Check
 # ---------------------------- #
-def verify_api_key(x_api_key: str = Depends(api_key_header)):
+# def verify_api_key(x_api_key: str = Depends(api_key_header)):
+#     if not x_api_key:
+#         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="API Key header missing")
+#     if x_api_key != settings.HTTP_API_KEY:
+#         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid API Key")
+#     return x_api_key
+
+
+async def verify_api_key(
+    x_api_key: str = Depends(api_key_header),
+    db: AsyncSession = Depends(get_db),
+):
     if not x_api_key:
-        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="API Key header missing")
-    if x_api_key != settings.HTTP_API_KEY:
-        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid API Key")
-    return x_api_key
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing API key")
+
+    # Expect format: "tsk_<prefix>_<secret>"
+    try:
+        scheme, prefix, secret = x_api_key.split("_", 2)
+    except ValueError:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key format")
+
+    if scheme != "tsk" or not prefix or not secret:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
+
+    raw = f"{prefix}.{secret}"
+    secret_hash = hashlib.sha256(raw.encode("utf-8")).hexdigest()
+    key = await get_key_by_hash(db, secret_hash)
+    if not key or key.revoked:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="API key revoked or not found")
+
+    # expiry check
+    if key.expires_at and as_aware_utc(key.expires_at) < datetime.now(timezone.utc):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="API key expired")
+
+    # You can attach scopes or the user to request state if needed
+    return key
 
 
 # ---------------------------- #
@@ -45,3 +79,12 @@ async def get_current_user(token: str = Depends(oauth2_scheme), db: AsyncSession
             detail="User not found",
         )
     return user
+
+
+# ---------------------------- #
+# Dependency: Require Verified User
+# ---------------------------- #
+async def require_verified_user(user: User = Depends(get_current_user)) -> User:
+    if not user.email_verified:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Email not verified")
+    return user

backend/app/core/metadata.py

@@ -26,5 +26,7 @@
 tags_metadata = [
     {"name": "Users", "description": "User registration and login routes"},
     {"name": "Login", "description": "Authentication and token management routes"},
+    {"name": "Auth Email", "description": "Email-based authentication routes"},
+    {"name": "API Keys", "description": "API key management routes"},
     {"name": "Tasks", "description": "CRUD operations for user tasks"},
 ]

backend/app/core/security.py

@@ -1,4 +1,10 @@
+import hashlib
+import hmac
+import secrets
+from typing import Tuple
+
 from passlib.context import CryptContext
+from app.core.config import settings
 
 # ---------------------------- #
 # Password Hashing
@@ -12,3 +18,30 @@ def hash_password(password: str):
 
 def verify_password(plain_password: str, hashed_password: str):
     return pwd_context.verify(plain_password, hashed_password)
+
+
+def generate_api_key() -> Tuple[str, str, str]:
+    """
+    Returns (display_key, prefix, secret_hash).
+    display_key is what you show once: "tsk_<prefix>_<secret>"
+    Store only secret_hash in DB using SHA256.
+    """
+    prefix = secrets.token_hex(3)  # short, user-visible fragment
+    secret = secrets.token_urlsafe(32)
+    raw = f"{prefix}.{secret}"
+    secret_hash = hashlib.sha256(raw.encode("utf-8")).hexdigest()
+    display_key = f"{settings.API_KEY_PREFIX}_{prefix}_{secret}"
+    return display_key, prefix, secret_hash
+
+
+def hash_email_token(raw_token: str) -> str:
+    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()
+
+
+def generate_email_token() -> Tuple[str, str]:
+    raw = secrets.token_urlsafe(32)
+    return raw, hash_email_token(raw)
+
+
+def constant_time_equals(a: str, b: str) -> bool:
+    return hmac.compare_digest(a, b)

backend/app/core/timeutils.py

@@ -0,0 +1,7 @@
+from datetime import datetime, timezone
+
+
+def as_aware_utc(dt: datetime | None) -> datetime | None:
+    if dt is None:
+        return None
+    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

backend/app/crud/apikey.py

@@ -0,0 +1,66 @@
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import Optional
+
+from app.core.security import generate_api_key
+from app.models.apikey import APIKey
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+
+async def create_api_key(
+    db: AsyncSession,
+    user_id: int,
+    name: str,
+    scopes_json: Optional[str],
+    expires_at: Optional[datetime],
+):
+    display_key, prefix, secret_hash = generate_api_key()
+    key = APIKey(
+        user_id=user_id,
+        name=name,
+        prefix=prefix,
+        secret_hash=secret_hash,
+        scopes=scopes_json,
+        expires_at=expires_at,
+        revoked=False,
+    )
+    db.add(key)
+    await db.commit()
+    await db.refresh(key)
+    return key, display_key
+
+
+async def list_api_keys(db: AsyncSession, user_id: int):
+    q = select(APIKey).where(APIKey.user_id == user_id).order_by(APIKey.created_at.desc())
+    res = await db.execute(q)
+    return list(res.scalars())
+
+
+async def revoke_api_key(db: AsyncSession, user_id: int, key_id: int) -> bool:
+    q = select(APIKey).where(APIKey.id == key_id, APIKey.user_id == user_id)
+    res = await db.execute(q)
+    key = res.scalar_one_or_none()
+    if not key or key.revoked:
+        return False
+    key.revoked = True
+    key.revoked_at = datetime.now(timezone.utc)
+    await db.commit()
+    return True
+
+
+async def get_key_by_hash(db: AsyncSession, secret_hash: str) -> Optional[APIKey]:
+    q = select(APIKey).where(APIKey.secret_hash == secret_hash)
+    res = await db.execute(q)
+    return res.scalar_one_or_none()
+
+
+async def delete_api_key(db, user_id: int, key_id: int) -> bool:
+    res = await db.execute(select(APIKey).where(APIKey.id == key_id, APIKey.user_id == user_id))
+    key = res.scalar_one_or_none()
+    if not key:
+        return False
+    await db.delete(key)
+    await db.commit()
+    return True