Promptly-Technologies-LLC
diff --git a/‎main.py
Lines changed: 23 additions & 6 deletions b/‎main.py
Lines changed: 23 additions & 6 deletions
diff --git a/‎routers/authentication.py
Lines changed: 145 additions & 8 deletions b/‎routers/authentication.py
Lines changed: 145 additions & 8 deletions
diff --git a/‎routers/organization.py
Lines changed: 2 additions & 3 deletions b/‎routers/organization.py
Lines changed: 2 additions & 3 deletions
diff --git a/‎routers/role.py
Lines changed: 0 additions & 10 deletions b/‎routers/role.py
Lines changed: 0 additions & 10 deletions
diff --git a/‎routers/user.py
Lines changed: 0 additions & 4 deletions b/‎routers/user.py
Lines changed: 0 additions & 4 deletions
diff --git a/‎templates/authentication/register.html
Lines changed: 1 addition & 2 deletions b/‎templates/authentication/register.html
Lines changed: 1 addition & 2 deletions
diff --git a/‎templates/authentication/reset_password.html
Lines changed: 1 addition & 1 deletion b/‎templates/authentication/reset_password.html
Lines changed: 1 addition & 1 deletion
diff --git a/‎templates/components/header.html
Lines changed: 5 additions & 1 deletion b/‎templates/components/header.html
Lines changed: 5 additions & 1 deletion
@@ -8,8 +8,16 @@
 from fastapi.exceptions import RequestValidationError, HTTPException, StarletteHTTPException
 from sqlmodel import Session
 from routers import authentication, organization, role, user
-from utils.auth import get_user_with_relations, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
-from utils.models import User, Organization
+from utils.auth import (
+    HTML_PASSWORD_PATTERN,
+    get_user_with_relations,
+    get_optional_user,
+    NeedsNewTokens,
+    get_user_from_reset_token,
+    PasswordValidationError,
+    AuthenticationError
+)
+from utils.models import User
 from utils.db import get_session, set_up_db
 from utils.images import MAX_FILE_SIZE, MIN_DIMENSION, MAX_DIMENSION, ALLOWED_CONTENT_TYPES
 
@@ -25,7 +33,7 @@ async def lifespan(app: FastAPI):
     # Optional shutdown logic
 
 
-app = FastAPI(lifespan=lifespan)
+app: FastAPI = FastAPI(lifespan=lifespan)
 
 # Mount static files (e.g., CSS, JS)
 app.mount("/static", StaticFiles(directory="static"), name="static")
@@ -161,10 +169,12 @@ async def read_home(
 
 @app.get("/login")
 async def read_login(
-    params: dict = Depends(common_unauthenticated_parameters)
+    params: dict = Depends(common_unauthenticated_parameters),
+    email_updated: Optional[str] = "false"
 ):
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
+    params["email_updated"] = email_updated
     return templates.TemplateResponse(params["request"], "authentication/login.html", params)
 
 
@@ -174,6 +184,8 @@ async def read_register(
 ):
     if params["user"]:
         return RedirectResponse(url="/dashboard", status_code=302)
+
+    params["password_pattern"] = HTML_PASSWORD_PATTERN
     return templates.TemplateResponse(params["request"], "authentication/register.html", params)
 
 
@@ -219,6 +231,7 @@ async def read_reset_password(
 
     params["email"] = email
     params["token"] = token
+    params["password_pattern"] = HTML_PASSWORD_PATTERN
 
     return templates.TemplateResponse(params["request"], "authentication/reset_password.html", params)
 
@@ -245,14 +258,18 @@ async def read_dashboard(
 
 @app.get("/profile")
 async def read_profile(
-    params: dict = Depends(common_authenticated_parameters)
+    params: dict = Depends(common_authenticated_parameters),
+    email_update_requested: Optional[str] = "false",
+    email_updated: Optional[str] = "false"
 ):
     # Add image constraints to the template context
     params.update({
         "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),  # Convert bytes to MB
         "min_dimension": MIN_DIMENSION,
         "max_dimension": MAX_DIMENSION,
-        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys())
+        "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
+        "email_update_requested": email_update_requested,
+        "email_updated": email_updated
     })
     return templates.TemplateResponse(params["request"], "users/profile.html", params)
 
 
@@ -6,7 +6,7 @@
 from fastapi.responses import RedirectResponse
 from pydantic import BaseModel, EmailStr, ConfigDict
 from sqlmodel import Session, select
-from utils.models import User, UserPassword
+from utils.models import User, UserPassword, DataIntegrityError
 from utils.auth import (
     get_session,
     get_user_from_reset_token,
@@ -18,13 +18,50 @@
     create_access_token,
     create_refresh_token,
     validate_token,
-    send_reset_email
+    send_reset_email,
+    send_email_update_confirmation,
+    get_user_from_email_update_token,
+    get_authenticated_user
 )
 
 logger = getLogger("uvicorn.error")
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
+# --- Custom Exceptions ---
+
+
+class EmailAlreadyRegisteredError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=409,
+            detail="This email is already registered"
+        )
+
+
+class InvalidCredentialsError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid credentials"
+        )
+
+
+class InvalidResetTokenError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid or expired password reset token; please request a new one"
+        )
+
+
+class InvalidEmailUpdateTokenError(HTTPException):
+    def __init__(self):
+        super().__init__(
+            status_code=401,
+            detail="Invalid or expired email update token; please request a new one"
+        )
+
 
 # --- Server Request and Response Models ---
 
@@ -105,6 +142,17 @@ async def as_form(
         )
 
 
+class UpdateEmail(BaseModel):
+    new_email: EmailStr
+
+    @classmethod
+    async def as_form(
+        cls,
+        new_email: EmailStr = Form(...)
+    ):
+        return cls(new_email=new_email)
+
+
 # --- DB Request and Response Models ---
 
 
@@ -133,7 +181,7 @@ async def register(
         User.email == user.email)).first()
 
     if db_user:
-        raise HTTPException(status_code=400, detail="Email already registered")
+        raise EmailAlreadyRegisteredError()
 
     # Hash the password
     hashed_password = get_password_hash(user.password)
@@ -150,9 +198,20 @@ async def register(
     refresh_token = create_refresh_token(data={"sub": db_user.email})
     # Set cookie
     response = RedirectResponse(url="/", status_code=303)
-    response.set_cookie(key="access_token", value=access_token, httponly=True)
-    response.set_cookie(key="refresh_token",
-                        value=refresh_token, httponly=True)
+    response.set_cookie(
+        key="access_token",
+        value=access_token,
+        httponly=True,
+        secure=True,
+        samesite="strict"
+    )
+    response.set_cookie(
+        key="refresh_token",
+        value=refresh_token,
+        httponly=True,
+        secure=True,
+        samesite="strict"
+    )
 
     return response
 
@@ -167,7 +226,7 @@ async def login(
         User.email == user.email)).first()
 
     if not db_user or not db_user.password or not verify_password(user.password, db_user.password.hashed_password):
-        raise HTTPException(status_code=400, detail="Invalid credentials")
+        raise InvalidCredentialsError()
 
     # Create access token
     access_token = create_access_token(
@@ -296,7 +355,7 @@ async def reset_password(
         user.email, user.token, session)
 
     if not authorized_user or not reset_token:
-        raise HTTPException(status_code=400, detail="Invalid or expired token")
+        raise InvalidResetTokenError()
 
     # Update password and mark token as used
     if authorized_user.password:
@@ -320,3 +379,81 @@ def logout():
     response.delete_cookie("access_token")
     response.delete_cookie("refresh_token")
     return response
+
+
+@router.post("/update_email")
+async def request_email_update(
+    update: UpdateEmail = Depends(UpdateEmail.as_form),
+    user: User = Depends(get_authenticated_user),
+    session: Session = Depends(get_session)
+):
+    # Check if the new email is already registered
+    existing_user = session.exec(
+        select(User).where(User.email == update.new_email)
+    ).first()
+
+    if existing_user:
+        raise EmailAlreadyRegisteredError()
+
+    if not user.id:
+        raise DataIntegrityError(resource="User id")
+
+    # Send confirmation email
+    send_email_update_confirmation(
+        current_email=user.email,
+        new_email=update.new_email,
+        user_id=user.id,
+        session=session
+    )
+
+    return RedirectResponse(
+        url="/profile?email_update_requested=true",
+        status_code=303
+    )
+
+
+@router.get("/confirm_email_update")
+async def confirm_email_update(
+    user_id: int,
+    token: str,
+    new_email: str,
+    session: Session = Depends(get_session)
+):
+    user, update_token = get_user_from_email_update_token(
+        user_id, token, session
+    )
+
+    if not user or not update_token:
+        raise InvalidResetTokenError()
+
+    # Update email and mark token as used
+    user.email = new_email
+    update_token.used = True
+    session.commit()
+
+    # Create new tokens with the updated email
+    access_token = create_access_token(data={"sub": new_email, "fresh": True})
+    refresh_token = create_refresh_token(data={"sub": new_email})
+
+    # Set cookies before redirecting
+    response = RedirectResponse(
+        url="/profile?email_updated=true",
+        status_code=303
+    )
+
+    # Add secure cookie attributes
+    response.set_cookie(
+        key="access_token",
+        value=access_token,
+        httponly=True,
+        secure=True,
+        samesite="lax"
+    )
+    response.set_cookie(
+        key="refresh_token",
+        value=refresh_token,
+        httponly=True,
+        secure=True,
+        samesite="lax"
+    )
+    return response
@@ -10,6 +10,8 @@
 
 logger = getLogger("uvicorn.error")
 
+router = APIRouter(prefix="/organizations", tags=["organizations"])
+
 # --- Custom Exceptions ---
 
 
@@ -37,9 +39,6 @@ def __init__(self):
         )
 
 
-router = APIRouter(prefix="/organizations", tags=["organizations"])
-
-
 # --- Server Request and Response Models ---
 
 
 
@@ -85,16 +85,6 @@ class RoleUpdate(BaseModel):
     organization_id: int
     permissions: List[ValidPermissions]
 
-    @field_validator("id")
-    @classmethod
-    def validate_role_exists(cls, id: int, info):
-        session = info.context.get("session")
-        if session:
-            role = session.get(Role, id)
-            if not role or not role.id:
-                raise RoleNotFoundError()
-        return id
-
     @classmethod
     async def as_form(
         cls,
 
@@ -16,15 +16,13 @@
 class UpdateProfile(BaseModel):
     """Request model for updating user profile information"""
     name: str
-    email: EmailStr
     avatar_file: Optional[bytes] = None
     avatar_content_type: Optional[str] = None
 
     @classmethod
     async def as_form(
         cls,
         name: str = Form(...),
-        email: EmailStr = Form(...),
         avatar_file: Optional[UploadFile] = File(None),
     ):
         avatar_data = None
@@ -36,7 +34,6 @@ async def as_form(
 
         return cls(
             name=name,
-            email=email,
             avatar_file=avatar_data,
             avatar_content_type=avatar_content_type
         )
@@ -73,7 +70,6 @@ async def update_profile(
 
     # Update user details
     user.name = user_profile.name
-    user.email = user_profile.email
 
     if user_profile.avatar_file:
         user.avatar_data = user_profile.avatar_file
 
@@ -24,9 +24,8 @@
         <!-- Password Input -->
         <div class="mb-3">
             <label for="password" class="form-label">Password</label>
-            <!-- Make sure 9g,X*88w[6"W and ^94cPSf2^)z2^,& pass validation -->
             <input type="password" class="form-control" id="password" name="password" 
-                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]{8,}"
+                   pattern="{{ password_pattern }}"
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    placeholder="Enter your password" required
                    autocomplete="new-password">
 
@@ -19,7 +19,7 @@
         <div class="mb-3">
             <label for="new_password" class="form-label">New Password</label>
             <input type="password" class="form-control" id="new_password" name="new_password" 
-            pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~]{8,}" 
+                   pattern="{{ password_pattern }}" 
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    required autocomplete="new-password">
             <div class="invalid-feedback">
 
@@ -24,7 +24,11 @@
                 <li class="nav-item dropdown">
                     <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                         <button class="profile-button btn p-0 border-0 bg-transparent">
-                            {{ render_silhouette() }}
+                            {% if user.avatar_data %}
+                                <img src="{{ url_for('get_avatar') }}" alt="User Avatar" class="d-inline-block align-top" width="30" height="30" style="border-radius: 50%;">
+                            {% else %}
+                                {{ render_silhouette() }}
+                            {% endif %}
                         </button>
                     </a>
                     <ul class="dropdown-menu dropdown-menu-end" aria-labelledby="navbarDropdown">