Merge pull request #7 from Quenary/async-backend

Async backend

Author: Quenary

.env.example

@@ -20,11 +20,15 @@ ACCESS_TOKEN_LIFETIME_MIN=5
 REFRESH_TOKEN_LIFETIME_MIN=43200
 PASSWORD_RECOVERY_CODE_LIFETIME_MIN=15
 
-# Default is sqlite file located in container's /cardholder_pwa,
-# mounted to $HOME/.cardholder_pwa if using provided docker command or docker-compose
-# DB_URL=sqlite:////cardholder_pwa/cardholder_pwa.db
+# Default is sqlite file located in container's "/cardholder_pwa/cardholder_pwa.db",
+# mounted to host's "$HOME/.cardholder_pwa" if using provided docker command or docker-compose
+# DB_URL=sqlite+aiosqlite:////cardholder_pwa/cardholder_pwa.db
+# Supported drivers are:
+# "sqlite+aiosqlite:" for sqlite
+# "postgresql+asyncpg:" for postgresql
+# "mysql+asyncmy:" for mysql or mariadb
 DB_URL=
-DB_CLEANUP_INTERVAL_MIN=60
+DB_CLEANUP_INTERVAL_MIN=360
 
 # SMTP client configuration.
 # It is used to send password recovery emails.

backend/alembic/env.py

@@ -1,11 +1,6 @@
-from app.db import Base, engine
-
-
+from app.db import Base, async_engine
 from logging.config import fileConfig
-
-from sqlalchemy import engine_from_config
-from sqlalchemy import pool
-
+import asyncio
 from alembic import context
 
 # this is the Alembic Config object, which provides
@@ -53,27 +48,22 @@ def run_migrations_offline() -> None:
         context.run_migrations()
 
 
-def run_migrations_online() -> None:
-    """Run migrations in 'online' mode.
+def do_run_migrations(connection):
+    context.configure(connection=connection, target_metadata=target_metadata)
+
+    with context.begin_transaction():
+        context.run_migrations()
 
-    In this scenario we need to create an Engine
-    and associate a connection with the context.
 
-    """
-    # connectable = engine_from_config(
-    #     config.get_section(config.config_ini_section, {}),
-    #     prefix="sqlalchemy.",
-    #     poolclass=pool.NullPool,
-    # )
-    connectable = engine
-
-    with connectable.connect() as connection:
-        context.configure(
-            connection=connection, target_metadata=target_metadata
-        )
-
-        with context.begin_transaction():
-            context.run_migrations()
+async def run_migrations_async():
+    connectable = async_engine
+    async with async_engine.connect() as connection:
+        await connection.run_sync(do_run_migrations)
+    await connectable.dispose()
+
+
+def run_migrations_online() -> None:
+    asyncio.run(run_migrations_async())
 
 
 if context.is_offline_mode():

backend/app/api/admin.py

@@ -2,71 +2,91 @@
 import app.schemas as schemas, app.enums as enums
 from app.db import models
 from app.core import auth
-from sqlalchemy.orm import Session
-from app.db import get_db
+from app.db import get_async_session
 from app.core.user import delete_user
 from app.core.smtp import EmailSender
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
 
 router = APIRouter(tags=["admin"], prefix="/admin")
 
 
 @router.get("/users", response_model=list[schemas.User])
-def get_users_list(
-    db: Session = Depends(get_db), admin: models.User = Depends(auth.is_user_admin)
+async def get_users_list(
+    session: AsyncSession = Depends(get_async_session),
+    _: models.User = Depends(auth.is_user_admin),
 ):
-    return db.query(models.User).all()
+    stmt = select(models.User)
+    result = await session.execute(stmt)
+    return result.scalars().all()
 
 
 @router.delete("/users/{user_id}")
-def admin_delete_user(
+async def admin_delete_user(
     user_id: int,
-    db: Session = Depends(get_db),
+    session: AsyncSession = Depends(get_async_session),
     admin: models.User = Depends(auth.is_user_admin),
 ):
     if user_id == admin.id:
         raise HTTPException(
             403, "Admin cannot delete his own account with this function."
         )
 
-    user = db.query(models.User).filter_by(id=user_id).first()
+    stmt = select(models.User).where(models.User.id == user_id).limit(1)
+    result = await session.execute(stmt)
+    user = result.scalar_one_or_none()
+
     if not user:
         raise HTTPException(404, "User not found")
 
-    return delete_user(db, user)
+    if (
+        admin.role_code == enums.EUserRole.ADMIN
+        and user.role_code == enums.EUserRole.ADMIN
+    ):
+        raise HTTPException(403, "Admin cannot delete admin.")
+
+    return await delete_user(session, user)
 
 
 @router.put(
     "/users/role", description="Change the user role. Only owner can change roles."
 )
-def owner_change_user_role(
+async def owner_change_user_role(
     user_id: int,
     role_code: enums.EUserRole,
-    db: Session = Depends(get_db),
-    admin: models.User = Depends(auth.is_user_owner),
+    session: AsyncSession = Depends(get_async_session),
+    owner: models.User = Depends(auth.is_user_owner),
 ):
+    owner_assign_error = HTTPException(403, "Owner role cannot be reassigned.")
+
     if role_code == enums.EUserRole.OWNER:
-        raise HTTPException(403, "Owner role cannot be assigned.")
+        raise owner_assign_error
 
-    if user_id == admin.id:
-        raise HTTPException(403, "Owner cannot change his own role.")
+    if user_id == owner.id:
+        raise owner_assign_error
+
+    stmt = select(models.User).where(models.User.id == user_id).limit(1)
+    result = await session.execute(stmt)
+    user = result.scalar_one_or_none()
 
-    user = db.query(models.User).filter_by(id=user_id).first()
     if not user:
         raise HTTPException(404, "User not found")
 
-    if user.role_code == enums.EUserRole.OWNER:
-        raise HTTPException(403, "Owner role cannot be reassigned.")
-
     user.role_code = role_code
-    db.commit()
+    await session.commit()
+    await session.refresh(user)
+    return {"detail": "User role has been changed"}
 
 
 @router.get("/settings", response_model=schemas.GetSettingsRequest)
-def get_system_settings(
-    db: Session = Depends(get_db), admin: models.User = Depends(auth.is_user_admin)
+async def get_system_settings(
+    session: AsyncSession = Depends(get_async_session),
+    _: models.User = Depends(auth.is_user_admin),
 ):
-    settings = db.query(models.Setting).all()
-    result = []
+    stmt = select(models.Setting)
+    result = await session.execute(stmt)
+    settings = result.scalars()
+    res = []
     for s in settings:
         val = s.value
         try:
@@ -79,7 +99,7 @@ def get_system_settings(
         except Exception:
             pass
 
-        result.append(
+        res.append(
             {
                 "key": s.key,
                 "value": val,
@@ -88,17 +108,19 @@ def get_system_settings(
             }
         )
 
-    return result
+    return res
 
 
 @router.patch("/settings")
-def change_system_settings(
+async def change_system_settings(
     request: list[schemas.PatchSettingsRequestItem],
-    db: Session = Depends(get_db),
-    admin: models.User = Depends(auth.is_user_admin),
+    session: AsyncSession = Depends(get_async_session),
+    _: models.User = Depends(auth.is_user_admin),
 ):
     for s in request:
-        setting = db.query(models.Setting).filter_by(key=s.key).first()
+        stmt = select(models.Setting).where(models.Setting.key == s.key).limit(1)
+        result = await session.execute(stmt)
+        setting = result.scalar_one_or_none()
         if not setting:
             raise HTTPException(status_code=404, detail=f"Setting '{s.key}' not found")
         if setting.value_type != type(s.value).__name__:
@@ -108,17 +130,17 @@ def change_system_settings(
 
         setting.value = str(s.value)
 
-    db.commit()
+    await session.commit()
     return {"status": "updated", "count": len(request)}
 
 
 @router.get("/smtp/status", response_model=bool)
-def get_smtp_status(_: models.User = Depends(auth.is_user_admin)):
+async def get_smtp_status(_: models.User = Depends(auth.is_user_admin)):
     return EmailSender.status()
 
 
 @router.post("/smtp/test")
-def send_test_email(admin: models.User = Depends(auth.is_user_admin)):
+async def send_test_email(admin: models.User = Depends(auth.is_user_admin)):
     EmailSender.send_email(
         admin.email,
         "Test email from Cardholder PWA",

backend/app/api/auth.py

@@ -1,63 +1,89 @@
 from fastapi import APIRouter, Depends, HTTPException, status, Request
-from sqlalchemy.orm import Session
 import app.db.models as models, app.db as db, app.schemas as schemas, app.core.auth as auth
 from fastapi.security import OAuth2PasswordRequestForm
-from typing import cast
-from starlette.datastructures import Address
 from app.helpers import now
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from sqlalchemy.orm import selectinload
 
 router = APIRouter(tags=["auth"])
 
 
 @router.post("/token", response_model=schemas.TokenResponse)
-def login(
+async def login(
     request: Request,
     form_data: OAuth2PasswordRequestForm = Depends(),
-    db: Session = Depends(db.get_db),
+    session: AsyncSession = Depends(db.get_async_session),
 ):
-    user = auth.authenticate_user(db, form_data.username, form_data.password)
+    user = await auth.authenticate_user(session, form_data.username, form_data.password)
     if not user:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )
     access_token, access_exp = auth.create_access_token({"sub": user.username})
-    refresh_token = auth.create_refresh_token(
+    refresh_token = await auth.create_refresh_token(
         user.id,
-        db,
+        session,
         request.headers.get("user-agent"),
-        cast(Address, request.client).host,
+        request.client.host if request.client else None,
     )
     return auth.build_token_response(access_token, access_exp, refresh_token)
 
 
 @router.post("/token/refresh", response_model=schemas.TokenResponse)
-def refresh_token(
+async def refresh_token(
     request: Request,
     form: schemas.RefreshRequest,
-    db: Session = Depends(db.get_db),
+    session: AsyncSession = Depends(db.get_async_session),
 ):
-    db_token = (
-        db.query(models.RefreshToken)
-        .filter_by(token=form.refresh_token, revoked=False)
-        .first()
+    stmt = (
+        select(models.RefreshToken)
+        .where(
+            models.RefreshToken.token == form.refresh_token,
+            models.RefreshToken.revoked == False,
+            models.RefreshToken.expires_at > now(),
+        )
+        .options(selectinload(models.RefreshToken.user))
+        .limit(1)
     )
-    if not db_token or db_token.expires_at < now():
+    result = await session.execute(stmt)
+    db_token = result.scalar_one_or_none()
+    if not db_token:
         raise HTTPException(status_code=401, detail="Invalid or expired refresh token")
+
+    db_token.revoked = True
+    await session.commit()
+
     user = db_token.user
-    auth.revoke_refresh_token(db, db_token.token)
     access_token, access_exp = auth.create_access_token({"sub": user.username})
-    new_refresh = auth.create_refresh_token(
+    new_refresh = await auth.create_refresh_token(
         user.id,
-        db,
+        session,
         request.headers.get("user-agent"),
-        cast(Address, request.client).host,
+        request.client.host if request.client else None,
     )
     return auth.build_token_response(access_token, access_exp, new_refresh)
 
 
 @router.post("/logout")
-def logout(form: schemas.RevokeRequest, db: Session = Depends(db.get_db)):
-    auth.revoke_refresh_token(db, form.refresh_token)
+async def logout(
+    form: schemas.RevokeRequest,
+    session: AsyncSession = Depends(db.get_async_session),
+    _=Depends(auth.is_user),
+):
+    stmt = (
+        select(models.RefreshToken)
+        .where(
+            models.RefreshToken.token == form.refresh_token,
+            models.RefreshToken.revoked == False,
+        )
+        .limit(1)
+    )
+    result = await session.execute(stmt)
+    db_token = result.scalar_one_or_none()
+    if db_token:
+        db_token.revoked = True
+        await session.commit()
     return {"detail": "Logged out successfully."}