Michael Chihlas
ac89e7b2fa
Server-assigns a uuid4 id to every AI-generated node (Finding 1 showstopper:
nodes had no id but the advance protocol keys on node_id, so ai_build walks
never advanced past question 1). Replaces the hidden {"node_type":"meta"}
walked_path convention with real category/problem_text/pending_node columns on
l1_walk_sessions (migration 61dda4f615c6) — fixes junk proposals + off-by-one
depth cap (Findings 8,9), and pending_node replays the served node on re-mount
(no duplicate paid LLM call). Intake honors explicit flow_id and adhoc=True
(Findings 4,5); flow_proposals.l1_session_id FK -> CASCADE (Finding 6 time
bomb); L1 category GET is owner+admin like PATCH and require_account_owner_or_admin
delegates to User.can_manage_account (Finding 7); escalate falls back to default
recipients + filters deleted_at + warns when empty (Finding 10). Cleanups: dead
ticket_ref removed, IntakeResponse per-outcome validator, unused acknowledged
dropped, escalations partial index, restored a deleted audit assertion.
Full Phase 2A backend set: 110 passed / 0 failed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
464 lines
15 KiB
Python
464 lines
15 KiB
Python
from typing import Annotated, Optional
|
|
from uuid import UUID
|
|
from fastapi import Depends, HTTPException, Request, status
|
|
from fastapi.security import OAuth2PasswordBearer
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
from sqlalchemy import select
|
|
import sentry_sdk
|
|
|
|
from app.core.database import get_db
|
|
from jose import JWTError
|
|
|
|
from app.core.security import (
|
|
IdleTokenExpired,
|
|
decode_refresh_token_strict,
|
|
decode_token,
|
|
)
|
|
from app.models.user import User
|
|
from app.models.plan_limits import PlanLimits
|
|
from app.core.tenant_context import set_current_account_id, clear_current_account_id
|
|
from app.core.admin_database import get_admin_db # noqa: F401 — re-exported for use in endpoints
|
|
|
|
# Routes that are allowed even when must_change_password is True
|
|
_PASSWORD_CHANGE_ALLOWLIST = {
|
|
"/api/v1/auth/password/change",
|
|
"/api/v1/auth/logout",
|
|
"/api/v1/auth/me",
|
|
}
|
|
|
|
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
|
|
|
|
|
|
async def get_current_user(
|
|
db: Annotated[AsyncSession, Depends(get_admin_db)],
|
|
token: Annotated[str, Depends(oauth2_scheme)]
|
|
) -> User:
|
|
"""Get current authenticated user from JWT token.
|
|
|
|
Must use get_admin_db (BYPASSRLS): this dep runs before require_tenant_context
|
|
sets app.current_account_id, so the users table RLS would block the lookup.
|
|
"""
|
|
credentials_exception = HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Could not validate credentials",
|
|
headers={"WWW-Authenticate": "Bearer"},
|
|
)
|
|
|
|
payload = decode_token(token)
|
|
if payload is None:
|
|
raise credentials_exception
|
|
|
|
token_type = payload.get("type")
|
|
if token_type != "access":
|
|
raise credentials_exception
|
|
|
|
user_id: str = payload.get("sub")
|
|
if user_id is None:
|
|
raise credentials_exception
|
|
|
|
try:
|
|
user_uuid = UUID(user_id)
|
|
except ValueError:
|
|
raise credentials_exception
|
|
|
|
result = await db.execute(select(User).where(User.id == user_uuid))
|
|
user = result.scalar_one_or_none()
|
|
|
|
if user is None:
|
|
raise credentials_exception
|
|
|
|
return user
|
|
|
|
|
|
async def get_current_user_optional(
|
|
request: Request,
|
|
db: Annotated[AsyncSession, Depends(get_admin_db)],
|
|
) -> Optional[User]:
|
|
"""Best-effort current user for endpoints that work both anonymous and authed.
|
|
|
|
Returns None on missing/invalid/expired token instead of raising. Used by
|
|
surfaces like /config/public that anonymous clients can hit but where an
|
|
authenticated user gets a tailored response (e.g. INTERNAL_TESTER_EMAILS
|
|
allowlist override).
|
|
"""
|
|
auth_header = request.headers.get("Authorization") or request.headers.get("authorization")
|
|
if not auth_header or not auth_header.lower().startswith("bearer "):
|
|
return None
|
|
token = auth_header.split(None, 1)[1].strip()
|
|
if not token:
|
|
return None
|
|
|
|
payload = decode_token(token)
|
|
if payload is None or payload.get("type") != "access":
|
|
return None
|
|
|
|
user_id = payload.get("sub")
|
|
if user_id is None:
|
|
return None
|
|
try:
|
|
user_uuid = UUID(user_id)
|
|
except ValueError:
|
|
return None
|
|
|
|
result = await db.execute(select(User).where(User.id == user_uuid))
|
|
return result.scalar_one_or_none()
|
|
|
|
|
|
async def get_refresh_token_payload(
|
|
token: Annotated[str, Depends(oauth2_scheme)]
|
|
) -> dict:
|
|
"""Extract and validate a refresh token from the Authorization header.
|
|
|
|
Returns one of three outcomes via HTTP 401 `detail`:
|
|
- `session_expired_idle` — JWT signature valid but `exp` past
|
|
- `invalid_refresh_token` — any other decode failure, or `type != "refresh"`
|
|
- (200 path) — returns the decoded payload
|
|
|
|
The frontend uses these to choose between the "your session ended for
|
|
security" banner and a plain logout redirect. See
|
|
docs/plans/2026-05-13-session-expiration-policy.md §4.10.
|
|
"""
|
|
try:
|
|
payload = decode_refresh_token_strict(token)
|
|
except IdleTokenExpired:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="session_expired_idle",
|
|
headers={"WWW-Authenticate": "Bearer"},
|
|
)
|
|
except JWTError:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="invalid_refresh_token",
|
|
headers={"WWW-Authenticate": "Bearer"},
|
|
)
|
|
if payload.get("type") != "refresh":
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="invalid_refresh_token",
|
|
headers={"WWW-Authenticate": "Bearer"},
|
|
)
|
|
return payload
|
|
|
|
|
|
async def get_current_active_user(
|
|
request: Request,
|
|
current_user: Annotated[User, Depends(get_current_user)],
|
|
db: Annotated[AsyncSession, Depends(get_admin_db)],
|
|
) -> User:
|
|
"""Ensure user is active (not disabled). Enforces must_change_password —
|
|
blocks all routes except allowlist.
|
|
|
|
Trial expiry enforcement now happens via require_active_subscription in
|
|
individual routers, NOT here. This dep no longer mutates Subscription
|
|
state.
|
|
"""
|
|
if not current_user.is_active:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Account has been deactivated"
|
|
)
|
|
|
|
# Enforce must_change_password (backend hard lock)
|
|
if current_user.must_change_password:
|
|
if request.url.path not in _PASSWORD_CHANGE_ALLOWLIST:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="password_change_required"
|
|
)
|
|
|
|
# Set Sentry user context for error attribution
|
|
sentry_sdk.set_user({"id": str(current_user.id), "email": current_user.email})
|
|
|
|
return current_user
|
|
|
|
|
|
async def require_admin(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Require super admin access."""
|
|
if not current_user.is_super_admin:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Super admin access required"
|
|
)
|
|
return current_user
|
|
|
|
|
|
async def require_engineer_or_admin(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Require engineer, account owner, or super admin role (blocks viewers)."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
if current_user.account_role in ("owner", "admin", "engineer"):
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Engineer or admin access required"
|
|
)
|
|
|
|
|
|
async def require_l1(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""L1 tech exact-match (with super_admin bypass for support)."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
if current_user.account_role != "l1_tech":
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="L1 tech role required",
|
|
)
|
|
return current_user
|
|
|
|
|
|
async def require_l1_or_coverage(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""L1 endpoints: l1_tech, owners, super_admin, or engineers with can_cover_l1=True."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
role = current_user.account_role
|
|
if role == "l1_tech":
|
|
return current_user
|
|
if role == "owner":
|
|
return current_user
|
|
if role == "engineer" and current_user.can_cover_l1:
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="L1 access requires l1_tech role or engineer coverage flag",
|
|
)
|
|
|
|
|
|
async def require_l1_or_above(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Any tier from l1_tech upward (l1_tech, engineer, owner, super_admin)."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
if current_user.account_role in ("l1_tech", "engineer", "owner"):
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="L1 or above required",
|
|
)
|
|
|
|
|
|
async def require_team_admin(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Require team admin, account owner, or super admin role."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
if current_user.is_team_admin:
|
|
return current_user
|
|
if current_user.account_role == "owner":
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Team admin access required"
|
|
)
|
|
|
|
|
|
async def require_account_owner(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Require account owner or super admin access."""
|
|
if current_user.is_super_admin:
|
|
return current_user
|
|
if current_user.account_role == "owner":
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Account owner access required"
|
|
)
|
|
|
|
|
|
async def require_account_owner_or_admin(
|
|
current_user: Annotated[User, Depends(get_current_active_user)]
|
|
) -> User:
|
|
"""Require account owner or account-admin (blocks engineers); super_admin bypass.
|
|
|
|
Delegates to ``User.can_manage_account`` so the rule lives in exactly one place.
|
|
"""
|
|
if current_user.can_manage_account:
|
|
return current_user
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Account owner or admin access required",
|
|
)
|
|
|
|
|
|
def get_service_account_id(request: Request) -> Optional[UUID]:
|
|
"""Return the cached ResolutionFlow service account UUID from app.state.
|
|
|
|
Returns None in test environments where lifespan startup did not run.
|
|
"""
|
|
return getattr(request.app.state, "service_account_id", None)
|
|
|
|
|
|
async def get_plan_limits_for_user(
|
|
current_user: Annotated[User, Depends(get_current_active_user)],
|
|
db: Annotated[AsyncSession, Depends(get_db)],
|
|
) -> Optional[PlanLimits]:
|
|
"""Get plan limits for the current user's account."""
|
|
from app.core.subscriptions import get_user_plan_limits
|
|
return await get_user_plan_limits(current_user.account_id, db)
|
|
|
|
|
|
async def require_tenant_context(
|
|
current_user: Annotated[User, Depends(get_current_active_user)],
|
|
):
|
|
"""Set per-request tenant context for RLS.
|
|
|
|
Raises 403 if the authenticated user has no account_id — never falls back
|
|
to PLATFORM_ACCOUNT_ID (that would grant platform-scope access to a
|
|
malformed account).
|
|
|
|
Sets the ContextVar that the SQLAlchemy transaction-begin listener reads to
|
|
issue set_config('app.current_account_id', …, true) on every transaction.
|
|
|
|
Applied to every user-facing router. NOT applied to /admin/* routers or
|
|
public endpoints (auth, shared, webhooks).
|
|
"""
|
|
if current_user.account_id is None:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="User account required",
|
|
)
|
|
token = set_current_account_id(current_user.account_id)
|
|
try:
|
|
yield
|
|
finally:
|
|
clear_current_account_id(token)
|
|
|
|
|
|
async def require_admin_db(
|
|
db: Annotated[AsyncSession, Depends(get_admin_db)],
|
|
current_user: Annotated[User, Depends(require_admin)],
|
|
) -> AsyncSession:
|
|
"""Return a BYPASSRLS admin DB session after verifying super_admin role.
|
|
|
|
Use on /admin/* endpoints that query RLS-protected tables. Replaces
|
|
Depends(get_db) on the db parameter of those endpoints.
|
|
The current_user dep is still declared separately on the endpoint if
|
|
the user object is needed in the handler.
|
|
"""
|
|
return db
|
|
|
|
|
|
_SUBSCRIPTION_GUARD_ALLOWLIST = {
|
|
"/api/v1/auth/me",
|
|
"/api/v1/auth/logout",
|
|
"/api/v1/auth/password/change",
|
|
"/api/v1/auth/email/send-verification",
|
|
"/api/v1/auth/email/verify",
|
|
"/api/v1/billing/state",
|
|
"/api/v1/billing/checkout-session",
|
|
"/api/v1/billing/portal-session",
|
|
"/api/v1/users/me",
|
|
"/api/v1/users/me/onboarding-step",
|
|
"/api/v1/users/me/onboarding-dismiss-rest",
|
|
}
|
|
|
|
|
|
async def require_active_subscription(
|
|
request: Request,
|
|
current_user: Annotated[User, Depends(get_current_active_user)],
|
|
db: Annotated[AsyncSession, Depends(get_admin_db)],
|
|
):
|
|
"""Returns the Subscription row when the account has access; raises 402
|
|
when locked. Mounted on routers requiring Pro entitlement.
|
|
|
|
'Locked' = (trialing AND current_period_end < now()) OR
|
|
(canceled OR incomplete OR no subscription).
|
|
Active states: active, complimentary, trialing-with-time-remaining, past_due.
|
|
"""
|
|
if request.url.path in _SUBSCRIPTION_GUARD_ALLOWLIST:
|
|
return None
|
|
|
|
from app.models.subscription import Subscription
|
|
from datetime import datetime, timezone
|
|
|
|
result = await db.execute(
|
|
select(Subscription).where(Subscription.account_id == current_user.account_id)
|
|
)
|
|
sub = result.scalar_one_or_none()
|
|
|
|
if sub is None:
|
|
raise HTTPException(
|
|
status_code=402,
|
|
detail={"error": "no_subscription", "upgrade_url": "/account/billing/select-plan"},
|
|
)
|
|
|
|
now = datetime.now(timezone.utc)
|
|
is_live = (
|
|
sub.status in ("active", "complimentary", "past_due")
|
|
or (
|
|
sub.status == "trialing"
|
|
and sub.current_period_end is not None
|
|
and sub.current_period_end > now
|
|
)
|
|
)
|
|
if not is_live:
|
|
raise HTTPException(
|
|
status_code=402,
|
|
detail={
|
|
"error": "subscription_inactive",
|
|
"status": sub.status,
|
|
"plan": sub.plan,
|
|
"current_period_end": sub.current_period_end.isoformat() if sub.current_period_end else None,
|
|
"upgrade_url": "/account/billing/select-plan",
|
|
},
|
|
)
|
|
|
|
return sub
|
|
|
|
|
|
_EMAIL_VERIFICATION_ALLOWLIST = {
|
|
"/api/v1/auth/me",
|
|
"/api/v1/auth/logout",
|
|
"/api/v1/auth/email/send-verification",
|
|
"/api/v1/auth/email/verify",
|
|
"/api/v1/auth/password/change",
|
|
"/api/v1/users/me",
|
|
"/api/v1/users/me/onboarding-step",
|
|
"/api/v1/users/me/onboarding-dismiss-rest",
|
|
"/api/v1/billing/state",
|
|
"/api/v1/billing/checkout-session",
|
|
"/api/v1/billing/portal-session",
|
|
}
|
|
|
|
VERIFICATION_GRACE_DAYS = 7
|
|
|
|
|
|
async def require_verified_email_after_grace(
|
|
request: Request,
|
|
current_user: Annotated[User, Depends(get_current_active_user)],
|
|
):
|
|
"""Enforces 'this user has verified email OR is still in 7-day grace.'
|
|
OAuth signups bypass cleanly because /auth/{google,microsoft}/callback
|
|
sets users.email_verified_at = now() (provider-attested)."""
|
|
from datetime import datetime, timezone, timedelta
|
|
|
|
if request.url.path in _EMAIL_VERIFICATION_ALLOWLIST:
|
|
return
|
|
|
|
if current_user.email_verified_at is not None:
|
|
return
|
|
|
|
grace_ends = current_user.created_at + timedelta(days=VERIFICATION_GRACE_DAYS)
|
|
if datetime.now(timezone.utc) < grace_ends:
|
|
return
|
|
|
|
raise HTTPException(
|
|
status_code=403,
|
|
detail={
|
|
"error": "email_not_verified",
|
|
"grace_ended_at": grace_ends.isoformat(),
|
|
"resend_url": "/api/v1/auth/email/send-verification",
|
|
},
|
|
)
|