Files
certificate-system/backend/app/api/deps.py

39 lines
1.4 KiB
Python

from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from sqlalchemy.orm import Session
from app.core.security import decode_access_token
from app.db.session import get_db
from app.models import AdminUser
bearer_scheme = HTTPBearer(auto_error=False)
ROLE_ALIASES = {
"admin": "system_admin",
}
def get_current_admin(
credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
db: Session = Depends(get_db),
) -> AdminUser:
if credentials is None:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
payload = decode_access_token(credentials.credentials)
if not payload:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
admin = db.get(AdminUser, int(payload["sub"]))
if not admin or admin.status != "active":
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Inactive user")
return admin
def require_roles(*role_codes: str):
def checker(admin: AdminUser = Depends(get_current_admin)) -> AdminUser:
role_code = ROLE_ALIASES.get(admin.role_code, admin.role_code)
if role_code not in role_codes:
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Permission denied")
return admin
return checker