cloudcost-cli 0.1.0__py3-none-any.whl

backend/__init__.py

@@ -0,0 +1 @@
+"""CloudCost AI backend package."""

backend/app/__init__.py

@@ -0,0 +1 @@
+"""Application modules for CloudCost AI."""

backend/app/auth.py

@@ -0,0 +1,104 @@
+import base64
+import hashlib
+import hmac
+import re
+import secrets
+from datetime import UTC, datetime, timedelta
+from typing import Any
+
+from pydantic import BaseModel, Field
+
+from backend.app.config import Settings
+
+
+EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
+PASSWORD_ITERATIONS = 260_000
+
+
+class SignupRequest(BaseModel):
+    email: str
+    password: str = Field(min_length=8, max_length=256)
+    full_name: str | None = Field(default=None, max_length=160)
+    company: str | None = Field(default=None, max_length=160)
+
+
+class VerifySignupRequest(BaseModel):
+    email: str
+    code: str = Field(min_length=4, max_length=12)
+
+
+class ResendSignupOtpRequest(BaseModel):
+    email: str
+
+
+class LoginRequest(BaseModel):
+    email: str
+    password: str = Field(min_length=1, max_length=256)
+
+
+def normalize_email(email: str) -> str:
+    normalized = email.strip().lower()
+    if not EMAIL_PATTERN.match(normalized):
+        raise ValueError("Enter a valid email address.")
+    return normalized
+
+
+def utc_now() -> datetime:
+    return datetime.now(tz=UTC)
+
+
+def hash_password(password: str) -> str:
+    salt = secrets.token_bytes(16)
+    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PASSWORD_ITERATIONS)
+    return "pbkdf2_sha256${}${}${}".format(
+        PASSWORD_ITERATIONS,
+        base64.b64encode(salt).decode("ascii"),
+        base64.b64encode(digest).decode("ascii"),
+    )
+
+
+def verify_password(password: str, password_hash: str | None) -> bool:
+    if not password_hash:
+        return False
+    try:
+        scheme, iterations, salt_b64, digest_b64 = password_hash.split("$", 3)
+        if scheme != "pbkdf2_sha256":
+            return False
+        expected = base64.b64decode(digest_b64)
+        salt = base64.b64decode(salt_b64)
+        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
+        return hmac.compare_digest(actual, expected)
+    except (ValueError, TypeError):
+        return False
+
+
+def generate_otp_code() -> str:
+    return f"{secrets.randbelow(1_000_000):06d}"
+
+
+def hash_otp_code(settings: Settings, email: str, code: str, purpose: str) -> str:
+    payload = f"{purpose}:{email}:{code}".encode("utf-8")
+    return hmac.new(settings.require_auth_secret().encode("utf-8"), payload, hashlib.sha256).hexdigest()
+
+
+def new_session_token() -> str:
+    return secrets.token_urlsafe(48)
+
+
+def hash_session_token(settings: Settings, token: str) -> str:
+    return hmac.new(settings.require_auth_secret().encode("utf-8"), token.encode("utf-8"), hashlib.sha256).hexdigest()
+
+
+def session_expires_at(settings: Settings) -> datetime:
+    return utc_now() + timedelta(days=settings.auth_session_days)
+
+
+def public_user(user: dict[str, Any]) -> dict[str, Any]:
+    return {
+        "id": user["id"],
+        "email": user["email"],
+        "full_name": user.get("full_name"),
+        "company": user.get("company"),
+        "email_verified": bool(user.get("email_verified_at")),
+        "created_at": user.get("created_at").isoformat() if user.get("created_at") else None,
+    }