shaapi 0.1.0__py3-none-any.whl

shaapi/template/backend/common/security/rbac.py

@@ -0,0 +1,98 @@
+import casbin
+import casbin_async_sqlalchemy_adapter
+
+from fastapi import Depends, Request
+
+from backend.models.casbin_rule import CasbinRule
+from backend.common.enums import MethodType
+from backend.common.exception.errors import AuthorizationError, TokenError
+from backend.common.security.jwt import DependsJwtAuth
+from backend.core.conf import settings
+from backend.database.db_postgres import async_engine
+
+
+class RBAC:
+    @staticmethod
+    async def enforcer() -> casbin.AsyncEnforcer:
+        """
+        Get the Casbin enforcer
+
+        :return:
+        """
+        # Rule data is defined directly in the method as static data
+        _CASBIN_RBAC_MODEL_CONF_TEXT = """
+        [request_definition]
+        r = sub, obj, act
+
+        [policy_definition]
+        p = sub, obj, act
+
+        [role_definition]
+        g = _, _
+
+        [policy_effect]
+        e = some(where (p.eft == allow))
+
+        [matchers]
+        m = g(r.sub, p.sub) && (keyMatch(r.obj, p.obj) || keyMatch3(r.obj, p.obj)) && (r.act == p.act || p.act == "*")
+        """
+        adapter = casbin_async_sqlalchemy_adapter.Adapter(async_engine, db_class=CasbinRule)
+        model = casbin.AsyncEnforcer.new_model(text=_CASBIN_RBAC_MODEL_CONF_TEXT)
+        enforcer = casbin.AsyncEnforcer(model, adapter)
+        await enforcer.load_policy()
+        return enforcer
+
+    async def rbac_verify(self, request: Request, _token: str = DependsJwtAuth) -> None:
+        """
+        RBAC permission verification
+
+        :param request:
+        :param _token:
+        :return:
+        """
+        path = request.url.path
+
+        # Whitelist for authentication
+        if path in settings.TOKEN_REQUEST_PATH_EXCLUDE:
+            return
+        
+        # Enforce JWT authorization status check
+        if not request.auth.scopes:
+            raise TokenError
+        
+        # Superuser exemption from verification
+        if request.user.is_superuser:
+            return
+        
+        # Check role data permission scope
+        user_roles = request.user.roles
+        if not user_roles:
+            raise AuthorizationError(msg='User has no assigned roles, authorization failed')
+
+        method = request.method
+        if method != MethodType.GET or method != MethodType.OPTIONS:
+            if not request.user.is_staff:
+                raise AuthorizationError(msg='This user is prohibited from performing backend management operations')
+        
+        # Data permission scope
+        data_scope = any(role.data_scope == 1 for role in user_roles)
+        if data_scope:
+            return
+
+
+        for role in user_roles:
+            # Casbin permission verification
+            if (method, path) in settings.RBAC_CASBIN_EXCLUDE:
+                return
+            enforcer = await self.enforcer()
+            
+            # check if at least one of the user is allowed 
+            if enforcer.enforce(role.x_id, path, method):
+                return
+        
+        raise AuthorizationError
+
+
+rbac = RBAC()
+# RBAC authorization dependency injection
+DependsRBAC = Depends(rbac.rbac_verify)

shaapi/template/backend/common/security/sec_token.py

@@ -0,0 +1,6 @@
+import secrets
+
+
+def generate_secret_token() -> str:
+    token = secrets.token_urlsafe()
+    return token

shaapi/template/backend/common/socketio/action.py

@@ -0,0 +1,11 @@
+# from backend.common.socketio.server import sio
+
+
+# async def task_notification(msg: str):
+#     """
+#     Send notification
+
+#     :param msg:
+#     :return:
+#     """
+#     await sio.emit('task_notification', {'msg': msg})

shaapi/template/backend/common/socketio/server.py

@@ -0,0 +1,50 @@
+# import socketio
+
+# from backend.core.conf import settings
+# from backend.common.security.jwt import jwt_authentication
+# from backend.common.log import log
+
+# sio = socketio.AsyncServer(
+#     client_manager=socketio.AsyncRedisManager(
+#         f'redis://:{settings.REDIS_PASSWORD}@{settings.REDIS_HOST}:'
+#         f'{settings.REDIS_PORT}/{task_settings.CELERY_BROKER_REDIS_DATABASE}'
+#     )
+#     if task_settings.CELERY_BROKER == 'redis'
+#     else socketio.AsyncAioPikaManager(
+#         (
+#             f'amqp://{task_settings.RABBITMQ_USERNAME}:{task_settings.RABBITMQ_PASSWORD}@'
+#             f'{task_settings.RABBITMQ_HOST}:{task_settings.RABBITMQ_PORT}'
+#         )
+#     ),
+#     async_mode='asgi',
+#     cors_allowed_origins=settings.CORS_ALLOWED_ORIGINS,
+#     cors_credentials=True,
+#     namespaces=['/ws'],
+# )
+
+# @sio.event
+# async def connect(sid, environ, auth):
+#     if not auth:
+#         print('ws connection failed: no authorization')
+#         return False
+
+#     token = auth.get('token')
+#     if not token:
+#         print('ws connection failed: no token authorization')
+#         return False
+
+#     if token == 'internal':
+#         return True
+
+#     try:
+#         await jwt_authentication(token)
+#     except Exception as e:
+#         log.info(f'ws Connection failed: {e}')
+#         return False
+
+#     return True
+
+
+# @sio.event
+# async def disconnect(sid):
+#     pass

shaapi/template/backend/common/sso/base.py

@@ -0,0 +1,69 @@
+from typing import Any
+from typing import List
+
+from httpx import AsyncClient
+
+from backend.app.admin.schema.sso import OAuthCodeResponseSchema
+from backend.app.admin.schema.sso import OAuthRedirectLink
+from backend.app.admin.schema.sso import OAuthTokenResponseSchema
+from backend.app.admin.schema.sso import OAuthUserDataResponseSchema
+
+
+class OAuthBase:
+    session: AsyncClient
+    client_id: str
+    secret_key: str
+    webhook_redirect_uri: str
+
+    scope: List[str]
+    response_type: str = "code"
+
+    def __init__(
+        self,
+        session: AsyncClient,
+        client_id: str,
+        secret_key: str,
+        webhook_redirect_uri: str,
+    ) -> None:
+        self.session = session
+        self.client_id = client_id
+        self.secret_key = secret_key
+        self.webhook_redirect_uri = webhook_redirect_uri
+
+    def scope_to_str(self, delimiter: str = "%20") -> str:
+        """
+        Convert a scope list to string representation
+        Replacing spaces with encoded spaces% 20 for pydantic model validation
+        """
+
+        return f"{delimiter}".join(self.scope)
+
+    def prepare_user_data(
+        self, external_id: str, user_data: dict[Any, Any]
+    ) -> OAuthUserDataResponseSchema:
+        """Converting interface socials for the general data format of the system"""
+
+        raise NotImplementedError
+
+    def generate_link_for_code(self) -> OAuthRedirectLink:
+        """
+        Generating a link to a redirect to the service to receive a confirmation code.
+        It is necessary for the user to further enter the service and
+        receive a confirmation code from the service on Webhook.
+        """
+
+        raise NotImplementedError
+
+    async def get_token(
+        self, code: OAuthCodeResponseSchema
+    ) -> OAuthTokenResponseSchema:
+        """Exchange of a confirmation code for a user token."""
+
+        raise NotImplementedError
+
+    async def get_user_data(
+        self, token: OAuthTokenResponseSchema
+    ) -> OAuthUserDataResponseSchema:
+        """ "Getting information about a user through an access token."""
+
+        raise NotImplementedError

shaapi/template/backend/common/sso/google.py

@@ -0,0 +1,127 @@
+from typing import Any
+
+from fastapi import HTTPException
+from fastapi import status
+from httpx import AsyncClient
+from pydantic_core import Url
+
+from .base import OAuthBase
+from backend.core.conf import settings
+from backend.app.admin.schema.sso import OAuthCodeResponseSchema
+from backend.app.admin.schema.sso import OAuthRedirectLink
+from backend.app.admin.schema.sso import OAuthTokenResponseSchema
+from backend.app.admin.schema.sso import OAuthUserDataResponseSchema
+from backend.app.admin.schema.sso import SocialTypes
+
+
+class GoogleOAuth(OAuthBase):
+    """
+    Config Google
+    https://developers.google.com/identity/protocols/oauth2/web-server#httprest_3
+    """
+
+    scope = [
+        "openid",
+        "https://www.googleapis.com/auth/userinfo.email",
+        "https://www.googleapis.com/auth/userinfo.profile",
+    ]
+
+    access_type = "offline"
+    grand_type = "authorization_code"
+
+    def generate_body_for_access_token(self, code: OAuthCodeResponseSchema) -> str:
+        """
+        Generating the request body to send to the service to receive the user's token.
+        """
+
+        return (
+            f"code={code.code}&"
+            f"client_id={self.client_id}&"
+            f"client_secret={self.secret_key}&"
+            f"grant_type={self.grand_type}&"
+            f"redirect_uri={self.webhook_redirect_uri}"
+        )
+
+    def prepare_user_data(
+        self, external_id: str, user_data: dict[Any, Any]
+    ) -> OAuthUserDataResponseSchema:
+        """Converting interface socials for the general data format of the system"""
+        return OAuthUserDataResponseSchema(
+            external_id=external_id,
+            email=user_data["email"],
+            social_type=SocialTypes.google,
+            img=user_data["picture"],
+            firstname=user_data["family_name"] if "family_name" in user_data else "",
+            lastname=user_data["given_name"] if "given_name" in user_data else "",
+        )
+
+    def generate_link_for_code(self) -> OAuthRedirectLink:
+        """
+        Generating a link to a redirect to the service to receive a confirmation code.
+        It is necessary for the user to further enter the service
+        and receive a confirmation code from the service on Webhook.
+        """
+
+        url = (
+            "https://accounts.google.com/o/oauth2/v2/auth?"
+            f"scope={self.scope_to_str()}&"
+            f"access_type={self.access_type}&"
+            f"response_type={self.response_type}&"
+            f"redirect_uri={self.webhook_redirect_uri}&"
+            f"client_id={self.client_id}"
+        )
+
+        return OAuthRedirectLink(url=Url(url=url))
+
+    async def get_token(
+        self, code: OAuthCodeResponseSchema
+    ) -> OAuthTokenResponseSchema:
+        """Exchange of a confirmation code for a user token."""
+
+        response = await self.session.post(
+            url="https://oauth2.googleapis.com/token",
+            content=self.generate_body_for_access_token(code),
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+        token_data = response.json()
+        if response.status_code != status.HTTP_200_OK:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=token_data["error_description"],
+            )
+        token_data = response.json()
+
+        return OAuthTokenResponseSchema(token=token_data["id_token"])
+
+    async def get_user_data(
+        self, token: OAuthTokenResponseSchema
+    ) -> OAuthUserDataResponseSchema:
+        """ "Getting information about a user through an access token."""
+
+        response = await self.session.get(
+            url="https://oauth2.googleapis.com/tokeninfo",
+            params=dict(id_token=token.token),
+        )
+        user_data = response.json()
+        if response.status_code != status.HTTP_200_OK:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=user_data["error_description"],
+            )
+
+        return self.prepare_user_data(user_data["sub"], user_data)
+
+    async def verify_and_process(
+        self, code: OAuthCodeResponseSchema
+    ) -> OAuthUserDataResponseSchema:
+        token = await self.get_token(code=code)
+        datas = await self.get_user_data(token=token)
+        return datas
+
+
+google_oauth = GoogleOAuth(
+    session=AsyncClient(),
+    client_id=settings.GOOGLE_CLIENT_ID,
+    secret_key=settings.GOOGLE_SECRET_KEY,
+    webhook_redirect_uri=settings.GOOGLE_WEBHOOK_OAUTH_REDIRECT_URI,
+)

shaapi/template/backend/core/conf.py

@@ -0,0 +1,208 @@
+from functools import lru_cache
+import os
+from typing import Literal
+
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+from backend.core.path_conf import ApiV2Path
+
+
+class Settings(BaseSettings):
+    """Global settings.
+
+    Every field has a sane development default so the app boots out of the box
+    (e.g. ``docker-run.sh up`` with the bundled docker-compose). Override via the
+    ``.env`` file for your own setup, and ALWAYS set real secrets in production.
+    """
+
+    model_config = SettingsConfigDict(
+        env_file=f'{ApiV2Path}/.env', env_file_encoding='utf-8', extra='ignore'
+    )
+
+    APP_NAME: str = 'shaapi'
+
+    # Env Config
+    ENVIRONMENT: Literal['dev', 'preprod', 'prod'] = 'dev'
+
+    # Database schema bootstrap: in dev, tables are auto-created on startup for a
+    # zero-friction first run. In production set DB_AUTO_CREATE=false and rely on
+    # Alembic migrations (`shaapi makemigrations` / `shaapi migrate`).
+    DB_AUTO_CREATE: bool = True
+
+    # Observability (opt-in). When disabled, the OpenTelemetry/Prometheus stack
+    # is never imported, keeping the lean core lightweight.
+    OBSERVABILITY_ENABLED: bool = False
+    OTLP_GRPC_ENDPOINT: str | None = None
+
+    # Postgres
+    POSTGRES_HOST: str = 'localhost'
+    POSTGRES_PORT: int = 5432
+    POSTGRES_USER: str = 'postgres'
+    POSTGRES_PASSWORD: str = 'postgres'
+    POSTGRES_ECHO: bool = False
+    POSTGRES_DATABASE: str = 'shaapi'
+
+    CLIENT_URL: str = 'http://localhost:3000'
+
+    # Redis
+    REDIS_HOST: str = 'localhost'
+    REDIS_PORT: int = 6379
+    REDIS_PASSWORD: str | None = None
+    REDIS_DATABASE: int = 0
+    REDIS_TIMEOUT: int = 5
+
+    # Object storage (MinIO / S3-compatible)
+    MINIO_ENDPOINT: str = 'localhost:9000'
+    MINIO_PORT: int = 9000
+    MINIO_ACCESS_KEY: str = 'minioadmin'
+    MINIO_SECRET_KEY: str = 'minioadmin'
+    MINIO_BUCKET_NAME: str = 'shaapi'
+    MINIO_CLOUD_URL: str = 'http://localhost:9000'
+
+    # SMTP / email (optional: leave blank to disable outgoing mail)
+    SMTP_TLS: str = 'True'
+    SMTP_PORT: str = '587'
+    SMTP_HOST: str = ''
+    SMTP_USER: str = ''
+    EMAILS_FROM_EMAIL: str = ''
+    EMAILS_FROM_NAME: str = ''
+    SMTP_PASSWORD: str = ''
+    EMAIL_TEMPLATES_DIR: str = os.getcwd() + '/templates/build'
+
+    # Token / crypto secrets — CHANGE THESE IN PRODUCTION
+    # Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
+    TOKEN_SECRET_KEY: str = 'dev-insecure-change-me-token-secret-key'
+    # Generate with: python -c "import os; print(os.urandom(32).hex())"
+    OPERA_LOG_ENCRYPT_SECRET_KEY: str = 'dev-insecure-change-me-opera-log-key'
+
+    # Google SSO (optional)
+    GOOGLE_CLIENT_ID: str = ''
+    GOOGLE_SECRET_KEY: str = ''
+    GOOGLE_WEBHOOK_OAUTH_REDIRECT_URI: str = ''
+
+    # FastAPI
+    FASTAPI_API_V1_PATH: str = '/api/v1'
+    FASTAPI_TITLE: str = 'shaapi'
+    FASTAPI_VERSION: str = '0.0.1'
+    FASTAPI_DESCRIPTION: str = 'A lean, batteries-included FastAPI backend.'
+    FASTAPI_DOCS_URL: str | None = f'{FASTAPI_API_V1_PATH}/docs'
+    FASTAPI_REDOCS_URL: str | None = f'{FASTAPI_API_V1_PATH}/redocs'
+    FASTAPI_OPENAPI_URL: str | None = f'{FASTAPI_API_V1_PATH}/openapi'
+    FASTAPI_STATIC_FILES: bool = False
+
+    # Token
+    TOKEN_ALGORITHM: str = 'HS256'
+    TOKEN_EXPIRE_SECONDS: int = 60 * 60 * 24 * 1  # access token lifetime
+    TOKEN_REFRESH_EXPIRE_SECONDS: int = 60 * 60 * 24 * 7  # refresh token lifetime
+    TOKEN_REDIS_PREFIX: str = 'shaapi:token'
+    USER_SECURE_TOKEN_REDIS_PREFIX: str = 'shaapi:user:token'
+    ADMIN_SECURE_TOKEN_REDIS_PREFIX: str = 'shaapi:admin:token'
+    TOKEN_REFRESH_REDIS_PREFIX: str = 'shaapi:refresh_token'
+    CAPTCHA_LOGIN_REDIS_PREFIX: str = 'shaapi:captcha:login'
+    TOKEN_REQUEST_PATH_EXCLUDE: list[str] = [  # JWT / RBAC whitelist
+        f'/admin{FASTAPI_API_V1_PATH}/auth/login',
+        f'/admin{FASTAPI_API_V1_PATH}/auth/token/new',
+    ]
+
+    # JWT
+    JWT_USER_REDIS_PREFIX: str = 'shaapi:user'
+    JWT_ADMIN_REDIS_PREFIX: str = 'shaapi:admin'
+    JWT_USER_REDIS_EXPIRE_SECONDS: int = 60 * 60 * 24 * 7
+
+    # Permission (RBAC)
+    PERMISSION_MODE: Literal['casbin', 'role-menu'] = 'casbin'
+    PERMISSION_REDIS_PREFIX: str = 'shaapi:permission'
+
+    # Casbin RBAC whitelist
+    RBAC_CASBIN_EXCLUDE: set[tuple[str, str]] = {
+        ('POST', f'/admin{FASTAPI_API_V1_PATH}/auth/logout'),
+        ('POST', f'/admin{FASTAPI_API_V1_PATH}/auth/token/new'),
+    }
+
+    # Role-Menu
+    RBAC_ROLE_MENU_EXCLUDE: list[str] = [
+        'sys:monitor:redis',
+        'sys:monitor:server',
+    ]
+
+    # Cookies
+    COOKIE_REFRESH_TOKEN_KEY: str = 'shaapi_refresh_token'
+    COOKIE_REFRESH_TOKEN_EXPIRE_SECONDS: int = TOKEN_REFRESH_EXPIRE_SECONDS
+
+    # Log
+    LOG_ROOT_LEVEL: str = 'NOTSET'
+    LOG_STD_FORMAT: str = (
+        '<green>{time:YYYY-MM-DD HH:mm:ss.SSS}</> | <lvl>{level: <8}</> | '
+        '<cyan> {correlation_id} </> | <lvl>{message}</>'
+    )
+    LOG_LOGURU_FORMAT: str = (
+        '<green>{time:YYYY-MM-DD HH:mm:ss.SSS}</> | <lvl>{level: <8}</> | '
+        '<cyan> {correlation_id} </> | <lvl>{message}</>'
+    )
+    LOG_CID_DEFAULT_VALUE: str = '-'
+    LOG_CID_UUID_LENGTH: int = 32  # must <= 32
+    LOG_STDOUT_LEVEL: str = 'INFO'
+    LOG_STDERR_LEVEL: str = 'ERROR'
+    LOG_STDOUT_FILENAME: str = 'shaapi_access.log'
+    LOG_STDERR_FILENAME: str = 'shaapi_error.log'
+
+    # Middleware
+    MIDDLEWARE_CORS: bool = True
+    MIDDLEWARE_ACCESS: bool = True
+
+    # Trace ID
+    TRACE_ID_REQUEST_HEADER_KEY: str = 'X-Request-ID'
+
+    # CORS
+    CORS_ALLOWED_ORIGINS: list[str] = [
+        'http://localhost:3000',  # Front-end address, no trailing '/'
+    ]
+    CORS_EXPOSE_HEADERS: list[str] = [
+        TRACE_ID_REQUEST_HEADER_KEY,
+    ]
+
+    # DateTime
+    DATETIME_TIMEZONE: str = 'Africa/Abidjan'
+    DATETIME_FORMAT: str = '%Y-%m-%d %H:%M:%S'
+
+    # Request limiter
+    REQUEST_LIMITER_REDIS_PREFIX: str = 'shaapi:limiter'
+
+    # Demo mode (only GET, OPTIONS requests are allowed)
+    DEMO_MODE: bool = False
+    DEMO_MODE_EXCLUDE: set[tuple[str, str]] = {
+        ('POST', f'{FASTAPI_API_V1_PATH}/auth/login'),
+        ('POST', f'{FASTAPI_API_V1_PATH}/auth/logout'),
+        ('GET', f'{FASTAPI_API_V1_PATH}/auth/captcha'),
+    }
+
+    # IP location
+    IP_LOCATION_PARSE: Literal['online', 'offline', 'false'] = 'online'
+    IP_LOCATION_REDIS_PREFIX: str = 'shaapi:ip:location'
+    IP_LOCATION_EXPIRE_SECONDS: int = 60 * 60 * 24 * 1
+
+    # Opera log
+    OPERA_LOG_PATH_EXCLUDE: list[str] = [
+        '/favicon.ico',
+        FASTAPI_DOCS_URL,
+        FASTAPI_REDOCS_URL,
+        FASTAPI_OPENAPI_URL,
+        f'{FASTAPI_API_V1_PATH}/auth/login/swagger',
+    ]
+    OPERA_LOG_ENCRYPT_TYPE: int = 1  # 0: AES; 1: md5; 2: ItsDangerous; 3: plain; other: ******
+    OPERA_LOG_ENCRYPT_KEY_INCLUDE: list[str] = [  # values to encrypt in request bodies
+        'password',
+        'old_password',
+        'new_password',
+        'confirm_password',
+    ]
+
+
+@lru_cache
+def get_settings() -> Settings:
+    """Return the cached global settings instance."""
+    return Settings()
+
+
+# Configuration instance
+settings = get_settings()

shaapi/template/backend/core/path_conf.py

@@ -0,0 +1,24 @@
+import os
+
+from pathlib import Path
+
+# Get the project root directory
+# Or use an absolute path to the backend directory, e.g. windows: BasePath = D:\git_project\fastapi_mysql\backend
+BasePath = Path(__file__).resolve().parent.parent
+
+ApiV2Path = Path(__file__).resolve().parent.parent.parent
+
+# alembic migration file storage path
+ALEMBIC_Versions_DIR = os.path.join(BasePath, 'alembic', 'versions')
+
+# Log file path
+LOG_DIR = os.path.join(BasePath, 'log')
+
+# Offline IP Database Path
+IP2REGION_XDB = os.path.join(BasePath, 'static', 'ip2region.xdb')
+
+# Mount the static directory
+STATIC_DIR = os.path.join(BasePath, 'static')
+
+# jinja2 template file path
+JINJA2_TEMPLATE_DIR = os.path.join(BasePath, 'templates')