Fase 4 & 5 Compleet: Optimalisatie, Security & Cleanup.

- Password hashing verplaatst naar threadpool (non-blocking).
- API Keys gemigreerd naar SHA256 (fix voor Bcrypt limiet).
- Pydantic V2 modernisatie (model_config, model_dump).
- SQLAlchemy 2.0 modernisatie (timezone-aware datetime).
- Tests: 100% pass, 0 warnings, >80% coverage.
- Services gebruiken nu dependency injection.

Author: parvenuprompting

app/api/deps.py

@@ -107,5 +107,15 @@ async def get_current_client(
     return db_key.client
 
 
+def get_content_service() -> "ContentService":
+    """
+    Dependency to get content service instance.
+    In a real app with more complex deps, this could initialize the service.
+    """
+    from app.services.content import ContentService, content_service as _content_service
+    return _content_service
+
+
 CurrentUser = Annotated[User, Depends(get_current_user)]
 CurrentClient = Annotated[Client, Depends(get_current_client)]
+

app/api/v1/admin/auth.py

@@ -23,7 +23,7 @@ async def login_access_token(
     OAuth2 compatible token login, get an access token for future requests.
     """
     user = await user_repo.get_by_email(session, email=form_data.username)
-    if not user or not security.verify_password(form_data.password, user.hashed_password):
+    if not user or not await security.verify_password(form_data.password, user.hashed_password):
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST, detail="Incorrect email or password"
         )

app/api/v1/content/guides.py

@@ -3,44 +3,93 @@
 
 from fastapi import APIRouter, Depends, HTTPException, status
 
-from app.api.deps import SessionDep, CurrentClient
-from app.schemas.guide import GuideCreate, GuideDetailResponse, GuideListResponse, GuideUpdate
-from app.services.content import content_service
+from app.api.deps import CurrentClient, SessionDep, get_content_service
+from app.schemas.guide import (
+    GuideCreate,
+    GuideDetailResponse,
+    GuideListResponse,
+    GuideUpdate,
+)
+from app.services.content import ContentService
 
 router = APIRouter()
 
 
 @router.get("/", response_model=list[GuideListResponse])
 async def read_guides(
-    session: SessionDep, 
+    session: SessionDep,
     current_client: CurrentClient,
-    topic_id: UUID, 
-    skip: int = 0, 
-    limit: int = 100
+    skip: int = 0,
+    limit: int = 100,
+    service: ContentService = Depends(get_content_service),
 ) -> list[GuideListResponse]:
-    """Retrieve guides for a specific topic."""
-    return await content_service.get_guides(session, current_client=current_client, topic_id=topic_id, skip=skip, limit=limit)
+    """
+    Retrieve guides (Global + Private).
+    """
+    return await service.get_guides(
+        session, current_client=current_client, skip=skip, limit=limit
+    )
+
+
+@router.post("/", response_model=GuideListResponse)
+async def create_guide(
+    *,
+    session: SessionDep,
+    current_client: CurrentClient,
+    guide_in: GuideCreate,
+    service: ContentService = Depends(get_content_service),
+) -> GuideListResponse:
+    """
+    Create a new guide.
+    """
+    return await service.create_guide(
+        session, current_client=current_client, guide_in=guide_in
+    )
 
 
 @router.get("/{guide_id}", response_model=GuideDetailResponse)
 async def read_guide(
-    session: SessionDep, 
+    *,
+    session: SessionDep,
     current_client: CurrentClient,
-    guide_id: UUID
+    guide_id: UUID,
+    service: ContentService = Depends(get_content_service),
 ) -> GuideDetailResponse:
-    """Get a specific guide by ID."""
-    return await content_service.get_guide(session, current_client=current_client, guide_id=guide_id)
-
+    """
+    Get guide by ID.
+    """
+    guide = await service.get_guide(
+        session, current_client=current_client, guide_id=guide_id
+    )
+    if not guide:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Guide not found or access denied",
+        )
+    return guide
 
-@router.post("/", response_model=GuideDetailResponse, status_code=status.HTTP_201_CREATED)
-async def create_guide(session: SessionDep, guide_in: GuideCreate) -> GuideDetailResponse:
-    """Create a new guide."""
-    return await content_service.create_guide(session, guide_in)
 
-
-@router.put("/{guide_id}", response_model=GuideDetailResponse)
+@router.put("/{guide_id}", response_model=GuideListResponse)
 async def update_guide(
-    session: SessionDep, guide_id: UUID, guide_in: GuideUpdate
-) -> GuideDetailResponse:
-    """Update a guide."""
-    return await content_service.update_guide(session, guide_id, guide_in)
+    *,
+    session: SessionDep,
+    current_client: CurrentClient,
+    guide_id: UUID,
+    guide_in: GuideUpdate,
+    service: ContentService = Depends(get_content_service),
+) -> GuideListResponse:
+    """
+    Update a guide.
+    """
+    guide = await service.update_guide(
+        session,
+        current_client=current_client,
+        guide_id=guide_id,
+        guide_in=guide_in,
+    )
+    if not guide:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Guide not found or access denied",
+        )
+    return guide

app/api/v1/content/topics.py

@@ -3,42 +3,86 @@
 
 from fastapi import APIRouter, Depends, HTTPException, status
 
-from app.api.deps import SessionDep, CurrentClient
+from app.api.deps import CurrentClient, SessionDep, get_content_service
 from app.schemas.topic import TopicCreate, TopicDetail, TopicResponse, TopicUpdate
-from app.services.content import content_service
+from app.services.content import ContentService
 
 router = APIRouter()
 
 
 @router.get("/", response_model=list[TopicResponse])
 async def read_topics(
-    session: SessionDep, 
+    session: SessionDep,
     current_client: CurrentClient,
-    skip: int = 0, 
-    limit: int = 100
+    skip: int = 0,
+    limit: int = 100,
+    service: ContentService = Depends(get_content_service),
 ) -> list[TopicResponse]:
-    """Retrieve topics (Global + Private)."""
-    return await content_service.get_topics(session, current_client=current_client, skip=skip, limit=limit)
+    """
+    Retrieve topics.
+    Clients only see Global topics or their own Private topics.
+    """
+    return await service.get_topics(
+        session, current_client=current_client, skip=skip, limit=limit
+    )
 
 
-@router.get("/{topic_id}", response_model=TopicDetail)
-async def read_topic(
-    session: SessionDep, 
+@router.post("/", response_model=TopicResponse)
+async def create_topic(
+    *,
+    session: SessionDep,
     current_client: CurrentClient,
-    topic_id: UUID
-) -> TopicDetail:
-    """Get a specific topic by ID."""
-    return await content_service.get_topic(session, current_client=current_client, topic_id=topic_id)
+    topic_in: TopicCreate,
+    service: ContentService = Depends(get_content_service),
+) -> TopicResponse:
+    """
+    Create a new topic.
+    """
+    return await service.create_topic(
+        session, current_client=current_client, topic_in=topic_in
+    )
 
 
-# Admin routes (TODO: Add Auth dependency later for protection)
-@router.post("/", response_model=TopicResponse, status_code=status.HTTP_201_CREATED)
-async def create_topic(session: SessionDep, topic_in: TopicCreate) -> TopicResponse:
-    """Create a new topic."""
-    return await content_service.create_topic(session, topic_in)
+@router.put("/{topic_id}", response_model=TopicResponse)
+async def update_topic(
+    *,
+    session: SessionDep,
+    current_client: CurrentClient,
+    topic_id: UUID,
+    topic_in: TopicUpdate,
+    service: ContentService = Depends(get_content_service),
+) -> TopicResponse:
+    """
+    Update a topic.
+    """
+    topic = await service.update_topic(
+        session, current_client=current_client, topic_id=topic_id, topic_in=topic_in
+    )
+    if not topic:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Topic not found or access denied",
+        )
+    return topic
 
 
-@router.put("/{topic_id}", response_model=TopicResponse)
-async def update_topic(session: SessionDep, topic_id: UUID, topic_in: TopicUpdate) -> TopicResponse:
-    """Update a topic."""
-    return await content_service.update_topic(session, topic_id, topic_in)
+@router.get("/{topic_id}", response_model=TopicDetail)
+async def read_topic(
+    *,
+    session: SessionDep,
+    current_client: CurrentClient,
+    topic_id: UUID,
+    service: ContentService = Depends(get_content_service),
+) -> TopicDetail:
+    """
+    Get topic by ID.
+    """
+    topic = await service.get_topic(
+        session, current_client=current_client, topic_id=topic_id
+    )
+    if not topic:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Topic not found or access denied",
+        )
+    return topic

app/core/api_key.py

@@ -1,13 +1,8 @@
-"""API Key generation and validation for B2B client authentication."""
+import hashlib
 import secrets
 
-from passlib.context import CryptContext
-
 from app.core.config import settings
 
-# API Key hashing context (using bcrypt for consistency)
-api_key_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
 
 def generate_api_key(prefix: str | None = None) -> tuple[str, str]:
     """
@@ -21,16 +16,17 @@ def generate_api_key(prefix: str | None = None) -> tuple[str, str]:
 
     Example:
         plain_key = "keng_live_abc123..."
-        hashed_key = "$2b$12$..."
+        hashed_key = "e3b0c44298..." (SHA256)
     """
     if prefix is None:
         prefix = settings.api_key_prefix
 
     random_bytes = secrets.token_urlsafe(32)
     plain_key = f"{prefix}_live_{random_bytes}"
 
-    # Hash the key for storage
-    hashed_key = str(api_key_context.hash(plain_key))
+    # Hash the key for storage using SHA256
+    # API keys are high entropy, so salt/slow-hash is less critical than for passwords
+    hashed_key = hashlib.sha256(plain_key.encode()).hexdigest()
 
     return plain_key, hashed_key
 
@@ -47,7 +43,8 @@ def verify_api_key(plain_key: str, hashed_key: str) -> bool:
         True if valid, False otherwise
     """
     try:
-        return bool(api_key_context.verify(plain_key, hashed_key))
+        compare_hash = hashlib.sha256(plain_key.encode()).hexdigest()
+        return secrets.compare_digest(compare_hash, hashed_key)
     except Exception:
         return False
 
@@ -70,4 +67,4 @@ def generate_api_key_hash(plain_key: str) -> str:
     Returns:
         Hashed version
     """
-    return str(api_key_context.hash(plain_key))
+    return hashlib.sha256(plain_key.encode()).hexdigest()

app/core/config.py

@@ -1,6 +1,6 @@
 """Core configuration using Pydantic Settings."""
 
-from pydantic import Field, field_validator
+from pydantic import Field, ValidationInfo, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -72,6 +72,19 @@ def parse_cors_origins(cls, v: str) -> list[str]:
         """Parse comma-separated CORS origins."""
         return [origin.strip() for origin in v.split(",")]
 
+    @field_validator("jwt_secret_key", "api_key_secret", mode="after")
+    @classmethod
+    def validate_production_secrets(cls, v: str, info: ValidationInfo) -> str:
+        """Ensure default secrets are not used in production."""
+        if info.data.get("environment") == "production":
+            # Check if value contains default insecure strings
+            if "insecure" in v:
+                name = info.field_name
+                raise ValueError(
+                    f"Production configuration error: {name} must be changed from default insecure value."
+                )
+        return v
+
     @property
     def is_production(self) -> bool:
         """Check if running in production."""

app/core/security.py

@@ -2,6 +2,7 @@
 from datetime import UTC, datetime, timedelta
 from typing import Any, cast
 
+from fastapi.concurrency import run_in_threadpool
 from jose import JWTError, jwt
 from passlib.context import CryptContext
 
@@ -11,14 +12,14 @@
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
 
 
-def get_password_hash(password: str) -> str:
-    """Hash a password using bcrypt."""
-    return str(pwd_context.hash(password))
+async def get_password_hash(password: str) -> str:
+    """Hash a password using bcrypt (non-blocking)."""
+    return await run_in_threadpool(pwd_context.hash, password)
 
 
-def verify_password(plain_password: str, hashed_password: str) -> bool:
-    """Verify a password against its hash."""
-    return bool(pwd_context.verify(plain_password, hashed_password))
+async def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a password against its hash (non-blocking)."""
+    return await run_in_threadpool(pwd_context.verify, plain_password, hashed_password)
 
 
 def create_access_token(data: dict[str, Any], expires_delta: timedelta | None = None) -> str:

app/db/init_db.py

@@ -30,7 +30,7 @@ async def create_initial_admin(session: AsyncSession) -> None:
     # Create admin user
     admin = User(
         email=settings.admin_email,
-        hashed_password=get_password_hash(settings.admin_password),
+        hashed_password=await get_password_hash(settings.admin_password),
         is_active=True,
         is_superuser=True,
     )

app/main.py

@@ -65,7 +65,7 @@ async def custom_exception_handler(_request: Request, exc: BaseAPIError) -> JSON
             code=exc.__class__.__name__.replace("Exception", "").upper(),
             message=exc.message,
             details=exc.details,
-        ).dict(),
+        ).model_dump(),
     )
 
 

app/models/api_key.py

@@ -1,6 +1,6 @@
 """API Key model for B2B authentication."""
 import uuid
-from datetime import UTC, datetime
+from datetime import datetime, timezone
 from typing import TYPE_CHECKING
 from uuid import UUID
 
@@ -38,7 +38,7 @@ class APIKey(Base):
     )  # Optional name ("Production Key", etc.)
     is_active: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False, index=True)
     last_used_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
-    created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now())
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=lambda: datetime.now(timezone.utc))
     expires_at: Mapped[datetime | None] = mapped_column(
         DateTime, nullable=True
     )  # None = no expiration