Added OTP login flow, reset password flow, email sending, user create updates

Author: Uttam Singh

backend/app/models/user.py

@@ -1,13 +1,18 @@
-from sqlalchemy import Column, Integer, String
-from app.database import Base
+# app/models/user.py (SQLAlchemy)
+from sqlalchemy import Column, Integer, String, Boolean, DateTime
+from datetime import datetime
 
 class User(Base):
     __tablename__ = "users"
-
     id = Column(Integer, primary_key=True, index=True)
-    name = Column(String(100), nullable=False)
-    email = Column(String(100), unique=True, nullable=False)
-    hashed_password = Column(String(255), nullable=False)
-    department = Column(String(100), nullable=True)
-    role = Column(String(50), nullable=False, default="auditee")
-    manager_email = Column(String(100), nullable=True)
+    name = Column(String(255))
+    email = Column(String(255), unique=True, index=True, nullable=False)
+    password = Column(String(255), nullable=False)  # hashed
+    department = Column(String(100))
+    manager_email = Column(String(255))
+    role = Column(String(50), default="auditee")
+
+    # OTP + reset fields
+    otp_code = Column(String(10), nullable=True)
+    otp_expires_at = Column(DateTime, nullable=True)
+    first_login = Column(Boolean, default=True)

backend/app/routers/auth.py

@@ -0,0 +1,38 @@
+# app/routers/auth.py
+from fastapi import APIRouter, HTTPException, Depends
+from sqlalchemy.orm import Session
+from datetime import datetime
+from app.database import get_db
+from app.models.user import User
+
+router = APIRouter()
+
+@router.post("/login-otp")
+def login_with_otp(email: str, otp: str, db: Session = Depends(get_db)):
+    user = db.query(User).filter(User.email == email).first()
+    if not user:
+        raise HTTPException(status_code=400, detail="Invalid credentials")
+    if not user.otp_code or user.otp_code != otp:
+        raise HTTPException(status_code=400, detail="Invalid OTP")
+    if not user.otp_expires_at or datetime.utcnow() > user.otp_expires_at:
+        raise HTTPException(status_code=400, detail="OTP expired")
+
+    # OTP valid -> clear otp_code (optional)
+    user.otp_code = None
+    user.otp_expires_at = None
+    db.commit()
+
+    # Return first_login so frontend knows to redirect
+    return {"ok": True, "first_login": user.first_login, "user_id": user.id}
+from app.utils.auth import hash_password
+
+@router.post("/reset-password")
+def reset_password(user_id: int, new_password: str, db: Session = Depends(get_db)):
+    user = db.get(User, user_id)
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+
+    user.password = hash_password(new_password)
+    user.first_login = False
+    db.commit()
+    return {"ok": True, "message": "Password updated"}

backend/app/routers/users.py

@@ -1,117 +1,51 @@
-from fastapi import APIRouter, Depends, HTTPException, Form
-from passlib.hash import bcrypt
+# app/routers/users.py (or your existing users router)
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 from app.database import get_db
 from app.models.user import User
+from app.utils.auth import hash_password, generate_otp, otp_expiry, send_otp_email
+from datetime import datetime
 
-# ✅ Define router (this line is crucial)
 router = APIRouter()
 
-# ✅ Create a new user
 @router.post("/")
 def create_user(
-    name: str = Form(...),
-    email: str = Form(...),
-    password: str = Form(...),
-    department: str = Form(None),
-    role: str = Form("auditee"),
-    manager_email: str = Form(None),
+    name: str,
+    email: str,
+    password: str,
+    department: str = None,
+    manager_email: str = None,
+    role: str = "auditee",
     db: Session = Depends(get_db),
 ):
+    # check exist
+    if db.query(User).filter(User.email == email).first():
+        raise HTTPException(status_code=400, detail="Email already registered")
+
+    hashed = hash_password(password)
+    otp = generate_otp()
+    expiry = otp_expiry(10)
+
+    user = User(
+        name=name,
+        email=email,
+        password=hashed,
+        department=department,
+        manager_email=manager_email,
+        role=role,
+        otp_code=otp,
+        otp_expires_at=expiry,
+        first_login=True,
+    )
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    # send mail (async if you prefer background task)
     try:
-        if db.query(User).filter(User.email == email).first():
-            raise HTTPException(status_code=400, detail="Email already exists")
-        user = User(
-            name=name,
-            email=email,
-            hashed_password=bcrypt.hash(password),
-            department=department,
-            role=role,
-            manager_email=manager_email,
-        )
-        db.add(user)
-        db.commit()
-        return {"ok": True, "message": "User created successfully"}
+        send_otp_email(email, otp)
     except Exception as e:
-        return {"ok": False, "error": str(e)}
+        # log error but user exists now — you can rollback if you prefer
+        print("Warning: failed to send OTP", e)
 
-# ✅ Login route
-@router.post("/login")
-def login_user(
-    email: str = Form(...),
-    password: str = Form(...),
-    db: Session = Depends(get_db)
-):
-    try:
-        user = db.query(User).filter(User.email == email).first()
-        if not user or not bcrypt.verify(password, user.hashed_password):
-            raise HTTPException(status_code=401, detail="Invalid email or password")
-        return {
-            "ok": True,
-            "message": "Login successful",
-            "user": {"id": user.id, "name": user.name, "role": user.role},
-        }
-    except Exception as e:
-        return {"ok": False, "error": str(e)}
-
-# ✅ Get all users
-@router.get("/")
-def list_users(db: Session = Depends(get_db)):
-    try:
-        return db.query(User).all()
-    except Exception as e:
-        return {"ok": False, "error": str(e)}
-
-# ✅ Delete user
-@router.delete("/{user_id}")
-def delete_user(user_id: int, db: Session = Depends(get_db)):
-    try:
-        user = db.get(User, user_id)
-        if not user:
-            raise HTTPException(status_code=404, detail="User not found")
-        db.delete(user)
-        db.commit()
-        return {"ok": True, "message": "User deleted"}
-    except Exception as e:
-        return {"ok": False, "error": str(e)}
-
-# ✅ Check Admin Users
-@router.get("/check-admin")
-def check_admin(db: Session = Depends(get_db)):
-    try:
-        users = db.query(User).all()
-        return {"count": len(users), "users": [u.email for u in users]}
-    except Exception as e:
-        return {"ok": False, "error": str(e)}
-
-# ✅ Seed Admin User (One-Time Setup) – FIXED bcrypt byte issue
-@router.post("/seed-admin")
-def seed_admin(db: Session = Depends(get_db)):
-    try:
-        email = "[email protected]"
-        existing = db.query(User).filter(User.email == email).first()
-        if existing:
-            return {"ok": True, "note": "Admin already exists"}
-
-        # --- Fix bcrypt 72-byte password limit ---
-        raw_password = "Edme@123"
-        encoded = raw_password.encode("utf-8")
-        if len(encoded) > 72:
-            encoded = encoded[:72]
-        safe_password = encoded.decode("utf-8", "ignore")
-        hashed_password = bcrypt.hash(safe_password)
-        # ------------------------------------------
-
-        admin = User(
-            name="Admin",
-            email=email,
-            hashed_password=hashed_password,
-            department="Finance",
-            role="admin",
-            manager_email=None,
-        )
-        db.add(admin)
-        db.commit()
-        return {"ok": True, "note": "Admin created successfully"}
-    except Exception as e:
-        return {"ok": False, "error": str(e)}
+    return {"ok": True, "message": "User created and OTP sent"}

backend/app/utils/auth.py

@@ -0,0 +1,53 @@
+# app/utils/auth.py
+import random
+from datetime import datetime, timedelta
+from passlib.context import CryptContext
+import os, smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+pwd_ctx = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+def hash_password(plain):
+    return pwd_ctx.hash(plain)
+
+def verify_password(plain, hashed):
+    return pwd_ctx.verify(plain, hashed)
+
+def generate_otp():
+    return f"{random.randint(100000, 999999)}"  # 6-digit string
+
+def otp_expiry(minutes=10):
+    return datetime.utcnow() + timedelta(minutes=minutes)
+
+def send_otp_email(recipient_email: str, otp: str):
+    # Configure via env vars
+    sender_email = os.getenv("SMTP_SENDER_EMAIL")
+    sender_password = os.getenv("SMTP_PASSWORD")
+    smtp_server = os.getenv("SMTP_SERVER", "smtp.office365.com")
+    smtp_port = int(os.getenv("SMTP_PORT", 587))
+
+    subject = "Your FAT-EIBL one-time password (OTP)"
+    body = f"""
+    Hello,
+
+    Use this one-time password (OTP) to sign in to FAT-EIBL: {otp}
+
+    This OTP will expire in 10 minutes.
+
+    If you didn't request this, contact your admin.
+
+    Regards,
+    FAT-EIBL
+    """
+
+    msg = MIMEMultipart()
+    msg["From"] = sender_email
+    msg["To"] = recipient_email
+    msg["Subject"] = subject
+    msg.attach(MIMEText(body, "plain"))
+
+    with smtplib.SMTP(smtp_server, smtp_port) as server:
+        server.starttls()
+        server.login(sender_email, sender_password)
+        server.send_message(msg)