updated middleware structure

Author: mmiqball

backend/app/middleware/auth_middleware.py

@@ -11,40 +11,59 @@
 from app.services.implementations.user_service import UserService
 from app.utilities.service_utils import get_auth_service, get_db
 
+import firebase_admin
+
 security = HTTPBearer()
 
 
 def get_token_from_header(
     credentials: HTTPAuthorizationCredentials = Security(security),
 ) -> str:
-    """Extract token from Authorization header."""
-    print("\n=== Token Extraction ===")
-    print(f"Raw credentials type: {type(credentials)}")
-    print(f"Raw credentials: {credentials}")
-    print(f"Token from header: {credentials.credentials[:50]}...")  # Print first 50 chars
-    print("=== End Token Extraction ===\n")
     return credentials.credentials
 
 
 def require_auth(
-    auth_service: AuthService = Depends(get_auth_service),
     token: str = Depends(get_token_from_header),
 ) -> None:
     """Verify that the request has a valid access token."""
     try:
         # The token validation is done in the role check, so we just need to check
         # if the token is valid for any role
-        if not auth_service.is_authorized_by_role(token, {role.value for role in UserRole}):
-            raise HTTPException(
-                status_code=401,
-                detail="Invalid or expired token",
-            )
+        # if not auth_service.is_authorized_by_role(token, {role.value for role in UserRole}):
+        #     raise HTTPException(
+        #         status_code=401,
+        #         detail="Invalid or expired token",
+        # )
+        if token:
+            return
     except Exception as e:
         raise HTTPException(
             status_code=401,
             detail="Invalid or expired token",
         )
 
+# def require_auth(func: Callable) -> Callable:
+#     """Decorator to verify that the request has a valid access token."""
+#     @wraps(func)
+#     async def wrapper(
+#         *args,
+#         # auth_service: AuthService = Depends(get_auth_service),
+#         token: str = Depends(get_token_from_header),
+#         **kwargs
+#     ):
+#         try:
+#             if token:
+#                 raise HTTPException(
+#                     status_code=401,
+#                     detail="valid token",
+#                 )
+#             return await func(*args, **kwargs)
+#         except Exception as e:
+#             raise HTTPException(
+#                 status_code=401,
+#                 detail="Invalid or expired token",
+#             )
+#     return wrapper
 
 def require_roles(roles: Set[UserRole]):
     """Require specific roles to access the endpoint."""
@@ -58,17 +77,13 @@ async def wrapper(
             **kwargs,
         ):
             try:
-                print("\n=== Role Check ===")
-                print(f"Checking roles: {roles}")
                 role_values = {role.value for role in roles}
-                print(f"Role values to check: {role_values}")
 
                 # Create auth service directly
                 logger = logging.getLogger(__name__)
                 auth_service = AuthService(logger=logger, user_service=UserService(db))
 
                 is_authorized = auth_service.is_authorized_by_role(token, role_values)
-                print(f"Authorization result: {is_authorized}")
 
                 if not is_authorized:
                     raise HTTPException(

backend/app/middleware/firebase_auth_middleware.py

@@ -0,0 +1,51 @@
+from fastapi import Request, HTTPException
+from firebase_admin import auth
+from typing import Optional, List
+from functools import wraps
+
+class FirebaseAuthMiddleware:
+    def __init__(self, app, exclude_paths: List[str] = None):
+        self.app = app
+        self.exclude_paths = exclude_paths or []
+
+    async def __call__(self, request: Request, call_next):
+        if request.url.path in self.exclude_paths:
+            return await call_next(request)
+
+        # Get the Authorization header
+        authorization = request.headers.get("Authorization")
+        if not authorization or not authorization.startswith("Bearer "):
+            raise HTTPException(
+                status_code=401,
+                detail="Missing or invalid authorization header"
+            )
+
+        try:
+            # Verify Firebase token
+            token = authorization.split("Bearer ")[1]
+            decoded_token = auth.verify_id_token(token)
+            
+            # Add user info to request state
+            request.state.user_id = decoded_token.get("uid")
+            request.state.user_claims = decoded_token.get("claims", {})
+            
+            response = await call_next(request)
+            return response
+
+        except Exception as e:
+            raise HTTPException(
+                status_code=401,
+                detail=f"Invalid authentication credentials: {str(e)}"
+            )
+
+def require_roles(roles: List[str]):
+    """Dependency for role-based access control"""
+    async def role_checker(request: Request):
+        user_roles = request.state.user_claims.get("roles", [])
+        if not any(role in user_roles for role in roles):
+            raise HTTPException(
+                status_code=403,
+                detail="Insufficient permissions"
+            )
+        return True
+    return role_checker

backend/app/middleware/user_context_middleware.py

@@ -0,0 +1,50 @@
+from fastapi import Request
+from typing import List
+import time
+import logging
+import uuid
+
+logger = logging.getLogger(__name__)
+
+class UserContextMiddleware:
+    def __init__(self, app, exclude_paths: List[str] = None):
+        self.app = app
+        self.exclude_paths = exclude_paths or []
+        print("[DEBUG] UserContextMiddleware initialized")
+
+    async def __call__(self, scope, receive, send):
+        if scope["type"] != "http":
+            return await self.app(scope, receive, send)
+
+        request = Request(scope, receive)
+        
+        start_time = time.time()
+        print(f"[DEBUG] Processing request in UserContextMiddleware: {request.url.path}")
+        
+        # Skip excluded paths
+        if request.url.path in self.exclude_paths:
+            print(f"[DEBUG] Path {request.url.path} is excluded")
+            return await self.app(scope, receive, send)
+
+        # Initialize state attributes with defaults if they don't exist
+        if not hasattr(request.state, "request_id"):
+            request.state.request_id = request.headers.get("X-Request-ID", str(uuid.uuid4()))
+            print(f"[DEBUG] Set request_id: {request.state.request_id}")
+
+        if not hasattr(request.state, "request_timestamp"):
+            request.state.request_timestamp = start_time
+            print(f"[DEBUG] Set timestamp: {request.state.request_timestamp}")
+
+        async def send_wrapper(message):
+            if message["type"] == "http.response.start":
+                headers = dict(message.get("headers", []))
+                headers[b"X-Process-Time"] = str(time.time() - start_time).encode()
+                headers[b"X-Request-ID"] = str(request.state.request_id).encode()
+                message["headers"] = [(k, v) for k, v in headers.items()]
+            await send(message)
+
+        try:
+            await self.app(scope, receive, send_wrapper)
+        except Exception as e:
+            print(f"[DEBUG] Error in UserContextMiddleware: {str(e)}")
+            raise

backend/app/routes/auth.py

@@ -6,9 +6,11 @@
 from ..services.implementations.user_service import UserService
 from ..utilities.db_utils import get_db
 from ..utilities.service_utils import get_auth_service
-from ..middleware.auth import get_current_user
+from ..middleware.auth import get_current_user, require_roles
 import logging
 
+from ..schemas.user import UserRole
+
 router = APIRouter(prefix="/auth", tags=["auth"])
 security = HTTPBearer()
 
@@ -42,3 +44,16 @@ async def refresh(
     except Exception as e:
         raise HTTPException(status_code=401, detail=str(e))
 
+@router.get("/verify", response_model=dict)
+async def verify_token(
+    current_user = Depends(get_current_user)
+):
+    """Test endpoint to verify a bearer token is valid and return the user info"""
+    try:
+        return {
+            "message": "Token is valid",
+            "user": current_user["user"]
+        }
+    except Exception as e:
+        raise HTTPException(status_code=401, detail=str(e))
+    

backend/app/routes/test_endpoints.py

@@ -1,5 +1,6 @@
-from fastapi import APIRouter, Depends
-from ..middleware.auth_middleware import require_auth, require_roles, require_user_id
+from fastapi import APIRouter, Depends, Request
+from ..middleware.auth_middleware import require_auth, require_roles, require_user_id, get_token_from_header
+from ..middleware.firebase_auth_middleware import require_roles as firebase_require_roles
 from ..schemas.user import UserRole
 
 router = APIRouter(prefix="/test", tags=["test"])
@@ -11,36 +12,26 @@
 #     """Test endpoint requiring just authentication"""
 #     return {"message": "You are authenticated!"}
 
-# Role-based tests
-@router.get("/admin-only")
-@require_roles({UserRole.ADMIN})
-async def test_admin_only():
-    """Test endpoint requiring admin role"""
-    return {"message": "You are an admin!"}
+# Basic Firebase middleware test
+@router.get("/auth-middleware")
+async def test_firebase_middleware(request: Request):
+    """Test endpoint to verify Firebase middleware is working"""
+    return {
+        "message": "Firebase auth successful",
+        "user_id": request.state.user_id,
+        "claims": request.state.user_claims
+    }
 
-@router.get("/volunteer-or-admin")
-@require_roles({UserRole.VOLUNTEER, UserRole.ADMIN})
-async def test_volunteer_or_admin():
-    """Test endpoint requiring volunteer or admin role"""
-    return {"message": "You are a volunteer or admin!"}
-
-@router.get("/participant-only")
-@require_roles({UserRole.PARTICIPANT})
-async def test_participant_only():
-    """Test endpoint requiring participant role"""
-    return {"message": "You are a participant!"}
-
-# User-specific tests
-@router.get("/users/{user_id}/profile")
-@require_user_id()
-async def test_user_specific(user_id: str):
-    """Test endpoint requiring specific user access"""
-    return {"message": f"You can access user {user_id}'s profile!"}
-
-# Combined tests
-@router.get("/users/{user_id}/admin-action")
-@require_roles({UserRole.ADMIN})
-@require_user_id()
-async def test_admin_user_specific(user_id: str):
-    """Test endpoint requiring both admin role and specific user access"""
-    return {"message": f"You are an admin accessing user {user_id}'s data!"} 
+# Test user context middleware
+@router.get("/context")
+async def test_context(request: Request):
+    """Test endpoint to verify user context middleware"""
+    try:
+        return {
+            "request_id": request.state.request_id,
+            "timestamp": request.state.request_timestamp,
+        }
+    except Exception as e:
+        return {
+            "error": str(e)
+        }

backend/app/server.py

@@ -4,8 +4,11 @@
 
 from dotenv import load_dotenv
 from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
 
 from app.routes import auth, email, test_endpoints
+from app.middleware.firebase_auth_middleware import FirebaseAuthMiddleware
+from app.middleware.user_context_middleware import UserContextMiddleware
 
 load_dotenv()
 
@@ -16,6 +19,16 @@
 
 log = logging.getLogger("uvicorn")
 
+# Define paths that don't require authentication
+PUBLIC_PATHS = [
+    "/",
+    "/docs",
+    "/redoc",
+    "/openapi.json",
+    "/auth/login",
+    "/auth/register",
+    "/health"
+]
 
 @asynccontextmanager
 async def lifespan(_: FastAPI):
@@ -25,10 +38,31 @@ async def lifespan(_: FastAPI):
     yield
     log.info("Shutting down...")
 
+app = FastAPI(lifespan=lifespan)
+
+# Add CORS middleware first
+# app.add_middleware(
+#     CORSMiddleware,
+#     allow_origins=["*"],  # Configure this appropriately for production
+#     allow_credentials=True,
+#     allow_methods=["*"],
+#     allow_headers=["*"],
+# )
+
+# Add our custom middleware
+# Note: Middleware is executed in reverse order (last added = first executed)
+app.add_middleware(
+    UserContextMiddleware,
+    exclude_paths=PUBLIC_PATHS
+)
+
+# app.add_middleware(
+#     FirebaseAuthMiddleware,
+#     exclude_paths=PUBLIC_PATHS
+# )
 
 # Source: https://stackoverflow.com/questions/77170361/
 # running-alembic-migrations-on-fastapi-startup
-app = FastAPI(lifespan=lifespan)
 app.include_router(auth.router)
 app.include_router(user.router)
 app.include_router(email.router)

backend/app/services/implementations/auth_service.py

@@ -55,17 +55,10 @@ def send_email_verification_link(self, email: str) -> None:
 
     def is_authorized_by_role(self, access_token: str, roles: set[str]) -> bool:
         try:
-            print("\n=== Auth Service Role Check ===")
-            # print(f"Verifying token: {access_token[:50]}...")
             decoded_token = firebase_admin.auth.verify_id_token(access_token, check_revoked=True)
-            print(f"Decoded token UID: {decoded_token.get('uid')}")
             user_role = self.user_service.get_user_role_by_auth_id(decoded_token["uid"])
-            print(f"User role from DB: {user_role}")
-            print(f"Checking against roles: {roles}")
             firebase_user = firebase_admin.auth.get_user(decoded_token["uid"])
-            print(f"Email verified: {firebase_user.email_verified}")
             result = firebase_user.email_verified and user_role in roles
-            print(f"Final authorization result: {result}")
             return result
         except Exception as e:
             print(f"Authorization error: {str(e)}")