backend/app/api/auth.py

"""登录/刷新/登出。"""
from __future__ import annotations

from datetime import datetime, timezone

from fastapi import APIRouter, Depends, HTTPException, status
from jwt.exceptions import InvalidTokenError
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.config import settings
from app.core.security import (
    create_access_token,
    create_refresh_token,
    decode_token,
    verify_password,
)
from app.database import get_session
from app.models.user import User
from app.schemas.auth import LoginRequest, RefreshRequest, TokenPair

router = APIRouter(prefix="/auth", tags=["auth"])


def _pair_for(user: User) -> TokenPair:
    access = create_access_token(user.id, extra={"role": user.role.value})
    refresh = create_refresh_token(user.id)
    return TokenPair(
        access_token=access,
        refresh_token=refresh,
        expires_in=settings.access_token_ttl_min * 60,
    )


@router.post("/login", response_model=TokenPair)
async def login(body: LoginRequest, session: AsyncSession = Depends(get_session)):
    user = (
        await session.execute(select(User).where(User.username == body.username))
        .scalars()
        .first()
    )
    if not user or not user.is_active or not verify_password(body.password, user.password_hash):
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")
    user.last_login_at = datetime.now(timezone.utc)
    await session.commit()
    return _pair_for(user)


@router.post("/refresh", response_model=TokenPair)
async def refresh(body: RefreshRequest, session: AsyncSession = Depends(get_session)):
    try:
        payload = decode_token(body.refresh_token)
        if payload.get("type") != "refresh":
            raise InvalidTokenError("wrong type")
        uid = int(payload["sub"])
    except (InvalidTokenError, KeyError, ValueError):
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")
    user = (
        await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))
        .scalars()
        .first()
    )
    if not user:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")
    return _pair_for(user)
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`"""登录/刷新/登出。"""`
			`from __future__ import annotations`

			`from datetime import datetime, timezone`

			`from fastapi import APIRouter, Depends, HTTPException, status`
			`from jwt.exceptions import InvalidTokenError`
			`from sqlalchemy import select`
			`from sqlalchemy.ext.asyncio import AsyncSession`

			`from app.config import settings`
			`from app.core.security import (`
			`create_access_token,`
			`create_refresh_token,`
			`decode_token,`
			`verify_password,`
			`)`
			`from app.database import get_session`
			`from app.models.user import User`
			`from app.schemas.auth import LoginRequest, RefreshRequest, TokenPair`

			`router = APIRouter(prefix="/auth", tags=["auth"])`


			`def _pair_for(user: User) -> TokenPair:`
			`access = create_access_token(user.id, extra={"role": user.role.value})`
			`refresh = create_refresh_token(user.id)`
			`return TokenPair(`
			`access_token=access,`
			`refresh_token=refresh,`
			`expires_in=settings.access_token_ttl_min * 60,`
			`)`


			`@router.post("/login", response_model=TokenPair)`
			`async def login(body: LoginRequest, session: AsyncSession = Depends(get_session)):`
			`user = (`
			`await session.execute(select(User).where(User.username == body.username))`
			`.scalars()`
			`.first()`
			`)`
			`if not user or not user.is_active or not verify_password(body.password, user.password_hash):`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")`
			`user.last_login_at = datetime.now(timezone.utc)`
			`await session.commit()`
			`return _pair_for(user)`


			`@router.post("/refresh", response_model=TokenPair)`
			`async def refresh(body: RefreshRequest, session: AsyncSession = Depends(get_session)):`
			`try:`
			`payload = decode_token(body.refresh_token)`
			`if payload.get("type") != "refresh":`
			`raise InvalidTokenError("wrong type")`
			`uid = int(payload["sub"])`
			`except (InvalidTokenError, KeyError, ValueError):`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")`
			`user = (`
			`await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))`
			`.scalars()`
			`.first()`
			`)`
			`if not user:`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")`
			`return _pair_for(user)`