backend/src/v1/auth/router.py

from __future__ import annotations

from typing import Annotated

from fastapi import APIRouter, Depends, Response
from fastapi import HTTPException

from core.auth.models import CurrentUser
from v1.auth.rate_limit import enforce_rate_limit
from v1.auth.dependencies import get_auth_service
from v1.users.dependencies import get_current_user
from v1.auth.schemas import (
    PasswordResetConfirmRequest,
    PasswordResetRequest,
    SessionCreateRequest,
    SessionDeleteRequest,
    SessionRefreshRequest,
    SessionResponse,
    UserByEmailResponse,
    VerificationCreateRequest,
    VerificationCreateResponse,
    VerificationResendRequest,
    VerificationVerifyRequest,
)
from v1.auth.service import AuthService


router = APIRouter(prefix="/auth", tags=["auth"])


@router.post(
    "/verifications", response_model=VerificationCreateResponse, status_code=202
)
async def create_verification(
    payload: VerificationCreateRequest,
    service: AuthService = Depends(get_auth_service),
) -> VerificationCreateResponse:
    await enforce_rate_limit(
        scope="signup_start",
        identifier=payload.email,
        limit=5,
        window_seconds=60,
    )
    return await service.create_verification(payload)


@router.post("/verifications/verify", response_model=SessionResponse)
async def verify_verification(
    payload: VerificationVerifyRequest,
    service: AuthService = Depends(get_auth_service),
) -> SessionResponse:
    await enforce_rate_limit(
        scope="signup_verify",
        identifier=payload.email,
        limit=10,
        window_seconds=600,
    )
    return await service.verify_verification(payload)


@router.post("/verifications/resend", status_code=204)
async def resend_verification(
    payload: VerificationResendRequest,
    service: AuthService = Depends(get_auth_service),
) -> Response:
    await enforce_rate_limit(
        scope="signup_resend",
        identifier=payload.email,
        limit=5,
        window_seconds=60,
    )
    await service.resend_verification(payload)
    return Response(status_code=204)


@router.post("/sessions", response_model=SessionResponse)
async def create_session(
    payload: SessionCreateRequest,
    service: AuthService = Depends(get_auth_service),
) -> SessionResponse:
    await enforce_rate_limit(
        scope="login",
        identifier=payload.email,
        limit=10,
        window_seconds=60,
    )
    return await service.create_session(payload)


@router.post("/sessions/refresh", response_model=SessionResponse)
async def refresh_session(
    payload: SessionRefreshRequest,
    service: AuthService = Depends(get_auth_service),
) -> SessionResponse:
    await enforce_rate_limit(
        scope="refresh",
        identifier=payload.refresh_token,
        limit=10,
        window_seconds=60,
    )
    return await service.refresh_session(payload)


@router.delete("/sessions", status_code=204)
async def delete_session(
    payload: SessionDeleteRequest,
    service: AuthService = Depends(get_auth_service),
) -> Response:
    await enforce_rate_limit(
        scope="logout",
        identifier=payload.refresh_token,
        limit=10,
        window_seconds=60,
    )
    await service.delete_session(payload.refresh_token)
    return Response(status_code=204)


@router.get("/users", response_model=UserByEmailResponse)
async def get_user_by_email(
    email: str,
    current_user: Annotated[CurrentUser, Depends(get_current_user)],
    service: AuthService = Depends(get_auth_service),
) -> UserByEmailResponse:
    if current_user.role != "service_role" and current_user.email != email:
        raise HTTPException(status_code=403, detail="Forbidden")
    return await service.get_user_by_email(email)


@router.post("/password-reset", status_code=204)
async def request_password_reset(
    payload: PasswordResetRequest,
    service: AuthService = Depends(get_auth_service),
) -> Response:
    await enforce_rate_limit(
        scope="password_reset_request",
        identifier=payload.email,
        limit=5,
        window_seconds=60,
    )
    await service.request_password_reset(payload)
    return Response(status_code=204)


@router.post("/password-reset/confirm", status_code=204)
async def confirm_password_reset(
    payload: PasswordResetConfirmRequest,
    service: AuthService = Depends(get_auth_service),
) -> Response:
    await enforce_rate_limit(
        scope="password_reset_confirm",
        identifier=payload.email,
        limit=10,
        window_seconds=600,
    )
    await service.confirm_password_reset(payload)
    return Response(status_code=204)
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from __future__ import annotations`

feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from typing import Annotated`

refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from fastapi import APIRouter, Depends, Response`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from fastapi import HTTPException`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from core.auth.models import CurrentUser`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`from v1.auth.rate_limit import enforce_rate_limit`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from v1.auth.dependencies import get_auth_service`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`from v1.users.dependencies import get_current_user`
fix: 恢复Celery配置 + 修复测试文件 2026-02-24 16:38:30 +08:00			`from v1.auth.schemas import (`
feat: 实现密码重置功能与用户搜索API，优化注册登录流程 2026-02-27 15:22:42 +08:00			`PasswordResetConfirmRequest,`
			`PasswordResetRequest,`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`SessionCreateRequest,`
			`SessionDeleteRequest,`
			`SessionRefreshRequest,`
			`SessionResponse,`
			`UserByEmailResponse,`
			`VerificationCreateRequest,`
			`VerificationCreateResponse,`
			`VerificationResendRequest,`
			`VerificationVerifyRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`)`
			`from v1.auth.service import AuthService`


			`router = APIRouter(prefix="/auth", tags=["auth"])`


refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.post(`
			`"/verifications", response_model=VerificationCreateResponse, status_code=202`
			`)`
			`async def create_verification(`
			`payload: VerificationCreateRequest,`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> VerificationCreateResponse:`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`await enforce_rate_limit(`
			`scope="signup_start",`
			`identifier=payload.email,`
			`limit=5,`
			`window_seconds=60,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`return await service.create_verification(payload)`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.post("/verifications/verify", response_model=SessionResponse)`
			`async def verify_verification(`
			`payload: VerificationVerifyRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> SessionResponse:`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`await enforce_rate_limit(`
			`scope="signup_verify",`
			`identifier=payload.email,`
			`limit=10,`
			`window_seconds=600,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`return await service.verify_verification(payload)`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.post("/verifications/resend", status_code=204)`
			`async def resend_verification(`
			`payload: VerificationResendRequest,`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> Response:`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`await enforce_rate_limit(`
			`scope="signup_resend",`
			`identifier=payload.email,`
fix(auth): validation toast and rate limit adjustment 2026-02-26 12:07:40 +08:00			`limit=5,`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`window_seconds=60,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`await service.resend_verification(payload)`
			`return Response(status_code=204)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.post("/sessions", response_model=SessionResponse)`
			`async def create_session(`
			`payload: SessionCreateRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> SessionResponse:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="login",`
			`identifier=payload.email,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`return await service.create_session(payload)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.post("/sessions/refresh", response_model=SessionResponse)`
			`async def refresh_session(`
			`payload: SessionRefreshRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> SessionResponse:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="refresh",`
			`identifier=payload.refresh_token,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`return await service.refresh_session(payload)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.delete("/sessions", status_code=204)`
			`async def delete_session(`
			`payload: SessionDeleteRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`service: AuthService = Depends(get_auth_service),`
			`) -> Response:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="logout",`
			`identifier=payload.refresh_token,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`await service.delete_session(payload.refresh_token)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`return Response(status_code=204)`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00

refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`@router.get("/users", response_model=UserByEmailResponse)`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`async def get_user_by_email(`
			`email: str,`
			`current_user: Annotated[CurrentUser, Depends(get_current_user)],`
			`service: AuthService = Depends(get_auth_service),`
refactor: Phase 2 - rename routes to RESTful style 2026-02-26 13:41:32 +08:00			`) -> UserByEmailResponse:`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`if current_user.role != "service_role" and current_user.email != email:`
			`raise HTTPException(status_code=403, detail="Forbidden")`
			`return await service.get_user_by_email(email)`
feat: 实现密码重置功能与用户搜索API，优化注册登录流程 2026-02-27 15:22:42 +08:00

			`@router.post("/password-reset", status_code=204)`
			`async def request_password_reset(`
			`payload: PasswordResetRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> Response:`
			`await enforce_rate_limit(`
			`scope="password_reset_request",`
			`identifier=payload.email,`
			`limit=5,`
			`window_seconds=60,`
			`)`
			`await service.request_password_reset(payload)`
			`return Response(status_code=204)`


			`@router.post("/password-reset/confirm", status_code=204)`
			`async def confirm_password_reset(`
			`payload: PasswordResetConfirmRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> Response:`
			`await enforce_rate_limit(`
			`scope="password_reset_confirm",`
			`identifier=payload.email,`
			`limit=10,`
			`window_seconds=600,`
			`)`
			`await service.confirm_password_reset(payload)`
			`return Response(status_code=204)`