backend/src/v1/auth/router.py

from __future__ import annotations

from typing import Annotated

from fastapi import APIRouter, Depends, Response
from fastapi import HTTPException

from core.auth.models import CurrentUser
from v1.auth.rate_limit import enforce_rate_limit
from v1.auth.dependencies import get_auth_service
from v1.profile.dependencies import get_current_user
from v1.auth.schemas import (
    AuthResendCodeResponse,
    AuthSignupStartResponse,
    AuthTokenResponse,
    AuthUserByEmailResponse,
    LoginRequest,
    LogoutRequest,
    RefreshRequest,
    SignupResendRequest,
    SignupStartRequest,
    SignupVerifyRequest,
)
from v1.auth.service import AuthService


router = APIRouter(prefix="/auth", tags=["auth"])


@router.post("/signup/start", response_model=AuthSignupStartResponse, status_code=202)
async def signup_start(
    payload: SignupStartRequest,
    service: AuthService = Depends(get_auth_service),
) -> AuthSignupStartResponse:
    await enforce_rate_limit(
        scope="signup_start",
        identifier=payload.email,
        limit=5,
        window_seconds=60,
    )
    return await service.signup_start(payload)


@router.post("/signup/verify", response_model=AuthTokenResponse)
async def signup_verify(
    payload: SignupVerifyRequest,
    service: AuthService = Depends(get_auth_service),
) -> AuthTokenResponse:
    await enforce_rate_limit(
        scope="signup_verify",
        identifier=payload.email,
        limit=10,
        window_seconds=600,
    )
    return await service.signup_verify(payload)


@router.post("/signup/resend", response_model=AuthResendCodeResponse)
async def signup_resend(
    payload: SignupResendRequest,
    service: AuthService = Depends(get_auth_service),
) -> AuthResendCodeResponse:
    await enforce_rate_limit(
        scope="signup_resend",
        identifier=payload.email,
        limit=5,
        window_seconds=60,
    )
    return await service.signup_resend(payload)


@router.post("/login", response_model=AuthTokenResponse)
async def login(
    payload: LoginRequest,
    service: AuthService = Depends(get_auth_service),
) -> AuthTokenResponse:
    await enforce_rate_limit(
        scope="login",
        identifier=payload.email,
        limit=10,
        window_seconds=60,
    )
    return await service.login(payload)


@router.post("/refresh", response_model=AuthTokenResponse)
async def refresh(
    payload: RefreshRequest,
    service: AuthService = Depends(get_auth_service),
) -> AuthTokenResponse:
    await enforce_rate_limit(
        scope="refresh",
        identifier=payload.refresh_token,
        limit=10,
        window_seconds=60,
    )
    return await service.refresh(payload)


@router.post("/logout", status_code=204)
async def logout(
    payload: LogoutRequest,
    service: AuthService = Depends(get_auth_service),
) -> Response:
    await enforce_rate_limit(
        scope="logout",
        identifier=payload.refresh_token,
        limit=10,
        window_seconds=60,
    )
    await service.logout(payload.refresh_token)
    return Response(status_code=204)


@router.get("/users/by-email", response_model=AuthUserByEmailResponse)
async def get_user_by_email(
    email: str,
    current_user: Annotated[CurrentUser, Depends(get_current_user)],
    service: AuthService = Depends(get_auth_service),
) -> AuthUserByEmailResponse:
    if current_user.role != "service_role" and current_user.email != email:
        raise HTTPException(status_code=403, detail="Forbidden")
    return await service.get_user_by_email(email)
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from __future__ import annotations`

feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from typing import Annotated`

refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from fastapi import APIRouter, Depends, Response`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from fastapi import HTTPException`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from core.auth.models import CurrentUser`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`from v1.auth.rate_limit import enforce_rate_limit`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`from v1.auth.dependencies import get_auth_service`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`from v1.profile.dependencies import get_current_user`
fix: 恢复Celery配置 + 修复测试文件 2026-02-24 16:38:30 +08:00			`from v1.auth.schemas import (`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`AuthResendCodeResponse,`
			`AuthSignupStartResponse,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`AuthTokenResponse,`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00			`AuthUserByEmailResponse,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`LoginRequest,`
			`LogoutRequest,`
			`RefreshRequest,`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`SignupResendRequest,`
			`SignupStartRequest,`
			`SignupVerifyRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`)`
			`from v1.auth.service import AuthService`


			`router = APIRouter(prefix="/auth", tags=["auth"])`


feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`@router.post("/signup/start", response_model=AuthSignupStartResponse, status_code=202)`
			`async def signup_start(`
			`payload: SignupStartRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthSignupStartResponse:`
			`await enforce_rate_limit(`
			`scope="signup_start",`
			`identifier=payload.email,`
			`limit=5,`
			`window_seconds=60,`
			`)`
			`return await service.signup_start(payload)`


			`@router.post("/signup/verify", response_model=AuthTokenResponse)`
			`async def signup_verify(`
			`payload: SignupVerifyRequest,`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthTokenResponse:`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`await enforce_rate_limit(`
			`scope="signup_verify",`
			`identifier=payload.email,`
			`limit=10,`
			`window_seconds=600,`
			`)`
			`return await service.signup_verify(payload)`


			`@router.post("/signup/resend", response_model=AuthResendCodeResponse)`
			`async def signup_resend(`
			`payload: SignupResendRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthResendCodeResponse:`
			`await enforce_rate_limit(`
			`scope="signup_resend",`
			`identifier=payload.email,`
fix(auth): validation toast and rate limit adjustment 2026-02-26 12:07:40 +08:00			`limit=5,`
feat(auth): switch signup to OTP verification flow 2026-02-25 13:34:02 +08:00			`window_seconds=60,`
			`)`
			`return await service.signup_resend(payload)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00

			`@router.post("/login", response_model=AuthTokenResponse)`
			`async def login(`
			`payload: LoginRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthTokenResponse:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="login",`
			`identifier=payload.email,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`return await service.login(payload)`


			`@router.post("/refresh", response_model=AuthTokenResponse)`
			`async def refresh(`
			`payload: RefreshRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthTokenResponse:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="refresh",`
			`identifier=payload.refresh_token,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`return await service.refresh(payload)`


			`@router.post("/logout", status_code=204)`
			`async def logout(`
			`payload: LogoutRequest,`
			`service: AuthService = Depends(get_auth_service),`
			`) -> Response:`
feat(agent-chat): complete core workflow and strengthen auth rate limiting 2026-02-25 16:51:12 +08:00			`await enforce_rate_limit(`
			`scope="logout",`
			`identifier=payload.refresh_token,`
			`limit=10,`
			`window_seconds=60,`
			`)`
refactor: align backend layout and supabase infra 2026-02-05 15:13:06 +08:00			`await service.logout(payload.refresh_token)`
			`return Response(status_code=204)`
feat: complete auth/profile username migration and runtime safeguards 2026-02-25 10:20:43 +08:00

			`@router.get("/users/by-email", response_model=AuthUserByEmailResponse)`
			`async def get_user_by_email(`
			`email: str,`
			`current_user: Annotated[CurrentUser, Depends(get_current_user)],`
			`service: AuthService = Depends(get_auth_service),`
			`) -> AuthUserByEmailResponse:`
			`if current_user.role != "service_role" and current_user.email != email:`
			`raise HTTPException(status_code=403, detail="Forbidden")`
			`return await service.get_user_by_email(email)`