step 9 complete: auth middleware, tier-aware rate limiter, and response sanitizer

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 22:18:17 +01:00
parent 4c4df7335a
commit 3e07fff958
8 changed files with 661 additions and 44 deletions
--- a/app/api/deps.py
+++ b/app/api/deps.py
@@ -1,46 +1,14 @@
 """Shared FastAPI dependencies.

-``get_current_user`` decodes the Bearer JWT and returns a ``UserProfile``.
-Step 9 will layer rate-limiting and sanitization middleware on top of this.
-Step 12 will add a DB look-up to fetch the live tier from PostgreSQL.
+``get_current_user`` and ``oauth2_scheme`` live in ``app.api.middleware.auth``
+(the canonical location per Step 9).  This module re-exports them so that all
+existing route imports (``from app.api.deps import get_current_user``) continue
+to work without modification.
+
+Step 12 will update ``get_current_user`` to fetch the live tier from PostgreSQL
+instead of reading it from the JWT payload.
 """

-from __future__ import annotations
+from app.api.middleware.auth import get_current_user, oauth2_scheme  # noqa: F401

-from fastapi import Depends, HTTPException, status
-from fastapi.security import OAuth2PasswordBearer
-from jose import JWTError, jwt
-
-from app.config.settings import settings
-from app.schemas import BillingTier, UserProfile
-
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
-
-
-async def get_current_user(
-    token: str = Depends(oauth2_scheme),
-) -> UserProfile:
-    """Validate a Bearer JWT and return the authenticated user.
-
-    Raises ``HTTP 401`` on any invalid or expired token.
-    The tier embedded in the JWT is used for feature-gating until Step 12
-    adds a live DB lookup.
-    """
-    credentials_exc = HTTPException(
-        status_code=status.HTTP_401_UNAUTHORIZED,
-        detail="Could not validate credentials",
-        headers={"WWW-Authenticate": "Bearer"},
-    )
-    try:
-        payload = jwt.decode(
-            token, settings.JWT_SECRET, algorithms=[settings.JWT_ALGORITHM]
-        )
-        user_id: str | None = payload.get("sub")
-        email: str | None = payload.get("email")
-        tier: str = payload.get("tier", "free")
-        if not user_id or not email:
-            raise credentials_exc
-    except JWTError:
-        raise credentials_exc
-
-    return UserProfile(id=user_id, email=email, tier=tier)  # type: ignore[arg-type]
+__all__ = ["get_current_user", "oauth2_scheme"]