web/auth/session.py

from fastapi import HTTPException
from fastapi.responses import RedirectResponse
from sqlalchemy.orm import Session
from starlette.requests import Request

from web.models.user import User, UserRoleEnum, UserStatusEnum


def get_session_user_id(request: Request) -> int | None:
    return request.session.get("user_id")


def get_current_user(request: Request, db: Session) -> User:
    user_id = get_session_user_id(request)
    if not user_id:
        raise HTTPException(status_code=307, headers={"Location": "/login"})
    user = db.get(User, user_id)
    if not user or user.status == UserStatusEnum.suspended:
        request.session.clear()
        raise HTTPException(status_code=307, headers={"Location": "/login"})
    return user


def get_viewed_user(request: Request, db: Session) -> tuple[User, User]:
    """Return (real_user, viewed_user).

    Admins/system users can view another user's data by having
    `viewed_user_id` set in the session (via /admin/users/{id}/view-as).
    For regular users, both values are the same.
    """
    real_user = get_current_user(request, db)
    is_admin = real_user.role in (UserRoleEnum.admin, UserRoleEnum.system)
    viewed_id = request.session.get("viewed_user_id") if is_admin else None
    if viewed_id:
        viewed = db.get(User, viewed_id)
        if viewed:
            return real_user, viewed
    return real_user, real_user


def login_redirect() -> RedirectResponse:
    return RedirectResponse("/login", status_code=303)
feat: Evotor user lifecycle, RBAC, admin panel - Receive Evotor webhooks: POST /user/create, /user/verify, /user/token - Create users in pending status; match to existing users by email/phone - Send invite link via Celery notification task; user sets password at /invite - Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default - Role-based access control: role enum on users + roles/permissions tables - Admin panel: /admin/users (list, filter, search, paginate), user detail card with activate/suspend/reset-password/send-invite/edit/delete actions - Admin roles management: /admin/roles with per-role permission assignment - Extend user profile card: role, status, Evotor ID, email confirmation badge - Auth routes: register, login, logout, confirm-email, forgot/reset password - Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds) - Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-28 12:01:25 +03:00			`from fastapi import HTTPException`
			`from fastapi.responses import RedirectResponse`
			`from sqlalchemy.orm import Session`
			`from starlette.requests import Request`

feat: remove register, add evo webhooks, admin view-as user - Remove /register route and nav links (users created via Evotor webhook) - Fix evotor_webhooks.py: use phone=None instead of phone="" to avoid unique constraint - Add admin "view as user" feature: POST /admin/users/{id}/view-as sets viewed_user_id in session; POST /admin/view-as/stop clears it - catalog, vk_catalog, sync, connections GET routes use get_viewed_user() so admins see another user's data while browsing - Orange banner shown at top when admin is viewing as another user Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 20:44:25 +03:00			`from web.models.user import User, UserRoleEnum, UserStatusEnum`
feat: Evotor user lifecycle, RBAC, admin panel - Receive Evotor webhooks: POST /user/create, /user/verify, /user/token - Create users in pending status; match to existing users by email/phone - Send invite link via Celery notification task; user sets password at /invite - Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default - Role-based access control: role enum on users + roles/permissions tables - Admin panel: /admin/users (list, filter, search, paginate), user detail card with activate/suspend/reset-password/send-invite/edit/delete actions - Admin roles management: /admin/roles with per-role permission assignment - Extend user profile card: role, status, Evotor ID, email confirmation badge - Auth routes: register, login, logout, confirm-email, forgot/reset password - Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds) - Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-28 12:01:25 +03:00

			`def get_session_user_id(request: Request) -> int \| None:`
			`return request.session.get("user_id")`


			`def get_current_user(request: Request, db: Session) -> User:`
			`user_id = get_session_user_id(request)`
			`if not user_id:`
			`raise HTTPException(status_code=307, headers={"Location": "/login"})`
			`user = db.get(User, user_id)`
			`if not user or user.status == UserStatusEnum.suspended:`
			`request.session.clear()`
			`raise HTTPException(status_code=307, headers={"Location": "/login"})`
			`return user`


feat: remove register, add evo webhooks, admin view-as user - Remove /register route and nav links (users created via Evotor webhook) - Fix evotor_webhooks.py: use phone=None instead of phone="" to avoid unique constraint - Add admin "view as user" feature: POST /admin/users/{id}/view-as sets viewed_user_id in session; POST /admin/view-as/stop clears it - catalog, vk_catalog, sync, connections GET routes use get_viewed_user() so admins see another user's data while browsing - Orange banner shown at top when admin is viewing as another user Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-13 20:44:25 +03:00			`def get_viewed_user(request: Request, db: Session) -> tuple[User, User]:`
			`"""Return (real_user, viewed_user).`

			`Admins/system users can view another user's data by having`
			`viewed_user_id` set in the session (via /admin/users/{id}/view-as).
			`For regular users, both values are the same.`
			`"""`
			`real_user = get_current_user(request, db)`
			`is_admin = real_user.role in (UserRoleEnum.admin, UserRoleEnum.system)`
			`viewed_id = request.session.get("viewed_user_id") if is_admin else None`
			`if viewed_id:`
			`viewed = db.get(User, viewed_id)`
			`if viewed:`
			`return real_user, viewed`
			`return real_user, real_user`


feat: Evotor user lifecycle, RBAC, admin panel - Receive Evotor webhooks: POST /user/create, /user/verify, /user/token - Create users in pending status; match to existing users by email/phone - Send invite link via Celery notification task; user sets password at /invite - Abstract EmailProvider/SMSProvider with ConsoleEmailProvider default - Role-based access control: role enum on users + roles/permissions tables - Admin panel: /admin/users (list, filter, search, paginate), user detail card with activate/suspend/reset-password/send-invite/edit/delete actions - Admin roles management: /admin/roles with per-role permission assignment - Extend user profile card: role, status, Evotor ID, email confirmation badge - Auth routes: register, login, logout, confirm-email, forgot/reset password - Alembic migrations 0002 (full schema + new fields) and 0003 (RBAC + seeds) - Port Pico CSS + Bootstrap Icons UI from Node.js commit (854c912) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-28 12:01:25 +03:00			`def login_redirect() -> RedirectResponse:`
			`return RedirectResponse("/login", status_code=303)`