app/core/security.py

"""Security utilities for JWT and password hashing."""

import hashlib
import secrets
from datetime import UTC, datetime, timedelta
from typing import Any
from uuid import UUID, uuid4

import bcrypt
from jose import JWTError, jwt

from app.config import settings


def hash_password(password: str) -> str:
    """Hash a password using bcrypt."""
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()


def verify_password(plain_password: str, hashed_password: str) -> bool:
    """Verify a password against its hash."""
    return bcrypt.checkpw(plain_password.encode(), hashed_password.encode())


def create_access_token(
    sub: str,
    org_id: str,
    org_role: str,
    expires_delta: timedelta | None = None,
) -> str:
    """Create a JWT access token with org context."""
    if expires_delta is None:
        expires_delta = timedelta(minutes=settings.access_token_expire_minutes)

    now = datetime.now(UTC)
    expire = now + expires_delta

    payload = {
        "sub": sub,
        "org_id": org_id,
        "org_role": org_role,
        "iss": settings.jwt_issuer,
        "aud": settings.jwt_audience,
        "jti": str(uuid4()),
        "iat": now,
        "exp": expire,
    }

    return jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm)


def decode_access_token(token: str) -> dict[str, Any]:
    """Decode and validate a JWT access token.

    Raises:
        JWTError: If token is invalid or expired.
    """
    return jwt.decode(
        token,
        settings.jwt_secret_key,
        algorithms=[settings.jwt_algorithm],
        issuer=settings.jwt_issuer,
        audience=settings.jwt_audience,
    )


def generate_refresh_token() -> str:
    """Generate a secure random refresh token."""
    return secrets.token_urlsafe(32)


def hash_token(token: str) -> str:
    """Hash a refresh token for storage."""
    return hashlib.sha256(token.encode()).hexdigest()


def get_refresh_token_expiry() -> datetime:
    """Get expiry datetime for a new refresh token."""
    return datetime.now(UTC) + timedelta(days=settings.refresh_token_expire_days)


class TokenPayload:
    """Parsed JWT token payload."""

    def __init__(self, payload: dict[str, Any]) -> None:
        self.user_id = UUID(payload["sub"])
        self.org_id = UUID(payload["org_id"])
        self.org_role = payload["org_role"]
        self.issuer = payload["iss"]
        self.audience = payload["aud"]
        self.jti = UUID(payload["jti"])
        self.issued_at = payload["iat"]
        self.expires_at = payload["exp"]


__all__ = [
    "JWTError",
    "TokenPayload",
    "create_access_token",
    "decode_access_token",
    "generate_refresh_token",
    "get_refresh_token_expiry",
    "hash_password",
    "hash_token",
    "verify_password",
]
feat: project skeleton - infra (k8s, kind, helm, docker) backbone is implemented - security: implementation + unit tests are done 2025-11-21 12:00:00 -05:00			`"""Security utilities for JWT and password hashing."""`

			`import hashlib`
			`import secrets`
			`from datetime import UTC, datetime, timedelta`
			`from typing import Any`
			`from uuid import UUID, uuid4`

			`import bcrypt`
			`from jose import JWTError, jwt`

			`from app.config import settings`


			`def hash_password(password: str) -> str:`
			`"""Hash a password using bcrypt."""`
			`return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()`


			`def verify_password(plain_password: str, hashed_password: str) -> bool:`
			`"""Verify a password against its hash."""`
			`return bcrypt.checkpw(plain_password.encode(), hashed_password.encode())`


			`def create_access_token(`
			`sub: str,`
			`org_id: str,`
			`org_role: str,`
			`expires_delta: timedelta \| None = None,`
			`) -> str:`
			`"""Create a JWT access token with org context."""`
			`if expires_delta is None:`
			`expires_delta = timedelta(minutes=settings.access_token_expire_minutes)`

			`now = datetime.now(UTC)`
			`expire = now + expires_delta`

			`payload = {`
			`"sub": sub,`
			`"org_id": org_id,`
			`"org_role": org_role,`
			`"iss": settings.jwt_issuer,`
			`"aud": settings.jwt_audience,`
			`"jti": str(uuid4()),`
			`"iat": now,`
			`"exp": expire,`
			`}`

			`return jwt.encode(payload, settings.jwt_secret_key, algorithm=settings.jwt_algorithm)`


			`def decode_access_token(token: str) -> dict[str, Any]:`
			`"""Decode and validate a JWT access token.`

			`Raises:`
			`JWTError: If token is invalid or expired.`
			`"""`
			`return jwt.decode(`
			`token,`
			`settings.jwt_secret_key,`
			`algorithms=[settings.jwt_algorithm],`
			`issuer=settings.jwt_issuer,`
			`audience=settings.jwt_audience,`
			`)`


			`def generate_refresh_token() -> str:`
			`"""Generate a secure random refresh token."""`
			`return secrets.token_urlsafe(32)`


			`def hash_token(token: str) -> str:`
			`"""Hash a refresh token for storage."""`
			`return hashlib.sha256(token.encode()).hexdigest()`


			`def get_refresh_token_expiry() -> datetime:`
			`"""Get expiry datetime for a new refresh token."""`
			`return datetime.now(UTC) + timedelta(days=settings.refresh_token_expire_days)`


			`class TokenPayload:`
			`"""Parsed JWT token payload."""`

			`def __init__(self, payload: dict[str, Any]) -> None:`
			`self.user_id = UUID(payload["sub"])`
			`self.org_id = UUID(payload["org_id"])`
			`self.org_role = payload["org_role"]`
			`self.issuer = payload["iss"]`
			`self.audience = payload["aud"]`
			`self.jti = UUID(payload["jti"])`
			`self.issued_at = payload["iat"]`
			`self.expires_at = payload["exp"]`


			`__all__ = [`
			`"JWTError",`
			`"TokenPayload",`
			`"create_access_token",`
			`"decode_access_token",`
			`"generate_refresh_token",`
			`"get_refresh_token_expiry",`
			`"hash_password",`
			`"hash_token",`
			`"verify_password",`
			`]`