feat: add correct keys to User interface

db.py

@@ -69,6 +69,7 @@ class User(SQLModel, table=True):
     disabled: bool | None = None
     hashed_password: str | None = None
     player_id: int | None = Field(default=None, foreign_key="player.id")
+    scopes: str = ""
 
 
 SQLModel.metadata.create_all(engine)

main.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, FastAPI, status
+from fastapi import APIRouter, Depends, FastAPI, Security, status
 from fastapi.staticfiles import StaticFiles
 from db import Player, Team, Chemistry, MVPRanking, engine
 from sqlmodel import (
@@ -106,7 +106,8 @@ class SPAStaticFiles(StaticFiles):
 api_router.include_router(player_router)
 api_router.include_router(team_router)
 api_router.include_router(
-    analysis_router, dependencies=[Depends(get_current_active_user)]
+    analysis_router,
+    dependencies=[Security(get_current_active_user, scopes=["analysis"])],
 )
 api_router.add_api_route("/token", endpoint=login_for_access_token, methods=["POST"])
 api_router.add_api_route("/users/me/", endpoint=read_users_me, methods=["GET"])

security.py

@@ -1,12 +1,16 @@
 from datetime import timedelta, timezone, datetime
 from typing import Annotated
 from fastapi import Depends, HTTPException, Response, status
-from pydantic import BaseModel
+from pydantic import BaseModel, ValidationError
 import jwt
 from jwt.exceptions import InvalidTokenError
 from sqlmodel import Session, select
 from db import engine, User
-from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from fastapi.security import (
+    OAuth2PasswordBearer,
+    OAuth2PasswordRequestForm,
+    SecurityScopes,
+)
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from passlib.context import CryptContext
 from sqlalchemy.exc import OperationalError
@@ -30,12 +34,18 @@ class Token(BaseModel):
 
 class TokenData(BaseModel):
     username: str | None = None
+    scopes: list[str] = []
 
 
 pwd_context = CryptContext(schemes=["argon2"], deprecated="auto")
 
 
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/token")
+oauth2_scheme = OAuth2PasswordBearer(
+    tokenUrl="api/token",
+    scopes={
+        "analysis": "Access the results.",
+    },
+)
 
 
 def verify_password(plain_password, hashed_password):
@@ -77,23 +87,37 @@ def create_access_token(data: dict, expires_delta: timedelta | None = None):
     return encoded_jwt
 
 
-async def get_current_user(token: Annotated[str, Depends(oauth2_scheme)]):
+async def get_current_user(
+    security_scopes: SecurityScopes, token: Annotated[str, Depends(oauth2_scheme)]
+):
+    if security_scopes.scopes:
+        authenticate_value = f'Bearer scope="{security_scopes.scope_str}"'
+    else:
+        authenticate_value = "Bearer"
     credentials_exception = HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
         detail="Could not validate credentials",
-        headers={"WWW-Authenticate": "Bearer"},
+        headers={"WWW-Authenticate": authenticate_value},
     )
     try:
         payload = jwt.decode(token, config.secret_key, algorithms=["HS256"])
         username: str = payload.get("sub")
         if username is None:
             raise credentials_exception
-        token_data = TokenData(username=username)
-    except InvalidTokenError:
+        token_scopes = payload.get("scopes", [])
+        token_data = TokenData(username=username, scopes=token_scopes)
+    except (InvalidTokenError, ValidationError):
         raise credentials_exception
     user = get_user(username=token_data.username)
     if user is None:
         raise credentials_exception
+    for scope in security_scopes.scopes:
+        if scope not in token_data.scopes:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Not enough permissions",
+                headers={"WWW-Authenticate": authenticate_value},
+            )
     return user
 
 
@@ -116,8 +140,11 @@ async def login_for_access_token(
             headers={"WWW-Authenticate": "Bearer"},
         )
     access_token_expires = timedelta(minutes=config.access_token_expire_minutes)
+    allowed_scopes = set(user.scopes.split())
+    requested_scopes = set(form_data.scopes)
     access_token = create_access_token(
-        data={"sub": user.username}, expires_delta=access_token_expires
+        data={"sub": user.username, "scopes": list(allowed_scopes & requested_scopes)},
+        expires_delta=access_token_expires,
     )
     response.set_cookie(
         "Authorization", value=f"Bearer {access_token}", httponly=True, samesite="none"

src/api.ts

@@ -18,46 +18,18 @@ export default async function api(path: string, data: any): Promise<any> {
   return response;
 }
 
-export async function apiAuth(path: string, data: any, method: string = "GET"): Promise<any> {
-
-  const req = new Request(`${baseUrl}api/${path}`,
-    {
-      method: method,
-      headers: {
-        "Authorization": `Bearer ${token()} `,
-        'Content-Type': 'application/json'
-      },
-      ...(data && { body: JSON.stringify(data) })
-    }
-  );
-  let resp: Response;
-  try {
-    resp = await fetch(req);
-  } catch (e) {
-    throw new Error(`request failed: ${e}`);
-  }
-
-  if (!resp.ok) {
-    if (resp.status === 401) {
-      logout()
-      throw new Error('Unauthorized');
-    }
-  }
-  return resp.json()
-}
-
-export type User = {
-  username: string;
-  fullName: string;
-}
-
-export async function currentUser(): Promise<User> {
-  if (!token()) throw new Error("you have no access token")
-  const req = new Request(`${baseUrl}api/users/me/`, {
-    method: "GET", headers: {
-      "Authorization": `Bearer ${token()} `,
-      'Content-Type': 'application/json'
-    }
+export async function apiAuth(
+  path: string,
+  data: any,
+  method: string = "GET"
+): Promise<any> {
+  const req = new Request(`${baseUrl}api/${path}`, {
+    method: method,
+    headers: {
+      Authorization: `Bearer ${token()} `,
+      "Content-Type": "application/json",
+    },
+    ...(data && { body: JSON.stringify(data) }),
   });
   let resp: Response;
   try {
@@ -68,8 +40,40 @@ export async function currentUser(): Promise<User> {
 
   if (!resp.ok) {
     if (resp.status === 401) {
-      logout()
-      throw new Error('Unauthorized');
+      logout();
+      throw new Error("Unauthorized");
+    }
+  }
+  return resp.json();
+}
+
+export type User = {
+  username: string;
+  full_name: string;
+  email: string;
+  player_id: number;
+};
+
+export async function currentUser(): Promise<User> {
+  if (!token()) throw new Error("you have no access token");
+  const req = new Request(`${baseUrl}api/users/me/`, {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${token()} `,
+      "Content-Type": "application/json",
+    },
+  });
+  let resp: Response;
+  try {
+    resp = await fetch(req);
+  } catch (e) {
+    throw new Error(`request failed: ${e}`);
+  }
+
+  if (!resp.ok) {
+    if (resp.status === 401) {
+      logout();
+      throw new Error("Unauthorized");
     }
   }
   return resp.json() as Promise<User>;
@@ -86,11 +90,20 @@ export type Token = {
 
 export const login = (req: LoginRequest) => {
   fetch(`${baseUrl}api/token`, {
-    method: "POST", headers: {
-      'Content-Type': 'application/x-www-form-urlencoded',
-    }, body: new URLSearchParams(req).toString()
-  }).then(resp => resp.json() as Promise<Token>).then(token => token ? localStorage.setItem("access_token", token.access_token) : console.log("token not acquired")).catch((e) => console.log("catch error " + e + " in login"));
-  return Promise<void>
-}
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: new URLSearchParams(req).toString(),
+  })
+    .then((resp) => resp.json() as Promise<Token>)
+    .then((token) =>
+      token
+        ? localStorage.setItem("access_token", token.access_token)
+        : console.log("token not acquired")
+    )
+    .catch((e) => console.log("catch error " + e + " in login"));
+  return Promise<void>;
+};
 
 export const logout = () => localStorage.removeItem("access_token");