galaxis-po/backend/app/core/security.py

"""
Security utilities for authentication.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional

import bcrypt
import jwt
from jwt.exceptions import PyJWTError

from app.core.config import get_settings

settings = get_settings()


def sha256_hash(password: str) -> str:
    """SHA-256 hash a raw password (matches client-side hashing)."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_password(sha256_password: str, hashed_password: str) -> bool:
    """Verify a SHA-256 hashed password against its bcrypt hash."""
    return bcrypt.checkpw(
        sha256_password.encode(), hashed_password.encode()
    )


def get_password_hash(raw_password: str) -> str:
    """Hash a raw password: SHA-256 then bcrypt."""
    return bcrypt.hashpw(
        sha256_hash(raw_password).encode(), bcrypt.gensalt()
    ).decode()


def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
    """Create a JWT access token."""
    to_encode = data.copy()
    if expires_delta:
        expire = datetime.now(timezone.utc) + expires_delta
    else:
        expire = datetime.now(timezone.utc) + timedelta(
            minutes=settings.access_token_expire_minutes
        )
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(
        to_encode, settings.jwt_secret, algorithm=settings.jwt_algorithm
    )
    return encoded_jwt


def decode_access_token(token: str) -> Optional[dict]:
    """Decode and verify a JWT access token."""
    try:
        payload = jwt.decode(
            token, settings.jwt_secret, algorithms=[settings.jwt_algorithm]
        )
        return payload
    except PyJWTError:
        return None
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00			`"""`
			`Security utilities for authentication.`
			`"""`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`import hashlib`
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00			`from datetime import datetime, timedelta, timezone`
			`from typing import Optional`

fix: remove passlib dependency and fix FastAPI deprecation warnings - Replace passlib with direct bcrypt usage to eliminate the 'module bcrypt has no attribute __about__' warning - Change Query(regex=) to Query(pattern=) per FastAPI deprecation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:34:32 +09:00			`import bcrypt`
chore: upgrade dependencies to latest compatible versions - Node.js: 22 → 24 (Active LTS) - PostgreSQL: 15 → 18 - FastAPI: 0.115.6 → 0.128.2 - Uvicorn: 0.34.0 → 0.40.0 - SQLAlchemy: 2.0.36 → 2.0.46 - Alembic: 1.14.0 → 1.18.3 - Pydantic: 2.10.4 → 2.12.5 - pandas: 2.2.3 → 2.3.3 - pykrx: 1.0.45 → 1.2.3 - React: 19.2.3 → 19.2.4 Breaking changes: - Migrate from python-jose to PyJWT for JWT handling - numpy downgraded to 1.26.4 for pykrx compatibility Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-07 11:12:16 +09:00			`import jwt`
			`from jwt.exceptions import PyJWTError`
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00
			`from app.core.config import get_settings`

			`settings = get_settings()`


feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`def sha256_hash(password: str) -> str:`
			`"""SHA-256 hash a raw password (matches client-side hashing)."""`
			`return hashlib.sha256(password.encode()).hexdigest()`
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00

feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`def verify_password(sha256_password: str, hashed_password: str) -> bool:`
			`"""Verify a SHA-256 hashed password against its bcrypt hash."""`
fix: remove passlib dependency and fix FastAPI deprecation warnings - Replace passlib with direct bcrypt usage to eliminate the 'module bcrypt has no attribute __about__' warning - Change Query(regex=) to Query(pattern=) per FastAPI deprecation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:34:32 +09:00			`return bcrypt.checkpw(`
			`sha256_password.encode(), hashed_password.encode()`
			`)`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00

			`def get_password_hash(raw_password: str) -> str:`
			`"""Hash a raw password: SHA-256 then bcrypt."""`
fix: remove passlib dependency and fix FastAPI deprecation warnings - Replace passlib with direct bcrypt usage to eliminate the 'module bcrypt has no attribute __about__' warning - Change Query(regex=) to Query(pattern=) per FastAPI deprecation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:34:32 +09:00			`return bcrypt.hashpw(`
			`sha256_hash(raw_password).encode(), bcrypt.gensalt()`
			`).decode()`
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00

			`def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:`
			`"""Create a JWT access token."""`
			`to_encode = data.copy()`
			`if expires_delta:`
			`expire = datetime.now(timezone.utc) + expires_delta`
			`else:`
			`expire = datetime.now(timezone.utc) + timedelta(`
			`minutes=settings.access_token_expire_minutes`
			`)`
			`to_encode.update({"exp": expire})`
			`encoded_jwt = jwt.encode(`
			`to_encode, settings.jwt_secret, algorithm=settings.jwt_algorithm`
			`)`
			`return encoded_jwt`


			`def decode_access_token(token: str) -> Optional[dict]:`
			`"""Decode and verify a JWT access token."""`
			`try:`
			`payload = jwt.decode(`
			`token, settings.jwt_secret, algorithms=[settings.jwt_algorithm]`
			`)`
			`return payload`
chore: upgrade dependencies to latest compatible versions - Node.js: 22 → 24 (Active LTS) - PostgreSQL: 15 → 18 - FastAPI: 0.115.6 → 0.128.2 - Uvicorn: 0.34.0 → 0.40.0 - SQLAlchemy: 2.0.36 → 2.0.46 - Alembic: 1.14.0 → 1.18.3 - Pydantic: 2.10.4 → 2.12.5 - pandas: 2.2.3 → 2.3.3 - pykrx: 1.0.45 → 1.2.3 - React: 19.2.3 → 19.2.4 Breaking changes: - Migrate from python-jose to PyJWT for JWT handling - numpy downgraded to 1.26.4 for pykrx compatibility Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-07 11:12:16 +09:00			`except PyJWTError:`
feat: add core configuration, database, and security modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:11:27 +09:00			`return None`