galaxis-po/backend/app/api/deps.py

"""
API dependencies.
"""
from typing import Annotated, Optional

from fastapi import Cookie, Depends, HTTPException, Request, status
from fastapi.security import OAuth2PasswordBearer
from sqlalchemy.orm import Session

from app.core.database import get_db
from app.core.security import decode_access_token
from app.models.user import User

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=False)


async def get_current_user(
    request: Request,
    db: Annotated[Session, Depends(get_db)],
    bearer_token: Annotated[Optional[str], Depends(oauth2_scheme)] = None,
) -> User:
    """Get the current authenticated user.

    Token extraction order: httpOnly cookie first, then Authorization header fallback.
    """
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )

    # Cookie first, then Authorization header fallback
    token = request.cookies.get("access_token") or bearer_token
    if token is None:
        raise credentials_exception

    payload = decode_access_token(token)
    if payload is None:
        raise credentials_exception

    username: str = payload.get("sub")
    if username is None:
        raise credentials_exception

    user = db.query(User).filter(User.username == username).first()
    if user is None:
        raise credentials_exception

    return user


CurrentUser = Annotated[User, Depends(get_current_user)]
DbSession = Annotated[Session, Depends(get_db)]
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`"""`
			`API dependencies.`
			`"""`
security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`from typing import Annotated, Optional`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00
security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`from fastapi import Cookie, Depends, HTTPException, Request, status`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`from fastapi.security import OAuth2PasswordBearer`
			`from sqlalchemy.orm import Session`

			`from app.core.database import get_db`
			`from app.core.security import decode_access_token`
			`from app.models.user import User`

security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login", auto_error=False)`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00

			`async def get_current_user(`
security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`request: Request,`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`db: Annotated[Session, Depends(get_db)],`
security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`bearer_token: Annotated[Optional[str], Depends(oauth2_scheme)] = None,`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`) -> User:`
security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`"""Get the current authenticated user.`

			`Token extraction order: httpOnly cookie first, then Authorization header fallback.`
			`"""`
feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`credentials_exception = HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Could not validate credentials",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

security: migrate JWT from localStorage to httpOnly cookie Eliminates XSS token theft by storing JWT in httpOnly Secure cookie instead of localStorage. Backend sets cookie on login and clears on logout. Token extraction uses cookie-first with Authorization header fallback for backward compatibility with existing tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-18 22:30:47 +09:00			`# Cookie first, then Authorization header fallback`
			`token = request.cookies.get("access_token") or bearer_token`
			`if token is None:`
			`raise credentials_exception`

feat: add authentication API with login, register, and user endpoints Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 23:20:32 +09:00			`payload = decode_access_token(token)`
			`if payload is None:`
			`raise credentials_exception`

			`username: str = payload.get("sub")`
			`if username is None:`
			`raise credentials_exception`

			`user = db.query(User).filter(User.username == username).first()`
			`if user is None:`
			`raise credentials_exception`

			`return user`


			`CurrentUser = Annotated[User, Depends(get_current_user)]`
			`DbSession = Annotated[Session, Depends(get_db)]`