Implement user authentication and permissions

app/cli.py

@@ -0,0 +1,88 @@
+import secrets
+import sys
+import os
+sys.path.append(os.path.join(os.path.dirname(__file__), ".."))
+
+import argparse
+from dotenv import load_dotenv
+
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+from argon2 import PasswordHasher
+
+from app.models import *
+
+load_dotenv()
+
+from app.database import SessionLocal
+
+def __get_user_by_email(db: Session, email: str):
+    stmt = select(user.User).where(user.User.email == email)
+    result = db.execute(stmt)
+    return result.scalars().first()
+
+def create_user(args):
+    hasher = PasswordHasher(memory_cost=102400)
+    with SessionLocal() as db:
+        db_user = __get_user_by_email(db, args.email)
+        if db_user is not None:
+            print(f'Error: A user with email \'{args.email}\' already exists.')
+            sys.exit(1)
+        hashed_password = hasher.hash(args.password)
+        db_user = user.User(
+            friendly_name=args.name, email=args.email, password=hashed_password
+        )
+        db.add(db_user)
+        db.commit()
+        print(f'Success: Created user \'{args.email}\'.')
+
+def reset_password(args):
+    hasher = PasswordHasher(memory_cost=102400)
+    with SessionLocal() as db:
+        db_user = __get_user_by_email(db, args.email)
+        if db_user is None:
+            print(f'Error: No user with email \'{args.email}\' found.')
+            sys.exit(1)
+        db_user.password = hasher.hash(args.password)
+        db.commit()
+        print(f'Success: Changed password for user \'{args.email}\'.')
+
+def set_role(args):
+    with SessionLocal() as db:
+        db_user = __get_user_by_email(db, args.email)
+        if db_user is None:
+            print(f'Error: No user with email \'{args.email}\' found.')
+            sys.exit(1)
+        db_user.role = user.Role(args.role)
+        db.commit()
+        print(f'Success: Role of user \'{args.email}\' changed to \'{db_user.role}\'.')
+
+def generate_secret(args):
+    print(f'Your secret: {secrets.token_urlsafe(64)}')
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    subparsers = parser.add_subparsers(help="subcommands", required=True)
+
+    p_create_user = subparsers.add_parser('user_create', help='Create a new user')
+    p_create_user.add_argument('--email', type=str, required=True, help='Email of the new user')
+    p_create_user.add_argument('--password', type=str, required=True, help='Password for the new user')
+    p_create_user.add_argument('--name', type=str, required=False, help='Display name of the new user')
+    p_create_user.add_argument('--role', type=str, choices=('member', 'administrator'), default='member', required=False, help='Role of the new user')
+    p_create_user.set_defaults(func=create_user)
+
+    p_reset_password = subparsers.add_parser('user_reset_password', help='Reset password for a user')
+    p_reset_password.add_argument('--email', type=str, required=True, help='Email of the user to modify')
+    p_reset_password.add_argument('--password', type=str, required=True, help='New password for the specified user')
+    p_reset_password.set_defaults(func=reset_password)
+
+    p_set_role = subparsers.add_parser('user_set_role', help='Update role of a user')
+    p_set_role.add_argument('--email', type=str, required=True, help='Email of the user to modify')
+    p_set_role.add_argument('--role', type=str, choices=('member', 'administrator'), required=True, help='New role for the specified user')
+    p_set_role.set_defaults(func=set_role)
+
+    p_set_role = subparsers.add_parser('generate_secret', help='Generate safe to use secret for token signing')
+    p_set_role.set_defaults(func=generate_secret)
+
+    args = parser.parse_args()
+    args.func(args)

app/main.py

@@ -1,19 +1,20 @@
 from dotenv import load_dotenv
-from fastapi import FastAPI
-from fastapi.openapi.utils import get_openapi
+from fastapi import APIRouter, FastAPI
 from starlette.middleware.authentication import AuthenticationMiddleware
 
 load_dotenv()
 
 from app.routers import (
+    auth_v1,
     chargepoint_v1,
     id_token_v1,
+    me_v1,
     meter_value_v1,
     ocpp_v1,
     transaction_v1,
     user_v1
 )
-from app.util.websocket_auth_backend import BasicAuthBackend
+from app.security.websocket_auth_backend import BasicAuthBackend
 
 def create_ocpp_app():
     app_ocpp = FastAPI(
@@ -24,30 +25,26 @@ def create_ocpp_app():
     
     return app_ocpp
 
-def custom_openapi():
-    if app.openapi_schema:
-        return app.openapi_schema
-    openapi_schema = get_openapi(
-        title="simple-ocpp-cs",
-        version="0.1.0",
-        summary="Simple implementation of a basic OCPP 2.0.1 compliant central system (backend) for EV charging stations",
-        routes=app.routes,
-    )
-    app.openapi_schema = openapi_schema
-    return app.openapi_schema
-
 def create_app():
     app = FastAPI(
+        title="simple-ocpp-cs",
+        summary="Simple implementation of a basic OCPP 2.0.1 compliant central system (backend) for EV charging stations",
         responses={404: {"description": "Not found"}},
     )
     
-    app.include_router(chargepoint_v1.router, prefix="/v1")
-    app.include_router(id_token_v1.router, prefix="/v1")
-    app.include_router(user_v1.router, prefix="/v1")
-    app.include_router(meter_value_v1.router, prefix="/v1")
-    app.include_router(transaction_v1.router, prefix="/v1")
+    api_v1_router = APIRouter(
+        prefix="/api/v1"
+    )
+    api_v1_router.include_router(auth_v1.router)
+    api_v1_router.include_router(chargepoint_v1.router)
+    api_v1_router.include_router(id_token_v1.router)
+    api_v1_router.include_router(me_v1.router)
+    api_v1_router.include_router(user_v1.router)
+    api_v1_router.include_router(meter_value_v1.router)
+    api_v1_router.include_router(transaction_v1.router)
+
+    app.include_router(api_v1_router)
     app.mount(path="/v1/ocpp", app=create_ocpp_app())
-    app.openapi = custom_openapi
 
     return app
 

app/models/__init__.py

@@ -4,6 +4,7 @@ __all__ = [
     "connector",
     "id_token",
     "meter_value",
+    "session",
     "transaction",
     "user"
 ]

app/models/session.py

@@ -0,0 +1,14 @@
+import uuid
+from sqlalchemy import Column, DateTime, ForeignKey, String, Uuid
+
+from app.database import Base
+
+class Session(Base):
+    __tablename__ = "sessions"
+
+    id = Column(Uuid, primary_key=True, default=uuid.uuid4)
+    name = Column(String)
+    refresh_token = Column(String, unique=True, index=True)
+    last_used = Column(DateTime(timezone=True))
+
+    user_id = Column(Uuid, ForeignKey("users.id"), index=True)

app/models/user.py

@@ -1,15 +1,19 @@
 import uuid
-from sqlalchemy import Uuid, Boolean, Column, String
+from sqlalchemy import Enum, Uuid, Boolean, Column, String
 from sqlalchemy.orm import relationship
 
 from app.database import Base
+from app.schemas.user import Role
 
 class User(Base):
     __tablename__ = "users"
 
     id = Column(Uuid, primary_key=True, default=uuid.uuid4)
-    friendly_name = Column(String, unique=True, index=True)
-    is_active = Column(Boolean, default=True)
+    friendly_name = Column(String, nullable=True)
+    is_active = Column(Boolean, nullable=False, default=True)
+    email = Column(String, nullable=False, unique=True, index=True)
+    password = Column(String, nullable=False)
+    role = Column(Enum(Role), nullable=False, default=Role.MEMBER)
     
     id_tokens = relationship("IdToken", back_populates="owner", cascade="delete, delete-orphan")
     transactions = relationship("Transaction", cascade="delete, delete-orphan")

app/routers/auth_v1.py

@@ -0,0 +1,72 @@
+from uuid import UUID
+from fastapi import APIRouter, HTTPException
+from fastapi.params import Depends
+from sqlalchemy.orm import Session
+
+from app.database import get_db
+from app.schemas.auth_token import (
+    AccessToken,
+    TokenRefreshRequest,
+    TokenResponse,
+)
+from app.schemas.user import LoginRequest
+from app.security.jwt_bearer import JWTBearer
+from app.services import session_service, token_service, user_service
+from app.util.errors import NotFoundError
+
+router = APIRouter(prefix="/auth", tags=["Authentication (v1)"])
+
+@router.post(path="/login", response_model=TokenResponse)
+async def login(
+    login_request: LoginRequest, db: Session = Depends(get_db)
+):
+    """
+    Login to a existing account. Creates a new session and returns a access and refresh token.
+    """
+    user = await user_service.validate_login(
+        db=db, login=login_request
+    )
+    if not user:
+        raise HTTPException(status_code=403, detail="invalid_email_or_password")
+    session = await session_service.create_session(db=db, user=user, useragent="")
+    token, expire = await token_service.create_access_token(
+        user=user, session_id=session.id
+    )
+    return TokenResponse(
+        access_token=token, refresh_token=session.refresh_token, not_after=expire
+    )
+
+
+@router.post(path="/logout", response_model=list[None])
+async def logout(
+    db: Session = Depends(get_db), token: AccessToken = Depends(JWTBearer())
+):
+    """
+    Remove the current session based on the access token, effectively invalidating the current refresh token.
+    """
+    await session_service.remove_session(
+        db=db, id=UUID(token.session), initiator=f"user:{token.subject}"
+    )
+    return list()
+
+@router.post(path="/refresh", response_model=TokenResponse)
+async def refresh_access_token(
+    token_request: TokenRefreshRequest,
+    db: Session = Depends(get_db),
+):
+    """
+    Use an existing refresh token to generate a new access token and a new refresh token.
+    """
+    try:
+        session = await session_service.validate_and_rotate_refresh_token(
+            db=db, refresh_token=token_request.refresh_token
+        )
+        user = await user_service.get_user(db=db, id=session.user_id)
+        token, expire = await token_service.create_access_token(
+            user=user, session_id=session.id
+        )
+        return TokenResponse(
+            access_token=token, refresh_token=session.refresh_token, not_after=expire
+        )
+    except NotFoundError:
+        raise HTTPException(status_code=403, detail="invalid_refresh_token")

app/routers/chargepoint_v1.py

@@ -2,7 +2,7 @@ import random
 import string
 from datetime import datetime, timedelta, UTC
 from uuid import UUID
-from fastapi import APIRouter, HTTPException, Security
+from fastapi import APIRouter, HTTPException
 from fastapi.params import Depends
 from sqlalchemy.orm import Session
 
@@ -10,6 +10,7 @@ from ocpp.v201.call import Reset, SetVariables
 
 from app.database import get_db
 from app.ocpp_proto import chargepoint_manager
+from app.schemas.auth_token import AccessToken
 from app.schemas.chargepoint import (
     ChargePoint,
     ChargePointCreate,
@@ -30,7 +31,7 @@ from app.schemas.chargepoint_variable import (
 from app.models.chargepoint import ChargePoint as DbChargePoint
 from app.models.user import User as DbUser
 from app.models.chargepoint_variable import ChargepointVariable as DbChargepointVariable
-from app.security import get_api_key
+from app.security.jwt_bearer import JWTBearer
 
 router = APIRouter(
     prefix="/chargepoints",
@@ -41,16 +42,16 @@ router = APIRouter(
 async def get_chargepoints(
     skip: int = 0,
     limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    return db.query(DbChargePoint).offset(skip).limit(limit).all()
+    return db.query(DbChargePoint).order_by(DbChargePoint.identity).offset(skip).limit(limit).all()
 
 @router.get(path="/{chargepoint_id}", response_model=ChargePoint)
 async def get_chargepoint(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -60,8 +61,8 @@ async def get_chargepoint(
 @router.get(path="/{chargepoint_id}/password", response_model=ChargePointPassword)
 async def get_chargepoint_password(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -71,8 +72,8 @@ async def get_chargepoint_password(
 @router.delete(path="/{chargepoint_id}/password", response_model=ChargePointPassword)
 async def reset_chargepoint_password(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -84,8 +85,8 @@ async def reset_chargepoint_password(
 @router.post(path="", status_code=201, response_model=ChargePoint)
 async def create_chargepoint(
     chargepoint: ChargePointCreate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint_db = DbChargePoint(
         identity=chargepoint.identity,
@@ -102,8 +103,8 @@ async def create_chargepoint(
 async def update_chargepoint(
     chargepoint_id: UUID,
     chargepoint_update: ChargePointUpdate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -116,8 +117,8 @@ async def update_chargepoint(
 @router.delete(path="/{chargepoint_id}", response_model=None)
 async def delete_chargepoint(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -129,7 +130,7 @@ async def delete_chargepoint(
 @router.get(path="/{chargepoint_id}/status", response_model=ChargePointConnectionInfo)
 async def get_chargepoint_status(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key)
+    token: AccessToken = Depends(JWTBearer()),
 ):
     return ChargePointConnectionInfo(
         connected=chargepoint_manager.is_connected(chargepoint_id)
@@ -139,7 +140,7 @@ async def get_chargepoint_status(
 async def reset_chargepoint(
     chargepoint_id: UUID,
     reset_request: ChargePointResetRequest,
-    api_key: str = Security(get_api_key)
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     if chargepoint_manager.is_connected(chargepoint_id) == False:
         raise HTTPException(status_code=503, detail="Chargepoint not connected.")
@@ -156,8 +157,8 @@ async def reset_chargepoint(
 async def create_id_token_learn_request(
     chargepoint_id: UUID,
     learn_request: IdTokenLearnRequest,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -188,8 +189,8 @@ async def create_id_token_learn_request(
 @router.get(path="/{chargepoint_id}/token-learning", response_model=IdTokenLearnResponse)
 async def get_id_token_learn_request(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -206,8 +207,8 @@ async def get_id_token_learn_request(
 @router.delete(path="/{chargepoint_id}/token-learning", response_model=[])
 async def get_id_token_learn_request(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -225,8 +226,8 @@ async def get_id_token_learn_request(
 @router.get(path="/{chargepoint_id}/variables", response_model=list[ChargepointVariable])
 async def get_chargepoint_variables(
     chargepoint_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:
@@ -239,8 +240,8 @@ async def update_chargepoint_variable(
     chargepoint_id: UUID,
     variable_id: UUID,
     variable_update: ChargepointVariableUpdate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
     chargepoint = db.get(DbChargePoint, chargepoint_id)
     if chargepoint is None:

app/routers/id_token_v1.py

@@ -1,14 +1,16 @@
 from uuid import UUID
-from fastapi import APIRouter, HTTPException, Security
-from fastapi.exceptions import RequestValidationError
+from fastapi import APIRouter, HTTPException
 from fastapi.params import Depends
+from sqlalchemy import select
 from sqlalchemy.orm import Session
 
 from app.database import get_db
+from app.schemas.auth_token import AccessToken
 from app.schemas.id_token import IdToken, IdTokenCreate, IdTokenUpdate
 from app.models.id_token import IdToken as DbIdToken
 from app.models.user import User as DbUser
-from app.security import get_api_key
+from app.schemas.user import Role
+from app.security.jwt_bearer import JWTBearer
 
 router = APIRouter(
     prefix="/id-tokens",
@@ -16,32 +18,43 @@ router = APIRouter(
 )
 
 @router.get(path="", response_model=list[IdToken])
-async def get_it_tokens(
+async def get_id_tokens(
     skip: int = 0,
     limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    return db.query(DbIdToken).offset(skip).limit(limit).all()
+    stmt = select(Session)
+    if token.role != Role.ADMINISTRATOR:
+        stmt = stmt.where(DbIdToken.owner_id == token.subject)
+    stmt = stmt.order_by(DbIdToken.id).offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()
 
 @router.get(path="/{id_token_id}", response_model=IdToken)
 async def get_id_token(
     id_token_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    id_token = db.get(DbIdToken, id_token_id)
+    stmt = select(DbIdToken).where(DbIdToken.id == id_token_id)
+    result = db.execute(stmt)
+    id_token = result.scalars().first()
     if id_token == None:
         raise HTTPException(status_code=404, detail="IdToken not found")
+    if token.role != Role.ADMINISTRATOR & id_token.owner_id != token.subject:
+        raise HTTPException(status_code=404, detail="IdToken not found")
     return id_token
 
 @router.post(path="", status_code=201, response_model=IdToken)
 async def create_id_token(
     create_id_token: IdTokenCreate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    owner = db.get(DbUser, create_id_token.owner_id)
+    stmt = select(DbUser).where(DbUser.id == create_id_token.owner_id)
+    result = db.execute(stmt)
+    owner = result.scalars().first()
     if owner == None:
         raise HTTPException(status_code=422, detail=[{
             "loc": ["body", "owner_id"],
@@ -63,15 +76,19 @@ async def create_id_token(
 async def update_id_token(
     id_token_id: UUID,
     id_token_update: IdTokenUpdate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    id_token = db.get(DbIdToken, id_token_id)
+    stmt = select(DbIdToken).where(DbIdToken.id == id_token_id)
+    result = db.execute(stmt)
+    id_token = result.scalars().first()
     if id_token is None:
         raise HTTPException(status_code=404, detail="IdToken not found")
     for key, value in id_token_update.model_dump(exclude_unset=True).items():
         if key == "owner_id":
-            owner = db.get(DbUser, value)
+            stmt = select(DbUser).where(DbUser.id == id_token_update.owner_id)
+            result = db.execute(stmt)
+            owner = result.scalars().first()
             if owner == None:
                 raise HTTPException(status_code=422, detail=[{
                     "loc": ["body", "owner_id"],
@@ -85,10 +102,12 @@ async def update_id_token(
 @router.delete(path="/{id_token_id}", response_model=None)
 async def delete_id_token(
     id_token_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    id_token = db.get(DbIdToken, id_token_id)
+    stmt = select(DbIdToken).where(DbIdToken.id == id_token_id)
+    result = db.execute(stmt)
+    id_token = result.scalars().first()
     if id_token == None:
         raise HTTPException(status_code=404, detail="IdToken not found")
     db.delete(id_token)

app/routers/me_v1.py

@@ -0,0 +1,111 @@
+from uuid import UUID
+from fastapi import APIRouter, HTTPException
+from fastapi.params import Depends
+from sqlalchemy.orm import Session as DbSession
+
+from app.database import get_db
+from app.schemas.session import Session
+from app.schemas.auth_token import AccessToken
+from app.schemas.user import PasswordUpdate, UserUpdate, User
+from app.security.jwt_bearer import JWTBearer
+from app.services import session_service, user_service
+from app.util.errors import InvalidStateError, NotFoundError
+
+router = APIRouter(prefix="/me", tags=["Me (v1)"])
+
+
+@router.get(path="", response_model=User)
+async def get_myself(
+    db: DbSession = Depends(get_db), token: AccessToken = Depends(JWTBearer())
+):
+    """
+    Get the currently authenticated user.
+    """
+    user = await user_service.get_user(db=db, id=UUID(token.subject))
+    if not user:
+        raise HTTPException(status_code=404, detail="user_not_found")
+    else:
+        return user
+
+
+@router.patch(path="", response_model=User)
+async def update_myself(
+    user_update: UserUpdate,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
+):
+    """
+    Update the currently authenticated user. Changing the email address automatically marks it as not verified
+    and starts a new verification workflow.
+    """
+    try:
+        return await user_service.update_user(
+            db, UUID(token.subject), user_update
+        )
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="user_not_found")
+
+
+@router.post(path="/password", response_model=list[None])
+async def change_password(
+    update: PasswordUpdate,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
+):
+    """
+    Change the password of the currently authenticated user.
+    """
+    try:
+        await user_service.change_user_password(
+            db=db, id=UUID(token.subject), update=update
+        )
+        return list()
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="user_not_found")
+    except InvalidStateError:
+        raise HTTPException(status_code=409, detail="incorrect_password")
+
+
+@router.get(path="/sessions", response_model=list[Session])
+async def get_user_sessions(
+    db: DbSession = Depends(get_db), token: AccessToken = Depends(JWTBearer())
+):
+    """
+    List the active sessions of the currently authenticated user.
+    """
+    return await session_service.get_sessions_by_user(
+        db=db, user_id=UUID(token.subject)
+    )
+
+
+@router.delete(path="/sessions", response_model=list[None])
+async def clear_user_sessions(
+    db: DbSession = Depends(get_db), token: AccessToken = Depends(JWTBearer())
+):
+    """
+    Clear all sessions of the currently authenticated user.
+    """
+    await session_service.remove_all_sessions_for_user(
+        db=db, user_id=UUID(token.subject),
+    )
+    return list()
+
+
+@router.delete(path="/sessions/{session_id}", response_model=list[None])
+async def delete_user_session(
+    session_id: UUID,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
+):
+    """
+    Invalidate a specific session of the currently authenticated user.
+    """
+    try:
+        await session_service.remove_session_for_user(
+            db=db,
+            id=session_id,
+            user_id=UUID(token.subject),
+        )
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="session_not_found")
+    return list()

app/routers/meter_value_v1.py

@@ -1,11 +1,12 @@
 from fastapi import APIRouter, Depends
-from fastapi.params import Security
+from sqlalchemy import select
 from sqlalchemy.orm import Session
 
-from app.security import get_api_key
+from app.schemas.auth_token import AccessToken
 from app.database import get_db
 from app.schemas.meter_value import MeterValue
 from app.models.meter_value import MeterValue as DbMeterValue
+from app.security.jwt_bearer import JWTBearer
 
 router = APIRouter(
     prefix="/meter-values",
@@ -16,7 +17,9 @@ router = APIRouter(
 async def get_meter_values(
     skip: int = 0,
     limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    return db.query(DbMeterValue).offset(skip).limit(limit).all()
+    stmt = select(DbMeterValue).order_by(DbMeterValue.timestamp).offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()

app/routers/transaction_v1.py

@@ -1,14 +1,18 @@
 from fastapi import APIRouter, Depends, HTTPException
-from fastapi.params import Security
+from sqlalchemy import select
 from sqlalchemy.orm import Session
 
 from ocpp.v201.call import RequestStopTransaction
 
 from app.ocpp_proto import chargepoint_manager
-from app.security import get_api_key
+from app.schemas.auth_token import AccessToken
 from app.database import get_db
+from app.schemas.meter_value import MeterValue
 from app.schemas.transaction import Transaction, RemoteTransactionStartStopResponse, TransactionStatus, RemoteTransactionStartStopStatus
 from app.models.transaction import Transaction as DbTransaction
+from app.models.meter_value import MeterValue as DbMeterValue
+from app.schemas.user import Role
+from app.security.jwt_bearer import JWTBearer
 
 router = APIRouter(
     prefix="/transactions",
@@ -19,31 +23,61 @@ router = APIRouter(
 async def get_transactions(
     skip: int = 0,
     limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    return db.query(DbTransaction).offset(skip).limit(limit).all()
+    stmt = select(DbTransaction)
+    if (token.role != Role.ADMINISTRATOR):
+        stmt = stmt.where(DbTransaction.user_id == token.subject)
+    stmt = stmt.order_by(DbTransaction.started_at).offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()
 
 @router.get(path="/{transaction_id}", response_model=Transaction)
 async def get_transaction(
     transaction_id: str,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    transaction = db.get(DbTransaction, transaction_id)
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
     if transaction == None:
         raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
     return transaction
 
+@router.get(path="/{transaction_id}/meter-values", response_model=list[MeterValue])
+async def get_transaction_meter_values(
+    transaction_id: str,
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
+):
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
+    if transaction == None:
+        raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
+    stmt = select(DbMeterValue).where(DbMeterValue.transaction_id == transaction_id).order_by(DbMeterValue.timestamp)
+    result = db.execute(stmt)
+    return result.scalars().all()
+
 @router.post(path="/{transaction_id}/remote-stop", response_model=RemoteTransactionStartStopResponse)
 async def remote_stop_transaction(
     transaction_id: str,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    transaction = db.get(DbTransaction, transaction_id)
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
     if transaction == None:
         raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
     if transaction.status != TransactionStatus.ONGOING:
         raise HTTPException(status_code=422, detail=[{
             "loc": ["path", "transaction_id"],
@@ -51,7 +85,7 @@ async def remote_stop_transaction(
             "type": "invalid_transaction_state" 
         }])
     if chargepoint_manager.is_connected(transaction.chargepoint_id) == False:
-        raise HTTPException(status_code=503, detail="Chargepoint not connected.")
+        raise HTTPException(status_code=503, detail="chargepoint_offline")
     try:
         result = await chargepoint_manager.call(
             transaction.chargepoint_id,
@@ -63,4 +97,4 @@ async def remote_stop_transaction(
             raise HTTPException(status_code=500, detail=result.status)
         return RemoteTransactionStartStopResponse(status=result.status)
     except TimeoutError:
-        raise HTTPException(status_code=503, detail="Chargepoint didn't respond in time.")
+        raise HTTPException(status_code=503, detail="chargepoint_operation_timeout")

app/routers/user_v1.py

@@ -1,12 +1,15 @@
 from uuid import UUID
-from fastapi import APIRouter, HTTPException, Security
+from fastapi import APIRouter, HTTPException
 from fastapi.params import Depends
-from sqlalchemy.orm import Session
+from sqlalchemy.orm import Session as DbSession
 
 from app.database import get_db
+from app.schemas.session import Session
+from app.schemas.auth_token import AccessToken
 from app.schemas.user import User, UserCreate, UserUpdate
-from app.models.user import User as DbUser
-from app.security import get_api_key
+from app.security.jwt_bearer import JWTBearer
+from app.services import session_service, user_service
+from app.util.errors import NotFoundError
 
 router = APIRouter(
     prefix="/users",
@@ -15,63 +18,99 @@ router = APIRouter(
 
 @router.get(path="", response_model=list[User])
 async def get_users(
+    email: str = None,
     skip: int = 0,
     limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    return db.query(DbUser).offset(skip).limit(limit).all()
-
-@router.get(path="/{user_id}", response_model=User)
-async def get_user(
-    user_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
-):
-    user = db.get(DbUser, user_id)
-    if user == None:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user
+    return await user_service.get_users(db, skip, limit, email)
 
 @router.post(path="", status_code=201, response_model=User)
 async def create_user(
     create_user: UserCreate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    db_user = DbUser(
-        friendly_name=create_user.friendly_name,
-        is_active=create_user.is_active
+    user = await user_service.create_user(
+        db=db, user=create_user
     )
-    db.add(db_user)
-    db.commit()
-    db.refresh(db_user)
-    return db_user
+    return user
 
 @router.patch(path="/{user_id}", response_model=User)
 async def update_user(
     user_id: UUID,
     user_update: UserUpdate,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    user = db.get(DbUser, user_id)
-    if user is None:
-        raise HTTPException(status_code=404, detail="User not found")
-    for key, value in user_update.model_dump(exclude_unset=True).items():
-        setattr(user, key, value)
-    db.commit()
-    return user
+    try:
+        return await user_service.update_user(
+            db, user_id, user_update
+        )
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="user_not_found")
 
 @router.delete(path="/{user_id}", response_model=None)
 async def delete_user(
     user_id: UUID,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
 ):
-    user = db.get(DbUser, user_id)
-    if user == None:
-        raise HTTPException(status_code=404, detail="User not found")
-    db.delete(user)
-    db.commit()
-    return []
+    try:
+        await user_service.remove_user(db, user_id)
+        return list()
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="user_not_found")
+
+@router.get(
+    path="/{user_id}/sessions", response_model=list[Session]
+)
+async def get_user_sessions(
+    user_id: UUID,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
+):
+    """
+    Query sessions of the specified user. Requires the "administrator" role.
+    """
+    return await session_service.get_sessions_by_user(db=db, user_id=user_id)
+
+
+@router.delete(
+    path="/{user_id}/sessions", response_model=list[None]
+)
+async def remove_all_user_session(
+    user_id: UUID,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
+):
+    """
+    Delete all sessions of the specified user. Requires the "administrator" role.
+    """
+    await session_service.remove_all_sessions_for_user(
+        db=db, user_id=user_id
+    )
+    return list()
+
+
+@router.delete(
+    path="/{user_id}/sessions/{session_id}",
+    response_model=list[None],
+)
+async def remove_user_session(
+    user_id: UUID,
+    session_id: UUID,
+    db: DbSession = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer(required_roles=["administrator"])),
+):
+    """
+    Delete the specified session of the specified user. Requires the "administrator" role.
+    """
+    try:
+        await session_service.remove_session_for_user(
+            db=db, id=session_id, user_id=user_id
+        )
+    except NotFoundError:
+        raise HTTPException(status_code=404, detail="session_not_found")
+    return list()

app/schemas/auth_token.py

@@ -0,0 +1,21 @@
+from dataclasses import dataclass
+from datetime import datetime
+from pydantic import BaseModel
+
+from app.schemas.user import Role
+
+
+@dataclass
+class AccessToken:
+    subject: str
+    role: Role
+    session: str
+
+class TokenRefreshRequest(BaseModel):
+    refresh_token: str
+
+
+class TokenResponse(BaseModel):
+    access_token: str
+    refresh_token: str
+    not_after: datetime

app/schemas/session.py

@@ -0,0 +1,11 @@
+from datetime import datetime
+from uuid import UUID
+from pydantic import BaseModel
+
+
+class Session(BaseModel):
+    id: UUID
+    name: str
+    last_used: datetime
+
+    model_config = {"from_attributes": True}

app/schemas/user.py

@@ -1,20 +1,39 @@
+import enum
 from typing import Optional
 from uuid import UUID
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr, Field
+
+class Role(enum.StrEnum):
+    MEMBER = "member"
+    ADMINISTRATOR = "administrator"
 
 class UserBase(BaseModel):
+    email: EmailStr = Field(max_length=60)
     friendly_name: str
     is_active: bool
 
 class UserUpdate(BaseModel):
+    email: Optional[str] = None
     friendly_name: Optional[str] = None
+
+class AdministrativeUserUpdate(UserUpdate):
     is_active: Optional[bool] = None
 
 class UserCreate(UserBase):
+    password: str = Field(max_length=100)
     pass
 
 class User(UserBase):
     id: UUID
+    role: Role
 
     class Config:
-        from_attributes = True
+        from_attributes = True
+
+class PasswordUpdate(BaseModel):
+    old_password: str = Field(max_length=100)
+    new_password: str = Field(max_length=100)
+
+class LoginRequest(BaseModel):
+    email: EmailStr = Field(max_length=60)
+    password: str = Field(max_length=100)

app/security.py

@@ -1,34 +0,0 @@
-import os
-from fastapi import HTTPException, Security, status
-from fastapi.security import APIKeyHeader, HTTPBasic
-
-basic_auth = HTTPBasic()
-
-api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
-
-def get_api_key(
-    api_key_header: str = Security(api_key_header),
-) -> str:
-    """Retrieve and validate an API key from the HTTP header.
-
-    Args:
-        api_key_header: The API key passed in the HTTP header.
-
-    Returns:
-        The validated API key.
-
-    Raises:
-        HTTPException: If the API key is invalid or missing.
-    """
-    api_key = os.getenv("CS_API_KEY", "default")
-    if api_key == "default":
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="API key not set. Authentication not possible.",
-        )
-    if api_key_header == api_key:
-        return api_key_header
-    raise HTTPException(
-        status_code=status.HTTP_401_UNAUTHORIZED,
-        detail="Invalid or missing API Key",
-    )

app/security/jwt_bearer.py

@@ -0,0 +1,47 @@
+from typing import Optional
+from fastapi import Request, HTTPException
+from fastapi.params import Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.database import get_db
+from app.services import token_service
+from app.util.errors import InsufficientPermissionsError, InvalidTokenAudienceError
+from app.schemas.auth_token import AccessToken
+
+
+class JWTBearer(HTTPBearer):
+    __required_roles: list[str] | None
+
+    def __init__(
+        self, required_roles: Optional[list[str]] = None, auto_error: bool = True
+    ):
+        self.__required_roles = required_roles
+        super(JWTBearer, self).__init__(auto_error=auto_error)
+
+    async def __call__(
+        self, request: Request, db: AsyncSession = Depends(get_db)
+    ) -> AccessToken:
+        credentials: HTTPAuthorizationCredentials | None = await super(
+            JWTBearer, self
+        ).__call__(request)
+        if credentials:
+            if not credentials.scheme == "Bearer":
+                raise HTTPException(
+                    status_code=403, detail="authentication_scheme_invalid"
+                )
+            try:
+                token = await token_service.verify_access_token(
+                    credentials.credentials, self.__required_roles
+                )
+                if not token:
+                    raise HTTPException(
+                        status_code=403, detail="token_invalid_or_expired"
+                    )
+                return token
+            except InsufficientPermissionsError:
+                raise HTTPException(status_code=403, detail="insufficient_permissions")
+            except InvalidTokenAudienceError:
+                raise HTTPException(status_code=403, detail="invalid_token_audience")
+        else:
+            raise HTTPException(status_code=403, detail="authorization_code_invalid")

app/services/session_service.py

@@ -0,0 +1,83 @@
+from datetime import datetime, UTC
+import secrets
+from uuid import UUID
+from sqlalchemy import select, delete
+from sqlalchemy.orm import Session as SqlaSession
+
+from app.models.session import Session
+from app.models.user import User
+from app.util.errors import NotFoundError
+
+
+async def get_sessions(
+    db: SqlaSession, skip: int = 0, limit: int = 20
+) -> tuple[Session]:
+    stmt = select(Session).offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()
+
+
+async def get_sessions_by_user(db: SqlaSession, user_id: UUID) -> tuple[Session]:
+    stmt = select(Session).where(Session.user_id == user_id)
+    result = db.execute(stmt)
+    return result.scalars().all()
+
+
+async def create_session(db: SqlaSession, user: User, useragent: str) -> Session:
+    session = Session(
+        name=useragent,
+        refresh_token=secrets.token_urlsafe(64),
+        last_used=datetime.now(UTC),
+        user_id=user.id,
+    )
+    db.add(session)
+    db.commit()
+    db.refresh(session)
+    return session
+
+
+async def remove_session(db: SqlaSession, id: UUID):
+    session = db.get(Session, id)
+    if not session:
+        raise NotFoundError
+    db.delete(session)
+    db.commit()
+
+
+async def remove_session_for_user(
+    db: SqlaSession, id: UUID, user_id: UUID
+):
+    stmt = select(Session).where(Session.id == id and Session.user_id == user_id)
+    result = db.execute(stmt)
+    session = result.scalars().first()
+    if not session:
+        raise NotFoundError
+    db.delete(session)
+    db.commit()
+
+
+async def remove_all_sessions_for_user(db: SqlaSession, user_id: UUID):
+    stmt = delete(Session).where(Session.user_id == user_id)
+    db.execute(stmt)
+    db.commit()
+
+
+async def remove_all_sessions(db: SqlaSession):
+    stmt = delete(Session)
+    db.execute(stmt)
+    db.commit()
+
+
+async def validate_and_rotate_refresh_token(
+    db: SqlaSession, refresh_token: str
+) -> Session:
+    stmt = select(Session).where(Session.refresh_token == refresh_token)
+    result = db.execute(stmt)
+    session = result.scalars().first()
+    if not session:
+        raise NotFoundError
+    session.refresh_token = secrets.token_urlsafe(64)
+    session.last_used = datetime.now(UTC)
+
+    db.commit()
+    return session

app/services/token_service.py

@@ -0,0 +1,69 @@
+import json
+import os
+import secrets
+from typing import Optional
+from uuid import UUID
+from jwcrypto import jwt, jwk
+from datetime import datetime, timedelta, UTC
+
+from app.models.user import User
+from app.schemas.auth_token import AccessToken
+from app.schemas.user import Role
+from app.util.errors import InsufficientPermissionsError, InvalidTokenAudienceError
+
+__signing_key = jwk.JWK.from_password(os.getenv("CS_TOKEN_SECRET", secrets.token_urlsafe(64)))
+
+async def __create_token(claims: dict) -> str:
+    default_claims = {
+        "iss": os.getenv("CS_TOKEN_ISSUER", "https://localhost:8000"),
+        "iat": datetime.now(UTC).timestamp(),
+    }
+    header = {"alg": "HS256", "typ": "JWT", "kid": "default"}
+    token = jwt.JWT(header=header, claims=(claims | default_claims))
+    token.make_signed_token(__signing_key)
+    return token.serialize()
+
+
+async def __verify_token(token: str, audience: str) -> dict | None:
+    try:
+        token = jwt.JWT(jwt=token, key=__signing_key)
+        claims = json.loads(token.claims)
+        if claims.get("aud") == audience:
+            return claims
+        else:
+            raise InvalidTokenAudienceError
+    except Exception:
+        return None
+
+
+async def create_access_token(
+    user: User, session_id: UUID
+) -> tuple[str, datetime]:
+    token_lifetime = float(os.getenv("CS_ACCESS_TOKEN_LIFETIME_SECONDS", "300"))
+    exp_time = datetime.now(UTC) + timedelta(seconds=token_lifetime)
+    claims = {
+        "aud": "access",
+        "sub": str(user.id),
+        "exp": exp_time.timestamp(),
+        "session": str(session_id),
+        "role": str(user.role),
+    }
+    return await __create_token(claims=claims), exp_time
+
+async def verify_access_token(
+    token: str, required_roles: Optional[list[str]] = None
+) -> AccessToken | None:
+    try:
+        claims = await __verify_token(token=token, audience="access")
+        if not claims:
+            return None
+        if not required_roles or claims.get("role") in required_roles:
+            return AccessToken(
+                subject=claims.get("sub"),
+                role=Role(claims.get("role")),
+                session=claims.get("session"),
+            )
+        else:
+            raise InsufficientPermissionsError
+    except InvalidTokenAudienceError:
+        pass

app/services/user_service.py

@@ -0,0 +1,111 @@
+from uuid import UUID
+import uuid
+
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+from argon2 import PasswordHasher
+from argon2.exceptions import VerifyMismatchError
+
+from app.models.user import User
+from app.schemas.user import (
+    UserCreate,
+    UserUpdate,
+    AdministrativeUserUpdate,
+    PasswordUpdate,
+    LoginRequest,
+)
+from app.util.errors import InvalidStateError, NotFoundError
+
+hasher = PasswordHasher(memory_cost=102400)
+
+async def get_user(db: Session, id: UUID):
+    return db.get(User, id)
+
+
+async def get_user_by_email(db: Session, email: str):
+    stmt = select(User).where(User.email == email)
+    result = db.execute(stmt)
+    return result.scalars().first()
+
+
+async def get_users(
+    db: Session, skip: int = 0, limit: int = 20, email: str = None
+):
+    stmt = select(User)
+    if email is not None:
+        stmt = stmt.where(User.email.like(email))
+    stmt = stmt.offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()
+
+
+async def create_user(db: Session, user: UserCreate) -> User:
+    if await get_user_by_email(db=db, email=user.email):
+        raise InvalidStateError
+    hashed_password = hasher.hash(user.password)
+    db_user = User(
+        friendly_name=user.friendly_name, email=user.email, password=hashed_password
+    )
+    db.add(db_user)
+    db.commit()
+    db.refresh(db_user)
+    return db_user
+
+
+async def update_user(
+    db: Session,
+    id: UUID,
+    update: UserUpdate | AdministrativeUserUpdate,
+) -> User:
+    db_user = await get_user(db, id)
+    if db_user is None:
+        raise NotFoundError
+
+    changed_attributes = dict()
+    for key, value in update.model_dump(exclude_unset=True).items():
+        changed_attributes[key] = {"old": getattr(db_user, key), "new": value}
+        setattr(db_user, key, value)
+    db.commit()
+    return db_user
+
+
+async def change_user_password(db: Session, id: UUID, update: PasswordUpdate):
+    db_user = await get_user(db, id)
+    if db_user is None:
+        raise NotFoundError
+    try:
+        hasher.verify(hash=db_user.password, password=update.old_password)
+        db_user.password = hasher.hash(update.new_password)
+        db.commit()
+    except VerifyMismatchError:
+        raise InvalidStateError
+
+
+async def remove_user(db: Session, id: UUID):
+    db_user = await get_user(db, id)
+    if db_user is None:
+        raise NotFoundError
+    db.delete(db_user)
+    db.commit()
+
+
+async def validate_login(db: Session, login: LoginRequest) -> User | None:
+    stmt = select(User).where(User.email == login.email)
+    result = db.execute(stmt)
+    db_user = result.scalars().first()
+    if db_user is None:
+        db.commit()
+        return None
+    try:
+        hasher.verify(hash=db_user.password, password=login.password)
+        if hasher.check_needs_rehash(db_user.password):
+            db_user.password = hasher.hash(login.password)
+        if db_user.is_active:
+            db.commit()
+            return db_user
+        else:
+            db.commit()
+            return None
+    except VerifyMismatchError:
+        db.commit()
+        return None

app/util/errors.py

@@ -0,0 +1,14 @@
+class NotFoundError(Exception):
+    pass
+
+
+class InvalidStateError(Exception):
+    pass
+
+
+class InsufficientPermissionsError(Exception):
+    pass
+
+
+class InvalidTokenAudienceError(Exception):
+    pass