Implement user authentication and permissions

2025-03-13 16:34:41 +00:00 · 2025-03-13 16:34:41 +00:00 · ac8303378a
commit ac8303378a
parent 5e9d90ed0b
26 changed files with 1182 additions and 172 deletions
--- a/app/routers/transaction_v1.py
+++ b/app/routers/transaction_v1.py
@ -1,14 +1,18 @@
 from fastapi import APIRouter, Depends, HTTPException
-from fastapi.params import Security
+from sqlalchemy import select
 from sqlalchemy.orm import Session

 from ocpp.v201.call import RequestStopTransaction

 from app.ocpp_proto import chargepoint_manager
-from app.security import get_api_key
+from app.schemas.auth_token import AccessToken
 from app.database import get_db
+from app.schemas.meter_value import MeterValue
 from app.schemas.transaction import Transaction, RemoteTransactionStartStopResponse, TransactionStatus, RemoteTransactionStartStopStatus
 from app.models.transaction import Transaction as DbTransaction
+from app.models.meter_value import MeterValue as DbMeterValue
+from app.schemas.user import Role
+from app.security.jwt_bearer import JWTBearer

 router = APIRouter(
    prefix="/transactions",
@ -19,31 +23,61 @@ router = APIRouter(
 async def get_transactions(
    skip: int = 0,
    limit: int = 20,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    return db.query(DbTransaction).offset(skip).limit(limit).all()
+    stmt = select(DbTransaction)
+    if (token.role != Role.ADMINISTRATOR):
+        stmt = stmt.where(DbTransaction.user_id == token.subject)
+    stmt = stmt.order_by(DbTransaction.started_at).offset(skip).limit(limit)
+    result = db.execute(stmt)
+    return result.scalars().all()

@router.get(path="/{transaction_id}", response_model=Transaction)
 async def get_transaction(
    transaction_id: str,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    transaction = db.get(DbTransaction, transaction_id)
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
    if transaction == None:
        raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
    return transaction

+@router.get(path="/{transaction_id}/meter-values", response_model=list[MeterValue])
+async def get_transaction_meter_values(
+    transaction_id: str,
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
+):
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
+    if transaction == None:
+        raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
+    stmt = select(DbMeterValue).where(DbMeterValue.transaction_id == transaction_id).order_by(DbMeterValue.timestamp)
+    result = db.execute(stmt)
+    return result.scalars().all()
+
@router.post(path="/{transaction_id}/remote-stop", response_model=RemoteTransactionStartStopResponse)
 async def remote_stop_transaction(
    transaction_id: str,
-    api_key: str = Security(get_api_key),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    token: AccessToken = Depends(JWTBearer()),
 ):
-    transaction = db.get(DbTransaction, transaction_id)
+    stmt = select(DbTransaction).where(DbTransaction.id == transaction_id)
+    result = db.execute(stmt)
+    transaction = result.scalars().first()
    if transaction == None:
        raise HTTPException(404, "Transaction not found")
+    if token.role != Role.ADMINISTRATOR & transaction.user_id != token.subject:
+        raise HTTPException(404, "Transaction not found")
    if transaction.status != TransactionStatus.ONGOING:
        raise HTTPException(status_code=422, detail=[{
            "loc": ["path", "transaction_id"],
@ -51,7 +85,7 @@ async def remote_stop_transaction(
            "type": "invalid_transaction_state" 
        }])
    if chargepoint_manager.is_connected(transaction.chargepoint_id) == False:
-        raise HTTPException(status_code=503, detail="Chargepoint not connected.")
+        raise HTTPException(status_code=503, detail="chargepoint_offline")
    try:
        result = await chargepoint_manager.call(
            transaction.chargepoint_id,
@ -63,4 +97,4 @@ async def remote_stop_transaction(
            raise HTTPException(status_code=500, detail=result.status)
        return RemoteTransactionStartStopResponse(status=result.status)
    except TimeoutError:
-        raise HTTPException(status_code=503, detail="Chargepoint didn't respond in time.")
+        raise HTTPException(status_code=503, detail="chargepoint_operation_timeout")