o l‰ÃiLã@sˆddlZddlZddlZddlmZmZddlmZddlmZm Z ddl Z ddl Z e   e ¡ZGdd„dƒZdd„Zd d „Zd d „ZdS) éN)ÚdatetimeÚ timedelta©Úwraps)ÚrequestÚjsonifyc@s*eZdZdd„Zdd„Zedd„ƒZdd„Zd d „Zd d „Z ed d„ƒZ dd„Z dEdd„Z dFdd„Z dd„ZdGdd„ZdHdd„Zdd„ZdId d!„Zd"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zd,d-„ZdJd.d/„Zd0d1„ZdKd3d4„Zd5d6„Zed7d8„ƒZdId9d:„ZdJd;d<„Zd=d>„Z d?d@„Z!dAdB„Z"dCdD„Z#dS)LÚ AuthHandlerc Csž||_| d¡t| dd¡ƒ| d¡| d¡| d¡tjjdœ|_| dd ¡|_d |_d |_ z|  ¡WdSt yN}z t   d |¡WYd}~dSd}~ww) NÚDB_HOSTÚDB_PORTiê ÚDB_USERÚ DB_PASSWORDÚDB_NAME)ÚhostÚportÚuserÚpasswordÚdatabaseÚ cursorclassÚ SECRET_KEYz)your-secret-key-here-change-in-productionÚHS256ézDCould not ensure embed tables at startup (DB may be unreachable): %s)ÚconfigÚgetÚintÚpymysqlÚcursorsÚ DictCursorÚ db_configÚ jwt_secretÚ jwt_algorithmÚjwt_expiration_daysÚensure_embed_tablesÚ ExceptionÚloggerÚwarning)ÚselfrÚe©r'ú)/var/www/html/pca-backend/auth_handler.pyÚ__init__s"ú €ÿzAuthHandler.__init__cCstjdi|j¤ŽS)zGet database connectionNr')rÚconnectr)r%r'r'r(Úget_connection!szAuthHandler.get_connectioncCsd| dd¡›dS)Nú`z``)Úreplace)Ú identifierr'r'r(Ú_quote_identifier%szAuthHandler._quote_identifiercCs| d||f¡| ¡duS)NzSELECT 1 FROM information_schema.tables WHERE table_schema = %s AND table_name = %s LIMIT 1©ÚexecuteÚfetchone)r%ÚcursorÚschemaÚ table_namer'r'r(Ú _table_exists)s û zAuthHandler._table_existscCs\d|›}| d||f¡| ¡}|r|dS| d|d|›f¡| ¡}|r,|dSdS)NÚ7987_zSELECT table_name AS name FROM information_schema.tables WHERE table_schema = %s AND table_name = %s LIMIT 1Únamez³SELECT table_name AS name FROM information_schema.tables WHERE table_schema = %s AND table_name LIKE %s ORDER BY table_name LIMIT 1z%_r0)r%r3r4ÚsuffixÚ preferredÚrowr'r'r(Ú_find_template_table3s û úz AuthHandler._find_template_tablecCs t ¡}t | d¡|¡ d¡S)zHash a password using bcryptúutf-8)ÚbcryptÚgensaltÚhashpwÚencodeÚdecode)r%rÚsaltr'r'r(Ú hash_passwordKszAuthHandler.hash_passwordcCs,|rt|tƒs dS| d¡sdSt|ƒdkS)NF)z$2a$z$2b$z$2y$é2)Ú isinstanceÚstrÚ startswithÚlen)Ú password_hashr'r'r(Ú_looks_like_bcrypt_hashPs   z#AuthHandler._looks_like_bcrypt_hashcCs>| |¡sdSz t | d¡| d¡¡WStyYdSw)z"Verify a password against its hashFr=)rKr>ÚcheckpwrAÚ ValueError)r%rrJr'r'r(Úverify_passwordYs  þzAuthHandler.verify_passwordNc Cs–| ¡}zAz| ¡}| d||||||f¡| ¡Wnty7} zt dt| ƒ›¡WYd} ~ n d} ~ wwW| ¡dSW| ¡dS| ¡w)zLog user activityz¥INSERT INTO user_activity_log (user_id, username, activity_type, description, ip_address, user_agent) VALUES (%s, %s, %s, %s, %s, %s)zError logging activity: N) r+r3r1Úcommitr"r#ÚerrorrGÚclose) r%Úuser_idÚusernameÚ activity_typeÚ descriptionÚ ip_addressÚ user_agentÚconnr3r&r'r'r(Ú log_activitycs ü  €ÿÿ þzAuthHandler.log_activityFc Cs@|||||t ¡t|jdt ¡dœ}tj||j|jd}|S)z=Generate a JWT token with user info and accessible businesses)Údays)rRrSÚemailÚ businessesÚ is_masterÚexpÚiat©Ú algorithm)rÚutcnowrr ÚjwtrArr)r%rRrSr[r\r]ÚpayloadÚtokenr'r'r(Úgenerate_jwt_tokentsù zAuthHandler.generate_jwt_tokencCsHztj||j|jgd}|WStjyYdStjy#YdSw)zDecode and validate a JWT token©Ú algorithmsN)rcrBrrÚExpiredSignatureErrorÚInvalidTokenError©r%rerdr'r'r(Údecode_jwt_token‚sÿzAuthHandler.decode_jwt_tokenrc Cs.| ¡}zz_| ¡}t|pdƒ ¡ ¡}|dvr$ddidfWW| ¡S| d||f¡| ¡r|| d¡pI| d¡pId | d ¡| d ¡| d ¡rXd nd dœ ¡q|dfWW| ¡St y} zt   dt| ƒ›¡dt| ƒidfWYd} ~ W| ¡Sd} ~ ww| ¡w)z0Get users assigned to a specific business (bid).a SELECT bu.id, bu.username, bu.email, bu.full_name, bu.role, bu.is_master, bu.is_active, uba.role AS business_role FROM user_business_access uba JOIN business_users bu ON bu.id = uba.user_id WHERE uba.bid = %s AND bu.is_active = TRUE ORDER BY bu.created_at DESC rzÚrSrrr[Ú business_rolersrr]Ú is_activeÚActiveÚInactive) rrrSr[rzr8rsr]r›Ústatusr‚z!Error getting users by business: rPruN) r+r3r1rGr…rrvÚappendrQr"r#rP) r%rrXr3r—Ú normalizedÚurzrSr&r'r'r(Úget_users_by_businessÇs@ï ö ü €ü z!AuthHandler.get_users_by_businessc Cs„t|ƒ}| ¡}g}z1z¯| ¡}| d|f¡| ¡r(ddidfWW| ¡S|jd}gd¢}i} |D] } | ||| ¡} | sQdd| ›idfWW| ¡S| | | <q5|D]"} |›d | ›} | ||| ¡rzdd | ›d idfWW| ¡SqX|D]#} |›d | ›} | | } | d |  | ¡›d |  | ¡›¡|  | ¡q}| d|||f¡|  ¡|||dœdfWW| ¡St j yÔ| ¡ddidfYW| ¡Sty<} z\| ¡t dt| ƒ›¡|r%z| ¡}|D] } | d|  | ¡›¡qô|  ¡Wnty$}zt dt|ƒ›¡WYd}~nd}~wwdt| ƒidfWYd} ~ W| ¡Sd} ~ ww| ¡w)z)Create a new business (master admin only)r|rPzBusiness ID already existsrqr)Ú raw_callsÚsarvamresponseÚ callanalyticszNo template table found for ruÚ_zTable z already existsz CREATE TABLE z LIKE zdINSERT INTO businesses (bid, name, description, is_active) VALUES (%s, %s, %s, TRUE))rr8rUrtzError creating business: zDROP TABLE IF EXISTS zError cleaning up tables: N)rGr+r3r1r2rQrr<r6r/rŸrOrÚIntegrityErrorryr"r#rP)r%rr8rUrXÚcreated_tablesr3r4ÚsuffixesÚ templatesr9Útemplater5r&Úcleanup_cursorÚ cleanup_errorr'r'r(Úcreate_businessúsŠ 9 É 0 Ñ *Õÿÿ ýýü î ñÿ  €ÿ €ñ zAuthHandler.create_businessc Cs–| ¡}zAz| ¡}| d¡| ¡}|dfWW| ¡StyE}zt dt|ƒ›¡dt|ƒidfWYd}~W| ¡Sd}~ww| ¡w)zGet all businesseszrSELECT bid, name, description, is_active, created_at FROM businesses ORDER BY namer‚zError getting businesses: rPruNr„)r%rXr3r\r&r'r'r(Úget_all_businesses@s ÿ  ü €ü zAuthHandler.get_all_businessesédc CsÞ| ¡}zez;| ¡}d}g}|r|d7}| |¡|r$|d7}| |¡|d7}| |¡| ||¡| ¡}|dfWW| ¡Styi} zt dt | ƒ›¡dt | ƒidfWYd } ~ W| ¡Sd } ~ ww| ¡w) zGet activity log entriesaASELECT al.id, al.user_id, al.username, al.activity_type, al.description, al.ip_address, al.user_agent, al.created_at, bu.email, bu.full_name FROM user_activity_log al LEFT JOIN business_users bu ON al.user_id = bu.id WHERE 1=1z AND al.user_id = %sz AND al.activity_type = %sz% ORDER BY al.created_at DESC LIMIT %sr‚zError getting activity log: rPruN) r+r3rŸr1r…rQr"r#rPrG) r%ÚlimitrRrTrXr3ÚqueryÚparamsÚlogsr&r'r'r(Úget_activity_logRs0      ü €ü zAuthHandler.get_activity_logc Cs’| ¡}z?z| ¡}| d¡| ¡t d¡Wnty5}zt dt|ƒ›¡WYd}~n d}~wwW|  ¡dSW|  ¡dS|  ¡w)z/Create embed_api_keys table if it doesn't existaô CREATE TABLE IF NOT EXISTS embed_api_keys ( id INT AUTO_INCREMENT PRIMARY KEY, api_key VARCHAR(64) UNIQUE NOT NULL, bid VARCHAR(20) NOT NULL, partner_name VARCHAR(100) NOT NULL, allowed_origins TEXT DEFAULT NULL, is_active TINYINT(1) DEFAULT 1, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, expires_at TIMESTAMP NULL DEFAULT NULL, last_used_at TIMESTAMP NULL DEFAULT NULL, INDEX idx_api_key (api_key), INDEX idx_bid (bid) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci zembed_api_keys table ensuredzError ensuring embed tables: N) r+r3r1rOr#Úinfor"rPrGrQ)r%rXr3r&r'r'r(r!zs  €ÿÿ þzAuthHandler.ensure_embed_tablescCsdt d¡S)z*Generate a unique API key for embed accessÚ sk_embed_é)ÚsecretsÚ token_hexr'r'r'r(Úgenerate_api_key•szAuthHandler.generate_api_keyc Csü| ¡}ztzF| ¡}| d|f¡| ¡s!ddidfWW| ¡S| ¡}| d|||||f¡| ¡|j|||||r@t|ƒnddœdfWW| ¡St yx}z!|  ¡t   d t|ƒ›¡dt|ƒid fWYd}~W| ¡Sd}~ww| ¡w) z)Create a new embed API key for a businessr|rPr}r~zINSERT INTO embed_api_keys (api_key, bid, partner_name, allowed_origins, expires_at) VALUES (%s, %s, %s, %s, %s)N)rrÚapi_keyrÚ partner_nameÚallowed_originsÚ expires_atrtzError creating embed API key: ru) r+r3r1r2rQr»rOrxrGr"ryr#rP) r%rr½r¾r¿rXr3r¼r&r'r'r(Úcreate_embed_api_keyšs> è üúù û €û z AuthHandler.create_embed_api_keyc CsÖ| ¡}zaz7| ¡}|r| d|f¡n| d¡| ¡}|D]}|d}d|dd…|d<|d=q|dfWW| ¡Stye}zt d t|ƒ›¡d t|ƒid fWYd}~W| ¡Sd}~ww| ¡w) z3List all embed API keys, optionally filtered by bida‡SELECT ek.id, ek.api_key, ek.bid, b.name as business_name, ek.partner_name, ek.allowed_origins, ek.is_active, ek.created_at, ek.expires_at, ek.last_used_at FROM embed_api_keys ek LEFT JOIN businesses b ON ek.bid = b.bid WHERE ek.bid = %s ORDER BY ek.created_at DESCaaSELECT ek.id, ek.api_key, ek.bid, b.name as business_name, ek.partner_name, ek.allowed_origins, ek.is_active, ek.created_at, ek.expires_at, ek.last_used_at FROM embed_api_keys ek LEFT JOIN businesses b ON ek.bid = b.bid ORDER BY ek.created_at DESCr¼z***iøÿÿÿNÚapi_key_maskedr‚zError listing embed API keys: rPrur„)r%rrXr3ÚkeysÚkeyÚfull_keyr&r'r'r(Úlist_embed_api_keys¿s2ø ÿ   ü €ü zAuthHandler.list_embed_api_keysc CsÈ| ¡}zZz,| ¡}| d|f¡| ¡|jdkr&ddidfWW| ¡SddidfWW| ¡Sty^}z!| ¡t  d t |ƒ›¡dt |ƒid fWYd }~W| ¡Sd }~ww| ¡w) z$Revoke (deactivate) an embed API keyz5UPDATE embed_api_keys SET is_active = 0 WHERE id = %srrPzAPI key not foundr~r€zAPI key revoked successfullyr‚zError revoking embed API key: ruNr”)r%Úkey_idrXr3r&r'r'r(Úrevoke_embed_api_keyês*þ  ù û €û z AuthHandler.revoke_embed_api_keyc Csà| ¡}zfzC| ¡}| d||f¡| ¡}|s WW| ¡dS|dr4|dt ¡kr4WW| ¡dS| d|df¡| ¡|WW| ¡Styj}zt   dt |ƒ›¡WYd}~W| ¡dSd}~ww| ¡w)z1Validate an embed API key for a specific businessz¨SELECT id, api_key, bid, partner_name, allowed_origins, expires_at FROM embed_api_keys WHERE api_key = %s AND bid = %s AND is_active = 1Nr¿z.decorated_functionr©ràrár'rßr(Ú require_authHsrãcrÕ)z(Decorator to require master admin accesscs.tj}| d¡stddiƒdfSˆ|i|¤ŽS)Nr]rPzMaster admin access requiredé“)rrÛrr)rÜrÝrrßr'r(ráes z*require_master..decorated_functionrrâr'rßr(Úrequire_mastercsråcrÕ)z=Decorator to ensure user has access to the requested businesscsp| d¡p tj d¡}tj}| d¡rˆ|i|¤ŽSdd„| dg¡Dƒ}||vr1tddiƒdfSˆ|i|¤ŽS) Nrr]cSsg|]}|d‘qS)rr')Ú.0Úbr'r'r(Ú {szGrequire_business_access..decorated_function..r\rPzAccess denied to this businessrä)rrÚ view_argsrÛr)rÜrÝrrÚuser_businessesrßr'r(ráps z3require_business_access..decorated_functionrrâr'rßr(Úrequire_business_accessnsrë)rr>rcrrÚ functoolsrrÙrrÚloggingr¹Ú getLoggerrÑr#rrãrårër'r'r'r(Ús&  A