uaiU TdZddlmZddlmZmZddlZdZd deded ed e fd Z d Z dS)u app/middleware/auth.py ====================== Middleware autenticazione - decorator per proteggere endpoints. Responsabilità: - Estrarre JWT token da header Authorization - Validare token con AuthService - Passare tenant_id e user_id alla route - Gestire errori autenticazione wraps)requestjsonifyNc<tfd}|S)aG Decorator per proteggere endpoint con JWT. Come usarlo: @app.route('/api/v1/protected') @require_auth def protected_route(tenant_id, user_id): return {'tenant': tenant_id, 'user': user_id} Flow: 1. Client invia: Authorization: Bearer 2. Decorator estrae token da header 3. Valida token con auth_service 4. Se valido: passa tenant_id e user_id a route 5. Se invalido: ritorna 401 Unauthorized Nota: auth_service DEVE essere disponibile in flask.g (vedi app.__init__.py per setup) ctjd}|stddddfS|}t |dks |ddkrtd d d d dfS|d } ddlm}|d}|stddddfS||\}}|rt|dddfS|d} |d} |d} | stddddfS || | | d|S#t$r.} tdt| dddfcYd} ~ Sd} ~ wwxYw)N AuthorizationzMissing authorization header MISSING_AUTH)errorcodeirBearerz#Invalid authorization header formatINVALID_AUTH_FORMATzAuthorization: Bearer )r r expectedg auth_servicezAuth service not initializedAUTH_SERVICE_ERRORi INVALID_TOKEN tenant_iduser_idruolozToken missing tenant_idINVALID_TOKEN_PAYLOAD)rrrzAuthentication error: AUTH_ERROR) rheadersgetrsplitlenflaskrvalidate_token Exceptionstr)argskwargs auth_headerpartstokenrrpayloadr rrrefs @/var/www/enigma.pooltech.it/enigma_inventario/middleware_auth.pydecorated_functionz(require_auth..decorated_function&slo))/::  7&  !!## u::??eAh(22>-;   a'       5500L ;0   *88??NGU "+    K00Ikk),,GKK((E 63  1di++#)++ +   :#a&&::$       s10E9-E'AE< E F#E;5F;Frr+r-s` r, require_authr/s7( 1XX????X?B HS256r( jwt_secret jwt_algorithmreturnc tj|||g}|d|ddfS#tj$rYdStj$r}dddt |fcYd}~Sd}~wwxYw)a Utility: estrai tenant_id da token senza usare decorator. Utile per logica non-Flask (es. background jobs). Args: token (str): JWT token jwt_secret (str): Secret key jwt_algorithm (str): Algoritmo JWT Returns: tuple: (tenant_id, user_id, error) Esempio: >>> tenant_id, user_id, error = get_tenant_from_token(token, 'secret') >>> if not error: ... print(f"Token for tenant {tenant_id}, user {user_id}") ) algorithmsrrN)NNz Token expiredzInvalid token: )jwtdecoderExpiredSignatureErrorInvalidTokenErrorr#)r(r2r3r)r*s r,get_tenant_from_tokenr;ks&6*UJM?KKK{{;''Y)?)?EE  $+++***  666T5SVV5555555556s$AABB%A?9B?Bc<tfd}|S)z Decorator opzionale: se token presente, valida. Se assente, lascia passare con tenant_id=None. Utile per endpoint pubblici che possono avere user loggato. Nota: Meno usato, ma utile per future feature. ctjd}d}d}|r|}t |dkr||ddkrp ddlm}|d}|rJ||d\}} | s*|d}|d }n#YnxYw |||d |S) Nr r rrrrrrr)rr)rrrrrr rr!) r$r%r&rrr'rrr)r r+s r,r-z)optional_auth..decorated_functionso))/::    %%''E5zzQ58x#7#7 ''''''#$55#8#8L#=)5)D)DU1X)N)N$=(/ K(@(@I&-kk)&<&s; 1XXHHHHXH* r0)r1) __doc__ functoolsrr rrr7r/r#tupler;r>r0r,rCs  """""""" VVVr666#6c6X]66668r0