feat(auth): implement Keycloak authentication with RBAC and pagination

Major changes: - Add Keycloak integration via token introspection endpoint - Implement RBAC system with roles: admin, user, guest - Add role-based permissions for post operations - Add pagination support (default limit: 10) to list endpoints - Add published_only filter with admin-only override for unpublished posts Security improvements: - Remove hardcoded default secrets (SECRET_KEY, KEYCLOAK_CLIENT_SECRET) - Update .env.example with proper security placeholders - Add comprehensive RBAC unit tests Infrastructure: - Add httpx dependency for HTTP client - Add KeycloakAuthClient with token caching (TTL: 60s) - Add role-based dependencies (RequireAdmin, RequireUser, etc.) - Update DI container with Keycloak provider Endpoints updated: - GET /posts: filter by published status (admin can see all) - Add pagination params (limit, offset) to list endpoints - Enforce RBAC on post operations Tests: - Add 16 auth infrastructure tests - Add 13 RBAC role tests - Update existing tests for new required settings Breaking changes: - SECRET_KEY and KEYCLOAK_CLIENT_SECRET now required (no defaults)
2026-05-02 00:43:10 +03:00
parent ddab62a883
commit 184b95969c
20 changed files with 1461 additions and 99 deletions
--- a/app/infrastructure/repositories/post.py
+++ b/app/infrastructure/repositories/post.py
@@ -105,27 +105,50 @@ class SQLAlchemyPostRepository(PostRepository):
        orm = result.scalar_one_or_none()
        return self._to_domain(orm) if orm else None

-    async def get_by_author(self, author_id: str) -> list[Post]:
+    async def get_by_author(
+        self,
+        author_id: str,
+        limit: int | None = None,
+        offset: int | None = None,
+    ) -> list[Post]:
        """Get posts by author."""
-        result = await self._session.execute(
-            select(PostORM).where(PostORM.author_id == author_id)
-        )
+        query = select(PostORM).where(PostORM.author_id == author_id)
+        if limit is not None:
+            query = query.limit(limit)
+        if offset is not None:
+            query = query.offset(offset)
+        result = await self._session.execute(query)
        orms = result.scalars().all()
        return [self._to_domain(orm) for orm in orms]

-    async def get_published(self) -> list[Post]:
+    async def get_published(
+        self,
+        limit: int | None = None,
+        offset: int | None = None,
+    ) -> list[Post]:
        """Get published posts."""
-        result = await self._session.execute(
-            select(PostORM).where(PostORM.published.is_(True))
-        )
+        query = select(PostORM).where(PostORM.published.is_(True))
+        if limit is not None:
+            query = query.limit(limit)
+        if offset is not None:
+            query = query.offset(offset)
+        result = await self._session.execute(query)
        orms = result.scalars().all()
        return [self._to_domain(orm) for orm in orms]

-    async def get_by_tag(self, tag: str) -> list[Post]:
+    async def get_by_tag(
+        self,
+        tag: str,
+        limit: int | None = None,
+        offset: int | None = None,
+    ) -> list[Post]:
        """Get posts by tag."""
-        result = await self._session.execute(
-            select(PostORM).where(PostORM.tags.contains([tag]))
-        )
+        query = select(PostORM).where(PostORM.tags.contains([tag]))
+        if limit is not None:
+            query = query.limit(limit)
+        if offset is not None:
+            query = query.offset(offset)
+        result = await self._session.execute(query)
        orms = result.scalars().all()
        return [self._to_domain(orm) for orm in orms]

@@ -136,16 +159,24 @@ class SQLAlchemyPostRepository(PostRepository):
        )
        return result.scalar_one_or_none() is not None

-    async def search(self, query: str) -> list[Post]:
+    async def search(
+        self,
+        query: str,
+        limit: int | None = None,
+        offset: int | None = None,
+    ) -> list[Post]:
        """Search posts."""
        search_pattern = f"%{query}%"
-        result = await self._session.execute(
-            select(PostORM).where(
-                or_(
-                    PostORM.title.ilike(search_pattern),
-                    PostORM.content.ilike(search_pattern),
-                )
+        stmt = select(PostORM).where(
+            or_(
+                PostORM.title.ilike(search_pattern),
+                PostORM.content.ilike(search_pattern),
            )
        )
+        if limit is not None:
+            stmt = stmt.limit(limit)
+        if offset is not None:
+            stmt = stmt.offset(offset)
+        result = await self._session.execute(stmt)
        orms = result.scalars().all()
        return [self._to_domain(orm) for orm in orms]