Major changes:
- Add Keycloak integration via token introspection endpoint
- Implement RBAC system with roles: admin, user, guest
- Add role-based permissions for post operations
- Add pagination support (default limit: 10) to list endpoints
- Add published_only filter with admin-only override for unpublished posts

Security improvements:
- Remove hardcoded default secrets (SECRET_KEY, KEYCLOAK_CLIENT_SECRET)
- Update .env.example with proper security placeholders
- Add comprehensive RBAC unit tests

Infrastructure:
- Add httpx dependency for HTTP client
- Add KeycloakAuthClient with token caching (TTL: 60s)
- Add role-based dependencies (RequireAdmin, RequireUser, etc.)
- Update DI container with Keycloak provider

Endpoints updated:
- GET /posts: filter by published status (admin can see all)
- Add pagination params (limit, offset) to list endpoints
- Enforce RBAC on post operations

Tests:
- Add 16 auth infrastructure tests
- Add 13 RBAC role tests
- Update existing tests for new required settings

Breaking changes:
- SECRET_KEY and KEYCLOAK_CLIENT_SECRET now required (no defaults)
35 lines
820 B
Python
"""Keycloak authentication models."""
|
|
|
|
from dataclasses import dataclass, field
|
|
from typing import Any
|
|
|
|
|
|
@dataclass(frozen=True)
|
|
class TokenInfo:
|
|
"""Information about validated token from Keycloak."""
|
|
|
|
active: bool
|
|
user_id: str = ""
|
|
username: str = ""
|
|
email: str = ""
|
|
roles: list[str] = field(default_factory=list)
|
|
raw_claims: dict[str, Any] = field(default_factory=dict, repr=False)
|
|
|
|
@property
|
|
def is_valid(self) -> bool:
|
|
"""Check if token is valid and active."""
|
|
return self.active and bool(self.user_id)
|
|
|
|
|
|
@dataclass(frozen=True)
|
|
class KeycloakUser:
|
|
"""User information from Keycloak."""
|
|
|
|
id: str
|
|
username: str
|
|
email: str
|
|
first_name: str = ""
|
|
last_name: str = ""
|
|
roles: list[str] = field(default_factory=list)
|
|
is_active: bool = True
|
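The commit message describes validating tokens through Keycloak's introspection endpoint and feeding the result into TokenInfo. The following is an added example, not code from this commit, showing how an RFC 7662 introspection response maps onto that model; it redefines TokenInfo so it runs stand-alone, and it assumes the usual Keycloak claim layout (realm roles under realm_access.roles, client roles under resource_access.<client_id>.roles), which this page does not show.

```python
from dataclasses import dataclass, field
from typing import Any


@dataclass(frozen=True)
class TokenInfo:
    # Mirrors the model above; repeated here only so the example is self-contained.
    active: bool
    user_id: str = ""
    username: str = ""
    email: str = ""
    roles: list[str] = field(default_factory=list)
    raw_claims: dict[str, Any] = field(default_factory=dict, repr=False)

    @property
    def is_valid(self) -> bool:
        return self.active and bool(self.user_id)


def token_info_from_introspection(claims: dict[str, Any], client_id: str = "") -> TokenInfo:
    """Map an introspection response body to TokenInfo.

    Assumption (Keycloak convention, not stated on the page): realm roles live in
    realm_access.roles and client roles in resource_access.<client_id>.roles.
    """
    if not claims.get("active", False):
        # Per RFC 7662 an inactive token yields {"active": false} and nothing else;
        # no other field in that response may be trusted, so none is copied.
        return TokenInfo(active=False, raw_claims=claims)
    roles = list(claims.get("realm_access", {}).get("roles", []))
    if client_id:
        roles += claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return TokenInfo(
        active=True,
        user_id=str(claims.get("sub", "")),
        username=str(claims.get("preferred_username", "")),
        email=str(claims.get("email", "")),
        roles=sorted(set(roles)),
        raw_claims=claims,
    )


# Constructed sample responses (not captured from a real Keycloak instance).
ACTIVE_RESPONSE: dict[str, Any] = {
    "active": True, "sub": "f1a2b3c4-0000-0000-0000-000000000001",
    "preferred_username": "alice", "email": "alice@example.test",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"blog-api": {"roles": ["admin", "user"]}},
}
INACTIVE_RESPONSE: dict[str, Any] = {"active": False}
```

The `active` but subject-less case is the one `is_valid` exists for: it is treated as unauthenticated rather than as a user with an empty id.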