Initial commit: AegisSight-Monitor (OSINT-Monitoringsystem)

2026-03-04 17:53:18 +01:00
Commit 8312d24912
--- a/src/auth.py
+++ b/src/auth.py
@@ -0,0 +1,106 @@
+"""JWT-Authentifizierung mit Magic-Link-Support und Multi-Tenancy."""
+import secrets
+import string
+from datetime import datetime, timedelta, timezone
+from jose import jwt, JWTError
+import bcrypt as _bcrypt
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from config import JWT_SECRET, JWT_ALGORITHM, JWT_EXPIRE_HOURS, MAGIC_LINK_EXPIRE_MINUTES
+
+security = HTTPBearer()
+
+
+def hash_password(password: str) -> str:
+    """Passwort hashen mit bcrypt."""
+    return _bcrypt.hashpw(password.encode("utf-8"), _bcrypt.gensalt()).decode("utf-8")
+
+
+def verify_password(password: str, password_hash: str) -> bool:
+    """Passwort gegen Hash pruefen."""
+    return _bcrypt.checkpw(password.encode("utf-8"), password_hash.encode("utf-8"))
+
+
+JWT_ISSUER = "intelsight-osint"
+JWT_AUDIENCE = "intelsight-osint"
+
+
+def create_token(
+    user_id: int,
+    username: str,
+    email: str,
+    role: str = "member",
+    tenant_id: int = None,
+    org_slug: str = None,
+) -> str:
+    """JWT-Token erstellen mit Tenant-Kontext."""
+    now = datetime.now(timezone.utc)
+    expire = now + timedelta(hours=JWT_EXPIRE_HOURS)
+    payload = {
+        "sub": str(user_id),
+        "username": username,
+        "email": email,
+        "role": role,
+        "tenant_id": tenant_id,
+        "org_slug": org_slug,
+        "iss": JWT_ISSUER,
+        "aud": JWT_AUDIENCE,
+        "iat": now,
+        "exp": expire,
+    }
+    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
+
+
+def decode_token(token: str) -> dict:
+    """JWT-Token dekodieren und validieren."""
+    try:
+        payload = jwt.decode(
+            token,
+            JWT_SECRET,
+            algorithms=[JWT_ALGORITHM],
+            issuer=JWT_ISSUER,
+            audience=JWT_AUDIENCE,
+        )
+        return payload
+    except JWTError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token ungueltig oder abgelaufen",
+        )
+
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+) -> dict:
+    """FastAPI Dependency: Aktuellen Nutzer aus Token extrahieren."""
+    payload = decode_token(credentials.credentials)
+    return {
+        "id": int(payload["sub"]),
+        "username": payload["username"],
+        "email": payload.get("email", ""),
+        "role": payload.get("role", "member"),
+        "tenant_id": payload.get("tenant_id"),
+        "org_slug": payload.get("org_slug"),
+    }
+
+
+async def require_org_member(
+    current_user: dict = Depends(get_current_user),
+) -> dict:
+    """FastAPI Dependency: Erfordert Org-Mitgliedschaft."""
+    if not current_user.get("tenant_id"):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Keine Organisation zugeordnet",
+        )
+    return current_user
+
+
+def generate_magic_token() -> str:
+    """Generiert einen 64-Zeichen URL-safe Token."""
+    return secrets.token_urlsafe(48)
+
+
+def generate_magic_code() -> str:
+    """Generiert einen 6-stelligen numerischen Code."""
+    return ''.join(secrets.choice(string.digits) for _ in range(6))