""" Security utilities for BookBeach application """ from datetime import datetime, timedelta from typing import Optional, Any import secrets import random import string from passlib.context import CryptContext from jose import JWTError, jwt from fastapi import HTTPException, status from app.core.config import settings # Password hashing pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str: """Create JWT access token""" to_encode = data.copy() if expires_delta: expire = datetime.utcnow() + expires_delta else: expire = datetime.utcnow() + timedelta( minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES ) to_encode.update({"exp": expire}) encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) return encoded_jwt def create_refresh_token(data: dict) -> str: """Create JWT refresh token""" to_encode = data.copy() expire = datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS) to_encode.update({"exp": expire, "type": "refresh"}) encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM) return encoded_jwt def verify_token(token: str) -> dict: """Verify and decode JWT token""" try: payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM]) return payload except JWTError: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Could not validate credentials", headers={"WWW-Authenticate": "Bearer"}, ) def verify_password(plain_password: str, hashed_password: str) -> bool: """Verify password against hash""" return pwd_context.verify(plain_password, hashed_password) def get_password_hash(password: str) -> str: """Hash password""" return pwd_context.hash(password) def generate_verification_code(length: int = 6) -> str: """Generate random verification code""" return ''.join(random.choices(string.digits, k=length)) def generate_random_string(length: int = 32) -> str: """Generate random string for tokens""" return secrets.token_urlsafe(length) def validate_password_strength(password: str) -> tuple[bool, str]: """ Validate password strength Returns: (is_valid, error_message) """ if len(password) < 8: return False, "Password must be at least 8 characters long" if not any(c.isupper() for c in password): return False, "Password must contain at least one uppercase letter" if not any(c.islower() for c in password): return False, "Password must contain at least one lowercase letter" if not any(c.isdigit() for c in password): return False, "Password must contain at least one number" special_chars = "!@#$%^&*()_+-=[]{}|;:,.<>?" if not any(c in special_chars for c in password): return False, "Password must contain at least one special character" return True, "" def generate_secure_password(length: int = 12) -> str: """Generate secure random password""" if length < 8: length = 8 # Ensure at least one character from each category lower = random.choice(string.ascii_lowercase) upper = random.choice(string.ascii_uppercase) digit = random.choice(string.digits) special = random.choice("!@#$%^&*") # Fill the rest randomly all_chars = string.ascii_letters + string.digits + "!@#$%^&*" remaining = ''.join(random.choices(all_chars, k=length - 4)) # Combine and shuffle password = lower + upper + digit + special + remaining password_list = list(password) random.shuffle(password_list) return ''.join(password_list)