Files
romm/backend/endpoints/user.py
Michael Manganiello b1ba322408 fix: Use request body for user creation and update endpoints
Stop using query parameters for user creation and update endpoints in
the API. Instead, use the request body to pass user data.

This change stops leaking sensitive information like passwords in the
URL.

Fixes #2010
2025-06-25 00:44:05 -03:00

380 lines
12 KiB
Python

import os
from pathlib import Path
from typing import Annotated, Any
from anyio import open_file
from config import ASSETS_BASE_PATH
from decorators.auth import protected_route
from endpoints.forms.identity import UserForm
from endpoints.responses import MessageResponse
from endpoints.responses.identity import InviteLinkSchema, UserSchema
from fastapi import Body, Form, HTTPException, Request, status
from handler.auth import auth_handler
from handler.auth.constants import Scope
from handler.database import db_user_handler
from handler.filesystem import fs_asset_handler
from handler.metadata import meta_ra_handler
from logger.logger import log
from models.user import Role, User
from utils.router import APIRouter
router = APIRouter(
prefix="/users",
tags=["users"],
)
@protected_route(
router.post,
"",
[],
status_code=status.HTTP_201_CREATED,
)
def add_user(
request: Request,
username: str = Body(..., embed=True),
email: str = Body(..., embed=True),
password: str = Body(..., embed=True),
role: str = Body(..., embed=True),
) -> UserSchema:
"""Create user endpoint
Args:
request (Request): Fastapi Requests object
username (str): User username
password (str): User password
email (str): User email
role (str): RomM Role object represented as string
Returns:
UserSchema: Newly created user
"""
# If there are admin users already, enforce the USERS_WRITE scope.
if (
Scope.USERS_WRITE not in request.auth.scopes
and len(db_user_handler.get_admin_users()) > 0
):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Forbidden",
)
if db_user_handler.get_user_by_username(username):
msg = f"Username {username} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
if email and db_user_handler.get_user_by_email(email):
msg = f"User with email {email} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
user = User(
username=username.lower(),
hashed_password=auth_handler.get_password_hash(password),
email=email.lower() or None,
role=Role[role.upper()],
)
return UserSchema.model_validate(db_user_handler.add_user(user))
@protected_route(
router.post,
"/invite-link",
[],
status_code=status.HTTP_201_CREATED,
)
def create_invite_link(request: Request, role: str) -> InviteLinkSchema:
"""Create an invite link for a user.
Args:
request (Request): FastAPI Request object
role (str): The role of the user
Returns:
InviteLinkSchema: Invite link
"""
if (
Scope.USERS_WRITE not in request.auth.scopes
and len(db_user_handler.get_admin_users()) > 0
):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Forbidden",
)
if role not in [r.value for r in Role]:
msg = f"Role {role} is not valid"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
token = auth_handler.generate_invite_link_token(request.user, role=role)
return InviteLinkSchema.model_validate({"token": token})
@router.post("/register", status_code=status.HTTP_201_CREATED)
def create_user_from_invite(
username: str = Body(..., embed=True),
email: str = Body(..., embed=True),
password: str = Body(..., embed=True),
token: str = Body(..., embed=True),
) -> UserSchema:
"""Create user endpoint with invite link
Args:
username (str): User username
email (str): User email
password (str): User password
token (str): Invite link token
Returns:
UserSchema: Newly created user
"""
jti, role = auth_handler.verify_invite_link_token(token)
if db_user_handler.get_user_by_username(username):
msg = f"Username {username} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
if email and db_user_handler.get_user_by_email(email):
msg = f"User with email {email} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
user = User(
username=username.lower(),
hashed_password=auth_handler.get_password_hash(password),
email=email.lower() or None,
role=Role[role.upper()],
)
created_user = db_user_handler.add_user(user)
auth_handler.invalidate_invite_link_token(jti)
return UserSchema.model_validate(created_user)
@protected_route(router.get, "", [Scope.USERS_READ])
def get_users(request: Request) -> list[UserSchema]:
"""Get all users endpoint
Args:
request (Request): Fastapi Request object
Returns:
list[UserSchema]: All users stored in the RomM's database
"""
return [UserSchema.model_validate(u) for u in db_user_handler.get_users()]
@protected_route(router.get, "/me", [Scope.ME_READ])
def get_current_user(request: Request) -> UserSchema | None:
"""Get current user endpoint
Args:
request (Request): Fastapi Request object
Returns:
UserSchema | None: Current user
"""
return request.user
@protected_route(router.get, "/{id}", [Scope.USERS_READ])
def get_user(request: Request, id: int) -> UserSchema:
"""Get user endpoint
Args:
request (Request): Fastapi Request object
Returns:
UserSchem: User stored in the RomM's database
"""
user = db_user_handler.get_user(id)
if not user:
raise HTTPException(status_code=404, detail="User not found")
return UserSchema.model_validate(user)
@protected_route(router.put, "/{id}", [Scope.ME_WRITE])
async def update_user(
request: Request, id: int, form_data: Annotated[UserForm, Form()]
) -> UserSchema:
"""Update user endpoint
Args:
request (Request): Fastapi Requests object
user_id (int): User internal id
form_data (Annotated[UserUpdateForm, Depends): Form Data with user updated info
Raises:
HTTPException: User is not found in database
HTTPException: Username already in use by another user
Returns:
UserSchema: Updated user info
"""
db_user = db_user_handler.get_user(id)
if not db_user:
msg = f"Username with id {id} not found"
log.error(msg)
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=msg)
# Admin users can edit any user, while other users can only edit self
if db_user.id != request.user.id and request.user.role != Role.ADMIN:
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Forbidden")
cleaned_data: dict[str, Any] = {}
if form_data.username and form_data.username != db_user.username:
if db_user_handler.get_user_by_username(form_data.username):
msg = f"Username {form_data.username} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
cleaned_data["username"] = form_data.username.lower()
if form_data.password:
cleaned_data["hashed_password"] = auth_handler.get_password_hash(
form_data.password
)
if form_data.email is not None and form_data.email != db_user.email:
if form_data.email and db_user_handler.get_user_by_email(form_data.email):
msg = f"User with email {form_data.email} already exists"
log.error(msg)
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=msg,
)
cleaned_data["email"] = form_data.email.lower() or None
# You can't change your own role
if form_data.role and request.user.id != id:
cleaned_data["role"] = Role[form_data.role.upper()] # type: ignore[assignment]
# You can't disable yourself
if form_data.enabled is not None and request.user.id != id:
cleaned_data["enabled"] = form_data.enabled # type: ignore[assignment]
if form_data.ra_username:
cleaned_data["ra_username"] = form_data.ra_username # type: ignore[assignment]
if form_data.avatar is not None:
user_avatar_path = fs_asset_handler.build_avatar_path(user=db_user)
# Extract the file extension from the uploaded file
file_extension = os.path.splitext(form_data.avatar.filename)[1]
# Set the file name to "avatar" with the original extension
file_location = f"{user_avatar_path}/avatar{file_extension}"
cleaned_data["avatar_path"] = file_location
Path(f"{ASSETS_BASE_PATH}/{user_avatar_path}").mkdir(
parents=True, exist_ok=True
)
async with await open_file(
f"{ASSETS_BASE_PATH}/{file_location}", "wb+"
) as file_object:
await file_object.write(form_data.avatar.file.read())
if cleaned_data:
db_user_handler.update_user(id, cleaned_data)
# Log out the current user if username or password changed
creds_updated = cleaned_data.get("username") or cleaned_data.get(
"hashed_password"
)
if request.user.id == id and creds_updated:
request.session.clear()
db_user = db_user_handler.get_user(id)
if not db_user:
msg = f"Username with id {id} not found"
log.error(msg)
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=msg)
return UserSchema.model_validate(db_user)
@protected_route(router.delete, "/{id}", [Scope.USERS_WRITE])
def delete_user(request: Request, id: int) -> MessageResponse:
"""Delete user endpoint
Args:
request (Request): Fastapi Request object
user_id (int): User internal id
Raises:
HTTPException: User is not found in database
HTTPException: User deleting itself
HTTPException: User is the last admin user
Returns:
MessageResponse: Standard message response
"""
user = db_user_handler.get_user(id)
if not user:
raise HTTPException(status_code=404, detail="User not found")
# You can't delete the user you're logged in as
if request.user.id == id:
raise HTTPException(status_code=400, detail="You cannot delete yourself")
# You can't delete the last admin user
if user.role == Role.ADMIN and len(db_user_handler.get_admin_users()) == 1:
raise HTTPException(
status_code=400, detail="You cannot delete the last admin user"
)
db_user_handler.delete_user(id)
return {"msg": "User successfully deleted"}
@protected_route(router.post, "/{id}/ra/refresh", [Scope.ME_WRITE])
async def refresh_retro_achievements(request: Request, id: int) -> MessageResponse:
user = db_user_handler.get_user(id)
if user and user.ra_username:
user_progression = await meta_ra_handler.get_user_progression(user.ra_username)
db_user_handler.update_user(
id,
{
"ra_progression": user_progression,
},
)
return {"msg": "RetroAchievements successfully refreshed"}
else:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="User does not have a RetroAchievements username set",
)