close dangerous api methods under api auth (#78)

* close dangerous api methods under api auth * rename access_token method
2025-12-16 21:20:39 +03:00 · 2024-01-07 20:06:02 +03:00
parent 8266342214
commit de55d873f9
12 changed files with 210 additions and 18 deletions
--- a/bot_microservice/infra/admin.py
+++ b/bot_microservice/infra/admin.py
@@ -1,8 +1,11 @@
 from typing import TYPE_CHECKING

 from sqladmin import Admin, ModelView
+from sqlalchemy import Select, desc, select
+from sqlalchemy.orm import contains_eager, load_only
+from starlette.requests import Request

-from core.auth.models.users import User
+from core.auth.models.users import AccessToken, User, UserQuestionCount
 from core.bot.models.chatgpt import ChatGptModels
 from core.utils import build_uri
 from settings.config import settings
@@ -36,10 +39,34 @@ class UserAdmin(ModelView, model=User):
        "question_count",
        User.created_at,
    ]
-    column_sortable_list = [User.created_at]
+
    column_default_sort = ("created_at", True)
    form_widget_args = {"created_at": {"readonly": True}}

+    def list_query(self, request: Request) -> Select[tuple[User]]:
+        return (
+            select(User)
+            .options(
+                load_only(
+                    User.id,
+                    User.username,
+                    User.first_name,
+                    User.last_name,
+                    User.is_active,
+                    User.created_at,
+                )
+            )
+            .outerjoin(User.user_question_count)
+            .options(contains_eager(User.user_question_count).options(load_only(UserQuestionCount.question_count)))
+        ).order_by(desc(UserQuestionCount.question_count))
+
+
+class AccessTokenAdmin(ModelView, model=AccessToken):
+    name = "API access token"
+    name_plural = "API access tokens"
+    column_list = [AccessToken.user_id, "username", AccessToken.token, AccessToken.created_at]
+    form_widget_args = {"created_at": {"readonly": True}}
+

 def create_admin(application: "Application") -> Admin:
    admin = Admin(
@@ -51,4 +78,5 @@ def create_admin(application: "Application") -> Admin:
    )
    admin.add_view(ChatGptAdmin)
    admin.add_view(UserAdmin)
+    admin.add_view(AccessTokenAdmin)
    return admin
--- a/bot_microservice/infra/database/migrations/versions/0002_create_auth_tables.py
+++ b/bot_microservice/infra/database/migrations/versions/0002_create_auth_tables.py
@@ -10,9 +10,8 @@ from datetime import datetime
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy import TIMESTAMP
-from sqlalchemy.dialects.sqlite import insert

-from core.auth.models.users import User
+from core.auth.models.users import AccessToken, User
 from core.auth.utils import create_password_hash
 from infra.database.deps import get_sync_session
 from settings.config import settings
@@ -58,8 +57,14 @@ def upgrade() -> None:
        return
    with get_sync_session() as session:
        hashed_password = create_password_hash(password.get_secret_value())
-        query = insert(User).values({"username": username, "hashed_password": hashed_password})
-        session.execute(query)
+        user = User(username=username, hashed_password=hashed_password)
+        session.add(user)
+        session.flush()
+        session.refresh(user)
+
+        access_token = AccessToken(user_id=user.id)
+        session.add(access_token)
+
        session.commit()