Authentication & Authorization

Core authentication and authorization dependencies for FastAPI.

class Authenticate

Bases: object

Provides FastAPI dependency factories for authentication and authorization.

async classmethod get_current_user_for_refresh(token: str) -> UserAuth

Authenticate the user using the refresh token.

Beyond validating the token itself, this dependency rejects refresh tokens whose jti has been blacklisted (revoked) and users who are no longer active. It is used exclusively by the token refresh endpoint; the access-token path (get_current_user) does not perform the blacklist check.

Parameters:
  • token (str) – The refresh token extracted from the cookie.

  • users_service (UserService) – Dependency for user service operations.

Returns:

The authenticated user, with the refresh token's jti attached for use by the refresh endpoint.

Return type:

UserAuth

Raises:

UnauthorizedException – If the token is invalid, blacklisted, or the user is inactive (HTTP 401).

async classmethod get_current_user(token: str) -> UserAuth

Authenticate the user using the access token.

Parameters:
  • token (str) – The access token extracted from the cookie.

  • users_service (UserService) – Dependency for user service operations.

Returns:

The authenticated user.

Return type:

UserAuth

classmethod get_current_active_user() -> Callable[[UserAuth], Awaitable[UserAuth]]

Dependency factory to ensure the user is active.

It chains with get_current_user to perform both authentication and basic authorization (account status check).

Returns:

A FastAPI dependency function.

Return type:

Callable

Raises:

UnauthorizedException – If the user is found but not active (HTTP 401).

classmethod superuser_required() -> Callable[[UserAuth], Awaitable[UserAuth]]

Dependency factory requiring superuser privileges.

It chains with get_current_active_user and performs the final authorization check.

Returns:

A FastAPI dependency function.

Return type:

Callable

Raises:

PermissionDeniedException – If the user is not a superuser (HTTP 403).

classmethod trainer_required() -> Callable[[UserAuth], Awaitable[UserAuth]]

Dependency factory requiring the Fitness Trainer role.

It chains with get_current_active_user and performs the final role check.

Returns:

A FastAPI dependency function.

Return type:

Callable

Raises:

PermissionDeniedException – If the user does not have the required role (HTTP 403).
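The three factories above form one chain: get_current_user authenticates, get_current_active_user adds the account-status check (401), and superuser_required / trainer_required add a privilege check (403) on top of that. The following is an added, framework-free example of that chain, not the project's code; UserAuth field names (is_active, is_superuser, roles), the exception class names and the "trainer" role string are assumptions, and role_required() generalises trainer_required() to any role name. In a real FastAPI app the inner `_dep` functions would receive `user` via `Depends(...)` rather than as a plain argument.

```python
"""Chained auth dependencies (added example; the names below are assumptions)."""
import asyncio
from dataclasses import dataclass, field
from typing import Awaitable, Callable


@dataclass(frozen=True)
class UserAuth:
    """Stand-in for the project's UserAuth schema; field names are assumed."""
    id: str
    is_active: bool
    is_superuser: bool = False
    roles: frozenset = field(default_factory=frozenset)


class UnauthorizedException(Exception):
    status_code = 401  # authentication / account-status failures


class PermissionDeniedException(Exception):
    status_code = 403  # authorization failures for an authenticated, active user


Dependency = Callable[[UserAuth], Awaitable[UserAuth]]


def get_current_active_user() -> Dependency:
    """Factory: reject inactive accounts with 401 before any privilege check runs."""
    async def _dep(user: UserAuth) -> UserAuth:
        # In FastAPI `user` would come from Depends(Authenticate.get_current_user).
        if not user.is_active:
            raise UnauthorizedException("inactive user")
        return user
    return _dep


def superuser_required() -> Dependency:
    """Factory: active-user check first, then the superuser flag."""
    active = get_current_active_user()

    async def _dep(user: UserAuth) -> UserAuth:
        user = await active(user)  # 401 wins over 403: authenticate, then authorize
        if not user.is_superuser:
            raise PermissionDeniedException("superuser required")
        return user
    return _dep


def role_required(role: str) -> Dependency:
    """Generalises trainer_required() to any role name."""
    active = get_current_active_user()

    async def _dep(user: UserAuth) -> UserAuth:
        user = await active(user)
        if role not in user.roles:
            raise PermissionDeniedException(f"role {role!r} required")
        return user
    return _dep


def trainer_required() -> Dependency:
    return role_required("trainer")  # role name assumed for the example


def outcome(dep: Dependency, user: UserAuth) -> int:
    """Run one dependency and report the HTTP status it would yield (200 on success)."""
    try:
        asyncio.run(dep(user))
        return 200
    except (UnauthorizedException, PermissionDeniedException) as exc:
        return exc.status_code


if __name__ == "__main__":
    alice = UserAuth("alice", is_active=True, roles=frozenset({"trainer"}))
    print(outcome(trainer_required(), alice), outcome(superuser_required(), alice))
```

The ordering inside each inner function is the point: a deactivated superuser gets 401, not 403, because the account-status check runs before the privilege check, so an inactive account never learns whether it would otherwise have been authorized.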

classmethod get_refresh_jti(token: str) -> tuple[str, float]

Extract the JWT ID (jti) and expiration (exp) from a refresh token.

Parameters:

token (str) – The refresh token string from the cookie.

Returns:

The jti claim and the exp claim (Unix timestamp). Returning exp alongside jti lets a blacklist entry for the token be given a lifetime no longer than the token's own remaining validity.

Return type:

tuple[str, float]
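The refresh path described by get_current_user_for_refresh and get_refresh_jti (verify the token, extract jti and exp, reject a blacklisted jti or an inactive user, and blacklist the old jti only until its exp) is shown below as an added example that is not the project's code. It uses only the standard library: a minimal HS256 JWT codec stands in for a JWT library, an in-memory dict stands in for the Valkey blacklist, and the claim names, the "type": "refresh" marker, the user store layout and the exception class name are all assumptions.

```python
"""Refresh-token verification with a JTI blacklist (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional


class UnauthorizedException(Exception):
    """Stands in for the project's HTTP 401 exception (name assumed)."""
    status_code = 401


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder; a real service would use a JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify signature and expiry; every failure is a 401."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise UnauthorizedException("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise UnauthorizedException("malformed token") from None
    # Pin the algorithm server-side; never dispatch on the token's own "alg".
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise UnauthorizedException("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise UnauthorizedException("bad signature")
    try:  # only parse claims after the signature is known to be good
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        raise UnauthorizedException("malformed claims") from None
    if not isinstance(payload, dict) or float(payload.get("exp", 0)) <= now:
        raise UnauthorizedException("token expired")
    return payload


def issue_refresh_token(user_id: str, secret: bytes, ttl: float = 7 * 24 * 3600,
                        now: Optional[float] = None) -> str:
    """Issue a refresh token with a fresh jti so it can be revoked individually."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "jti": uuid.uuid4().hex, "exp": now + ttl, "type": "refresh"}
    return encode_jwt(claims, secret)


def verify_refresh_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    payload = decode_jwt(token, secret, now)
    if payload.get("type") != "refresh" or "jti" not in payload or "sub" not in payload:
        raise UnauthorizedException("not a refresh token")
    return payload


def get_refresh_jti(token: str, secret: bytes, now: Optional[float] = None) -> tuple:
    """Return (jti, exp) of a verified refresh token, as Authenticate.get_refresh_jti does."""
    payload = verify_refresh_token(token, secret, now)
    return payload["jti"], float(payload["exp"])


class JtiBlacklist:
    """In-memory stand-in for the Valkey blacklist (constructed for this example)."""

    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp

    def add(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp  # entry is useless after the token expires anyway

    def contains(self, jti: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        exp = self._revoked.get(jti)
        if exp is None:
            return False
        if exp <= now:  # lazy eviction; Valkey would do this via a key TTL
            del self._revoked[jti]
            return False
        return True


def refresh(token: str, secret: bytes, blacklist: JtiBlacklist, users: dict,
            now: Optional[float] = None) -> tuple:
    """Refresh-endpoint logic: verify, reject revoked or inactive, then rotate."""
    now = time.time() if now is None else now
    payload = verify_refresh_token(token, secret, now)
    jti, exp = payload["jti"], float(payload["exp"])
    if blacklist.contains(jti, now):
        raise UnauthorizedException("refresh token has been revoked")
    user = users.get(payload["sub"])
    if user is None or not user.get("is_active", False):
        raise UnauthorizedException("user not found or inactive")
    blacklist.add(jti, exp)  # the presented token can never be replayed
    return payload["sub"], issue_refresh_token(payload["sub"], secret, now=now)


def outcome(fn) -> int:
    """Call fn and return 200, or the status code of the UnauthorizedException it raised."""
    try:
        fn()
        return 200
    except UnauthorizedException as exc:
        return exc.status_code
```

Two details carry the security value here: the signature is verified before any claim is parsed or trusted, and the blacklist entry is bounded by the token's exp, so revocation data cannot accumulate without limit while a revoked token is still rejected for as long as it would otherwise be valid.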

Internal Data Loading & Cache

async classmethod Authenticate._get_user_from_payload(users_service: app.domain.users.services.UserService, token_payload: TokenPayloadBase) -> UserAuth

Load UserAuth schema from the database using the JWT ‘sub’ claim.

The result of this function is aggressively cached to reduce database load.

Parameters:
  • users_service (UserService) – Dependency for user service operations.

  • token_payload (TokenPayloadBase) – The decoded token data.

Returns:

The authenticated user.

Return type:

UserAuth

Raises:

UnauthorizedException – If the user is not found (HTTP 401).

Note

Cache Strategy: This method is aggressively cached using Valkey to minimize database pressure. Because the cached UserAuth is what every later request sees, consistency depends on automatic invalidation hooks triggered by:

  • Password updates.

  • Role changes.

  • Administrative (CRUD) modifications to user records.

Any code path that changes a user's active status, password or roles without passing through one of these hooks leaves stale authentication data in the cache until the entry is evicted, so new write paths to user records must also invalidate.