chelsea
d4adbde3df
- Fix TIME object vs string comparison in scheduler preventing adaptive med reminders from ever firing (#12, #6) - Add frequency filtering to midnight schedule creation for every_n_days meds - Require start_date and interval_days for every_n_days medications - Add refresh token support (30-day) to API and bot for persistent sessions (#13) - Add "trusted device" checkbox to frontend login for long-lived sessions (#7) - Auto-refresh expired tokens in both bot (apiRequest) and frontend (api.ts) - Restore bot sessions from cache on restart using refresh tokens - Duration-aware routine scheduling conflict detection (#11) - Add conflict check when starting routine sessions against medication times - Add diagnostic logging to notification delivery channels Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
107 lines
3.3 KiB
Python
107 lines
3.3 KiB
Python
import core.users as users
|
|
import core.postgres as postgres
|
|
import bcrypt
|
|
import jwt
|
|
from jwt.exceptions import ExpiredSignatureError, InvalidTokenError
|
|
import datetime
|
|
import os
|
|
|
|
|
|
REFRESH_TOKEN_SECRET = None
|
|
|
|
|
|
def _get_refresh_secret():
|
|
global REFRESH_TOKEN_SECRET
|
|
if REFRESH_TOKEN_SECRET is None:
|
|
REFRESH_TOKEN_SECRET = os.getenv("JWT_SECRET", "") + "_refresh"
|
|
return REFRESH_TOKEN_SECRET
|
|
|
|
|
|
def verifyLoginToken(login_token, username=False, userUUID=False):
|
|
if username:
|
|
userUUID = users.getUserUUID(username)
|
|
|
|
if userUUID:
|
|
try:
|
|
decoded_token = jwt.decode(
|
|
login_token, os.getenv("JWT_SECRET"), algorithms=["HS256"]
|
|
)
|
|
if decoded_token.get("sub") == str(userUUID):
|
|
return True
|
|
return False
|
|
except (ExpiredSignatureError, InvalidTokenError):
|
|
return False
|
|
return False
|
|
|
|
|
|
def getUserpasswordHash(userUUID):
|
|
user = postgres.select_one("users", {"id": userUUID})
|
|
if user:
|
|
pw_hash = user.get("password_hashed")
|
|
if isinstance(pw_hash, memoryview):
|
|
return bytes(pw_hash)
|
|
return pw_hash
|
|
return None
|
|
|
|
|
|
def getLoginToken(username, password):
|
|
userUUID = users.getUserUUID(username)
|
|
if userUUID:
|
|
formatted_pass = password.encode("utf-8")
|
|
users_hashed_pw = getUserpasswordHash(userUUID)
|
|
if bcrypt.checkpw(formatted_pass, users_hashed_pw):
|
|
payload = {
|
|
"sub": userUUID,
|
|
"name": users.getUserFirstName(userUUID),
|
|
"exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
|
|
}
|
|
return jwt.encode(payload, os.getenv("JWT_SECRET"), algorithm="HS256")
|
|
return False
|
|
|
|
|
|
def createRefreshToken(userUUID):
|
|
"""Create a long-lived refresh token (30 days)."""
|
|
payload = {
|
|
"sub": str(userUUID),
|
|
"type": "refresh",
|
|
"exp": datetime.datetime.utcnow() + datetime.timedelta(days=30),
|
|
}
|
|
return jwt.encode(payload, _get_refresh_secret(), algorithm="HS256")
|
|
|
|
|
|
def refreshAccessToken(refresh_token):
|
|
"""Validate a refresh token and return a new access token + user_uuid.
|
|
Returns (access_token, user_uuid) or (None, None)."""
|
|
try:
|
|
decoded = jwt.decode(
|
|
refresh_token, _get_refresh_secret(), algorithms=["HS256"]
|
|
)
|
|
if decoded.get("type") != "refresh":
|
|
return None, None
|
|
user_uuid = decoded.get("sub")
|
|
if not user_uuid:
|
|
return None, None
|
|
# Verify user still exists
|
|
user = postgres.select_one("users", {"id": user_uuid})
|
|
if not user:
|
|
return None, None
|
|
# Create new access token
|
|
payload = {
|
|
"sub": user_uuid,
|
|
"name": user.get("first_name", ""),
|
|
"exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
|
|
}
|
|
access_token = jwt.encode(payload, os.getenv("JWT_SECRET"), algorithm="HS256")
|
|
return access_token, user_uuid
|
|
except (ExpiredSignatureError, InvalidTokenError):
|
|
return None, None
|
|
|
|
|
|
def unregisterUser(userUUID, password):
|
|
pw_hash = getUserpasswordHash(userUUID)
|
|
if not pw_hash:
|
|
return False
|
|
if bcrypt.checkpw(password.encode("utf-8"), pw_hash):
|
|
return users.deleteUser(userUUID)
|
|
return False
|