Merge pull request #62 from cuappdev/claire/auth

claiireyu · web-flow · commit 3e0881c36b6f · 2026-02-19T16:45:44.000-05:00
Add JWT authentication and user management features
diff --git a/app.py b/app.py
@@ -1,23 +1,47 @@
 import logging
 import argparse
-from flask import Flask, request, g
+import signal
+import sys
 import time
+from datetime import datetime, timedelta
+
+from dotenv import load_dotenv
+
+load_dotenv()
+
+from flask import Flask, request, g
+from flask_cors import CORS
+from flask_jwt_extended import JWTManager
 from flask_graphql import GraphQLView
 from graphene import Schema
 from src.schema import Query, Mutation
 from src.scrapers.games_scraper import fetch_game_schedule
 from src.scrapers.youtube_stats import fetch_videos
 from src.scrapers.daily_sun_scrape import fetch_news
 from src.services.article_service import ArticleService
+from src.utils.constants import JWT_SECRET_KEY
 from src.utils.team_loader import TeamLoader
-import signal
-import sys
-from dotenv import load_dotenv
-
-load_dotenv()
+from src.database import db
 
 app = Flask(__name__)
 
+# CORS: allow frontend (different origin) to call this API
+CORS(app, supports_credentials=True)
+
+# JWT config
+app.config["JWT_SECRET_KEY"] = JWT_SECRET_KEY
+app.config["JWT_ACCESS_TOKEN_EXPIRES"] = timedelta(hours=1)
+app.config["JWT_REFRESH_TOKEN_EXPIRES"] = timedelta(days=30)
+
+jwt = JWTManager(app)
+
+
+@jwt.token_in_blocklist_loader
+def check_if_token_revoked(jwt_header, jwt_payload: dict) -> bool:
+    """Reject the request if the token's jti is in the blocklist (e.g. after logout)."""
+    jti = jwt_payload["jti"]
+    return db["token_blocklist"].find_one({"jti": jti}) is not None
+
 
 @app.before_request
 def start_timer():
@@ -73,7 +97,7 @@ def log_response_time(response):
     datefmt="%Y-%m-%d %H:%M:%S",
 )
 
-schema = Schema(query=Query, mutation=Mutation)
+schema = Schema(query=Query, mutation=Mutation, auto_camelcase=True)
 
 
 def create_context():
@@ -136,6 +160,17 @@ class DefaultArgs:
     scheduler.init_app(app)
     scheduler.start()
 
+    @scheduler.task("interval", id="cleanse_token_blocklist", seconds=86400)  # 24 hours
+    def cleanse_token_blocklist():
+        """Remove expired tokens from blocklist so the collection doesn't grow forever."""
+        from datetime import timezone
+        from src.database import db
+        result = db["token_blocklist"].delete_many(
+            {"expires_at": {"$lt": datetime.now(timezone.utc)}}
+        )
+        if result.deleted_count:
+            logging.info(f"Cleansed {result.deleted_count} expired token(s) from blocklist")
+
     @scheduler.task("interval", id="scrape_schedules", seconds=43200) # 12 hours
     def scrape_schedules():
         logging.info("Scraping game schedules...")
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,6 @@
 Flask
+Flask-CORS
+Flask-JWT-Extended==4.7.1
 Flask-GraphQL
 graphene
 pymongo
diff --git a/src/database.py b/src/database.py
@@ -98,6 +98,9 @@ def setup_database_indexes():
             background=True
         )
 
+        # JWT blocklist: fast lookup by jti
+        db["token_blocklist"].create_index([("jti", 1)], background=True)
+
         print("✅ MongoDB indexes created successfully")
     except Exception as e:
         print(f"❌ Failed to create MongoDB indexes: {e}")
diff --git a/src/mutations/__init__.py b/src/mutations/__init__.py
@@ -1,4 +1,10 @@
 from .create_game import CreateGame
 from .create_team import CreateTeam
 from .create_youtube_video import CreateYoutubeVideo
-from .create_article import CreateArticle
+from .create_article import CreateArticle
+from .login_user import LoginUser
+from .signup_user import SignupUser
+from .refresh_access_token import RefreshAccessToken
+from .logout_user import LogoutUser
+from .add_favorite_game import AddFavoriteGame
+from .remove_favorite_game import RemoveFavoriteGame
diff --git a/src/mutations/add_favorite_game.py b/src/mutations/add_favorite_game.py
@@ -0,0 +1,25 @@
+from bson import ObjectId
+from graphql import GraphQLError
+from graphene import Mutation, String, Boolean
+
+from flask_jwt_extended import get_jwt_identity, jwt_required
+from src.database import db
+from src.services.game_service import GameService
+
+
+class AddFavoriteGame(Mutation):
+    class Arguments:
+        game_id = String(required=True, description="ID of the game to add to favorites.")
+
+    success = Boolean()
+
+    @jwt_required()
+    def mutate(self, info, game_id):
+        if not GameService.get_game_by_id(game_id):
+            raise GraphQLError("Game not found.")
+        user_id = get_jwt_identity()
+        db["users"].update_one(
+            {"_id": ObjectId(user_id)},
+            {"$addToSet": {"favorite_game_ids": game_id}},
+        )
+        return AddFavoriteGame(success=True)
diff --git a/src/mutations/login_user.py b/src/mutations/login_user.py
@@ -0,0 +1,23 @@
+from graphql import GraphQLError
+from graphene import Mutation, String, Field
+
+from flask_jwt_extended import create_access_token, create_refresh_token
+from src.database import db
+
+
+class LoginUser(Mutation):
+    class Arguments:
+        net_id = String(required=True, description="User's net ID (e.g. Cornell netid).")
+
+    access_token = String()
+    refresh_token = String()
+
+    def mutate(self, info, net_id):
+        user = db["users"].find_one({"net_id": net_id})
+        if not user:
+            raise GraphQLError("User not found.")
+        identity = str(user["_id"])
+        return LoginUser(
+            access_token=create_access_token(identity=identity),
+            refresh_token=create_refresh_token(identity=identity),
+        )
diff --git a/src/mutations/logout_user.py b/src/mutations/logout_user.py
@@ -0,0 +1,19 @@
+from datetime import datetime, timezone
+
+from graphene import Mutation, Boolean
+
+from flask_jwt_extended import get_jwt, jwt_required
+from src.database import db
+
+
+class LogoutUser(Mutation):
+    success = Boolean()
+
+    @jwt_required(verify_type=False)
+    def mutate(self, info):
+        token = get_jwt()
+        jti = token["jti"]
+        exp = token["exp"]
+        expires_at = datetime.fromtimestamp(exp, tz=timezone.utc)
+        db["token_blocklist"].insert_one({"jti": jti, "expires_at": expires_at})
+        return LogoutUser(success=True)
diff --git a/src/mutations/refresh_access_token.py b/src/mutations/refresh_access_token.py
@@ -0,0 +1,14 @@
+from graphene import Mutation, String
+
+from flask_jwt_extended import create_access_token, get_jwt_identity, jwt_required
+
+
+class RefreshAccessToken(Mutation):
+    new_access_token = String()
+
+    @jwt_required(refresh=True)
+    def mutate(self, info):
+        identity = get_jwt_identity()
+        return RefreshAccessToken(
+            new_access_token=create_access_token(identity=identity),
+        )
diff --git a/src/mutations/remove_favorite_game.py b/src/mutations/remove_favorite_game.py
@@ -0,0 +1,21 @@
+from bson import ObjectId
+from graphene import Mutation, String, Boolean
+
+from flask_jwt_extended import get_jwt_identity, jwt_required
+from src.database import db
+
+
+class RemoveFavoriteGame(Mutation):
+    class Arguments:
+        game_id = String(required=True, description="ID of the game to remove from favorites.")
+
+    success = Boolean()
+
+    @jwt_required()
+    def mutate(self, info, game_id):
+        user_id = get_jwt_identity()
+        db["users"].update_one(
+            {"_id": ObjectId(user_id)},
+            {"$pull": {"favorite_game_ids": game_id}},
+        )
+        return RemoveFavoriteGame(success=True)
diff --git a/src/mutations/signup_user.py b/src/mutations/signup_user.py
@@ -0,0 +1,33 @@
+from graphql import GraphQLError
+from graphene import Mutation, String
+
+from flask_jwt_extended import create_access_token, create_refresh_token
+from src.database import db
+
+
+class SignupUser(Mutation):
+    class Arguments:
+        net_id = String(required=True, description="User's net ID (e.g. Cornell netid).")
+        name = String(required=False, description="Display name.")
+        email = String(required=False, description="Email address.")
+
+    access_token = String()
+    refresh_token = String()
+
+    def mutate(self, info, net_id, name=None, email=None):
+        if db["users"].find_one({"net_id": net_id}):
+            raise GraphQLError("Net ID already exists.")
+        user_doc = {
+            "net_id": net_id,
+            "favorite_game_ids": [],
+        }
+        if name is not None:
+            user_doc["name"] = name
+        if email is not None:
+            user_doc["email"] = email
+        result = db["users"].insert_one(user_doc)
+        identity = str(result.inserted_id)
+        return SignupUser(
+            access_token=create_access_token(identity=identity),
+            refresh_token=create_refresh_token(identity=identity),
+        )
diff --git a/src/queries/game_query.py b/src/queries/game_query.py
@@ -1,4 +1,7 @@
+from bson import ObjectId
+from flask_jwt_extended import get_jwt_identity, jwt_required
 from graphene import ObjectType, String, Field, List, Int, DateTime
+from src.database import db
 from src.services.game_service import GameService
 from src.types import GameType
 
@@ -27,6 +30,18 @@ class GameQuery(ObjectType):
         GameType, sport=String(required=True), gender=String(required=True)
     )
     games_by_date = List(GameType, startDate=DateTime(required=True), endDate=DateTime(required=True))
+    my_favorited_games = List(GameType, description="Current user's favorited games (requires auth).")
+
+    @jwt_required()
+    def resolve_my_favorited_games(self, info):
+        user_id = get_jwt_identity()
+        user = db["users"].find_one({"_id": ObjectId(user_id)})
+        if not user:
+            return []
+        favorite_ids = user.get("favorite_game_ids") or []
+        if not favorite_ids:
+            return []
+        return GameService.get_games_by_ids(favorite_ids)
 
     def resolve_games(self, info, limit=100, offset=0):
         """
diff --git a/src/repositories/game_repository.py b/src/repositories/game_repository.py
@@ -247,6 +247,17 @@ def find_by_date(startDate, endDate):
         games = game_collection.find(query)
         return [Game.from_dict(game) for game in games]
 
+    @staticmethod
+    def find_by_ids(game_ids):
+        """
+        Fetch games from the MongoDB collection by a list of IDs.
+        """
+        if not game_ids:
+            return []
+        game_collection = db["game"]
+        cursor = game_collection.find({"_id": {"$in": game_ids}})
+        return [Game.from_dict(g) for g in cursor]
+
     @staticmethod
     def delete_games_by_ids(game_ids):
         """
diff --git a/src/schema.py b/src/schema.py
@@ -1,5 +1,24 @@
+from flask_jwt_extended import (
+    create_access_token,
+    create_refresh_token,
+    get_jwt,
+    get_jwt_identity,
+    jwt_required,
+)
 from graphene import ObjectType, Schema, Mutation
-from src.mutations import CreateGame, CreateTeam, CreateYoutubeVideo, CreateArticle
+from src.database import db
+from src.mutations import (
+    CreateGame,
+    CreateTeam,
+    CreateYoutubeVideo,
+    CreateArticle,
+    LoginUser,
+    SignupUser,
+    RefreshAccessToken,
+    LogoutUser,
+    AddFavoriteGame,
+    RemoveFavoriteGame,
+)
 from src.queries import GameQuery, TeamQuery, YoutubeVideoQuery, ArticleQuery
 
 
@@ -12,6 +31,23 @@ class Mutation(ObjectType):
     create_team = CreateTeam.Field(description="Creates a new team.")
     create_youtube_video = CreateYoutubeVideo.Field(description="Creates a new youtube video.")
     create_article = CreateArticle.Field(description="Creates a new article.")
+    login_user = LoginUser.Field(description="Login by net_id; returns access_token and refresh_token.")
+    signup_user = SignupUser.Field(
+        description="Create a new user by net_id; returns access_token and refresh_token (no separate login needed).",
+    )
+    refresh_access_token = RefreshAccessToken.Field(
+        description="Exchange a valid refresh token (in Authorization header) for a new access_token.",
+    )
+    logout_user = LogoutUser.Field(
+        description="Revoke the current token (access or refresh). Send token in Authorization header.",
+    )
+    add_favorite_game = AddFavoriteGame.Field(
+        description="Add a game to the current user's favorites (requires auth).",
+    )
+    remove_favorite_game = RemoveFavoriteGame.Field(
+        description="Remove a game from the current user's favorites (requires auth).",
+    )
 
 
-schema = Schema(query=Query, mutation=Mutation)
+# auto_camelcase=True (default): GraphQL API uses camelCase (loginUser, accessToken, refreshToken, etc.)
+schema = Schema(query=Query, mutation=Mutation, auto_camelcase=True)
diff --git a/src/services/game_service.py b/src/services/game_service.py
@@ -27,6 +27,13 @@ def get_game_by_id(game_id):
         """
         return GameRepository.find_by_id(game_id)
 
+    @staticmethod
+    def get_games_by_ids(game_ids):
+        """
+        Retrieve games by a list of IDs. Returns only games that exist; order not guaranteed.
+        """
+        return GameRepository.find_by_ids(game_ids)
+
     @staticmethod
     def create_game(data):
         """
diff --git a/src/utils/constants.py b/src/utils/constants.py
@@ -1,3 +1,8 @@
+import os
+
+# JWT 
+JWT_SECRET_KEY = os.environ["JWT_SECRET_KEY"]
+
 # Prefix for opponent image URLs
 IMAGE_PREFIX = "https://dxbhsrqyrr690.cloudfront.net/sidearm.nextgen.sites/cornellbigred.com"
 

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,9 @@ def setup_database_indexes():`
`98`	`98`	`background=True`
`99`	`99`	`)`
`100`	`100`
	`101`	`+ # JWT blocklist: fast lookup by jti`
	`102`	`+ db["token_blocklist"].create_index([("jti", 1)], background=True)`
	`103`	`+`
`101`	`104`	`print("✅ MongoDB indexes created successfully")`
`102`	`105`	`except Exception as e:`
`103`	`106`	`print(f"❌ Failed to create MongoDB indexes: {e}")`