refactor

Author: makara4code

.claude/settings.local.json

@@ -37,7 +37,8 @@
       "Bash(npm run lint)",
       "Bash(del \"c:\\\\Users\\\\makara\\\\Desktop\\\\full-stack-fastapi-template\\\\frontend\\\\src\\\\routes\\\\unauthorized.tsx\")",
       "Bash(del \"c:\\\\Users\\\\makara\\\\Desktop\\\\full-stack-fastapi-template\\\\frontend\\\\src\\\\components\\\\owasp\\\\SettingsButton.tsx\")",
-      "Bash(find:*)"
+      "Bash(find:*)",
+      "Bash(python3:*)"
     ],
     "deny": [],
     "ask": []

backend/.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(mkdir:*)",
+      "Bash(python:*)",
+      "Bash(.venv/Scripts/python.exe:*)"
+    ]
+  }
+}

backend/app/core/config.py

@@ -32,10 +32,10 @@ class Settings(BaseSettings):
     )
     API_V1_STR: str = "/api/v1"
     SECRET_KEY: str = secrets.token_urlsafe(32)
-    # Access token: short-lived (15 minutes)
-    ACCESS_TOKEN_EXPIRE_MINUTES: int = 15
-    # Refresh token: long-lived (7 days)
-    REFRESH_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 7
+    # Access token: short-lived (5 minutes)
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 5
+    # Refresh token: medium-lived (15 minutes)
+    REFRESH_TOKEN_EXPIRE_MINUTES: int = 15
     FRONTEND_HOST: str = "http://localhost:5173"
     ENVIRONMENT: Literal["local", "staging", "production"] = "local"
 

backend/app/core/csrf.py

@@ -22,14 +22,14 @@
 
 # Endpoints exempt from CSRF validation
 CSRF_EXEMPT_PATHS = {
-    "/api/v1/login/access-token",
-    "/api/v1/login/google",
-    "/api/v1/login/google/callback",
-    "/api/v1/login/google/authorize",
-    "/api/v1/auth/refresh",  # Uses refresh_token cookie for validation
+    "/api/v1/auth/login",
     "/api/v1/auth/logout",
-    "/api/v1/password-recovery",
-    "/api/v1/reset-password",
+    "/api/v1/auth/refresh",  # Uses refresh_token cookie for validation
+    "/api/v1/auth/google/login",
+    "/api/v1/auth/google/callback",
+    "/api/v1/auth/google/authorize",
+    "/api/v1/auth/password/recover",
+    "/api/v1/auth/password/reset",
     "/api/v1/users/signup",
     "/docs",
     "/redoc",

backend/app/core/db/__init__.py

@@ -0,0 +1,9 @@
+# Database module
+#
+# Usage:
+#   from app.core.db import engine          # Always safe
+#   from app.core.db.init import init_db    # Import separately to avoid circular deps
+
+from app.core.db.engine import engine
+
+__all__ = ["engine"]

backend/app/core/db/engine.py

@@ -0,0 +1,5 @@
+from sqlmodel import create_engine
+
+from app.core.config import settings
+
+engine = create_engine(str(settings.SQLALCHEMY_DATABASE_URI))

backend/app/core/db.py backend/app/core/db/init.pybackend/app/core/db.py renamed to backend/app/core/db/init.py

@@ -1,32 +1,24 @@
 import logging
 
-from sqlmodel import Session, create_engine, select
+from sqlmodel import Session, select
 
 from app.core.config import settings
+from app.modules.items.models import Item
+from app.modules.rbac.models import Role
+from app.modules.rbac.service import UserRoleService
+from app.modules.users.models import User
+from app.modules.users.repository import UserRepository
+from app.modules.users.schemas import UserCreate
 
 logger = logging.getLogger(__name__)
 
-engine = create_engine(str(settings.SQLALCHEMY_DATABASE_URI))
-
-
-# make sure all SQLModel models are imported (app.modules) before initializing DB
-# otherwise, SQLModel might fail to initialize relationships properly
-# for more details: https://github.com/fastapi/full-stack-fastapi-template/issues/28
-
 
 def init_db(session: Session) -> None:
-    # Import models and repository here to avoid circular imports
-    from app.modules.items.models import Item
-    from app.modules.rbac.models import Role
-    from app.modules.rbac.service import UserRoleService
-    from app.modules.users.models import User
-    from app.modules.users.repository import UserRepository
-    from app.modules.users.schemas import UserCreate
-
     # Tables should be created with Alembic migrations
     # But if you don't want to use migrations, create
     # the tables un-commenting the next lines
     # from sqlmodel import SQLModel
+    # from app.core.db.engine import engine
     # SQLModel.metadata.create_all(engine)
 
     user = session.exec(
@@ -85,8 +77,6 @@ def init_db(session: Session) -> None:
 
 def _seed_demo_items(session: Session, admin_user, demo_user) -> None:
     """Seed demo items for OWASP A01 demonstrations."""
-    from app.modules.items.models import Item
-
     # Check if demo items already exist
     existing_items = session.exec(select(Item)).all()
     if len(existing_items) >= 6:

backend/app/initial_data.py

@@ -2,7 +2,8 @@
 
 from sqlmodel import Session
 
-from app.core.db import engine, init_db
+from app.core.db import engine
+from app.core.db.init import init_db
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)

backend/app/modules/auth/routes.py

@@ -11,7 +11,7 @@
     GoogleCallbackRequest,
     GoogleLoginRequest,
     NewPassword,
-    Token,
+    PasswordRecoveryRequest,
     TokenResponse,
 )
 from app.modules.auth.service import AuthService
@@ -23,16 +23,16 @@
 )
 from app.modules.users.schemas import UserPublic
 
-router = APIRouter(tags=["login"])
+router = APIRouter(tags=["auth"])
 
 
 def generate_csrf_token() -> str:
     """Generate a cryptographically secure CSRF token."""
     return secrets.token_urlsafe(32)
 
 
-@router.post("/login/access-token")
-def login_access_token(
+@router.post("/auth/login")
+def auth_login(
     response: Response,
     session: SessionDep,
     form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
@@ -67,7 +67,7 @@ def login_access_token(
 
 
 @router.post("/auth/refresh")
-def refresh_token(
+def auth_refresh(
     response: Response,
     session: SessionDep,
     refresh_token: Annotated[str | None, Cookie()] = None,
@@ -104,7 +104,7 @@ def refresh_token(
 
 
 @router.post("/auth/logout")
-def logout(response: Response) -> Message:
+def auth_logout(response: Response) -> Message:
     """
     Logout user by clearing authentication cookies.
     """
@@ -117,45 +117,45 @@ def logout(response: Response) -> Message:
     return Message(message="Successfully logged out")
 
 
-@router.post("/login/test-token", response_model=UserPublic)
-def test_token(current_user: CurrentUser) -> Any:
-    """Test access token."""
+@router.post("/auth/verify", response_model=UserPublic)
+def auth_verify(current_user: CurrentUser) -> Any:
+    """Verify access token and return current user."""
     return current_user
 
 
-@router.post("/password-recovery/{email}")
-def recover_password(email: str, session: SessionDep) -> Message:
-    """Password recovery."""
+@router.post("/auth/password/recover")
+def auth_password_recover(session: SessionDep, body: PasswordRecoveryRequest) -> Message:
+    """Request password recovery email."""
     service = AuthService(session)
-    service.recover_password(email=email)
+    service.recover_password(email=body.email)
     return Message(message="Password recovery email sent")
 
 
-@router.post("/reset-password/")
-def reset_password(session: SessionDep, body: NewPassword) -> Message:
-    """Reset password."""
+@router.post("/auth/password/reset")
+def auth_password_reset(session: SessionDep, body: NewPassword) -> Message:
+    """Reset password with token."""
     service = AuthService(session)
     service.reset_password(token=body.token, new_password=body.new_password)
     return Message(message="Password updated successfully")
 
 
 @router.post(
-    "/password-recovery-html-content/{email}",
+    "/auth/password/recover-html",
     dependencies=[Depends(get_current_active_superuser)],
     response_class=HTMLResponse,
 )
-def recover_password_html_content(email: str, session: SessionDep) -> Any:
-    """HTML content for password recovery."""
+def auth_password_recover_html(session: SessionDep, body: PasswordRecoveryRequest) -> Any:
+    """HTML content for password recovery (admin only)."""
     service = AuthService(session)
-    html_content, subject = service.get_password_recovery_html(email=email)
+    html_content, subject = service.get_password_recovery_html(email=body.email)
     return HTMLResponse(content=html_content, headers={"subject:": subject})
 
 
-@router.post("/login/google")
-def login_google(
+@router.post("/auth/google/login")
+def auth_google_login(
     response: Response, session: SessionDep, body: GoogleLoginRequest
 ) -> TokenResponse:
-    """Google OAuth login with HttpOnly cookie tokens."""
+    """Google OAuth login with ID token. Sets HttpOnly cookie tokens."""
     try:
         service = AuthService(session)
         user, access_token, refresh_token = service.login_google(id_token=body.id_token)
@@ -185,8 +185,8 @@ def login_google(
         )
 
 
-@router.get("/login/google/authorize")
-def google_authorize() -> RedirectResponse:
+@router.get("/auth/google/authorize")
+def auth_google_authorize() -> RedirectResponse:
     """Initiate Google OAuth flow by redirecting to Google's authorization page."""
     if not settings.GOOGLE_CLIENT_ID:
         raise HTTPException(
@@ -207,11 +207,11 @@ def google_authorize() -> RedirectResponse:
     return RedirectResponse(url=auth_url)
 
 
-@router.post("/login/google/callback")
-def google_callback(
+@router.post("/auth/google/callback")
+def auth_google_callback(
     response: Response, session: SessionDep, body: GoogleCallbackRequest
 ) -> TokenResponse:
-    """Handle Google OAuth callback with HttpOnly cookie tokens."""
+    """Handle Google OAuth callback with authorization code. Sets HttpOnly cookie tokens."""
     try:
         service = AuthService(session)
         user, access_token, refresh_token = service.google_callback(code=body.code)

backend/app/modules/auth/schemas.py

@@ -29,6 +29,12 @@ class NewPassword(SQLModel):
     new_password: str = Field(min_length=8, max_length=128)
 
 
+class PasswordRecoveryRequest(SQLModel):
+    """Password recovery request."""
+
+    email: str
+
+
 class GoogleLoginRequest(SQLModel):
     """Google login with ID token request."""