Sunyata-OU
diff --git a/‎.github/workflows/ruff.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ruff.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎alembic/versions/cbf112934370_added_s3_table.py‎
Lines changed: 1 addition & 0 deletions b/‎alembic/versions/cbf112934370_added_s3_table.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 2 additions & 0 deletions b/‎pyproject.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/auth.py‎
Lines changed: 62 additions & 82 deletions b/‎src/auth.py‎
Lines changed: 62 additions & 82 deletions
@@ -11,5 +11,5 @@ jobs:
   ruff:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: chartboost/ruff-action@v1
@@ -5,6 +5,7 @@
 Create Date: 2023-11-28 22:15:10.479990
 
 """
+
 from typing import Sequence, Union
 
 import sqlalchemy as sa
 
@@ -160,8 +160,10 @@ exclude_lines = [
 dev = [
     "freezegun>=1.5.4",
     "httpx>=0.28.1",
+    "mypy>=1.17.1",
     "pytest>=8.4.1",
     "pytest-asyncio>=1.1.0",
     "pytest-cov>=6.2.1",
     "pyyaml>=6.0.2",
+    "ruff>=0.12.7",
 ]
@@ -2,16 +2,18 @@
 Authentication and authorization utilities.
 """
 
-import secrets
 import hashlib
+import secrets
+from collections import defaultdict
 from datetime import datetime, timedelta, timezone
-from typing import Any, Dict, Optional, Union
 from enum import Enum
+from time import time
+from typing import Any, Dict, Optional, Union
 
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from jose import jwt
 from passlib.context import CryptContext
-from fastapi import HTTPException, status, Depends
-from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from src.config import get_settings
@@ -27,13 +29,15 @@
 
 class UserRole(str, Enum):
     """User roles for authorization."""
+
     ADMIN = "admin"
     USER = "user"
     GUEST = "guest"
 
 
 class TokenType(str, Enum):
     """Token types."""
+
     ACCESS = "access"
     REFRESH = "refresh"
     EMAIL_VERIFY = "email_verify"
@@ -43,24 +47,28 @@ class TokenType(str, Enum):
 # Exception classes
 class AuthenticationError(HTTPException):
     """Authentication failed."""
+
     def __init__(self, detail: str = "Authentication failed"):
         super().__init__(status_code=status.HTTP_401_UNAUTHORIZED, detail=detail)
 
 
 class AuthorizationError(HTTPException):
     """Authorization failed."""
+
     def __init__(self, detail: str = "Insufficient permissions"):
         super().__init__(status_code=status.HTTP_403_FORBIDDEN, detail=detail)
 
 
 class TokenExpiredError(AuthenticationError):
     """Token has expired."""
+
     def __init__(self, detail: str = "Token has expired"):
         super().__init__(detail=detail)
 
 
 class InvalidTokenError(AuthenticationError):
     """Token is invalid."""
+
     def __init__(self, detail: str = "Invalid token"):
         super().__init__(detail=detail)
 
@@ -87,67 +95,51 @@ def create_access_token(
     expires_delta: Optional[timedelta] = None,
     user_id: Optional[int] = None,
     role: Optional[str] = None,
-    token_type: TokenType = TokenType.ACCESS
+    token_type: TokenType = TokenType.ACCESS,
 ) -> str:
     """Create a JWT access token."""
     if expires_delta:
         expire = datetime.now(timezone.utc) + expires_delta
     else:
-        expire = datetime.now(timezone.utc) + timedelta(
-            minutes=settings.access_token_expire_minutes
-        )
-    
-    to_encode = {
-        "exp": expire,
-        "iat": datetime.now(timezone.utc),
-        "sub": str(subject),
-        "type": token_type.value
-    }
-    
+        expire = datetime.now(timezone.utc) + timedelta(minutes=settings.access_token_expire_minutes)
+
+    to_encode = {"exp": expire, "iat": datetime.now(timezone.utc), "sub": str(subject), "type": token_type.value}
+
     if user_id:
         to_encode["user_id"] = user_id
     if role:
         to_encode["role"] = role
-    
+
     return jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
 
 
-def create_refresh_token(
-    subject: Union[str, Any],
-    user_id: Optional[int] = None
-) -> str:
+def create_refresh_token(subject: Union[str, Any], user_id: Optional[int] = None) -> str:
     """Create a JWT refresh token."""
-    expire = datetime.now(timezone.utc) + timedelta(
-        days=settings.refresh_token_expire_days
-    )
-    
+    expire = datetime.now(timezone.utc) + timedelta(days=settings.refresh_token_expire_days)
+
     to_encode = {
         "exp": expire,
         "iat": datetime.now(timezone.utc),
         "sub": str(subject),
         "user_id": user_id,
         "type": TokenType.REFRESH.value,
-        "jti": generate_secure_token(16)  # JWT ID for invalidation
+        "jti": generate_secure_token(16),  # JWT ID for invalidation
     }
-    
+
     return jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
 
 
 def verify_token(token: str, token_type: Optional[TokenType] = None) -> Dict[str, Any]:
     """Verify and decode a JWT token."""
     try:
-        payload = jwt.decode(
-            token, 
-            settings.secret_key, 
-            algorithms=[settings.algorithm]
-        )
-        
+        payload = jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
+
         # Check token type if specified
         if token_type and payload.get("type") != token_type.value:
             raise InvalidTokenError("Invalid token type")
-        
+
         return payload
-    
+
     except jwt.ExpiredSignatureError:
         raise TokenExpiredError()
     except jwt.InvalidTokenError:
@@ -172,68 +164,66 @@ def verify_api_key(api_key: str, hashed_key: str) -> bool:
 
 # Authentication dependencies
 async def get_current_user_from_token(
-    credentials: HTTPAuthorizationCredentials = Depends(security),
-    db: AsyncSession = Depends(get_async_db)
+    credentials: HTTPAuthorizationCredentials = Depends(security), db: AsyncSession = Depends(get_async_db)
 ):
     """Get current user from JWT token."""
     from src.models.user import User  # Import here to avoid circular imports
-    
+
     try:
         payload = verify_token(credentials.credentials, TokenType.ACCESS)
         user_id: int = payload.get("user_id")
-        
+
         if user_id is None:
             raise InvalidTokenError("Token missing user_id")
-        
+
         user = await User.get(db, user_id)
         if user is None:
             raise AuthenticationError("User not found")
-        
+
         if not user.is_active:
             raise AuthenticationError("User account is disabled")
-        
+
         return user
-    
+
     except (InvalidTokenError, TokenExpiredError, AuthenticationError):
         raise
     except Exception as e:
         raise AuthenticationError(f"Authentication failed: {str(e)}")
 
 
 async def get_current_user_from_api_key(
-    credentials: HTTPAuthorizationCredentials = Depends(security),
-    db: AsyncSession = Depends(get_async_db)
+    credentials: HTTPAuthorizationCredentials = Depends(security), db: AsyncSession = Depends(get_async_db)
 ):
     """Get current user from API key."""
-    from src.models.user import User, APIKey  # Import here to avoid circular imports
-    
+    from src.models.user import APIKey, User  # Import here to avoid circular imports
+
     try:
         api_key = credentials.credentials
         if not api_key.startswith("ws_"):
             raise InvalidTokenError("Invalid API key format")
-        
+
         # Hash the provided API key
         hashed_key = hash_api_key(api_key)
-        
+
         # Find the API key in database
         api_key_obj = await APIKey.get_by_hash(db, hashed_key)
         if not api_key_obj or not api_key_obj.is_active:
             raise AuthenticationError("Invalid or inactive API key")
-        
+
         # Check expiration
         if api_key_obj.expires_at and api_key_obj.expires_at < datetime.utcnow():
             raise AuthenticationError("API key has expired")
-        
+
         # Get associated user
         user = await User.get(db, api_key_obj.user_id)
         if not user or not user.is_active:
             raise AuthenticationError("User not found or inactive")
-        
+
         # Update last used timestamp
         await api_key_obj.update(db, last_used_at=datetime.utcnow())
-        
+
         return user
-    
+
     except (InvalidTokenError, AuthenticationError):
         raise
     except Exception as e:
@@ -242,8 +232,7 @@ async def get_current_user_from_api_key(
 
 # Flexible authentication - tries both token and API key
 async def get_current_user(
-    credentials: HTTPAuthorizationCredentials = Depends(security),
-    db: AsyncSession = Depends(get_async_db)
+    credentials: HTTPAuthorizationCredentials = Depends(security), db: AsyncSession = Depends(get_async_db)
 ):
     """Get current user from either JWT token or API key."""
     try:
@@ -259,10 +248,12 @@ async def get_current_user(
 
 def require_role(required_role: UserRole):
     """Dependency to require specific role."""
-    async def role_checker(current_user = Depends(get_current_user)):
+
+    async def role_checker(current_user=Depends(get_current_user)):
         if current_user.role != required_role and current_user.role != UserRole.ADMIN:
             raise AuthorizationError(f"Role '{required_role}' required")
         return current_user
+
     return role_checker
 
 
@@ -272,61 +263,50 @@ def require_admin():
 
 
 async def get_optional_user(
-    credentials: Optional[HTTPAuthorizationCredentials] = Depends(
-        HTTPBearer(auto_error=False)
-    ),
-    db: AsyncSession = Depends(get_async_db)
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(HTTPBearer(auto_error=False)),
+    db: AsyncSession = Depends(get_async_db),
 ):
     """Get current user if authenticated, None otherwise."""
     if not credentials:
         return None
-    
+
     try:
         return await get_current_user(credentials, db)
     except (AuthenticationError, AuthorizationError):
         return None
 
 
 # Rate limiting helper (simple in-memory implementation)
-from collections import defaultdict
-from time import time
 
 _rate_limit_cache = defaultdict(list)
 
-def check_rate_limit(
-    identifier: str, 
-    max_requests: int = 100, 
-    window_seconds: int = 3600
-) -> bool:
+
+def check_rate_limit(identifier: str, max_requests: int = 100, window_seconds: int = 3600) -> bool:
     """Simple in-memory rate limiting."""
     now = time()
     window_start = now - window_seconds
-    
+
     # Clean old entries
     _rate_limit_cache[identifier] = [
-        timestamp for timestamp in _rate_limit_cache[identifier]
-        if timestamp > window_start
+        timestamp for timestamp in _rate_limit_cache[identifier] if timestamp > window_start
     ]
-    
+
     # Check if under limit
     if len(_rate_limit_cache[identifier]) >= max_requests:
         return False
-    
+
     # Add current request
     _rate_limit_cache[identifier].append(now)
     return True
 
 
 def require_rate_limit(max_requests: int = 100, window_seconds: int = 3600):
     """Dependency for rate limiting."""
-    async def rate_limiter(
-        credentials: HTTPAuthorizationCredentials = Depends(security)
-    ):
+
+    async def rate_limiter(credentials: HTTPAuthorizationCredentials = Depends(security)):
         # Use token/api key as identifier
         if not check_rate_limit(credentials.credentials, max_requests, window_seconds):
-            raise HTTPException(
-                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
-                detail="Rate limit exceeded"
-            )
+            raise HTTPException(status_code=status.HTTP_429_TOO_MANY_REQUESTS, detail="Rate limit exceeded")
         return True
-    return rate_limiter
+
+    return rate_limiter