member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: rename idp fields to provider naming

Browse Source
This commit is contained in:
Chris
2026-04-03 01:05:01 +08:00
parent ce181ebf67
commit 388a3f461c
26 changed files with 202 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/security/admin_guard.py
View File

@@ -1,7 +1,7 @@
from fastapi import Depends, HTTPException, status
from app.core.config import get_settings
from app.schemas.auth import KeycloakPrincipal
from app.schemas.auth import ProviderPrincipal
from app.security.idp_jwt import require_authenticated_principal
@@ -21,8 +21,8 @@ def _expand_group_aliases(groups: set[str]) -> set[str]:
def require_admin_principal(
principal: KeycloakPrincipal = Depends(require_authenticated_principal),
) -> KeycloakPrincipal:
principal: ProviderPrincipal = Depends(require_authenticated_principal),
) -> ProviderPrincipal:
settings = get_settings()
required_groups = _expand_group_aliases(set(settings.admin_required_groups))

22
app/security/idp_jwt.py
View File

@@ -9,13 +9,13 @@ from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from app.core.config import get_settings
from app.schemas.auth import KeycloakPrincipal
from app.schemas.auth import ProviderPrincipal
bearer_scheme = HTTPBearer(auto_error=False)
logger = logging.getLogger(__name__)
class KeycloakTokenVerifier:
class ProviderTokenVerifier:
def __init__(
self,
issuer: str | None,
@@ -99,7 +99,7 @@ class KeycloakTokenVerifier:
return base_url.rstrip("/") + "/realms/master/protocol/openid-connect/userinfo"
return None
def _enrich_from_userinfo(self, principal: KeycloakPrincipal, token: str) -> KeycloakPrincipal:
def _enrich_from_userinfo(self, principal: ProviderPrincipal, token: str) -> ProviderPrincipal:
if principal.email and (principal.name or principal.preferred_username) and principal.groups:
return principal
if not self.userinfo_endpoint:
@@ -132,7 +132,7 @@ class KeycloakTokenVerifier:
payload_groups = data.get("groups")
if isinstance(payload_groups, list):
groups = [str(g) for g in payload_groups if str(g)]
enriched = KeycloakPrincipal(
enriched = ProviderPrincipal(
sub=principal.sub,
email=email,
name=name,
@@ -169,7 +169,7 @@ class KeycloakTokenVerifier:
token = resp.json().get("access_token")
return str(token) if token else None
def _enrich_groups_from_admin(self, principal: KeycloakPrincipal) -> KeycloakPrincipal:
def _enrich_groups_from_admin(self, principal: ProviderPrincipal) -> ProviderPrincipal:
if principal.groups:
return principal
if not self.base_url or not self.realm:
@@ -204,7 +204,7 @@ class KeycloakTokenVerifier:
groups.append(name)
if not groups:
return principal
return KeycloakPrincipal(
return ProviderPrincipal(
sub=principal.sub,
email=principal.email,
name=principal.name,
@@ -212,7 +212,7 @@ class KeycloakTokenVerifier:
groups=groups,
)
def verify_access_token(self, token: str) -> KeycloakPrincipal:
def verify_access_token(self, token: str) -> ProviderPrincipal:
try:
header = jwt.get_unverified_header(token)
algorithm = str(header.get("alg", "")).upper()
@@ -255,7 +255,7 @@ class KeycloakTokenVerifier:
if not sub:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="token_missing_sub")
principal = KeycloakPrincipal(
principal = ProviderPrincipal(
sub=sub,
email=claims.get("email"),
name=claims.get("name"),
@@ -266,9 +266,9 @@ class KeycloakTokenVerifier:
@lru_cache
def _get_verifier() -> KeycloakTokenVerifier:
def _get_verifier() -> ProviderTokenVerifier:
settings = get_settings()
return KeycloakTokenVerifier(
return ProviderTokenVerifier(
issuer=settings.idp_issuer,
jwks_url=settings.idp_jwks_url,
audience=settings.idp_audience,
@@ -286,7 +286,7 @@ def _get_verifier() -> KeycloakTokenVerifier:
def require_authenticated_principal(
credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
) -> KeycloakPrincipal:
) -> ProviderPrincipal:
if credentials is None or credentials.scheme.lower() != "bearer":
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="missing_bearer_token")