member-backend/app/api/me.py

from fastapi import APIRouter, Depends
from sqlalchemy.exc import SQLAlchemyError
from sqlalchemy.orm import Session

from app.db.session import get_db
from app.repositories.users_repo import UsersRepository
from app.repositories.user_sites_repo import UserSitesRepository
from app.schemas.auth import KeycloakPrincipal, MeSummaryResponse
from app.schemas.permissions import RoleSnapshotResponse
from app.security.idp_jwt import require_authenticated_principal
from app.services.permission_service import PermissionService

router = APIRouter(prefix="/me", tags=["me"])


@router.get("", response_model=MeSummaryResponse)
def get_me(
    principal: KeycloakPrincipal = Depends(require_authenticated_principal),
    db: Session = Depends(get_db),
) -> MeSummaryResponse:
    try:
        users_repo = UsersRepository(db)
        user = users_repo.upsert_by_sub(
            user_sub=principal.sub,
            username=principal.preferred_username,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
            is_active=True,
            status="active",
        )
        return MeSummaryResponse(sub=user.user_sub, email=user.email, display_name=user.display_name)
    except SQLAlchemyError:
        return MeSummaryResponse(
            sub=principal.sub,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
        )


@router.get("/permissions/snapshot", response_model=RoleSnapshotResponse)
def get_my_permission_snapshot(
    principal: KeycloakPrincipal = Depends(require_authenticated_principal),
    db: Session = Depends(get_db),
) -> RoleSnapshotResponse:
    try:
        users_repo = UsersRepository(db)
        user_sites_repo = UserSitesRepository(db)

        user = users_repo.upsert_by_sub(
            user_sub=principal.sub,
            username=principal.preferred_username,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
            is_active=True,
            status="active",
        )
        rows = user_sites_repo.get_user_role_rows(user.id)
        serialized = [
            (
                site.site_key,
                site.display_name,
                company.company_key,
                company.display_name,
                system.system_key,
                system.name,
                role.role_key,
                role.name,
                role.idp_role_name,
            )
            for site, company, role, system in rows
        ]
        return PermissionService.build_role_snapshot(user_sub=principal.sub, rows=serialized)
    except SQLAlchemyError:
        return RoleSnapshotResponse(user_sub=principal.sub, roles=[])