member-backend/app/api/me.py

from fastapi import APIRouter, Depends
from sqlalchemy.exc import SQLAlchemyError
from sqlalchemy.orm import Session

from app.db.session import get_db
from app.repositories.users_repo import UsersRepository
from app.repositories.user_sites_repo import UserSitesRepository
from app.schemas.auth import ProviderPrincipal, MeSummaryResponse
from app.schemas.permissions import RoleSnapshotResponse
from app.security.idp_jwt import require_authenticated_principal
from app.services.permission_service import PermissionService
from app.services.runtime_cache import runtime_cache

router = APIRouter(prefix="/me", tags=["me"])


@router.get("", response_model=MeSummaryResponse)
def get_me(
    principal: ProviderPrincipal = Depends(require_authenticated_principal),
    db: Session = Depends(get_db),
) -> MeSummaryResponse:
    cache_key = f"me:{principal.sub}"
    cached = runtime_cache.get(cache_key)
    if isinstance(cached, MeSummaryResponse):
        return cached
    try:
        users_repo = UsersRepository(db)
        user = users_repo.upsert_by_sub(
            user_sub=principal.sub,
            username=principal.preferred_username,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
            is_active=True,
            status="active",
        )
        result = MeSummaryResponse(sub=user.user_sub, email=user.email, display_name=user.display_name)
        runtime_cache.set(cache_key, result, ttl_seconds=30)
        return result
    except SQLAlchemyError:
        result = MeSummaryResponse(
            sub=principal.sub,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
        )
        runtime_cache.set(cache_key, result, ttl_seconds=15)
        return result


@router.get("/permissions/snapshot", response_model=RoleSnapshotResponse)
def get_my_permission_snapshot(
    principal: ProviderPrincipal = Depends(require_authenticated_principal),
    db: Session = Depends(get_db),
) -> RoleSnapshotResponse:
    cache_key = f"me:permissions_snapshot:{principal.sub}"
    cached = runtime_cache.get(cache_key)
    if isinstance(cached, RoleSnapshotResponse):
        return cached
    try:
        users_repo = UsersRepository(db)
        user_sites_repo = UserSitesRepository(db)

        user = users_repo.upsert_by_sub(
            user_sub=principal.sub,
            username=principal.preferred_username,
            email=principal.email,
            display_name=principal.name or principal.preferred_username,
            is_active=True,
            status="active",
        )
        rows = user_sites_repo.get_user_role_rows(user.id)
        serialized = [
            (
                site.site_key,
                site.display_name,
                company.company_key,
                company.name,
                system.system_key,
                system.name,
                role.role_key,
                role.role_code,
                role.name,
            )
            for site, company, role, system in rows
        ]
        result = PermissionService.build_role_snapshot(user_sub=principal.sub, rows=serialized)
        runtime_cache.set(cache_key, result, ttl_seconds=30)
        return result
    except SQLAlchemyError:
        result = RoleSnapshotResponse(user_sub=principal.sub, roles=[])
        runtime_cache.set(cache_key, result, ttl_seconds=10)
        return result