member-platform/backend/app/api/auth.py

from urllib.parse import urljoin

import httpx
from fastapi import APIRouter, HTTPException, status

from app.core.config import get_settings
from app.schemas.login import LoginRequest, LoginResponse

router = APIRouter(prefix="/auth", tags=["auth"])


def _resolve_username_by_email(settings, email: str) -> str | None:
    if not settings.authentik_base_url or not settings.authentik_admin_token:
        return None

    url = urljoin(settings.authentik_base_url.rstrip("/") + "/", "api/v3/core/users/")
    try:
        resp = httpx.get(
            url,
            params={"email": email},
            timeout=10,
            verify=settings.authentik_verify_tls,
            headers={
                "Authorization": f"Bearer {settings.authentik_admin_token}",
                "Accept": "application/json",
            },
        )
    except Exception:
        return None

    if resp.status_code >= 400:
        return None

    data = resp.json()
    results = data.get("results") if isinstance(data, dict) else None
    if not isinstance(results, list) or not results:
        return None

    username = results[0].get("username")
    return username if isinstance(username, str) and username else None


@router.post("/login", response_model=LoginResponse)
def login(payload: LoginRequest) -> LoginResponse:
    settings = get_settings()
    client_id = settings.authentik_client_id or settings.authentik_audience

    if not settings.authentik_base_url or not client_id or not settings.authentik_client_secret:
        raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured")

    token_endpoint = settings.authentik_token_endpoint or urljoin(
        settings.authentik_base_url.rstrip("/") + "/", "application/o/token/"
    )

    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": settings.authentik_client_secret,
        "username": payload.username,
        "password": payload.password,
        "scope": "openid profile email",
    }

    def _token_request(form_data: dict[str, str]) -> httpx.Response:
        resp = httpx.post(
            token_endpoint,
            data=form_data,
            timeout=10,
            verify=settings.authentik_verify_tls,
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        return resp

    try:
        resp = _token_request(form)
    except Exception as exc:
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc

    # If user entered email, try resolving username and retry once.
    if resp.status_code >= 400 and "@" in payload.username:
        resolved = _resolve_username_by_email(settings, payload.username)
        if resolved and resolved != payload.username:
            form["username"] = resolved
            try:
                resp = _token_request(form)
            except Exception as exc:
                raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc

    if resp.status_code >= 400:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_username_or_password")

    data = resp.json()
    token = data.get("access_token")
    if not token:
        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_access_token")

    return LoginResponse(
        access_token=token,
        token_type=data.get("token_type", "Bearer"),
        expires_in=data.get("expires_in"),
        scope=data.get("scope"),
    )