fix: no need to pass refresh token for validation ,only access_token

chore: bump supabase_py_async to 2.5.0

Author: AtticusZeller

.gitignore

@@ -78,3 +78,4 @@ dmypy.json
 .pyre/
 .pytype/
 cython_debug/
+/.idea

README.md

@@ -143,7 +143,8 @@ ___
     - [ ] supafunc integration
 - [x] deployment
     - [x] Full **Docker** integration (Docker based).
-
+- [ ] clone
+    - [ ] cookiecutter
 ## Release Notes 🥸
 
 ___

poetry.lock

@@ -1,6 +1,6 @@
 from fastapi import APIRouter
 
-from app.api.deps import SessionDep
+from app.api.deps import CurrentUser, SessionDep
 from app.crud import item
 from app.schemas import Item, ItemCreate, ItemUpdate
 
@@ -23,8 +23,8 @@ async def read_item_by_id(id: str, session: SessionDep) -> Item | None:
 
 
 @router.get("/get-by-owner")
-async def read_item_by_owner(session: SessionDep) -> list[Item]:
-    return await item.get_multi_by_owner(session)
+async def read_item_by_owner(session: SessionDep, user: CurrentUser) -> list[Item]:
+    return await item.get_multi_by_owner(session, user=user)
 
 
 @router.put("/update-item")

src/app/api/api_v1/endpoints/items.py

@@ -8,51 +8,66 @@
 import logging
 from typing import Annotated
 
-from fastapi import Cookie, Depends, HTTPException
+from fastapi import Depends, HTTPException
 from fastapi.security import OAuth2PasswordBearer
-from gotrue import User
 from gotrue.errors import AuthApiError
 from supabase_py_async import AsyncClient, create_client
 from supabase_py_async.lib.client_options import ClientOptions
 
 from app.core.config import settings
-from app.schemas import Token
+from app.schemas.auth import UserIn
+
+super_client: AsyncClient | None = None
+
+
+async def init_super_client() -> None:
+    """for validation access_token init at life span event"""
+    global super_client
+    super_client = await create_client(
+        settings.SUPABASE_URL,
+        settings.SUPABASE_KEY,
+        options=ClientOptions(postgrest_client_timeout=10, storage_client_timeout=10),
+    )
+    # await super_client.auth.sign_in_with_password(
+    #     {"email": settings.SUPERUSER_EMAIL, "password": settings.SUPERUSER_PASSWORD}
+    # )
+
 
 # auto get access_token from header
 reusable_oauth2 = OAuth2PasswordBearer(
     tokenUrl="please login by supabase-js to get token"
 )
 AccessTokenDep = Annotated[str, Depends(reusable_oauth2)]
-RefreshTokenDep = Annotated[str | None, Cookie()]
 
 
-async def get_token(
-    access_token: AccessTokenDep, refresh_token: RefreshTokenDep
-) -> Token | None:
-    if not access_token:
-        raise HTTPException(status_code=401, detail="No access token")
-    if not refresh_token:
-        raise HTTPException(status_code=401, detail="No refresh token")
-    return Token(access_token=access_token, refresh_token=refresh_token)
+async def get_current_user(access_token: AccessTokenDep) -> UserIn:
+    """get current user from access_token and  validate same time"""
+    if not super_client:
+        raise HTTPException(status_code=500, detail="Super client not initialized")
+
+    user_rsp = await super_client.auth.get_user(jwt=access_token)
+    if not user_rsp:
+        logging.error("User not found")
+        raise HTTPException(status_code=404, detail="User not found")
+    return UserIn(**user_rsp.user.model_dump(), access_token=access_token)
 
 
-TokenDep = Annotated[Token | None, Depends(get_token)]
+CurrentUser = Annotated[UserIn, Depends(get_current_user)]
 
 
-async def get_db(token: TokenDep) -> AsyncClient:
+async def get_db(user: CurrentUser) -> AsyncClient:
     client: AsyncClient | None = None
     try:
         client = await create_client(
             settings.SUPABASE_URL,
             settings.SUPABASE_KEY,
+            access_token=user.access_token,
             options=ClientOptions(
                 postgrest_client_timeout=10, storage_client_timeout=10
             ),
         )
         # checks all done in supabase-py !
-        if not token:
-            raise HTTPException(status_code=401, detail="Invalid authentication")
-        await client.auth.set_session(token.access_token, token.refresh_token)
+        # await client.auth.set_session(token.access_token, token.refresh_token)
         # session = await client.auth.get_session()
         yield client
 
@@ -67,14 +82,3 @@ async def get_db(token: TokenDep) -> AsyncClient:
 
 
 SessionDep = Annotated[AsyncClient, Depends(get_db)]
-
-
-async def get_current_user(session: SessionDep) -> User:
-    user = await session.auth.get_user()
-    if not user:
-        logging.error("User not found")
-        raise HTTPException(status_code=404, detail="User not found")
-    return user
-
-
-CurrentUser = Annotated[User, Depends(get_current_user)]

src/app/api/deps.py

@@ -1,2 +0,0 @@
-from .config import logger
-from .events import lifespan

src/app/core/__init__.py

@@ -7,11 +7,14 @@
 
 from fastapi import FastAPI
 
+from app.api.deps import init_super_client
+
 
 @asynccontextmanager
 async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
     """life span events"""
     try:
+        await init_super_client()
         yield
     finally:
         logging.info("lifespan shutdown")

src/app/core/events.py

@@ -2,6 +2,7 @@
 
 from supabase_py_async import AsyncClient
 
+from app.schemas.auth import UserIn
 from app.schemas.base import CreateBase, ResponseBase, UpdateBase
 
 ModelType = TypeVar("ModelType", bound=ResponseBase)
@@ -27,14 +28,14 @@ async def get_all(self, db: AsyncClient) -> list[ModelType]:
         _, got = data
         return [self.model(**item) for item in got]
 
-    async def get_multi_by_owner(self, db: AsyncClient) -> list[ModelType]:
+    async def get_multi_by_owner(
+        self, db: AsyncClient, *, user: UserIn
+    ) -> list[ModelType]:
         """get by owner,use it  if rls failed to use"""
-        user_rps = await db.auth.get_user()
-        user_id = user_rps.user.id
         data, count = (
             await db.table(self.model.table_name)
             .select("*")
-            .eq("user_id", user_id)
+            .eq("user_id", user.id)
             .execute()
         )
         _, got = data

src/app/crud/base.py

@@ -2,6 +2,7 @@
 
 from app.crud.base import CRUDBase
 from app.schemas import Item, ItemCreate, ItemUpdate
+from app.schemas.auth import UserIn
 
 
 class CRUDItem(CRUDBase[Item, ItemCreate, ItemUpdate]):
@@ -14,8 +15,8 @@ async def get(self, db: AsyncClient, *, id: str) -> Item | None:
     async def get_all(self, db: AsyncClient) -> list[Item]:
         return await super().get_all(db)
 
-    async def get_multi_by_owner(self, db: AsyncClient) -> list[Item]:
-        return await super().get_multi_by_owner(db)
+    async def get_multi_by_owner(self, db: AsyncClient, *, user: UserIn) -> list[Item]:
+        return await super().get_multi_by_owner(db, user=user)
 
     async def update(self, db: AsyncClient, *, obj_in: ItemUpdate) -> Item:
         return await super().update(db, obj_in=obj_in)

src/app/crud/crud_item.py

@@ -10,8 +10,8 @@
 from fastapi.middleware.cors import CORSMiddleware
 
 from app.api.api_v1.api import api_router
-from app.core import lifespan
 from app.core.config import settings
+from app.core.events import lifespan
 
 
 def create_app() -> FastAPI: