Phase 3 of Migration

backend/auth/dependencies.py

@@ -1,10 +1,14 @@
 from fastapi import Depends
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from jose import JWTError
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
 from auth.utils import decode_access_token
 from auth.models import TokenPayload, Role
+from database.postgres import get_pg_session
+from staff.orm import Staff
 from shared.exceptions import AuthenticationError, AuthorizationError
-from shared.firebase import get_db
 
 security = HTTPBearer()
 
@@ -37,18 +41,15 @@ def require_roles(*allowed_roles: Role):
     return role_checker
 
 
-async def _get_user_permissions(user: TokenPayload) -> dict:
-    """Fetch permissions from Firestore for the given user."""
+async def _get_user_permissions(user: TokenPayload, db: AsyncSession) -> dict | None:
+    """Fetch permissions from Postgres for the given user."""
     if user.role in (Role.sysadmin, Role.admin):
         return None  # Full access
-    db = get_db()
-    if not db:
+    result = await db.execute(select(Staff).where(Staff.id == user.sub).limit(1))
+    staff = result.scalar_one_or_none()
+    if staff is None:
         raise AuthorizationError()
-    doc = db.collection("admin_users").document(user.sub).get()
-    if not doc.exists:
-        raise AuthorizationError()
-    data = doc.to_dict()
-    return data.get("permissions")
+    return staff.permissions
 
 
 def require_permission(section: str, action: str):
@@ -58,17 +59,17 @@ def require_permission(section: str, action: str):
     """
     async def permission_checker(
         current_user: TokenPayload = Depends(get_current_user),
+        db: AsyncSession = Depends(get_pg_session),
     ) -> TokenPayload:
-        # sysadmin and admin have full access
         if current_user.role in (Role.sysadmin, Role.admin):
             return current_user
 
-        permissions = await _get_user_permissions(current_user)
+        permissions = await _get_user_permissions(current_user, db)
         if not permissions:
             raise AuthorizationError()
 
         if section == "mqtt":
-            if not permissions.get("mqtt", False):
+            if not permissions.get("mqtt", {}).get("access", False):
                 raise AuthorizationError()
             return current_user
 
@@ -89,11 +90,7 @@ def require_permission(section: str, action: str):
 # Pre-built convenience dependencies
 require_sysadmin = require_roles(Role.sysadmin)
 require_admin_or_above = require_roles(Role.sysadmin, Role.admin)
-
-# Staff management: only sysadmin and admin
 require_staff_management = require_roles(Role.sysadmin, Role.admin)
-
-# Viewer-level: any authenticated user (actual permission check per-action)
 require_any_authenticated = require_roles(
     Role.sysadmin, Role.admin, Role.editor, Role.user,
 )

backend/auth/router.py

@@ -1,59 +1,57 @@
-from fastapi import APIRouter
-from shared.firebase import get_db
+from fastapi import APIRouter, Depends
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from database.postgres import get_pg_session
+from staff.orm import Staff
 from auth.models import LoginRequest, TokenResponse
 from auth.utils import verify_password, create_access_token
 from shared.exceptions import AuthenticationError
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
+_ROLE_MAP = {
+    "superadmin":     "sysadmin",
+    "melody_editor":  "editor",
+    "device_manager": "editor",
+    "user_manager":   "editor",
+    "viewer":         "user",
+    "staff":          "user",
+}
+
 
 @router.post("/login", response_model=TokenResponse)
-async def login(body: LoginRequest):
-    db = get_db()
-    if not db:
-        raise AuthenticationError("Service unavailable")
+async def login(body: LoginRequest, db: AsyncSession = Depends(get_pg_session)):
+    result = await db.execute(
+        select(Staff).where(Staff.email == body.email).limit(1)
+    )
+    staff = result.scalar_one_or_none()
 
-    users_ref = db.collection("admin_users")
-    query = users_ref.where("email", "==", body.email).limit(1).get()
-
-    if not query:
+    if staff is None:
         raise AuthenticationError("Invalid email or password")
 
-    doc = query[0]
-    user_data = doc.to_dict()
-
-    if not user_data.get("is_active", True):
+    if not staff.is_active:
         raise AuthenticationError("Account is disabled")
 
-    if not verify_password(body.password, user_data["hashed_password"]):
+    if not verify_password(body.password, staff.hashed_password):
         raise AuthenticationError("Invalid email or password")
 
-    role = user_data["role"]
-    # Map legacy roles to new roles
-    role_mapping = {
-        "superadmin": "sysadmin",
-        "melody_editor": "editor",
-        "device_manager": "editor",
-        "user_manager": "editor",
-        "viewer": "user",
-    }
-    role = role_mapping.get(role, role)
+    role = _ROLE_MAP.get(staff.role, staff.role)
 
     token = create_access_token({
-        "sub": doc.id,
-        "email": user_data["email"],
-        "role": role,
-        "name": user_data["name"],
+        "sub":   staff.id,
+        "email": staff.email,
+        "role":  role,
+        "name":  staff.name,
     })
 
-    # Get permissions for editor/user roles
     permissions = None
     if role in ("editor", "user"):
-        permissions = user_data.get("permissions")
+        permissions = staff.permissions
 
     return TokenResponse(
         access_token=token,
         role=role,
-        name=user_data["name"],
+        name=staff.name,
         permissions=permissions,
     )