u֞iQ'ZUdZddlmZddlZddlZddlmZmZmZddl m Z m Z m Z m Z mZddlmZmZddlmZmZddlmZmZdd lmZej4eZe d d g Zdad ed<d6dZ GddeZ!GddeZ"GddeZ#GddeZ$GddeZ%GddeZ&ejOde&ejPde e f d7dZ)ejOd e&d!"e e f d8d#Z*ejOd$ejVd%&e e f d9d'Z,ejOd(ejVd)&e ed*+e e f d:d,Z-ej]d-ejVd.&e ef d;d/Z/ejOd0ejVd1&e e f du Genesis Customer Auth — FastAPI Routes ======================================= Module 5, Story 5.03: Auth API router Provides all customer-facing authentication endpoints for ReceptionistAI: POST /auth/signup Register new customer POST /auth/login Email + password login POST /auth/magic-link Send magic link POST /auth/logout Invalidate session GET /auth/me Get own profile POST /auth/reset-password Request password reset PUT /auth/profile Update own profile Subscription tier hierarchy (locked, Kinan 2026-02-21): starter ($497) / professional ($997) / enterprise ($1,497) / queen ($20K+) VERIFICATION_STAMP Story: 5.03 Verified By: parallel-builder Verified At: 2026-02-25 Tests: 7/7 Coverage: 100% ) annotationsN)AnyDictOptional) APIRouterDepends HTTPExceptionRequeststatus)HTTPAuthorizationCredentials HTTPBearer) BaseModelEmailStr)get_current_user require_auth) SupabaseAuthz/authauth)prefixtagszOptional[SupabaseAuth]_authcBttjatS)zcK |j|j|jd{}|S7#t$r:}tj d|t tjdddi|d}~wwxYww)z Authenticate an existing customer. Returns user profile, full session object, and ``access_token`` at the top level for convenience. Nzlogin error: %szInvalid email or passwordzWWW-AuthenticateBearer)r=rCheaders) sign_inrr!rErFrGr r HTTP_401_UNAUTHORIZEDrIrrJrKs rloginrSsv||DJJ >> M?  &,44.'2   s0A<)646A<6 A95A44A99A<z /magic-linkzSend a magic-link login email)r=r>cK |j|jd{}|S7#t$r@}tj d|t t jt||d}~wwxYww)zk Send a passwordless magic-link (OTP) to the customer's email. Returns a confirmation message. Nzmagic_link error: %srB) sign_in_magic_linkrrErFrGr r rHr rRs r magic_linkrVsn..tzz:: M;  +S133s8  s0A7+)+A7+ A4;A//A44A7z/logoutzInvalidate the current sessionT) auto_errorcK|j} |j|d{ddiS7#t$r@}tj d|t t jt||d}~wwxYww)z Server-side session invalidation. Requires a valid ``Authorization: Bearer `` header. Returns ``{"success": true}`` on success. Nzlogout error: %srBsuccessT) credentialssign_outrErFrGr r rHr )rZrtokenrKs rlogoutr]s|  # #EmmE""" t  #  '-33s8  s0 A;/-/A;/ A8;A33A88A;z/mezGet own profilecK|Sw)z Return the authenticated customer's profile. Requires ``Authorization: Bearer `` header. Returns: id, email, subscription_tier, metadata, created_at, updated_at. r)r8s rmer_s  Ksz/reset-passwordzSend a password reset emailcK |j|jd{ddiS7#t$r#}tj d|Yd}~ddiSd}~wwxYww)z Trigger a password reset email for the given address. Always returns a success message (even if email not found) to prevent user enumeration attacks. Nz$reset_password error (non-fatal): %sr;z8If that email is registered, a reset link has been sent.)reset_passwordrrErFwarning)rIrrKs rrarasfD!!$**--- Q RR . D=sCC Q RRDs6A-+-A- AA AAAz/profilezUpdate own profilecK|j}i}i}|jd}|r|j||r||d<|s|S |j||d{}|S7#t$r*} t t jt| | d} ~ wt$r@} tjd| t t jt| | d} ~ wwxYww)z Update the authenticated customer's profile metadata. Requires ``Authorization: Bearer `` header. Allowed fields: name, subscription_tier, any extra metadata. Returns the updated user profile. T) exclude_unsetdataNrBzupdate_profile error: %s) rZ model_dumpupdate update_user ValueErrorr r rQr rErFrGrH) rIr8rZrr\updatesrA body_dataupdatedrKs rupdate_profilerms(  # #E GHd3I ""   ((88 N9 44s8    /533s8  sHACA"A A"C A"" C+%B C;CCC)returnr)rIrrrrnDict[str, Any])rIr)rrrnro)rIr,rrrnro)rZr rrrnro)r8rornro)rIr/rrrnro) rIr1r8rorZr rrrnro)3__doc__ __future__rloggingostypingrrrfastapirrr r r fastapi.securityr r pydanticrrcore.auth.middlewarerrcore.auth.supabase_clientr getLoggerr$rF auth_routerrr'rrr)r,r/r1r7postHTTP_201_CREATEDrLrS HTTP_200_OKrVr]getr_raputrmrrrrs;4# &&FFE(?2   8 $ wfX6 !%$I 9 y9&9&"9"  '' - !+    <   2!+    6 "" +!+    0  "" , 18 d8S0T +-   6  ""  ##34        "" )!+S S SS  S, "" ##3407d#1!+ , , ,.,  ,,  ,r