Working state before icon/utils fixes - Oct 22

app/api/v1/admin/auth.py

@@ -2,32 +2,42 @@
 """
 Admin authentication endpoints.
 
-This module provides:
-- Admin user login
-- Admin token validation
-- Admin-specific authentication logic
+Implements dual token storage:
+- Sets HTTP-only cookie for browser page navigation
+- Returns token in response for localStorage (API calls)
 """
 
 import logging
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, Response
 from sqlalchemy.orm import Session
 
 from app.core.database import get_db
 from app.services.auth_service import auth_service
 from app.exceptions import InvalidCredentialsException
-from models.schema.auth import LoginResponse, UserLogin
+from models.schema.auth import LoginResponse, UserLogin, UserResponse
+from models.database.user import User
+from app.api.deps import get_current_admin_user
+from app.core.config import settings
 
 router = APIRouter(prefix="/auth")
 logger = logging.getLogger(__name__)
 
 
 @router.post("/login", response_model=LoginResponse)
-def admin_login(user_credentials: UserLogin, db: Session = Depends(get_db)):
+def admin_login(
+        user_credentials: UserLogin,
+        response: Response,
+        db: Session = Depends(get_db)
+):
     """
     Admin login endpoint.
 
     Only allows users with 'admin' role to login.
     Returns JWT token for authenticated admin users.
+
+    Sets token in two places:
+    1. HTTP-only cookie (for browser page navigation)
+    2. Response body (for localStorage and API calls)
     """
     # Authenticate user
     login_result = auth_service.login_user(db=db, user_credentials=user_credentials)
@@ -39,6 +49,20 @@ def admin_login(user_credentials: UserLogin, db: Session = Depends(get_db)):
 
     logger.info(f"Admin login successful: {login_result['user'].username}")
 
+    # Set HTTP-only cookie for browser navigation
+    response.set_cookie(
+        key="admin_token",
+        value=login_result["token_data"]["access_token"],
+        httponly=True,  # JavaScript cannot access (XSS protection)
+        secure=False,  # Set to True in production (requires HTTPS)
+        samesite="lax",  # CSRF protection
+        max_age=login_result["token_data"]["expires_in"],  # Match JWT expiry
+        path="/",  # Available for all routes
+    )
+
+    logger.debug(f"Set admin_token cookie with {login_result['token_data']['expires_in']}s expiry")
+
+    # Also return token in response for localStorage (API calls)
     return LoginResponse(
         access_token=login_result["token_data"]["access_token"],
         token_type=login_result["token_data"]["token_type"],
@@ -47,12 +71,40 @@ def admin_login(user_credentials: UserLogin, db: Session = Depends(get_db)):
     )
 
 
+@router.get("/me", response_model=UserResponse)
+def get_current_admin(current_user: User = Depends(get_current_admin_user)):
+    """
+    Get current authenticated admin user.
+
+    This endpoint validates the token and ensures the user has admin privileges.
+    Returns the current user's information.
+
+    Token can come from:
+    - Authorization header (API calls)
+    - admin_token cookie (browser navigation)
+    """
+    logger.info(f"Admin user info requested: {current_user.username}")
+
+    # Pydantic will automatically serialize the User model to UserResponse
+    return current_user
+
+
 @router.post("/logout")
-def admin_logout():
+def admin_logout(response: Response):
     """
     Admin logout endpoint.
 
-    Client should remove token from storage.
-    Server-side token invalidation can be implemented here if needed.
+    Clears the admin_token cookie.
+    Client should also remove token from localStorage.
     """
+    logger.info("Admin logout")
+
+    # Clear the cookie
+    response.delete_cookie(
+        key="admin_token",
+        path="/",
+    )
+
+    logger.debug("Deleted admin_token cookie")
+
     return {"message": "Logged out successfully"}