feat: add logging, marketplace, and admin enhancements

Database & Migrations: - Add application_logs table migration for hybrid cloud logging - Add companies table migration and restructure vendor relationships Logging System: - Implement hybrid logging system (database + file) - Add log_service for centralized log management - Create admin logs page with filtering and viewing capabilities - Add init_log_settings.py script for log configuration - Enhance core logging with database integration Marketplace Integration: - Add marketplace admin page with product management - Create marketplace vendor page with product listings - Implement marketplace.js for both admin and vendor interfaces - Add marketplace integration documentation Admin Enhancements: - Add imports management page and functionality - Create settings page for admin configuration - Add vendor themes management page - Enhance vendor detail and edit pages - Improve code quality dashboard and violation details - Add logs viewing and management - Update icons guide and shared icon system Architecture & Documentation: - Document frontend structure and component architecture - Document models structure and relationships - Add vendor-in-token architecture documentation - Add vendor RBAC (role-based access control) documentation - Document marketplace integration patterns - Update architecture patterns documentation Infrastructure: - Add platform static files structure (css, img, js) - Move architecture_scan.py to proper models location - Update model imports and registrations - Enhance exception handling - Update dependency injection patterns UI/UX: - Improve vendor edit interface - Update admin user interface - Enhance page templates documentation - Add vendor marketplace interface
2025-12-01 21:51:07 +01:00
parent 915734e9b4
commit cc74970223
56 changed files with 8440 additions and 202 deletions
--- a/app/api/v1/vendor/auth.py
+++ b/app/api/v1/vendor/auth.py
@@ -142,28 +142,36 @@ def vendor_login(
        f"for vendor {vendor.vendor_code} as {vendor_role}"
    )

+    # Create vendor-scoped access token with vendor information
+    token_data = auth_service.auth_manager.create_access_token(
+        user=user,
+        vendor_id=vendor.id,
+        vendor_code=vendor.vendor_code,
+        vendor_role=vendor_role,
+    )
+
    # Set HTTP-only cookie for browser navigation
    # CRITICAL: path=/vendor restricts cookie to vendor routes only
    response.set_cookie(
        key="vendor_token",
-        value=login_result["token_data"]["access_token"],
+        value=token_data["access_token"],
        httponly=True,  # JavaScript cannot access (XSS protection)
        secure=should_use_secure_cookies(),  # HTTPS only in production/staging
        samesite="lax",  # CSRF protection
-        max_age=login_result["token_data"]["expires_in"],  # Match JWT expiry
+        max_age=token_data["expires_in"],  # Match JWT expiry
        path="/vendor",  # RESTRICTED TO VENDOR ROUTES ONLY
    )

    logger.debug(
-        f"Set vendor_token cookie with {login_result['token_data']['expires_in']}s expiry "
+        f"Set vendor_token cookie with {token_data['expires_in']}s expiry "
        f"(path=/vendor, httponly=True, secure={should_use_secure_cookies()})"
    )

-    # Return full login response
+    # Return full login response with vendor-scoped token
    return VendorLoginResponse(
-        access_token=login_result["token_data"]["access_token"],
-        token_type=login_result["token_data"]["token_type"],
-        expires_in=login_result["token_data"]["expires_in"],
+        access_token=token_data["access_token"],
+        token_type=token_data["token_type"],
+        expires_in=token_data["expires_in"],
        user={
            "id": user.id,
            "username": user.username,
--- a/app/api/v1/vendor/dashboard.py
+++ b/app/api/v1/vendor/dashboard.py
@@ -32,31 +32,29 @@ def get_vendor_dashboard_stats(
    - Total customers
    - Revenue metrics

-    Vendor is determined from the authenticated user's vendor_user association.
+    Vendor is determined from the JWT token (vendor_id claim).
    Requires Authorization header (API endpoint).
    """
-    # Get vendor from authenticated user's vendor_user record
-    from models.database.vendor import VendorUser
-
-    vendor_user = (
-        db.query(VendorUser).filter(VendorUser.user_id == current_user.id).first()
-    )
-
-    if not vendor_user:
-        from fastapi import HTTPException
+    from fastapi import HTTPException

+    # Get vendor ID from token (set by get_current_vendor_api)
+    if not hasattr(current_user, "token_vendor_id"):
        raise HTTPException(
-            status_code=403, detail="User is not associated with any vendor"
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
        )

-    vendor = vendor_user.vendor
-    if not vendor or not vendor.is_active:
-        from fastapi import HTTPException
+    vendor_id = current_user.token_vendor_id

+    # Get vendor object to include in response
+    from models.database.vendor import Vendor
+
+    vendor = db.query(Vendor).filter(Vendor.id == vendor_id).first()
+    if not vendor or not vendor.is_active:
        raise HTTPException(status_code=404, detail="Vendor not found or inactive")

    # Get vendor-scoped statistics
-    stats_data = stats_service.get_vendor_stats(db=db, vendor_id=vendor.id)
+    stats_data = stats_service.get_vendor_stats(db=db, vendor_id=vendor_id)

    return {
        "vendor": {
--- a/app/api/v1/vendor/orders.py
+++ b/app/api/v1/vendor/orders.py
@@ -11,9 +11,7 @@ from sqlalchemy.orm import Session
 from app.api.deps import get_current_vendor_api
 from app.core.database import get_db
 from app.services.order_service import order_service
-from middleware.vendor_context import require_vendor_context
 from models.database.user import User
-from models.database.vendor import Vendor
 from models.schema.order import (
    OrderDetailResponse,
    OrderListResponse,
@@ -31,7 +29,6 @@ def get_vendor_orders(
    limit: int = Query(100, ge=1, le=1000),
    status: str | None = Query(None, description="Filter by order status"),
    customer_id: int | None = Query(None, description="Filter by customer"),
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -42,11 +39,23 @@ def get_vendor_orders(
    - status: Order status (pending, processing, shipped, delivered, cancelled)
    - customer_id: Filter orders from specific customer

+    Vendor is determined from JWT token (vendor_id claim).
    Requires Authorization header (API endpoint).
    """
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    orders, total = order_service.get_vendor_orders(
        db=db,
-        vendor_id=vendor.id,
+        vendor_id=vendor_id,
        skip=skip,
        limit=limit,
        status=status,
@@ -64,7 +73,6 @@ def get_vendor_orders(
@router.get("/{order_id}", response_model=OrderDetailResponse)
 def get_order_details(
    order_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -73,7 +81,18 @@ def get_order_details(

    Requires Authorization header (API endpoint).
    """
-    order = order_service.get_order(db=db, vendor_id=vendor.id, order_id=order_id)
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
+    order = order_service.get_order(db=db, vendor_id=vendor_id, order_id=order_id)

    return OrderDetailResponse.model_validate(order)

@@ -82,7 +101,6 @@ def get_order_details(
 def update_order_status(
    order_id: int,
    order_update: OrderUpdate,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -99,8 +117,19 @@ def update_order_status(

    Requires Authorization header (API endpoint).
    """
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    order = order_service.update_order_status(
-        db=db, vendor_id=vendor.id, order_id=order_id, order_update=order_update
+        db=db, vendor_id=vendor_id, order_id=order_id, order_update=order_update
    )

    logger.info(
--- a/app/api/v1/vendor/products.py
+++ b/app/api/v1/vendor/products.py
@@ -11,9 +11,7 @@ from sqlalchemy.orm import Session
 from app.api.deps import get_current_vendor_api
 from app.core.database import get_db
 from app.services.product_service import product_service
-from middleware.vendor_context import require_vendor_context
 from models.database.user import User
-from models.database.vendor import Vendor
 from models.schema.product import (
    ProductCreate,
    ProductDetailResponse,
@@ -32,7 +30,6 @@ def get_vendor_products(
    limit: int = Query(100, ge=1, le=1000),
    is_active: bool | None = Query(None),
    is_featured: bool | None = Query(None),
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -42,10 +39,23 @@ def get_vendor_products(
    Supports filtering by:
    - is_active: Filter active/inactive products
    - is_featured: Filter featured products
+
+    Vendor is determined from JWT token (vendor_id claim).
    """
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    products, total = product_service.get_vendor_products(
        db=db,
-        vendor_id=vendor.id,
+        vendor_id=vendor_id,
        skip=skip,
        limit=limit,
        is_active=is_active,
@@ -63,13 +73,23 @@ def get_vendor_products(
@router.get("/{product_id}", response_model=ProductDetailResponse)
 def get_product_details(
    product_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
    """Get detailed product information including inventory."""
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    product = product_service.get_product(
-        db=db, vendor_id=vendor.id, product_id=product_id
+        db=db, vendor_id=vendor_id, product_id=product_id
    )

    return ProductDetailResponse.model_validate(product)
@@ -78,7 +98,6 @@ def get_product_details(
@router.post("", response_model=ProductResponse)
 def add_product_to_catalog(
    product_data: ProductCreate,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -87,13 +106,24 @@ def add_product_to_catalog(

    This publishes a MarketplaceProduct to the vendor's public catalog.
    """
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    product = product_service.create_product(
-        db=db, vendor_id=vendor.id, product_data=product_data
+        db=db, vendor_id=vendor_id, product_data=product_data
    )

    logger.info(
        f"Product {product.id} added to catalog by user {current_user.username} "
-        f"for vendor {vendor.vendor_code}"
+        f"for vendor {current_user.token_vendor_code}"
    )

    return ProductResponse.model_validate(product)
@@ -103,18 +133,28 @@ def add_product_to_catalog(
 def update_product(
    product_id: int,
    product_data: ProductUpdate,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
    """Update product in vendor catalog."""
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    product = product_service.update_product(
-        db=db, vendor_id=vendor.id, product_id=product_id, product_update=product_data
+        db=db, vendor_id=vendor_id, product_id=product_id, product_update=product_data
    )

    logger.info(
        f"Product {product_id} updated by user {current_user.username} "
-        f"for vendor {vendor.vendor_code}"
+        f"for vendor {current_user.token_vendor_code}"
    )

    return ProductResponse.model_validate(product)
@@ -123,16 +163,26 @@ def update_product(
@router.delete("/{product_id}")
 def remove_product_from_catalog(
    product_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
    """Remove product from vendor catalog."""
-    product_service.delete_product(db=db, vendor_id=vendor.id, product_id=product_id)
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
+    product_service.delete_product(db=db, vendor_id=vendor_id, product_id=product_id)

    logger.info(
        f"Product {product_id} removed from catalog by user {current_user.username} "
-        f"for vendor {vendor.vendor_code}"
+        f"for vendor {current_user.token_vendor_code}"
    )

    return {"message": f"Product {product_id} removed from catalog"}
@@ -141,7 +191,6 @@ def remove_product_from_catalog(
@router.post("/from-import/{marketplace_product_id}", response_model=ProductResponse)
 def publish_from_marketplace(
    marketplace_product_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
@@ -150,17 +199,28 @@ def publish_from_marketplace(

    Shortcut endpoint for publishing directly from marketplace import.
    """
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
    product_data = ProductCreate(
        marketplace_product_id=marketplace_product_id, is_active=True
    )

    product = product_service.create_product(
-        db=db, vendor_id=vendor.id, product_data=product_data
+        db=db, vendor_id=vendor_id, product_data=product_data
    )

    logger.info(
        f"Marketplace product {marketplace_product_id} published to catalog "
-        f"by user {current_user.username} for vendor {vendor.vendor_code}"
+        f"by user {current_user.username} for vendor {current_user.token_vendor_code}"
    )

    return ProductResponse.model_validate(product)
@@ -169,19 +229,29 @@ def publish_from_marketplace(
@router.put("/{product_id}/toggle-active")
 def toggle_product_active(
    product_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
    """Toggle product active status."""
-    product = product_service.get_product(db, vendor.id, product_id)
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
+    product = product_service.get_product(db, vendor_id, product_id)

    product.is_active = not product.is_active
    db.commit()
    db.refresh(product)

    status = "activated" if product.is_active else "deactivated"
-    logger.info(f"Product {product_id} {status} for vendor {vendor.vendor_code}")
+    logger.info(f"Product {product_id} {status} for vendor {current_user.token_vendor_code}")

    return {"message": f"Product {status}", "is_active": product.is_active}

@@ -189,18 +259,28 @@ def toggle_product_active(
@router.put("/{product_id}/toggle-featured")
 def toggle_product_featured(
    product_id: int,
-    vendor: Vendor = Depends(require_vendor_context()),
    current_user: User = Depends(get_current_vendor_api),
    db: Session = Depends(get_db),
 ):
    """Toggle product featured status."""
-    product = product_service.get_product(db, vendor.id, product_id)
+    from fastapi import HTTPException
+
+    # Get vendor ID from token
+    if not hasattr(current_user, "token_vendor_id"):
+        raise HTTPException(
+            status_code=400,
+            detail="Token missing vendor information. Please login again.",
+        )
+
+    vendor_id = current_user.token_vendor_id
+
+    product = product_service.get_product(db, vendor_id, product_id)

    product.is_featured = not product.is_featured
    db.commit()
    db.refresh(product)

    status = "featured" if product.is_featured else "unfeatured"
-    logger.info(f"Product {product_id} {status} for vendor {vendor.vendor_code}")
+    logger.info(f"Product {product_id} {status} for vendor {current_user.token_vendor_code}")

    return {"message": f"Product {status}", "is_featured": product.is_featured}