revamped authentication system

2025-11-02 18:40:03 +01:00
parent 9cc92e5fc4
commit e4bc438069
18 changed files with 674 additions and 636 deletions
--- a/app/routes/shop_pages.py
+++ b/app/routes/shop_pages.py
@@ -5,6 +5,14 @@ Shop/Customer HTML page routes using Jinja2 templates.
 These routes serve the public-facing shop interface for customers.
 Authentication required only for account pages.

+AUTHENTICATION:
+- Public pages (catalog, products): No auth required
+- Account pages (dashboard, orders): Requires customer authentication
+- Customer authentication accepts:
+  * customer_token cookie (path=/shop) - for page navigation
+  * Authorization header - for API calls
+- Customers CANNOT access admin or vendor routes
+
 Routes:
 - GET /shop/                      → Shop homepage / product catalog
 - GET /shop/products              → Product catalog
@@ -26,7 +34,7 @@ from fastapi.responses import HTMLResponse, RedirectResponse
 from fastapi.templating import Jinja2Templates
 from sqlalchemy.orm import Session

-from app.api.deps import get_current_customer_user, get_db
+from app.api.deps import get_current_customer_from_cookie_or_header, get_db
 from models.database.user import User

 router = APIRouter()
@@ -191,7 +199,7 @@ async def shop_account_root():
@router.get("/shop/account/dashboard", response_class=HTMLResponse, include_in_schema=False)
 async def shop_account_dashboard_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -211,7 +219,7 @@ async def shop_account_dashboard_page(
@router.get("/shop/account/orders", response_class=HTMLResponse, include_in_schema=False)
 async def shop_orders_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -232,7 +240,7 @@ async def shop_orders_page(
 async def shop_order_detail_page(
    request: Request,
    order_id: int = Path(..., description="Order ID"),
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -253,7 +261,7 @@ async def shop_order_detail_page(
@router.get("/shop/account/profile", response_class=HTMLResponse, include_in_schema=False)
 async def shop_profile_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -273,7 +281,7 @@ async def shop_profile_page(
@router.get("/shop/account/addresses", response_class=HTMLResponse, include_in_schema=False)
 async def shop_addresses_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -293,7 +301,7 @@ async def shop_addresses_page(
@router.get("/shop/account/wishlist", response_class=HTMLResponse, include_in_schema=False)
 async def shop_wishlist_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """
@@ -313,7 +321,7 @@ async def shop_wishlist_page(
@router.get("/shop/account/settings", response_class=HTMLResponse, include_in_schema=False)
 async def shop_settings_page(
    request: Request,
-    current_user: User = Depends(get_current_customer_user),
+    current_user: User = Depends(get_current_customer_from_cookie_or_header),
    db: Session = Depends(get_db)
 ):
    """