rmi-backend/app/_archive/legacy_2026_07/supabase_oauth_router.py
cryptorugmunch 628c1d2a10
Some checks failed
CI / build (push) Failing after 3s
refactor(rmi-backend,audit): mount Wave 3 + archive 136 dead-code files (P2.3)
PHASE 2.3 (AUDIT-2026-Q3.md):

Task 1 — Wire-in Wave 3 (1 router mounted, 2 deferred):
  - app.routers.unified_scanner_router mounted at /api/v2/scanner/* (2 routes:
    POST /api/v2/scanner/token/scan, POST /api/v2/scanner/wallet/scan).
    Refactored prefix from /api/v2 -> /api/v2/scanner to avoid future conflicts
    with the v1 /api/v1/scanner/ stub.
  - app.routers.unified_wallet_scanner DEFERRED (no router APIRouter attribute;
    library module consumed by unified_scanner_router via get_wallet_scanner()).
  - app.routers.admin_extensions DEFERRED (DORMANT per audit; 25 routes at
    /api/v1/admin/* would shadow /api/v1/admin/alerts_webhook).

Task 2 — Archive 136 dead-code files to app/_archive/legacy_2026_07/:
  - 73 routers in app/routers/ (reach graph showed zero reach into mount.py).
  - 63 flat app/*.py (domain modules never imported by live code).
  - 1 file RESTORED post-archive: app/routers/x402_bridge_health.py (caught by
    tests/unit/test_bridge_health.py which directly imports it; reach graph
    considered tests/ only as transitive reach — to be patched in next cycle).

Forced-LIVE (NOT archived per user directive):
  - app/ai_pipeline_v3.py  (3 importers in audit window, importers themselves DEAD)
  - app/splade_bm25.py       (LIVE via app.rag_service)
  - app/wallet_manager_v2.py (LIVE via x402_enforcement, x402_tools, sweep_all, sweep_now)
  - app/crypto_embeddings.py (NOT in audit ARCHIVE list; heavy import graph)

Verification (forward-import closure from mount.py + main.py + factory.py + lifespan.py):
  - imports = 348 app.* modules
  - reached = 194 files reachable from roots
  - archive set = audit_dead (186) - reached - forced_live (4) - test_live (1) = 136
  - Net delta: 136 files moved, 44,932 LOC reduction, 293->295 active routes (+2 from Wave 3)

pyproject.toml updates:
  - setuptools.packages.find: added exclude for app._archive*
  - ruff.extend-exclude: added "app/_archive/"
  - mypy.exclude: added "app/_archive/"

Smoke test: pytest tests/ — 817 passed, 3 pre-existing failures unchanged
(0 new failures; 0 routes lost; all 4 forced-LIVE files still importable).

Restoration: git mv app/_archive/legacy_2026_07/<name>.py <original-path>
and add the import to app/mount.py ROUTER_MODULES.

Refs: AUDIT-2026-Q3.md /home/dev/pry/rmi-final-deadcode-2026-07-06.md
2026-07-06 20:52:31 +02:00

466 lines
14 KiB
Python

"""
Supabase OAuth Router - Social + Web3 Auth.
Supports: GitHub, Google (Gmail), Discord, X (Twitter), + Wallet (EVM/Solana).
Account linking: Connect multiple auth methods to one user account.
Supabase OAuth Providers (free tier):
- GitHub: Built-in, no approval needed
- Google: Requires OAuth consent screen
- Discord: Built-in, instant approval
- X/Twitter: Requires Twitter developer account
- Others: GitLab, Bitbucket, Slack, LinkedIn, etc.
Flow:
1. GET /oauth/{provider} → Returns Supabase OAuth URL
2. User authenticates with provider
3. Provider redirects to /oauth/callback/{provider}
4. We get Supabase session + create profile
5. Return JWT + user data
"""
import hashlib
import logging
from datetime import UTC, datetime
from fastapi import APIRouter, HTTPException, Query, Request
from pydantic import BaseModel
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/api/v1/oauth", tags=["oauth"])
# ── OAuth Providers ─────────────────────────────────────────
OAUTH_PROVIDERS = {
"github": {"name": "GitHub", "icon": "github", "enabled": True},
"google": {"name": "Google", "icon": "google", "enabled": True},
"discord": {"name": "Discord", "icon": "discord", "enabled": True},
"twitter": {"name": "X (Twitter)", "icon": "twitter", "enabled": True},
"gitlab": {"name": "GitLab", "icon": "gitlab", "enabled": True},
"bitbucket": {"name": "Bitbucket", "icon": "bitbucket", "enabled": True},
# Web3-focused providers (no Slack/LinkedIn - not web3 relevant)
}
# ── Models ──────────────────────────────────────────────────
class LinkAccountRequest(BaseModel):
"""Link additional auth provider to existing account."""
provider: str
access_token: str
provider_user_id: str
email: str | None = None
class UserProfile(BaseModel):
"""Unified user profile."""
id: str
email: str | None = None
wallet_evm: str | None = None
wallet_solana: str | None = None
providers: list[str] = []
created_at: str
last_login: str
metadata: dict = {}
# ── Supabase Client ─────────────────────────────────────────
def _get_supabase():
"""Get Supabase client."""
try:
import os
from supabase import Client, create_client # noqa: F401
url = os.getenv("SUPABASE_URL", "")
key = os.getenv("SUPABASE_KEY", "")
if not url or not key:
return None
return create_client(url, key)
except ImportError:
return None
async def _get_user_by_wallet(wallet: str, chain: str) -> dict | None:
"""Get user by wallet address."""
supabase = _get_supabase()
if not supabase:
return None
result = supabase.table("users").select("*").eq("wallet_address", wallet).eq("chain", chain).execute()
return result.data[0] if result.data else None
async def _get_user_by_oauth(provider: str, provider_id: str) -> dict | None:
"""Get user by OAuth provider ID."""
supabase = _get_supabase()
if not supabase:
return None
result = (
supabase.table("user_providers")
.select("user_id")
.eq("provider", provider)
.eq("provider_user_id", provider_id)
.execute()
)
if not result.data:
return None
user_id = result.data[0]["user_id"]
user_result = supabase.table("users").select("*").eq("id", user_id).execute()
return user_result.data[0] if user_result.data else None
async def _create_user(
email: str | None = None,
wallet: str | None = None,
chain: str | None = None,
provider: str | None = None,
provider_id: str | None = None,
) -> dict:
"""Create new user with optional provider linkage."""
supabase = _get_supabase()
if not supabase:
return {}
user_id = hashlib.sha256(f"{email or wallet or provider_id}".encode()).hexdigest()[:32]
now = datetime.now(UTC).isoformat()
# Create user
user_data = {
"id": user_id,
"email": email,
"wallet_address": wallet,
"chain": chain,
"created_at": now,
"last_login": now,
"metadata": {},
}
result = supabase.table("users").insert(user_data).execute()
user = result.data[0] if result.data else user_data
# Link provider if provided
if provider and provider_id:
supabase.table("user_providers").insert(
{
"user_id": user_id,
"provider": provider,
"provider_user_id": provider_id,
"linked_at": now,
}
).execute()
return user
async def _link_provider(user_id: str, provider: str, provider_id: str, email: str | None = None) -> bool:
"""Link additional provider to existing user."""
supabase = _get_supabase()
if not supabase:
return False
# Check if already linked
existing = (
supabase.table("user_providers")
.select("*")
.eq("provider", provider)
.eq("provider_user_id", provider_id)
.execute()
)
if existing.data:
return True # Already linked
# Link
result = (
supabase.table("user_providers")
.insert(
{
"user_id": user_id,
"provider": provider,
"provider_user_id": provider_id,
"email": email,
"linked_at": datetime.now(UTC).isoformat(),
}
)
.execute()
)
# Update user email if provided
if email:
supabase.table("users").update({"email": email}).eq("id", user_id).execute()
return bool(result.data)
async def _get_user_providers(user_id: str) -> list[str]:
"""Get list of linked providers for user."""
supabase = _get_supabase()
if not supabase:
return []
result = supabase.table("user_providers").select("provider").eq("user_id", user_id).execute()
return [r["provider"] for r in result.data] if result.data else []
# ── Health & Info (must be BEFORE dynamic routes) ───────────
@router.get("/health")
async def oauth_health():
"""OAuth service health check."""
supabase = _get_supabase()
return {
"status": "ok",
"service": "supabase-oauth",
"supabase_connected": supabase is not None,
"providers_available": len([p for p in OAUTH_PROVIDERS.values() if p["enabled"]]),
"supported_providers": list(OAUTH_PROVIDERS.keys()),
}
@router.get("/")
async def oauth_root():
"""OAuth service info."""
return {
"service": "RMI OAuth",
"version": "1.0",
"providers": len(OAUTH_PROVIDERS),
"wallet_auth": True,
"account_linking": True,
"docs": "/api/v1/oauth/providers",
}
# ── Endpoints ────────────────────────────────────────────────
@router.get("/providers")
async def list_oauth_providers():
"""List available OAuth providers."""
return {
"providers": [
{
"id": pid,
"name": info["name"],
"icon": info["icon"],
"enabled": info["enabled"],
}
for pid, info in OAUTH_PROVIDERS.items()
],
"wallet_auth": {
"evm": True,
"solana": True,
},
}
@router.get("/{provider}")
async def oauth_start(provider: str, redirect_uri: str | None = None):
"""Get Supabase OAuth URL for provider.
Frontend should redirect user to this URL.
After auth, Supabase redirects to your callback URL.
"""
if provider not in OAUTH_PROVIDERS:
raise HTTPException(status_code=400, detail=f"Unknown provider: {provider}")
if not OAUTH_PROVIDERS[provider]["enabled"]:
raise HTTPException(status_code=400, detail=f"Provider {provider} is not enabled")
supabase = _get_supabase()
if not supabase:
raise HTTPException(status_code=503, detail="Supabase not configured")
try:
# Get OAuth URL from Supabase
import os
base_url = os.getenv("SUPABASE_URL", "").replace(".supabase.co", "")
project_ref = base_url.split("//")[1].split(".")[0] if base_url else ""
oauth_url = f"https://{project_ref}.supabase.co/auth/v1/authorize?provider={provider}"
if redirect_uri:
oauth_url += f"&redirect_to={redirect_uri}"
return {
"provider": provider,
"oauth_url": oauth_url,
"instructions": "Redirect user to oauth_url. After auth, they'll be redirected to your callback.",
}
except Exception as e:
raise HTTPException(status_code=500, detail=str(e)[:200]) from e
@router.post("/callback/{provider}")
async def oauth_callback(provider: str, request: Request):
"""Handle OAuth callback from Supabase.
Supabase redirects here after user authenticates with provider.
Exchange code for session, create/update user.
"""
try:
body = await request.json()
except Exception:
body = dict(request.query_params)
code = body.get("code")
error = body.get("error")
if error:
raise HTTPException(status_code=400, detail=f"OAuth error: {error}")
if not code:
raise HTTPException(status_code=400, detail="No authorization code")
supabase = _get_supabase()
if not supabase:
raise HTTPException(status_code=503, detail="Supabase not configured")
try:
# Exchange code for session
session = supabase.auth.exchange_code_for_session(code)
if not session or not session.user:
raise HTTPException(status_code=400, detail="Invalid session")
user = session.user
provider_id = user.identities[0].identity_id if user.identities else user.id
# Check if user exists
existing = await _get_user_by_oauth(provider, provider_id)
if existing:
# Update last login
supabase.table("users").update({"last_login": datetime.now(UTC).isoformat()}).eq(
"id", existing["id"]
).execute()
user_data = existing
else:
# Create new user
user_data = await _create_user(
email=user.email,
provider=provider,
provider_id=provider_id,
)
# Get linked providers
providers = await _get_user_providers(user_data["id"])
return {
"status": "ok",
"user": {
"id": user_data["id"],
"email": user_data.get("email"),
"providers": providers,
"created_at": user_data.get("created_at"),
"last_login": user_data.get("last_login"),
},
"session": {
"access_token": session.access_token,
"refresh_token": session.refresh_token,
"expires_in": session.expires_in,
},
"provider": provider,
}
except Exception as e:
logger.error(f"OAuth callback failed: {e}")
raise HTTPException(status_code=500, detail=str(e)[:200]) from e
@router.post("/link")
async def link_provider(req: LinkAccountRequest):
"""Link additional OAuth provider to existing account.
Requires authenticated session (JWT from /auth/verify or OAuth).
"""
# TODO: Add JWT verification middleware
# For now, assume user is authenticated
if req.provider not in OAUTH_PROVIDERS:
raise HTTPException(status_code=400, detail=f"Unknown provider: {req.provider}")
# Get user from session (TODO: implement JWT extraction)
user_id = "temp-user-id" # Extract from JWT header
success = await _link_provider(user_id, req.provider, req.provider_user_id, req.email)
if success:
return {"status": "ok", "message": f"Linked {req.provider} to your account"}
else:
raise HTTPException(status_code=500, detail="Failed to link provider")
@router.get("/me")
async def get_current_user(access_token: str = Query(None, description="Supabase access token")):
"""Get current authenticated user profile."""
if not access_token:
raise HTTPException(status_code=401, detail="No access token provided")
supabase = _get_supabase()
if not supabase:
raise HTTPException(status_code=503, detail="Supabase not configured")
try:
# Get user from token
user_response = supabase.auth.get_user(access_token)
user = user_response.user
if not user:
raise HTTPException(status_code=401, detail="Invalid token")
# Get our user record
db_user = await _get_user_by_oauth("google", user.id) # Try any provider
if not db_user:
# Create on the fly
db_user = await _create_user(email=user.email)
providers = await _get_user_providers(db_user["id"])
return {
"id": db_user["id"],
"email": db_user.get("email"),
"wallet_evm": db_user.get("wallet_address") if db_user.get("chain") == "evm" else None,
"wallet_solana": db_user.get("wallet_address") if db_user.get("chain") == "solana" else None,
"providers": providers,
"created_at": db_user.get("created_at"),
"last_login": db_user.get("last_login"),
}
except Exception as e:
raise HTTPException(status_code=500, detail=str(e)[:200]) from e
@router.get("/health")
async def oauth_health(): # noqa: F811
"""OAuth service health check."""
supabase = _get_supabase()
return {
"status": "ok",
"service": "supabase-oauth",
"supabase_connected": supabase is not None,
"providers_available": len([p for p in OAUTH_PROVIDERS.values() if p["enabled"]]),
"supported_providers": list(OAUTH_PROVIDERS.keys()),
}
@router.get("/")
async def oauth_root(): # noqa: F811
"""OAuth service info."""
return {
"service": "RMI OAuth",
"version": "1.0",
"providers": len(OAUTH_PROVIDERS),
"wallet_auth": True,
"account_linking": True,
"docs": "/api/v1/oauth/providers",
}