server: revamp web session

Author: frankie567

dev/setup-environment

@@ -235,7 +235,7 @@ def _write_server_env_file(github_app: dict[str, typing.Any] | None = None) -> N
             ),
             "POLAR_FRONTEND_BASE_URL": f"https://{os.environ['CODESPACE_NAME']}-8080.{os.environ['GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN']}",
             "POLAR_CHECKOUT_BASE_URL": f"https://{os.environ['CODESPACE_NAME']}-8080.{os.environ['GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN']}/v1/checkout-links/{{client_secret}}/redirect",
-            "POLAR_AUTH_COOKIE_DOMAIN": f"{os.environ['CODESPACE_NAME']}-8080.{os.environ['GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN']}",
+            "POLAR_USER_SESSION_COOKIE_DOMAIN": f"{os.environ['CODESPACE_NAME']}-8080.{os.environ['GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN']}",
         }
     if github_app is not None:
         replacements = {

render.yaml

@@ -366,7 +366,7 @@ envVarGroups:
 
   - name: backend-production
     envVars:
-      - key: POLAR_AUTH_COOKIE_DOMAIN
+      - key: POLAR_USER_SESSION_COOKIE_DOMAIN
         value: polar.sh
       - key: POLAR_BASE_URL
         value: https://api.polar.sh/v1
@@ -479,9 +479,9 @@ envVarGroups:
 
   - name: backend-sandbox
     envVars:
-      - key: POLAR_AUTH_COOKIE_KEY
+      - key: POLAR_USER_SESSION_COOKIE_KEY
         value: polar_sandbox_session
-      - key: POLAR_AUTH_COOKIE_DOMAIN
+      - key: POLAR_USER_SESSION_COOKIE_DOMAIN
         value: polar.sh
       - key: POLAR_BASE_URL
         value: https://sandbox-api.polar.sh/v1

server/.env.template

@@ -7,7 +7,8 @@ POLAR_CORS_ORIGINS='["http://localhost:3000", "http://127.0.0.1:3000", "https://
 POLAR_ALLOWED_HOSTS='["localhost:3000", "127.0.0.1:3000"]'
 POLAR_FRONTEND_BASE_URL="http://127.0.0.1:3000"
 POLAR_CHECKOUT_BASE_URL="http://127.0.0.1:8000/v1/checkout-links/{client_secret}/redirect"
-POLAR_AUTH_COOKIE_DOMAIN="127.0.0.1"
+
+POLAR_USER_SESSION_COOKIE_DOMAIN="127.0.0.1"
 
 POLAR_POSTGRES_USER=polar
 POLAR_POSTGRES_PWD=polar

server/.env.testing

@@ -12,7 +12,7 @@ POLAR_GITHUB_CLIENT_ID="Iv1.fakefakefake"
 POLAR_GITHUB_CLIENT_SECRET="fakefakefakefakefakefakefakefakefakefake"
 
 POLAR_CORS_ORIGINS='["http://127.0.0.1:3000", "http://localhost:3000", "http://test"]'
-POLAR_AUTH_COOKIE_DOMAIN="test"
+POLAR_USER_SESSION_COOKIE_DOMAIN="test"
 
 POLAR_DEBUG="false"
 POLAR_TESTING=1

server/migrations/versions/2024-11-29-1411_add_usersession.py

@@ -0,0 +1,76 @@
+"""Add UserSession
+
+Revision ID: 2daaffbdf32e
+Revises: 1769a6e618a4
+Create Date: 2024-11-29 14:11:51.513854
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# Polar Custom Imports
+
+# revision identifiers, used by Alembic.
+revision = "2daaffbdf32e"
+down_revision = "1769a6e618a4"
+branch_labels: tuple[str] | None = None
+depends_on: tuple[str] | None = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "user_sessions",
+        sa.Column("token", sa.CHAR(length=64), nullable=False),
+        sa.Column("expires_at", sa.TIMESTAMP(timezone=True), nullable=False),
+        sa.Column("user_agent", sa.Text(), nullable=False),
+        sa.Column("user_id", sa.Uuid(), nullable=False),
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column("created_at", sa.TIMESTAMP(timezone=True), nullable=False),
+        sa.Column("modified_at", sa.TIMESTAMP(timezone=True), nullable=True),
+        sa.Column("deleted_at", sa.TIMESTAMP(timezone=True), nullable=True),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            name=op.f("user_sessions_user_id_fkey"),
+            ondelete="cascade",
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("user_sessions_pkey")),
+        sa.UniqueConstraint("token", name=op.f("user_sessions_token_key")),
+    )
+    op.create_index(
+        op.f("ix_user_sessions_created_at"),
+        "user_sessions",
+        ["created_at"],
+        unique=False,
+    )
+    op.create_index(
+        op.f("ix_user_sessions_deleted_at"),
+        "user_sessions",
+        ["deleted_at"],
+        unique=False,
+    )
+    op.create_index(
+        op.f("ix_user_sessions_expires_at"),
+        "user_sessions",
+        ["expires_at"],
+        unique=False,
+    )
+    op.create_index(
+        op.f("ix_user_sessions_modified_at"),
+        "user_sessions",
+        ["modified_at"],
+        unique=False,
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f("ix_user_sessions_modified_at"), table_name="user_sessions")
+    op.drop_index(op.f("ix_user_sessions_expires_at"), table_name="user_sessions")
+    op.drop_index(op.f("ix_user_sessions_deleted_at"), table_name="user_sessions")
+    op.drop_index(op.f("ix_user_sessions_created_at"), table_name="user_sessions")
+    op.drop_table("user_sessions")
+    # ### end Alembic commands ###

server/polar/article/tasks.py

@@ -4,7 +4,6 @@
 import structlog
 from sqlalchemy.orm import joinedload
 
-from polar.auth.service import AuthService
 from polar.config import settings
 from polar.email.sender import get_email_sender
 from polar.logging import Logger
@@ -52,7 +51,7 @@ async def articles_send_to_user(
         subject = "[TEST] " if is_test else ""
         subject += article.title
 
-        (jwt, _) = AuthService.generate_token(user)
+        (jwt, _) = "", ""
 
         # _, magic_link_token = await magic_link_service.request(
         #     session,

server/polar/auth/dependencies.py

@@ -5,9 +5,8 @@
 from makefun import with_signature
 
 from polar.auth.scope import RESERVED_SCOPES, Scope
-from polar.config import settings
 from polar.exceptions import NotPermitted, Unauthorized
-from polar.models import OAuth2Token, PersonalAccessToken
+from polar.models import OAuth2Token, PersonalAccessToken, UserSession
 from polar.oauth2.dependencies import get_optional_token
 from polar.oauth2.exceptions import InsufficientScopeError, InvalidTokenError
 from polar.personal_access_token.dependencies import get_optional_personal_access_token
@@ -24,32 +23,33 @@
     User,
     is_anonymous,
 )
-from .service import AuthService
+from .service import auth as auth_service
 
 
-async def _get_cookie_token(request: Request) -> str | None:
-    return request.cookies.get(settings.AUTH_COOKIE_KEY)
+async def get_user_session(
+    request: Request, session: AsyncSession = Depends(get_db_session)
+) -> UserSession | None:
+    return await auth_service.authenticate(session, request)
 
 
 async def get_auth_subject(
-    cookie_token: str | None = Depends(_get_cookie_token),
+    user_session: UserSession | None = Depends(get_user_session),
     oauth2_credentials: tuple[OAuth2Token | None, bool] = Depends(get_optional_token),
     personal_access_token_credentials: tuple[
         PersonalAccessToken | None, bool
     ] = Depends(get_optional_personal_access_token),
-    session: AsyncSession = Depends(get_db_session),
 ) -> AuthSubject[Subject]:
-    if cookie_token is not None:
-        user = await AuthService.get_user_from_cookie(session, cookie=cookie_token)
-        if user:
-            scopes = {Scope.web_default}
-            if user.github_username in {
-                "birkjernstrom",
-                "frankie567",
-                "emilwidlund",
-            }:
-                scopes.add(Scope.admin)
-            return AuthSubject(user, scopes, AuthMethod.COOKIE)
+    # Web session
+    if user_session is not None:
+        user = user_session.user
+        scopes = {Scope.web_default}
+        if user.github_username in {
+            "birkjernstrom",
+            "frankie567",
+            "emilwidlund",
+        }:
+            scopes.add(Scope.admin)
+        return AuthSubject(user, scopes, AuthMethod.COOKIE)
 
     oauth2_token, oauth2_authorization_set = oauth2_credentials
     personal_access_token, personal_access_token_authorization_set = (

server/polar/auth/endpoints.py

@@ -1,16 +1,21 @@
+from fastapi import Depends, Request
 from fastapi.responses import RedirectResponse
 
-from polar.config import settings
+from polar.models import UserSession as UserSession
 from polar.openapi import APITag
+from polar.postgres import AsyncSession, get_db_session
 from polar.routing import APIRouter
 
-from .service import AuthService
+from .dependencies import get_user_session
+from .service import auth as auth_service
 
 router = APIRouter(tags=["auth", APITag.private])
 
 
 @router.get("/auth/logout")
-async def logout() -> RedirectResponse:
-    response = RedirectResponse(settings.FRONTEND_BASE_URL)
-    AuthService.set_auth_cookie(response=response, value="", expires=0)
-    return response
+async def logout(
+    request: Request,
+    user_session: UserSession | None = Depends(get_user_session),
+    session: AsyncSession = Depends(get_db_session),
+) -> RedirectResponse:
+    return await auth_service.get_logout_response(session, request, user_session)