File size: 6,822 Bytes
310260a | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 | from fastapi import APIRouter, Depends, HTTPException, status
from sqlmodel import Session, select
from typing import List, Dict
from datetime import datetime
from ..database import get_session
from ..middleware.auth import get_current_user
from ..models.task import Task
from ..schemas.task import TaskCreate, TaskUpdate, TaskResponse
router = APIRouter(prefix="/api/tasks", tags=["Tasks"])
@router.get("", response_model=List[TaskResponse], status_code=status.HTTP_200_OK)
async def list_tasks(
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
List all tasks for authenticated user.
Returns all tasks owned by the authenticated user, ordered by creation date (newest first).
User identity is extracted from JWT token.
"""
user_id = current_user["user_id"]
# Query tasks filtered by authenticated user_id
statement = select(Task).where(Task.user_id == user_id).order_by(Task.created_at.desc())
tasks = session.exec(statement).all()
return tasks
@router.post("", response_model=TaskResponse, status_code=status.HTTP_201_CREATED)
async def create_task(
task_data: TaskCreate,
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
Create a new task for authenticated user.
User ID is extracted from JWT token, never from client input.
Task starts with completed=False by default.
"""
user_id = current_user["user_id"]
# Validate title is not empty (Pydantic handles this, but double-check)
if not task_data.title or task_data.title.strip() == "":
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Title is required and cannot be empty"
)
# Create task with user_id from JWT (never from client)
task = Task(
title=task_data.title,
description=task_data.description,
completed=False, # Always start as incomplete
user_id=user_id, # Set from JWT token
created_at=datetime.utcnow(),
updated_at=datetime.utcnow()
)
session.add(task)
session.commit()
session.refresh(task)
return task
@router.get("/{task_id}", response_model=TaskResponse, status_code=status.HTTP_200_OK)
async def get_task(
task_id: int,
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
Get a specific task by ID.
User must own the task. Returns 403 if task belongs to another user.
Returns 404 if task doesn't exist.
"""
user_id = current_user["user_id"]
# Fetch task by ID
task = session.get(Task, task_id)
# Return 404 if task not found
if not task:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="Task not found"
)
# Verify ownership - return 403 if user doesn't own this task
if task.user_id != user_id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have permission to access this task"
)
return task
@router.put("/{task_id}", response_model=TaskResponse, status_code=status.HTTP_200_OK)
async def update_task(
task_id: int,
task_data: TaskUpdate,
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
Update an existing task.
User must own the task. Only provided fields are updated.
Updates the updated_at timestamp automatically.
"""
user_id = current_user["user_id"]
# Fetch task by ID
task = session.get(Task, task_id)
# Return 404 if task not found
if not task:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="Task not found"
)
# Verify ownership - return 403 if user doesn't own this task
if task.user_id != user_id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have permission to update this task"
)
# Update only provided fields
update_data = task_data.model_dump(exclude_unset=True)
# Validate title if provided
if "title" in update_data and (not update_data["title"] or update_data["title"].strip() == ""):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Title cannot be empty"
)
for field, value in update_data.items():
setattr(task, field, value)
# Update timestamp
task.updated_at = datetime.utcnow()
session.add(task)
session.commit()
session.refresh(task)
return task
@router.delete("/{task_id}", status_code=status.HTTP_200_OK)
async def delete_task(
task_id: int,
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
Delete a task permanently.
User must own the task. Returns success message on deletion.
"""
user_id = current_user["user_id"]
# Fetch task by ID
task = session.get(Task, task_id)
# Return 404 if task not found
if not task:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="Task not found"
)
# Verify ownership - return 403 if user doesn't own this task
if task.user_id != user_id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have permission to delete this task"
)
# Delete task
session.delete(task)
session.commit()
return {"message": "Task deleted successfully"}
@router.patch("/{task_id}/complete", response_model=TaskResponse, status_code=status.HTTP_200_OK)
async def toggle_task_completion(
task_id: int,
session: Session = Depends(get_session),
current_user: Dict = Depends(get_current_user)
):
"""
Toggle task completion status.
Flips the completed boolean (True -> False or False -> True).
User must own the task.
"""
user_id = current_user["user_id"]
# Fetch task by ID
task = session.get(Task, task_id)
# Return 404 if task not found
if not task:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="Task not found"
)
# Verify ownership - return 403 if user doesn't own this task
if task.user_id != user_id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="You do not have permission to modify this task"
)
# Toggle completion status
task.completed = not task.completed
# Update timestamp
task.updated_at = datetime.utcnow()
session.add(task)
session.commit()
session.refresh(task)
return task
|