Implement Firebase authentication and user validation in API endpoints

Bagus-DevLab · Bagus-DevLab · commit 7a53301a66d1 · 2026-01-27T00:10:22.000+07:00
diff --git a/app/api/v1/auth.py b/app/api/v1/auth.py
@@ -0,0 +1,52 @@
+import firebase_admin
+from firebase_admin import auth, credentials
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+import os
+
+# Skema Bearer Token (Authorization: Bearer <token>)
+security = HTTPBearer()
+
+# Variable global biar init cuma sekali
+firebase_app = None
+
+def init_firebase():
+    """Inisialisasi Firebase Admin dengan Service Account"""
+    global firebase_app
+    
+    # Path file di dalam Docker (sesuai volume mapping kita kemarin)
+    cred_path = "/code/app/serviceAccountKey.json"
+    
+    if not os.path.exists(cred_path):
+        print(f"⚠️ WARNING: File {cred_path} tidak ditemukan! Auth tidak akan jalan.")
+        return
+
+    try:
+        if not firebase_admin._apps:
+            cred = credentials.Certificate(cred_path)
+            firebase_app = firebase_admin.initialize_app(cred)
+            print("🔥 Firebase Admin Initialized!")
+    except Exception as e:
+        print(f"❌ Error Init Firebase: {e}")
+
+def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
+    """
+    Dependency untuk memvalidasi Token Firebase.
+    Mengembalikan UID user jika valid.
+    """
+    token = credentials.credentials
+    try:
+        # Minta Firebase verifikasi token ini valid atau palsu
+        decoded_token = auth.verify_id_token(token)
+        uid = decoded_token['uid']
+        return uid
+    except auth.ExpiredIdTokenError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token Expired. Silakan login ulang di HP.",
+        )
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token Tidak Valid / Palsu.",
+        )
diff --git a/app/api/v1/devices.py b/app/api/v1/devices.py
@@ -6,12 +6,14 @@
 # --- IMPORT RATE LIMITER ---
 from fastapi_limiter.depends import RateLimiter
 
-# --- IMPORT DATABASE ---
-from app.core.database import get_db
+# --- IMPORT AUTH (FIX PATH) ---
+from app.api.v1.auth import get_current_user  # <-- Path harus 'app.auth'
+
+# --- IMPORT DATABASE (FIX PATH) ---
+from app.core.database import get_db     # <-- Path harus 'app.db.database'
 from app.models.device import Device 
 
-# --- PERBAIKAN VITAL DISINI ---
-# Kita import 'mqtt_client' karena itu nama variabel asli di file mqtt/client.py
+# --- IMPORT MQTT ---
 from app.mqtt.client import mqtt_client 
 
 router = APIRouter()
@@ -30,11 +32,9 @@ class AutoRegisterSchema(BaseModel):
 @router.post("/claim", dependencies=[Depends(RateLimiter(times=5, seconds=60))])
 def claim_device(
     claim_data: UserClaimSchema, 
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    user_uid: str = Depends(get_current_user) # <-- Wajib Login
 ):
-    # Hardcode user sementara
-    user_uid = "TEST_USER_UID_001" 
-
     clean_id = claim_data.device_id.strip().upper()
     clean_pin = claim_data.pin_code.strip()
 
@@ -43,6 +43,7 @@ def claim_device(
     if not device:
         raise HTTPException(status_code=404, detail=f"Alat {clean_id} tidak ditemukan.")
 
+    # Cek apakah sudah ada yang punya
     if device.owner_uid:
         if device.owner_uid == user_uid:
              return {"message": "Alat ini memang sudah punya kamu kok."}
@@ -51,6 +52,7 @@ def claim_device(
     if device.pin_code != clean_pin:
         raise HTTPException(status_code=400, detail="PIN Salah!")
 
+    # SAH: Pindahkan kepemilikan
     device.owner_uid = user_uid
     device.device_name = "Alat Baru Saya"
     db.commit()
@@ -63,7 +65,8 @@ def claim_device(
 def control_relay(
     device_id: str,
     state: str,
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    user_uid: str = Depends(get_current_user) # <-- Wajib Login
 ):
     clean_id = device_id.strip().upper()
 
@@ -75,16 +78,20 @@ def control_relay(
     if not device:
         raise HTTPException(status_code=404, detail="Alat tidak ditemukan.")
 
+    # --- SECURITY CHECK (PENTING!) ---
+    # Pastikan yang request adalah pemilik alat
+    if device.owner_uid != user_uid:
+        raise HTTPException(status_code=403, detail="Eits! Bukan alat kamu, jangan iseng ya!")
+
     topic = f"alat/{clean_id}/command"
     payload = f'{{"relay": "{state}"}}'
 
-    # --- PAKAI mqtt_client YANG BENAR ---
     mqtt_client.publish(topic, payload)
 
     return {"message": "Perintah dikirim", "topic": topic, "state": state}
 
 
-# --- 3. ENDPOINT AUTO REGISTER (ESP32) ---
+# --- 3. ENDPOINT AUTO REGISTER (ESP32 - Machine to Machine) ---
 @router.post("/auto-register", dependencies=[Depends(RateLimiter(times=5, seconds=60))])
 def auto_register_device(
     data: AutoRegisterSchema,
diff --git a/app/api/v1/logs.py b/app/api/v1/logs.py
@@ -5,21 +5,46 @@
 # --- IMPORT RATE LIMITER ---
 from fastapi_limiter.depends import RateLimiter
 
-from app.core.database import get_db
+# --- IMPORT AUTH (SATPAM) ---
+from app.api.v1.auth import get_current_user  # <--- Tambah ini
+
+# --- IMPORT DATABASE & MODEL ---
+from app.core.database import get_db     # <--- Fix path ke app.db
 from app.crud import log as crud_log
 from app.schemas.log import LogResponse
+from app.models.device import Device   # <--- Import Device buat cek owner
 
 router = APIRouter()
 
-# --- TEMPELKAN DI SINI (dependencies) ---
 # times=5, seconds=10 artinya: Max 5 request dalam 10 detik.
 @router.get("/{device_id}", response_model=List[LogResponse], dependencies=[Depends(RateLimiter(times=5, seconds=10))])
 def read_device_logs(
     device_id: str, 
     limit: int = 20, 
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    user_uid: str = Depends(get_current_user) # <--- Wajib Login
 ):
-    logs = crud_log.get_logs_by_device(db, device_id=device_id, limit=limit)
+    # --- LOGIKA TAMBAHAN: CEK KEPEMILIKAN ---
+    # Biar orang iseng gak bisa intip data kandang orang lain
+    
+    # 1. Cari alatnya dulu di DB
+    # Note: Kita gunakan strip().upper() biar konsisten sama ID penyimpanan
+    clean_id = device_id.strip().upper()
+    device = db.query(Device).filter(Device.device_id == clean_id).first()
+    
+    # 2. Validasi
+    if not device:
+         # Kalau alat tidak ditemukan, return list kosong (atau 404)
+         return []
+
+    # 3. Cek apakah User yang login == Pemilik Alat
+    if device.owner_uid != user_uid:
+        raise HTTPException(status_code=403, detail="Anda tidak memiliki akses ke alat ini.")
+
+    # 4. Kalau aman, baru ambil datanya
+    logs = crud_log.get_logs_by_device(db, device_id=clean_id, limit=limit)
+    
     if not logs:
         return []
+        
     return logs
diff --git a/app/main.py b/app/main.py
@@ -2,6 +2,7 @@
 from contextlib import asynccontextmanager
 import redis.asyncio as redis
 from fastapi_limiter import FastAPILimiter
+from app.api.v1.auth import init_firebase
 
 # Import komponen buatan kita
 from app.mqtt.client import start_mqtt
@@ -19,6 +20,8 @@ async def lifespan(app: FastAPI):
     # A. Nyalakan MQTT
     start_mqtt()
     print("✅ MQTT Listener Berjalan!")
+    
+    init_firebase()
 
     # B. Konek Redis & Init Rate Limiter
     try:
