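from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from sqlalchemy.orm import Session

from ..database import get_db
from ..services.auth_service import decode_token, get_user_by_id

bearer_scheme = HTTPBearer()


def get_current_user(
    credentials: HTTPAuthorizationCredentials = Depends(bearer_scheme),
    db: Session = Depends(get_db),
):
    """Resolve the request's bearer token to an active user.

    Args:
        credentials: Bearer credentials extracted by ``bearer_scheme``.
        db: Database session supplied by ``get_db``.

    Returns:
        The user object returned by ``get_user_by_id`` for the token's ``sub``
        claim.

    Raises:
        HTTPException: 401 when the token does not decode, when its ``sub``
            claim is missing or not an integer, or when no active user
            matches it.
    """
    payload = decode_token(credentials.credentials)
    if not payload:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token inválido o expirado",
            headers={"WWW-Authenticate": "Bearer"},
        )

    # A token whose `sub` is absent or not an integer is an authentication
    # failure, not a server error: without this guard int() raises ValueError
    # on a malformed claim and the request surfaces as a 500.
    try:
        user_id = int(payload["sub"])
    except (KeyError, TypeError, ValueError):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token inválido o expirado",
            headers={"WWW-Authenticate": "Bearer"},
        ) from None

    user = get_user_by_id(db, user_id)
    # A deactivated account must not keep working on a still-valid token.
    if not user or not user.is_active:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Usuario no encontrado",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return user


def require_admin(user=Depends(get_current_user)):
    """Allow access only to users whose role is ADMIN.

    Args:
        user: The authenticated user resolved by ``get_current_user``.

    Returns:
        The same user object when its ``role`` is ``"ADMIN"``.

    Raises:
        HTTPException: 403 for any other role.
    """
    if user.role != "ADMIN":
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Acceso denegado: requiere rol ADMIN",
        )
    return user


def require_staff(user=Depends(get_current_user)):
    """Allow access to EMPLEADO or ADMIN (government staff).

    Args:
        user: The authenticated user resolved by ``get_current_user``.

    Returns:
        The same user object when its ``role`` is ``"EMPLEADO"`` or
        ``"ADMIN"``.

    Raises:
        HTTPException: 403 for any other role.
    """
    if user.role not in ("EMPLEADO", "ADMIN"):
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Acceso denegado: requiere rol EMPLEADO o ADMIN",
        )
    return user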