feat(backend): add Supabase authentication system

DevanshuNEU · DevanshuNEU · commit 7e652654f6db · 2025-11-24T19:12:45.000-05:00
- SupabaseAuthService for JWT verification and user management
- Auth middleware for protected routes (get_current_user, get_optional_user)
- Auth routes: signup, login, refresh, logout, get user info
- PyJWT dependency for token verification
- Environment variables: SUPABASE_ANON_KEY, SUPABASE_JWT_SECRET

Features:
- JWT token verification with Supabase
- User signup with email/password
- Session management with refresh tokens
- Logout with token cleanup
- Protected endpoint decorator support

Endpoints:
- POST /api/auth/signup - Create new user account
- POST /api/auth/login - Authenticate and get tokens
- POST /api/auth/refresh - Refresh access token
- POST /api/auth/logout - End session
- GET /api/auth/me - Get current user info

Ready for frontend integration with multi-tenant repository access
diff --git a/backend/.env.example b/backend/.env.example
@@ -5,7 +5,8 @@ PINECONE_INDEX_NAME=codeintel
 
 # Supabase
 SUPABASE_URL=https://your-project.supabase.co
-SUPABASE_KEY=your_supabase_anon_key_here
+SUPABASE_ANON_KEY=your_supabase_anon_key_here
+SUPABASE_JWT_SECRET=your_jwt_secret_here
 
 # Backend API
 BACKEND_API_URL=http://localhost:8000
diff --git a/backend/main.py b/backend/main.py
@@ -25,12 +25,18 @@
 from services.supabase_service import get_supabase_service
 from services.input_validator import InputValidator, CostController
 
+# Import routers
+from routes.auth import router as auth_router
+
 app = FastAPI(
     title="CodeIntel API",
     description="Codebase Intelligence API for MCP",
     version="0.2.0"
 )
 
+# Include routers
+app.include_router(auth_router)
+
 # CORS middleware
 app.add_middleware(
     CORSMiddleware,
diff --git a/backend/middleware/__init__.py b/backend/middleware/__init__.py
@@ -0,0 +1,4 @@
+"""Authentication middleware package"""
+from .auth import get_current_user, get_optional_user
+
+__all__ = ["get_current_user", "get_optional_user"]
diff --git a/backend/middleware/auth.py b/backend/middleware/auth.py
@@ -0,0 +1,56 @@
+"""
+Authentication Middleware
+Protects routes requiring authentication
+"""
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer
+from fastapi.security.http import HTTPAuthorizationCredentials
+from typing import Dict, Any, Optional
+from services.auth import get_auth_service
+
+# HTTP Bearer token scheme
+security = HTTPBearer()
+
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+) -> Dict[str, Any]:
+    """
+    Dependency to get current authenticated user from JWT token
+    
+    Usage:
+        @app.get("/protected")
+        async def protected_route(user: Dict = Depends(get_current_user)):
+            return {"user_id": user["user_id"]}
+    
+    Returns:
+        Dict with user_id, email, and metadata
+        
+    Raises:
+        HTTPException: 401 if token invalid
+    """
+    auth_service = get_auth_service()
+    return auth_service.verify_jwt(credentials.credentials)
+
+
+async def get_optional_user(
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(HTTPBearer(auto_error=False))
+) -> Optional[Dict[str, Any]]:
+    """
+    Optional authentication - returns None if no token provided
+    
+    Usage:
+        @app.get("/optional-auth")
+        async def route(user: Optional[Dict] = Depends(get_optional_user)):
+            if user:
+                return {"message": f"Hello {user['email']}"}
+            return {"message": "Hello guest"}
+    """
+    if not credentials:
+        return None
+    
+    try:
+        auth_service = get_auth_service()
+        return auth_service.verify_jwt(credentials.credentials)
+    except:
+        return None
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -5,6 +5,7 @@ httpx>=0.27.0
 python-dotenv>=1.0.0
 pydantic>=2.0.0
 pydantic-settings>=2.0.0
+email-validator>=2.0.0  # Required for EmailStr validation
 
 # WebSocket support
 websockets>=13.0
@@ -29,6 +30,7 @@ aiofiles>=24.0.0
 
 # Supabase (postgrest-py handled as dependency)
 supabase>=2.0.0
+pyjwt>=2.8.0  # JWT token verification for Supabase Auth
 
 # Testing
 pytest>=8.0.0
diff --git a/backend/routes/__init__.py b/backend/routes/__init__.py
@@ -0,0 +1,4 @@
+"""API Routes package"""
+from .auth import router as auth_router
+
+__all__ = ["auth_router"]
diff --git a/backend/routes/auth.py b/backend/routes/auth.py
@@ -0,0 +1,106 @@
+"""
+Authentication Routes
+Handles user signup, login, and session management
+"""
+from fastapi import APIRouter, HTTPException, Depends, status
+from pydantic import BaseModel, EmailStr
+from typing import Optional, Dict, Any
+from services.auth import get_auth_service
+from middleware.auth import get_current_user
+
+# Create router
+router = APIRouter(prefix="/api/auth", tags=["Authentication"])
+
+
+# Request/Response Models
+class SignupRequest(BaseModel):
+    email: EmailStr
+    password: str
+    github_username: Optional[str] = None
+
+
+class LoginRequest(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class RefreshRequest(BaseModel):
+    refresh_token: str
+
+
+class AuthResponse(BaseModel):
+    user: Dict[str, Any]
+    session: Dict[str, Any]
+
+
+# Routes
+@router.post("/signup", response_model=AuthResponse)
+async def signup(request: SignupRequest):
+    """
+    Sign up a new user with Supabase Auth
+    
+    - **email**: Valid email address
+    - **password**: Password (min 6 characters recommended)
+    - **github_username**: Optional GitHub username for profile
+    
+    Returns user data and session tokens (access_token, refresh_token)
+    """
+    auth_service = get_auth_service()
+    return await auth_service.signup(
+        email=request.email,
+        password=request.password,
+        github_username=request.github_username
+    )
+
+
+@router.post("/login", response_model=AuthResponse)
+async def login(request: LoginRequest):
+    """
+    Login with email and password
+    
+    - **email**: Registered email address
+    - **password**: User password
+    
+    Returns user data and session tokens
+    """
+    auth_service = get_auth_service()
+    return await auth_service.login(
+        email=request.email,
+        password=request.password
+    )
+
+
+@router.post("/refresh")
+async def refresh(request: RefreshRequest):
+    """
+    Refresh access token using refresh token
+    
+    - **refresh_token**: Valid refresh token from login/signup
+    
+    Returns new access token
+    """
+    auth_service = get_auth_service()
+    return await auth_service.refresh_session(request.refresh_token)
+
+
+@router.post("/logout")
+async def logout(user: Dict = Depends(get_current_user)):
+    """
+    Logout current user and invalidate session
+    
+    Requires: Valid JWT token in Authorization header
+    """
+    auth_service = get_auth_service()
+    return await auth_service.logout(token="")  # Supabase handles session
+
+
+@router.get("/me")
+async def get_current_user_info(user: Dict = Depends(get_current_user)):
+    """
+    Get current authenticated user information
+    
+    Requires: Valid JWT token in Authorization header
+    
+    Returns user profile data
+    """
+    return {"user": user}
diff --git a/backend/services/auth.py b/backend/services/auth.py
