Feat(Chore, Fix): Refractor, Half Baked Deletion + Admin Privilege

Refractor Codes into sub file/folders Admin can remove users'/members mfa/2fa, unlink account from oauth provider Admin can add/reset password Different Email (OIDC + Manual)-Same Account; (Block Linking and authorize if available)
2026-03-04 18:49:04 +05:45
parent ea1bacc794
commit 7cb522b590
63 changed files with 7896 additions and 10863 deletions
@@ -0,0 +1,65 @@
+"""OIDC userinfo endpoint logic."""
+import logging
+from typing import Dict
+
+from gatehouse_app.models import User
+from gatehouse_app.exceptions.validation_exceptions import NotFoundError
+from gatehouse_app.services.oidc_audit_service import OIDCAuditService
+
+logger = logging.getLogger(__name__)
+
+
+def get_userinfo(access_token: str, validate_access_token_fn) -> Dict:
+    logger.debug("[OIDC SERVICE] get_userinfo() called")
+
+    claims = validate_access_token_fn(access_token)
+    user_id = claims.get("sub")
+
+    user = User.query.get(user_id)
+    if not user:
+        logger.error("[OIDC SERVICE] User not found in database: user_id=%s", user_id)
+        raise NotFoundError("User not found")
+
+    scope_str = claims.get("scope", "")
+    scopes = scope_str.split() if scope_str else []
+
+    userinfo = {"sub": user_id}
+
+    if "profile" in scopes and user.full_name:
+        userinfo["name"] = user.full_name
+
+    if "email" in scopes:
+        userinfo["email"] = user.email
+        userinfo["email_verified"] = user.email_verified
+
+    if "roles" in scopes:
+        userinfo["roles"] = _get_user_roles(user)
+
+    _userinfo_client_id_str = claims.get("client_id")
+    _userinfo_client_db_id = None
+    if _userinfo_client_id_str:
+        from gatehouse_app.models import OIDCClient
+        _uc = OIDCClient.query.filter_by(client_id=_userinfo_client_id_str).first()
+        _userinfo_client_db_id = _uc.id if _uc else None
+
+    OIDCAuditService.log_userinfo_event(
+        access_token=access_token,
+        user_id=user_id,
+        client_id=_userinfo_client_db_id,
+        success=True,
+        scopes_claimed=scopes,
+    )
+
+    return userinfo
+
+
+def _get_user_roles(user: User) -> list:
+    roles = []
+    if not user or not user.organization_memberships:
+        return roles
+    for member in user.organization_memberships:
+        roles.append({
+            "organization_id": str(member.organization_id),
+            "role": member.role.value,
+        })
+    return roles