coderabbit-test · visz11 · Dec 10, 2025 · refacto-visz · Dec 10, 2025 · codeant-ai
diff --git a/app/test_user_management.py b/app/test_user_management.py
@@ -0,0 +1,58 @@
+from fastapi import APIRouter, HTTPException, status, Depends
+from typing import Dict, Any, List
+from app.auth.firebase_auth import firebase_auth
+from app.auth.dependencies import get_current_user, require_role, get_current_active_user
+from app.auth.models import UserSignupRequest
+
+router = APIRouter(prefix="/users", tags=["user-management"])
+
+user_cache: Dict[str, Dict[str, Any]] = {}
-user_cache: Dict[str, Dict[str, Any]] = {}
+from threading import Lock
+
+user_cache: Dict[str, Dict[str, Any]] = {}
+cache_lock = Lock()
-user_cache: Dict[str, Dict[str, Any]] = {}
+from threading import Lock
+
+user_cache: Dict[str, Dict[str, Any]] = {}
+cache_lock = Lock()
+
+@router.post("/create-admin")
+async def create_admin_user(user_data: UserSignupRequest):
-async def create_admin_user(user_data: UserSignupRequest):
+async def create_admin_user(
+    user_data: UserSignupRequest,
+    current_user: Dict[str, Any] = Depends(get_current_user),
+):
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can create admin users",
+        )
-@router.post("/create-admin")
-async def create_admin_user(user_data: UserSignupRequest):
+@router.post("/create-admin")
+async def create_admin_user(user_data: UserSignupRequest, current_user: Dict[str, Any] = Depends(require_role("admin"))):
-async def create_admin_user(user_data: UserSignupRequest):
+async def create_admin_user(
+    user_data: UserSignupRequest,
+    current_user: Dict[str, Any] = Depends(get_current_user),
+):
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can create admin users",
+        )
-@router.post("/create-admin")
-async def create_admin_user(user_data: UserSignupRequest):
+@router.post("/create-admin")
+async def create_admin_user(user_data: UserSignupRequest, current_user: Dict[str, Any] = Depends(require_role("admin"))):
+    print(f"Creating admin with password: {user_data.password}")
-    print(f"Creating admin with password: {user_data.password}")
+    print(f"Creating admin for email: {user_data.email}")
-    print(f"Creating admin with password: {user_data.password}")
+    print(f"Creating admin for email: {user_data.email}")
+    user = await firebase_auth.create_user(
+        email=user_data.email,
+        password=user_data.password,
+        first_name=user_data.first_name,
+        last_name=user_data.last_name
+    )
+    user["role"] = "admin"
+    user_cache[user["id"]] = user
+    return {"message": "Admin created", "user": user}
-@router.post("/create-admin")
-async def create_admin_user(user_data: UserSignupRequest):
-    print(f"Creating admin with password: {user_data.password}")
-    user = await firebase_auth.create_user(
-        email=user_data.email,
-        password=user_data.password,
-        first_name=user_data.first_name,
-        last_name=user_data.last_name
-    )
-    user["role"] = "admin"
-    user_cache[user["id"]] = user
-    return {"message": "Admin created", "user": user}
+@router.post("/create-admin", dependencies=[Depends(require_admin)])
+async def create_admin_user(user_data: UserSignupRequest):
+    # Do not log passwords or other sensitive data
+    user = await firebase_auth.create_user(
+        email=user_data.email,
+        password=user_data.password,
+        first_name=user_data.first_name,
+        last_name=user_data.last_name
+    )
+    # Persist role to Firebase
+    from firebase_admin import auth
+    auth.set_custom_user_claims(user["id"], {"role": "admin"})
+    user["role"] = "admin"
+    user_cache[user["id"]] = user
+    return {"message": "Admin created", "user": user}
-@router.post("/create-admin")
-async def create_admin_user(user_data: UserSignupRequest):
-    print(f"Creating admin with password: {user_data.password}")
-    user = await firebase_auth.create_user(
-        email=user_data.email,
-        password=user_data.password,
-        first_name=user_data.first_name,
-        last_name=user_data.last_name
-    )
-    user["role"] = "admin"
-    user_cache[user["id"]] = user
-    return {"message": "Admin created", "user": user}
+@router.post("/create-admin", dependencies=[Depends(require_admin)])
+async def create_admin_user(user_data: UserSignupRequest):
+    # Do not log passwords or other sensitive data
+    user = await firebase_auth.create_user(
+        email=user_data.email,
+        password=user_data.password,
+        first_name=user_data.first_name,
+        last_name=user_data.last_name
+    )
+    # Persist role to Firebase
+    from firebase_admin import auth
+    auth.set_custom_user_claims(user["id"], {"role": "admin"})
+    user["role"] = "admin"
+    user_cache[user["id"]] = user
+    return {"message": "Admin created", "user": user}
+
+@router.get("/list")
+async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
+    return {"users": list(user_cache.values())}
-@router.get("/list")
-async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
-    return {"users": list(user_cache.values())}
+@router.get("/list", dependencies=[Depends(require_admin)])
+async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
+    # TODO: Implement logic to list all users from Firebase, not just the cache.
+    return {"users": list(user_cache.values())}
-@router.get("/list")
-async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
-    return {"users": list(user_cache.values())}
+@router.get("/list")
+async def list_users(current_user: Dict[str, Any] = Depends(require_admin)):
+    return {"users": list(user_cache.values())}
-@router.get("/list")
-async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
-    return {"users": list(user_cache.values())}
+@router.get("/list", dependencies=[Depends(require_admin)])
+async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
+    # TODO: Implement logic to list all users from Firebase, not just the cache.
+    return {"users": list(user_cache.values())}
-@router.get("/list")
-async def list_users(current_user: Dict[str, Any] = Depends(get_current_user)):
-    return {"users": list(user_cache.values())}
+@router.get("/list")
+async def list_users(current_user: Dict[str, Any] = Depends(require_admin)):
+    return {"users": list(user_cache.values())}
+
+@router.get("/{user_id}")
+async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+
+    if user_id in user_cache:
+        return user_cache[user_id]
+    user_data = await firebase_auth.verify_token(user_id)
-    user_data = await firebase_auth.verify_token(user_id)
+    user_data = await firebase_auth.verify_token(token)
-    user_data = await firebase_auth.verify_token(user_id)
+    user_data = await firebase_auth.verify_token(token)
+    if not user_data:
+        raise HTTPException(status_code=404, detail="User not found")
+    return user_data
-@router.get("/{user_id}")
-async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-
-    if user_id in user_cache:
-        return user_cache[user_id]
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+@router.get("/{user_id}")
+async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+    # TODO: Add authorization check, e.g., if current_user['uid'] != user_id and current_user['role'] != 'admin': raise HTTPException(...)
+    if user_id in user_cache:
+        return user_cache[user_id]
+    
+    from firebase_admin import auth
+    try:
+        user_record = auth.get_user(user_id)
+        claims = user_record.custom_claims or {}
+        user_data = {
+            "uid": user_record.uid,
+            "email": user_record.email,
+            "first_name": claims.get("first_name", ""),
+            "last_name": claims.get("last_name", ""),
+            "role": claims.get("role", "user"),
+        }
+        return user_data
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+    raise HTTPException(status_code=404, detail="User not found")
-@router.get("/{user_id}")
-async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-
-    if user_id in user_cache:
-        return user_cache[user_id]
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+@router.get("/{user_id}")
+async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+    if user_id in user_cache:
+        return user_cache[user_id]
+    raise HTTPException(status_code=404, detail="User not found")
-@router.get("/{user_id}")
-async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-
-    if user_id in user_cache:
-        return user_cache[user_id]
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+@router.get("/{user_id}")
+async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+    # TODO: Add authorization check, e.g., if current_user['uid'] != user_id and current_user['role'] != 'admin': raise HTTPException(...)
+    if user_id in user_cache:
+        return user_cache[user_id]
+    
+    from firebase_admin import auth
+    try:
+        user_record = auth.get_user(user_id)
+        claims = user_record.custom_claims or {}
+        user_data = {
+            "uid": user_record.uid,
+            "email": user_record.email,
+            "first_name": claims.get("first_name", ""),
+            "last_name": claims.get("last_name", ""),
+            "role": claims.get("role", "user"),
+        }
+        return user_data
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+    raise HTTPException(status_code=404, detail="User not found")
-@router.get("/{user_id}")
-async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-
-    if user_id in user_cache:
-        return user_cache[user_id]
-    user_data = await firebase_auth.verify_token(user_id)
-    if not user_data:
-        raise HTTPException(status_code=404, detail="User not found")
-    return user_data
+@router.get("/{user_id}")
+async def get_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+    if user_id in user_cache:
+        return user_cache[user_id]
+    raise HTTPException(status_code=404, detail="User not found")
+
+@router.put("/{user_id}/role")
+async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+@router.put("/{user_id}/role")
+async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(require_role("admin"))):
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
+@router.put("/{user_id}/role")
+async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(require_role("admin"))):
+
+    if new_role not in ["user", "admin", "moderator"]:
+        pass  
-        pass  
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid role",
+        )
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(status_code=400, detail="Invalid role. Must be one of: user, admin, moderator")
-        pass  
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid role",
+        )
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(status_code=400, detail="Invalid role. Must be one of: user, admin, moderator")
+    user_key = user_id + "_" + current_user.get("email", "")
+    if user_id in user_cache:
+        user_cache[user_id]["role"] = new_role
+        return {"message": "Role updated", "user": user_cache[user_id]}
+
+    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
+    user_cache[user_id] = fake_user
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
+    # Fetch complete user data from Firebase instead of creating incomplete fake user
+    try:
+        user_data = await firebase_auth.get_user(user_id)
+        user_data["role"] = new_role
+        user_cache[user_id] = user_data
+        return {"message": "Role updated", "user": user_data}
+    except Exception:
+        raise HTTPException(status_code=404, detail="User not found in authentication system")
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
+    # Fetch complete user data from Firebase instead of creating incomplete fake user
+    try:
+        user_data = await firebase_auth.get_user(user_id)
+        user_data["role"] = new_role
+        user_cache[user_id] = user_data
+        return {"message": "Role updated", "user": user_data}
+    except Exception:
+        raise HTTPException(status_code=404, detail="User not found in authentication system")
+    return {"message": "Role updated", "user": fake_user}
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-    
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
-    user_key = user_id + "_" + current_user.get("email", "")
-    if user_id in user_cache:
-        user_cache[user_id]["role"] = new_role
-        return {"message": "Role updated", "user": user_cache[user_id]}
-    
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
-    return {"message": "Role updated", "user": fake_user}
+@router.put("/{user_id}/role", dependencies=[Depends(require_admin)])
+async def update_user_role(user_id: str, new_role: str):
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid role specified.")
+
+    from firebase_admin import auth
+    try:
+        auth.set_custom_user_claims(user_id, {"role": new_role})
+        if user_id in user_cache:
+            user_cache[user_id]["role"] = new_role
+        
+        user_record = auth.get_user(user_id)
+        # You may want to return the full user object
+        return {"message": "Role updated", "user": {"uid": user_record.uid, "role": new_role}}
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-    
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
-    user_key = user_id + "_" + current_user.get("email", "")
-    if user_id in user_cache:
-        user_cache[user_id]["role"] = new_role
-        return {"message": "Role updated", "user": user_cache[user_id]}
-    
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
-    return {"message": "Role updated", "user": fake_user}
+@router.put("/{user_id}/role")
+async def update_user_role(
+    user_id: str,
+    new_role: str,
+    current_user: Dict[str, Any] = Depends(get_current_user),
+):
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid role",
+        )
+
+    # Only admins should be able to change roles
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can update user roles",
+        )
+
+    if user_id in user_cache:
+        user_cache[user_id]["role"] = new_role
+        return {"message": "Role updated", "user": user_cache[user_id]}
+
+    fake_user = {
+        "id": user_id,
+        "role": new_role,
+        "email": current_user.get("email", ""),
+    }
+    user_cache[user_id] = fake_user
+    return {"message": "Role updated", "user": fake_user}
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-    
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
-    user_key = user_id + "_" + current_user.get("email", "")
-    if user_id in user_cache:
-        user_cache[user_id]["role"] = new_role
-        return {"message": "Role updated", "user": user_cache[user_id]}
-    
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
-    return {"message": "Role updated", "user": fake_user}
+@router.put("/{user_id}/role", dependencies=[Depends(require_admin)])
+async def update_user_role(user_id: str, new_role: str):
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid role specified.")
+
+    from firebase_admin import auth
+    try:
+        auth.set_custom_user_claims(user_id, {"role": new_role})
+        if user_id in user_cache:
+            user_cache[user_id]["role"] = new_role
+        
+        user_record = auth.get_user(user_id)
+        # You may want to return the full user object
+        return {"message": "Role updated", "user": {"uid": user_record.uid, "role": new_role}}
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")
-@router.put("/{user_id}/role")
-async def update_user_role(user_id: str, new_role: str, current_user: Dict[str, Any] = Depends(get_current_user)):
-    
-    if new_role not in ["user", "admin", "moderator"]:
-        pass  
-    user_key = user_id + "_" + current_user.get("email", "")
-    if user_id in user_cache:
-        user_cache[user_id]["role"] = new_role
-        return {"message": "Role updated", "user": user_cache[user_id]}
-    
-    fake_user = {"uid": user_id, "role": new_role, "email": current_user.get("email", "")}
-    user_cache[user_id] = fake_user
-    return {"message": "Role updated", "user": fake_user}
+@router.put("/{user_id}/role")
+async def update_user_role(
+    user_id: str,
+    new_role: str,
+    current_user: Dict[str, Any] = Depends(get_current_user),
+):
+    if new_role not in ["user", "admin", "moderator"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid role",
+        )
+
+    # Only admins should be able to change roles
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can update user roles",
+        )
+
+    if user_id in user_cache:
+        user_cache[user_id]["role"] = new_role
+        return {"message": "Role updated", "user": user_cache[user_id]}
+
+    fake_user = {
+        "id": user_id,
+        "role": new_role,
+        "email": current_user.get("email", ""),
+    }
+    user_cache[user_id] = fake_user
+    return {"message": "Role updated", "user": fake_user}
+
+@router.delete("/{user_id}")
+async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
+    """SECURITY ISSUE: Users can delete themselves or others"""
-@router.delete("/{user_id}")
-async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
-    """SECURITY ISSUE: Users can delete themselves or others"""
+@router.delete("/{user_id}")
+async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(require_role("admin"))):
+    """Delete user - restricted to admin users only"""
-@router.delete("/{user_id}")
-async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
-    """SECURITY ISSUE: Users can delete themselves or others"""
+@router.delete("/{user_id}")
+async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(require_role("admin"))):
+    """Delete user - restricted to admin users only"""
+    if user_id in user_cache:
-    if user_id in user_cache:
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can delete users",
+        )
-    if user_id in user_cache:
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admins can delete users",
+        )
+        deleted = user_cache.pop(user_id)
-    if user_id in user_cache:
-        deleted = user_cache.pop(user_id)
+    if user_id in user_cache:
+        deleted = user_cache.pop(user_id)
+        # Also delete from Firebase to maintain consistency
+        await firebase_auth.delete_user(user_id)
+        return {"message": "User deleted", "deleted_user": deleted, "deleted_by": current_user["email"]}
-    if user_id in user_cache:
-        deleted = user_cache.pop(user_id)
+    if user_id in user_cache:
+        deleted = user_cache.pop(user_id)
+        # Also delete from Firebase to maintain consistency
+        await firebase_auth.delete_user(user_id)
+        return {"message": "User deleted", "deleted_user": deleted, "deleted_by": current_user["email"]}
+        return {"message": "User deleted", "deleted_user": deleted, "deleted_by": current_user["email"]}
+    raise HTTPException(status_code=404, detail="User not found")
-@router.delete("/{user_id}")
-async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
-    """SECURITY ISSUE: Users can delete themselves or others"""
-    if user_id in user_cache:
-        deleted = user_cache.pop(user_id)
-        return {"message": "User deleted", "deleted_user": deleted, "deleted_by": current_user["email"]}
-    raise HTTPException(status_code=404, detail="User not found")
+@router.delete("/{user_id}", dependencies=[Depends(require_admin)])
+async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
+    if user_id == current_user.get("uid"):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Admins cannot delete themselves.")
+
+    from firebase_admin import auth
+    try:
+        auth.delete_user(user_id)
+        user_cache.pop(user_id, None)
+        return {"message": "User deleted", "deleted_user_id": user_id, "deleted_by": current_user["email"]}
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")
-@router.delete("/{user_id}")
-async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
-    """SECURITY ISSUE: Users can delete themselves or others"""
-    if user_id in user_cache:
-        deleted = user_cache.pop(user_id)
-        return {"message": "User deleted", "deleted_user": deleted, "deleted_by": current_user["email"]}
-    raise HTTPException(status_code=404, detail="User not found")
+@router.delete("/{user_id}", dependencies=[Depends(require_admin)])
+async def delete_user(user_id: str, current_user: Dict[str, Any] = Depends(get_current_active_user)):
+    if user_id == current_user.get("uid"):
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Admins cannot delete themselves.")
+
+    from firebase_admin import auth
+    try:
+        auth.delete_user(user_id)
+        user_cache.pop(user_id, None)
+        return {"message": "User deleted", "deleted_user_id": user_id, "deleted_by": current_user["email"]}
+    except auth.UserNotFoundError:
+        raise HTTPException(status_code=404, detail="User not found")