NationalGenomicsInfrastructure
diff --git a/‎.devcontainer/devcontainer.json
+33 b/‎.devcontainer/devcontainer.json
+33
diff --git a/‎Dockerfile
+23 b/‎Dockerfile
+23
diff --git a/‎app/__init__.py b/‎app/__init__.py
diff --git a/‎app/main.py
+16 b/‎app/main.py
+16
diff --git a/‎app/routers/__init__.py b/‎app/routers/__init__.py
diff --git a/‎app/routers/auth.py
+146 b/‎app/routers/auth.py
+146
@@ -0,0 +1,33 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/docker-existing-dockerfile
+{
+    "name": "spectacles",
+    "build": {
+        // Sets the run context to one level up instead of the .devcontainer folder.
+        "context": "..",
+        // Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
+        "dockerfile": "../Dockerfile",
+        "target": "base"
+    },
+    "features": {},
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "ms-python.python",
+                "charliermarsh.ruff"
+            ]
+        }
+    },
+    // Features to add to the dev container. More info: https://containers.dev/features.
+    // "features": {},
+    // Use 'forwardPorts' to make a list of ports inside the container available locally.
+    // "forwardPorts": [],
+    //"postCreateCommand": "cd ../flowcell_parser/ && pip3 install -e . && cd ../TACA && pip3 install -e .",
+    // Configure tool-specific properties.
+    // "customizations": {},
+    // Uncomment to connect as an existing user other than the container default. More info: https://aka.ms/dev-containers-non-root.
+    // "remoteUser": "devcontainer"
+    //"mounts": [
+    //    "source=${localEnv:HOME}/repos/flowcell_parser,target=/workspaces/flowcell_parser,type=bind,consistency=cached"
+    //]
+}
@@ -0,0 +1,23 @@
+# Use an official Python runtime as a parent image
+FROM python:3.12 AS base
+
+# Set the working directory in the container to /app
+WORKDIR /app
+
+# Add the current directory contents into the container at /app
+ADD . /app
+
+# Install Poetry
+RUN pip install --no-cache-dir poetry
+
+# Use Poetry to install dependencies
+RUN poetry config virtualenvs.create false \
+    && poetry install --no-interaction --no-ansi
+
+# Make port 8000 available to the world outside this container
+EXPOSE 8000
+
+FROM base AS main
+# Not meant for production.
+# Run app.py when the container launches
+CMD ["poetry", "run", "uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000"]
@@ -0,0 +1,16 @@
+import dotenv
+from fastapi import FastAPI
+
+dotenv.load_dotenv()
+
+from .routers import auth
+
+
+app = FastAPI()
+
+app.include_router(auth.router)
+
+
+@app.get("/")
+async def index():
+    return "Hello World"
@@ -0,0 +1,146 @@
+from datetime import datetime, timedelta, timezone
+import os
+from typing import Annotated
+
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from pydantic import BaseModel
+
+# to get a string like this run:
+# openssl rand -hex 32
+
+# Fetch environmental variables
+SECRET_KEY = os.getenv("SPECTACLES_SECRET_KEY")
+ALGORITHM = os.getenv("SPECTACLES_ALGORITHM")
+
+if not SECRET_KEY or not ALGORITHM:
+    raise ValueError("SPECTACLES_SECRET_KEY and SPECTACLES_ALGORITHM must be set as environmental variables")
+
+ACCESS_TOKEN_EXPIRE_MINUTES = 90
+
+
+clients_db = {
+    "first_client": {"disabled": False, "client_id": "first_client", "client_secret_hashed": "$2b$12$Yqwzj50q0.5brgJAYwOIEO1l10tdgStMZEB41HwRMFzU/h5wuDsh."}
+}
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str
+
+
+class TokenData(BaseModel):
+    client_id: str | None = None
+
+class Client(BaseModel):
+    """Client without the hashed secret, more suitable to view"""
+    client_id: str
+    disabled: bool | None = None
+
+
+class ClientInDB(Client):
+    """Client with hashed secret"""
+    client_secret_hashed: str
+
+
+secret_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
+router = APIRouter()
+
+
+def verify_client_secret(plain_secret, hashed_secret):
+    return secret_context.verify(plain_secret, hashed_secret)
+
+
+def get_secret_hash(secret):
+    return secret_context.hash(secret)
+
+def get_client(db, client_id: str):
+    if client_id in db:
+        client_dict = db[client_id]
+        return ClientInDB(**client_dict)
+
+def authenticate_client(clients_db, client_id: str, client_secret: str):
+    client: ClientInDB = get_client(clients_db, client_id)
+    if not client:
+        return False
+    if not verify_client_secret(client_secret, client.client_secret_hashed):
+        return False
+    return client
+
+
+def create_access_token(data: dict, expires_delta: timedelta | None = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.now(timezone.utc) + expires_delta
+    else:
+        expire = datetime.now(timezone.utc) + timedelta(minutes=15)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+
+async def get_current_client(token: Annotated[str, Depends(oauth2_scheme)]):
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        client_id: str = payload.get("sub")
+        if client_id is None:
+            raise credentials_exception
+        token_data = TokenData(client_id=client_id)
+    except JWTError:
+        raise credentials_exception
+
+    # If we get this far, the token is valid
+    client = get_client(clients_db, client_id=token_data.client_id)
+    if client is None:
+        raise credentials_exception
+    return client
+
+
+async def get_current_active_client(
+    current_client: Annotated[Client, Depends(get_current_client)]
+):
+    if current_client.disabled:
+        raise HTTPException(status_code=400, detail="Inactive user")
+    return current_client
+
+
+@router.post("/token")
+async def login_for_access_token(
+    form_data: Annotated[OAuth2PasswordRequestForm, Depends()]
+) -> Token:
+    client = authenticate_client(clients_db, form_data.username, form_data.password)
+    if not client:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+    access_token = create_access_token(
+        data={"sub": client.client_id}, expires_delta=access_token_expires
+    )
+    return Token(access_token=access_token, token_type="bearer")
+
+
+@router.get("/users/me/", response_model=Client)
+async def read_users_me(
+    current_client: Annotated[Client, Depends(get_current_active_client)]
+):
+    return current_client
+
+
+@router.get("/users/me/items/")
+async def read_own_items(
+    current_client: Annotated[Client, Depends(get_current_active_client)]
+):
+    return [{"item_id": "Foo", "owner": current_client.client_id}]