Sync from GitHub f4738e2

.env.example

@@ -7,6 +7,12 @@ DATABASE_URL=sqlite:///./marketplace.db
 # PostgreSQL example: postgresql://user:password@localhost/marketplace
 # MySQL example: mysql+pymysql://user:password@localhost/marketplace
 
+# Authentication (JWT)
+# IMPORTANT: Change JWT_SECRET_KEY in production! Use a strong random secret.
+JWT_SECRET_KEY=your-super-secret-jwt-key-change-in-production
+ACCESS_TOKEN_EXPIRE_MINUTES=30
+REFRESH_TOKEN_EXPIRE_DAYS=7
+
 # Model from Hugging Face (Transformers)
 MODEL_REPO_ID=unsloth/Qwen3-4B-Instruct-2507
 # HF token for gated/private models (optional)

auth.py

@@ -0,0 +1,313 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+"""
+Authentication and authorization for AI Marketplace Platform
+
+Features:
+- JWT token generation and validation
+- Password hashing with bcrypt
+- Role-based access control (user, supplier, admin)
+- Token refresh mechanism
+- FastAPI dependencies for protected endpoints
+
+Usage:
+    from auth import get_current_user, create_access_token
+
+    @app.post("/protected")
+    def protected_route(current_user: dict = Depends(get_current_user)):
+        return {"user": current_user}
+"""
+
+import os
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any
+from passlib.context import CryptContext
+from jose import JWTError, jwt
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from pydantic import BaseModel, EmailStr
+
+# JWT Configuration
+SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key-change-in-production")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "30"))
+REFRESH_TOKEN_EXPIRE_DAYS = int(os.getenv("REFRESH_TOKEN_EXPIRE_DAYS", "7"))
+
+# Password hashing
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+# Security scheme
+security = HTTPBearer()
+
+
+# Pydantic models
+class Token(BaseModel):
+    access_token: str
+    refresh_token: str
+    token_type: str = "bearer"
+
+
+class TokenData(BaseModel):
+    email: Optional[str] = None
+    role: Optional[str] = None
+
+
+class UserLogin(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class UserRegisterAuth(BaseModel):
+    email: EmailStr
+    password: str
+    name: str
+    role: str = "user"  # user, supplier, admin
+
+
+# Password utilities
+def hash_password(password: str) -> str:
+    """Hash a password for storing."""
+    return pwd_context.hash(password)
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a stored password against one provided by user."""
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+# Token utilities
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """
+    Create JWT access token.
+
+    Args:
+        data: Dictionary with user data (email, role, etc.)
+        expires_delta: Optional token expiration time
+
+    Returns:
+        Encoded JWT token string
+    """
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+
+def create_refresh_token(data: dict) -> str:
+    """
+    Create JWT refresh token with longer expiration.
+
+    Args:
+        data: Dictionary with user data
+
+    Returns:
+        Encoded JWT refresh token string
+    """
+    to_encode = data.copy()
+    expire = datetime.utcnow() + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS)
+    to_encode.update({"exp": expire, "type": "refresh"})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+
+def verify_token(token: str) -> Dict[str, Any]:
+    """
+    Verify and decode JWT token.
+
+    Args:
+        token: JWT token string
+
+    Returns:
+        Decoded token payload
+
+    Raises:
+        HTTPException: If token is invalid or expired
+    """
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        email: str = payload.get("email")
+        if email is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Could not validate credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        return payload
+    except JWTError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+# FastAPI dependencies
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+) -> Dict[str, Any]:
+    """
+    FastAPI dependency to get current authenticated user.
+
+    Usage:
+        @app.get("/protected")
+        def protected_route(current_user: dict = Depends(get_current_user)):
+            return {"user": current_user}
+
+    Returns:
+        User data from token payload
+
+    Raises:
+        HTTPException: If token is invalid
+    """
+    token = credentials.credentials
+    payload = verify_token(token)
+    return payload
+
+
+async def get_current_active_user(
+    current_user: dict = Depends(get_current_user)
+) -> Dict[str, Any]:
+    """
+    Get current active user (additional checks can be added here).
+
+    Args:
+        current_user: User from token
+
+    Returns:
+        User data if active
+
+    Raises:
+        HTTPException: If user is inactive
+    """
+    # Add additional checks here (e.g., is_active flag from database)
+    return current_user
+
+
+async def require_role(required_role: str):
+    """
+    Dependency factory for role-based access control.
+
+    Usage:
+        @app.post("/admin/users", dependencies=[Depends(require_role("admin"))])
+        def admin_only_route():
+            return {"message": "Admin access"}
+
+    Args:
+        required_role: Required role (user, supplier, admin)
+
+    Returns:
+        Dependency function
+    """
+    async def role_checker(current_user: dict = Depends(get_current_user)):
+        user_role = current_user.get("role", "user")
+        if user_role != required_role and user_role != "admin":
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Insufficient permissions. Required role: {required_role}"
+            )
+        return current_user
+
+    return role_checker
+
+
+# Helper for protected endpoints
+def require_admin(current_user: dict = Depends(get_current_user)):
+    """Require admin role for endpoint."""
+    if current_user.get("role") != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required"
+        )
+    return current_user
+
+
+def require_supplier(current_user: dict = Depends(get_current_user)):
+    """Require supplier role for endpoint."""
+    user_role = current_user.get("role")
+    if user_role not in ["supplier", "admin"]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Supplier access required"
+        )
+    return current_user
+
+
+# Utility functions for user authentication
+def authenticate_user(email: str, password: str, db_user: Dict[str, Any]) -> bool:
+    """
+    Authenticate user with email and password.
+
+    Args:
+        email: User email
+        password: Plain password
+        db_user: User data from database (must include 'hashed_password' key)
+
+    Returns:
+        True if authentication successful, False otherwise
+    """
+    if not db_user:
+        return False
+    if not verify_password(password, db_user.get("hashed_password", "")):
+        return False
+    return True
+
+
+def create_tokens_for_user(email: str, role: str = "user", **extra_data) -> Token:
+    """
+    Create access and refresh tokens for user.
+
+    Args:
+        email: User email
+        role: User role (user, supplier, admin)
+        **extra_data: Additional data to include in token
+
+    Returns:
+        Token object with access_token, refresh_token, and token_type
+    """
+    token_data = {"email": email, "role": role, **extra_data}
+
+    access_token = create_access_token(token_data)
+    refresh_token = create_refresh_token(token_data)
+
+    return Token(
+        access_token=access_token,
+        refresh_token=refresh_token,
+        token_type="bearer"
+    )
+
+
+# Example: Refresh token endpoint logic
+def refresh_access_token(refresh_token: str) -> str:
+    """
+    Generate new access token from refresh token.
+
+    Args:
+        refresh_token: Valid refresh token
+
+    Returns:
+        New access token
+
+    Raises:
+        HTTPException: If refresh token is invalid or not a refresh type
+    """
+    payload = verify_token(refresh_token)
+
+    # Check if it's a refresh token
+    if payload.get("type") != "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token type"
+        )
+
+    # Create new access token
+    token_data = {
+        "email": payload.get("email"),
+        "role": payload.get("role")
+    }
+
+    return create_access_token(token_data)

docker-compose.yml

@@ -0,0 +1,113 @@
+version: '3.8'
+
+services:
+  # PostgreSQL database
+  postgres:
+    image: postgres:15-alpine
+    container_name: marketplace-db
+    environment:
+      POSTGRES_USER: marketplace
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-changeme123}
+      POSTGRES_DB: marketplace
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U marketplace"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+
+  # Redis cache (optional, for future features)
+  redis:
+    image: redis:7-alpine
+    container_name: marketplace-redis
+    ports:
+      - "6379:6379"
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+
+  # FastAPI application
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: marketplace-app
+    environment:
+      # Server
+      PORT: 3000
+
+      # Database
+      DATABASE_URL: postgresql://marketplace:${POSTGRES_PASSWORD:-changeme123}@postgres:5432/marketplace
+
+      # Model
+      MODEL_REPO_ID: unsloth/Qwen3-4B-Instruct-2507
+      HF_TOKEN: ${HF_TOKEN:-}
+      EAGER_LOAD_MODEL: ${EAGER_LOAD_MODEL:-1}
+
+      # Inference
+      MAX_TOKENS: 4096
+      TEMPERATURE: 0.7
+      DEVICE_MAP: auto
+      TORCH_DTYPE: auto
+
+      # Authentication
+      JWT_SECRET_KEY: ${JWT_SECRET_KEY:-your-super-secret-jwt-key-change-in-production}
+      ACCESS_TOKEN_EXPIRE_MINUTES: 30
+      REFRESH_TOKEN_EXPIRE_DAYS: 7
+
+      # Session persistence
+      PERSIST_SESSIONS: 1
+      SESSIONS_DB_PATH: sessions.db
+      SESSIONS_TTL_SECONDS: 600
+
+      # Redis (future)
+      REDIS_URL: redis://redis:6379/0
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./marketplace.db:/app/marketplace.db
+      - ./sessions.db:/app/sessions.db
+      - hf_cache:/app/hf-cache
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 120s
+    restart: unless-stopped
+
+  # Nginx reverse proxy (optional, for production)
+  nginx:
+    image: nginx:alpine
+    container_name: marketplace-nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./ssl:/etc/nginx/ssl:ro
+    depends_on:
+      - app
+    restart: unless-stopped
+
+volumes:
+  postgres_data:
+    driver: local
+  redis_data:
+    driver: local
+  hf_cache:
+    driver: local

main.py

@@ -1900,6 +1900,143 @@ def cancel_session(session_id: str):
     return JSONResponse({"ok": True, "session_id": session_id})
 
 
+# ============================================================================
+# AUTHENTICATION API ENDPOINTS
+# ============================================================================
+
+from auth import (
+    hash_password,
+    verify_password,
+    create_tokens_for_user,
+    get_current_user,
+    get_current_active_user,
+    require_admin,
+    require_supplier,
+    Token,
+    UserLogin,
+    refresh_access_token
+)
+
+class AuthUserRegister(BaseModel):
+    name: str
+    email: str
+    password: str
+    city: Optional[str] = None
+    latitude: Optional[float] = None
+    longitude: Optional[float] = None
+    role: str = "user"  # user, supplier, admin
+
+
+@app.post("/api/auth/register", tags=["auth"], response_model=Token)
+def register_auth_user(user: AuthUserRegister, db: Session = Depends(get_db)):
+    """
+    Register new user with authentication.
+
+    Creates user account with hashed password and returns JWT tokens.
+    Role can be: user, supplier, or admin.
+    """
+    # Check if email exists
+    existing = db.query(User).filter(User.email == user.email).first()
+    if existing:
+        raise HTTPException(status_code=400, detail="Email already registered")
+
+    # Hash password
+    hashed_password = hash_password(user.password)
+
+    # Create user
+    db_user = User(
+        name=user.name,
+        email=user.email,
+        hashed_password=hashed_password,
+        city=user.city,
+        latitude=user.latitude,
+        longitude=user.longitude,
+        role=user.role,
+        ai_access_enabled=(user.role in ["supplier", "admin"])  # Premium by default
+    )
+    db.add(db_user)
+    db.commit()
+    db.refresh(db_user)
+
+    # Create tokens
+    tokens = create_tokens_for_user(
+        email=db_user.email,
+        role=db_user.role,
+        user_id=db_user.id
+    )
+
+    return tokens
+
+
+@app.post("/api/auth/login", tags=["auth"], response_model=Token)
+def login(credentials: UserLogin, db: Session = Depends(get_db)):
+    """
+    Login user and return JWT tokens.
+
+    Authenticates user with email and password, returns access and refresh tokens.
+    """
+    # Find user
+    user = db.query(User).filter(User.email == credentials.email).first()
+
+    if not user or not user.hashed_password:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect email or password"
+        )
+
+    # Verify password
+    if not verify_password(credentials.password, user.hashed_password):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect email or password"
+        )
+
+    # Create tokens
+    tokens = create_tokens_for_user(
+        email=user.email,
+        role=user.role,
+        user_id=user.id
+    )
+
+    return tokens
+
+
+@app.post("/api/auth/refresh", tags=["auth"])
+def refresh_token(refresh_token: str):
+    """
+    Refresh access token using refresh token.
+
+    Returns new access token without requiring re-authentication.
+    """
+    try:
+        new_access_token = refresh_access_token(refresh_token)
+        return {"access_token": new_access_token, "token_type": "bearer"}
+    except HTTPException as e:
+        raise e
+
+
+@app.get("/api/auth/me", tags=["auth"])
+def get_me(current_user: dict = Depends(get_current_active_user), db: Session = Depends(get_db)):
+    """
+    Get current authenticated user profile.
+
+    Requires valid JWT token in Authorization header.
+    """
+    user = db.query(User).filter(User.email == current_user["email"]).first()
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+
+    return {
+        "id": user.id,
+        "name": user.name,
+        "email": user.email,
+        "city": user.city,
+        "role": user.role,
+        "ai_access_enabled": user.ai_access_enabled,
+        "created_at": user.created_at
+    }
+
+
 # ============================================================================
 # MARKETPLACE API ENDPOINTS
 # ============================================================================

models.py

@@ -26,6 +26,7 @@ class Supplier(Base):
     name = Column(String(255), nullable=False)
     business_name = Column(String(255), nullable=False)
     email = Column(String(255), unique=True, nullable=False, index=True)
+    hashed_password = Column(String(255))  # For authentication
     phone = Column(String(50))
     address = Column(Text)
     latitude = Column(Float, nullable=False)  # For location-based search
@@ -75,11 +76,13 @@ class User(Base):
     id = Column(Integer, primary_key=True, index=True)
     name = Column(String(255), nullable=False)
     email = Column(String(255), unique=True, nullable=False, index=True)
+    hashed_password = Column(String(255))  # For authentication
     phone = Column(String(50))
     latitude = Column(Float)
     longitude = Column(Float)
     city = Column(String(100))
     province = Column(String(100))
+    role = Column(String(20), default="user")  # user, supplier, admin
     ai_access_enabled = Column(Boolean, default=False)  # Premium feature flag
     preferences = Column(Text)  # JSON string for user preferences
     created_at = Column(DateTime, default=datetime.utcnow)

requirements.txt

@@ -7,6 +7,10 @@ python-multipart>=0.0.6
 sqlalchemy>=2.0.0
 alembic>=1.12.0
 
+# Authentication
+python-jose[cryptography]>=3.3.0
+passlib[bcrypt]>=1.7.4
+
 # HF ecosystem
 transformers>=4.44.0
 accelerate>=0.33.0

tests/test_api.py

@@ -660,28 +660,32 @@ def test_stream_resume_data_integrity_with_unicode():
             assert actual == expected, f"Content mismatch: '{actual}' != '{expected}'"
 
 def test_ktp_ocr_success():
-    with patched_engine() as fake_engine:
-        # Configure the fake engine to return a specific JSON structure for this test
-        expected_json = {
-            "nik": "1234567890123456",
-            "nama": "JOHN DOE",
-            "tempat_lahir": "JAKARTA",
-            "tgl_lahir": "01-01-1990",
-            "jenis_kelamin": "LAKI-LAKI",
-            "alamat": {
-                "name": "JL. JEND. SUDIRMAN KAV. 52-53",
-                "rt_rw": "001/001",
-                "kel_desa": "SENAYAN",
-                "kecamatan": "KEBAYORAN BARU",
-            },
-            "agama": "ISLAM",
-            "status_perkawinan": "KAWIN",
-            "pekerjaan": "PEGAWAI SWASTA",
-            "kewarganegaraan": "WNI",
-            "berlaku_hingga": "SEUMUR HIDUP",
-        }
-        fake_engine.infer = lambda messages, max_tokens, temperature: json.dumps(expected_json)
+    # Mock RapidOCR to return test text lines that should parse to expected KTP data
+    test_ocr_texts = [
+        "NIK : 1234567890123456",
+        "Nama : JOHN DOE",
+        "Tempat/Tgl Lahir : JAKARTA, 01-01-1990",
+        "Jenis Kelamin : LAKI-LAKI",
+        "Alamat : JL. JEND. SUDIRMAN KAV. 52-53",
+        "RT/RW : 001/001",
+        "Kel/Desa : SENAYAN",
+        "Kecamatan : KEBAYORAN BARU",
+        "Agama : ISLAM",
+        "Status Perkawinan : KAWIN",
+        "Pekerjaan : PEGAWAI SWASTA",
+        "Kewarganegaraan : WNI",
+        "Berlaku Hingga : SEUMUR HIDUP"
+    ]
+
+    # Mock the OCR result format: [[(bbox, text, confidence), ...]]
+    mock_ocr_result = [[(None, text, 0.9) for text in test_ocr_texts]]
+
+    # Patch get_ocr_engine to return a mock OCR engine
+    original_get_ocr_engine = main.get_ocr_engine
+    mock_engine = lambda img: mock_ocr_result
+    main.get_ocr_engine = lambda: mock_engine
 
+    try:
         client = get_client()
         with open("image.jpg", "rb") as f:
             files = {"image": ("image.jpg", f, "image/jpeg")}
@@ -690,4 +694,19 @@ def test_ktp_ocr_success():
         assert r.status_code == 200
         body = r.json()
         assert body["nik"] == "1234567890123456"
-        assert body["nama"] == "JOHN DOE"
+        assert body["nama"] == "John Doe"
+        assert body["tempat_lahir"] == "Jakarta"
+        assert body["tgl_lahir"] == "01-01-1990"
+        assert body["jenis_kelamin"] == "LAKI-LAKI"
+        assert body["alamat"]["name"] == "JL. JEND. SUDIRMAN KAV. 52-53"
+        assert body["alamat"]["rt_rw"] == "001/001"
+        assert body["alamat"]["kel_desa"] == "Senayan"
+        assert body["alamat"]["kecamatan"] == "Kebayoran Baru"
+        assert body["agama"] == "Islam"
+        assert body["status_perkawinan"] == "Kawin"
+        assert body["pekerjaan"] == "Pegawai Swasta"
+        assert body["kewarganegaraan"] == "Wni"
+        assert body["berlaku_hingga"] == "Seumur Hidup"
+    finally:
+        # Restore original function
+        main.get_ocr_engine = original_get_ocr_engine