fix:updated secrets

alembic/versions/a34f13019598_drop_platform_model.py

@@ -0,0 +1,35 @@
+"""drop platform model
+
+Revision ID: a34f13019598
+Revises: 3380d93055a7
+Create Date: 2025-12-07 14:22:13.166768
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'a34f13019598'
+down_revision: Union[str, Sequence[str], None] = '3380d93055a7'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('user_devices', 'platform')
+    op.drop_column('user_devices', 'device_model')
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('user_devices', sa.Column('device_model', sa.VARCHAR(), autoincrement=False, nullable=False))
+    op.add_column('user_devices', sa.Column('platform', sa.VARCHAR(), autoincrement=False, nullable=False))
+    # ### end Alembic commands ###

src/notifications/schemas.py

@@ -1,6 +1,4 @@
 from pydantic import BaseModel
 
 class RegisterDeviceRequest(BaseModel):
-    device_token: str
-    platform: str
-    device_model: str
+    device_token: str

src/notifications/service.py

@@ -18,8 +18,6 @@ async def register_device(
     device = result.scalar_one_or_none()
 
     if device:
-        device.platform = body.platform
-        device.device_model = body.device_model
         device.last_seen = datetime.utcnow()
         device.updated_at = datetime.utcnow()
 
@@ -31,8 +29,6 @@ async def register_device(
     new_device = UserDevices(
         user_id=user_id,
         device_token=body.device_token,
-        platform=body.platform,
-        device_model=body.device_model,
     )
 
     session.add(new_device)
@@ -40,9 +36,11 @@ async def register_device(
     await session.refresh(new_device)
     return new_device
 
+
 from sqlalchemy import select
 from src.profile.models import UserDevices
 
+
 async def get_user_device_tokens(session, user_id):
     stmt = select(UserDevices.device_token).where(UserDevices.user_id == user_id)
     rows = (await session.execute(stmt)).all()

src/payslip/router.py

@@ -18,6 +18,8 @@ from src.payslip.googleservice import (
 )
 from src.payslip.utils import get_current_user_model
 from src.payslip.models import PayslipRequest, PayslipStatus
+from src.payslip.utils import encrypt_token
+
 
 router = APIRouter(prefix="/payslips", tags=["Payslips & Gmail"])
 
@@ -81,13 +83,13 @@ async def gmail_callback(
     existing = (await session.execute(q)).scalar_one_or_none()
 
     if existing:
-        existing.refresh_token = refresh_token
+        existing.refresh_token = encrypt_token(refresh_token)
         session.add(existing)
     else:
         session.add(
             PayslipRequest(
                 user_id=user_id,
-                refresh_token=refresh_token,
+                refresh_token=encrypt_token(refresh_token),
                 status=PayslipStatus.PENDING,
             )
         )

src/payslip/service.py

@@ -15,6 +15,9 @@ from src.payslip.googleservice import (
     send_gmail,
 )
 
+from src.payslip.utils import decrypt_token
+from src.payslip.utils import encrypt_token
+
 
 async def user_team_name(session: AsyncSession, user_id):
     """Return user's team name."""
@@ -95,7 +98,7 @@ async def process_payslip_request(
     # 4. Get refresh_token from latest payslip row (DB)
     latest = await get_latest_payslip_row(session, user.id)
 
-    refresh_token = latest.refresh_token if latest else None
+    refresh_token = decrypt_token(latest.refresh_token) if latest else None
 
     if not refresh_token:
         # No token stored yet
@@ -134,7 +137,7 @@ async def process_payslip_request(
         latest.status = PayslipStatus.SENT
         latest.requested_at = now
         latest.error_message = None
-        latest.refresh_token = refresh_token  # keep token
+        latest.refresh_token = encrypt_token(refresh_token)  # keep token
         session.add(latest)
         await session.commit()
         await session.refresh(latest)

src/payslip/utils.py

@@ -13,6 +13,23 @@ from src.core.database import get_async_session
 from src.core.models import Users
 from src.core.config import settings
 
+
+from cryptography.fernet import Fernet
+from src.core.config import settings
+
+
+fernet = Fernet(settings.FERNET_KEY.encode())
+
+
+def encrypt_token(token: str) -> str:
+    """Encrypts a refresh token before saving to DB."""
+    return fernet.encrypt(token.encode()).decode()
+
+
+def decrypt_token(token: str) -> str:
+    """Decrypts a stored refresh token when needed."""
+    return fernet.decrypt(token.encode()).decode()
+
 bearer_scheme = HTTPBearer()
 
 SECRET_KEY = settings.SECRET_KEY

src/profile/utils.py

@@ -12,17 +12,27 @@ from datetime import date
 from typing import Tuple, Optional, List
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession
-from src.core.models import UserTeamsRole, Roles, Users, Teams  # adjust import path if differs
+from src.core.models import (
+    UserTeamsRole,
+    Roles,
+    Users,
+    Teams,
+)  # adjust import path if differs
 from src.core.config import settings  # for FCM key if needed
 import httpx
-import math
 
-def calculate_days(from_date: date, to_date: date, include_weekends: bool = True) -> int:
+
+def calculate_days(
+    from_date: date, to_date: date, include_weekends: bool = True
+) -> int:
     """Calculate inclusive days. If you want to exclude weekends, add logic."""
     delta = (to_date - from_date).days + 1
     return max(0, delta)
 
-async def find_mentor_and_lead(session: AsyncSession, user_id) -> Tuple[Optional[dict], Optional[dict]]:
+
+async def find_mentor_and_lead(
+    session: AsyncSession, user_id
+) -> Tuple[Optional[dict], Optional[dict]]:
     """
     Return (mentor_user, lead_user) as dicts or None.
     Uses your existing UserTeamsRole and Roles tables to find role members in same team.
@@ -34,41 +44,51 @@ async def find_mentor_and_lead(session: AsyncSession, user_id) -> Tuple[Optional
         return None, None
 
     # 2) find Mentor role id
-    mentor_role = (await session.exec(select(Roles).where(Roles.name == "Mentor"))).first()
-    lead_role = (await session.exec(select(Roles).where(Roles.name == "Team Lead"))).first()
+    mentor_role = (
+        await session.exec(select(Roles).where(Roles.name == "Mentor"))
+    ).first()
+    lead_role = (
+        await session.exec(select(Roles).where(Roles.name == "Team Lead"))
+    ).first()
 
     mentor_user = None
     lead_user = None
 
     if mentor_role:
-        mentor_user = (await session.exec(
-            select(Users)
-            .join(UserTeamsRole)
-            .where(UserTeamsRole.team_id == user_team.team_id)
-            .where(UserTeamsRole.role_id == mentor_role.id)
-        )).first()
+        mentor_user = (
+            await session.exec(
+                select(Users)
+                .join(UserTeamsRole)
+                .where(UserTeamsRole.team_id == user_team.team_id)
+                .where(UserTeamsRole.role_id == mentor_role.id)
+            )
+        ).first()
 
     if lead_role:
-        lead_user = (await session.exec(
-            select(Users)
-            .join(UserTeamsRole)
-            .where(UserTeamsRole.team_id == user_team.team_id)
-            .where(UserTeamsRole.role_id == lead_role.id)
-        )).first()
+        lead_user = (
+            await session.exec(
+                select(Users)
+                .join(UserTeamsRole)
+                .where(UserTeamsRole.team_id == user_team.team_id)
+                .where(UserTeamsRole.role_id == lead_role.id)
+            )
+        ).first()
 
     return mentor_user, lead_user
 
 
-
 async def get_tokens_for_user(session: AsyncSession, user_id) -> list[str]:
     user = await session.get(Users, user_id)
     if not user:
         return []
     return user.device_tokens or []
 
+
 # Simple FCM send using legacy HTTP API (server key).
 # In production prefer FCM HTTP v1 (OAuth) or firebase-admin SDK.
-async def send_push_to_tokens(tokens: list[str], title: str, body: str, data: dict = None):
+async def send_push_to_tokens(
+    tokens: list[str], title: str, body: str, data: dict = None
+):
     if not tokens:
         return
 
@@ -97,8 +117,6 @@ async def send_push_to_tokens(tokens: list[str], title: str, body: str, data: di
             print("FCM send failed:", r.status_code, r.text)
 
 
-
-
 SMTP_HOST = settings.EMAIL_SERVER
 SMTP_PORT = settings.EMAIL_PORT
 SMTP_USER = settings.EMAIL_USERNAME