update

AzA march 2026/workforce_planner/api/routes_auth.py

@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+"""Login-Endpoint – liefert JWT Token für Desktop + Web Clients."""
+
+from pydantic import BaseModel
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+
+from ..database import get_db
+from ..core.models import Employee
+from .auth import verify_password, create_access_token
+from ..core.schemas import EmployeeRead
+
+import datetime
+
+router = APIRouter(prefix="/auth", tags=["Authentifizierung"])
+
+
+class LoginRequest(BaseModel):
+    email: str
+    password: str
+
+
+class LoginResponse(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+    employee: EmployeeRead
+
+
+@router.post("/login", response_model=LoginResponse)
+def login(data: LoginRequest, db: Session = Depends(get_db)):
+    emp = db.query(Employee).filter(Employee.email == data.email).first()
+    if not emp or not emp.password_hash:
+        raise HTTPException(401, "E-Mail oder Passwort falsch")
+
+    if not verify_password(data.password, emp.password_hash):
+        raise HTTPException(401, "E-Mail oder Passwort falsch")
+
+    if not emp.is_active:
+        raise HTTPException(403, "Konto deaktiviert")
+
+    emp.last_login = datetime.datetime.utcnow()
+    db.commit()
+
+    token = create_access_token(emp.id, emp.role.value)
+    return LoginResponse(
+        access_token=token,
+        employee=EmployeeRead.model_validate(emp),
+    )