Skip to content

refactor: separate authentication and authorization into distinct modules#122

Merged
Besthope-Official merged 2 commits into
mainfrom
refactor/split-rbac
Feb 4, 2026
Merged

refactor: separate authentication and authorization into distinct modules#122
Besthope-Official merged 2 commits into
mainfrom
refactor/split-rbac

Conversation

@Besthope-Official
Copy link
Copy Markdown
Contributor

@Besthope-Official Besthope-Official commented Feb 4, 2026

Related Issue

Closes #120

Summary of Changes

Separated authentication (identity verification) from authorization (access control) into distinct modules following DDD principles:

Part 1: RBAC Submodule Structure

  • Created src/auth/rbac/ submodule with clear separation:

    • models.py - RBAC models (Role, Permission, UserRole, RolePermission)
    • repository.py - Database queries (PermissionRepository)
    • service.py - Business logic (PermissionService, pure - no FastAPI deps)
    • dependencies.py - FastAPI dependency factories
    • __init__.py - Public API re-exports

  • Updated src/auth/models.py - Removed RBAC models, kept User/OAuthAccount only

  • Deleted src/auth/rbac.py - Old 356-line monolithic file

  • Updated test imports in 4 test files

Part 2: Eliminated Circular Import

  • Created src/auth/dependencies.py - Extracted current_user, current_superuser, fastapi_users
  • Updated src/auth/__init__.py - Clean imports, no deferred imports
  • Updated src/auth/rbac/dependencies.py - Import from src.auth.dependencies instead of src.auth

Architecture improvements:

  • Authentication vs Authorization clearly separated
  • RBAC as plugin (submodule makes optional nature explicit)
  • Clean dependency graph (no circular imports)
  • Service layer pure (PermissionService has no framework dependencies)
  • Backward compatible (external API unchanged: from src.auth import require_permissions still works)

File changes:

  • Created: src/auth/dependencies.py, src/auth/rbac/ (4 files)
  • Deleted: src/auth/rbac.py
  • Modified: src/auth/__init__.py, src/auth/models.py, 4 test files

Breaking Changes

N/A - Backward compatible. All existing imports continue to work via re-exports in src/auth/__init__.py.

Checklist

  • Issue discussion completed before opening PR
  • Scope is small and focused (single feature/fix)
  • All functions have full type annotations
  • Async/await used for all I/O operations
  • Tests added for new behaviors (all 94 tests pass)

🤖 Generated with Claude Code

@Besthope-Official Besthope-Official added the Backend-enhanced backend enhancement label Feb 4, 2026
@Besthope-Official Besthope-Official merged commit 87c9462 into main Feb 4, 2026
3 checks passed
@Besthope-Official Besthope-Official deleted the refactor/split-rbac branch February 4, 2026 10:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Backend-enhanced backend enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

refactor: separate authentication and authorization into distinct modules

1 participant

@Besthope-Official