feat(account): GET /me user endpoint only, disable cache and extra routers

Co-authored-by: Cursor <cursoragent@cursor.com>

src/infrastructure/vault/__init__.py

@@ -0,0 +1,3 @@
+from src.infrastructure.vault.utils import read_kv2_secret, create_hvac_client
+from src.infrastructure.vault.keys import JwtKeyStore
+from src.infrastructure.vault.scheduler import start_jwt_keys_scheduler

src/infrastructure/vault/keys.py

@@ -0,0 +1,113 @@
+from __future__ import annotations
+import asyncio
+from datetime import datetime, timezone
+from src.application.domain.dto import JwtPublicKeySet, JwtPublicKey
+from src.application.domain.exceptions import ApplicationException
+from src.infrastructure.vault import create_hvac_client, read_kv2_secret
+
+
+class JwtKeyStore:
+
+    _instance: 'JwtKeyStore | None' = None
+
+    def __new__(cls, *args, **kwargs):
+        if cls._instance is None:
+            cls._instance = super().__new__(cls)
+        return cls._instance
+
+    def __init__(
+        self,
+        *,
+        vault_addr: str,
+        vault_token: str,
+        mount_point: str,
+        kid_path: str = 'jwt/kid',
+        kids_prefix: str = 'jwt/kids',
+        timeout_seconds: int = 5,
+        refresh_ttl_seconds: int = 60,
+    ):
+        if getattr(self, '_initialized', False):
+            return
+
+        self._vault_addr = vault_addr
+        self._vault_token = vault_token
+        self._timeout = timeout_seconds
+
+        self._mount = mount_point
+        self._kid_path = kid_path
+        self._kids_prefix = kids_prefix
+
+        self._refresh_ttl_seconds = refresh_ttl_seconds
+
+        self._lock = asyncio.Lock()
+        self._keyset: JwtPublicKeySet | None = None
+        self._last_refresh_at: datetime | None = None
+
+        self._initialized = True
+
+    @classmethod
+    def get_instance(cls) -> 'JwtKeyStore':
+        if cls._instance is None:
+            raise ApplicationException(status_code=500, message='JwtKeyStore not initialized')
+        return cls._instance
+
+    def _read_keyset_sync(self) -> JwtPublicKeySet:
+        client = create_hvac_client(url=self._vault_addr, token=self._vault_token, timeout=self._timeout)
+
+        kids = read_kv2_secret(client=client, mount_point=self._mount, path=self._kid_path)
+        active_kid = kids.get('active')
+        previous_kid = kids.get('previous')
+
+        if not active_kid:
+            raise RuntimeError('Vault jwt/kid secret missing "active"')
+
+        active = self._read_public_key_sync(client, str(active_kid))
+
+        previous = None
+        if previous_kid and previous_kid != active_kid:
+            previous = self._read_public_key_sync(client, str(previous_kid))
+
+        return JwtPublicKeySet(active=active, previous=previous)
+
+    def _read_public_key_sync(self, client, kid: str) -> JwtPublicKey:
+        data = read_kv2_secret(
+            client=client,
+            mount_point=self._mount,
+            path=f'{self._kids_prefix}/{kid}',
+        )
+        pub = data.get('public_key')
+        if not pub:
+            raise RuntimeError(f'Vault jwt/kids/{kid} missing public_key')
+        return JwtPublicKey(kid=kid, public_key_pem=pub)
+
+    async def refresh(self) -> JwtPublicKeySet:
+        keyset = await asyncio.to_thread(self._read_keyset_sync)
+        async with self._lock:
+            self._keyset = keyset
+            self._last_refresh_at = datetime.now(timezone.utc)
+        return keyset
+
+    async def get_public_key_for_kid(self, kid: str) -> str | None:
+        ks = await self._get_or_refresh()
+        return ks.public_keys_by_kid().get(kid)
+
+    async def last_refresh_at(self) -> datetime | None:
+        async with self._lock:
+            return self._last_refresh_at
+
+    async def _get_or_refresh(self) -> JwtPublicKeySet:
+        async with self._lock:
+            ks = self._keyset
+            last = self._last_refresh_at
+
+        if ks is None:
+            return await self.refresh()
+
+        if last is None:
+            return await self.refresh()
+
+        age = (datetime.now(timezone.utc) - last).total_seconds()
+        if age >= self._refresh_ttl_seconds:
+            return await self.refresh()
+
+        return ks

src/infrastructure/vault/scheduler.py

@@ -0,0 +1,23 @@
+from __future__ import annotations
+import logging
+from apscheduler.schedulers.asyncio import AsyncIOScheduler
+from apscheduler.triggers.interval import IntervalTrigger
+from src.infrastructure.vault import JwtKeyStore
+
+logger = logging.getLogger(__name__)
+
+
+def start_jwt_keys_scheduler(store: JwtKeyStore, *, refresh_seconds: int = 3600) -> AsyncIOScheduler:
+    scheduler = AsyncIOScheduler()
+    scheduler.add_job(
+        store.refresh,
+        trigger=IntervalTrigger(seconds=refresh_seconds),
+        id="jwt_keys_refresh",
+        replace_existing=True,
+        max_instances=1,
+        coalesce=True,
+        misfire_grace_time=60,
+    )
+    scheduler.start()
+    logger.info("JWT keys scheduler started (interval=%s seconds)", refresh_seconds)
+    return scheduler

src/infrastructure/vault/utils.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+import hvac
+
+
+def create_hvac_client(*, url: str, token: str, timeout: int = 5) -> hvac.Client:
+    client = hvac.Client(url=url, token=token, timeout=timeout)
+    if not client.is_authenticated():
+        raise RuntimeError("Vault authentication failed. Check VAULT_ADDR / VAULT_TOKEN")
+    return client
+
+
+def read_kv2_secret(*, client: hvac.Client, mount_point: str, path: str) -> dict:
+    secret = client.secrets.kv.v2.read_secret_version(
+        mount_point=mount_point,
+        path=path,
+    )
+    return secret["data"]["data"]