add previous fix bug forgotting commit-push

03-apiservice/app/security/dependencies.py

@@ -1,15 +1,17 @@
 from typing import Annotated
+from collections.abc import Sequence
 
 from fastapi import Depends, HTTPException, Request, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session, sessionmaker
 
-from app.db.engine import engine
+from app.db.engine import engine, supabase_engine
 from app.db.models import ApiKey
 from app.security.api_key import get_prefix, verify_api_key
 
 
 SessionLocal = sessionmaker(bind=engine, autoflush=False, autocommit=False)
+SupabaseSessionLocal = sessionmaker(bind=supabase_engine, autoflush=False, autocommit=False)
 
 
 def get_db():
@@ -20,6 +22,14 @@ def get_db():
         db.close()
 
 
+def get_supabase_db():
+    db = SupabaseSessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+
 def get_bearer_token(request: Request) -> str:
     auth = request.headers.get("authorization")
     if not auth:
@@ -32,7 +42,7 @@ def get_bearer_token(request: Request) -> str:
     return parts[1].strip()
 
 
-def require_permission(permission: str):
+def require_permission(permission: str | Sequence[str]):
     def _dep(
         token: Annotated[str, Depends(get_bearer_token)],
         db: Annotated[Session, Depends(get_db)],
@@ -46,7 +56,9 @@ def require_permission(permission: str):
         if not verify_api_key(token, api_key.key_hash):
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
 
-        if permission not in (api_key.permissions or []):
+        allowed = set(api_key.permissions or [])
+        required = [permission] if isinstance(permission, str) else list(permission)
+        if not any(p in allowed for p in required):
             raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Permission denied")
 
         return api_key