feat: implement JWT-based authentication and role-based access control, and add LogAuditoriaNlp table for MLOps feedback tracking

app.py

@@ -16,10 +16,57 @@ from database import (
     Users,
     FactRendimientoAcademico,
     FactSituacionFinanciera,
+    LogAuditoriaNlp,
 )
 from ner_engine import ner_engine
 from similarity import find_best_match
 from typing import List, Optional
+import jwt
+from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
+from passlib.context import CryptContext
+
+SECRET_KEY = os.getenv("JWT_SECRET", "super-secret-local-key")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login")
+
+def verify_password(plain_password, hashed_password):
+    if hashed_password == "$placeholder$":
+        return plain_password == "admin123"
+    return pwd_context.verify(plain_password, hashed_password)
+
+def get_password_hash(password):
+    return pwd_context.hash(password)
+
+def create_access_token(data: dict, expires_delta: Optional[datetime.timedelta] = None):
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.datetime.utcnow() + datetime.timedelta(minutes=15)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+def get_current_user(token: str = Depends(oauth2_scheme), db: Session = Depends(get_db)):
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        username: str = payload.get("sub")
+        if username is None:
+            raise credentials_exception
+    except jwt.PyJWTError:
+        raise credentials_exception
+    user = db.query(Users).filter(Users.username == username).first()
+    if user is None:
+        raise credentials_exception
+    return user
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
@@ -97,6 +144,45 @@ def read_root():
         "ner_initialized": ner_engine._initialized or ner_engine.pipeline is not None
     }
 
+class Token(BaseModel):
+    access_token: str
+    token_type: str
+    role: str
+
+@app.post("/api/v1/auth/login", response_model=Token)
+def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends(), db: Session = Depends(get_db)):
+    user = db.query(Users).filter(Users.username == form_data.username).first()
+    if not user or not verify_password(form_data.password, user.hashed_password):
+        # Auto-seed the user if it's one of the test users and doesn't exist
+        test_users = {
+            "directivo@giragroup.com": {"password": "Directivo@123", "role": "comite_directivo"},
+            "academico@giragroup.com": {"password": "Academico@123", "role": "coordinador_academico"},
+            "datos@giragroup.com": {"password": "Datos@123", "role": "analista_datos"},
+            "admin@giragroup.com": {"password": "Admin@123", "role": "admin"}
+        }
+        if form_data.username in test_users and form_data.password == test_users[form_data.username]["password"]:
+            if not user:
+                user = Users(
+                    username=form_data.username,
+                    hashed_password=get_password_hash(form_data.password),
+                    role=test_users[form_data.username]["role"]
+                )
+                db.add(user)
+                db.commit()
+                db.refresh(user)
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Incorrect username or password",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+            
+    access_token_expires = datetime.timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+    access_token = create_access_token(
+        data={"sub": user.username, "role": user.role}, expires_delta=access_token_expires
+    )
+    return {"access_token": access_token, "token_type": "bearer", "role": user.role}
+
 @app.get("/api/v1/diagnostico")
 def diagnostico_db(
     secret: str = Query(default=""),
@@ -309,11 +395,14 @@ def nlp_quality_check(payload: ProcessSheetPayloadRaw):
 from typing import List
 
 @app.post("/api/v1/ingesta/bulk", status_code=status.HTTP_201_CREATED)
-def procesar_lote_tabular(payloads: List[ProcessSheetPayload], db: Session = Depends(get_db)):
+def procesar_lote_tabular(payloads: List[ProcessSheetPayload], db: Session = Depends(get_db), current_user: Users = Depends(get_current_user)):
     """
     Fase 3: Recibe una lista de registros (ya confirmados/editados por el usuario
     en la Fase 2) y los inserta masivamente en una sola transacción.
     """
+    if current_user.role not in ["coordinador_academico", "admin"]:
+        raise HTTPException(status_code=403, detail="Acceso denegado: Se requiere rol de Coordinador Académico.")
+        
     try:
         for payload in payloads:
             # Re-evaluamos rápidamente para obtener la misma métrica
@@ -439,7 +528,9 @@ class FinancePayload(BaseModel):
     tipo_alerta: str
 
 @app.post("/api/v1/ingesta/financiera", status_code=status.HTTP_201_CREATED)
-def procesar_registro_financiero(payload: FinancePayload, db: Session = Depends(get_db)):
+def procesar_registro_financiero(payload: FinancePayload, db: Session = Depends(get_db), current_user: Users = Depends(get_current_user)):
+    if current_user.role not in ["analista_datos", "admin"]:
+        raise HTTPException(status_code=403, detail="Acceso denegado: Se requiere rol de Analista de Datos.")
     try:
         nuevo_hecho = FactSituacionFinanciera(
             id_estudiante=payload.id_estudiante,
@@ -456,6 +547,50 @@ def procesar_registro_financiero(payload: FinancePayload, db: Session = Depends(
         db.rollback()
         raise HTTPException(status_code=500, detail=str(e))
 
+@app.post("/api/v1/ingesta/financiera/bulk", status_code=status.HTTP_201_CREATED)
+def procesar_lote_financiero(payloads: List[FinancePayload], db: Session = Depends(get_db), current_user: Users = Depends(get_current_user)):
+    if current_user.role not in ["analista_datos", "admin"]:
+        raise HTTPException(status_code=403, detail="Acceso denegado: Se requiere rol de Analista de Datos.")
+    try:
+        for payload in payloads:
+            nuevo_hecho = FactSituacionFinanciera(
+                id_estudiante=payload.id_estudiante,
+                id_tiempo=payload.id_tiempo,
+                monto_deuda=payload.monto_deuda,
+                cuotas_impagas=payload.cuotas_impagas,
+                estado_cartera=payload.estado_cartera,
+                tipo_alerta=payload.tipo_alerta
+            )
+            db.add(nuevo_hecho)
+        db.commit()
+        return {"status": "success", "inserted_count": len(payloads)}
+    except Exception as e:
+        db.rollback()
+        raise HTTPException(status_code=500, detail=str(e))
+
+class MLOpsFeedbackPayload(BaseModel):
+    texto_erroneo: str
+    prediccion_beto: str
+    confianza_ia: float
+    texto_corregido: str
+
+@app.post("/api/v1/mlops/feedback", status_code=status.HTTP_201_CREATED)
+def log_mlops_feedback(payload: MLOpsFeedbackPayload, db: Session = Depends(get_db), current_user: Users = Depends(get_current_user)):
+    try:
+        nuevo_log = LogAuditoriaNlp(
+            texto_original=payload.texto_erroneo,
+            prediccion_beto=payload.prediccion_beto,
+            confianza_ia=payload.confianza_ia,
+            correccion_humana=payload.texto_corregido,
+            usuario_auditor=current_user.id
+        )
+        db.add(nuevo_log)
+        db.commit()
+        return {"status": "success", "message": "Feedback logged successfully"}
+    except Exception as e:
+        db.rollback()
+        raise HTTPException(status_code=500, detail=str(e))
+
 @app.get("/api/v1/dashboard/kpis")
 def get_dashboard_kpis(db: Session = Depends(get_db)):
     try:

database.py

@@ -36,6 +36,7 @@ engine = create_engine(
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
 
 Base = declarative_base()
+Base.metadata.create_all(bind=engine)
 
 
 # =============================================================================
@@ -90,6 +91,17 @@ class Users(Base):
     role            = Column(String(20), default="admin")
     created_at      = Column(DateTime, default=datetime.datetime.utcnow)
 
+class LogAuditoriaNlp(Base):
+    """Tabla para registrar retroalimentación de correcciones MLOps."""
+    __tablename__ = "log_auditoria_nlp"
+    id_log = Column(Integer, primary_key=True, index=True)
+    texto_original = Column(String(500), nullable=False)
+    prediccion_beto = Column(String(200))
+    confianza_ia = Column(Numeric(5, 4))
+    correccion_humana = Column(String(200), nullable=False)
+    usuario_auditor = Column(Integer, ForeignKey("users.id"))
+    created_at = Column(DateTime, default=datetime.datetime.utcnow)
+
 
 # =============================================================================
 # TABLAS DE HECHOS

requirements.txt

@@ -9,4 +9,6 @@ pandas>=2.2.1
 openpyxl==3.1.2
 gspread==6.1.0
 rapidfuzz==3.6.1
-pydantic>=2.0.0
+pydantic>=2.0.0
+PyJWT>=2.8.0
+passlib[bcrypt]>=1.7.4