feat: security, JWT, API keys, validation, and auth routes

alembic.ini

@@ -1,41 +0,0 @@
-[alembic]
-script_location = backend/db/migrations
-prepend_sys_path = .
-version_path_separator = os  # Use os.linesep
-
-[post_write_hooks]
-# Post-write hooks to format auto-generated migrations
-
-[loggers]
-keys = root,sqlalchemy,alembic
-
-[handlers]
-keys = console
-
-[formatters]
-keys = generic
-
-[logger_root]
-level = WARN
-handlers = console
-qualname =
-
-[logger_sqlalchemy]
-level = WARN
-handlers =
-qualname = sqlalchemy.engine
-
-[logger_alembic]
-level = INFO
-handlers =
-qualname = alembic
-
-[handler_console]
-class = StreamHandler
-args = (sys.stderr,)
-level = NOTSET
-formatter = generic
-
-[formatter_generic]
-format = %(levelname)-5.5s [%(name)s] %(message)s
-datefmt = %H:%M:%S

backend/api/v1/routers/auth.py

@@ -0,0 +1,216 @@
+import logging
+from fastapi import APIRouter, Request, Depends, BackgroundTasks
+from fastapi.responses import JSONResponse, RedirectResponse
+from fastapi.security import OAuth2PasswordRequestForm
+from sqlalchemy.ext.asyncio import AsyncSession
+from authlib.integrations.starlette_client import OAuth, OAuthError
+
+from backend.db.session import get_db
+from backend.db.models import User
+from backend.db.utils import exists, get_or_404
+from backend.core.middleware import limiter
+from backend.core.security import (
+    validate_password_strength, hash_password, verify_password,
+    create_access_token, create_refresh_token, set_refresh_cookie, clear_auth_cookies,
+    verify_token, get_refresh_token_from_cookie, blacklist_token, generate_verification_token
+)
+from backend.core.brute_force import brute_force_protector
+from backend.core.dependencies import get_client_ip, get_current_user
+from backend.core.exceptions import (
+    ValidationError, EmailAlreadyExistsError, AuthenticationError, AccountInactiveError
+)
+from backend.api.v1.schemas.auth import (
+    RegisterRequest, TokenResponse, UserResponse, AuthResponse, MessageResponse
+)
+from backend.core.config import settings
+
+logger = logging.getLogger(__name__)
+
+oauth = OAuth()
+oauth.register(
+    name="google",
+    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
+    client_id=settings.GOOGLE_CLIENT_ID,
+    client_secret=settings.GOOGLE_CLIENT_SECRET,
+    client_kwargs={"scope": "openid email profile"},
+)
+
+router = APIRouter()
+
+# --- Google OAuth Segment ---
+@router.get("/google/login")
+async def google_login(request: Request):
+    """Redirects to Google consent screen."""
+    redirect_uri = settings.GOOGLE_REDIRECT_URI
+    return await oauth.google.authorize_redirect(request, redirect_uri)
+
+@router.get("/google/callback")
+async def google_callback(request: Request, db: AsyncSession = Depends(get_db)):
+    """Handles Google OAuth callback."""
+    # Step 1: Exchange code for token
+    try:
+        google_token = await oauth.google.authorize_access_token(request)
+    except OAuthError as e:
+        raise AuthenticationError(f"Google OAuth failed: {e.description}")
+    
+    # Step 2: Get user info
+    user_info = google_token.get("userinfo")
+    if not user_info or not user_info.get("email_verified"):
+        raise AuthenticationError("Google email not verified")
+    
+    google_id = user_info.get("sub")
+    email = user_info.get("email")
+    full_name = user_info.get("name", "Google User")
+    picture = user_info.get("picture")
+    
+    # Step 3: Find or create user
+    user = await User.get_by_google_id(db, google_id)
+    if not user:
+        user = await User.get_by_email(db, email)
+        if user:
+            # Link existing account to Google
+            user.google_id = google_id
+            user.profile_picture_url = picture
+            user.is_active = True
+        else:
+            # Create new user
+            user = User(
+                email=email, full_name=full_name,
+                google_id=google_id, profile_picture_url=picture,
+                is_active=True, is_verified=True
+            )
+            db.add(user)
+    
+    await db.commit()
+    await db.refresh(user)
+    
+    # Step 4: Issue tokens
+    access_token = create_access_token(user.id)
+    refresh_token = create_refresh_token(user.id)
+    
+    # Step 5: Redirect to frontend
+    response = RedirectResponse(
+        url=f"{settings.FRONTEND_URL}/auth/callback?token={access_token}"
+    )
+    set_refresh_cookie(response, refresh_token)
+    return response
+
+# --- Email/Password Segment ---
+async def send_verification_email(email: str, token: str):
+    # TODO: Implement actual email sending logic
+    logger.info(f"MOCK EMAIL to {email}: Your verification token is {token}")
+
+async def update_login_stats(user_id: str, ip: str):
+    # TODO: Update last_login_at in DB
+    pass
+
+@router.post("/register", response_model=MessageResponse)
+@limiter.limit("3/hour")
+async def register(
+    request: Request,
+    body: RegisterRequest,
+    background_tasks: BackgroundTasks,
+    db: AsyncSession = Depends(get_db)
+):
+    failures = validate_password_strength(body.password)
+    if failures:
+        raise ValidationError(f"Password too weak: {'; '.join(failures)}")
+        
+    if await exists(db, User, email=body.email):
+        raise EmailAlreadyExistsError()
+        
+    user = User(
+        email=body.email,
+        full_name=body.full_name,
+        hashed_password=hash_password(body.password),
+        is_active=False # Requires email verification
+    )
+    db.add(user)
+    await db.commit()
+    await db.refresh(user)
+    
+    plain_token, token_hash = generate_verification_token()
+    background_tasks.add_task(send_verification_email, user.email, plain_token)
+    
+    logger.info("User registered", extra={"user_id": str(user.id), "email": user.email})
+    return MessageResponse(message="Account created. Check your email to verify.")
+
+@router.post("/login", response_model=AuthResponse)
+@limiter.limit("5/minute")
+async def login(
+    request: Request,
+    background_tasks: BackgroundTasks,
+    form_data: OAuth2PasswordRequestForm = Depends(),
+    db: AsyncSession = Depends(get_db),
+    client_ip: str = Depends(get_client_ip)
+):
+    await brute_force_protector.check_and_record_failure(client_ip)
+    
+    user = await User.get_by_email(db, form_data.username)
+    if not user or not user.hashed_password or not verify_password(form_data.password, user.hashed_password):
+        await brute_force_protector.check_and_record_failure(client_ip)
+        raise AuthenticationError("Invalid email or password")
+        
+    if not user.is_active:
+        raise AccountInactiveError("Please verify your email before logging in")
+        
+    brute_force_protector.record_success(client_ip)
+    
+    access_token = create_access_token(user.id)
+    refresh_token = create_refresh_token(user.id)
+    
+    response = JSONResponse(content=AuthResponse(
+        token=TokenResponse(access_token=access_token, token_type="bearer", 
+                           expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60),
+        user=UserResponse.model_validate(user)
+    ).model_dump())
+    
+    set_refresh_cookie(response, refresh_token)
+    background_tasks.add_task(update_login_stats, user.id, client_ip)
+    
+    logger.info("User logged in", extra={"user_id": str(user.id)})
+    return response
+
+@router.post("/logout")
+async def logout(
+    request: Request,
+    current_user: User = Depends(get_current_user)
+):
+    auth_header = request.headers.get("Authorization", "")
+    token = auth_header.replace("Bearer ", "")
+    if token:
+        try:
+            payload = verify_token(token, "access")
+            await blacklist_token(payload.jti, payload.exp)
+        except Exception:
+            pass # Ignore errors on logout
+            
+    response = JSONResponse(content={"message": "Logged out successfully"})
+    clear_auth_cookies(response)
+    logger.info("User logged out", extra={"user_id": str(current_user.id)})
+    return response
+
+@router.post("/refresh", response_model=TokenResponse)
+async def refresh(request: Request, db: AsyncSession = Depends(get_db)):
+    raw_refresh = get_refresh_token_from_cookie(request)
+    payload = verify_token(raw_refresh, "refresh")
+    
+    user = await get_or_404(db, User, payload.sub)
+    if not user.is_active:
+        raise AccountInactiveError()
+        
+    new_access_token = create_access_token(user.id)
+    new_refresh_token = create_refresh_token(user.id)
+    
+    await blacklist_token(payload.jti, payload.exp)
+    
+    response = JSONResponse(content=TokenResponse(
+        access_token=new_access_token, token_type="bearer",
+        expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60
+    ).model_dump())
+    set_refresh_cookie(response, new_refresh_token)
+    return response
+
+@router.get("/me", response_model=UserResponse)
+async def get_me(current_user: User = Depends(get_current_user)):
+    return UserResponse.model_validate(current_user)

backend/core/api_keys.py

@@ -0,0 +1,56 @@
+import hashlib
+import secrets
+from datetime import datetime, UTC
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from backend.db.models import APIKey
+
+def generate_api_key() -> tuple[str, str]:
+    """Returns (plain_key, hashed_key)"""
+    prefix = "ms_live"
+    random_part = secrets.token_hex(32)
+    plain_key = f"{prefix}_{random_part}"
+    hashed = hashlib.sha256(plain_key.encode()).hexdigest()
+    return plain_key, hashed
+
+def hash_api_key(plain_key: str) -> str:
+    return hashlib.sha256(plain_key.encode()).hexdigest()
+
+async def verify_api_key(plain_key: str, db: AsyncSession) -> APIKey | None:
+    hashed = hash_api_key(plain_key)
+    result = await db.execute(
+        select(APIKey).where(APIKey.key_hash == hashed, APIKey.is_active == True)
+    )
+    api_key = result.scalar_one_or_none()
+    
+    if not api_key:
+        return None
+    if api_key.expires_at and api_key.expires_at < datetime.now(UTC).replace(tzinfo=None):
+        return None
+        
+    return api_key
+
+class APIKeyRateLimiter:
+    """In-memory rate limiter for API Keys."""
+    def __init__(self):
+        self._counters: dict[str, dict] = {}
+        
+    async def check_and_increment(self, key_id: str, limit: int) -> bool:
+        current_hour = datetime.now(UTC).strftime("%Y-%m-%dT%H")
+        
+        if key_id not in self._counters or self._counters[key_id]["hour"] != current_hour:
+            self._counters[key_id] = {"hour": current_hour, "count": 0}
+            
+        if self._counters[key_id]["count"] >= limit:
+            return False
+            
+        self._counters[key_id]["count"] += 1
+        return True
+        
+    def get_remaining(self, key_id: str, limit: int) -> int:
+        current_hour = datetime.now(UTC).strftime("%Y-%m-%dT%H")
+        if key_id not in self._counters or self._counters[key_id]["hour"] != current_hour:
+            return limit
+        return max(0, limit - self._counters[key_id]["count"])
+
+api_key_limiter = APIKeyRateLimiter()

backend/core/brute_force.py

@@ -0,0 +1,56 @@
+import asyncio
+import logging
+from datetime import datetime, timedelta, UTC
+from backend.core.exceptions import AccountLockedError
+
+logger = logging.getLogger(__name__)
+
+class BruteForceProtector:
+    """In-memory brute force protection for login attempts"""
+    
+    THRESHOLDS = [
+        (3, 30),    # 3 failures -> 30 second lockout
+        (5, 300),   # 5 failures -> 5 minute lockout
+        (10, 3600), # 10 failures -> 1 hour lockout
+    ]
+    
+    def __init__(self):
+        self._attempts: dict[str, list[datetime]] = {}
+        self._lockouts: dict[str, datetime] = {}
+        
+    async def check_and_record_failure(self, ip: str):
+        now = datetime.now(UTC)
+        
+        if ip in self._lockouts and self._lockouts[ip] > now:
+            remaining = int((self._lockouts[ip] - now).total_seconds())
+            raise AccountLockedError(f"Too many failed attempts. Try in {remaining}s")
+            
+        if ip not in self._attempts:
+            self._attempts[ip] = []
+            
+        # Clean old attempts
+        self._attempts[ip] = [t for t in self._attempts[ip] if (now - t).seconds < 3600]
+        self._attempts[ip].append(now)
+        
+        count = len(self._attempts[ip])
+        for threshold, lockout_seconds in reversed(self.THRESHOLDS):
+            if count >= threshold:
+                self._lockouts[ip] = now + timedelta(seconds=lockout_seconds)
+                logger.warning(f"Login lockout: {ip}, attempts: {count}, lockout: {lockout_seconds}s")
+                raise AccountLockedError(f"Account locked for {lockout_seconds}s")
+                
+    def record_success(self, ip: str):
+        self._attempts.pop(ip, None)
+        self._lockouts.pop(ip, None)
+        
+    def is_locked(self, ip: str) -> bool:
+        return ip in self._lockouts and self._lockouts[ip] > datetime.now(UTC)
+        
+    async def cleanup(self):
+        now = datetime.now(UTC)
+        expired = [ip for ip, until in self._lockouts.items() if until < now]
+        for ip in expired:
+            del self._lockouts[ip]
+            self._attempts.pop(ip, None)
+
+brute_force_protector = BruteForceProtector()

backend/core/middleware.py

@@ -1,26 +1,33 @@
-from fastapi import Request
-from starlette.middleware.base import BaseHTTPMiddleware
-from slowapi import Limiter, _rate_limit_exceeded_handler
-from slowapi.util import get_remote_address
+from fastapi import Request, Response
+from fastapi.responses import JSONResponse
+from slowapi import Limiter
+from slowapi.errors import RateLimitExceeded
 
-# Setup rate limiter
-limiter = Limiter(key_func=get_remote_address)
-rate_limit_handler = _rate_limit_exceeded_handler
+def get_rate_limit_key(request: Request) -> str:
+    user_id = getattr(request.state, "user_id", None)
+    if user_id:
+        return f"user:{user_id}"
+    
+    forwarded_for = request.headers.get("X-Forwarded-For")
+    if forwarded_for:
+        return f"ip:{forwarded_for.split(',')[0].strip()}"
+    return f"ip:{request.client.host}"
 
-class RequestIDMiddleware(BaseHTTPMiddleware):
-    async def dispatch(self, request: Request, call_next):
-        # Stub implementation
-        response = await call_next(request)
-        return response
+limiter = Limiter(
+    key_func=get_rate_limit_key,
+    default_limits=["1000/minute"],
+    storage_uri="memory://"
+)
 
-class SecurityHeadersMiddleware(BaseHTTPMiddleware):
-    async def dispatch(self, request: Request, call_next):
-        # Stub implementation
-        response = await call_next(request)
-        return response
-
-class AccessLogMiddleware(BaseHTTPMiddleware):
-    async def dispatch(self, request: Request, call_next):
-        # Stub implementation
-        response = await call_next(request)
-        return response
+async def rate_limit_handler(request: Request, exc: RateLimitExceeded) -> Response:
+    retry_after = exc.retry_after if hasattr(exc, "retry_after") else 60
+    return JSONResponse(
+        status_code=429,
+        content={
+            "error_code": "RATE_LIMIT_EXCEEDED",
+            "message": f"Too many requests. Try again in {retry_after} seconds.",
+            "retry_after_seconds": retry_after,
+            "limit": str(exc.limit)
+        },
+        headers={"Retry-After": str(retry_after)}
+    )

backend/core/security.py

@@ -0,0 +1,145 @@
+import hashlib
+import secrets
+import asyncio
+import re
+from datetime import datetime, timedelta, UTC
+from typing import Literal, Tuple, List, Dict
+from jose import jwt, JWTError, ExpiredSignatureError
+from passlib.context import CryptContext
+from pydantic import BaseModel
+from fastapi import Response, Request
+
+from backend.core.config import settings
+from backend.core.exceptions import (
+    ExpiredTokenError, InvalidTokenError, BlacklistedTokenError, AuthenticationError
+)
+
+# 1. Password Context
+pwd_context = CryptContext(
+    schemes=["bcrypt"],
+    deprecated="auto",
+    bcrypt__rounds=12
+)
+
+def hash_password(plain: str) -> str:
+    return pwd_context.hash(plain)
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return pwd_context.verify(plain, hashed)
+
+def validate_password_strength(password: str) -> List[str]:
+    """Returns list of failure reasons. Empty list = strong password."""
+    failures = []
+    if len(password) < 8:
+        failures.append("Must be at least 8 characters long")
+    if not re.search(r"[A-Z]", password):
+        failures.append("Must contain at least one uppercase letter")
+    if not re.search(r"[a-z]", password):
+        failures.append("Must contain at least one lowercase letter")
+    if not re.search(r"\d", password):
+        failures.append("Must contain at least one number")
+    if not re.search(r"[!@#$%^&*(),.?\":{}|<>]", password):
+        failures.append("Must contain at least one special character")
+    return failures
+
+# 2. Token Payload Model
+class TokenPayload(BaseModel):
+    sub: str          # user_id
+    type: Literal["access", "refresh"]
+    jti: str          # unique token ID
+    iat: datetime
+    exp: datetime
+
+# 3 & 4. Token Creation
+def create_token(user_id: str, token_type: Literal["access", "refresh"], extra_claims: dict = None) -> str:
+    claims = extra_claims or {}
+    now = datetime.now(UTC)
+    
+    if token_type == "access":
+        expires_delta = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    else:
+        expires_delta = timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
+
+    payload = {
+        "sub": str(user_id),
+        "type": token_type,
+        "jti": secrets.token_hex(16),
+        "iat": now,
+        "exp": now + expires_delta,
+        **claims
+    }
+    return jwt.encode(payload, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
+
+def create_access_token(user_id: str, extra_claims: dict = None) -> str:
+    return create_token(user_id, "access", extra_claims)
+
+def create_refresh_token(user_id: str) -> str:
+    return create_token(user_id, "refresh")
+
+# 5. Token Verification
+def verify_token(token: str, expected_type: Literal["access", "refresh"]) -> TokenPayload:
+    try:
+        payload = jwt.decode(token, settings.JWT_SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])
+    except ExpiredSignatureError:
+        raise ExpiredTokenError("Token has expired")
+    except JWTError:
+        raise InvalidTokenError("Token is invalid")
+    
+    if payload.get("type") != expected_type:
+        raise InvalidTokenError(f"Expected {expected_type} token")
+    
+    if is_token_blacklisted(payload.get("jti")):
+        raise BlacklistedTokenError()
+    
+    return TokenPayload(**payload)
+
+# 6. In-Memory Blacklist
+_blacklist: Dict[str, datetime] = {}
+_blacklist_lock = asyncio.Lock()
+
+async def blacklist_token(jti: str, expires_at: datetime):
+    async with _blacklist_lock:
+        _blacklist[jti] = expires_at
+
+def is_token_blacklisted(jti: str) -> bool:
+    return jti in _blacklist
+
+async def cleanup_expired_blacklist() -> int:
+    """Call hourly from scheduler. Returns count of removed entries."""
+    now = datetime.now(UTC)
+    async with _blacklist_lock:
+        expired = [jti for jti, exp in _blacklist.items() if exp < now]
+        for jti in expired:
+            del _blacklist[jti]
+    return len(expired)
+
+# 7, 8 & 9. Cookie Management
+def set_refresh_cookie(response: Response, token: str):
+    response.set_cookie(
+        key="refresh_token",
+        value=token,
+        max_age=settings.REFRESH_TOKEN_EXPIRE_DAYS * 86400,
+        httponly=True,
+        secure=settings.is_production,
+        samesite="lax",
+        path="/api/v1/auth/refresh"
+    )
+
+def clear_auth_cookies(response: Response):
+    response.delete_cookie("refresh_token", path="/api/v1/auth/refresh")
+
+def get_refresh_token_from_cookie(request: Request) -> str:
+    token = request.cookies.get("refresh_token")
+    if not token:
+        raise AuthenticationError("No refresh token found")
+    return token
+
+# 10 & 11. Security Utilities
+def generate_verification_token() -> Tuple[str, str]:
+    plain = secrets.token_urlsafe(32)
+    hashed = hashlib.sha256(plain.encode()).hexdigest()
+    return plain, hashed
+
+def verify_token_hash(plain: str, stored_hash: str) -> bool:
+    computed = hashlib.sha256(plain.encode()).hexdigest()
+    return secrets.compare_digest(computed, stored_hash)

backend/utils/validators.py

@@ -0,0 +1,122 @@
+import io
+import re
+import uuid
+import logging
+import unicodedata
+from pathlib import Path
+from dataclasses import dataclass
+from fastapi import UploadFile
+import magic
+from PIL import Image
+
+from backend.core.config import settings
+from backend.core.exceptions import (
+    FileTooLargeError, InvalidFileTypeError, InvalidFileError, 
+    SecurityError, PromptInjectionError, ValidationError, PathTraversalError
+)
+
+logger = logging.getLogger(__name__)
+
+@dataclass
+class ImageMetadata:
+    filename: str
+    size_bytes: int
+    mime_type: str
+    width: int
+    height: int
+    mode: str
+    content: bytes
+
+class ImageValidator:
+    ALLOWED_MIME_TYPES = {"image/jpeg", "image/png", "image/dicom"}
+    MAX_SIZE_BYTES = 10 * 1024 * 1024
+    MIN_DIMENSION = 64
+    MAX_DIMENSION = 4096
+    
+    @staticmethod
+    async def validate(file: UploadFile) -> ImageMetadata:
+        content = await file.read(ImageValidator.MAX_SIZE_BYTES + 1)
+        if len(content) > ImageValidator.MAX_SIZE_BYTES:
+            raise FileTooLargeError(f"Max file size is {ImageValidator.MAX_SIZE_BYTES//1024//1024}MB")
+        await file.seek(0)
+        
+        # Verify Mime via Magic Bytes
+        mime = magic.from_buffer(content[:2048], mime=True)
+        if mime not in ImageValidator.ALLOWED_MIME_TYPES:
+            raise InvalidFileTypeError(f"File type '{mime}' not supported. Allowed: {', '.join(ImageValidator.ALLOWED_MIME_TYPES)}")
+            
+        try:
+            with Image.open(io.BytesIO(content)) as img:
+                width, height = img.size
+                mode = img.mode
+        except Exception:
+            raise InvalidFileError("File is corrupted or cannot be read as an image")
+            
+        if width < ImageValidator.MIN_DIMENSION or height < ImageValidator.MIN_DIMENSION:
+            raise InvalidFileError(f"Image too small (min {ImageValidator.MIN_DIMENSION}px)")
+        if width > ImageValidator.MAX_DIMENSION or height > ImageValidator.MAX_DIMENSION:
+            raise InvalidFileError(f"Image too large (max {ImageValidator.MAX_DIMENSION}px)")
+            
+        # EXIF script injection check
+        first_2kb = content[:2048].decode('utf-8', errors='ignore').lower()
+        if any(bad in first_2kb for bad in ["<script", "javascript:", "eval("]):
+            logger.error("Security alert: Script payload detected in image bytes")
+            raise SecurityError("Invalid file content detected")
+            
+        return ImageMetadata(
+            filename=file.filename or "unknown.png", size_bytes=len(content),
+            mime_type=mime, width=width, height=height, mode=mode, content=content
+        )
+
+def sanitize_symptoms_text(text: str) -> str:
+    if not text:
+        return ""
+    text = text.replace("\x00", "")
+    text = unicodedata.normalize("NFKC", text)
+    text = re.sub(r"<[^>]+>", "", text)
+    
+    INJECTION_PATTERNS = [
+        r"ignore\s+(previous|all|above)\s+instructions",
+        r"you\s+are\s+now\s+(a|an)",
+        r"system\s*:",
+        r"assistant\s*:",
+        r"jailbreak",
+        r"DAN\s+mode",
+        r"pretend\s+you\s+are"
+    ]
+    for pattern in INJECTION_PATTERNS:
+        if re.search(pattern, text, re.IGNORECASE):
+            logger.warning(f"Prompt injection detected in input", extra={"pattern": pattern})
+            raise PromptInjectionError("Input contains disallowed content. Please describe symptoms naturally.")
+            
+    MAX_LENGTH = 2000
+    if len(text) > MAX_LENGTH:
+        text = text[:MAX_LENGTH]
+        
+    return " ".join(text.split()).strip()
+
+def validate_patient_id(patient_id: str) -> str:
+    if not patient_id:
+        return ""
+    if not re.match(r"^[a-zA-Z0-9_-]{1,50}$", patient_id):
+        raise ValidationError("Patient ID must be 1-50 characters: letters, numbers, hyphens, underscores only")
+    return patient_id
+
+def validate_chat_message(message: str) -> str:
+    if not message or not message.strip():
+        raise ValidationError("Message cannot be empty")
+    if len(message) > 500:
+        raise ValidationError("Message too long (max 500 characters)")
+    return sanitize_symptoms_text(message)
+
+def safe_temp_path(filename: str) -> Path:
+    safe_name = re.sub(r"[^a-zA-Z0-9._-]", "_", Path(filename).name)
+    unique_name = f"{uuid.uuid4().hex}_{safe_name}"
+    temp_path = settings.TEMP_DIR / unique_name
+    
+    resolved = temp_path.resolve()
+    temp_dir_resolved = settings.TEMP_DIR.resolve()
+    if not str(resolved).startswith(str(temp_dir_resolved)):
+        raise PathTraversalError(f"Invalid path detected: {filename}")
+        
+    return temp_path

frontend/components/auth/GoogleLoginButton.jsx

@@ -0,0 +1,31 @@
+'use client';
+import { useState } from 'react';
+
+export default function GoogleLoginButton() {
+    const [loading, setLoading] = useState(false);
+
+    const handleGoogleLogin = () => {
+        setLoading(true);
+        window.location.href = `${process.env.NEXT_PUBLIC_API_URL}/api/v1/auth/google/login`;
+    };
+
+    return (
+        <button
+            onClick={handleGoogleLogin}
+            disabled={loading}
+            className="flex items-center justify-center w-full px-4 py-2 space-x-2 bg-white border border-gray-300 rounded focus:outline-none focus:ring-2 focus:ring-offset-1 focus:ring-gray-200 hover:shadow disabled:opacity-50"
+        >
+            {loading ? (
+                <div className="w-5 h-5 border-2 border-gray-300 border-t-gray-600 rounded-full animate-spin" />
+            ) : (
+                <svg className="w-5 h-5" viewBox="0 0 24 24">
+                    <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" />
+                    <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" />
+                    <path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" />
+                    <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" />
+                </svg>
+            )}
+            <span className="text-sm font-medium text-gray-700">Continue with Google</span>
+        </button>
+    );
+}