From 696793c84fcffac68060f819c5a97d22236eff1d Mon Sep 17 00:00:00 2001 From: Mondo Diaz Date: Thu, 8 Jan 2026 15:14:54 -0600 Subject: [PATCH] Fix auth datetime comparison and bcrypt dependency - Use timezone-aware datetimes (datetime.now(timezone.utc)) for session expiry comparison - Add explicit bcrypt==4.0.1 dependency for passlib bcrypt backend --- backend/app/auth.py | 16 ++++++++-------- backend/requirements.txt | 1 + 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/backend/app/auth.py b/backend/app/auth.py index 01bcab6..ce8169f 100644 --- a/backend/app/auth.py +++ b/backend/app/auth.py @@ -5,7 +5,7 @@ Handles password hashing, session management, and API key operations. import hashlib import secrets -from datetime import datetime, timedelta +from datetime import datetime, timedelta, timezone from typing import Optional from passlib.context import CryptContext from sqlalchemy.orm import Session @@ -113,7 +113,7 @@ class AuthService: def update_last_login(self, user: User) -> None: """Update the user's last login timestamp.""" - user.last_login = datetime.utcnow() + user.last_login = datetime.now(timezone.utc) self.db.commit() def list_users(self, include_inactive: bool = False) -> list[User]: @@ -159,7 +159,7 @@ class AuthService: session = UserSession( user_id=user.id, token_hash=token_hash, - expires_at=datetime.utcnow() + timedelta(hours=SESSION_DURATION_HOURS), + expires_at=datetime.now(timezone.utc) + timedelta(hours=SESSION_DURATION_HOURS), user_agent=user_agent, ip_address=ip_address, ) @@ -184,14 +184,14 @@ class AuthService: if not session: return None - if session.expires_at < datetime.utcnow(): + if session.expires_at < datetime.now(timezone.utc): # Session has expired, delete it self.db.delete(session) self.db.commit() return None # Update last accessed time - session.last_accessed = datetime.utcnow() + session.last_accessed = datetime.now(timezone.utc) self.db.commit() return session 
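Review bot: In the `@@ -184,14` hunk, `session.expires_at < datetime.now(timezone.utc)` raises `TypeError` if `expires_at` is loaded without tzinfo, and nothing in this patch shows the column declared as `DateTime(timezone=True)`; some backends (SQLite, for example) return naive values even then. Since this comparison is the gate on session lifetime, I would normalise before comparing, e.g. `expires_at = session.expires_at if session.expires_at.tzinfo else session.expires_at.replace(tzinfo=timezone.utc)`, and compare against that. The same applies to `api_key.expires_at` in the `@@ -268,11` hunk, and the SQL-side filter in the `@@ -213,7` hunk depends on the same column type. The method containing this check starts outside the hunk, so the model definition may already cover this.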
@@ -213,7 +213,7 @@ class AuthService: """Delete all expired sessions. Returns count of deleted sessions.""" count = ( self.db.query(UserSession) - .filter(UserSession.expires_at < datetime.utcnow()) + .filter(UserSession.expires_at < datetime.now(timezone.utc)) .delete() ) self.db.commit() @@ -268,11 +268,11 @@ class AuthService: return None # Check expiration - if api_key.expires_at and api_key.expires_at < datetime.utcnow(): + if api_key.expires_at and api_key.expires_at < datetime.now(timezone.utc): return None # Update last used time - api_key.last_used = datetime.utcnow() + api_key.last_used = datetime.now(timezone.utc) self.db.commit() return api_key diff --git a/backend/requirements.txt b/backend/requirements.txt index 67a4138..bcc4060 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -9,6 +9,7 @@ pydantic==2.5.3 pydantic-settings==2.1.0 python-jose[cryptography]==3.3.0 passlib[bcrypt]==1.7.4 +bcrypt==4.0.1 # Test dependencies pytest>=7.4.0
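Review bot: The new `bcrypt==4.0.1` line has no comment saying why the password-hashing backend is held at an exact version, so a later dependency refresh will either drop the pin or leave it stale without anyone knowing which is safe. As far as I know the reason is that passlib 1.7.4 reads `bcrypt.__about__`, which later bcrypt releases no longer provide; if that is the case, say so above the line, e.g. `# bcrypt pinned: passlib 1.7.4 breaks on newer bcrypt; revisit when passlib is replaced`. It would also help to have a test that hashes and verifies one password, so a backend mismatch fails in CI rather than at login.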