greatmengqi
27b66d6753
Introduce an always-on auth layer with auto-created admin on first boot, multi-tenant isolation for threads/stores, and a full setup/login flow. Backend - JWT access tokens with `ver` field for stale-token rejection; bump on password/email change - Password hashing, HttpOnly+Secure cookies (Secure derived from request scheme at runtime) - CSRF middleware covering both REST and LangGraph routes - IP-based login rate limiting (5 attempts / 5-min lockout) with bounded dict growth and X-Forwarded-For bypass fix - Multi-worker-safe admin auto-creation (single DB write, WAL once) - needs_setup + token_version on User model; SQLite schema migration - Thread/store isolation by owner; orphan thread migration on first admin registration - thread_id validated as UUID to prevent log injection - CLI tool to reset admin password - Decorator-based authz module extracted from auth core Frontend - Login and setup pages with SSR guard for needs_setup flow - Account settings page (change password / email) - AuthProvider + route guards; skips redirect when no users registered - i18n (en-US / zh-CN) for auth surfaces - Typed auth API client; parseAuthError unwraps FastAPI detail envelope Infra & tooling - Unified `serve.sh` with gateway mode + auto dep install - Public PyPI uv.toml pin for CI compatibility - Regenerated uv.lock with public index Tests - HTTP vs HTTPS cookie security tests - Auth middleware, rate limiter, CSRF, setup flow coverage
88 lines
2.9 KiB
Python
88 lines
2.9 KiB
Python
"""Local email/password authentication provider."""
|
|
|
|
from app.gateway.auth.models import User
|
|
from app.gateway.auth.password import hash_password_async, verify_password_async
|
|
from app.gateway.auth.providers import AuthProvider
|
|
from app.gateway.auth.repositories.base import UserRepository
|
|
|
|
|
|
class LocalAuthProvider(AuthProvider):
|
|
"""Email/password authentication provider using local database."""
|
|
|
|
def __init__(self, repository: UserRepository):
|
|
"""Initialize with a UserRepository.
|
|
|
|
Args:
|
|
repository: UserRepository implementation (SQLite)
|
|
"""
|
|
self._repo = repository
|
|
|
|
async def authenticate(self, credentials: dict) -> User | None:
|
|
"""Authenticate with email and password.
|
|
|
|
Args:
|
|
credentials: dict with 'email' and 'password' keys
|
|
|
|
Returns:
|
|
User if authentication succeeds, None otherwise
|
|
"""
|
|
email = credentials.get("email")
|
|
password = credentials.get("password")
|
|
|
|
if not email or not password:
|
|
return None
|
|
|
|
user = await self._repo.get_user_by_email(email)
|
|
if user is None:
|
|
return None
|
|
|
|
if user.password_hash is None:
|
|
# OAuth user without local password
|
|
return None
|
|
|
|
if not await verify_password_async(password, user.password_hash):
|
|
return None
|
|
|
|
return user
|
|
|
|
async def get_user(self, user_id: str) -> User | None:
|
|
"""Get user by ID."""
|
|
return await self._repo.get_user_by_id(user_id)
|
|
|
|
async def create_user(self, email: str, password: str | None = None, system_role: str = "user", needs_setup: bool = False) -> User:
|
|
"""Create a new local user.
|
|
|
|
Args:
|
|
email: User email address
|
|
password: Plain text password (will be hashed)
|
|
system_role: Role to assign ("admin" or "user")
|
|
needs_setup: If True, user must complete setup on first login
|
|
|
|
Returns:
|
|
Created User instance
|
|
"""
|
|
password_hash = await hash_password_async(password) if password else None
|
|
user = User(
|
|
email=email,
|
|
password_hash=password_hash,
|
|
system_role=system_role,
|
|
needs_setup=needs_setup,
|
|
)
|
|
return await self._repo.create_user(user)
|
|
|
|
async def get_user_by_oauth(self, provider: str, oauth_id: str) -> User | None:
|
|
"""Get user by OAuth provider and ID."""
|
|
return await self._repo.get_user_by_oauth(provider, oauth_id)
|
|
|
|
async def count_users(self) -> int:
|
|
"""Return total number of registered users."""
|
|
return await self._repo.count_users()
|
|
|
|
async def update_user(self, user: User) -> User:
|
|
"""Update an existing user."""
|
|
return await self._repo.update_user(user)
|
|
|
|
async def get_user_by_email(self, email: str) -> User | None:
|
|
"""Get user by email."""
|
|
return await self._repo.get_user_by_email(email)
|