projects-dashboard/auth.py at master · tilman-d/projects-dashboard · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
"""Authentication dependencies and utilities."""

from fastapi import Request, HTTPException, Depends
from fastapi.responses import RedirectResponse
from config import DASHBOARD_TOKEN
from oauth import verify_session_token, SESSION_COOKIE_NAME

# URL prefix for reverse proxy
URL_PREFIX = "/projects"


def verify_token(token: str) -> bool:
    """Verify API token."""
    return token == DASHBOARD_TOKEN


async def get_token_from_request(request: Request) -> str | None:
    """Extract token from request (header or query param)."""
    auth_header = request.headers.get("Authorization")
    if auth_header and auth_header.startswith("Bearer "):
        return auth_header[7:]
    return request.query_params.get("token")


def is_authenticated(request: Request) -> bool:
    """Check if request has valid session cookie."""
    session_token = request.cookies.get(SESSION_COOKIE_NAME)
    if session_token:
        return verify_session_token(session_token)
    return False


async def require_auth(request: Request):
    """Dependency that requires authentication."""
    # Check session cookie (browser)
    if is_authenticated(request):
        request.state.authenticated = True
        return True

    # Check API token (programmatic access)
    token = await get_token_from_request(request)
    if token and verify_token(token):
        request.state.token = token
        request.state.authenticated = True
        return True

    # Not authenticated
    accept = request.headers.get("accept", "")
    if accept.startswith("text/html"):
        raise HTTPException(
            status_code=302,
            headers={"Location": f"{URL_PREFIX}/login"}
        )

    raise HTTPException(
        status_code=401,
        detail="Authentication required"
    )


async def require_auth_html(request: Request):
    """Dependency that requires authentication for HTML pages (redirects to login)."""
    if is_authenticated(request):
        request.state.authenticated = True
        return True

    token = await get_token_from_request(request)
    if token and verify_token(token):
        request.state.token = token
        request.state.authenticated = True
        return True

    raise HTTPException(
        status_code=302,
        headers={"Location": f"{URL_PREFIX}/login"}
    )


async def require_auth_api(request: Request):
    """Dependency that requires authentication for API endpoints (returns 401)."""
    if is_authenticated(request):
        request.state.authenticated = True
        return True

    token = await get_token_from_request(request)
    if token and verify_token(token):
        request.state.token = token
        request.state.authenticated = True
        return True

    raise HTTPException(
        status_code=401,
        detail="Authentication required"
    )