Add web frontend with JWT auth, RBAC, SSE dashboard, and config editor
- FastAPI + htmx + Jinja2 web frontend, started with --web flag - JWT HS256 auth (WEB_SECRET_KEY) with httpOnly cookies; access (15 min) + refresh (7 day) tokens; refresh rotation + JTI revocation in data/web.db - RBAC: superadmin > admin > reader enforced per route - Live SSE dashboard fed by tui/events broadcast queue - Config editor: keyword groups and channel list saved to data/runtime_config.json and hot-reloaded in-process (scorer.reload_from_config, signal_channel_changed) - config.py migrated to load groups/channels from runtime_config.json; falls back to hardcoded defaults when file absent - tui/events.py: subscribe/unsubscribe broadcast, set_bot_context/signal_channel_changed - utils/scorer.py: import config as _config (fixes local binding); reload_from_config() - utils/database.py: count_by_severity, recent_for_domains, count_by_severity_for_domains - 53 new tests (events bus, JWT lifecycle, web DB CRUD, RBAC enforcement, config round-trip); total 141 passing
This commit is contained in:
76
web/auth.py
Normal file
76
web/auth.py
Normal file
@@ -0,0 +1,76 @@
|
||||
"""
|
||||
web/auth.py — JWT signing/verification and bcrypt password helpers.
|
||||
|
||||
Tokens:
|
||||
access — HS256, 15 min TTL, payload: {sub, role, type:"access"}
|
||||
refresh — HS256, 7 day TTL, payload: {sub, jti, type:"refresh"}
|
||||
|
||||
Both tokens live in httpOnly SameSite=Strict cookies.
|
||||
The `type` claim prevents an access token being used as a refresh token.
|
||||
|
||||
Secret: WEB_SECRET_KEY env var (required; no hardcoded default).
|
||||
"""
|
||||
|
||||
import os
|
||||
import uuid
|
||||
from datetime import datetime, timedelta, timezone
|
||||
|
||||
import bcrypt as _bcrypt_lib
|
||||
from jose import JWTError, jwt
|
||||
|
||||
_SECRET_KEY = os.environ.get("WEB_SECRET_KEY", "")
|
||||
_ALGORITHM = "HS256"
|
||||
|
||||
ACCESS_TOKEN_EXPIRE_MINUTES = 15
|
||||
REFRESH_TOKEN_EXPIRE_DAYS = 7
|
||||
|
||||
|
||||
def _secret() -> str:
|
||||
if not _SECRET_KEY:
|
||||
raise RuntimeError("WEB_SECRET_KEY env var is required.")
|
||||
return _SECRET_KEY
|
||||
|
||||
|
||||
def hash_password(plain: str) -> str:
|
||||
return _bcrypt_lib.hashpw(plain.encode("utf-8"), _bcrypt_lib.gensalt()).decode("utf-8")
|
||||
|
||||
|
||||
def verify_password(plain: str, hashed: str) -> bool:
|
||||
return _bcrypt_lib.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
|
||||
|
||||
|
||||
def create_access_token(user_id: str, role: str) -> str:
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
|
||||
payload = {"sub": user_id, "role": role, "type": "access", "exp": expire}
|
||||
return jwt.encode(payload, _secret(), algorithm=_ALGORITHM)
|
||||
|
||||
|
||||
def create_refresh_token(user_id: str) -> tuple[str, str, datetime]:
|
||||
"""Returns (encoded_token, jti, expires_at)."""
|
||||
jti = str(uuid.uuid4())
|
||||
expires_at = datetime.now(timezone.utc) + timedelta(days=REFRESH_TOKEN_EXPIRE_DAYS)
|
||||
payload = {"sub": user_id, "jti": jti, "type": "refresh", "exp": expires_at}
|
||||
token = jwt.encode(payload, _secret(), algorithm=_ALGORITHM)
|
||||
return token, jti, expires_at
|
||||
|
||||
|
||||
def decode_access_token(token: str) -> dict | None:
|
||||
"""Returns payload dict or None if invalid/expired."""
|
||||
try:
|
||||
payload = jwt.decode(token, _secret(), algorithms=[_ALGORITHM])
|
||||
if payload.get("type") != "access":
|
||||
return None
|
||||
return payload
|
||||
except JWTError:
|
||||
return None
|
||||
|
||||
|
||||
def decode_refresh_token(token: str) -> dict | None:
|
||||
"""Returns payload dict or None if invalid/expired."""
|
||||
try:
|
||||
payload = jwt.decode(token, _secret(), algorithms=[_ALGORITHM])
|
||||
if payload.get("type") != "refresh":
|
||||
return None
|
||||
return payload
|
||||
except JWTError:
|
||||
return None
|
||||
Reference in New Issue
Block a user