Add web frontend with JWT auth, RBAC, SSE dashboard, and config editor

- FastAPI + htmx + Jinja2 web frontend, started with --web flag - JWT HS256 auth (WEB_SECRET_KEY) with httpOnly cookies; access (15 min) + refresh (7 day) tokens; refresh rotation + JTI revocation in data/web.db - RBAC: superadmin > admin > reader enforced per route - Live SSE dashboard fed by tui/events broadcast queue - Config editor: keyword groups and channel list saved to data/runtime_config.json and hot-reloaded in-process (scorer.reload_from_config, signal_channel_changed) - config.py migrated to load groups/channels from runtime_config.json; falls back to hardcoded defaults when file absent - tui/events.py: subscribe/unsubscribe broadcast, set_bot_context/signal_channel_changed - utils/scorer.py: import config as _config (fixes local binding); reload_from_config() - utils/database.py: count_by_severity, recent_for_domains, count_by_severity_for_domains - 53 new tests (events bus, JWT lifecycle, web DB CRUD, RBAC enforcement, config round-trip); total 141 passing
2026-04-02 11:41:46 -03:00
parent b28168c846
commit 4c104cddd2
32 changed files with 2093 additions and 47 deletions
--- a/web/dependencies.py
+++ b/web/dependencies.py
@@ -0,0 +1,52 @@
+"""
+web/dependencies.py — FastAPI dependency functions.
+
+get_current_user: reads the access_token cookie, decodes + validates it,
+                  loads the user row from web.db. Raises 401 if anything fails.
+
+require_role(min_role): returns a dependency that enforces a minimum RBAC level.
+"""
+
+from fastapi import Cookie, Depends, HTTPException, status
+
+from web import auth, db
+
+_ROLE_ORDER = ["reader", "admin", "superadmin"]
+
+
+def _role_rank(role: str) -> int:
+    try:
+        return _ROLE_ORDER.index(role)
+    except ValueError:
+        return -1
+
+
+async def get_current_user(
+    access_token: str | None = Cookie(default=None),
+) -> db.sqlite3.Row:
+    exc = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Not authenticated",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    if not access_token:
+        raise exc
+    payload = auth.decode_access_token(access_token)
+    if payload is None:
+        raise exc
+    user = db.get_user_by_id(payload["sub"])
+    if user is None or not user["is_active"]:
+        raise exc
+    return user
+
+
+def require_role(min_role: str):
+    """FastAPI dependency factory: ensures user role >= min_role."""
+    async def _dep(user=Depends(get_current_user)):
+        if _role_rank(user["role"]) < _role_rank(min_role):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Requires role: {min_role}",
+            )
+        return user
+    return _dep