Implement mandatory authentication and usage tracking for OpenAI API protection

- Enable strict authentication requirement for all users
- Add comprehensive usage tracking middleware
- Monitor OpenAI API calls with detailed logging
- Create beautiful login page explaining security requirements
- Add usage summary endpoint for monitoring
- Protect against abuse and track costs

backend/app.py

@@ -14,6 +14,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from starlette.middleware.sessions import SessionMiddleware
 from fastapi.responses import RedirectResponse, HTMLResponse
 from backend.middleware.auth import ConditionalAuthMiddleware
+from backend.middleware.usage_tracker import UsageTrackingMiddleware
 from utils.environment import should_enable_auth, debug_environment
 
 
@@ -51,6 +52,9 @@ app.add_middleware(
     max_age=86400,  # 24 hours
 )
 
+# Add usage tracking middleware (before auth, to track all requests)
+app.add_middleware(UsageTrackingMiddleware)
+
 # Add conditional authentication middleware
 app.add_middleware(ConditionalAuthMiddleware)
 

backend/middleware/__init__.py

@@ -3,5 +3,6 @@ Middleware package for AgentGraph backend.
 """
 
 from .auth import ConditionalAuthMiddleware
+from .usage_tracker import UsageTrackingMiddleware
 
-__all__ = ["ConditionalAuthMiddleware"]
+__all__ = ["ConditionalAuthMiddleware", "UsageTrackingMiddleware"]

backend/middleware/auth.py

@@ -75,20 +75,25 @@ class ConditionalAuthMiddleware(BaseHTTPMiddleware):
         # Check user authentication
         user = await self._get_current_user(request)
         if not user:
-            # In HF Spaces, if OAuth is configured but user is not authenticated,
-            # we can still allow access but with limited functionality
-            # This makes the auth "optional" rather than "required"
+            # 🔐 MANDATORY AUTHENTICATION: Protect OpenAI API usage
+            # All users must be authenticated to prevent abuse of OpenAI resources
             
-            # For now, let's allow access but log the unauthenticated state
-            logger.info(f"Unauthenticated access to {request.url.path} in HF Spaces")
+            logger.warning(f"🚫 Unauthorized access attempt to {request.url.path} from {request.client.host if request.client else 'unknown'}")
             
-            # You can uncomment these lines to make auth strictly required:
-            # if request.url.path.startswith("/api/"):
-            #     return JSONResponse(
-            #         status_code=401,
-            #         content={"error": "Authentication required", "login_url": "/auth/login"}
-            #     )
-            # return RedirectResponse(url="/auth/login", status_code=302)
+            # For API calls, return JSON error with login instructions
+            if request.url.path.startswith("/api/"):
+                return JSONResponse(
+                    status_code=401,
+                    content={
+                        "error": "Authentication required to access OpenAI-powered features",
+                        "message": "Please log in with your Hugging Face account to use this service",
+                        "login_url": "/auth/login",
+                        "reason": "API access requires user authentication for security and usage tracking"
+                    }
+                )
+            
+            # For web requests, redirect to login page
+            return RedirectResponse(url="/auth/login-page", status_code=302)
         
         # Add user info to request state
         request.state.user = user

backend/middleware/usage_tracker.py

@@ -0,0 +1,134 @@
+"""
+Usage Tracking Middleware
+
+Tracks user API usage for security and monitoring purposes.
+Especially important for OpenAI API calls which cost money.
+"""
+
+import logging
+import time
+from typing import Dict, Any, Optional
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+from utils.environment import is_huggingface_space
+import json
+from datetime import datetime
+
+logger = logging.getLogger(__name__)
+
+
+class UsageTrackingMiddleware(BaseHTTPMiddleware):
+    """
+    Middleware to track user API usage, especially for OpenAI-powered endpoints.
+    """
+    
+    def __init__(self, app):
+        super().__init__(app)
+        
+        # Endpoints that use OpenAI API (and thus cost money)
+        self.openai_endpoints = [
+            "/api/knowledge-graphs/extract",
+            "/api/knowledge-graphs/analyze", 
+            "/api/methods/",
+            "/api/traces/analyze",
+            "/api/causal/",
+        ]
+        
+        # Endpoints that should be monitored for usage patterns
+        self.monitored_endpoints = self.openai_endpoints + [
+            "/api/traces/",
+            "/api/tasks/",
+            "/api/perturbation/",
+        ]
+    
+    async def dispatch(self, request: Request, call_next):
+        """Track API usage and log user activity."""
+        start_time = time.time()
+        
+        # Get user info from request state (set by auth middleware)
+        user = getattr(request.state, "user", None)
+        user_id = user.get("username", "anonymous") if user else "anonymous"
+        user_auth_method = user.get("auth_method", "none") if user else "none"
+        
+        # Track the request
+        should_track = any(
+            request.url.path.startswith(endpoint) 
+            for endpoint in self.monitored_endpoints
+        )
+        
+        is_openai_call = any(
+            request.url.path.startswith(endpoint)
+            for endpoint in self.openai_endpoints
+        )
+        
+        # Log the request if it's being tracked
+        if should_track:
+            client_ip = request.client.host if request.client else "unknown"
+            logger.info(
+                f"📊 API Usage: {user_id} ({user_auth_method}) -> "
+                f"{request.method} {request.url.path} from {client_ip} "
+                f"{'💰 [OpenAI]' if is_openai_call else ''}"
+            )
+        
+        # Process the request
+        response = await call_next(request)
+        
+        # Calculate duration
+        duration = time.time() - start_time
+        
+        # Log completion for important endpoints
+        if should_track:
+            status_emoji = "✅" if response.status_code < 400 else "❌"
+            cost_warning = " 💸 COST INCURRED" if is_openai_call and response.status_code < 400 else ""
+            
+            logger.info(
+                f"{status_emoji} API Complete: {user_id} -> "
+                f"{request.method} {request.url.path} "
+                f"[{response.status_code}] in {duration:.2f}s{cost_warning}"
+            )
+            
+            # Log detailed usage for OpenAI calls
+            if is_openai_call:
+                self._log_openai_usage(user_id, user_auth_method, request, response, duration)
+        
+        return response
+    
+    def _log_openai_usage(
+        self, 
+        user_id: str, 
+        auth_method: str, 
+        request: Request, 
+        response: Response, 
+        duration: float
+    ):
+        """Log detailed information about OpenAI API usage."""
+        
+        usage_record = {
+            "timestamp": datetime.now().isoformat(),
+            "user_id": user_id,
+            "auth_method": auth_method,
+            "endpoint": request.url.path,
+            "method": request.method,
+            "status_code": response.status_code,
+            "duration_seconds": round(duration, 2),
+            "client_ip": request.client.host if request.client else "unknown",
+            "user_agent": request.headers.get("User-Agent", "unknown"),
+            "environment": "hf_spaces" if is_huggingface_space() else "local",
+        }
+        
+        # Log as structured data for easy parsing/analysis
+        logger.warning(
+            f"💰 OPENAI_USAGE: {json.dumps(usage_record, separators=(',', ':'))}"
+        )
+        
+        # Also log a human-readable summary
+        if response.status_code >= 400:
+            logger.error(
+                f"🚨 OpenAI API Error: User {user_id} got {response.status_code} "
+                f"on {request.url.path} - potential abuse or misconfiguration"
+            )
+        else:
+            logger.info(
+                f"💰 OpenAI API Success: User {user_id} used {request.url.path} "
+                f"({duration:.2f}s) - track costs and usage patterns"
+            )

backend/routers/auth.py

@@ -28,7 +28,7 @@ async def auth_status(request: Request):
         "auth_enabled": should_enable_auth(),
         "environment": "huggingface_spaces" if is_huggingface_space() else "local_development",
         "oauth_available": bool(config),
-        "login_required": False,  # Set to optional for now
+        "login_required": True,  # Mandatory for OpenAI API protection
         "user_authenticated": bool(user),
         "user_info": {
             "auth_method": user.get("auth_method") if user else None,
@@ -189,7 +189,7 @@ async def get_current_user(request: Request):
 @router.get("/login-page")
 async def login_page(request: Request):
     """
-    Serve a simple login page for environments where auth is required.
+    Serve a login page explaining why authentication is required.
     """
     if not should_enable_auth():
         return RedirectResponse(url="/", status_code=302)
@@ -198,18 +198,56 @@ async def login_page(request: Request):
     <!DOCTYPE html>
     <html>
     <head>
-        <title>AgentGraph - Login Required</title>
+        <title>AgentGraph - Authentication Required</title>
         <style>
-            body { font-family: Arial, sans-serif; text-align: center; margin-top: 100px; }
-            .login-container { max-width: 400px; margin: 0 auto; padding: 20px; border: 1px solid #ddd; border-radius: 8px; }
-            .login-btn { background: #ff6b35; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; font-weight: bold; }
+            body { 
+                font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; 
+                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                margin: 0; padding: 0; min-height: 100vh; display: flex; align-items: center; justify-content: center;
+            }
+            .login-container { 
+                background: white; max-width: 500px; margin: 0 auto; padding: 40px; 
+                border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.3); text-align: center;
+            }
+            .login-btn { 
+                background: #ff6b35; color: white; padding: 14px 28px; text-decoration: none; 
+                border-radius: 8px; font-weight: bold; display: inline-block; margin-top: 20px;
+                transition: background 0.3s ease;
+            }
+            .login-btn:hover { background: #e55a2b; }
+            .icon { font-size: 48px; margin-bottom: 20px; }
+            .subtitle { color: #666; margin: 20px 0; line-height: 1.6; }
+            .security-note { 
+                background: #f8f9fa; padding: 15px; border-radius: 8px; margin: 20px 0;
+                border-left: 4px solid #ff6b35; text-align: left; font-size: 14px;
+            }
         </style>
     </head>
     <body>
         <div class="login-container">
+            <div class="icon">🔐</div>
             <h1>🕸️ AgentGraph</h1>
-            <p>Please log in with your Hugging Face account to access AgentGraph.</p>
-            <a href="/auth/login" class="login-btn">Login with Hugging Face</a>
+            <h2>Authentication Required</h2>
+            <p class="subtitle">
+                AgentGraph uses advanced AI models (OpenAI GPT) to provide knowledge graph extraction 
+                and analysis capabilities. To ensure responsible usage and prevent abuse, 
+                we require user authentication.
+            </p>
+            
+            <div class="security-note">
+                <strong>🛡️ Why authentication is required:</strong><br>
+                • Prevents unauthorized access to AI resources<br>
+                • Enables usage tracking and abuse prevention<br>
+                • Ensures fair access for all legitimate users<br>
+                • Maintains service quality and availability
+            </div>
+            
+            <p>Please log in with your Hugging Face account to continue.</p>
+            <a href="/auth/login" class="login-btn">🚀 Login with Hugging Face</a>
+            
+            <p style="margin-top: 30px; font-size: 12px; color: #888;">
+                By logging in, you agree to use this service responsibly and in accordance with our usage policies.
+            </p>
         </div>
     </body>
     </html>

backend/routers/observability.py

@@ -883,6 +883,39 @@ async def get_environment():
     }
 
 
+@router.get("/usage-summary")
+async def get_usage_summary(request: Request):
+    """
+    Get a summary of recent API usage for monitoring purposes.
+    This helps track OpenAI API costs and detect potential abuse.
+    """
+    # Only authenticated users can see usage data
+    user = getattr(request.state, "user", None)
+    if not user:
+        raise HTTPException(status_code=401, detail="Authentication required")
+    
+    # In a production system, you'd query a database or log aggregation service
+    # For now, we'll return a summary based on recent log entries
+    
+    return {
+        "message": "Usage tracking is active",
+        "tracking_enabled": True,
+        "openai_endpoints_monitored": [
+            "/api/knowledge-graphs/extract",
+            "/api/knowledge-graphs/analyze", 
+            "/api/methods/",
+            "/api/traces/analyze",
+            "/api/causal/",
+        ],
+        "current_user": {
+            "username": user.get("username", "unknown"),
+            "auth_method": user.get("auth_method", "unknown"),
+        },
+        "note": "Detailed usage logs are available in the application logs for administrator review",
+        "timestamp": datetime.now().isoformat()
+    }
+
+
 @router.get("/health-check")
 async def health_check():
     """Comprehensive health check for the system."""