Spaces:

lovelymango
/

eodi-mcp

Running

App Files Files Community

eodi-mcp / src /auth /routes.py

lovelymango

Upload 12 files

2310db1 verified 3 months ago

raw

history blame contribute delete

20.2 kB

	"""
	Authentication HTTP Routes
	==========================

	OAuth2 및 Magic Link 인증 엔드포인트.
	server_streamable.py의 routes에 확장됩니다.
	"""

	import logging
	from urllib.parse import urlencode

	from starlette.routing import Route
	from starlette.requests import Request
	from starlette.responses import JSONResponse, RedirectResponse, HTMLResponse

	from .oauth_provider import get_oauth_provider
	from .magic_link import get_magic_link_auth
	from .config import SERVER_BASE_URL, SUPABASE_URL

	logger = logging.getLogger("eodi.auth.routes")


	# =============================================================================
	# OAuth2 엔드포인트 (GPTs용)
	# =============================================================================

	async def oauth_authorize(request: Request) -> RedirectResponse:
	"""
	GET /oauth/authorize

	GPTs OAuth 시작점. 로그인 페이지로 리다이렉트.
	"""
	oauth_provider = get_oauth_provider()

	if not oauth_provider.is_configured:
	return JSONResponse({
	"error": "OAuth not configured",
	"message": "OAUTH_CLIENT_SECRET 환경변수가 설정되지 않았습니다."
	}, status_code=503)

	redirect_uri = request.query_params.get("redirect_uri")
	scope = request.query_params.get("scope", "profile")
	gpts_state = request.query_params.get("state", "")

	if not redirect_uri:
	return JSONResponse({"error": "redirect_uri is required"}, status_code=400)

	# 내부 state 생성 (redirect_uri 저장용)
	auth_url, internal_state = oauth_provider.get_authorization_url(redirect_uri, scope)

	# GPTs state도 함께 전달
	if gpts_state:
	auth_url += f"&gpts_state={gpts_state}"

	logger.info("OAuth authorize: redirect to login page")
	return RedirectResponse(auth_url, status_code=302)


	async def oauth_callback(request: Request):
	"""
	GET /oauth/callback

	(내부 엔드포인트 - 직접 사용되지 않음)
	"""
	return JSONResponse({"message": "Use /auth/callback instead"})


	async def oauth_token(request: Request) -> JSONResponse:
	"""
	POST /oauth/token

	Authorization code → Access token 교환.
	"""
	oauth_provider = get_oauth_provider()

	if not oauth_provider.is_configured:
	return JSONResponse({"error": "OAuth not configured"}, status_code=503)

	# form-urlencoded 또는 JSON 바디 처리
	content_type = request.headers.get("content-type", "")

	if "application/x-www-form-urlencoded" in content_type:
	form = await request.form()
	grant_type = form.get("grant_type")
	code = form.get("code")
	redirect_uri = form.get("redirect_uri")
	client_id = form.get("client_id")
	client_secret = form.get("client_secret")
	refresh_token = form.get("refresh_token")
	else:
	try:
	body = await request.json()
	grant_type = body.get("grant_type")
	code = body.get("code")
	redirect_uri = body.get("redirect_uri")
	client_id = body.get("client_id")
	client_secret = body.get("client_secret")
	refresh_token = body.get("refresh_token")
	except Exception:
	return JSONResponse({"error": "invalid_request"}, status_code=400)

	if grant_type == "authorization_code":
	if not code or not redirect_uri:
	return JSONResponse({"error": "invalid_request"}, status_code=400)

	success, token_response, error = await oauth_provider.exchange_code_for_token(
	code=code,
	redirect_uri=redirect_uri,
	client_id=client_id,
	client_secret=client_secret
	)

	if success:
	return JSONResponse(token_response)
	else:
	return JSONResponse(
	{"error": "invalid_grant", "error_description": error},
	status_code=400
	)

	elif grant_type == "refresh_token":
	success, token_response, error = await oauth_provider.refresh_token(
	refresh_token=refresh_token,
	client_id=client_id,
	client_secret=client_secret
	)

	if success:
	return JSONResponse(token_response)
	else:
	return JSONResponse(
	{"error": "invalid_grant", "error_description": error},
	status_code=400
	)

	else:
	return JSONResponse({"error": "unsupported_grant_type"}, status_code=400)


	# =============================================================================
	# Magic Link 엔드포인트 (MCP 클라이언트용)
	# =============================================================================

	async def auth_login_page(request: Request) -> HTMLResponse:
	"""
	GET /auth/login

	로그인 페이지. 이메일 입력 → Magic Link 발송.
	"""
	redirect_uri = request.query_params.get("redirect_uri", "")
	state = request.query_params.get("state", "")
	gpts_state = request.query_params.get("gpts_state", "")

	html = f"""
	<!DOCTYPE html>
	<html>
	<head>
	<title>Eodi 로그인</title>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<style>
	body {{
	font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
	max-width: 400px;
	margin: 50px auto;
	padding: 20px;
	background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
	min-height: 100vh;
	box-sizing: border-box;
	}}
	.container {{
	background: white;
	padding: 40px 30px;
	border-radius: 16px;
	box-shadow: 0 10px 40px rgba(0,0,0,0.2);
	}}
	h1 {{
	color: #333;
	font-size: 28px;
	margin-bottom: 8px;
	text-align: center;
	}}
	.subtitle {{
	color: #666;
	text-align: center;
	margin-bottom: 30px;
	}}
	input[type="email"] {{
	width: 100%;
	padding: 14px;
	border: 2px solid #e0e0e0;
	border-radius: 10px;
	font-size: 16px;
	margin-bottom: 16px;
	box-sizing: border-box;
	transition: border-color 0.2s;
	}}
	input[type="email"]:focus {{
	outline: none;
	border-color: #667eea;
	}}
	button {{
	width: 100%;
	padding: 14px;
	background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
	color: white;
	border: none;
	border-radius: 10px;
	font-size: 16px;
	font-weight: 600;
	cursor: pointer;
	transition: transform 0.2s, box-shadow 0.2s;
	}}
	button:hover {{
	transform: translateY(-2px);
	box-shadow: 0 5px 20px rgba(102, 126, 234, 0.4);
	}}
	button:disabled {{
	background: #ccc;
	transform: none;
	box-shadow: none;
	}}
	.message {{ margin-top: 16px; text-align: center; }}
	.success {{ color: #10b981; }}
	.error {{ color: #ef4444; }}
	.info {{
	color: #6b7280;
	font-size: 13px;
	margin-top: 20px;
	text-align: center;
	}}
	</style>
	</head>
	<body>
	<div class="container">
	<h1>🏨 Eodi</h1>
	<p class="subtitle">여행 혜택의 모든 것</p>

	<form id="loginForm">
	<input type="hidden" name="redirect_uri" value="{redirect_uri}">
	<input type="hidden" name="state" value="{state}">
	<input type="hidden" name="gpts_state" value="{gpts_state}">
	<input type="email" name="email" placeholder="이메일 주소" required>
	<button type="submit" id="submitBtn">로그인 링크 받기</button>
	</form>

	<div id="message"></div>
	<p class="info">로그인 링크는 10분간 유효합니다.</p>
	</div>

	<script>
	document.getElementById('loginForm').addEventListener('submit', async (e) => {{
	e.preventDefault();
	const form = e.target;
	const email = form.email.value;
	const button = document.getElementById('submitBtn');
	const messageDiv = document.getElementById('message');

	button.disabled = true;
	button.textContent = '전송 중...';
	messageDiv.innerHTML = '';

	try {{
	const response = await fetch('/auth/send-link', {{
	method: 'POST',
	headers: {{'Content-Type': 'application/json'}},
	body: JSON.stringify({{
	email: email,
	redirect_uri: form.redirect_uri.value,
	state: form.state.value,
	gpts_state: form.gpts_state.value
	}})
	}});

	const data = await response.json();

	if (data.success) {{
	messageDiv.innerHTML = '<p class="message success">✅ 이메일을 확인해주세요!</p>';
	button.textContent = '전송 완료';
	}} else {{
	messageDiv.innerHTML = '<p class="message error">❌ ' + data.error + '</p>';
	button.disabled = false;
	button.textContent = '로그인 링크 받기';
	}}
	}} catch (err) {{
	messageDiv.innerHTML = '<p class="message error">❌ 오류가 발생했습니다.</p>';
	button.disabled = false;
	button.textContent = '로그인 링크 받기';
	}}
	}});
	</script>
	</body>
	</html>
	"""
	return HTMLResponse(html)


	async def auth_send_link(request: Request) -> JSONResponse:
	"""
	POST /auth/send-link

	Magic Link 발송 API.
	"""
	magic_link_auth = get_magic_link_auth()

	try:
	body = await request.json()
	email = body.get("email")

	if not email:
	return JSONResponse(
	{"success": False, "error": "이메일을 입력해주세요."},
	status_code=400
	)

	success, error = await magic_link_auth.send_magic_link(email)

	if success:
	return JSONResponse({"success": True})
	else:
	return JSONResponse({"success": False, "error": error}, status_code=400)

	except Exception as e:
	logger.error(f"Magic Link 발송 오류: {e}")
	return JSONResponse({"success": False, "error": str(e)}, status_code=500)


	async def auth_callback_page(request: Request) -> HTMLResponse:
	"""
	GET /auth/callback

	Magic Link 클릭 후 랜딩 페이지.
	Supabase가 URL fragment에 토큰을 포함.
	"""
	html = """
	<!DOCTYPE html>
	<html>
	<head>
	<title>Eodi 인증 완료</title>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<style>
	body {
	font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
	max-width: 400px;
	margin: 50px auto;
	padding: 20px;
	background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
	min-height: 100vh;
	box-sizing: border-box;
	}
	.container {
	background: white;
	padding: 40px 30px;
	border-radius: 16px;
	box-shadow: 0 10px 40px rgba(0,0,0,0.2);
	text-align: center;
	}
	h1 { color: #333; font-size: 28px; margin-bottom: 10px; }
	h2 { color: #333; font-size: 22px; margin-bottom: 10px; }
	.code {
	font-size: 42px;
	font-weight: bold;
	letter-spacing: 10px;
	color: #667eea;
	margin: 24px 0;
	padding: 20px;
	background: linear-gradient(135deg, #f0f4ff 0%, #e8ecff 100%);
	border-radius: 12px;
	}
	.instruction {
	color: #4b5563;
	margin: 16px 0;
	line-height: 1.6;
	}
	.timer {
	color: #9ca3af;
	font-size: 14px;
	margin-top: 16px;
	}
	.error { color: #ef4444; }
	.loading { color: #6b7280; }
	</style>
	</head>
	<body>
	<div class="container">
	<h1>🏨 Eodi</h1>
	<div id="content">
	<p class="loading">인증 처리 중...</p>
	</div>
	</div>

	<script>
	async function processAuth() {
	const contentDiv = document.getElementById('content');

	// URL fragment에서 토큰 추출
	const hash = window.location.hash.substring(1);
	const params = new URLSearchParams(hash);

	const accessToken = params.get('access_token');
	const refreshToken = params.get('refresh_token') \|\| '';

	if (!accessToken) {
	contentDiv.innerHTML = `
	<h2 class="error">❌ 인증 실패</h2>
	<p class="instruction">링크가 만료되었거나 잘못되었습니다.<br>다시 시도해주세요.</p>
	`;
	return;
	}

	try {
	const response = await fetch('/auth/process-token', {
	method: 'POST',
	headers: {'Content-Type': 'application/json'},
	body: JSON.stringify({
	access_token: accessToken,
	refresh_token: refreshToken
	})
	});

	const data = await response.json();

	if (data.success) {
	contentDiv.innerHTML = `
	<h2>✅ 인증 완료!</h2>
	<p class="instruction">아래 코드를 입력해주세요</p>
	<div class="code">${data.code}</div>
	<p class="instruction">GPT 또는 Claude로 돌아가서<br>이 코드를 입력하세요.</p>
	<p class="timer">⏱️ 코드는 3분간 유효합니다</p>
	`;
	} else {
	contentDiv.innerHTML = `
	<h2 class="error">❌ 오류 발생</h2>
	<p class="instruction">${data.error}</p>
	`;
	}
	} catch (err) {
	contentDiv.innerHTML = `
	<h2 class="error">❌ 오류 발생</h2>
	<p class="instruction">잠시 후 다시 시도해주세요.</p>
	`;
	}
	}

	processAuth();
	</script>
	</body>
	</html>
	"""
	return HTMLResponse(html)


	async def auth_process_token(request: Request) -> JSONResponse:
	"""
	POST /auth/process-token

	Supabase 토큰으로 인증 코드 생성.
	"""
	magic_link_auth = get_magic_link_auth()

	try:
	body = await request.json()
	access_token = body.get("access_token")
	refresh_token = body.get("refresh_token", "")

	if not access_token:
	return JSONResponse(
	{"success": False, "error": "토큰이 없습니다."},
	status_code=400
	)

	# 토큰에서 사용자 정보 추출
	import httpx

	async with httpx.AsyncClient(timeout=30) as client:
	response = await client.get(
	f"{SUPABASE_URL}/auth/v1/user",
	headers={"Authorization": f"Bearer {access_token}"}
	)

	if response.status_code != 200:
	return JSONResponse(
	{"success": False, "error": "사용자 정보를 가져올 수 없습니다."},
	status_code=400
	)

	user_data = response.json()
	user_id = user_data.get("id")
	email = user_data.get("email")

	# 인증 코드 생성
	code = magic_link_auth.generate_auth_code(
	user_id=user_id,
	email=email,
	access_token=access_token,
	refresh_token=refresh_token
	)

	return JSONResponse({"success": True, "code": code})

	except Exception as e:
	logger.error(f"토큰 처리 오류: {e}")
	return JSONResponse({"success": False, "error": str(e)}, status_code=500)


	async def auth_verify_code_api(request: Request) -> JSONResponse:
	"""
	POST /auth/verify-code

	인증 코드 검증 API (REST용).
	"""
	magic_link_auth = get_magic_link_auth()

	try:
	body = await request.json()
	code = body.get("code")

	if not code:
	return JSONResponse(
	{"success": False, "error": "코드를 입력해주세요."},
	status_code=400
	)

	# 클라이언트 IP
	client_ip = request.headers.get(
	"X-Forwarded-For",
	request.client.host if request.client else "unknown"
	)
	if "," in client_ip:
	client_ip = client_ip.split(",")[0].strip()

	success, session_token, email_masked, error = magic_link_auth.verify_auth_code(
	code, client_ip
	)

	if success:
	return JSONResponse({
	"success": True,
	"session_token": session_token,
	"email_masked": email_masked,
	"message": f"인증 완료! {email_masked}"
	})
	else:
	return JSONResponse({"success": False, "error": error}, status_code=400)

	except Exception as e:
	logger.error(f"코드 검증 오류: {e}")
	return JSONResponse({"success": False, "error": str(e)}, status_code=500)


	# =============================================================================
	# 라우트 목록
	# =============================================================================

	auth_routes = [
	# OAuth2 (GPTs용)
	Route("/oauth/authorize", oauth_authorize, methods=["GET"]),
	Route("/oauth/callback", oauth_callback, methods=["GET"]),
	Route("/oauth/token", oauth_token, methods=["POST"]),

	# Magic Link (MCP 클라이언트용)
	Route("/auth/login", auth_login_page, methods=["GET"]),
	Route("/auth/send-link", auth_send_link, methods=["POST"]),
	Route("/auth/callback", auth_callback_page, methods=["GET"]),
	Route("/auth/process-token", auth_process_token, methods=["POST"]),
	Route("/auth/verify-code", auth_verify_code_api, methods=["POST"]),
	]