Hugging Face's logo

Spaces:
ohmyapi
/
claude-bridge
Paused

App Files Community
claude-bridge / core /api /auth.py
ohmyapi's picture
ohmyapi
feat: align hosted Space deployment with latest upstream
c2fc3c5
raw
history blame contribute delete
14.6 kB
"""
API 与配置页鉴权。
- auth.api_key: 保护 /{type}/v1/*
- auth.config_secret: 保护 /config 与 /api/config、/api/types
全局鉴权设置优先级:数据库 > 环境变量回退 > YAML > 默认值。
config_secret 在文件模式下会回写为带前缀的 PBKDF2 哈希;环境变量回退模式下仅在内存中哈希。
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass, field
from functools import lru_cache
from typing import Any, Literal
from fastapi import HTTPException, Request, status
from core.config.repository import (
 APP_SETTING_AUTH_API_KEY,
 APP_SETTING_AUTH_CONFIG_SECRET_HASH,
 ConfigRepository,
)
from core.config.settings import (
 get,
 get_config_path,
 has_env_override,
 load_config,
 reset_cache,
)
API_AUTH_REALM = "Bearer"
CONFIG_SECRET_PREFIX = "web2api_pbkdf2_sha256"
CONFIG_SECRET_ITERATIONS = 600_000
ADMIN_SESSION_COOKIE = "web2api_admin_session"
DEFAULT_ADMIN_SESSION_TTL_SECONDS = 7 * 24 * 60 * 60
DEFAULT_ADMIN_LOGIN_MAX_FAILURES = 5
DEFAULT_ADMIN_LOGIN_LOCK_SECONDS = 10 * 60
AuthSource = Literal["env", "db", "yaml", "default"]
@dataclass(frozen=True)
class EffectiveAuthSettings:
 api_key_text: str
 api_key_source: AuthSource
 config_secret_hash: str
 config_secret_source: AuthSource
@property
 def api_keys(self) -> list[str]:
 return parse_api_keys(self.api_key_text)
@property
 def api_key_env_managed(self) -> bool:
 return False
@property
 def config_secret_env_managed(self) -> bool:
 return False
@property
 def config_login_enabled(self) -> bool:
 return bool(self.config_secret_hash)
def parse_api_keys(raw: Any) -> list[str]:
 if isinstance(raw, list):
 return [str(item).strip() for item in raw if str(item).strip()]
 if raw is None:
 return []
 text = str(raw).replace("\n", ",")
 return [part.strip() for part in text.split(",") if part.strip()]
def normalize_api_key_text(raw: Any) -> str:
 if isinstance(raw, list):
 return "\n".join(str(item).strip() for item in raw if str(item).strip())
 return str(raw or "").strip()
def _yaml_auth_config() -> dict[str, Any]:
 auth_cfg = load_config().get("auth") or {}
 return auth_cfg if isinstance(auth_cfg, dict) else {}
def _normalize_config_secret_hash(value: Any) -> str:
 secret = str(value or "").strip()
 if not secret:
 return ""
 return secret if _is_hashed_config_secret(secret) else hash_config_secret(secret)
@lru_cache(maxsize=1)
def _hosted_config_secret_hash() -> str:
 return _normalize_config_secret_hash(get("auth", "config_secret", ""))
def build_effective_auth_settings(
 repo: ConfigRepository | None = None,
) -> EffectiveAuthSettings:
 stored = repo.load_app_settings() if repo is not None else {}
 yaml_auth = _yaml_auth_config()
if APP_SETTING_AUTH_API_KEY in stored:
 api_key_text = normalize_api_key_text(stored.get(APP_SETTING_AUTH_API_KEY, ""))
 api_key_source: AuthSource = "db"
 elif has_env_override("auth", "api_key"):
 api_key_text = normalize_api_key_text(get("auth", "api_key", ""))
 api_key_source = "env"
 elif "api_key" in yaml_auth:
 api_key_text = normalize_api_key_text(yaml_auth.get("api_key", ""))
 api_key_source = "yaml"
 else:
 api_key_text = ""
 api_key_source = "default"
if APP_SETTING_AUTH_CONFIG_SECRET_HASH in stored:
 config_secret_hash = _normalize_config_secret_hash(
 stored.get(APP_SETTING_AUTH_CONFIG_SECRET_HASH, "")
 )
 config_secret_source: AuthSource = "db"
 elif has_env_override("auth", "config_secret"):
 config_secret_hash = _hosted_config_secret_hash()
 config_secret_source = "env"
 elif "config_secret" in yaml_auth:
 config_secret_hash = _normalize_config_secret_hash(yaml_auth.get("config_secret", ""))
 config_secret_source = "yaml"
 else:
 config_secret_hash = ""
 config_secret_source = "default"
return EffectiveAuthSettings(
 api_key_text=api_key_text,
 api_key_source=api_key_source,
 config_secret_hash=config_secret_hash,
 config_secret_source=config_secret_source,
 )
def refresh_runtime_auth_settings(app: Any) -> EffectiveAuthSettings:
 repo = getattr(app.state, "config_repo", None)
 settings = build_effective_auth_settings(repo)
 app.state.auth_settings = settings
 return settings
def get_effective_auth_settings(request: Request | None = None) -> EffectiveAuthSettings:
 if request is not None:
 settings = getattr(request.app.state, "auth_settings", None)
 if isinstance(settings, EffectiveAuthSettings):
 return settings
 repo = getattr(request.app.state, "config_repo", None)
 return build_effective_auth_settings(repo)
 return build_effective_auth_settings()
def configured_api_keys(repo: ConfigRepository | None = None) -> list[str]:
 return build_effective_auth_settings(repo).api_keys
def _extract_request_api_key(request: Request) -> str:
 key = (request.headers.get("x-api-key") or "").strip()
 if key:
 return key
 authorization = (request.headers.get("authorization") or "").strip()
 if authorization.lower().startswith("bearer "):
 return authorization[7:].strip()
 return ""
def require_api_key(request: Request) -> None:
 expected_keys = get_effective_auth_settings(request).api_keys
 if not expected_keys:
 return
 provided = _extract_request_api_key(request)
 if provided:
 for expected in expected_keys:
 if secrets.compare_digest(provided, expected):
 return
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail="Unauthorized. Provide a valid API key.",
 headers={"WWW-Authenticate": API_AUTH_REALM},
 )
def _is_hashed_config_secret(value: str) -> bool:
 return value.startswith(f"{CONFIG_SECRET_PREFIX}$")
def configured_config_secret_hash(repo: ConfigRepository | None = None) -> str:
 return build_effective_auth_settings(repo).config_secret_hash
def config_login_enabled(request: Request | None = None) -> bool:
 return get_effective_auth_settings(request).config_login_enabled
def configured_config_login_max_failures() -> int:
 raw = get("auth", "config_login_max_failures", DEFAULT_ADMIN_LOGIN_MAX_FAILURES)
 try:
 return max(1, int(raw))
 except Exception:
 return DEFAULT_ADMIN_LOGIN_MAX_FAILURES
def configured_config_login_lock_seconds() -> int:
 raw = get("auth", "config_login_lock_seconds", DEFAULT_ADMIN_LOGIN_LOCK_SECONDS)
 try:
 return max(1, int(raw))
 except Exception:
 return DEFAULT_ADMIN_LOGIN_LOCK_SECONDS
def hash_config_secret(secret: str) -> str:
 salt = os.urandom(16)
 digest = hashlib.pbkdf2_hmac(
 "sha256",
 secret.encode("utf-8"),
 salt,
 CONFIG_SECRET_ITERATIONS,
 )
 return (
 f"{CONFIG_SECRET_PREFIX}"
 f"${CONFIG_SECRET_ITERATIONS}"
 f"${base64.urlsafe_b64encode(salt).decode('ascii')}"
 f"${base64.urlsafe_b64encode(digest).decode('ascii')}"
 )
def verify_config_secret(secret: str, encoded: str) -> bool:
 try:
 prefix, iterations_s, salt_b64, digest_b64 = encoded.split("$", 3)
 except ValueError:
 return False
 if prefix != CONFIG_SECRET_PREFIX:
 return False
 try:
 iterations = int(iterations_s)
 salt = base64.urlsafe_b64decode(salt_b64.encode("ascii"))
 expected = base64.urlsafe_b64decode(digest_b64.encode("ascii"))
 except Exception:
 return False
 actual = hashlib.pbkdf2_hmac(
 "sha256",
 secret.encode("utf-8"),
 salt,
 iterations,
 )
 return hmac.compare_digest(actual, expected)
def ensure_config_secret_hashed(repo: ConfigRepository | None = None) -> None:
 if has_env_override("auth", "config_secret"):
 _hosted_config_secret_hash()
 return
 if repo is not None and repo.get_app_setting(APP_SETTING_AUTH_CONFIG_SECRET_HASH) is not None:
 return
 cfg = load_config()
 auth_cfg = cfg.get("auth")
 if not isinstance(auth_cfg, dict):
 return
 raw_value = auth_cfg.get("config_secret")
 secret = str(raw_value or "").strip()
 if not secret or _is_hashed_config_secret(secret):
 return
 encoded = hash_config_secret(secret)
 config_path = get_config_path()
 if not config_path.exists():
 return
 original = config_path.read_text(encoding="utf-8")
 pattern = re.compile(r"^([ \t]*)config_secret\s*:\s*.*$", re.MULTILINE)
 replacement = None
 for line in original.splitlines():
 match = pattern.match(line)
 if match:
 replacement = f"{match.group(1)}config_secret: '{encoded}'"
 break
 updated: str
 if replacement is not None:
 updated, count = pattern.subn(replacement, original, count=1)
 if count != 1:
 return
 else:
 auth_pattern = re.compile(r"^auth\s*:\s*$", re.MULTILINE)
 match = auth_pattern.search(original)
 if match:
 insert_at = match.end()
 updated = (
 original[:insert_at]
 + "\n"
 + f" config_secret: '{encoded}'"
 + original[insert_at:]
 )
 else:
 suffix = "" if original.endswith("\n") or not original else "\n"
 updated = (
 original
 + suffix
 + "auth:\n"
 + f" config_secret: '{encoded}'\n"
 )
 tmp_path = config_path.with_suffix(config_path.suffix + ".tmp")
 tmp_path.write_text(updated, encoding="utf-8")
 tmp_path.replace(config_path)
 reset_cache()
 load_config()
@dataclass
class AdminSessionStore:
 ttl_seconds: int = DEFAULT_ADMIN_SESSION_TTL_SECONDS
 _sessions: dict[str, float] = field(default_factory=dict)
def create(self) -> str:
 token = secrets.token_urlsafe(32)
 self._sessions[token] = time.time() + self.ttl_seconds
 return token
def is_valid(self, token: str) -> bool:
 if not token:
 return False
 self.cleanup()
 expires_at = self._sessions.get(token)
 if expires_at is None:
 return False
 if expires_at < time.time():
 self._sessions.pop(token, None)
 return False
 return True
def revoke(self, token: str) -> None:
 if token:
 self._sessions.pop(token, None)
def cleanup(self) -> None:
 now = time.time()
 expired = [token for token, expires_at in self._sessions.items() if expires_at < now]
 for token in expired:
 self._sessions.pop(token, None)
@dataclass
class LoginAttemptState:
 failures: int = 0
 locked_until: float = 0.0
 last_seen: float = 0.0
@dataclass
class AdminLoginAttemptStore:
 max_failures: int = DEFAULT_ADMIN_LOGIN_MAX_FAILURES
 lock_seconds: int = DEFAULT_ADMIN_LOGIN_LOCK_SECONDS
 _attempts: dict[str, LoginAttemptState] = field(default_factory=dict)
def is_locked(self, client_ip: str) -> int:
 self.cleanup()
 state = self._attempts.get(client_ip)
 if state is None:
 return 0
 remaining = int(state.locked_until - time.time())
 if remaining <= 0:
 return 0
 return remaining
def record_failure(self, client_ip: str) -> int:
 now = time.time()
 state = self._attempts.setdefault(client_ip, LoginAttemptState())
 if state.locked_until > now:
 state.last_seen = now
 return int(state.locked_until - now)
 state.failures += 1
 state.last_seen = now
 if state.failures >= self.max_failures:
 state.failures = 0
 state.locked_until = now + self.lock_seconds
 return self.lock_seconds
 return 0
def record_success(self, client_ip: str) -> None:
 self._attempts.pop(client_ip, None)
def cleanup(self) -> None:
 now = time.time()
 stale_before = now - max(self.lock_seconds * 2, 3600)
 expired = [
 ip
 for ip, state in self._attempts.items()
 if state.locked_until <= now and state.last_seen < stale_before
 ]
 for ip in expired:
 self._attempts.pop(ip, None)
def _admin_store(request: Request) -> AdminSessionStore:
 store = getattr(request.app.state, "admin_sessions", None)
 if store is None:
 raise HTTPException(status_code=503, detail="Admin session store is unavailable")
 return store
def _admin_login_attempt_store(request: Request) -> AdminLoginAttemptStore:
 store = getattr(request.app.state, "admin_login_attempts", None)
 if store is None:
 raise HTTPException(status_code=503, detail="Login rate limiter is unavailable")
 return store
def client_ip_of(request: Request) -> str:
 client = getattr(request, "client", None)
 host = getattr(client, "host", None)
 return str(host or "unknown")
def check_admin_login_rate_limit(request: Request) -> None:
 remaining = _admin_login_attempt_store(request).is_locked(client_ip_of(request))
 if remaining > 0:
 raise HTTPException(
 status_code=status.HTTP_429_TOO_MANY_REQUESTS,
 detail=f"Too many failed login attempts. Try again in {remaining} seconds.",
 )
def record_admin_login_failure(request: Request) -> int:
 return _admin_login_attempt_store(request).record_failure(client_ip_of(request))
def record_admin_login_success(request: Request) -> None:
 _admin_login_attempt_store(request).record_success(client_ip_of(request))
def admin_logged_in(request: Request) -> bool:
 if not config_login_enabled(request):
 return False
 token = (request.cookies.get(ADMIN_SESSION_COOKIE) or "").strip()
 return _admin_store(request).is_valid(token)
def require_config_login_enabled(request: Request | None = None) -> None:
 if not config_login_enabled(request):
 raise HTTPException(status_code=404, detail="Config dashboard is disabled")
def require_config_login(request: Request) -> None:
 require_config_login_enabled(request)
 if admin_logged_in(request):
 return
 raise HTTPException(status_code=401, detail="Please sign in to access the config dashboard")