| from __future__ import annotations |
|
|
| import os |
| import secrets |
| from collections.abc import Iterable |
| from typing import Any |
|
|
| from fastapi import HTTPException, Request, status |
|
|
| SENSITIVE_ENV_SUFFIXES = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASS", "CREDENTIAL", "CREDENTIALS") |
|
|
|
|
| def authenticate(request: Request) -> None: |
| if not request.session.get("authenticated"): |
| raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Login required") |
|
|
|
|
| def constant_time_equal(a: str, b: str) -> bool: |
| return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8")) |
|
|
|
|
| def known_secret_values(extra_values: Iterable[str | None] = ()) -> list[str]: |
| values: list[str] = [] |
| for key, value in os.environ.items(): |
| upper = key.upper() |
| if value and len(value) >= 4 and any(upper.endswith(suffix) or suffix in upper for suffix in SENSITIVE_ENV_SUFFIXES): |
| values.append(value) |
| for value in extra_values: |
| if value and len(value) >= 4: |
| values.append(value) |
| return sorted(set(values), key=len, reverse=True) |
|
|
|
|
| def redact_text(text: str | None, extra_values: Iterable[str | None] = ()) -> str: |
| if text is None: |
| return "" |
| safe = str(text) |
| for value in known_secret_values(extra_values): |
| safe = safe.replace(value, "[REDACTED]") |
| return safe |
|
|
|
|
| def redact_obj(value: Any) -> Any: |
| if isinstance(value, str): |
| return redact_text(value) |
| if isinstance(value, list): |
| return [redact_obj(item) for item in value] |
| if isinstance(value, dict): |
| return {key: redact_obj(item) for key, item in value.items()} |
| return value |
|
|
