Spaces:

yzwwxm
/

cp

Sleeping

App Files Files Community

yzwwxm commited on Mar 6

Commit

890931a

verified ·

1 Parent(s): c4a7303

Upload 3 files

Browse files

Files changed (3) hide show

Dockerfile +7 -2
auth.py +108 -0
entrypoint.sh +20 -0

Dockerfile CHANGED Viewed

@@ -1,3 +1,8 @@
 FROM agentscope/copaw:latest
-ENV COPAW_PORT=7860
-EXPOSE 7860

 FROM agentscope/copaw:latest
+RUN pip install --no-cache-dir python-multipart
+COPY auth.py /app/auth.py
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENV COPAW_PASSWORD="" COPAW_SESSION_SECRET="" COPAW_SESSION_MAX_AGE="86400"
+EXPOSE 8088
+CMD ["/entrypoint.sh"]

auth.py ADDED Viewed

	@@ -0,0 +1,108 @@

+import os, secrets, hashlib, hmac, time
+from fastapi import FastAPI, Form, Request
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+from starlette.middleware.base import BaseHTTPMiddleware
+PWD = os.environ.get("COPAW_PASSWORD", "")
+SEC = os.environ.get("COPAW_SESSION_SECRET", "") or (secrets.token_hex(32) if PWD else "")
+MAX = int(os.environ.get("COPAW_SESSION_MAX_AGE", "86400"))
+ON = bool(PWD)
+SKIP = {"/auth/login", "/auth/logout", "/health"}
+EXTS = (".js", ".css", ".png", ".svg", ".ico", ".woff", ".woff2", ".ttf", ".jpg", ".gif", ".wasm")
+def _mk():
+    t = str(int(time.time()))
+    k = secrets.token_urlsafe(32)
+    s = hmac.new(SEC.encode(), f"{k}:{t}".encode(), hashlib.sha256).hexdigest()
+    return f"{k}:{t}:{s}"
+def _ok(v):
+    if not v:
+        return False
+    try:
+        k, t, s = v.split(":")
+        expected = hmac.new(SEC.encode(), f"{k}:{t}".encode(), hashlib.sha256).hexdigest()
+        return hmac.compare_digest(s, expected) and time.time() - int(t) <= MAX
+    except:
+        return False
+LOGIN_HTML = """<!DOCTYPE html>
+<html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Login</title>
+<style>
+*{box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:linear-gradient(135deg,#667eea,#764ba2);min-height:100vh;display:flex;align-items:center;justify-content:center;margin:0}
+.b{background:#fff;padding:40px;border-radius:12px;box-shadow:0 10px 40px rgba(0,0,0,.2);width:100%;max-width:360px;text-align:center}
+h1{margin:0 0 24px;color:#333}input{width:100%;padding:12px;margin:8px 0;border:1px solid #ddd;border-radius:6px;font-size:16px}
+button{width:100%;padding:14px;background:linear-gradient(135deg,#667eea,#764ba2);color:#fff;border:none;border-radius:6px;font-size:16px;cursor:pointer}
+.e{color:#c00;margin:12px 0;display:none}
+</style></head>
+<body><div class="b"><h1>CoPaw</h1><form id="f"><input type="password" id="p" placeholder="Password" required autofocus><button>Sign In</button></form><p class="e" id="e"></p></div>
+<script>
+document.getElementById('f').onsubmit=async function(ev){
+  ev.preventDefault();
+  var r = await fetch('/auth/login',{
+    method:'POST',
+    headers:{'Content-Type':'application/x-www-form-urlencoded'},
+    body:'password='+encodeURIComponent(document.getElementById('p').value)
+  });
+  if(r.ok){location='/';}
+  else{document.getElementById('e').textContent='Invalid password';document.getElementById('e').style.display='block';}
+};
+</script></body></html>
+"""
+class AuthMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, req, call_next):
+        path = req.url.path
+        # 直接在中间件处理 auth 路由（避免被 catch-all 拦截）
+        if path == "/auth/login":
+            if req.method == "GET":
+                return HTMLResponse(content=LOGIN_HTML)
+            elif req.method == "POST":
+                # 解析 form 数据
+                form = await req.form()
+                password = form.get("password", "")
+                if ON and secrets.compare_digest(password, PWD):
+                    r = JSONResponse({"ok": True, "redirect": "/"})
+                    r.set_cookie("copaw_session", _mk(), max_age=MAX, httponly=True, samesite="lax")
+                    return r
+                return JSONResponse({"error": "Invalid password"}, status_code=401)
+        if path == "/auth/logout":
+            r = RedirectResponse(url="/auth/login", status_code=302)
+            r.delete_cookie("copaw_session")
+            return r
+        if path == "/auth/status":
+            return JSONResponse({"authenticated": _ok(req.cookies.get("copaw_session")), "auth_required": ON})
+        # 未启用鉴权则直接放行
+        if not ON:
+            return await call_next(req)
+        # 静态资源放行
+        if any(path.endswith(e) for e in EXTS):
+            return await call_next(req)
+        # 已登录则放行
+        if _ok(req.cookies.get("copaw_session")):
+            return await call_next(req)
+        # API 返回 401，其他跳转登录
+        if path.startswith("/api"):
+            return JSONResponse({"error": "Unauthorized"}, status_code=401)
+        return RedirectResponse(f"/auth/login?next={path}", status_code=302)
+def setup_auth(app: FastAPI):
+    if ON:
+        print(f"[Auth] ENABLED - password protected")
+    else:
+        print(f"[Auth] DISABLED - no COPAW_PASSWORD set")
+    app.add_middleware(AuthMiddleware)

entrypoint.sh ADDED Viewed

	@@ -0,0 +1,20 @@

+#!/bin/sh
+set -e
+export COPAW_PORT="${COPAW_PORT:-8088}"
+if [ -n "$COPAW_PASSWORD" ]; then
+    echo "=== CoPaw Auth ENABLED ==="
+else
+    echo "=== CoPaw Auth DISABLED ==="
+fi
+cd /app
+exec python3 -c "
+import sys
+sys.path.insert(0, '/app')
+from copaw.app._app import app
+from auth import setup_auth
+setup_auth(app)
+import uvicorn
+uvicorn.run(app, host='0.0.0.0', port=int('${COPAW_PORT}'), log_level='info')
+"