init

2025-11-21 12:50:29 -06:00 · 2025-11-21 12:50:29 -06:00 · 1e11c8ca5e
commit 1e11c8ca5e
12 changed files with 579 additions and 0 deletions
--- a/main_auth.py
+++ b/main_auth.py
@ -0,0 +1,72 @@
+#!/usr/bin/env -S uv run --script
+# /// script
+# requires-python = ">=3.12"
+# dependencies = [
+#     "fastapi",
+#     "uvicorn[standard]",
+# ]
+# ///
+from fastapi import FastAPI, Request, Response, HTTPException, Depends
+from fastapi.responses import RedirectResponse, PlainTextResponse
+from fastapi.staticfiles import StaticFiles
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+import secrets
+
+app = FastAPI()
+security = HTTPBasic()
+
+USERS = {
+    "admin": {"password": "admin", "role": "admin"},
+    "reader": {"password": "reader", "role": "reader"},
+}
+
+# Cookie format: session=username
+def get_current_user(request: Request):
+    session = request.cookies.get("session")
+    if session and session in USERS:
+        return session
+    return None
+
+def get_current_role(user: str):
+    return USERS[user]["role"]
+
+@app.post("/login")
+async def login(credentials: HTTPBasicCredentials = Depends(security)):
+    user = credentials.username
+    pwd = credentials.password
+    if user in USERS and secrets.compare_digest(USERS[user]['password'], pwd):
+        resp = Response("OK", status_code=200)
+        resp.set_cookie("session", user, httponly=True, samesite='lax', path="/")
+        # Ensure login response isn't cached
+        resp.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
+        resp.headers["Pragma"] = "no-cache"
+        return resp
+    raise HTTPException(status_code=401, detail="Invalid credentials")
+
+@app.get("/logout")
+def logout():
+    resp = RedirectResponse("/")
+    resp.delete_cookie("session")
+    # Ensure logout response isn't cached
+    resp.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
+    resp.headers["Pragma"] = "no-cache"
+    resp.headers["Expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
+    return resp
+
+@app.get("/authz")
+def authz(request: Request):
+    session = request.cookies.get("session")
+    path = request.headers.get("X-Original-URI")
+    if not session or session not in USERS:
+        return Response("Not authenticated", status_code=401)
+    user_role = USERS[session]['role']
+    # Only admin may access /admin
+    if path and path.startswith("/admin") and user_role != 'admin':
+        return Response("Forbidden", status_code=403)
+    # Everything else: allowed
+    return Response("OK", status_code=200)
+
+if __name__ == "__main__":
+    import uvicorn
+    app.mount("/static", StaticFiles(directory="static"), name="static")
+    uvicorn.run(app, host="localhost", port=5115)