72 lines
2.5 KiB
Python
Executable file
72 lines
2.5 KiB
Python
Executable file
#!/usr/bin/env -S uv run --script
|
|
# /// script
|
|
# requires-python = ">=3.12"
|
|
# dependencies = [
|
|
# "fastapi",
|
|
# "uvicorn[standard]",
|
|
# ]
|
|
# ///
|
|
from fastapi import FastAPI, Request, Response, HTTPException, Depends
|
|
from fastapi.responses import RedirectResponse, PlainTextResponse
|
|
from fastapi.staticfiles import StaticFiles
|
|
from fastapi.security import HTTPBasic, HTTPBasicCredentials
|
|
import secrets
|
|
|
|
app = FastAPI()
|
|
security = HTTPBasic()
|
|
|
|
USERS = {
|
|
"admin": {"password": "admin", "role": "admin"},
|
|
"reader": {"password": "reader", "role": "reader"},
|
|
}
|
|
|
|
# Cookie format: session=username
|
|
def get_current_user(request: Request):
|
|
session = request.cookies.get("session")
|
|
if session and session in USERS:
|
|
return session
|
|
return None
|
|
|
|
def get_current_role(user: str):
|
|
return USERS[user]["role"]
|
|
|
|
@app.post("/login")
|
|
async def login(credentials: HTTPBasicCredentials = Depends(security)):
|
|
user = credentials.username
|
|
pwd = credentials.password
|
|
if user in USERS and secrets.compare_digest(USERS[user]['password'], pwd):
|
|
resp = Response("OK", status_code=200)
|
|
resp.set_cookie("session", user, httponly=True, samesite='lax', path="/")
|
|
# Ensure login response isn't cached
|
|
resp.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
|
|
resp.headers["Pragma"] = "no-cache"
|
|
return resp
|
|
raise HTTPException(status_code=401, detail="Invalid credentials")
|
|
|
|
@app.get("/logout")
|
|
def logout():
|
|
resp = RedirectResponse("/")
|
|
resp.delete_cookie("session")
|
|
# Ensure logout response isn't cached
|
|
resp.headers["Cache-Control"] = "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
|
|
resp.headers["Pragma"] = "no-cache"
|
|
resp.headers["Expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
|
|
return resp
|
|
|
|
@app.get("/authz")
|
|
def authz(request: Request):
|
|
session = request.cookies.get("session")
|
|
path = request.headers.get("X-Original-URI")
|
|
if not session or session not in USERS:
|
|
return Response("Not authenticated", status_code=401)
|
|
user_role = USERS[session]['role']
|
|
# Only admin may access /admin
|
|
if path and path.startswith("/admin") and user_role != 'admin':
|
|
return Response("Forbidden", status_code=403)
|
|
# Everything else: allowed
|
|
return Response("OK", status_code=200)
|
|
|
|
if __name__ == "__main__":
|
|
import uvicorn
|
|
app.mount("/static", StaticFiles(directory="static"), name="static")
|
|
uvicorn.run(app, host="localhost", port=5115)
|