New secrets system and quotas (#35)

2023-11-25 17:50:09 +01:00
parent b2146b965a
commit 0f423166f1
10 changed files with 97 additions and 13 deletions
--- a/modules/app.py
+++ b/modules/app.py
@@ -1,7 +1,7 @@
 from fastapi import FastAPI
 from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html

-app = FastAPI(title="END PLAY Photos", docs_url=None, redoc_url=None, version="0.5")
+app = FastAPI(title="END PLAY Photos", docs_url=None, redoc_url=None, version="0.6")


@app.get("/docs", include_in_schema=False)
--- a/modules/security.py
+++ b/modules/security.py
@@ -1,4 +1,5 @@
 from datetime import datetime, timedelta, timezone
+from os import getenv
 from typing import List, Union

 from fastapi import Depends, HTTPException, Security, status
@@ -8,9 +9,26 @@ from passlib.context import CryptContext
 from pydantic import BaseModel, ValidationError

 from modules.database import col_users
+from modules.utils import configGet
+
+try:
+    configGet("secret")
+except KeyError as exc:
+    raise KeyError(
+        "PhotosAPI secret is not set. Secret key handling has changed in PhotosAPI 0.6.0, so you need to add the config key 'secret' to your config file."
+    ) from exc
+
+if configGet("secret") == "" and getenv("PHOTOSAPI_SECRET") is None:
+    raise KeyError(
+        "PhotosAPI secret is not set. Set the config key 'secret' or provide the environment variable 'PHOTOSAPI_SECRET' containing a secret string."
+    )
+
+SECRET_KEY = (
+    getenv("PHOTOSAPI_SECRET")
+    if getenv("PHOTOSAPI_SECRET") is not None
+    else configGet("secret")
+)

-with open("secret_key", "r", encoding="utf-8") as f:
-    SECRET_KEY = f.read()
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_DAYS = 180

@@ -28,6 +46,7 @@ class TokenData(BaseModel):
 class User(BaseModel):
    user: str
    email: Union[str, None] = None
+    quota: Union[int, None] = None
    disabled: Union[bool, None] = None


@@ -71,6 +90,7 @@ async def get_user(user: str) -> UserInDB:
    return UserInDB(
        user=found_user["user"],
        email=found_user["email"],
+        quota=found_user["quota"],
        disabled=found_user["disabled"],
        hash=found_user["hash"],
    )
@@ -87,13 +107,16 @@ def create_access_token(
    data: dict, expires_delta: Union[timedelta, None] = None
 ) -> str:
    to_encode = data.copy()
+
    if expires_delta:
        expire = datetime.now(tz=timezone.utc) + expires_delta
    else:
        expire = datetime.now(tz=timezone.utc) + timedelta(
            days=ACCESS_TOKEN_EXPIRE_DAYS
        )
+
    to_encode["exp"] = expire
+
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)


@@ -114,8 +137,10 @@ async def get_current_user(
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        user: str = payload.get("sub")
+
        if user is None:
            raise credentials_exception
+
        token_scopes = payload.get("scopes", [])
        token_data = TokenData(scopes=token_scopes, user=user)
    except (JWTError, ValidationError) as exc:
@@ -133,6 +158,7 @@ async def get_current_user(
                detail="Not enough permissions",
                headers={"WWW-Authenticate": authenticate_value},
            )
+
    return user_record


@@ -141,4 +167,5 @@ async def get_current_active_user(
 ):
    if current_user.disabled:
        raise HTTPException(status_code=400, detail="Inactive user")
+
    return current_user