ccproxy-api 0.1.0__py3-none-any.whl → 0.1.1__py3-none-any.whl

ccproxy/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.1.0'
-__version_tuple__ = version_tuple = (0, 1, 0)
+__version__ = version = '0.1.1'
+__version_tuple__ = version_tuple = (0, 1, 1)

ccproxy/api/app.py

@@ -2,6 +2,7 @@
 
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
+from datetime import UTC, datetime
 from typing import Any
 
 from fastapi import FastAPI, HTTPException
@@ -23,11 +24,13 @@ from ccproxy.api.routes.metrics import (
     prometheus_router,
 )
 from ccproxy.api.routes.proxy import router as proxy_router
+from ccproxy.auth.exceptions import CredentialsNotFoundError
 from ccproxy.auth.oauth.routes import router as oauth_router
 from ccproxy.config.settings import Settings, get_settings
 from ccproxy.core.logging import setup_logging
 from ccproxy.observability.storage.duckdb_simple import SimpleDuckDBStorage
 from ccproxy.scheduler.manager import start_scheduler, stop_scheduler
+from ccproxy.services.credentials import CredentialsManager
 
 
 logger = get_logger(__name__)
@@ -58,6 +61,73 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
             "claude_cli_search_paths", paths=settings.claude.get_searched_paths()
         )
 
+    # Validate authentication token at startup
+    try:
+        credentials_manager = CredentialsManager()
+        validation = await credentials_manager.validate()
+
+        if validation.valid and not validation.expired:
+            credentials = validation.credentials
+            oauth_token = credentials.claude_ai_oauth if credentials else None
+
+            if oauth_token and oauth_token.expires_at_datetime:
+                hours_until_expiry = int(
+                    (
+                        oauth_token.expires_at_datetime - datetime.now(UTC)
+                    ).total_seconds()
+                    / 3600
+                )
+                logger.info(
+                    "auth_token_valid",
+                    expires_in_hours=hours_until_expiry,
+                    subscription_type=oauth_token.subscription_type,
+                    credentials_path=str(validation.path) if validation.path else None,
+                )
+            else:
+                logger.info("auth_token_valid", credentials_path=str(validation.path))
+        elif validation.expired:
+            logger.warning(
+                "auth_token_expired",
+                message="Authentication token has expired. Please run 'ccproxy auth login' to refresh.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+        else:
+            logger.warning(
+                "auth_token_invalid",
+                message="Authentication token is invalid. Please run 'ccproxy auth login'.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+    except CredentialsNotFoundError:
+        logger.warning(
+            "auth_token_not_found",
+            message="No authentication credentials found. Please run 'ccproxy auth login' to authenticate.",
+            searched_paths=settings.auth.storage.storage_paths,
+        )
+    except Exception as e:
+        logger.error(
+            "auth_token_validation_error",
+            error=str(e),
+            message="Failed to validate authentication token. The server will continue without authentication.",
+        )
+
+    # Validate Claude binary at startup
+    claude_path, found_in_path = settings.claude.find_claude_cli()
+    if claude_path:
+        logger.info(
+            "claude_binary_found",
+            path=claude_path,
+            found_in_path=found_in_path,
+            message=f"Claude CLI binary found at: {claude_path}",
+        )
+    else:
+        searched_paths = settings.claude.get_searched_paths()
+        logger.warning(
+            "claude_binary_not_found",
+            message="Claude CLI binary not found. Please install Claude CLI to use SDK features.",
+            searched_paths=searched_paths,
+            install_command="npm install -g @anthropic-ai/claude-code",
+        )
+
     # Start scheduler system
     try:
         scheduler = await start_scheduler(settings)

ccproxy/api/routes/claude.py

@@ -173,9 +173,3 @@ async def list_models(
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def claude_sdk_status() -> dict[str, str]:
-    """Get Claude SDK status."""
-    return {"status": "claude sdk endpoint available", "service": "direct"}

ccproxy/api/routes/proxy.py

@@ -11,6 +11,7 @@ from starlette.background import BackgroundTask
 from ccproxy.adapters.openai.adapter import OpenAIAdapter
 from ccproxy.api.dependencies import ProxyServiceDep
 from ccproxy.api.responses import ProxyResponse
+from ccproxy.auth.conditional import ConditionalAuthDep
 from ccproxy.core.errors import ProxyHTTPException
 
 
@@ -22,6 +23,7 @@ router = APIRouter(tags=["proxy"])
 async def create_openai_chat_completion(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a chat completion using Claude AI with OpenAI-compatible format.
 
@@ -98,6 +100,9 @@ async def create_openai_chat_completion(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -108,6 +113,7 @@ async def create_openai_chat_completion(
 async def create_anthropic_message(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a message using Claude AI with Anthropic format.
 
@@ -180,6 +186,9 @@ async def create_anthropic_message(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -190,6 +199,7 @@ async def create_anthropic_message(
 async def list_models(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> Response:
     """List available models using the proxy service.
 
@@ -226,13 +236,10 @@ async def list_models(
             media_type=response_headers.get("content-type", "application/json"),
         )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def proxy_status() -> dict[str, str]:
-    """Get proxy status."""
-    return {"status": "proxy API available", "version": "1.0.0"}

ccproxy/auth/conditional.py

@@ -0,0 +1,84 @@
+"""Conditional authentication dependencies."""
+
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from ccproxy.auth.bearer import BearerTokenAuthManager
+from ccproxy.auth.exceptions import AuthenticationError
+from ccproxy.auth.manager import AuthManager
+from ccproxy.config.settings import Settings, get_settings
+
+
+# FastAPI security scheme for bearer tokens
+bearer_scheme = HTTPBearer(auto_error=False)
+
+
+async def get_conditional_auth_manager(
+    request: Request,
+    credentials: Annotated[
+        HTTPAuthorizationCredentials | None, Depends(bearer_scheme)
+    ] = None,
+    settings: Annotated[Settings | None, Depends(get_settings)] = None,
+) -> AuthManager | None:
+    """Get authentication manager only if auth is required.
+
+    This dependency checks if authentication is configured and validates
+    the token if required. If no auth is configured, returns None.
+
+    Args:
+        request: The FastAPI request object
+        credentials: HTTP authorization credentials
+        settings: Application settings
+
+    Returns:
+        AuthManager instance if authenticated, None if no auth required
+
+    Raises:
+        HTTPException: If auth is required but credentials are invalid
+    """
+    # Check if auth is required for this configuration
+    if settings is None or not settings.security.auth_token:
+        # No auth configured, return None
+        return None
+
+    # Auth is required, validate credentials
+    if not credentials or not credentials.credentials:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Validate the token
+    if credentials.credentials != settings.security.auth_token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Create and return auth manager
+    try:
+        bearer_auth = BearerTokenAuthManager(credentials.credentials)
+        if await bearer_auth.is_authenticated():
+            return bearer_auth
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Authentication failed",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+    except (AuthenticationError, ValueError) as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
+
+
+# Type alias for conditional auth dependency
+ConditionalAuthDep = Annotated[
+    AuthManager | None, Depends(get_conditional_auth_manager)
+]

ccproxy/cli/commands/auth.py

@@ -4,7 +4,7 @@ import asyncio
 import json
 from datetime import UTC, datetime, timezone
 from pathlib import Path
-from typing import Optional
+from typing import Annotated, Optional
 
 import typer
 from rich import box
@@ -52,16 +52,20 @@ def get_docker_credential_paths() -> list[Path]:
 
 @app.command(name="validate")
 def validate_credentials(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to validate",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to validate",
+        ),
+    ] = None,
 ) -> None:
     """Validate Claude CLI credentials.
 
@@ -176,16 +180,20 @@ def validate_credentials(
 
 @app.command(name="info")
 def credential_info(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to display info for",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to display info for",
+        ),
+    ] = None,
 ) -> None:
     """Display detailed credential information.
 
@@ -376,16 +384,20 @@ def credential_info(
 
 @app.command(name="login")
 def login_command(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to save to",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to save to",
+        ),
+    ] = None,
 ) -> None:
     """Login to Claude using OAuth authentication.
 
@@ -470,18 +482,22 @@ def login_command(
 
 @app.command()
 def renew(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        "-d",
-        help="Renew credentials for Docker environment",
-    ),
-    credential_file: Path | None = typer.Option(
-        None,
-        "--credential-file",
-        "-f",
-        help="Path to custom credential file",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            "-d",
+            help="Renew credentials for Docker environment",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        Path | None,
+        typer.Option(
+            "--credential-file",
+            "-f",
+            help="Path to custom credential file",
+        ),
+    ] = None,
 ) -> None:
     """Force renew Claude credentials without checking expiration.
 

ccproxy/cli/commands/config/commands.py

@@ -361,7 +361,7 @@ def generate_token(
 
         # Show environment variable commands - server first, then clients
         console.print("[bold]Server Environment Variables:[/bold]")
-        console.print(f"[cyan]export AUTH_TOKEN={token}[/cyan]")
+        console.print(f"[cyan]export SECURITY__AUTH_TOKEN={token}[/cyan]")
         console.print()
 
         console.print("[bold]Client Environment Variables:[/bold]")
@@ -380,7 +380,7 @@ def generate_token(
         console.print()
 
         console.print("[bold]For .env file:[/bold]")
-        console.print(f"[cyan]AUTH_TOKEN={token}[/cyan]")
+        console.print(f"[cyan]SECURITY__AUTH_TOKEN={token}[/cyan]")
         console.print()
 
         console.print("[bold]Usage with curl (using environment variables):[/bold]")