ccproxy-api 0.1.6__py3-none-any.whl → 0.2.0__py3-none-any.whl

ccproxy/auth/oauth/templates.py

@@ -0,0 +1,342 @@
+"""Centralized HTML templates for OAuth responses."""
+
+from enum import Enum
+from typing import Any
+
+from fastapi.responses import HTMLResponse
+
+
+class OAuthProvider(Enum):
+    """OAuth provider types."""
+
+    CLAUDE = "Claude"
+    OPENAI = "OpenAI"
+    GENERIC = "OAuth Provider"
+
+
+class OAuthTemplates:
+    """Centralized HTML templates for OAuth responses.
+
+    This class provides consistent HTML responses across all OAuth providers,
+    reducing code duplication and ensuring a uniform user experience.
+    """
+
+    # Base HTML template with common styling
+    _BASE_TEMPLATE = """
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>{title}</title>
+        <style>
+            body {{
+                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                display: flex;
+                justify-content: center;
+                align-items: center;
+                height: 100vh;
+                margin: 0;
+                padding: 20px;
+                box-sizing: border-box;
+            }}
+            .container {{
+                background: white;
+                border-radius: 12px;
+                box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
+                padding: 40px;
+                max-width: 500px;
+                width: 100%;
+                text-align: center;
+            }}
+            h1 {{
+                color: {header_color};
+                margin: 0 0 20px 0;
+                font-size: 28px;
+                font-weight: 600;
+            }}
+            .icon {{
+                font-size: 48px;
+                margin-bottom: 20px;
+            }}
+            p {{
+                color: #4a5568;
+                font-size: 16px;
+                line-height: 1.6;
+                margin: 10px 0;
+            }}
+            .error-detail {{
+                background-color: #fef2f2;
+                border: 1px solid #fecaca;
+                border-radius: 6px;
+                padding: 12px;
+                margin-top: 20px;
+                color: #991b1b;
+                font-family: 'Courier New', Courier, monospace;
+                font-size: 14px;
+                text-align: left;
+                word-wrap: break-word;
+            }}
+            .success-message {{
+                background-color: #f0fdf4;
+                border: 1px solid #86efac;
+                border-radius: 6px;
+                padding: 12px;
+                margin-top: 20px;
+                color: #166534;
+            }}
+            .countdown {{
+                color: #6b7280;
+                font-size: 14px;
+                margin-top: 20px;
+            }}
+            .action-hint {{
+                color: #9ca3af;
+                font-size: 14px;
+                margin-top: 15px;
+            }}
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            {content}
+        </div>
+        {script}
+    </body>
+    </html>
+    """
+
+    # Success content template
+    _SUCCESS_CONTENT = """
+        <div class="icon">✅</div>
+        <h1>Authentication Successful!</h1>
+        <p>You have successfully authenticated with {provider}.</p>
+        <div class="success-message">
+            Your credentials have been saved securely.
+        </div>
+        <p class="action-hint">You can close this window and return to the terminal.</p>
+        <div class="countdown" id="countdown">This window will close automatically in 3 seconds...</div>
+    """
+
+    # Error content template
+    _ERROR_CONTENT = """
+        <div class="icon">❌</div>
+        <h1>{title}</h1>
+        <p>{message}</p>
+        {error_detail}
+        <p class="action-hint">You can close this window and try again.</p>
+        <div class="countdown" id="countdown">This window will close automatically in 5 seconds...</div>
+    """
+
+    # Auto-close script
+    _AUTO_CLOSE_SCRIPT = """
+    <script>
+        let seconds = {seconds};
+        const countdownEl = document.getElementById('countdown');
+
+        const updateCountdown = () => {{
+            if (seconds > 0) {{
+                countdownEl.textContent = `This window will close automatically in ${{seconds}} second${{seconds === 1 ? '' : 's'}}...`;
+                seconds--;
+                setTimeout(updateCountdown, 1000);
+            }} else {{
+                countdownEl.textContent = 'Closing window...';
+                window.close();
+            }}
+        }};
+
+        updateCountdown();
+
+        // Try to close even if countdown doesn't work
+        setTimeout(() => {{
+            window.close();
+        }}, {milliseconds});
+    </script>
+    """
+
+    @classmethod
+    def success(
+        cls,
+        provider: OAuthProvider = OAuthProvider.GENERIC,
+        auto_close_seconds: int = 3,
+        **kwargs: Any,
+    ) -> HTMLResponse:
+        """Generate success HTML response.
+
+        Args:
+            provider: OAuth provider name
+            auto_close_seconds: Seconds before auto-closing window
+            **kwargs: Additional template variables
+
+        Returns:
+            HTML response for successful authentication
+        """
+        content = cls._SUCCESS_CONTENT.format(provider=provider.value, **kwargs)
+
+        script = cls._AUTO_CLOSE_SCRIPT.format(
+            seconds=auto_close_seconds, milliseconds=auto_close_seconds * 1000
+        )
+
+        html = cls._BASE_TEMPLATE.format(
+            title="Authentication Successful",
+            header_color="#10b981",
+            content=content,
+            script=script,
+        )
+
+        return HTMLResponse(content=html, status_code=200)
+
+    @classmethod
+    def error(
+        cls,
+        error_message: str,
+        title: str = "Authentication Failed",
+        error_detail: str | None = None,
+        status_code: int = 400,
+        auto_close_seconds: int = 5,
+        **kwargs: Any,
+    ) -> HTMLResponse:
+        """Generate error HTML response.
+
+        Args:
+            error_message: Main error message to display
+            title: Page and header title
+            error_detail: Optional detailed error information
+            status_code: HTTP status code
+            auto_close_seconds: Seconds before auto-closing window
+            **kwargs: Additional template variables
+
+        Returns:
+            HTML response for failed authentication
+        """
+        error_detail_html = ""
+        if error_detail:
+            # Sanitize error detail to prevent XSS
+            safe_detail = cls._sanitize_html(error_detail)
+            error_detail_html = f'<div class="error-detail">{safe_detail}</div>'
+
+        content = cls._ERROR_CONTENT.format(
+            title=title,
+            message=error_message,
+            error_detail=error_detail_html,
+            **kwargs,
+        )
+
+        script = cls._AUTO_CLOSE_SCRIPT.format(
+            seconds=auto_close_seconds, milliseconds=auto_close_seconds * 1000
+        )
+
+        html = cls._BASE_TEMPLATE.format(
+            title=title, header_color="#ef4444", content=content, script=script
+        )
+
+        return HTMLResponse(content=html, status_code=status_code)
+
+    @classmethod
+    def callback_error(
+        cls,
+        error: str | None = None,
+        error_description: str | None = None,
+        provider: OAuthProvider = OAuthProvider.GENERIC,
+        **kwargs: Any,
+    ) -> HTMLResponse:
+        """Generate error response for OAuth callback errors.
+
+        Args:
+            error: OAuth error code
+            error_description: OAuth error description
+            provider: OAuth provider name
+            **kwargs: Additional template variables
+
+        Returns:
+            HTML response for callback errors
+        """
+        if error == "access_denied":
+            return cls.error(
+                error_message=f"You denied access to {provider.value}.",
+                title="Access Denied",
+                error_detail=error_description,
+                **kwargs,
+            )
+        elif error == "invalid_request":
+            return cls.error(
+                error_message="The authentication request was invalid.",
+                title="Invalid Request",
+                error_detail=error_description
+                or "The OAuth request parameters were incorrect.",
+                **kwargs,
+            )
+        elif error == "unauthorized_client":
+            return cls.error(
+                error_message="This application is not authorized.",
+                title="Unauthorized Application",
+                error_detail=error_description
+                or "The client is not authorized to use this grant type.",
+                **kwargs,
+            )
+        elif error == "unsupported_response_type":
+            return cls.error(
+                error_message="The authorization server does not support this response type.",
+                title="Unsupported Response Type",
+                error_detail=error_description,
+                **kwargs,
+            )
+        elif error == "invalid_scope":
+            return cls.error(
+                error_message="The requested scope is invalid or unknown.",
+                title="Invalid Scope",
+                error_detail=error_description,
+                **kwargs,
+            )
+        elif error == "server_error":
+            return cls.error(
+                error_message=f"The {provider.value} server encountered an error.",
+                title="Server Error",
+                error_detail=error_description or "Please try again later.",
+                status_code=500,
+                **kwargs,
+            )
+        elif error == "temporarily_unavailable":
+            return cls.error(
+                error_message=f"The {provider.value} service is temporarily unavailable.",
+                title="Service Unavailable",
+                error_detail=error_description or "Please try again later.",
+                status_code=503,
+                **kwargs,
+            )
+        else:
+            # Generic error
+            return cls.error(
+                error_message=error_description
+                or error
+                or "An unknown error occurred.",
+                title="Authentication Error",
+                error_detail=f"Error code: {error}" if error else None,
+                **kwargs,
+            )
+
+    @classmethod
+    def _sanitize_html(cls, text: str) -> str:
+        """Sanitize text for safe HTML display.
+
+        Args:
+            text: Text to sanitize
+
+        Returns:
+            Sanitized text safe for HTML display
+        """
+        # Basic HTML entity escaping
+        replacements = {
+            "&": "&amp;",
+            "<": "&lt;",
+            ">": "&gt;",
+            '"': "&quot;",
+            "'": "&#x27;",
+            "/": "&#x2F;",
+        }
+
+        for char, entity in replacements.items():
+            text = text.replace(char, entity)
+
+        return text

ccproxy/auth/storage/__init__.py

@@ -1,12 +1,9 @@
 """Token storage implementations for authentication."""
 
-from ccproxy.auth.storage.base import TokenStorage
-from ccproxy.auth.storage.json_file import JsonFileTokenStorage
-from ccproxy.auth.storage.keyring import KeyringTokenStorage
+from ccproxy.auth.storage.base import BaseJsonStorage, TokenStorage
 
 
 __all__ = [
     "TokenStorage",
-    "JsonFileTokenStorage",
-    "KeyringTokenStorage",
+    "BaseJsonStorage",
 ]

ccproxy/auth/storage/base.py

@@ -1,15 +1,33 @@
 """Abstract base class for token storage."""
 
+import asyncio
+import contextlib
+import json
+import shutil
 from abc import ABC, abstractmethod
+from datetime import datetime
+from pathlib import Path
+from typing import Any, Generic, TypeVar
 
-from ccproxy.auth.models import ClaudeCredentials
+from ccproxy.auth.exceptions import CredentialsInvalidError, CredentialsStorageError
+from ccproxy.auth.models.credentials import BaseCredentials
+from ccproxy.core.logging import get_logger
 
 
-class TokenStorage(ABC):
-    """Abstract interface for token storage operations."""
+logger = get_logger(__name__)
+
+CredentialsT = TypeVar("CredentialsT", bound=BaseCredentials)
+
+
+class TokenStorage(ABC, Generic[CredentialsT]):
+    """Abstract interface for token storage operations.
+
+    This is a generic interface that can work with any credential type
+    that extends BaseModel (e.g., ClaudeCredentials, OpenAICredentials).
+    """
 
     @abstractmethod
-    async def load(self) -> ClaudeCredentials | None:
+    async def load(self) -> CredentialsT | None:
         """Load credentials from storage.
 
         Returns:
@@ -18,7 +36,7 @@ class TokenStorage(ABC):
         pass
 
     @abstractmethod
-    async def save(self, credentials: ClaudeCredentials) -> bool:
+    async def save(self, credentials: CredentialsT) -> bool:
         """Save credentials to storage.
 
         Args:
@@ -55,3 +73,259 @@ class TokenStorage(ABC):
             Human-readable description of where credentials are stored
         """
         pass
+
+
+class BaseJsonStorage(TokenStorage[CredentialsT], Generic[CredentialsT]):
+    """Base class for JSON file storage implementations.
+
+    This class provides common JSON read/write operations with error handling,
+    atomic writes, and proper permission management.
+
+    This is a generic class that can work with any credential type.
+    """
+
+    def __init__(self, file_path: Path, enable_backups: bool = True):
+        """Initialize JSON storage.
+
+        Args:
+            file_path: Path to JSON file for storage
+            enable_backups: Whether to create backups before overwriting
+        """
+        self.file_path = file_path
+        self.enable_backups = enable_backups
+
+    async def _read_json(self) -> dict[str, Any]:
+        """Read JSON data from file with error handling.
+
+        Returns:
+            Parsed JSON data or empty dict if file doesn't exist
+
+        Raises:
+            CredentialsInvalidError: If JSON is invalid
+            CredentialsStorageError: If file cannot be read
+        """
+        if not await self.exists():
+            return {}
+
+        try:
+            # Run file I/O in thread pool to avoid blocking
+            def read_file() -> dict[str, Any]:
+                with self.file_path.open("r") as f:
+                    return json.load(f)  # type: ignore[no-any-return]
+
+            data = await asyncio.to_thread(read_file)
+            return data
+
+        except json.JSONDecodeError as e:
+            logger.warning(
+                "json_decode_error",
+                path=str(self.file_path),
+                error=str(e),
+                line=e.lineno,
+                category="auth",
+            )
+            raise CredentialsInvalidError(
+                f"Invalid JSON in {self.file_path}: {e}"
+            ) from e
+
+        except FileNotFoundError:
+            # File was deleted between exists() check and read
+            return {}
+
+        except PermissionError as e:
+            logger.error(
+                "permission_denied",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Permission denied: {self.file_path}") from e
+
+        except OSError as e:
+            logger.error(
+                "file_read_error",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Error reading {self.file_path}: {e}") from e
+
+    async def _create_backup(self) -> bool:
+        """Create a timestamped backup of the current file.
+
+        Returns:
+            True if backup was created successfully, False otherwise
+        """
+        if not await self.exists():
+            return False
+
+        try:
+            # Generate backup filename with timestamp
+            timestamp = datetime.now().strftime("%Y%m%d-%H%M%S")
+            backup_name = f"{self.file_path.name}.{timestamp}.bak"
+            backup_path = self.file_path.parent / backup_name
+
+            # Copy file to backup location
+            await asyncio.to_thread(shutil.copy2, self.file_path, backup_path)
+
+            logger.debug(
+                "backup_created",
+                original=str(self.file_path),
+                backup=str(backup_path),
+                category="auth",
+            )
+            return True
+
+        except Exception as e:
+            logger.warning(
+                "backup_failed",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+                category="auth",
+            )
+            return False
+
+    async def _write_json(self, data: dict[str, Any]) -> None:
+        """Write JSON data to file atomically with error handling.
+
+        This method performs atomic writes by writing to a temporary file
+        first, then renaming it to the target file. If backups are enabled
+        and the file exists, a backup will be created before overwriting.
+
+        Args:
+            data: Data to write as JSON
+
+        Raises:
+            CredentialsStorageError: If file cannot be written
+        """
+        # Create backup if enabled and file exists
+        if self.enable_backups and await self.exists():
+            await self._create_backup()
+
+        temp_path = self.file_path.with_suffix(".tmp")
+
+        try:
+            # Ensure parent directory exists
+            await asyncio.to_thread(
+                self.file_path.parent.mkdir,
+                parents=True,
+                exist_ok=True,
+            )
+
+            # Run file I/O in thread pool to avoid blocking
+            def write_file() -> None:
+                # Write to temporary file
+                with temp_path.open("w") as f:
+                    json.dump(data, f, indent=2)
+
+                # Set restrictive permissions (read/write for owner only)
+                temp_path.chmod(0o600)
+
+                # Atomic rename
+                temp_path.replace(self.file_path)
+
+            await asyncio.to_thread(write_file)
+
+            logger.debug(
+                "json_write_success",
+                path=str(self.file_path),
+                size=len(json.dumps(data)),
+            )
+
+        except (TypeError, ValueError) as e:
+            logger.error(
+                "json_encode_error",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Failed to encode JSON: {e}") from e
+
+        except PermissionError as e:
+            logger.error(
+                "permission_denied",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Permission denied: {self.file_path}") from e
+
+        except OSError as e:
+            logger.error(
+                "file_write_error",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Error writing {self.file_path}: {e}") from e
+
+        finally:
+            # Clean up temp file if it exists
+            if temp_path.exists():
+                with contextlib.suppress(Exception):
+                    temp_path.unlink()
+
+    async def exists(self) -> bool:
+        """Check if credentials file exists.
+
+        Returns:
+            True if file exists, False otherwise
+        """
+        # Run file system check in thread pool for consistency
+        file_exists = await asyncio.to_thread(
+            lambda: self.file_path.exists() and self.file_path.is_file()
+        )
+
+        logger.debug(
+            "auth_file_existence_check",
+            file_path=str(self.file_path),
+            exists=file_exists,
+            category="auth",
+        )
+
+        return file_exists
+
+    async def delete(self) -> bool:
+        """Delete credentials file.
+
+        Returns:
+            True if deleted successfully, False if file didn't exist
+
+        Raises:
+            CredentialsStorageError: If file cannot be deleted
+        """
+        try:
+            if await self.exists():
+                await asyncio.to_thread(self.file_path.unlink)
+                logger.debug("file_deleted", path=str(self.file_path))
+                return True
+            return False
+
+        except PermissionError as e:
+            logger.error(
+                "permission_denied",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(f"Permission denied: {self.file_path}") from e
+
+        except OSError as e:
+            logger.error(
+                "file_delete_error",
+                path=str(self.file_path),
+                error=str(e),
+                exc_info=e,
+            )
+            raise CredentialsStorageError(
+                f"Error deleting {self.file_path}: {e}"
+            ) from e
+
+    def get_location(self) -> str:
+        """Get the storage location description.
+
+        Returns:
+            Path to the JSON file
+        """
+        return str(self.file_path)