cista 1.2.1__tar.gz → 1.4.0__tar.gz

{cista-1.2.1 → cista-1.4.0}/.gitignore

@@ -4,5 +4,5 @@
 __pycache__/
 *.egg-info/
 /cista/_version.py
-/cista/wwwroot/*
+/cista/frontend-build/
 /dist

{cista-1.2.1 → cista-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cista
-Version: 1.2.1
+Version: 1.4.0
 Summary: Dropbox-like file server with modern web interface
 Project-URL: Homepage, https://git.zi.fi/Vasanko/cista-storage
 Author: Vasanko
@@ -17,6 +17,10 @@ Requires-Dist: argon2-cffi>=25.1.0
 Requires-Dist: av>=15.0.0
 Requires-Dist: blake3>=1.0.5
 Requires-Dist: docopt>=0.6.2
+Requires-Dist: fastapi-vue>=0.5.1
+Requires-Dist: fastapi[standard]>=0.128.0
+Requires-Dist: html5tagger>=1.3.0
+Requires-Dist: httpx>=0.28.0
 Requires-Dist: inotify>=0.2.12
 Requires-Dist: msgspec>=0.19.0
 Requires-Dist: natsort>=8.4.0
@@ -26,7 +30,7 @@ Requires-Dist: pillow-heif>=1.1.0
 Requires-Dist: pillow>=11.3.0
 Requires-Dist: pyjwt>=2.10.1
 Requires-Dist: pymupdf>=1.26.3
-Requires-Dist: sanic>=25.3.0
+Requires-Dist: sanic>=25.12.0
 Requires-Dist: setproctitle>=1.3.6
 Requires-Dist: stream-zip>=0.0.83
 Requires-Dist: tomli-w>=1.2.0

{cista-1.2.1 → cista-1.4.0}/cista/__main__.py

@@ -42,13 +42,17 @@ Options:
   --import-droppy   Import Droppy config from ~/.droppy/config
   --dev             Developer mode (reloads, friendlier crashes, more logs)
 
-Listen address, path and imported options are preserved in config, and only
-custom config dir and dev mode need to be specified on subsequent runs.
+Listen address and path are preserved in config,
+and only config dir and dev mode need to be specified on subsequent runs.
 
 User management:
   --user NAME       Create or modify user
   --privileged      Give the user full admin rights
   --password        Reset password
+
+Environment:
+  PASKIA_BACKEND_URL   Paskia single sign-on (e.g. http://localhost:4401)
+                       https://git.zi.fi/leovasanko/paskia
 """
 
 first_time_help = """\
@@ -107,6 +111,7 @@ def _main():
                 f"Importing Droppy: First remove the existing configuration:\n  rm {config.conffile}",
             )
         settings = droppy.readconf()
+        # Droppy's public flag is kept as-is (same name in our config)
     if path:
         settings["path"] = path
     elif not exists:
@@ -115,9 +120,6 @@ def _main():
         settings["listen"] = listen
     elif not exists:
         settings["listen"] = ":8000"
-    if not exists and not import_droppy:
-        # We have no users, so make it public
-        settings["public"] = True
     operation = config.update_config(settings)
     sys.stderr.write(f"Config {operation}: {config.conffile}\n")
     # Prepare to serve

{cista-1.2.1 → cista-1.4.0}/cista/_version.py

@@ -1,2 +1,2 @@
 # This file is automatically generated by hatch build.
-__version__ = '1.2.1'
+__version__ = '1.4.0'

{cista-1.2.1 → cista-1.4.0}/cista/api.py

@@ -3,9 +3,10 @@ import typing
 from secrets import token_bytes
 
 import msgspec
-from sanic import Blueprint
+from sanic import Blueprint, json
+from sanic.exceptions import BadRequest
 
-from cista import __version__, config, watching
+from cista import __version__, auth, config, sso, watching
 from cista.fileio import FileServer
 from cista.protocol import ControlTypes, FileRange, StatusMsg
 from cista.util.apphelpers import asend, websocket_wrapper
@@ -15,12 +16,12 @@ fileserver = FileServer()
 
 
 @bp.before_server_start
-async def start_fileserver(app, _):
+async def start_fileserver(app):
     await fileserver.start()
 
 
 @bp.after_server_stop
-async def stop_fileserver(app, _):
+async def stop_fileserver(app):
     await fileserver.stop()
 
 
@@ -92,6 +93,23 @@ async def control(req, ws):
 @bp.websocket("watch")
 @websocket_wrapper
 async def watch(req, ws):
+    # Build user info from either built-in auth or SSO
+    user_info = None
+    if sso_user := getattr(req.ctx, "sso_user", None):
+        # SSO auth (paskia mode): extract from validation response
+        ctx = sso_user.get("ctx", {})
+        perms = ctx.get("permissions", [])
+        user_info = {
+            "username": ctx.get("user", {}).get("display_name", ""),
+            "privileged": "cista:admin" in perms,
+        }
+    elif req.ctx.user:
+        # Built-in auth: use local user database
+        user_info = {
+            "username": req.ctx.username,
+            "privileged": req.ctx.user.privileged,
+        }
+
     await ws.send(
         msgspec.json.encode(
             {
@@ -99,13 +117,9 @@ async def watch(req, ws):
                     "name": config.config.name or config.config.path.name,
                     "version": __version__,
                     "public": config.config.public,
+                    "paskia": sso.paskia_enabled(),
                 },
-                "user": {
-                    "username": req.ctx.username,
-                    "privileged": req.ctx.user.privileged,
-                }
-                if req.ctx.user
-                else None,
+                "user": user_info,
             }
         ).decode()
     )
@@ -136,3 +150,18 @@ def subscribe(uuid, ws):
             watching.format_space(watching.state.space),
             watching.format_root(watching.state.root),
         )
+
+
+@bp.put("config/public")
+async def update_public(request):
+    await auth.verify(request, privileged=True)
+    try:
+        public = request.json["public"]
+        if not isinstance(public, bool):
+            raise ValueError("public must be a boolean")
+    except KeyError:
+        raise BadRequest("Missing public field") from None
+    except ValueError as e:
+        raise BadRequest(str(e)) from None
+    config.update_config({"public": public})
+    return json({"message": "Public access setting updated", "public": public})

{cista-1.2.1 → cista-1.4.0}/cista/app.py

@@ -18,7 +18,7 @@ from setproctitle import setproctitle
 from stream_zip import ZIP_AUTO, stream_zip
 from zstandard import ZstdCompressor
 
-from cista import auth, config, preview, session, watching
+from cista import auth, config, preview, session, sso, watching
 from cista.api import bp
 from cista.util.apphelpers import handle_sanic_exception
 
@@ -26,7 +26,11 @@ from cista.util.apphelpers import handle_sanic_exception
 sanic.helpers._ENTITY_HEADERS = frozenset()
 
 app = Sanic("cista", strict_slashes=True)
-app.blueprint(auth.bp)
+# Register either SSO proxy or built-in auth routes based on PASKIA_BACKEND_URL
+if sso.paskia_enabled():
+    app.blueprint(sso.bp)  # SSO proxy for /auth/* routes
+else:
+    app.blueprint(auth.bp)  # Built-in auth routes
 app.blueprint(preview.bp)
 app.blueprint(bp)
 app.exception(Exception)(handle_sanic_exception)
@@ -36,22 +40,23 @@ setproctitle("cista-main")
 
 
 @app.before_server_start
-async def main_start(app, loop):
+async def main_start(app):
     config.load_config()
     setproctitle(f"cista {config.config.path.name}")
     workers = max(2, min(8, cpu_count()))
     app.ctx.threadexec = ThreadPoolExecutor(
         max_workers=workers, thread_name_prefix="cista-ioworker"
     )
-    watching.start(app, loop)
+    watching.start(app)
 
 
 # Sanic sometimes fails to execute after_server_stop, so we do it before instead (potentially interrupting handlers)
 @app.before_server_stop
-async def main_stop(app, loop):
+async def main_stop(app):
     quit.set()
     watching.stop(app)
     app.ctx.threadexec.shutdown()
+    await sso.close_client()
     logger.debug("Cista worker threads all finished")
 
 
@@ -74,10 +79,23 @@ async def use_session(req):
         raise Forbidden("Invalid origin: Cross-Site requests not permitted")
 
 
+@app.on_response
+async def forward_sso_cookies(req, res):
+    """Forward Set-Cookie headers from SSO validation to client."""
+    if cookies := getattr(req.ctx, "sso_cookies", None):
+        for cookie in cookies:
+            res.headers.add("set-cookie", cookie)
+
+
 @app.before_server_start
-def http_fileserver(app, _):
+def http_fileserver(app):
     bp = Blueprint("fileserver")
-    bp.on_request(auth.verify)
+
+    @bp.on_request
+    async def verify_fileserver(request):
+        """Verify access to file server routes."""
+        await auth.verify(request)
+
     bp.static(
         "/files/",
         config.config.path,
@@ -93,9 +111,9 @@ www = {}
 
 def _load_wwwroot(www):
     wwwnew = {}
-    base = Path(__file__).with_name("wwwroot")
+    base = Path(__file__).with_name("frontend-build")
     paths = [PurePath()]
-    zstd = ZstdCompressor(level=10)
+    zstd = ZstdCompressor(level=18)
     while paths:
         path = paths.pop(0)
         current = base / path
@@ -211,7 +229,7 @@ async def wwwroot(req, path=""):
 @app.route("/favicon.ico", methods=["GET", "HEAD"])
 async def favicon(req):
     # Browsers keep asking for it when viewing files (not HTML with icon link)
-    return redirect("/assets/logo-97d1d7eb.svg", status=308)
+    return redirect("/assets/logo-ctv8tVwU.svg", status=308)
 
 
 def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
@@ -239,6 +257,10 @@ def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
 @app.get("/zip/<keys>/<zipfile:ext=zip>")
 async def zip_download(req, keys, zipfile, ext):
     """Download a zip archive of the given keys"""
+    if config.config.authentication == "paskia":
+        await auth.verify_sso(req)
+    else:
+        auth.verify(req)
 
     wanted = set(keys.split("+"))
     files = get_files(wanted)