cista 1.3.0__tar.gz → 1.4.0__tar.gz

{cista-1.3.0 → cista-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cista
-Version: 1.3.0
+Version: 1.4.0
 Summary: Dropbox-like file server with modern web interface
 Project-URL: Homepage, https://git.zi.fi/Vasanko/cista-storage
 Author: Vasanko
@@ -17,6 +17,10 @@ Requires-Dist: argon2-cffi>=25.1.0
 Requires-Dist: av>=15.0.0
 Requires-Dist: blake3>=1.0.5
 Requires-Dist: docopt>=0.6.2
+Requires-Dist: fastapi-vue>=0.5.1
+Requires-Dist: fastapi[standard]>=0.128.0
+Requires-Dist: html5tagger>=1.3.0
+Requires-Dist: httpx>=0.28.0
 Requires-Dist: inotify>=0.2.12
 Requires-Dist: msgspec>=0.19.0
 Requires-Dist: natsort>=8.4.0

{cista-1.3.0 → cista-1.4.0}/cista/__main__.py

@@ -42,13 +42,17 @@ Options:
   --import-droppy   Import Droppy config from ~/.droppy/config
   --dev             Developer mode (reloads, friendlier crashes, more logs)
 
-Listen address, path and imported options are preserved in config, and only
-custom config dir and dev mode need to be specified on subsequent runs.
+Listen address and path are preserved in config,
+and only config dir and dev mode need to be specified on subsequent runs.
 
 User management:
   --user NAME       Create or modify user
   --privileged      Give the user full admin rights
   --password        Reset password
+
+Environment:
+  PASKIA_BACKEND_URL   Paskia single sign-on (e.g. http://localhost:4401)
+                       https://git.zi.fi/leovasanko/paskia
 """
 
 first_time_help = """\
@@ -107,6 +111,7 @@ def _main():
                 f"Importing Droppy: First remove the existing configuration:\n  rm {config.conffile}",
             )
         settings = droppy.readconf()
+        # Droppy's public flag is kept as-is (same name in our config)
     if path:
         settings["path"] = path
     elif not exists:
@@ -115,9 +120,6 @@ def _main():
         settings["listen"] = listen
     elif not exists:
         settings["listen"] = ":8000"
-    if not exists and not import_droppy:
-        # We have no users, so make it public
-        settings["public"] = True
     operation = config.update_config(settings)
     sys.stderr.write(f"Config {operation}: {config.conffile}\n")
     # Prepare to serve

{cista-1.3.0 → cista-1.4.0}/cista/_version.py

@@ -1,2 +1,2 @@
 # This file is automatically generated by hatch build.
-__version__ = '1.3.0'
+__version__ = '1.4.0'

{cista-1.3.0 → cista-1.4.0}/cista/api.py

@@ -3,9 +3,10 @@ import typing
 from secrets import token_bytes
 
 import msgspec
-from sanic import Blueprint
+from sanic import Blueprint, json
+from sanic.exceptions import BadRequest
 
-from cista import __version__, config, watching
+from cista import __version__, auth, config, sso, watching
 from cista.fileio import FileServer
 from cista.protocol import ControlTypes, FileRange, StatusMsg
 from cista.util.apphelpers import asend, websocket_wrapper
@@ -92,6 +93,23 @@ async def control(req, ws):
 @bp.websocket("watch")
 @websocket_wrapper
 async def watch(req, ws):
+    # Build user info from either built-in auth or SSO
+    user_info = None
+    if sso_user := getattr(req.ctx, "sso_user", None):
+        # SSO auth (paskia mode): extract from validation response
+        ctx = sso_user.get("ctx", {})
+        perms = ctx.get("permissions", [])
+        user_info = {
+            "username": ctx.get("user", {}).get("display_name", ""),
+            "privileged": "cista:admin" in perms,
+        }
+    elif req.ctx.user:
+        # Built-in auth: use local user database
+        user_info = {
+            "username": req.ctx.username,
+            "privileged": req.ctx.user.privileged,
+        }
+
     await ws.send(
         msgspec.json.encode(
             {
@@ -99,13 +117,9 @@ async def watch(req, ws):
                     "name": config.config.name or config.config.path.name,
                     "version": __version__,
                     "public": config.config.public,
+                    "paskia": sso.paskia_enabled(),
                 },
-                "user": {
-                    "username": req.ctx.username,
-                    "privileged": req.ctx.user.privileged,
-                }
-                if req.ctx.user
-                else None,
+                "user": user_info,
             }
         ).decode()
     )
@@ -136,3 +150,18 @@ def subscribe(uuid, ws):
             watching.format_space(watching.state.space),
             watching.format_root(watching.state.root),
         )
+
+
+@bp.put("config/public")
+async def update_public(request):
+    await auth.verify(request, privileged=True)
+    try:
+        public = request.json["public"]
+        if not isinstance(public, bool):
+            raise ValueError("public must be a boolean")
+    except KeyError:
+        raise BadRequest("Missing public field") from None
+    except ValueError as e:
+        raise BadRequest(str(e)) from None
+    config.update_config({"public": public})
+    return json({"message": "Public access setting updated", "public": public})

{cista-1.3.0 → cista-1.4.0}/cista/app.py

@@ -18,7 +18,7 @@ from setproctitle import setproctitle
 from stream_zip import ZIP_AUTO, stream_zip
 from zstandard import ZstdCompressor
 
-from cista import auth, config, preview, session, watching
+from cista import auth, config, preview, session, sso, watching
 from cista.api import bp
 from cista.util.apphelpers import handle_sanic_exception
 
@@ -26,7 +26,11 @@ from cista.util.apphelpers import handle_sanic_exception
 sanic.helpers._ENTITY_HEADERS = frozenset()
 
 app = Sanic("cista", strict_slashes=True)
-app.blueprint(auth.bp)
+# Register either SSO proxy or built-in auth routes based on PASKIA_BACKEND_URL
+if sso.paskia_enabled():
+    app.blueprint(sso.bp)  # SSO proxy for /auth/* routes
+else:
+    app.blueprint(auth.bp)  # Built-in auth routes
 app.blueprint(preview.bp)
 app.blueprint(bp)
 app.exception(Exception)(handle_sanic_exception)
@@ -52,6 +56,7 @@ async def main_stop(app):
     quit.set()
     watching.stop(app)
     app.ctx.threadexec.shutdown()
+    await sso.close_client()
     logger.debug("Cista worker threads all finished")
 
 
@@ -74,10 +79,23 @@ async def use_session(req):
         raise Forbidden("Invalid origin: Cross-Site requests not permitted")
 
 
+@app.on_response
+async def forward_sso_cookies(req, res):
+    """Forward Set-Cookie headers from SSO validation to client."""
+    if cookies := getattr(req.ctx, "sso_cookies", None):
+        for cookie in cookies:
+            res.headers.add("set-cookie", cookie)
+
+
 @app.before_server_start
 def http_fileserver(app):
     bp = Blueprint("fileserver")
-    bp.on_request(auth.verify)
+
+    @bp.on_request
+    async def verify_fileserver(request):
+        """Verify access to file server routes."""
+        await auth.verify(request)
+
     bp.static(
         "/files/",
         config.config.path,
@@ -211,7 +229,7 @@ async def wwwroot(req, path=""):
 @app.route("/favicon.ico", methods=["GET", "HEAD"])
 async def favicon(req):
     # Browsers keep asking for it when viewing files (not HTML with icon link)
-    return redirect("/assets/logo-97d1d7eb.svg", status=308)
+    return redirect("/assets/logo-ctv8tVwU.svg", status=308)
 
 
 def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
@@ -239,6 +257,10 @@ def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
 @app.get("/zip/<keys>/<zipfile:ext=zip>")
 async def zip_download(req, keys, zipfile, ext):
     """Download a zip archive of the given keys"""
+    if config.config.authentication == "paskia":
+        await auth.verify_sso(req)
+    else:
+        auth.verify(req)
 
     wanted = set(keys.split("+"))
     files = get_files(wanted)

cista-1.4.0/cista/auth.py

@@ -0,0 +1,498 @@
+import hmac
+import re
+from time import time
+from unicodedata import normalize
+
+import argon2
+import msgspec
+from html5tagger import Document
+from sanic import Blueprint, html, json, redirect
+from sanic.exceptions import BadRequest, Forbidden, Unauthorized
+
+from cista import config, session
+from cista.util import pwgen
+
+_LOGIN_PAGE_CSS = """\
+/* ===========================================
+   LOGIN PAGE STYLES
+   Must match ModalDialog.vue global styles.
+   =========================================== */
+* { box-sizing: border-box; }
+body {
+    font-family: 'Roboto', system-ui, -apple-system, sans-serif;
+    font-size: 1rem;
+    margin: 0;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: transparent;
+}
+.login-card {
+    background: #ddd;
+    color: #000;
+    border-radius: 0.5rem;
+    box-shadow: 0 0 1rem #0008;
+    width: 100%;
+    max-width: 320px;
+}
+h1 {
+    background: #146;
+    color: #fff;
+    margin: 0;
+    padding: 0.5rem 1rem;
+    font-size: 1.2rem;
+    font-weight: normal;
+    border-radius: 0.5rem 0.5rem 0 0;
+}
+.content {
+    padding: 1rem;
+}
+.message {
+    color: #444;
+    margin: 0 0 0.5rem 0;
+    font-size: 0.875rem;
+}
+form {
+    display: grid;
+    grid-template-columns: auto 1fr;
+    gap: 0.5rem 1rem;
+    align-items: center;
+}
+label {
+    font-size: 1rem;
+}
+input[type="text"],
+input[type="password"] {
+    font: inherit;
+    font-size: 1rem;
+    padding: 0.5rem;
+    border: 2px solid #888;
+    border-radius: 0.25rem;
+    background: #fff;
+    color: #000;
+    min-width: 0;
+}
+input:focus {
+    outline: none;
+    border-color: #f80;
+}
+.button-row {
+    grid-column: 1 / -1;
+    display: flex;
+    justify-content: flex-end;
+    margin-top: 0.5rem;
+}
+button {
+    font: inherit;
+    font-size: 1rem;
+    padding: 0.5rem 1rem;
+    background: #146;
+    color: #fff;
+    border: none;
+    border-radius: 0.25rem;
+    cursor: pointer;
+}
+button:hover { background: #f80; }
+button:disabled {
+    background: #888;
+    cursor: not-allowed;
+}
+.error {
+    grid-column: 1 / -1;
+    color: #c00;
+    font-size: 0.875rem;
+    min-height: 1.2em;
+    margin: 0;
+}
+"""
+
+_LOGIN_PAGE_JS = """\
+const form = document.getElementById('loginForm');
+const error = document.getElementById('error');
+const submitBtn = document.getElementById('submitBtn');
+const usernameField = document.getElementById('username');
+const passwordField = document.getElementById('password');
+const isInIframe = window.parent !== window;
+
+// Focus username field on load
+usernameField.focus();
+
+const showError = (msg) => {
+    error.textContent = msg;
+    submitBtn.disabled = false;
+    submitBtn.textContent = 'Log in';
+    // Focus and select the relevant field
+    if (msg.toLowerCase().includes('password')) {
+        passwordField.focus();
+        passwordField.select();
+    } else {
+        usernameField.focus();
+        usernameField.select();
+    }
+};
+
+form.onsubmit = async (e) => {
+    e.preventDefault();
+    error.textContent = '';
+    submitBtn.disabled = true;
+    submitBtn.textContent = 'Logging in...';
+
+    try {
+        const res = await fetch('/auth/login', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Accept': 'application/json'
+            },
+            body: JSON.stringify({
+                username: usernameField.value,
+                password: passwordField.value
+            })
+        });
+
+        if (res.ok) {
+            if (isInIframe) {
+                window.parent.postMessage({type: 'auth-success'}, '*');
+            } else {
+                window.location.href = '/';
+            }
+        } else {
+            const data = await res.json();
+            showError(data.message || data.detail || 'Login failed');
+        }
+    } catch (err) {
+        showError('Connection error. Please try again.');
+    }
+};
+"""
+
+# Import for SSO validation (lazily loaded to avoid circular imports)
+_sso_module = None
+
+
+def _get_sso():
+    global _sso_module
+    if _sso_module is None:
+        from cista import sso
+
+        _sso_module = sso
+    return _sso_module
+
+
+_argon = argon2.PasswordHasher()
+_droppyhash = re.compile(r"^([a-f0-9]{64})\$([a-f0-9]{8})$")
+
+
+def _pwnorm(password):
+    return normalize("NFC", password).strip().encode()
+
+
+def login(username: str, password: str):
+    un = _pwnorm(username)
+    pw = _pwnorm(password)
+    try:
+        u = config.config.users[un.decode()]
+    except KeyError:
+        raise ValueError("Invalid username") from None
+    # Verify password
+    need_rehash = False
+    if not u.hash:
+        raise ValueError("Account disabled")
+    if (m := _droppyhash.match(u.hash)) is not None:
+        h, s = m.groups()
+        h2 = hmac.digest(pw + s.encode() + un, b"", "sha256").hex()
+        if not hmac.compare_digest(h, h2):
+            raise ValueError("Invalid password")
+        # Droppy hashes are weak, do a hash update
+        need_rehash = True
+    else:
+        try:
+            _argon.verify(u.hash, pw)
+        except Exception:
+            raise ValueError("Invalid password") from None
+        if _argon.check_needs_rehash(u.hash):
+            need_rehash = True
+    # Login successful
+    if need_rehash:
+        set_password(u, password)
+    now = int(time())
+    u.lastSeen = now
+    return u
+
+
+def set_password(user: config.User, password: str):
+    user.hash = _argon.hash(_pwnorm(password))
+
+
+class LoginResponse(msgspec.Struct):
+    user: str = ""
+    privileged: bool = False
+    error: str = ""
+
+
+async def verify(request, *, privileged=False):
+    """Verify that the request is authorized.
+
+    For paskia mode (PASKIA_BACKEND_URL set), validates against the SSO backend.
+    For built-in mode, checks session-based authentication.
+    For public mode (config.public=True), allows all requests.
+
+    All 401/403 responses include auth.iframe URL for consistent frontend handling
+    via the paskia library's showAuthIframe().
+
+    Args:
+        request: The Sanic request object
+        privileged: If True, requires admin privileges
+
+    Raises:
+        Unauthorized: If authentication is required
+        Forbidden: If access is denied
+    """
+    sso = _get_sso()
+    if sso.paskia_enabled():
+        # SSO validation against auth backend
+        # Always check cista:login; privileged flag comes from response perm list
+        perm = "cista:admin" if privileged else "cista:login"
+        await sso.validate_sso_request(request, perm=perm)
+        return
+
+    user = getattr(request.ctx, "user", None)
+    if privileged:
+        if user:
+            if user.privileged:
+                return
+            raise Forbidden(
+                "Access Forbidden: Only for privileged users",
+                quiet=True,
+            )
+    elif config.config.public or user:
+        return
+    # Return iframe URL for paskia library to show login dialog
+    raise Unauthorized(
+        f"Login required for {request.path}",
+        "cookie",
+        context={"auth": {"iframe": "/auth/restricted"}},
+        quiet=True,
+    )
+
+
+# Blueprint for built-in auth (only registered when paskia is NOT enabled)
+bp = Blueprint("auth", url_prefix="/auth")
+
+
+@bp.get("/restricted")
+async def login_page(request):
+    """Login page that works both standalone and in paskia iframe."""
+    s = session.get(request)
+
+    # Check if already logged in
+    if s:
+        # Already authenticated - signal success if in iframe
+        return html(_login_success_page(s["username"]))
+
+    doc = Document("Cista - Login")
+    # Add paskia-compatible styling and scripts
+    doc.style(_LOGIN_PAGE_CSS)
+    with doc.div(class_="login-card"):
+        doc.h1("Authentication Required")
+        with doc.div(class_="content"):
+            with doc.form(method="POST", id="loginForm", autocomplete="on"):
+                doc.label("Username:", for_="username")
+                doc.input(
+                    type="text",
+                    id="username",
+                    name="username",
+                    autocomplete="username webauthn",
+                    required=True,
+                )
+                doc.label("Password:", for_="password")
+                doc.input(
+                    type="password",
+                    id="password",
+                    name="password",
+                    autocomplete="current-password webauthn",
+                    required=True,
+                )
+                with doc.div(class_="button-row"):
+                    doc.button("Log in", type="submit", id="submitBtn")
+                doc.p("", class_="error", id="error")
+
+    # JavaScript for AJAX login and postMessage communication
+    doc.script_(_LOGIN_PAGE_JS)
+
+    res = html(doc)
+    if s is False:
+        session.delete(res)
+    return res
+
+
+def _login_success_page(username: str) -> str:
+    """Minimal page that signals auth-success to parent iframe."""
+    return str(
+        Document().script_("window.parent.postMessage({type:'auth-success'},'*')")
+    )
+
+
+@bp.post("/login")
+async def login_post(request):
+    try:
+        if request.headers.content_type == "application/json":
+            username = request.json["username"]
+            password = request.json["password"]
+        else:
+            username = request.form["username"][0]
+            password = request.form["password"][0]
+        if not username or not password:
+            raise KeyError
+    except KeyError:
+        raise BadRequest(
+            "Missing username or password",
+            context={"redirect": "/login"},
+        ) from None
+    try:
+        user = login(username, password)
+    except ValueError as e:
+        raise Forbidden(str(e), context={"redirect": "/login"}) from e
+
+    if "text/html" in request.headers.accept:
+        res = redirect("/")
+        session.flash(res, "Logged in")
+    else:
+        res = json({"data": {"username": username, "privileged": user.privileged}})
+    session.create(res, username)
+    return res
+
+
+@bp.post("/api/logout")
+async def logout_post(request):
+    s = request.ctx.session
+    msg = "Logged out" if s else "Not logged in"
+    if "text/html" in request.headers.accept:
+        res = redirect("/login")
+        res.cookies.add_cookie("flash", msg, max_age=5)
+    else:
+        res = json({"message": msg})
+    session.delete(res)
+    return res
+
+
+@bp.post("/password-change")
+async def change_password(request):
+    try:
+        if request.headers.content_type == "application/json":
+            username = request.json["username"]
+            pwchange = request.json["passwordChange"]
+            password = request.json["password"]
+        else:
+            username = request.form["username"][0]
+            pwchange = request.form["passwordChange"][0]
+            password = request.form["password"][0]
+        if not username or not password:
+            raise KeyError
+    except KeyError:
+        raise BadRequest(
+            "Missing username, passwordChange or password",
+        ) from None
+    try:
+        user = login(username, password)
+        set_password(user, pwchange)
+    except ValueError as e:
+        raise Forbidden(str(e), context={"redirect": "/login"}) from e
+
+    if "text/html" in request.headers.accept:
+        res = redirect("/")
+        session.flash(res, "Password updated")
+    else:
+        res = json({"message": "Password updated"})
+    session.create(res, username)
+    return res
+
+
+@bp.get("/users")
+async def list_users(request):
+    await verify(request, privileged=True)
+    users = []
+    for name, user in config.config.users.items():
+        users.append(
+            {
+                "username": name,
+                "privileged": user.privileged,
+                "lastSeen": user.lastSeen,
+            }
+        )
+    return json({"users": users})
+
+
+@bp.post("/users")
+async def create_user(request):
+    await verify(request, privileged=True)
+    try:
+        if request.headers.content_type == "application/json":
+            username = request.json["username"]
+            password = request.json.get("password")
+            privileged = request.json.get("privileged", False)
+        else:
+            username = request.form["username"][0]
+            password = request.form.get("password", [None])[0]
+            privileged = request.form.get("privileged", ["false"])[0].lower() == "true"
+        if not username or not username.isidentifier():
+            raise ValueError("Invalid username")
+    except (KeyError, ValueError) as e:
+        raise BadRequest(str(e)) from e
+    if username in config.config.users:
+        raise BadRequest("User already exists")
+    if not password:
+        password = pwgen.generate()
+    changes = {"privileged": privileged}
+    changes["hash"] = _argon.hash(_pwnorm(password))
+    try:
+        config.update_user(username, changes)
+    except Exception as e:
+        raise BadRequest(str(e)) from e
+    return json({"message": f"User {username} created", "password": password})
+
+
+@bp.put("/users/<username>")
+async def update_user(request, username):
+    await verify(request, privileged=True)
+    try:
+        if request.headers.content_type == "application/json":
+            changes = request.json
+        else:
+            changes = {}
+            if "password" in request.form:
+                changes["password"] = request.form["password"][0]
+            if "privileged" in request.form:
+                changes["privileged"] = request.form["privileged"][0].lower() == "true"
+    except KeyError as e:
+        raise BadRequest("Missing fields") from e
+    password_response = None
+    if "password" in changes:
+        if changes["password"] == "":
+            changes["password"] = pwgen.generate()
+        password_response = changes["password"]
+        changes["hash"] = _argon.hash(_pwnorm(changes["password"]))
+        del changes["password"]
+    if not changes:
+        return json({"message": "No changes"})
+    try:
+        config.update_user(username, changes)
+    except Exception as e:
+        raise BadRequest(str(e)) from e
+    response = {"message": f"User {username} updated"}
+    if password_response:
+        response["password"] = password_response
+    return json(response)
+
+
+@bp.delete("/users/<username>")
+async def delete_user(request, username):
+    await verify(request, privileged=True)
+    if username not in config.config.users:
+        raise BadRequest("User does not exist")
+    try:
+        config.del_user(username)
+    except Exception as e:
+        raise BadRequest(str(e)) from e
+    return json({"message": f"User {username} deleted"})