cista 1.3.0__tar.gz → 1.4.1__tar.gz

{cista-1.3.0 → cista-1.4.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cista
-Version: 1.3.0
+Version: 1.4.1
 Summary: Dropbox-like file server with modern web interface
 Project-URL: Homepage, https://git.zi.fi/Vasanko/cista-storage
 Author: Vasanko
@@ -17,6 +17,10 @@ Requires-Dist: argon2-cffi>=25.1.0
 Requires-Dist: av>=15.0.0
 Requires-Dist: blake3>=1.0.5
 Requires-Dist: docopt>=0.6.2
+Requires-Dist: fastapi-vue>=0.5.1
+Requires-Dist: fastapi[standard]>=0.128.0
+Requires-Dist: html5tagger>=1.3.0
+Requires-Dist: httpx>=0.28.0
 Requires-Dist: inotify>=0.2.12
 Requires-Dist: msgspec>=0.19.0
 Requires-Dist: natsort>=8.4.0
@@ -85,6 +89,39 @@ pip install cista --break-system-packages
 
 The server remembers its settings in the config folder (default `~/.local/share/cista/`), including the listen port and directory, for future runs without arguments.
 
+## Authentication
+
+Cista supports three authentication modes:
+
+### Built-in Authentication (default)
+
+User accounts are managed directly by Cista. Create users with the `--user` flag:
+
+```fish
+uvx cista --user admin --privileged  # Create admin user
+uvx cista --user guest               # Create regular user
+```
+
+Privileged users can manage other users and change settings via the Admin Settings menu.
+
+### Public Mode
+
+In public mode, anyone can read, send and even delete files without without logging in. Privileged users can still log in via the menu to access admin settings, from where the public mode can be toggled on or off.
+
+### Paskia SSO Authentication
+
+For centralized authentication, Cista can integrate with [Paskia](https://git.zi.fi/LeoVasanko/paskia) SSO server. Set the `PASKIA_BACKEND_URL` environment variable:
+
+```fish
+PASKIA_BACKEND_URL=http://localhost:4401 uvx cista
+```
+
+In Paskia mode:
+- All `/auth/*` requests are proxied to the Paskia backend
+- Users with `cista:login` permission can access files
+- Users with `cista:admin` permission get privileged access (Admin Settings)
+- Public mode works with Paskia: unauthenticated users can browse, while the menu has option to login
+
 ### Internet Access
 
 Most admins find the [Caddy](https://caddyserver.com/) web server convenient for its auto TLS certificates and all. A proxy also allows running multiple web services or Cista instances on the same IP address but different (sub)domains.

{cista-1.3.0 → cista-1.4.1}/README.md

@@ -38,6 +38,39 @@ pip install cista --break-system-packages
 
 The server remembers its settings in the config folder (default `~/.local/share/cista/`), including the listen port and directory, for future runs without arguments.
 
+## Authentication
+
+Cista supports three authentication modes:
+
+### Built-in Authentication (default)
+
+User accounts are managed directly by Cista. Create users with the `--user` flag:
+
+```fish
+uvx cista --user admin --privileged  # Create admin user
+uvx cista --user guest               # Create regular user
+```
+
+Privileged users can manage other users and change settings via the Admin Settings menu.
+
+### Public Mode
+
+In public mode, anyone can read, send and even delete files without without logging in. Privileged users can still log in via the menu to access admin settings, from where the public mode can be toggled on or off.
+
+### Paskia SSO Authentication
+
+For centralized authentication, Cista can integrate with [Paskia](https://git.zi.fi/LeoVasanko/paskia) SSO server. Set the `PASKIA_BACKEND_URL` environment variable:
+
+```fish
+PASKIA_BACKEND_URL=http://localhost:4401 uvx cista
+```
+
+In Paskia mode:
+- All `/auth/*` requests are proxied to the Paskia backend
+- Users with `cista:login` permission can access files
+- Users with `cista:admin` permission get privileged access (Admin Settings)
+- Public mode works with Paskia: unauthenticated users can browse, while the menu has option to login
+
 ### Internet Access
 
 Most admins find the [Caddy](https://caddyserver.com/) web server convenient for its auto TLS certificates and all. A proxy also allows running multiple web services or Cista instances on the same IP address but different (sub)domains.

{cista-1.3.0 → cista-1.4.1}/cista/__main__.py

@@ -42,13 +42,17 @@ Options:
   --import-droppy   Import Droppy config from ~/.droppy/config
   --dev             Developer mode (reloads, friendlier crashes, more logs)
 
-Listen address, path and imported options are preserved in config, and only
-custom config dir and dev mode need to be specified on subsequent runs.
+Listen address and path are preserved in config,
+and only config dir and dev mode need to be specified on subsequent runs.
 
 User management:
   --user NAME       Create or modify user
   --privileged      Give the user full admin rights
   --password        Reset password
+
+Environment:
+  PASKIA_BACKEND_URL   Paskia single sign-on (e.g. http://localhost:4401)
+                       https://git.zi.fi/leovasanko/paskia
 """
 
 first_time_help = """\
@@ -107,6 +111,7 @@ def _main():
                 f"Importing Droppy: First remove the existing configuration:\n  rm {config.conffile}",
             )
         settings = droppy.readconf()
+        # Droppy's public flag is kept as-is (same name in our config)
     if path:
         settings["path"] = path
     elif not exists:
@@ -115,9 +120,6 @@ def _main():
         settings["listen"] = listen
     elif not exists:
         settings["listen"] = ":8000"
-    if not exists and not import_droppy:
-        # We have no users, so make it public
-        settings["public"] = True
     operation = config.update_config(settings)
     sys.stderr.write(f"Config {operation}: {config.conffile}\n")
     # Prepare to serve

{cista-1.3.0 → cista-1.4.1}/cista/_version.py

@@ -1,2 +1,2 @@
 # This file is automatically generated by hatch build.
-__version__ = '1.3.0'
+__version__ = '1.4.1'

{cista-1.3.0 → cista-1.4.1}/cista/api.py

@@ -3,9 +3,10 @@ import typing
 from secrets import token_bytes
 
 import msgspec
-from sanic import Blueprint
+from sanic import Blueprint, json
+from sanic.exceptions import BadRequest
 
-from cista import __version__, config, watching
+from cista import __version__, auth, config, sso, watching
 from cista.fileio import FileServer
 from cista.protocol import ControlTypes, FileRange, StatusMsg
 from cista.util.apphelpers import asend, websocket_wrapper
@@ -92,6 +93,28 @@ async def control(req, ws):
 @bp.websocket("watch")
 @websocket_wrapper
 async def watch(req, ws):
+    # Build user info from either built-in auth or SSO
+    user_info = None
+    if sso.paskia_enabled():
+        # SSO auth: call validation to get user info (don't enforce auth in public mode)
+        try:
+            await sso.validate_sso_request(req)
+        except Exception:
+            pass  # Ignore auth errors, user_info stays None
+        if sso_user := getattr(req.ctx, "sso_user", None):
+            ctx = sso_user.get("ctx", {})
+            perms = ctx.get("permissions", [])
+            user_info = {
+                "username": ctx.get("user", {}).get("display_name", ""),
+                "privileged": "cista:admin" in perms,
+            }
+    elif req.ctx.user:
+        # Built-in auth: use local user database
+        user_info = {
+            "username": req.ctx.username,
+            "privileged": req.ctx.user.privileged,
+        }
+
     await ws.send(
         msgspec.json.encode(
             {
@@ -99,13 +122,9 @@ async def watch(req, ws):
                     "name": config.config.name or config.config.path.name,
                     "version": __version__,
                     "public": config.config.public,
+                    "paskia": sso.paskia_enabled(),
                 },
-                "user": {
-                    "username": req.ctx.username,
-                    "privileged": req.ctx.user.privileged,
-                }
-                if req.ctx.user
-                else None,
+                "user": user_info,
             }
         ).decode()
     )
@@ -136,3 +155,18 @@ def subscribe(uuid, ws):
             watching.format_space(watching.state.space),
             watching.format_root(watching.state.root),
         )
+
+
+@bp.put("config/public")
+async def update_public(request):
+    await auth.verify(request, privileged=True)
+    try:
+        public = request.json["public"]
+        if not isinstance(public, bool):
+            raise ValueError("public must be a boolean")
+    except KeyError:
+        raise BadRequest("Missing public field") from None
+    except ValueError as e:
+        raise BadRequest(str(e)) from None
+    config.update_config({"public": public})
+    return json({"message": "Public access setting updated", "public": public})

{cista-1.3.0 → cista-1.4.1}/cista/app.py

@@ -18,7 +18,7 @@ from setproctitle import setproctitle
 from stream_zip import ZIP_AUTO, stream_zip
 from zstandard import ZstdCompressor
 
-from cista import auth, config, preview, session, watching
+from cista import auth, config, preview, session, sso, watching
 from cista.api import bp
 from cista.util.apphelpers import handle_sanic_exception
 
@@ -26,7 +26,11 @@ from cista.util.apphelpers import handle_sanic_exception
 sanic.helpers._ENTITY_HEADERS = frozenset()
 
 app = Sanic("cista", strict_slashes=True)
-app.blueprint(auth.bp)
+# Register either SSO proxy or built-in auth routes based on PASKIA_BACKEND_URL
+if sso.paskia_enabled():
+    app.blueprint(sso.bp)  # SSO proxy for /auth/* routes
+else:
+    app.blueprint(auth.bp)  # Built-in auth routes
 app.blueprint(preview.bp)
 app.blueprint(bp)
 app.exception(Exception)(handle_sanic_exception)
@@ -52,6 +56,7 @@ async def main_stop(app):
     quit.set()
     watching.stop(app)
     app.ctx.threadexec.shutdown()
+    await sso.close_client()
     logger.debug("Cista worker threads all finished")
 
 
@@ -74,10 +79,23 @@ async def use_session(req):
         raise Forbidden("Invalid origin: Cross-Site requests not permitted")
 
 
+@app.on_response
+async def forward_sso_cookies(req, res):
+    """Forward Set-Cookie headers from SSO validation to client."""
+    if cookies := getattr(req.ctx, "sso_cookies", None):
+        for cookie in cookies:
+            res.headers.add("set-cookie", cookie)
+
+
 @app.before_server_start
 def http_fileserver(app):
     bp = Blueprint("fileserver")
-    bp.on_request(auth.verify)
+
+    @bp.on_request
+    async def verify_fileserver(request):
+        """Verify access to file server routes."""
+        await auth.verify(request)
+
     bp.static(
         "/files/",
         config.config.path,
@@ -211,7 +229,7 @@ async def wwwroot(req, path=""):
 @app.route("/favicon.ico", methods=["GET", "HEAD"])
 async def favicon(req):
     # Browsers keep asking for it when viewing files (not HTML with icon link)
-    return redirect("/assets/logo-97d1d7eb.svg", status=308)
+    return redirect("/assets/logo-ctv8tVwU.svg", status=308)
 
 
 def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
@@ -239,6 +257,7 @@ def get_files(wanted: set) -> list[tuple[PurePosixPath, Path]]:
 @app.get("/zip/<keys>/<zipfile:ext=zip>")
 async def zip_download(req, keys, zipfile, ext):
     """Download a zip archive of the given keys"""
+    await auth.verify(req)
 
     wanted = set(keys.split("+"))
     files = get_files(wanted)

{cista-1.3.0 → cista-1.4.1}/cista/auth.py

@@ -12,6 +12,174 @@ from sanic.exceptions import BadRequest, Forbidden, Unauthorized
 from cista import config, session
 from cista.util import pwgen
 
+_LOGIN_PAGE_CSS = """\
+/* ===========================================
+   LOGIN PAGE STYLES
+   Must match ModalDialog.vue global styles.
+   =========================================== */
+* { box-sizing: border-box; }
+body {
+    font-family: 'Roboto', system-ui, -apple-system, sans-serif;
+    font-size: 1rem;
+    margin: 0;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: transparent;
+}
+.login-card {
+    background: #ddd;
+    color: #000;
+    border-radius: 0.5rem;
+    box-shadow: 0 0 1rem #0008;
+    width: 100%;
+    max-width: 320px;
+}
+h1 {
+    background: #146;
+    color: #fff;
+    margin: 0;
+    padding: 0.5rem 1rem;
+    font-size: 1.2rem;
+    font-weight: normal;
+    border-radius: 0.5rem 0.5rem 0 0;
+}
+.content {
+    padding: 1rem;
+}
+.message {
+    color: #444;
+    margin: 0 0 0.5rem 0;
+    font-size: 0.875rem;
+}
+form {
+    display: grid;
+    grid-template-columns: auto 1fr;
+    gap: 0.5rem 1rem;
+    align-items: center;
+}
+label {
+    font-size: 1rem;
+}
+input[type="text"],
+input[type="password"] {
+    font: inherit;
+    font-size: 1rem;
+    padding: 0.5rem;
+    border: 2px solid #888;
+    border-radius: 0.25rem;
+    background: #fff;
+    color: #000;
+    min-width: 0;
+}
+input:focus {
+    outline: none;
+    border-color: #f80;
+}
+.button-row {
+    grid-column: 1 / -1;
+    display: flex;
+    justify-content: flex-end;
+    margin-top: 0.5rem;
+}
+button {
+    font: inherit;
+    font-size: 1rem;
+    padding: 0.5rem 1rem;
+    background: #146;
+    color: #fff;
+    border: none;
+    border-radius: 0.25rem;
+    cursor: pointer;
+}
+button:hover { background: #f80; }
+button:disabled {
+    background: #888;
+    cursor: not-allowed;
+}
+.error {
+    grid-column: 1 / -1;
+    color: #c00;
+    font-size: 0.875rem;
+    min-height: 1.2em;
+    margin: 0;
+}
+"""
+
+_LOGIN_PAGE_JS = """\
+const form = document.getElementById('loginForm');
+const error = document.getElementById('error');
+const submitBtn = document.getElementById('submitBtn');
+const usernameField = document.getElementById('username');
+const passwordField = document.getElementById('password');
+const isInIframe = window.parent !== window;
+
+// Focus username field on load
+usernameField.focus();
+
+const showError = (msg) => {
+    error.textContent = msg;
+    submitBtn.disabled = false;
+    submitBtn.textContent = 'Log in';
+    // Focus and select the relevant field
+    if (msg.toLowerCase().includes('password')) {
+        passwordField.focus();
+        passwordField.select();
+    } else {
+        usernameField.focus();
+        usernameField.select();
+    }
+};
+
+form.onsubmit = async (e) => {
+    e.preventDefault();
+    error.textContent = '';
+    submitBtn.disabled = true;
+    submitBtn.textContent = 'Logging in...';
+
+    try {
+        const res = await fetch('/auth/login', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Accept': 'application/json'
+            },
+            body: JSON.stringify({
+                username: usernameField.value,
+                password: passwordField.value
+            })
+        });
+
+        if (res.ok) {
+            if (isInIframe) {
+                window.parent.postMessage({type: 'auth-success'}, '*');
+            } else {
+                window.location.href = '/';
+            }
+        } else {
+            const data = await res.json();
+            showError(data.message || data.detail || 'Login failed');
+        }
+    } catch (err) {
+        showError('Connection error. Please try again.');
+    }
+};
+"""
+
+# Import for SSO validation (lazily loaded to avoid circular imports)
+_sso_module = None
+
+
+def _get_sso():
+    global _sso_module
+    if _sso_module is None:
+        from cista import sso
+
+        _sso_module = sso
+    return _sso_module
+
+
 _argon = argon2.PasswordHasher()
 _droppyhash = re.compile(r"^([a-f0-9]{64})\$([a-f0-9]{8})$")
 
@@ -63,62 +231,106 @@ class LoginResponse(msgspec.Struct):
     error: str = ""
 
 
-def verify(request, *, privileged=False):
-    """Raise Unauthorized or Forbidden if the request is not authorized"""
+async def verify(request, *, privileged=False):
+    """Verify that the request is authorized.
+
+    For paskia mode (PASKIA_BACKEND_URL set), validates against the SSO backend.
+    For built-in mode, checks session-based authentication.
+    For public mode (config.public=True), skips auth unless privileged is required.
+
+    Args:
+        request: The Sanic request object
+        privileged: If True, requires admin privileges (always enforced even in public mode)
+
+    Raises:
+        Unauthorized: If authentication is required
+        Forbidden: If access is denied
+    """
+    # Public mode: skip auth unless privileged access is required
+    if config.config.public and not privileged:
+        return
+
+    sso = _get_sso()
+    if sso.paskia_enabled():
+        perm = "cista:admin" if privileged else "cista:login"
+        await sso.validate_sso_request(request, perm=perm)
+        return
+
+    user = getattr(request.ctx, "user", None)
     if privileged:
-        if request.ctx.user:
-            if request.ctx.user.privileged:
-                return
-            raise Forbidden("Access Forbidden: Only for privileged users", quiet=True)
-    elif config.config.public or request.ctx.user:
+        if user and user.privileged:
+            return
+        raise Forbidden(
+            "Access Forbidden: Only for privileged users",
+            quiet=True,
+        )
+    if user:
         return
-    raise Unauthorized(f"Login required for {request.path}", "cookie", quiet=True)
+    raise Unauthorized(
+        f"Login required for {request.path}",
+        "cookie",
+        context={"auth": {"iframe": "/auth/restricted"}},
+        quiet=True,
+    )
 
 
-bp = Blueprint("auth")
+# Blueprint for built-in auth (only registered when paskia is NOT enabled)
+bp = Blueprint("auth", url_prefix="/auth")
 
 
-@bp.get("/login")
+@bp.get("/restricted")
 async def login_page(request):
-    doc = Document("Cista Login")
-    with doc.div(id="login"):
-        with doc.form(method="POST", autocomplete="on"):
-            doc.h1("Login")
-            doc.input(
-                name="username",
-                placeholder="Username",
-                autocomplete="username",
-                required=True,
-            ).br
-            doc.input(
-                type="password",
-                name="password",
-                placeholder="Password",
-                autocomplete="current-password",
-                required=True,
-            ).br
-            doc.input(type="submit", value="Login")
-        s = session.get(request)
-        if s:
-            name = s["username"]
-            with doc.form(method="POST", action="/logout"):
-                doc.input(type="submit", value=f"Logout {name}")
-    flash = request.cookies.message
-    if flash:
-        doc.dialog(
-            flash,
-            id="flash",
-            open=True,
-            style="position: fixed; top: 0; left: 0; width: 100%; opacity: .8",
-        )
+    """Login page that works both standalone and in paskia iframe."""
+    s = session.get(request)
+
+    # Check if already logged in
+    if s:
+        # Already authenticated - signal success if in iframe
+        return html(_login_success_page(s["username"]))
+
+    doc = Document("Cista - Login")
+    # Add paskia-compatible styling and scripts
+    doc.style(_LOGIN_PAGE_CSS)
+    with doc.div(class_="login-card"):
+        doc.h1("Authentication Required")
+        with doc.div(class_="content"):
+            with doc.form(method="POST", id="loginForm", autocomplete="on"):
+                doc.label("Username:", for_="username")
+                doc.input(
+                    type="text",
+                    id="username",
+                    name="username",
+                    autocomplete="username webauthn",
+                    required=True,
+                )
+                doc.label("Password:", for_="password")
+                doc.input(
+                    type="password",
+                    id="password",
+                    name="password",
+                    autocomplete="current-password webauthn",
+                    required=True,
+                )
+                with doc.div(class_="button-row"):
+                    doc.button("Log in", type="submit", id="submitBtn")
+                doc.p("", class_="error", id="error")
+
+    # JavaScript for AJAX login and postMessage communication
+    doc.script_(_LOGIN_PAGE_JS)
+
     res = html(doc)
-    if flash:
-        res.cookies.delete_cookie("flash")
     if s is False:
         session.delete(res)
     return res
 
 
+def _login_success_page(username: str) -> str:
+    """Minimal page that signals auth-success to parent iframe."""
+    return str(
+        Document().script_("window.parent.postMessage({type:'auth-success'},'*')")
+    )
+
+
 @bp.post("/login")
 async def login_post(request):
     try:
@@ -149,7 +361,7 @@ async def login_post(request):
     return res
 
 
-@bp.post("/logout")
+@bp.post("/api/logout")
 async def logout_post(request):
     s = request.ctx.session
     msg = "Logged out" if s else "Not logged in"
@@ -196,7 +408,7 @@ async def change_password(request):
 
 @bp.get("/users")
 async def list_users(request):
-    verify(request, privileged=True)
+    await verify(request, privileged=True)
     users = []
     for name, user in config.config.users.items():
         users.append(
@@ -211,7 +423,7 @@ async def list_users(request):
 
 @bp.post("/users")
 async def create_user(request):
-    verify(request, privileged=True)
+    await verify(request, privileged=True)
     try:
         if request.headers.content_type == "application/json":
             username = request.json["username"]
@@ -240,7 +452,7 @@ async def create_user(request):
 
 @bp.put("/users/<username>")
 async def update_user(request, username):
-    verify(request, privileged=True)
+    await verify(request, privileged=True)
     try:
         if request.headers.content_type == "application/json":
             changes = request.json
@@ -273,7 +485,7 @@ async def update_user(request, username):
 
 @bp.delete("/users/<username>")
 async def delete_user(request, username):
-    verify(request, privileged=True)
+    await verify(request, privileged=True)
     if username not in config.config.users:
         raise BadRequest("User does not exist")
     try:
@@ -281,14 +493,3 @@ async def delete_user(request, username):
     except Exception as e:
         raise BadRequest(str(e)) from e
     return json({"message": f"User {username} deleted"})
-
-
-@bp.put("/config/public")
-async def update_public(request):
-    verify(request, privileged=True)
-    try:
-        public = request.json["public"]
-    except KeyError:
-        raise BadRequest("Missing public field") from None
-    config.update_config({"public": public})
-    return json({"message": "Public setting updated"})

{cista-1.3.0 → cista-1.4.1}/cista/config.py

@@ -152,7 +152,15 @@ def modifies_config(
 def load_config():
     global config
     init_confdir()
-    config = msgspec.toml.decode(conffile.read_bytes(), type=Config, dec_hook=dec_hook)
+    raw = conffile.read_bytes()
+    config = msgspec.toml.decode(raw, type=Config, dec_hook=dec_hook)
+    # Migrate from old authentication field if present
+    raw_dict = msgspec.toml.decode(raw)
+    if "authentication" in raw_dict and "public" not in raw_dict:
+        # Old config with authentication mode: migrate to public bool
+        new_public = raw_dict["authentication"] == "none"
+        config = msgspec.structs.replace(config, public=new_public)
+        update_config({})  # Save the migrated config
 
 
 @modifies_config