flowforge-io 1.1.0__py3-none-any.whl

flowforge/__init__.py

@@ -0,0 +1 @@
+__version__ = '0.1.0'

flowforge/api/app.py

@@ -0,0 +1,233 @@
+"""Flask application factory."""
+import ipaddress
+import logging
+import os
+from datetime import UTC
+from pathlib import Path
+
+from flask import Flask, jsonify, request, send_from_directory
+from flask_cors import CORS
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
+from werkzeug.middleware.proxy_fix import ProxyFix
+
+from flowforge.db.models import db
+
+limiter = Limiter(key_func=get_remote_address, default_limits=[])
+
+# ── constants ──
+_NOT_FOUND = 'Not found'
+
+_DIST = Path(__file__).parent.parent.parent / 'frontend' / 'dist'
+_DOCS = Path(__file__).parent.parent.parent / 'docs'
+
+
+def create_app(config: dict | None = None) -> Flask:
+    # Configure root logger from LOG_LEVEL env var — no-op if CLI already called basicConfig.
+    _level = getattr(logging, os.environ.get('LOG_LEVEL', 'INFO').upper(), logging.INFO)
+    logging.basicConfig(level=_level, format='%(asctime)s %(levelname)s %(name)s — %(message)s')
+
+    app = Flask(__name__)
+
+    app.config['SQLALCHEMY_DATABASE_URI'] = os.environ.get(
+        'FLOWFORGE_DB_URL', 'postgresql://flowforge:flowforge@localhost:5432/flowforge'  # NOSONAR
+    )
+    app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+    app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024  # 16 MB — prevents OOM on large POST bodies
+
+    # Connection pool tuning — tune via env vars for multi-worker Gunicorn deployments.
+    # Rule of thumb: POOL_SIZE × gunicorn_workers ≤ max_connections on PostgreSQL side.
+    app.config['SQLALCHEMY_POOL_SIZE']    = int(os.environ.get('SQLALCHEMY_POOL_SIZE',    '5'))
+    app.config['SQLALCHEMY_MAX_OVERFLOW'] = int(os.environ.get('SQLALCHEMY_MAX_OVERFLOW', '10'))
+    app.config['SQLALCHEMY_POOL_TIMEOUT'] = int(os.environ.get('SQLALCHEMY_POOL_TIMEOUT', '30'))
+    app.config['SQLALCHEMY_POOL_RECYCLE'] = int(os.environ.get('SQLALCHEMY_POOL_RECYCLE', '1800'))
+
+    # AES-256 encryption key — used exclusively by flowforge/crypto.py
+    app.config['SECRET_KEY'] = os.environ.get('FLOWFORGE_SECRET_KEY', '')  # NOSONAR
+
+    # JWT signing secret — separate from the encryption key (SEC-2)
+    # Falls back to SECRET_KEY for backward compatibility; set FLOWFORGE_JWT_SECRET in production.
+    jwt_secret = os.environ.get('FLOWFORGE_JWT_SECRET', '')
+    if not jwt_secret:
+        jwt_secret = app.config['SECRET_KEY']
+        if jwt_secret and not (config or {}).get('TESTING'):
+            import warnings
+            warnings.warn(
+                'FLOWFORGE_JWT_SECRET is not set — falling back to FLOWFORGE_SECRET_KEY for JWT '
+                'signing. Set a separate FLOWFORGE_JWT_SECRET in production.',
+                stacklevel=2,
+            )
+    app.config['JWT_SECRET'] = jwt_secret
+    app.config['JWT_ALGORITHM'] = 'HS256'
+    app.config['JWT_EXPIRY_HOURS'] = 24
+
+    if config:
+        app.config.update(config)
+
+    # ProxyFix — unwraps X-Forwarded-For so the rate limiter sees the real client IP (SEC-3)
+    # Set FLOWFORGE_TRUSTED_PROXIES=1 when running behind nginx/Traefik/ALB/etc.
+    num_proxies = int(os.environ.get('FLOWFORGE_TRUSTED_PROXIES', '0'))
+    if num_proxies > 0:
+        app.wsgi_app = ProxyFix(app.wsgi_app, x_for=num_proxies, x_proto=num_proxies, x_host=num_proxies)
+
+    db.init_app(app)
+    limiter.init_app(app)
+
+    if os.environ.get('FLOWFORGE_REDIS_URL'):
+        from flowforge.celery_app import init_celery
+        init_celery(app)
+
+    # CORS — warn loudly if FLOWFORGE_CORS_ORIGIN is not set in production (SEC-6)
+    cors_origin = os.environ.get('FLOWFORGE_CORS_ORIGIN', '')
+    if not cors_origin:
+        flask_env = os.environ.get('FLASK_ENV', 'development')
+        is_testing = (config or {}).get('TESTING', False)
+        if flask_env == 'production' and not is_testing:
+            app.logger.warning(
+                'SECURITY: FLOWFORGE_CORS_ORIGIN is not set. '
+                'All cross-origin browser requests to /api/* will be blocked. '
+                'Set FLOWFORGE_CORS_ORIGIN=https://your-domain.com in production.'
+            )
+        cors_origin = 'http://localhost:5173'  # dev/test fallback only
+    CORS(app, resources={r'/api/*': {'origins': cors_origin}})
+
+    _register_blueprints(app)
+    _register_error_handlers(app)
+    _register_ip_allowlist(app)
+
+    with app.app_context():
+        _sweep_stuck_runs(app)
+
+    return app
+
+
+def _register_ip_allowlist(app: Flask) -> None:
+    """If FLOWFORGE_ALLOWED_IPS is set, reject /api/* requests from non-listed IPs."""
+    raw = os.environ.get('FLOWFORGE_ALLOWED_IPS', '').strip()
+    if not raw:
+        return
+
+    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = []
+    for cidr in raw.split(','):
+        cidr = cidr.strip()
+        if not cidr:
+            continue
+        try:
+            networks.append(ipaddress.ip_network(cidr, strict=False))
+        except ValueError:
+            app.logger.warning('FLOWFORGE_ALLOWED_IPS: invalid CIDR %r — skipped', cidr)
+
+    if not networks:
+        return
+
+    @app.before_request
+    def _check_ip():
+        if not request.path.startswith('/api/'):
+            return None
+        client_ip = request.remote_addr or ''
+        try:
+            addr = ipaddress.ip_address(client_ip)
+            if not any(addr in net for net in networks):
+                return jsonify({'error': 'Access denied: your IP is not allowed'}), 403
+        except ValueError:
+            return jsonify({'error': 'Access denied: invalid client IP'}), 403
+        return None
+
+
+def _sweep_stuck_runs(app: Flask) -> None:
+    """Mark any pipeline runs left in 'running' state as failed (interrupted by restart)."""
+    try:
+        from datetime import datetime
+
+        from flowforge.db.models import PipelineRun
+        stuck = db.session.query(PipelineRun).filter_by(status='running').all()
+        if not stuck:
+            return
+        for run in stuck:
+            run.status = 'failed'
+            run.error_message = 'Run interrupted by server restart'
+            if not run.finished_at:
+                run.finished_at = datetime.now(UTC)
+        db.session.commit()
+        app.logger.warning('Swept %d stuck pipeline run(s) left from previous session.', len(stuck))
+    except Exception:
+        pass  # Migrations not yet applied or DB unreachable — skip silently
+
+
+def _register_blueprints(app: Flask) -> None:
+    from flowforge.api.routes.ai import bp as ai_bp
+    from flowforge.api.routes.audit import bp as audit_bp
+    from flowforge.api.routes.auth import bp as auth_bp
+    from flowforge.api.routes.bulk_loads import bp as bulk_loads_bp
+    from flowforge.api.routes.connections import bp as connections_bp
+    from flowforge.api.routes.emails import bp as emails_bp
+    from flowforge.api.routes.metrics import bp as metrics_bp
+    from flowforge.api.routes.mfa import bp as mfa_bp
+    from flowforge.api.routes.password_reset import bp as password_reset_bp
+    from flowforge.api.routes.pipelines import bp as pipelines_bp
+    from flowforge.api.routes.projects import bp as projects_bp
+    from flowforge.api.routes.providers import bp as providers_bp
+    from flowforge.api.routes.recipients import bp as recipients_bp
+    from flowforge.api.routes.reports import bp as reports_bp
+    from flowforge.api.routes.runs import bp as runs_bp
+    from flowforge.api.routes.setup import bp as setup_bp
+    from flowforge.api.routes.sso import bp as sso_bp
+    from flowforge.api.routes.steps import bp as steps_bp
+    from flowforge.api.routes.users import bp as users_bp
+
+    for blueprint in (
+        ai_bp, audit_bp, auth_bp, bulk_loads_bp, connections_bp, emails_bp, metrics_bp,
+        mfa_bp, password_reset_bp, pipelines_bp, projects_bp, providers_bp, recipients_bp,
+        reports_bp, runs_bp, setup_bp, sso_bp, steps_bp, users_bp,
+    ):
+        app.register_blueprint(blueprint, url_prefix='/api')
+
+    @app.get('/api/health')
+    def health():
+        return jsonify({'status': 'ok'})
+
+    @app.get('/api/docs/<path:filename>')
+    def serve_doc(filename):
+        if not _DOCS.is_dir():
+            return jsonify({'error': 'Docs not found'}), 404
+        file_path = (_DOCS / filename).resolve()
+        if not str(file_path).startswith(str(_DOCS.resolve())):
+            return jsonify({'error': _NOT_FOUND}), 404
+        if not file_path.is_file():
+            return jsonify({'error': _NOT_FOUND}), 404
+        return send_from_directory(_DOCS, filename, mimetype='text/plain; charset=utf-8')
+
+    if _DIST.is_dir():
+        @app.get('/', defaults={'path': ''})
+        @app.get('/<path:path>')
+        def serve_spa(path):
+            file_path = _DIST / path
+            if path and file_path.is_file():
+                return send_from_directory(_DIST, path)
+            return send_from_directory(_DIST, 'index.html')
+
+
+def _register_error_handlers(app: Flask) -> None:
+    @app.errorhandler(429)
+    def rate_limited(e):
+        return jsonify({'error': 'Too many login attempts. Try again in a minute.'}), 429
+
+    @app.errorhandler(400)
+    def bad_request(e):
+        return jsonify({'error': str(e)}), 400
+
+    @app.errorhandler(401)
+    def unauthorized(e):
+        return jsonify({'error': 'Unauthorized'}), 401
+
+    @app.errorhandler(403)
+    def forbidden(e):
+        return jsonify({'error': 'Forbidden'}), 403
+
+    @app.errorhandler(404)
+    def not_found(e):
+        return jsonify({'error': _NOT_FOUND}), 404
+
+    @app.errorhandler(500)
+    def server_error(e):
+        return jsonify({'error': 'Internal server error'}), 500

flowforge/api/auth.py

@@ -0,0 +1,153 @@
+"""JWT authentication — single-user v1 / multi-user v2 with optional MFA."""
+import uuid as _uuid_mod
+from datetime import UTC, datetime, timedelta
+from functools import wraps
+
+import bcrypt
+import jwt
+from flask import current_app, g, jsonify, request
+
+from flowforge.db.models import TokenBlocklist, User, db
+
+
+def _algorithm() -> str:
+    return current_app.config.get('JWT_ALGORITHM', 'HS256')
+
+
+def _secret() -> str:
+    # SEC-2: use JWT_SECRET (separate from the AES encryption key)
+    return current_app.config.get('JWT_SECRET') or current_app.config['SECRET_KEY']
+
+
+def _expiry_hours() -> int:
+    return current_app.config.get('JWT_EXPIRY_HOURS', 24)
+
+
+def generate_token(user: User) -> str:
+    payload = {
+        'sub': user.username,
+        'uid': user.id,
+        'role': user.role,
+        'jti': str(_uuid_mod.uuid4()),
+        'iat': datetime.now(UTC),
+        'exp': datetime.now(UTC) + timedelta(hours=_expiry_hours()),
+    }
+    return jwt.encode(payload, _secret(), algorithm=_algorithm())
+
+
+def generate_mfa_token(user: User) -> str:
+    """Short-lived (5 min) challenge token issued when password is correct but MFA pending."""
+    payload = {
+        'sub': user.username,
+        'uid': user.id,
+        'role': user.role,
+        'jti': str(_uuid_mod.uuid4()),
+        'mfa_step': True,
+        'iat': datetime.now(UTC),
+        'exp': datetime.now(UTC) + timedelta(minutes=5),
+    }
+    return jwt.encode(payload, _secret(), algorithm=_algorithm())
+
+
+def verify_mfa_token(token: str) -> dict | None:
+    """Verify a MFA challenge token. Returns payload if valid and un-revoked, else None."""
+    try:
+        payload = jwt.decode(token, _secret(), algorithms=[_algorithm()])
+        if not payload.get('mfa_step'):
+            return None
+        jti = payload.get('jti')
+        if jti and db.session.get(TokenBlocklist, jti) is not None:
+            return None
+        return payload
+    except jwt.PyJWTError:
+        return None
+
+
+def verify_token(token: str) -> dict | None:
+    """Return the payload if the token is valid and not revoked, else None."""
+    try:
+        payload = jwt.decode(token, _secret(), algorithms=[_algorithm()])
+        # Reject MFA challenge tokens from being used as full session tokens.
+        if payload.get('mfa_step'):
+            return None
+        jti = payload.get('jti')
+        if jti and db.session.get(TokenBlocklist, jti) is not None:
+            return None
+        return payload
+    except jwt.PyJWTError:
+        return None
+
+
+def revoke_token(token: str) -> str | None:
+    """Add the token's jti to the blocklist. Returns the username on success, None if invalid.
+
+    Tokens issued before jti was added (no jti claim) are not blocklisted — the client
+    must still clear its local storage; the token will expire naturally within 24h.
+    """
+    try:
+        payload = jwt.decode(token, _secret(), algorithms=[_algorithm()])
+    except jwt.PyJWTError:
+        return None
+    jti = payload.get('jti')
+    exp = payload.get('exp')
+    if jti:
+        expires_at = datetime.fromtimestamp(exp, tz=UTC) if exp else datetime.now(UTC)
+        db.session.merge(TokenBlocklist(jti=jti, expires_at=expires_at))
+        db.session.commit()
+    return payload.get('sub')
+
+
+def login(username: str, password: str) -> 'str | dict | None':
+    """Verify credentials.
+
+    Returns:
+        str  — full JWT (MFA not enabled or not configured)
+        dict — {'mfa_required': True, 'mfa_token': '...'} when MFA is enabled
+        None — invalid credentials
+    """
+    user = db.session.query(User).filter_by(username=username).first()
+    if not user:
+        return None
+    if not bcrypt.checkpw(password.encode(), user.password_hash.encode()):
+        return None
+    if user.mfa_enabled:
+        return {'mfa_required': True, 'mfa_token': generate_mfa_token(user)}
+    return generate_token(user)
+
+
+def require_auth(f):
+    """Decorator: require a valid Bearer JWT in the Authorization header.
+    Stores the user payload in flask.g.user_token.
+    """
+    @wraps(f)
+    def wrapper(*args, **kwargs):
+        header = request.headers.get('Authorization', '')
+        if not header.startswith('Bearer '):
+            return jsonify({'error': 'Missing or invalid Authorization header'}), 401
+        token = header[len('Bearer '):]
+        payload = verify_token(token)
+        if not payload:
+            return jsonify({'error': 'Invalid or expired token'}), 401
+        g.user_token = payload
+        g.current_user_id = payload.get('uid')
+        return f(*args, **kwargs)
+    return wrapper
+
+
+def require_role(roles: str | list[str]):
+    """Decorator: require the user to have one of the specified roles."""
+    if isinstance(roles, str):
+        roles = [roles]
+
+    def decorator(f):
+        @wraps(f)
+        @require_auth
+        def wrapper(*args, **kwargs):
+            user_role = g.user_token.get('role', 'viewer')
+            if 'admin' == user_role:  # admins can do everything
+                return f(*args, **kwargs)
+            if user_role not in roles:
+                return jsonify({'error': f'Access denied: required role in {roles}'}), 403
+            return f(*args, **kwargs)
+        return wrapper
+    return decorator