iatoolkit 0.56.0__tar.gz → 0.57.0__tar.gz

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iatoolkit
-Version: 0.56.0
+Version: 0.57.0
 Summary: IAToolkit
 Author: Fernando Libedinsky
 License-Expression: MIT

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "iatoolkit"
-version = "0.56.0"
+version = "0.57.0"
 requires-python = ">=3.12"
 description = "IAToolkit"
 readme = "readme.md"

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/src/iatoolkit/iatoolkit.py

@@ -19,7 +19,7 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 from injector import Binder, singleton, Injector
 from importlib.metadata import version as _pkg_version, PackageNotFoundError
 
-IATOOLKIT_VERSION = "0.56.0"
+IATOOLKIT_VERSION = "0.57.0"
 
 # global variable for the unique instance of IAToolkit
 _iatoolkit_instance: Optional['IAToolkit'] = None

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/src/iatoolkit/repositories/models.py

@@ -3,9 +3,10 @@
 #
 # IAToolkit is open source software.
 
-from sqlalchemy import Column, Integer, String, DateTime, Enum, Text, JSON, Boolean, ForeignKey, Table
+from sqlalchemy import Column, Integer, BigInteger, String, DateTime, Enum, Text, JSON, Boolean, ForeignKey, Table
 from sqlalchemy.orm import DeclarativeBase
 from sqlalchemy.orm import relationship, class_mapper, declarative_base
+from sqlalchemy.sql import func
 from datetime import datetime
 from pgvector.sqlalchemy import Vector
 from enum import Enum as PyEnum
@@ -307,3 +308,27 @@ class Prompt(Base):
 
     company = relationship("Company", back_populates="prompts")
     category = relationship("PromptCategory", back_populates="prompts")
+
+class AccessLog(Base):
+    # Modelo ORM para registrar cada intento de acceso a la plataforma.
+    __tablename__ = 'iat_access_log'
+
+    id = Column(BigInteger, primary_key=True)
+
+    timestamp = Column(DateTime(timezone=True), server_default=func.now(), nullable=False, index=True)
+    company_short_name = Column(String(100), nullable=False, index=True)
+    user_identifier = Column(String(255), index=True)
+
+    # Cómo y el Resultado
+    auth_type = Column(String(20), nullable=False) # 'local', 'external_api', 'redeem_token', etc.
+    outcome = Column(String(10), nullable=False)   # 'success' o 'failure'
+    reason_code = Column(String(50))               # Causa de fallo, ej: 'INVALID_CREDENTIALS'
+
+    # Contexto de la Petición
+    source_ip = Column(String(45), nullable=False)
+    user_agent_hash = Column(String(16))           # Hash corto del User-Agent
+    request_path = Column(String(255), nullable=False)
+
+    def __repr__(self):
+        return (f"<AccessLog(id={self.id}, company='{self.company_short_name}', "
+                f"user='{self.user_identifier}', outcome='{self.outcome}')>")

iatoolkit-0.57.0/src/iatoolkit/services/auth_service.py

@@ -0,0 +1,181 @@
+# Copyright (c) 2024 Fernando Libedinsky
+# Product: IAToolkit
+#
+# IAToolkit is open source software.
+
+from flask import request
+from injector import inject
+from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.jwt_service import JWTService
+from iatoolkit.repositories.database_manager import DatabaseManager
+from iatoolkit.repositories.models import AccessLog
+from flask import request
+import logging
+import hashlib
+
+
+class AuthService:
+    """
+    Centralized service for handling authentication for all incoming requests.
+    It determines the user's identity based on either a Flask session cookie or an API Key.
+    """
+
+    @inject
+    def __init__(self, profile_service: ProfileService,
+                 jwt_service: JWTService,
+                 db_manager: DatabaseManager
+                 ):
+        self.profile_service = profile_service
+        self.jwt_service = jwt_service
+        self.db_manager = db_manager
+
+    def login_local_user(self, company_short_name: str, email: str, password: str) -> dict:
+        # try to autenticate a local user, register the event and return the result
+        auth_response = self.profile_service.login(
+            company_short_name=company_short_name,
+            email=email,
+            password=password
+        )
+
+        if not auth_response.get('success'):
+            self.log_access(
+                company_short_name=company_short_name,
+                user_identifier=email,
+                auth_type='local',
+                outcome='failure',
+                reason_code='INVALID_CREDENTIALS',
+            )
+        else:
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='local',
+                outcome='success',
+                user_identifier=auth_response.get('user_identifier')
+            )
+
+        return auth_response
+
+    def redeem_token_for_session(self, company_short_name: str, token: str) -> dict:
+        # redeem a token for a session, register the event and return the result
+        payload = self.jwt_service.validate_chat_jwt(token)
+
+        if not payload:
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='failure',
+                reason_code='JWT_INVALID'
+            )
+            return {'success': False, 'error': 'Token inválido o expirado'}
+
+        # 2. if token is valid, extract the user_identifier
+        user_identifier = payload.get('user_identifier')
+        try:
+            # create the Flask session
+            self.profile_service.set_session_for_user(company_short_name, user_identifier)
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='success',
+                user_identifier=user_identifier
+            )
+            return {'success': True, 'user_identifier': user_identifier}
+        except Exception as e:
+            logging.error(f"Error al crear la sesión desde token para {user_identifier}: {e}")
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='failure',
+                reason_code='SESSION_CREATION_FAILED',
+                user_identifier=user_identifier
+            )
+            return {'success': False, 'error': 'No se pudo crear la sesión del usuario'}
+
+    def verify(self) -> dict:
+        """
+        Verifies the current request and identifies the user.
+
+        Returns a dictionary with:
+        - success: bool
+        - user_identifier: str (if successful)
+        - company_short_name: str (if successful)
+        - error_message: str (on failure)
+        - status_code: int (on failure)
+        """
+        # --- Priority 1: Check for a valid Flask web session ---
+        session_info = self.profile_service.get_current_session_info()
+        if session_info and session_info.get('user_identifier'):
+            # User is authenticated via a web session cookie.
+            return {
+                "success": True,
+                "company_short_name": session_info['company_short_name'],
+                "user_identifier": session_info['user_identifier']
+            }
+
+        # --- Priority 2: Check for a valid API Key in headers ---
+        api_key = None
+        auth = request.headers.get('Authorization', '')
+        if isinstance(auth, str) and auth.lower().startswith('bearer '):
+            api_key =  auth.split(' ', 1)[1].strip()
+
+        if api_key:
+            api_key_entry = self.profile_service.get_active_api_key_entry(api_key)
+            if not api_key_entry:
+                logging.info(f"Invalid or inactive API Key {api_key}")
+                return {"success": False, "error": "Invalid or inactive API Key", "status_code": 401}
+
+            # obtain the company from the api_key_entry
+            company = api_key_entry.company
+
+            # For API calls, the external_user_id must be provided in the request.
+            user_identifier = ''
+            if request.is_json:
+                data = request.get_json() or {}
+                user_identifier = data.get('user_identifier', '')
+
+            return {
+                "success": True,
+                "company_short_name": company.short_name,
+                "user_identifier": user_identifier
+            }
+
+        # --- Failure: No valid credentials found ---
+        logging.info(f"Authentication required. No session cookie or API Key provided.")
+        return {"success": False, "error": "Authentication required. No session cookie or API Key provided.",
+                "status_code": 402}
+
+    def log_access(self,
+                   company_short_name: str,
+                   auth_type: str,
+                   outcome: str,
+                   user_identifier: str = None,
+                   reason_code: str = None):
+        """
+        Registra un intento de acceso en la base de datos.
+        Es "best-effort" y no debe interrumpir el flujo de autenticación.
+        """
+        session = self.db_manager.scoped_session()
+        try:
+            # Capturar datos del contexto de la petición de Flask
+            source_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
+            path = request.path
+            ua = request.headers.get('User-Agent', '')
+            ua_hash = hashlib.sha256(ua.encode()).hexdigest()[:16] if ua else None
+
+            # Crear la entrada de log
+            log_entry = AccessLog(
+                company_short_name=company_short_name,
+                user_identifier=user_identifier,
+                auth_type=auth_type,
+                outcome=outcome,
+                reason_code=reason_code,
+                source_ip=source_ip,
+                user_agent_hash=ua_hash,
+                request_path=path,
+            )
+            session.add(log_entry)
+            session.commit()
+
+        except Exception as e:
+            logging.error(f"Fallo al escribir en AccessLog: {e}", exc_info=False)
+            session.rollback()

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/src/iatoolkit/views/base_login_view.py

@@ -8,6 +8,7 @@ from flask.views import MethodView
 from flask import render_template, url_for
 from injector import inject
 from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.auth_service import AuthService
 from iatoolkit.services.query_service import QueryService
 from iatoolkit.services.branding_service import BrandingService
 from iatoolkit.services.onboarding_service import OnboardingService
@@ -23,6 +24,7 @@ class BaseLoginView(MethodView):
     @inject
     def __init__(self,
                  profile_service: ProfileService,
+                 auth_service: AuthService,
                  jwt_service: JWTService,
                  branding_service: BrandingService,
                  prompt_service: PromptService,
@@ -30,6 +32,7 @@ class BaseLoginView(MethodView):
                  query_service: QueryService
                  ):
         self.profile_service = profile_service
+        self.auth_service = auth_service
         self.jwt_service = jwt_service
         self.branding_service = branding_service
         self.prompt_service = prompt_service

iatoolkit-0.57.0/src/iatoolkit/views/external_login_view.py

@@ -0,0 +1,67 @@
+# Copyright (c) 2024 Fernando Libedinsky
+# Product: IAToolkit
+#
+# IAToolkit is open source software.
+
+import os
+import logging
+from flask import request, jsonify
+from injector import inject
+from iatoolkit.views.base_login_view import BaseLoginView
+
+# Importar los servicios que necesita la clase base
+from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.jwt_service import JWTService
+
+class ExternalLoginView(BaseLoginView):
+    """
+    Handles login for external users via API.
+    Authenticates and then delegates the path decision (fast/slow) to the base class.
+    """
+    def post(self, company_short_name: str):
+        data = request.get_json()
+        if not data or 'user_identifier' not in data:
+            return jsonify({"error": "Falta user_identifier"}), 400
+
+        company = self.profile_service.get_company_by_short_name(company_short_name)
+        if not company:
+            return jsonify({"error": "Empresa no encontrada"}), 404
+
+        user_identifier = data.get('user_identifier')
+        if not user_identifier:
+            return jsonify({"error": "missing user_identifier"}), 404
+
+        # 1. Authenticate the API call.
+        auth_response = self.auth_service.verify()
+        if not auth_response.get("success"):
+            return jsonify(auth_response), 401
+
+        # 2. Create the external user session.
+        self.profile_service.create_external_user_session(company, user_identifier)
+
+        # 3. Delegate the path decision to the centralized logic.
+        try:
+            return self._handle_login_path(company_short_name, user_identifier, company)
+        except Exception as e:
+            logging.exception(f"Error processing external login path for {company_short_name}/{user_identifier}: {e}")
+            return jsonify({"error": f"Internal server error while starting chat. {str(e)}"}), 500
+
+
+class RedeemTokenApiView(BaseLoginView):
+    # this endpoint is only used ONLY by chat_main.js to redeem a chat token
+    def post(self, company_short_name: str):
+        data = request.get_json()
+        if not data or 'token' not in data:
+            return jsonify({"error": "Falta token de validación"}), 400
+
+        # get the token and validate with auth service
+        token = data.get('token')
+        redeem_result = self.auth_service.redeem_token_for_session(
+            company_short_name=company_short_name,
+            token=token
+        )
+
+        if not redeem_result['success']:
+            return {"error": redeem_result['error']}, 401
+
+        return {"status": "ok"}, 200

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/src/iatoolkit/views/login_view.py

@@ -7,6 +7,7 @@ from flask.views import MethodView
 from flask import request, redirect, render_template, url_for
 from injector import inject
 from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.auth_service import AuthService
 from iatoolkit.services.jwt_service import JWTService
 from iatoolkit.services.query_service import QueryService
 from iatoolkit.services.prompt_manager_service import PromptService
@@ -21,7 +22,6 @@ class LoginView(BaseLoginView):
     Handles login for local users.
     Authenticates and then delegates the path decision (fast/slow) to the base class.
     """
-
     def post(self, company_short_name: str):
         company = self.profile_service.get_company_by_short_name(company_short_name)
         if not company:
@@ -30,8 +30,8 @@ class LoginView(BaseLoginView):
         email = request.form.get('email')
         password = request.form.get('password')
 
-        # 1. Authenticate user and create the session for internal user
-        auth_response = self.profile_service.login(
+        # 1. Authenticate internal user
+        auth_response = self.auth_service.login_local_user(
             company_short_name=company_short_name,
             email=email,
             password=password
@@ -67,6 +67,7 @@ class FinalizeContextView(MethodView):
     @inject
     def __init__(self,
                  profile_service: ProfileService,
+                 auth_service: AuthService,
                  query_service: QueryService,
                  prompt_service: PromptService,
                  branding_service: BrandingService,

{iatoolkit-0.56.0 → iatoolkit-0.57.0}/src/iatoolkit.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iatoolkit
-Version: 0.56.0
+Version: 0.57.0
 Summary: IAToolkit
 Author: Fernando Libedinsky
 License-Expression: MIT

iatoolkit-0.56.0/src/iatoolkit/services/auth_service.py

@@ -1,77 +0,0 @@
-# Copyright (c) 2024 Fernando Libedinsky
-# Product: IAToolkit
-#
-# IAToolkit is open source software.
-
-from flask import request
-from injector import inject
-from iatoolkit.services.profile_service import ProfileService
-from flask import request
-import logging
-
-
-class AuthService:
-    """
-    Centralized service for handling authentication for all incoming requests.
-    It determines the user's identity based on either a Flask session cookie or an API Key.
-    """
-
-    @inject
-    def __init__(self, profile_service: ProfileService):
-        """
-        Injects ProfileService to access session information and validate API keys.
-        """
-        self.profile_service = profile_service
-
-    def verify(self) -> dict:
-        """
-        Verifies the current request and identifies the user.
-
-        Returns a dictionary with:
-        - success: bool
-        - user_identifier: str (if successful)
-        - company_short_name: str (if successful)
-        - error_message: str (on failure)
-        - status_code: int (on failure)
-        """
-        # --- Priority 1: Check for a valid Flask web session ---
-        session_info = self.profile_service.get_current_session_info()
-        if session_info and session_info.get('user_identifier'):
-            # User is authenticated via a web session cookie.
-            return {
-                "success": True,
-                "company_short_name": session_info['company_short_name'],
-                "user_identifier": session_info['user_identifier']
-            }
-
-        # --- Priority 2: Check for a valid API Key in headers ---
-        api_key = None
-        auth = request.headers.get('Authorization', '')
-        if isinstance(auth, str) and auth.lower().startswith('bearer '):
-            api_key =  auth.split(' ', 1)[1].strip()
-
-        if api_key:
-            api_key_entry = self.profile_service.get_active_api_key_entry(api_key)
-            if not api_key_entry:
-                logging.info(f"Invalid or inactive API Key {api_key}")
-                return {"success": False, "error": "Invalid or inactive API Key", "status_code": 401}
-
-            # obtain the company from the api_key_entry
-            company = api_key_entry.company
-
-            # For API calls, the external_user_id must be provided in the request.
-            user_identifier = ''
-            if request.is_json:
-                data = request.get_json() or {}
-                user_identifier = data.get('user_identifier', '')
-
-            return {
-                "success": True,
-                "company_short_name": company.short_name,
-                "user_identifier": user_identifier
-            }
-
-        # --- Failure: No valid credentials found ---
-        logging.info(f"Authentication required. No session cookie or API Key provided.")
-        return {"success": False, "error": "Authentication required. No session cookie or API Key provided.",
-                "status_code": 402}

iatoolkit-0.56.0/src/iatoolkit/views/external_login_view.py

@@ -1,110 +0,0 @@
-# Copyright (c) 2024 Fernando Libedinsky
-# Product: IAToolkit
-#
-# IAToolkit is open source software.
-
-import os
-import logging
-from flask import request, jsonify
-from flask.views import MethodView
-from injector import inject
-from iatoolkit.services.auth_service import AuthService
-from iatoolkit.views.base_login_view import BaseLoginView
-
-# Importar los servicios que necesita la clase base
-from iatoolkit.services.profile_service import ProfileService
-from iatoolkit.services.jwt_service import JWTService
-from iatoolkit.services.branding_service import BrandingService
-from iatoolkit.services.onboarding_service import OnboardingService
-from iatoolkit.services.query_service import QueryService
-from iatoolkit.services.prompt_manager_service import PromptService
-
-class ExternalLoginView(BaseLoginView):
-    """
-    Handles login for external users via API.
-    Authenticates and then delegates the path decision (fast/slow) to the base class.
-    """
-    @inject
-    def __init__(self,
-                 iauthentication: AuthService,
-                 jwt_service: JWTService,
-                 profile_service: ProfileService,
-                 branding_service: BrandingService,
-                 prompt_service: PromptService,
-                 onboarding_service: OnboardingService,
-                 query_service: QueryService):
-        # Pass the dependencies for the base class to its __init__
-        super().__init__(
-            profile_service=profile_service,
-            jwt_service=jwt_service,
-            branding_service=branding_service,
-            onboarding_service=onboarding_service,
-            query_service=query_service,
-            prompt_service=prompt_service,
-        )
-        # Handle the dependency specific to this child class
-        self.iauthentication = iauthentication
-
-    def post(self, company_short_name: str):
-        data = request.get_json()
-        if not data or 'user_identifier' not in data:
-            return jsonify({"error": "Falta user_identifier"}), 400
-
-        company = self.profile_service.get_company_by_short_name(company_short_name)
-        if not company:
-            return jsonify({"error": "Empresa no encontrada"}), 404
-
-        user_identifier = data.get('user_identifier')
-        if not user_identifier:
-            return jsonify({"error": "missing user_identifier"}), 404
-
-        # 1. Authenticate the API call.
-        iaut = self.iauthentication.verify()
-        if not iaut.get("success"):
-            return jsonify(iaut), 401
-
-        # 2. Create the external user session.
-        self.profile_service.create_external_user_session(company, user_identifier)
-
-        # 3. Delegate the path decision to the centralized logic.
-        try:
-            return self._handle_login_path(company_short_name, user_identifier, company)
-        except Exception as e:
-            logging.exception(f"Error processing external login path for {company_short_name}/{user_identifier}: {e}")
-            return jsonify({"error": f"Internal server error while starting chat. {str(e)}"}), 500
-
-
-class RedeemTokenApiView(MethodView):
-    # this endpoint is only used ONLY by chat_main.js to redeem a chat token
-    @inject
-    def __init__(self,
-                 profile_service: ProfileService,
-                 jwt_service: JWTService):
-        self.profile_service = profile_service
-        self.jwt_service = jwt_service
-
-    def post(self, company_short_name: str):
-        data = request.get_json()
-        if not data or 'token' not in data:
-            return jsonify({"error": "Falta token de validación"}), 400
-
-        # 1. validate the token
-        token = data.get('token')
-        payload = self.jwt_service.validate_chat_jwt(token)
-        if not payload:
-            logging.warning("Intento de canjear un token inválido o expirado.")
-            return {"error": "Token inválido o expirado."}, 401
-
-        # 2. if token is valid, extract the user_identifier
-        user_identifier = payload.get('user_identifier')
-
-        try:
-            # 3. create the Flask session
-            self.profile_service.set_session_for_user(company_short_name, user_identifier)
-            logging.info(f"Token de sesión canjeado exitosamente para {user_identifier}.")
-
-            return {"status": "ok"}, 200
-
-        except Exception as e:
-            logging.error(f"Error al crear la sesión desde token para {user_identifier}: {e}")
-            return {"error": "No se pudo crear la sesión del usuario."}, 500