paskia 0.8.1__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia/fastapi/api.py

@@ -1,6 +1,6 @@
 import logging
 from contextlib import suppress
-from datetime import datetime, timedelta, timezone
+from datetime import UTC, datetime, timedelta
 
 from fastapi import (
     Depends,
@@ -14,20 +14,16 @@ from fastapi.responses import JSONResponse
 from fastapi.security import HTTPBearer
 
 from paskia import db
-from paskia.authsession import (
-    EXPIRES,
-    get_reset,
-    get_session,
-    refresh_session_token,
-)
+from paskia.authsession import EXPIRES, expires, get_reset
 from paskia.fastapi import authz, session, user
+from paskia.fastapi.response import MsgspecResponse
 from paskia.fastapi.session import AUTH_COOKIE, AUTH_COOKIE_NAME
 from paskia.globals import passkey as global_passkey
 from paskia.util import hostutil, htmlutil, passphrase, userinfo, vitedev
 
 bearer_auth = HTTPBearer(auto_error=True)
 
-app = FastAPI()
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 
 app.mount("/user", user.app)
 
@@ -78,12 +74,7 @@ async def validate_token(
     max_age: str | None = Query(None),
     auth=AUTH_COOKIE,
 ):
-    """Validate the current session and extend its expiry.
-
-    Always refreshes the session (sliding expiration) and re-sets the cookie with a
-    renewed max-age. This keeps active users logged in without needing a separate
-    refresh endpoint.
-    """
+    """Validate session and return context. Refreshes session expiry."""
     try:
         ctx = await authz.verify(
             auth,
@@ -96,26 +87,23 @@ async def validate_token(
         raise
     renewed = False
     if auth:
-        consumed = EXPIRES - (ctx.session.expiry - datetime.now(timezone.utc))
+        consumed = EXPIRES - (ctx.session.expiry - datetime.now(UTC))
         if not timedelta(0) < consumed < _REFRESH_INTERVAL:
-            try:
-                await refresh_session_token(
-                    auth,
-                    ip=request.client.host if request.client else "",
-                    user_agent=request.headers.get("user-agent") or "",
-                )
-                session.set_session_cookie(response, auth)
-                renewed = True
-            except ValueError:
-                # Session disappeared, e.g. due to concurrent logout; global handler will clear
-                raise authz.AuthException(
-                    status_code=401, detail="Session expired", mode="login"
-                )
-    return {
-        "valid": True,
-        "user_uuid": str(ctx.session.user_uuid),
-        "renewed": renewed,
-    }
+            db.update_session(
+                auth,
+                ip=request.client.host if request.client else "",
+                user_agent=request.headers.get("user-agent") or "",
+                expiry=expires(),
+            )
+            session.set_session_cookie(response, auth)
+            renewed = True
+    return MsgspecResponse(
+        {
+            "valid": True,
+            "renewed": renewed,
+            "ctx": userinfo.build_session_context(ctx),
+        }
+    )
 
 
 @app.get("/forward")
@@ -144,9 +132,10 @@ async def forward_authentication(
         ctx = await authz.verify(
             auth, perm, host=request.headers.get("host"), max_age=max_age
         )
-        role_permissions = set(ctx.role.permissions or [])
-        if ctx.permissions:
-            role_permissions.update(permission.scope for permission in ctx.permissions)
+        # Build permission scopes for Remote-Groups header
+        role_permissions = (
+            {p.scope for p in ctx.permissions} if ctx.permissions else set()
+        )
 
         remote_headers: dict[str, str] = {
             "Remote-User": str(ctx.user.uuid),
@@ -157,15 +146,13 @@ async def forward_authentication(
             "Remote-Role": str(ctx.role.uuid),
             "Remote-Role-Name": ctx.role.display_name,
             "Remote-Session-Expires": (
-                ctx.session.expiry.astimezone(timezone.utc)
-                .isoformat()
-                .replace("+00:00", "Z")
+                ctx.session.expiry.astimezone(UTC).isoformat().replace("+00:00", "Z")
                 if ctx.session.expiry.tzinfo
-                else ctx.session.expiry.replace(tzinfo=timezone.utc)
+                else ctx.session.expiry.replace(tzinfo=UTC)
                 .isoformat()
                 .replace("+00:00", "Z")
             ),
-            "Remote-Credential": str(ctx.session.credential_uuid),
+            "Remote-Credential": str(ctx.session.credential),
         }
         return Response(status_code=204, headers=remote_headers)
     except authz.AuthException as e:
@@ -207,92 +194,61 @@ async def get_settings():
     }
 
 
-@app.get("/token-info")
-async def api_token_info(token: str):
-    """Get information about a reset token.
-
-    Returns:
-        - type: "reset"
-        - user_name: display name of the user
-        - token_type: type of reset token
-    """
-    if not passphrase.is_well_formed(token):
-        raise HTTPException(status_code=404, detail="Invalid token")
-
-    # Check if this is a reset token
-    try:
-        reset_token = await get_reset(token)
-        user = db.get_user_by_uuid(reset_token.user_uuid)
-        return {
-            "type": "reset",
-            "user_name": user.display_name,
-            "token_type": reset_token.token_type,
-        }
-    except (ValueError, Exception):
-        raise HTTPException(status_code=404, detail="Token not found or expired")
-
-
 @app.post("/user-info")
 async def api_user_info(
     request: Request,
     response: Response,
-    reset: str | None = None,
     auth=AUTH_COOKIE,
 ):
-    """Get user information including credentials, sessions, and permissions.
+    """Get full user profile including credentials and sessions."""
+    if auth is None:
+        raise authz.AuthException(
+            status_code=401,
+            detail="Authentication required",
+            mode="login",
+        )
+    ctx = db.data().session_ctx(auth, request.headers.get("host"))
+    if not ctx:
+        raise HTTPException(401, "Session expired")
+
+    return MsgspecResponse(
+        await userinfo.build_user_info(
+            user_uuid=ctx.user.uuid,
+            auth=auth,
+            session_record=ctx.session,
+            request_host=request.headers.get("host"),
+        )
+    )
 
-    Can be called with either:
-    - A session cookie (auth) for authenticated users
-    - A reset token for users in password reset flow
-    """
-    authenticated = False
-    session_record = None
-    reset_token = None
+
+@app.get("/token-info")
+async def token_info(credentials=Depends(bearer_auth)):
+    """Get reset/device-add token info. Pass token via Bearer header."""
+    token = credentials.credentials
+    if not passphrase.is_well_formed(token):
+        raise HTTPException(400, "Invalid token format")
     try:
-        if reset:
-            if not passphrase.is_well_formed(reset):
-                raise ValueError("Invalid reset token")
-            reset_token = await get_reset(reset)
-            target_user_uuid = reset_token.user_uuid
-        else:
-            if auth is None:
-                raise authz.AuthException(
-                    status_code=401,
-                    detail="Authentication required",
-                    mode="login",
-                )
-            session_record = await get_session(auth, host=request.headers.get("host"))
-            authenticated = True
-            target_user_uuid = session_record.user_uuid
+        reset_token = get_reset(token)
     except ValueError as e:
         raise HTTPException(401, str(e))
 
-    # Return minimal response for reset tokens
-    if not authenticated and reset_token:
-        return await userinfo.format_reset_user_info(target_user_uuid, reset_token)
-
-    # Return full user info for authenticated users
-    assert auth is not None
-    assert session_record is not None
-
-    return await userinfo.format_user_info(
-        user_uuid=target_user_uuid,
-        auth=auth,
-        session_record=session_record,
-        request_host=request.headers.get("host"),
-    )
+    u = reset_token.user
+    return {
+        "token_type": reset_token.token_type,
+        "display_name": u.display_name,
+    }
 
 
 @app.post("/logout")
 async def api_logout(request: Request, response: Response, auth=AUTH_COOKIE):
     if not auth:
         return {"message": "Already logged out"}
-    try:
-        _s = await get_session(auth, host=request.headers.get("host"))
-    except ValueError:
+    host = request.headers.get("host")
+    ctx = db.data().session_ctx(auth, host)
+    if not ctx:
         return {"message": "Already logged out"}
     with suppress(Exception):
-        db.delete_session(auth)
+        db.delete_session(auth, ctx=ctx)
     session.clear_session_cookie(response)
     return {"message": "Logged out successfully"}
 
@@ -301,9 +257,11 @@ async def api_logout(request: Request, response: Response, auth=AUTH_COOKIE):
 async def api_set_session(
     request: Request, response: Response, auth=Depends(bearer_auth)
 ):
-    user = await get_session(auth.credentials, host=request.headers.get("host"))
+    ctx = db.data().session_ctx(auth.credentials, request.headers.get("host"))
+    if not ctx:
+        raise HTTPException(401, "Session expired")
     session.set_session_cookie(response, auth.credentials)
     return {
         "message": "Session cookie set successfully",
-        "user_uuid": str(user.user_uuid),
+        "user": str(ctx.user.uuid),
     }

paskia/fastapi/logging.py

@@ -0,0 +1,218 @@
+"""Custom access logging middleware for FastAPI/Uvicorn."""
+
+import logging
+import sys
+import time
+from ipaddress import IPv6Address
+
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.requests import Request
+from starlette.responses import Response
+
+logger = logging.getLogger("paskia.access")
+
+_RESET = "\033[0m"
+_STATUS_INFO = "\033[32m"  # 1xx (green)
+_STATUS_OK = "\033[92m"  # 2xx (bright green)
+_STATUS_REDIRECT = "\033[32m"  # 3xx (green)
+_STATUS_CLIENT_ERR = "\033[0;31m"  # 4xx (red)
+_STATUS_SERVER_ERR = "\033[1;31m"  # 5xx (bright red)
+_METHOD_READ = "\033[0;34m"  # GET, HEAD, OPTIONS (blue)
+_METHOD_WRITE = "\033[1;34m"  # POST, PUT, DELETE, PATCH (bright blue)
+_HOST = "\033[1;30m"  # hostname (dark grey)
+_PATH = "\033[0m"  # path (default)
+_TIMING = "\033[2m"  # timing (dim)
+_WS_OPEN = "\033[1;33m"  # WebSocket connect (bright yellow)
+_WS_CLOSE = "\033[0;33m"  # WebSocket disconnect (yellow)
+_WS_STATUS = "\033[1;30m"  # WebSocket close status (dark grey)
+
+
+def format_ipv6_network(ip: str) -> str:
+    """Format IPv6 address to show only network part (first 64 bits)."""
+    try:
+        addr = IPv6Address(ip)
+        # Get the integer representation and mask to first 64 bits
+        network_int = int(addr) >> 64
+        # Format as IPv6 with trailing ::
+        # Split into 4 groups of 16 bits
+        groups = []
+        for _ in range(4):
+            groups.insert(0, format(network_int & 0xFFFF, "x"))
+            network_int >>= 16
+        # Compress consecutive zero groups
+        result = ":".join(groups) + "::"
+        # Simplify leading zeros in groups and compress
+        return str(IPv6Address(result + "0"))
+    except Exception:
+        return ip
+
+
+def format_client_ip(ip: str) -> str:
+    """Format client IP, compressing IPv6 to network part only."""
+    if not ip or ip == "-":
+        return "-"
+    if ":" in ip:
+        return format_ipv6_network(ip)
+    return ip
+
+
+def status_color(status: int) -> str:
+    """Return color code based on HTTP status."""
+    if status < 200:
+        return _STATUS_INFO
+    if status < 300:
+        return _STATUS_OK
+    if status < 400:
+        return _STATUS_REDIRECT
+    if status < 500:
+        return _STATUS_CLIENT_ERR
+    return _STATUS_SERVER_ERR
+
+
+def method_color(method: str) -> str:
+    """Return color code based on HTTP method."""
+    if method in ("GET", "HEAD", "OPTIONS"):
+        return _METHOD_READ
+    return _METHOD_WRITE
+
+
+def format_access_log(
+    client: str, status: int, method: str, host: str, path: str, duration_ms: float
+) -> str:
+    """Format access log line with colors and aligned fields."""
+    use_color = sys.stderr.isatty()
+
+    # Format components with fixed widths for alignment
+    ip = format_client_ip(client).ljust(15)  # IPv4 max 15 chars
+    timing = f"{duration_ms:.0f}ms"
+    method_padded = method.ljust(7)  # Longest method is OPTIONS (7)
+
+    if use_color:
+        status_str = f"{status_color(status)}{status}{_RESET}"
+        timing_str = f"{_TIMING}{timing}{_RESET}"
+        method_str = f"{method_color(method)}{method_padded}{_RESET}"
+        host_str = f"{_HOST}{host}{_RESET}"
+        path_str = f"{_PATH}{path}{_RESET}"
+    else:
+        status_str = str(status)
+        timing_str = timing
+        method_str = method_padded
+        host_str = host
+        path_str = path
+
+    # Format: "IP STATUS METHOD host path TIMING"
+    return f"{ip} {status_str} {method_str} {host_str}{path_str} {timing_str}"
+
+
+# WebSocket connection counter (mod 100)
+_ws_counter = 0
+
+
+def _next_ws_id() -> int:
+    """Get next WebSocket connection ID (0-99)."""
+    global _ws_counter
+    ws_id = _ws_counter
+    _ws_counter = (_ws_counter + 1) % 100
+    return ws_id
+
+
+def log_ws_open(client: str, host: str, path: str) -> int:
+    """Log WebSocket connection open. Returns connection ID for use in close."""
+    use_color = sys.stderr.isatty()
+    ws_id = _next_ws_id()
+
+    ip = format_client_ip(client).ljust(15)
+    id_str = f"{ws_id:02d}".ljust(7)  # Align with method field (7 chars)
+
+    if use_color:
+        # 🔌 aligned with status (takes ~2 char width), ID aligned with method
+        prefix = f"🔌  {_WS_OPEN}{id_str}{_RESET}"
+        host_str = f"{_HOST}{host}{_RESET}"
+        path_str = f"{_PATH}{path}{_RESET}"
+    else:
+        prefix = f"WS+ {id_str}"
+        host_str = host
+        path_str = path
+
+    logger.info(f"{ip} {prefix} {host_str}{path_str}")
+    return ws_id
+
+
+# WebSocket close codes to human-readable status
+WS_CLOSE_CODES = {
+    1000: "ok",
+    1001: "going away",
+    1002: "protocol error",
+    1003: "unsupported",
+    1005: "no status",
+    1006: "abnormal",
+    1007: "invalid data",
+    1008: "policy violation",
+    1009: "too large",
+    1010: "extension required",
+    1011: "server error",
+    1012: "restarting",
+    1013: "try again",
+    1014: "bad gateway",
+    1015: "tls error",
+}
+
+
+def log_ws_close(
+    client: str, ws_id: int, close_code: int | None, duration_ms: float
+) -> None:
+    """Log WebSocket connection close with duration and status."""
+    use_color = sys.stderr.isatty()
+
+    ip = format_client_ip(client).ljust(15)
+    id_str = f"{ws_id:02d}".ljust(7)  # Align with method field (7 chars)
+    timing = f"{duration_ms:.0f}ms"
+
+    # Convert close code to status text
+    if close_code is None:
+        status = "closed"
+    else:
+        status = WS_CLOSE_CODES.get(close_code, f"code {close_code}")
+
+    if use_color:
+        # 🔌 aligned with status, ID aligned with method
+        prefix = f"🔌  {_WS_CLOSE}{id_str}{_RESET}"
+        status_str = f"{_WS_STATUS}{status}{_RESET}"
+        timing_str = f"{_TIMING}{timing}{_RESET}"
+    else:
+        prefix = f"WS- {id_str}"
+        status_str = status
+        timing_str = timing
+
+    logger.info(f"{ip} {prefix} {status_str} {timing_str}")
+
+
+class AccessLogMiddleware(BaseHTTPMiddleware):
+    """Middleware that logs HTTP requests with custom format."""
+
+    async def dispatch(self, request: Request, call_next) -> Response:
+        start = time.perf_counter()
+        response = await call_next(request)
+        duration_ms = (time.perf_counter() - start) * 1000
+
+        client = request.client.host if request.client else "-"
+        host = request.headers.get("host", "-")
+        method = request.method
+        path = request.url.path
+        if request.url.query:
+            path = f"{path}?{request.url.query}"
+        status = response.status_code
+
+        line = format_access_log(client, status, method, host, path, duration_ms)
+        logger.info(line)
+
+        return response
+
+
+def configure_access_logging():
+    """Configure the access logger to output to stderr."""
+    handler = logging.StreamHandler(sys.stderr)
+    handler.setFormatter(logging.Formatter("%(message)s"))
+    logger.addHandler(handler)
+    logger.setLevel(logging.INFO)
+    logger.propagate = False

paskia/fastapi/mainapp.py

@@ -1,3 +1,4 @@
+import json
 import logging
 import os
 from contextlib import asynccontextmanager
@@ -7,13 +8,21 @@ from fastapi import FastAPI, HTTPException, Request, Response
 from fastapi.responses import FileResponse, RedirectResponse
 from fastapi_vue import Frontend
 
+from paskia import globals
+from paskia.db import start_background, stop_background
+from paskia.db.logging import configure_db_logging
 from paskia.fastapi import admin, api, auth_host, ws
+from paskia.fastapi.logging import AccessLogMiddleware, configure_access_logging
 from paskia.fastapi.session import AUTH_COOKIE
 from paskia.util import hostutil, passphrase, vitedev
 
+# Configure custom logging
+configure_access_logging()
+configure_db_logging()
+
 # Vue Frontend static files
 frontend = Frontend(
-    Path(__file__).with_name("frontend-build"),
+    Path(__file__).parent.parent / "frontend-build",
     cached=["/auth/assets/"],
 )
 
@@ -30,10 +39,6 @@ async def lifespan(app: FastAPI):  # pragma: no cover - startup path
     so that uvicorn reload / multiprocess workers inherit the settings.
     All keys are guaranteed to exist; values are already normalized by __main__.py.
     """
-    import json
-
-    from paskia import globals
-
     config = json.loads(os.environ["PASKIA_CONFIG"])
 
     try:
@@ -49,16 +54,28 @@ async def lifespan(app: FastAPI):  # pragma: no cover - startup path
         # Re-raise to fail fast
         raise
 
-    # Restore info level logging after startup (suppressed during uvicorn init in dev mode)
+    # Restore uvicorn info logging (suppressed during startup in dev mode)
+    # Keep uvicorn.error at WARNING to suppress WebSocket "connection open/closed" messages
     if frontend.devmode:
         logging.getLogger("uvicorn").setLevel(logging.INFO)
-        logging.getLogger("uvicorn.access").setLevel(logging.INFO)
+    logging.getLogger("uvicorn.error").setLevel(logging.WARNING)
 
     await frontend.load()
+    await start_background()
     yield
+    await stop_background()
 
 
-app = FastAPI(lifespan=lifespan, redirect_slashes=False)
+app = FastAPI(
+    lifespan=lifespan,
+    redirect_slashes=False,
+    docs_url=None,
+    redoc_url=None,
+    openapi_url=None,
+)
+
+# Custom access logging (uvicorn's access_log is disabled)
+app.add_middleware(AccessLogMiddleware)
 
 # Apply redirections to auth-host if configured (deny access to restricted endpoints, remove /auth/)
 app.middleware("http")(auth_host.redirect_middleware)

paskia/fastapi/remote.py

@@ -16,13 +16,14 @@ import base64url
 from fastapi import FastAPI, WebSocket, WebSocketDisconnect
 
 from paskia import db, remoteauth
+from paskia.authsession import expires
 from paskia.fastapi.session import infodict
+from paskia.fastapi.wschat import authenticate_chat
 from paskia.fastapi.wsutil import validate_origin, websocket_error_handler
-from paskia.globals import passkey
-from paskia.util import passphrase, pow
+from paskia.util import hostutil, passphrase, pow, useragent
 
 # Create a FastAPI subapp for remote auth WebSocket endpoints
-app = FastAPI()
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 
 
 @app.websocket("/request")
@@ -179,7 +180,7 @@ async def websocket_remote_auth_request(ws: WebSocket):
                         ):
                             response = {
                                 "status": "authenticated",
-                                "user_uuid": str(result_data["user_uuid"]),
+                                "user": str(result_data["user_uuid"]),
                             }
                             if result_data.get("session_token"):
                                 response["session_token"] = result_data["session_token"]
@@ -268,7 +269,6 @@ async def websocket_remote_auth_permit(ws: WebSocket):
     6. Client sends WebAuthn response
     7. Server sends {status: "success", message: "..."}
     """
-    from paskia.util import useragent
 
     origin = validate_origin(ws)
 
@@ -289,7 +289,6 @@ async def websocket_remote_auth_permit(ws: WebSocket):
     )
 
     request = None
-    webauthn_challenge = None
     explicitly_denied = False
 
     try:
@@ -311,43 +310,21 @@ async def websocket_remote_auth_permit(ws: WebSocket):
 
             # Handle authenticate request (no PoW needed - already validated during lookup)
             if msg.get("authenticate") and request is not None:
-                # Generate authentication options
-                options, webauthn_challenge = passkey.instance.auth_generate_options(
-                    credential_ids=None
-                )
-                await ws.send_json({"optionsJSON": options})
-
-                # Wait for WebAuthn response
-                credential = passkey.instance.auth_parse(await ws.receive_json())
-
-                # Fetch and verify credential
-                try:
-                    stored_cred = db.get_credential_by_id(credential.raw_id)
-                except ValueError:
-                    raise ValueError(
-                        f"This passkey is no longer registered with {passkey.instance.rp_name}"
-                    )
-
-                # Verify the credential
-                passkey.instance.auth_verify(
-                    credential, webauthn_challenge, stored_cred, origin
-                )
+                cred, new_sign_count = await authenticate_chat(ws, origin)
 
                 # Create a session for the REQUESTING device
-                assert stored_cred.uuid is not None
+                assert cred.uuid is not None
 
                 session_token = None
                 reset_token = None
 
                 if request.action == "register":
                     # For registration, create a reset token for device addition
-                    from paskia.authsession import expires
-                    from paskia.util import hostutil
 
                     token_str = passphrase.generate()
                     expiry = expires()
                     db.create_reset_token(
-                        user_uuid=stored_cred.user_uuid,
+                        user_uuid=cred.user_uuid,
                         passphrase=token_str,
                         expiry=expiry,
                         token_type="device addition",
@@ -356,8 +333,9 @@ async def websocket_remote_auth_permit(ws: WebSocket):
                     # Also create a session so the device is logged in
                     normalized_host = hostutil.normalize_host(request.host)
                     session_token = db.login(
-                        user_uuid=stored_cred.user_uuid,
-                        credential=stored_cred,
+                        user_uuid=cred.user_uuid,
+                        credential_uuid=cred.uuid,
+                        sign_count=new_sign_count,
                         host=normalized_host,
                         ip=request.ip,
                         user_agent=request.user_agent,
@@ -365,13 +343,12 @@ async def websocket_remote_auth_permit(ws: WebSocket):
                     )
                 else:
                     # Default login action
-                    from paskia.authsession import expires
-                    from paskia.util import hostutil
 
                     normalized_host = hostutil.normalize_host(request.host)
                     session_token = db.login(
-                        user_uuid=stored_cred.user_uuid,
-                        credential=stored_cred,
+                        user_uuid=cred.user_uuid,
+                        credential_uuid=cred.uuid,
+                        sign_count=new_sign_count,
                         host=normalized_host,
                         ip=request.ip,
                         user_agent=request.user_agent,
@@ -382,8 +359,8 @@ async def websocket_remote_auth_permit(ws: WebSocket):
                 completed = await remoteauth.instance.complete_request(
                     token=request.key,
                     session_token=session_token,
-                    user_uuid=stored_cred.user_uuid,
-                    credential_uuid=stored_cred.uuid,
+                    user_uuid=cred.user_uuid,
+                    credential_uuid=cred.uuid,
                     reset_token=reset_token,
                 )