pycafe-server 0.0.7__py3-none-any.whl

pycafe_server/__about__.py

@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2024-present Maarten A. Breddels <maartenbreddels@gmail.com>
+#
+# SPDX-License-Identifier: MIT
+__version__ = "0.0.7"

pycafe_server/__init__.py

@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: 2024-present Maarten A. Breddels <maartenbreddels@gmail.com>
+#
+# SPDX-License-Identifier: MIT

pycafe_server/asgi.py

@@ -0,0 +1,345 @@
+import json
+import logging
+import os
+from pathlib import Path
+import sys
+import typing
+import subprocess
+
+from starlette.applications import Starlette
+from starlette.staticfiles import StaticFiles
+from starlette.responses import PlainTextResponse, JSONResponse, Response
+from starlette.routing import Route
+from starlette.requests import Request
+from starlette.types import Receive, Scope, Send
+from starlette.responses import RedirectResponse
+from starlette.applications import Starlette
+from starlette.middleware import Middleware
+from .session import SessionMiddleware
+from starlette.middleware.cors import CORSMiddleware
+from starlette.middleware.authentication import AuthenticationMiddleware
+from starlette.middleware import Middleware
+from .uv_util import _run_resolve
+from . import database
+
+import uvicorn
+
+from . import config
+from . import auth
+from . import license
+from . import sign
+
+HERE = Path(__file__).parent
+
+logger = logging.getLogger(__name__)
+trialmode = False
+from .cookie import Cookie
+
+
+session_cookie = Cookie(
+    "pycafe_session",
+    same_site="none",
+    secure=True,
+    secret_key=config.PYCAFE_SESSION_SECRET_KEY,
+)
+middleware = []
+if os.environ.get("ENV", "dev") == "dev":
+    middleware = [
+        Middleware(
+            CORSMiddleware,
+            allow_origins=["localhost"],
+        ),
+    ]
+middleware += [
+    Middleware(
+        SessionMiddleware,
+        cookie=session_cookie,
+    ),
+    Middleware(AuthenticationMiddleware, backend=auth.AuthBackend()),
+]
+app = Starlette(middleware=middleware)
+
+
+static_dir = (HERE / "static").resolve()
+print("static assets in", static_dir)
+
+
+class StaticFilesNextJs(StaticFiles):
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        request = Request(scope, receive=receive)
+        if (
+            config.auth_is_configured()
+            and config.PYCAFE_SERVER_PRE_AUTH
+            and not request.user.is_authenticated
+        ):
+            # redirect to /_login
+            # TODO: url encode etc
+            redirect_uri = str(request.url)
+            url = f"/_login?next_url={redirect_uri}"
+            await RedirectResponse(url)(scope, receive, send)
+        else:
+            await super().__call__(scope, receive, send)
+
+    def lookup_path(
+        self, path: str
+    ) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
+        attempt1 = super().lookup_path(path)
+        if attempt1[1] is not None:
+            return attempt1
+        # a path like /snippet/solara/v1 should be resolved to /snippet/solara/v1.html
+        attempt2 = super().lookup_path(path + ".html")
+        return attempt2
+
+    def file_response(self, *args, **kwargs) -> Response:
+        response = super().file_response(*args, **kwargs)
+        # we don't want to cache html pages, since if we logout, it
+        # should always fetch from the server, instead of using the cache
+        response.headers["cache-control"] = "no-cache"
+        return response
+
+
+async def resolve_uv(request: Request):
+    body = await request.body()
+    args = json.loads(body)
+    requirements = args["requirements"]
+    constraints = args["constraints"]
+    python_version = args["python_version"]
+    overrides = args["overrides"]
+    universal = args["universal"] == "true"
+
+    try:
+        result = _run_resolve(
+            requirements, constraints, overrides, python_version, universal=universal
+        )
+    except subprocess.CalledProcessError as e:
+        print("Failed to resolve", e.stderr)
+        return e.stderr, 500
+    return PlainTextResponse(result, status_code=200)
+
+
+def get_user_id(userinfo):
+    id_field = config.get("PYCAFE_SERVER_USER_ID_FIELD", default="email")
+    if id_field not in userinfo:
+        logger.error(
+            f"no value found in userinfo with key PYCAFE_SERVER_USER_ID_FIELD={id_field}, possible fields are {list(userinfo.keys())}"
+        )
+        return JSONResponse(
+            {
+                "error": "Could not find a field in the auth data to uniquely describe the user, see server logs and configuration"
+            },
+            status_code=500,
+        )
+    return userinfo[id_field]
+
+
+async def logins(request: Request):
+    # only admins can see logins
+
+    if not trialmode:
+        userinfo = auth.get_userinfo(request)
+        if userinfo is None:
+            return JSONResponse({"error": "Not authenticated"}, status_code=401)
+
+        user_id = get_user_id(userinfo)
+        is_admin = user_is_admin(user_id)
+        if not is_admin:
+            return JSONResponse({"error": "Not authorized"}, status_code=403)
+
+    try:
+        logins_db = database.get_logins()
+        logins = [
+            {
+                "user_id": login.user_id,
+                "datetime": login.datetime.isoformat(),
+                "email": login.email,
+                "is_editor": login.is_editor,
+                "is_admin": login.is_admin,
+                # "userinfo": login.userinfo,
+            }
+            for login in logins_db
+        ]
+
+        return JSONResponse({"logins": logins})
+    except Exception:
+        logger.exception("Failed to get logins")
+        return JSONResponse({"error": "Failed to get logins"}, status_code=500)
+
+
+async def info(request: Request):
+    userinfo = auth.get_userinfo(request)
+    # we should reply with the following type from types.ts
+    """
+    export type UserInfo = {
+        user_id: string;
+        full_name: string;
+        username: string;
+        email: string;
+        avatar: string;
+        is_editor: boolean;
+        is_admin: boolean;
+        meta: { maxFileSize: number } | null;
+    };
+    """
+
+    settings = config.get_settings()
+    settings["trialmode"] = trialmode
+    if trialmode:
+        settings["message"] = (
+            "Auth is not configured, please set up auth, running in trial mode"
+        )
+
+    if userinfo is None:
+        # if we do not have auth, we will always show the instance_id
+        if not config.auth_is_configured():
+            settings["instanceId"] = database.instance_id
+        return JSONResponse({"user": None, "settings": settings})
+    else:
+        user_id = get_user_id(userinfo)
+        is_editor = user_is_editor(user_id)
+        is_admin = user_is_admin(user_id)
+
+        if is_admin:
+            settings["instanceId"] = database.instance_id
+        try:
+            email = userinfo.get("email", "")
+            database.log_login(user_id, email, is_editor, is_admin, userinfo)
+        except Exception:
+            logger.exception(f"Failed to log login")
+
+        return JSONResponse(
+            {
+                "user": {
+                    "user_id": user_id,
+                    "full_name": userinfo.get("name", ""),
+                    "username": userinfo.get("preferred_username", ""),
+                    "email": userinfo.get("email", ""),
+                    "avatar": userinfo.get("picture", ""),
+                    "is_editor": is_editor,
+                    "is_admin": is_admin,
+                    "meta": None,
+                },
+                "settings": settings,
+            }
+        )
+
+
+def user_is_editor(user_id: str) -> bool:
+    if trialmode and not config.PYCAFE_SERVER_EDITORS:
+        logger.debug(
+            f"user {user_id} is an editor, because we are in trialmode and PYCAFE_SERVER_EDITOR is not set"
+        )
+        return True
+    is_editor = user_id in config.PYCAFE_SERVER_EDITORS
+    if is_editor:
+        logger.debug(
+            f"user {user_id} is an editor, because they are in PYCAFE_SERVER_EDITORS"
+        )
+    else:
+        logger.debug(
+            f"user {user_id} is not an editor, because they are not in PYCAFE_SERVER_EDITORS"
+        )
+    return is_editor
+
+
+def user_is_admin(user_id: str) -> bool:
+    is_admin = user_id in config.PYCAFE_SERVER_ADMINS
+    if is_admin:
+        logger.debug(
+            f"user {user_id} is an admin, because they are in PYCAFE_SERVER_ADMINS"
+        )
+    else:
+        logger.debug(
+            f"user {user_id} is not an admin, because they are not in PYCAFE_SERVER_ADMINS"
+        )
+    return is_admin
+
+
+async def sign_hash(request: Request):
+    # ensure login?
+    # we only support ?hash=<hash> for now
+
+    userinfo = auth.get_userinfo(request)
+    user_id = get_user_id(userinfo) if userinfo is not None else None
+    if not trialmode:
+        if userinfo is None:
+            return JSONResponse(
+                {"error": "Not authenticated, please login"}, status_code=401
+            )
+        user_id = get_user_id(userinfo)
+        if not user_is_editor(user_id):
+            return JSONResponse(
+                {"error": "Not authorized, not an editor"}, status_code=403
+            )
+    else:
+        if user_id is None:
+            user_id = "trailmode"  # just make it work in trial mode
+    hash = request.query_params.get("hash")
+    if hash is None:
+        return JSONResponse({"error": "No hash provided"}, status_code=500)
+    signature_jwt = sign.sign_hash(hash, user_id)
+    return JSONResponse({"signatureJwt": signature_jwt})
+
+
+app.add_route("/api/resolve", resolve_uv, methods=["POST"])
+app.add_route("/api/info", info)
+app.add_route("/api/logins", logins)
+app.add_route("/api/sign", sign_hash)
+# starlette does not seem to merge multiple routes at the common path
+# so we manually add all routes from the auth app
+for route in auth.app.routes:
+    app.add_route(route.path, route.endpoint)
+app.mount("/", StaticFilesNextJs(directory=static_dir, html=True), name="static")
+
+
+if not config.PYCAFE_SERVER_INSECURE_MODE_DONT_USE_IN_PRODUCTION:
+    if not config.auth_is_configured() and not config.auth_using_proxy():
+        print(
+            "ERROR: Insecure mode is not enabled, and auth is not configured. Please set up auth.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+    if config.PYCAFE_SERVER_ENABLE_EXPORT and not config.signing_is_configured():
+        print(
+            "ERROR: Insecure mode is not enabled, and signing is not configured. Please set up signing.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+else:
+    print(
+        "WARNING: Insecure mode is enabled. Do not use in production.", file=sys.stderr
+    )
+
+if license.license:
+    if not config.auth_is_configured():
+        print(
+            "ERROR: Valid license found, but not auth is setup. Please set up auth. Entering trial mode",
+            file=sys.stderr,
+        )
+        trialmode = True
+    if license.license.sub != database.instance_id:
+        print(
+            f"ERROR: License is for {license.license.sub}, but this instance has id {database.instance_id}. Please obtain a new license.",
+            file=sys.stderr,
+        )
+        if config.PYCAFE_SERVER_INSECURE_MODE_DONT_USE_IN_PRODUCTION:
+            trialmode = True
+            print("Entering trial mode.")
+        else:
+            sys.exit(1)
+    if len(config.PYCAFE_SERVER_EDITORS) > license.license.max_editors:
+        print(
+            f"ERROR: License does not allow {len(config.PYCAFE_SERVER_EDITORS)} editors, only {license.license.max_editors}.",
+            file=sys.stderr,
+        )
+        if config.PYCAFE_SERVER_INSECURE_MODE_DONT_USE_IN_PRODUCTION:
+            trialmode = True
+            print("Entering trial mode.")
+        else:
+            sys.exit(1)
+else:
+    print("No license found, entering trial mode.", file=sys.stderr)
+    trialmode = True
+
+
+if __name__ == "__main__":
+    uvicorn.run(app, host="127.0.0.1", port=8001)

pycafe_server/auth.py

@@ -0,0 +1,311 @@
+from functools import cache
+import json
+import logging
+import sys
+import jwt
+import typing
+import requests
+from starlette.authentication import (
+    AuthCredentials,
+    AuthenticationBackend,
+    AuthenticationError,
+    SimpleUser,
+)
+from starlette.routing import Router
+from starlette.requests import HTTPConnection
+from starlette.types import ASGIApp, Receive, Scope, Send
+from authlib.integrations.starlette_client import OAuth, StarletteOAuth2App
+from starlette.datastructures import MutableHeaders
+
+
+from starlette.responses import (
+    PlainTextResponse,
+    Response,
+    RedirectResponse,
+    JSONResponse,
+)
+from starlette.authentication import UnauthenticatedUser
+from starlette.requests import Request
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+import base64
+
+from .cookie import Cookie
+from . import config
+
+logger = logging.getLogger(__name__)
+
+access_token_cookie = Cookie(
+    "pycafe_access_token",
+    same_site="none",
+    secure=True,
+    secret_key=config.PYCAFE_SESSION_SECRET_KEY,
+)
+id_token_cookie = Cookie(
+    "pycafe_id_token",
+    same_site="none",
+    secure=True,
+    secret_key=config.PYCAFE_SESSION_SECRET_KEY,
+)
+refresh_token_cookie = Cookie(
+    "pycafe_refresh_token",
+    same_site="none",
+    secure=True,
+    secret_key=config.PYCAFE_SESSION_SECRET_KEY,
+)
+userinfo_cookie = Cookie(
+    "pycafe_userinfo",
+    same_site="none",
+    secure=True,
+    secret_key=config.PYCAFE_SESSION_SECRET_KEY,
+)
+
+
+def load_rsa_key(n, e):
+    """Construct an RSA public key from modulus and exponent in JWKS format."""
+    modulus = int.from_bytes(base64.urlsafe_b64decode(n + "=="), "big")
+    exponent = int.from_bytes(base64.urlsafe_b64decode(e + "=="), "big")
+    public_key = rsa.RSAPublicNumbers(exponent, modulus).public_key(default_backend())
+    return public_key
+
+
+@cache
+def get_aws_alb_public_key(kid: str, region: str) -> str:
+    url = "https://public-keys.auth.elb." + region + ".amazonaws.com/" + kid
+    req = requests.get(url)
+    pub_key = req.text
+    return pub_key
+
+
+def decode_jwt_on_alb(encoded_jwt: str, region=config.PYCAFE_SERVER_AWS_REGION):
+    # Step 1: Validate the signer
+    expected_alb_arn = "arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/app/load-balancer-name/load-balancer-id"
+
+    jwt_headers = encoded_jwt.split(".")[0]
+    decoded_jwt_headers_bytes = base64.b64decode(jwt_headers + "==")
+    decoded_jwt_headers = decoded_jwt_headers_bytes.decode("utf-8")
+    decoded_json = json.loads(decoded_jwt_headers)
+    received_alb_arn = decoded_json["signer"]
+
+    # TODO: we need to verify the signer
+    # assert expected_alb_arn == received_alb_arn, "Invalid Signer"
+
+    # Step 2: Get the key id from JWT headers (the kid field)
+    kid = decoded_json["kid"]
+
+    # Step 3: Get the public key from regional endpoint
+    pub_key = get_aws_alb_public_key(kid, region)
+
+    # Step 4: Get the payload
+    # TODO: we want to know if aud and iss are set in the jwt
+    return jwt.decode(
+        encoded_jwt,
+        pub_key,
+        algorithms=["ES256", "RS256"],
+        options={"verify_aud": False, "verify_iss": False},
+    )
+
+
+def decode_jwt(token):
+    rsa_key = {}
+    headers = jwt.get_unverified_header(token)
+    if config.jwks_client is None:
+        raise ValueError(
+            "No JWKS client available to verify the token, please set PYCAFE_SERVER_JWKS_URL"
+        )
+    for key in config.jwks_client["keys"]:
+        if key["kid"] == headers["kid"]:
+            rsa_key = load_rsa_key(key["n"], key["e"])
+            break
+
+    if not rsa_key:
+        raise ValueError("Public key not found for the provided token.")
+
+    # Decode the JWT and verify its claims
+    decoded = jwt.decode(
+        token,
+        rsa_key,
+        algorithms=["RS256"],
+        audience=config.PYCAFE_SERVER_CLIENT_ID,
+    )
+    return decoded
+
+
+def get_userinfo(request: HTTPConnection) -> dict | None:
+    if config.auth_using_proxy():
+        headers = request.headers
+
+        identity: str | None = None
+        email: str | None = None
+        userinfo: dict | None = None
+
+        if config.PYCAFE_SERVER_PROXY_AUTH_HEADER_IDENTITY:
+            identity = headers.get(config.PYCAFE_SERVER_PROXY_AUTH_HEADER_IDENTITY)
+            if identity is None:
+                print(
+                    f"No header {config.PYCAFE_SERVER_PROXY_AUTH_HEADER_IDENTITY} found, possible headers are {list(headers.keys())}",
+                    file=sys.stderr,
+                )
+
+        if config.PYCAFE_SERVER_PROXY_AUTH_HEADER_EMAIL:
+            email = headers.get(config.PYCAFE_SERVER_PROXY_AUTH_HEADER_EMAIL)
+            if email is None:
+                print(
+                    f"No header {config.PYCAFE_SERVER_PROXY_AUTH_HEADER_EMAIL} found, possible headers are {list(headers.keys())}",
+                    file=sys.stderr,
+                )
+
+        if config.PYCAFE_SERVER_PROXY_AUTH_HEADER_USER_JWT:
+            jwt_data = headers.get(config.PYCAFE_SERVER_PROXY_AUTH_HEADER_USER_JWT)
+            if jwt_data is None:
+                print(
+                    f"No header {config.PYCAFE_SERVER_PROXY_AUTH_HEADER_USER_JWT} found, possible headers are {list(headers.keys())}",
+                    file=sys.stderr,
+                )
+            if jwt_data:
+                if jwt_data.startswith("Bearer "):
+                    jwt_data = jwt_data[7:].strip()
+                userinfo = decode_jwt(jwt_data)
+
+        if userinfo is None:
+            if identity is None:
+                raise ValueError(
+                    "No identity found in headers or PYCAFE_SERVER_PROXY_AUTH_HEADER_IDENTITY not configured, and not userinfo found or PYCAFE_SERVER_PROXY_AUTH_HEADER_USER_JWT not configured"
+                )
+            else:
+                userinfo = {
+                    "user_id": identity,
+                    "email": email,
+                }
+    else:
+        userinfo = userinfo_cookie.get_dict(request)
+        if userinfo is None:
+            return None
+        else:
+            client_id = request.session.get("client_id")
+            # if we changed the oauth provider, we should not use the old user
+            if client_id is not None and client_id != config.PYCAFE_SERVER_CLIENT_ID:
+                logger.error(
+                    "OIDC error, client id mismatch (%s != %s), did you change the oauth provider? We are assuming you are not logged in now",
+                    client_id,
+                    config.PYCAFE_SERVER_CLIENT_ID,
+                )
+                userinfo = None
+            assert userinfo is not None
+            aud = userinfo.get("aud")
+            if aud is not None and aud != config.PYCAFE_SERVER_CLIENT_ID:
+                logger.error(
+                    "OIDC error, audience mismatch (%s != %s), did you change the oauth provider? We are assuming you are not logged in now",
+                    aud,
+                    config.PYCAFE_SERVER_CLIENT_ID,
+                )
+                userinfo = None
+
+    return userinfo
+
+
+# only provides request.user.is_authenticated
+class AuthBackend(AuthenticationBackend):
+    async def authenticate(self, conn: HTTPConnection):
+        userinfo = get_userinfo(conn)
+        if userinfo is None:
+            return AuthCredentials(), UnauthenticatedUser()
+        else:
+            username = "noname"
+            return AuthCredentials(["authenticated"]), SimpleUser(username)
+
+
+oauth = OAuth(config)
+oauth.register(name="pycafe_server")
+
+app = Router()
+
+
+@app.route("/_login")
+async def login_via_pycafe(request: Request):
+    if "next_url" in request.query_params:
+        request.session["next_url"] = request.query_params["next_url"]
+    client: StarletteOAuth2App = oauth.create_client("pycafe_server")
+    redirect_uri = request.url_for("authorize_pycafe")
+    # we send the client id, since that might change during testing, and that means
+    # get_userinfo should not return a userinfo if the client id does not match
+    request.session["client_id"] = config.PYCAFE_SERVER_CLIENT_ID
+    return await client.authorize_redirect(request, redirect_uri)
+
+
+@app.route("/_authorize")
+async def authorize_pycafe(request: Request):
+    client: StarletteOAuth2App = oauth.create_client("pycafe_server")
+    base_url = str(request.base_url)
+    org_url = request.session.pop("next_url", base_url)
+    token = await client.authorize_access_token(request)
+    headers = MutableHeaders(scope=request.scope)
+
+    id_token = token.get("id_token")
+    if id_token is None:
+        raise ValueError("No id_token found in token")
+    id_token_cookie.set_dict(headers, id_token)
+    access_token = token.get("access_token")
+    if access_token is None:
+        raise ValueError("No access_token found in token")
+    access_token_cookie.set_dict(headers, access_token)
+    refresh_token = token.get("refresh_token")
+    if refresh_token is None:
+        refresh_token_cookie.clear(headers)
+    else:
+        refresh_token_cookie.set_dict(headers, refresh_token)
+    # we might be able to skip the userinfo, but we'd have to look into
+    # what authorize_access_token does exactly
+    userinfo = token.get("userinfo")
+    if userinfo is None:
+        raise ValueError(
+            "No userinfo found in token, did you forgot to configure PYCAFE_SERVER_CLIENT_KWARGS?"
+        )
+    userinfo_cookie.set_dict(headers, userinfo)
+    id_field = config.get("PYCAFE_SERVER_USER_ID_FIELD", default="email")
+    user_id = userinfo.get(id_field)
+    if user_id is None:
+        print(
+            f"no value found in userinfo with key PYCAFE_SERVER_USER_ID_FIELD={id_field}, possible fields are {list(userinfo.keys())}"
+        )
+        return JSONResponse(
+            {
+                "error": "Could not find a field in the auth data to uniquely describe the user, see server logs and configuration"
+            },
+            status_code=500,
+        )
+    else:
+        return RedirectResponse(url=org_url, headers=headers)
+
+
+@app.route("/_logout")
+async def logout(request: Request):
+    client_id = config.PYCAFE_SERVER_CLIENT_ID
+    logout_url = (
+        config.PYCAFE_SERVER_OAUTH_BASE_URL + config.PYCAFE_SERVER_OAUTH_LOGOUT_PATH
+    )
+    if "next_url" in request.query_params:
+        request.session["next_url"] = request.query_params["next_url"]
+    redirect_uri = request.url_for("logout_callback")
+    # there is no standard for logout urls, so we
+    # use the most common url parameters to get back to the /_logout_return endpoint
+    # works for auth0 and fief, maybe more?
+    return RedirectResponse(
+        f"{logout_url}?returnTo={redirect_uri}&redirect_uri={redirect_uri}&post_logout_redirect_uri={redirect_uri}&client_id={client_id}"
+    )
+
+
+@app.route("/_logout_callback")
+async def logout_callback(request: Request):
+    next_url = request.session.pop("next_url", "/")
+    # ideally, we only remove these:
+    headers = MutableHeaders()
+    access_token_cookie.clear(headers)
+    id_token_cookie.clear(headers)
+    refresh_token_cookie.clear(headers)
+    userinfo_cookie.clear(headers)
+    # authlib sometimes leaves some stuff in the session on failed logins
+    # so we clear it all
+    request.session.clear()
+    return RedirectResponse(next_url, headers=headers)