remdb 0.3.14__py3-none-any.whl → 0.3.157__py3-none-any.whl

rem/auth/middleware.py

@@ -2,14 +2,36 @@
 OAuth Authentication Middleware for FastAPI.
 
 Protects API endpoints by requiring valid session.
-Redirects unauthenticated requests to login page.
+Supports anonymous access with rate limiting when allow_anonymous=True.
+MCP endpoints are always protected unless explicitly disabled.
 
 Design Pattern:
+- Check X-API-Key header first (if API key auth enabled)
 - Check session for user on protected paths
-- Return 401 for API calls (JSON)
-- Redirect to login for browser requests (HTML)
+- Check Bearer token for dev token (non-production only)
+- MCP paths always require authentication (protected service)
+- If allow_anonymous=True: Allow unauthenticated requests (marked as ANONYMOUS tier)
+- If allow_anonymous=False: Return 401 for API calls, redirect browsers to login
 - Exclude auth endpoints and public paths
 
+Access Modes (configured in settings.auth):
+- enabled=true, allow_anonymous=true: Auth available, anonymous gets rate-limited access
+- enabled=true, allow_anonymous=false: Auth required for all requests
+- enabled=false: Middleware not loaded, all requests pass through
+- mcp_requires_auth=true (default): MCP always requires login regardless of allow_anonymous
+- mcp_requires_auth=false: MCP follows normal allow_anonymous rules (dev only)
+
+API Key Authentication (configured in settings.api):
+- api_key_enabled=true: Require X-API-Key header for protected endpoints
+- api_key: The secret key to validate against
+- Provides simple programmatic access without OAuth flow
+- X-API-Key header takes precedence over session auth
+
+Dev Token Support (non-production only):
+- GET /api/auth/dev/token returns a Bearer token for test-user
+- Include as: Authorization: Bearer dev_<signature>
+- Only works when ENVIRONMENT != "production"
+
 Usage:
     from rem.auth.middleware import AuthMiddleware
 
@@ -17,6 +39,8 @@ Usage:
         AuthMiddleware,
         protected_paths=["/api/v1"],
         excluded_paths=["/api/auth", "/health"],
+        allow_anonymous=settings.auth.allow_anonymous,
+        mcp_requires_auth=settings.auth.mcp_requires_auth,
     )
 """
 
@@ -25,6 +49,8 @@ from starlette.requests import Request
 from starlette.responses import JSONResponse, RedirectResponse
 from loguru import logger
 
+from ..settings import settings
+
 
 class AuthMiddleware(BaseHTTPMiddleware):
     """
@@ -32,6 +58,8 @@ class AuthMiddleware(BaseHTTPMiddleware):
 
     Checks for valid user session on protected paths.
     Compatible with OAuth flows from auth router.
+    Supports anonymous access with rate limiting.
+    MCP endpoints are always protected unless explicitly disabled.
     """
 
     def __init__(
@@ -39,6 +67,9 @@ class AuthMiddleware(BaseHTTPMiddleware):
         app,
         protected_paths: list[str] | None = None,
         excluded_paths: list[str] | None = None,
+        allow_anonymous: bool = True,
+        mcp_requires_auth: bool = True,
+        mcp_path: str = "/api/v1/mcp",
     ):
         """
         Initialize auth middleware.
@@ -47,10 +78,85 @@ class AuthMiddleware(BaseHTTPMiddleware):
             app: ASGI application
             protected_paths: Paths that require authentication
             excluded_paths: Paths to exclude from auth check
+            allow_anonymous: Allow unauthenticated requests (rate-limited)
+            mcp_requires_auth: Always require auth for MCP (protected service)
+            mcp_path: Path prefix for MCP endpoints
         """
         super().__init__(app)
         self.protected_paths = protected_paths or ["/api/v1"]
         self.excluded_paths = excluded_paths or ["/api/auth", "/health", "/docs", "/openapi.json"]
+        self.allow_anonymous = allow_anonymous
+        self.mcp_requires_auth = mcp_requires_auth
+        self.mcp_path = mcp_path
+
+    def _check_api_key(self, request: Request) -> dict | None:
+        """
+        Check for valid X-API-Key header.
+
+        Returns:
+            API key user dict if valid, None otherwise
+        """
+        # Only check if API key auth is enabled
+        if not settings.api.api_key_enabled:
+            return None
+
+        # Check for X-API-Key header
+        api_key = request.headers.get("x-api-key")
+        if not api_key:
+            return None
+
+        # Validate against configured API key
+        if settings.api.api_key and api_key == settings.api.api_key:
+            logger.debug("X-API-Key authenticated")
+            return {
+                "id": "api-key-user",
+                "email": "api@rem.local",
+                "name": "API Key User",
+                "provider": "api-key",
+                "tenant_id": "default",
+                "tier": "pro",  # API key users get full access
+                "roles": ["user"],
+            }
+
+        # Invalid API key
+        logger.warning("Invalid X-API-Key provided")
+        return None
+
+    def _check_dev_token(self, request: Request) -> dict | None:
+        """
+        Check for valid dev token in Authorization header (non-production only).
+
+        Returns:
+            Test user dict if valid dev token, None otherwise
+        """
+        if settings.environment == "production":
+            return None
+
+        auth_header = request.headers.get("authorization", "")
+        if not auth_header.startswith("Bearer "):
+            return None
+
+        token = auth_header[7:]  # Strip "Bearer "
+
+        # Only check dev tokens (start with "dev_")
+        if not token.startswith("dev_"):
+            return None
+
+        # Verify dev token
+        from ..api.routers.dev import verify_dev_token
+        if verify_dev_token(token):
+            logger.debug("Dev token authenticated as test-user")
+            return {
+                "id": "test-user",
+                "email": "test@rem.local",
+                "name": "Test User",
+                "provider": "dev",
+                "tenant_id": "default",
+                "tier": "pro",  # Give test user pro tier for full access
+                "roles": ["admin"],
+            }
+
+        return None
 
     async def dispatch(self, request: Request, call_next):
         """
@@ -61,7 +167,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
             call_next: Next middleware in chain
 
         Returns:
-            Response (401/redirect if unauthorized, normal response if authorized)
+            Response (401/redirect if unauthorized, normal response if authorized/anonymous)
         """
         path = request.url.path
 
@@ -69,32 +175,90 @@ class AuthMiddleware(BaseHTTPMiddleware):
         is_protected = any(path.startswith(p) for p in self.protected_paths)
         is_excluded = any(path.startswith(p) for p in self.excluded_paths)
 
+        # Check if this is an MCP path (paid service, always requires auth)
+        is_mcp_path = path.startswith(self.mcp_path)
+
         # Skip auth check for excluded paths
         if not is_protected or is_excluded:
             return await call_next(request)
 
-        # Check for valid session
-        user = request.session.get("user")
-        if not user:
-            logger.warning(f"Unauthorized access attempt: {path}")
+        # Check for X-API-Key header first (if enabled)
+        api_key_user = self._check_api_key(request)
+        if api_key_user:
+            request.state.user = api_key_user
+            request.state.is_anonymous = False
+            return await call_next(request)
 
-            # Return 401 for API requests (JSON)
-            # Check Accept header to determine if client expects JSON
-            accept = request.headers.get("accept", "")
-            if "application/json" in accept or path.startswith("/api/"):
+        # If API key auth is enabled but no valid key provided, reject immediately
+        if settings.api.api_key_enabled:
+            # Check if X-API-Key header was provided but invalid
+            if request.headers.get("x-api-key"):
+                logger.warning(f"Invalid X-API-Key for: {path}")
                 return JSONResponse(
                     status_code=401,
-                    content={"detail": "Authentication required"},
-                    headers={
-                        "WWW-Authenticate": 'Bearer realm="REM API"',
-                    },
+                    content={"detail": "Invalid API key"},
+                    headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
                 )
+            # No API key provided when required
+            logger.debug(f"Missing X-API-Key for: {path}")
+            return JSONResponse(
+                status_code=401,
+                content={"detail": "API key required. Include X-API-Key header."},
+                headers={"WWW-Authenticate": 'ApiKey realm="REM API"'},
+            )
+
+        # Check for dev token (non-production only)
+        dev_user = self._check_dev_token(request)
+        if dev_user:
+            request.state.user = dev_user
+            request.state.is_anonymous = False
+            return await call_next(request)
+
+        # Check for valid session
+        user = request.session.get("user")
+
+        if user:
+            # Authenticated user - add to request state
+            request.state.user = user
+            request.state.is_anonymous = False
+            return await call_next(request)
+
+        # No user session - check if MCP path requires auth
+        if is_mcp_path and self.mcp_requires_auth:
+            # MCP is a protected service - always require authentication
+            logger.warning(f"Unauthorized MCP access attempt: {path}")
+            return JSONResponse(
+                status_code=401,
+                content={
+                    "detail": "Authentication required for MCP. Please login to use this service.",
+                    "code": "MCP_AUTH_REQUIRED",
+                },
+                headers={
+                    "WWW-Authenticate": 'Bearer realm="REM MCP"',
+                },
+            )
+
+        # No user session - handle anonymous access for non-MCP paths
+        if self.allow_anonymous:
+            # Allow anonymous access - rate limiting handled downstream
+            request.state.user = None
+            request.state.is_anonymous = True
+            logger.debug(f"Anonymous access: {path}")
+            return await call_next(request)
 
-            # Redirect to login for browser requests
-            # TODO: Store original URL for post-login redirect
-            return RedirectResponse(url="/api/auth/google/login", status_code=302)
+        # Anonymous not allowed - require authentication
+        logger.warning(f"Unauthorized access attempt: {path}")
 
-        # Add user to request state for downstream handlers
-        request.state.user = user
+        # Return 401 for API requests (JSON)
+        accept = request.headers.get("accept", "")
+        if "application/json" in accept or path.startswith("/api/"):
+            return JSONResponse(
+                status_code=401,
+                content={"detail": "Authentication required"},
+                headers={
+                    "WWW-Authenticate": 'Bearer realm="REM API"',
+                },
+            )
 
-        return await call_next(request)
+        # Redirect to login for browser requests
+        return RedirectResponse(url="/api/auth/google/login", status_code=302)

rem/auth/providers/__init__.py

@@ -1,6 +1,7 @@
-"""OAuth provider implementations."""
+"""Authentication provider implementations."""
 
 from .base import OAuthProvider, OAuthTokens, OAuthUserInfo
+from .email import EmailAuthProvider, EmailAuthResult
 from .google import GoogleOAuthProvider
 from .microsoft import MicrosoftOAuthProvider
 
@@ -8,6 +9,8 @@ __all__ = [
     "OAuthProvider",
     "OAuthTokens",
     "OAuthUserInfo",
+    "EmailAuthProvider",
+    "EmailAuthResult",
     "GoogleOAuthProvider",
     "MicrosoftOAuthProvider",
 ]

rem/auth/providers/email.py

@@ -0,0 +1,215 @@
+"""
+Email Authentication Provider.
+
+Passwordless authentication using email verification codes.
+Unlike OAuth providers, this handles the full flow internally.
+
+Flow:
+1. User requests login with email address
+2. System generates code, upserts user, sends email
+3. User enters code
+4. System verifies code and creates session
+
+Design:
+- Uses EmailService for sending codes
+- Creates users with deterministic UUID from email hash
+- Stores challenge in user metadata
+- No external OAuth dependencies
+"""
+
+from typing import TYPE_CHECKING
+from pydantic import BaseModel, Field
+from loguru import logger
+
+from ...services.email import EmailService
+
+if TYPE_CHECKING:
+    from ...services.postgres import PostgresService
+
+
+class EmailAuthResult(BaseModel):
+    """Result of email authentication operations."""
+
+    success: bool = Field(description="Whether operation succeeded")
+    email: str = Field(description="Email address")
+    user_id: str | None = Field(default=None, description="User ID if authenticated")
+    error: str | None = Field(default=None, description="Error message if failed")
+    message: str | None = Field(default=None, description="User-friendly message")
+
+
+class EmailAuthProvider:
+    """
+    Email-based passwordless authentication provider.
+
+    Handles the complete email login flow:
+    1. send_code() - Generate and send verification code
+    2. verify_code() - Verify code and return user info
+    """
+
+    def __init__(
+        self,
+        email_service: EmailService | None = None,
+        template_kwargs: dict | None = None,
+    ):
+        """
+        Initialize EmailAuthProvider.
+
+        Args:
+            email_service: EmailService instance (creates new one if not provided)
+            template_kwargs: Customization for email templates (colors, branding, etc.)
+        """
+        self._email_service = email_service or EmailService()
+        self._template_kwargs = template_kwargs or {}
+
+    @property
+    def is_configured(self) -> bool:
+        """Check if email auth is properly configured."""
+        return self._email_service.is_configured
+
+    async def send_code(
+        self,
+        email: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Send a verification code to an email address.
+
+        Creates user if not exists (using deterministic UUID from email).
+        Stores code in user metadata.
+
+        Args:
+            email: Email address to send code to
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with success status
+        """
+        if not self.is_configured:
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error="Email service not configured",
+                message="Email login is not available. Please try another method.",
+            )
+
+        try:
+            result = await self._email_service.send_login_code(
+                email=email,
+                db=db,
+                tenant_id=tenant_id,
+                template_kwargs=self._template_kwargs,
+            )
+
+            if result["success"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message=f"Verification code sent to {email}. Check your inbox.",
+                )
+            else:
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=result.get("error", "Failed to send code"),
+                    message="Failed to send verification code. Please try again.",
+                )
+
+        except Exception as e:
+            logger.error(f"Error sending login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    async def verify_code(
+        self,
+        email: str,
+        code: str,
+        db: "PostgresService",
+        tenant_id: str = "default",
+    ) -> EmailAuthResult:
+        """
+        Verify a login code and authenticate user.
+
+        Args:
+            email: Email address
+            code: 6-digit verification code
+            db: PostgresService instance
+            tenant_id: Tenant identifier
+
+        Returns:
+            EmailAuthResult with user_id if successful
+        """
+        try:
+            result = await self._email_service.verify_login_code(
+                email=email,
+                code=code,
+                db=db,
+                tenant_id=tenant_id,
+            )
+
+            if result["valid"]:
+                return EmailAuthResult(
+                    success=True,
+                    email=email,
+                    user_id=result["user_id"],
+                    message="Successfully authenticated!",
+                )
+            else:
+                error = result.get("error", "Invalid code")
+                # User-friendly error messages
+                if error == "Login code expired":
+                    message = "Your code has expired. Please request a new one."
+                elif error == "Invalid login code":
+                    message = "Invalid code. Please check and try again."
+                elif error == "No login code requested":
+                    message = "No code was requested for this email. Please request a new code."
+                elif error == "User not found":
+                    message = "Email not found. Please request a login code first."
+                else:
+                    message = "Verification failed. Please try again."
+
+                return EmailAuthResult(
+                    success=False,
+                    email=email,
+                    error=error,
+                    message=message,
+                )
+
+        except Exception as e:
+            logger.error(f"Error verifying login code: {e}")
+            return EmailAuthResult(
+                success=False,
+                email=email,
+                error=str(e),
+                message="An error occurred. Please try again.",
+            )
+
+    def get_user_dict(self, email: str, user_id: str) -> dict:
+        """
+        Create a user dict for session storage.
+
+        Compatible with OAuth user format for consistent session handling.
+
+        Args:
+            email: User's email
+            user_id: User's UUID
+
+        Returns:
+            User dict for session
+        """
+        return {
+            "id": user_id,
+            "email": email,
+            "email_verified": True,  # Email is verified through code
+            "name": email.split("@")[0],  # Use email prefix as name
+            "provider": "email",
+            "tenant_id": "default",
+            "tier": "free",  # Email users start at free tier
+            "roles": ["user"],
+        }