skrift 0.1.0a12__py3-none-any.whl

skrift/setup/middleware.py

@@ -0,0 +1,89 @@
+"""Setup wizard middleware for redirecting users to the setup wizard."""
+
+from litestar.response import Redirect
+from litestar.types import ASGIApp, Receive, Scope, Send
+
+# Paths that should be accessible during setup
+SETUP_ALLOWED_PATHS = (
+    "/setup",
+    "/static",
+    "/auth",  # Needed for OAuth callbacks during admin creation
+)
+
+
+class SetupMiddleware:
+    """ASGI middleware to redirect users to setup wizard if not configured."""
+
+    def __init__(self, app: ASGIApp, setup_complete: bool = False, use_app_state: bool = False) -> None:
+        """Initialize the middleware.
+
+        Args:
+            app: The ASGI application
+            setup_complete: Whether setup has been completed (static mode)
+            use_app_state: Whether to check app.state.setup_complete at runtime
+        """
+        self.app = app
+        self._setup_complete = setup_complete
+        self._use_app_state = use_app_state
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """Process the request."""
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+
+        path = scope["path"]
+
+        # Check setup complete status - either from app state (dynamic) or instance var (static)
+        setup_complete = self._setup_complete
+        if self._use_app_state and "app" in scope:
+            litestar_app = scope["app"]
+            setup_complete = getattr(litestar_app.state, "setup_complete", self._setup_complete)
+
+        # If setup is complete, block access to /setup
+        if setup_complete:
+            if path.startswith("/setup"):
+                # Redirect setup routes to home after setup is complete
+                response = Redirect(path="/")
+                await response(scope, receive, send)
+                return
+            await self.app(scope, receive, send)
+            return
+
+        # Setup not complete - check if path is allowed
+        if any(path.startswith(allowed) for allowed in SETUP_ALLOWED_PATHS):
+            await self.app(scope, receive, send)
+            return
+
+        # Redirect to setup wizard
+        response = Redirect(path="/setup")
+        await response(scope, receive, send)
+
+
+def create_setup_middleware_factory(setup_complete: bool):
+    """Create a middleware factory for the setup middleware (static mode).
+
+    Args:
+        setup_complete: Whether setup has been completed
+
+    Returns:
+        Middleware factory function
+    """
+
+    def factory(app: ASGIApp) -> SetupMiddleware:
+        return SetupMiddleware(app, setup_complete=setup_complete)
+
+    return factory
+
+
+def create_dynamic_setup_middleware_factory():
+    """Create a middleware factory that checks app state at runtime.
+
+    Returns:
+        Middleware factory function
+    """
+
+    def factory(app: ASGIApp) -> SetupMiddleware:
+        return SetupMiddleware(app, setup_complete=False, use_app_state=True)
+
+    return factory

skrift/setup/providers.py

@@ -0,0 +1,214 @@
+"""OAuth provider definitions and configuration for the setup wizard."""
+
+from dataclasses import dataclass
+
+DUMMY_PROVIDER_KEY = "dummy"
+
+
+@dataclass
+class OAuthProviderInfo:
+    """Information about an OAuth provider."""
+
+    name: str
+    auth_url: str
+    token_url: str
+    userinfo_url: str
+    scopes: list[str]
+    console_url: str
+    fields: list[dict]
+    instructions: str
+    icon: str = ""
+
+
+OAUTH_PROVIDERS = {
+    "google": OAuthProviderInfo(
+        name="Google",
+        auth_url="https://accounts.google.com/o/oauth2/v2/auth",
+        token_url="https://oauth2.googleapis.com/token",
+        userinfo_url="https://www.googleapis.com/oauth2/v2/userinfo",
+        scopes=["openid", "email", "profile"],
+        console_url="https://console.cloud.google.com/apis/credentials",
+        fields=[
+            {"key": "client_id", "label": "Client ID", "type": "text"},
+            {"key": "client_secret", "label": "Client Secret", "type": "password"},
+        ],
+        instructions="""
+1. Go to the Google Cloud Console
+2. Create a new project or select an existing one
+3. Enable the Google+ API
+4. Go to Credentials → Create Credentials → OAuth Client ID
+5. Choose "Web application"
+6. Add the redirect URI shown below
+7. Copy the Client ID and Client Secret
+        """.strip(),
+        icon="google",
+    ),
+    "github": OAuthProviderInfo(
+        name="GitHub",
+        auth_url="https://github.com/login/oauth/authorize",
+        token_url="https://github.com/login/oauth/access_token",
+        userinfo_url="https://api.github.com/user",
+        scopes=["read:user", "user:email"],
+        console_url="https://github.com/settings/developers",
+        fields=[
+            {"key": "client_id", "label": "Client ID", "type": "text"},
+            {"key": "client_secret", "label": "Client Secret", "type": "password"},
+        ],
+        instructions="""
+1. Go to GitHub Settings → Developer settings → OAuth Apps
+2. Click "New OAuth App"
+3. Fill in the application details
+4. Add the redirect URI shown below as the callback URL
+5. Copy the Client ID and generate a Client Secret
+        """.strip(),
+        icon="github",
+    ),
+    "microsoft": OAuthProviderInfo(
+        name="Microsoft",
+        auth_url="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
+        token_url="https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
+        userinfo_url="https://graph.microsoft.com/v1.0/me",
+        scopes=["openid", "email", "profile"],
+        console_url="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade",
+        fields=[
+            {"key": "client_id", "label": "Client (Application) ID", "type": "text"},
+            {"key": "client_secret", "label": "Client Secret", "type": "password"},
+            {
+                "key": "tenant_id",
+                "label": "Tenant ID",
+                "type": "text",
+                "placeholder": "common",
+                "optional": True,
+            },
+        ],
+        instructions="""
+1. Go to Azure Portal → App registrations
+2. Click "New registration"
+3. Enter a name and select the account types you want to support
+4. Add the redirect URI shown below (Web platform)
+5. Under Certificates & secrets, create a new client secret
+6. Copy the Application (client) ID and secret value
+7. For Tenant ID: use "common" for any Microsoft account, or your specific tenant ID
+        """.strip(),
+        icon="microsoft",
+    ),
+    "discord": OAuthProviderInfo(
+        name="Discord",
+        auth_url="https://discord.com/api/oauth2/authorize",
+        token_url="https://discord.com/api/oauth2/token",
+        userinfo_url="https://discord.com/api/users/@me",
+        scopes=["identify", "email"],
+        console_url="https://discord.com/developers/applications",
+        fields=[
+            {"key": "client_id", "label": "Client ID", "type": "text"},
+            {"key": "client_secret", "label": "Client Secret", "type": "password"},
+        ],
+        instructions="""
+1. Go to Discord Developer Portal
+2. Create a new application
+3. Go to OAuth2 → General
+4. Add the redirect URI shown below
+5. Copy the Client ID and Client Secret
+        """.strip(),
+        icon="discord",
+    ),
+    "facebook": OAuthProviderInfo(
+        name="Facebook",
+        auth_url="https://www.facebook.com/v18.0/dialog/oauth",
+        token_url="https://graph.facebook.com/v18.0/oauth/access_token",
+        userinfo_url="https://graph.facebook.com/me?fields=id,name,email,picture",
+        scopes=["email", "public_profile"],
+        console_url="https://developers.facebook.com/apps/",
+        fields=[
+            {"key": "client_id", "label": "App ID", "type": "text"},
+            {"key": "client_secret", "label": "App Secret", "type": "password"},
+        ],
+        instructions="""
+1. Go to Meta for Developers
+2. Create a new app (Consumer type)
+3. Add Facebook Login product
+4. Go to Settings → Basic to find App ID and Secret
+5. Add the redirect URI shown below in Facebook Login settings
+        """.strip(),
+        icon="facebook",
+    ),
+    "twitter": OAuthProviderInfo(
+        name="X (Twitter)",
+        auth_url="https://twitter.com/i/oauth2/authorize",
+        token_url="https://api.twitter.com/2/oauth2/token",
+        userinfo_url="https://api.twitter.com/2/users/me",
+        scopes=["users.read", "tweet.read"],
+        console_url="https://developer.twitter.com/en/portal/dashboard",
+        fields=[
+            {"key": "client_id", "label": "Client ID", "type": "text"},
+            {"key": "client_secret", "label": "Client Secret", "type": "password"},
+        ],
+        instructions="""
+1. Go to X Developer Portal
+2. Create a new project and app
+3. Enable OAuth 2.0 in User authentication settings
+4. Add the redirect URI shown below
+5. Copy the Client ID and Client Secret (OAuth 2.0)
+        """.strip(),
+        icon="twitter",
+    ),
+    DUMMY_PROVIDER_KEY: OAuthProviderInfo(
+        name="Dummy (Development Only)",
+        auth_url="",
+        token_url="",
+        userinfo_url="",
+        scopes=[],
+        console_url="",
+        fields=[],
+        instructions="Development-only provider. DO NOT use in production.",
+        icon="dummy",
+    ),
+}
+
+
+def get_provider_info(provider: str) -> OAuthProviderInfo | None:
+    """Get provider info by key."""
+    return OAUTH_PROVIDERS.get(provider)
+
+
+def get_all_providers() -> dict[str, OAuthProviderInfo]:
+    """Get all available OAuth providers (excluding dev-only providers)."""
+    return {k: v for k, v in OAUTH_PROVIDERS.items() if k != DUMMY_PROVIDER_KEY}
+
+
+def validate_no_dummy_auth_in_production() -> None:
+    """Exit process if dummy auth is configured in production."""
+    import os
+    import signal
+    import sys
+
+    from skrift.config import get_environment, load_raw_app_config
+
+    if get_environment() != "production":
+        return
+
+    config = load_raw_app_config()
+    if config is None:
+        return
+
+    providers = config.get("auth", {}).get("providers", {})
+    if DUMMY_PROVIDER_KEY in providers:
+        # Only print if we haven't already (use env var as cross-process flag)
+        if not os.environ.get("_SKRIFT_DUMMY_ERROR_PRINTED"):
+            os.environ["_SKRIFT_DUMMY_ERROR_PRINTED"] = "1"
+            sys.stderr.write(
+                "\n"
+                "======================================================================\n"
+                "SECURITY ERROR: Dummy auth provider is configured in production.\n"
+                "Remove 'dummy' from auth.providers in app.yaml.\n"
+                "Server will NOT start.\n"
+                "======================================================================\n\n"
+            )
+            sys.stderr.flush()
+
+        # Kill parent process (uvicorn reloader) to stop respawning
+        try:
+            os.kill(os.getppid(), signal.SIGTERM)
+        except (ProcessLookupError, PermissionError):
+            pass
+        os._exit(1)

skrift/setup/state.py

@@ -0,0 +1,315 @@
+"""Setup state detection for the Skrift setup wizard.
+
+This module implements a two-tier detection strategy:
+1. Pre-database check: Can we connect to a database?
+2. Post-database check: Is setup complete (check for setup_completed_at setting)?
+
+Smart step detection: If config is already present, skip to the first incomplete step.
+"""
+
+import os
+import subprocess
+from enum import Enum
+from pathlib import Path
+import yaml
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine
+
+# Track if migrations have been run this session to avoid running multiple times
+_migrations_run = False
+
+
+def reset_migrations_flag() -> None:
+    """Reset the migrations flag to allow re-running migrations.
+
+    Call this when starting the configuring page to ensure migrations run fresh.
+    """
+    global _migrations_run
+    _migrations_run = False
+
+from skrift.config import get_config_path
+from skrift.db.services.setting_service import (
+    SETUP_COMPLETED_AT_KEY,
+    SITE_NAME_KEY,
+    get_setting,
+)
+
+
+class SetupStep(Enum):
+    """Wizard steps."""
+
+    DATABASE = "database"
+    AUTH = "auth"
+    SITE = "site"
+    ADMIN = "admin"
+    COMPLETE = "complete"
+
+
+def app_yaml_exists() -> bool:
+    """Check if app.yaml exists in the current working directory."""
+    return get_config_path().exists()
+
+
+def get_database_url_from_yaml() -> str | None:
+    """Try to get the database URL from app.yaml, returning None if not configured.
+
+    If the URL is an env var reference that isn't set, falls back to checking
+    for local SQLite database files.
+    """
+    import yaml
+
+    config_path = get_config_path()
+    if not config_path.exists():
+        return None
+
+    try:
+        with open(config_path, "r") as f:
+            config = yaml.safe_load(f)
+
+        if not config or "db" not in config:
+            return None
+
+        db_url = config["db"].get("url")
+        if not db_url:
+            return None
+
+        # If it's an env var reference, try to resolve it
+        if db_url.startswith("$"):
+            env_var = db_url[1:]
+            resolved = os.environ.get(env_var)
+            if resolved:
+                return resolved
+
+            # Fallback: check for local SQLite database files
+            for db_file in ["./app.db", "./data.db", "./skrift.db"]:
+                if Path(db_file).exists():
+                    return f"sqlite+aiosqlite:///{db_file}"
+
+            return None
+
+        return db_url
+    except Exception:
+        return None
+
+
+async def can_connect_to_database() -> tuple[bool, str | None]:
+    """Test if we can connect to the database.
+
+    Returns:
+        Tuple of (success, error_message)
+    """
+    db_url = get_database_url_from_yaml()
+    if not db_url:
+        return False, "Database URL not configured"
+
+    try:
+        engine = create_async_engine(db_url)
+        async with engine.connect() as conn:
+            await conn.execute(text("SELECT 1"))
+        await engine.dispose()
+        return True, None
+    except Exception as e:
+        return False, str(e)
+
+
+async def is_setup_complete(db_session: AsyncSession) -> bool:
+    """Check if setup has been completed by looking for the setup_completed_at setting."""
+    try:
+        value = await get_setting(db_session, SETUP_COMPLETED_AT_KEY)
+        return value is not None
+    except Exception:
+        # Table might not exist yet
+        return False
+
+
+def is_auth_configured() -> bool:
+    """Check if at least one OAuth provider is fully configured in app.yaml.
+
+    A provider is considered configured if it has both client_id and client_secret.
+
+    Returns:
+        True if at least one provider is configured, False otherwise.
+    """
+    config_path = get_config_path()
+    if not config_path.exists():
+        return False
+
+    try:
+        with open(config_path, "r") as f:
+            config = yaml.safe_load(f)
+
+        if not config:
+            return False
+
+        auth = config.get("auth", {})
+        providers = auth.get("providers", {})
+
+        for _, provider_config in providers.items():
+            if not isinstance(provider_config, dict):
+                continue
+            # Check if provider has both client_id and client_secret (even as env var refs)
+            client_id = provider_config.get("client_id", "")
+            client_secret = provider_config.get("client_secret", "")
+            if client_id and client_secret:
+                return True
+
+        return False
+    except Exception:
+        return False
+
+
+def run_migrations_if_needed() -> tuple[bool, str | None]:
+    """Run database migrations if they haven't been run this session.
+
+    This ensures the database schema is up to date before checking for
+    settings or other database-dependent configuration.
+
+    Returns:
+        Tuple of (success, error_message)
+    """
+    global _migrations_run
+    if _migrations_run:
+        return True, None
+
+    try:
+        # Try skrift-db first
+        result = subprocess.run(
+            ["skrift-db", "upgrade", "head"],
+            capture_output=True,
+            text=True,
+            cwd=Path.cwd(),
+            timeout=60,
+        )
+        if result.returncode == 0:
+            _migrations_run = True
+            return True, None
+        # If skrift-db fails, try alembic directly
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        pass
+
+    try:
+        result = subprocess.run(
+            ["alembic", "upgrade", "head"],
+            capture_output=True,
+            text=True,
+            cwd=Path.cwd(),
+            timeout=60,
+        )
+        if result.returncode == 0:
+            _migrations_run = True
+            return True, None
+        return False, result.stderr
+    except subprocess.TimeoutExpired:
+        return False, "Migration timed out"
+    except FileNotFoundError:
+        return False, "Neither skrift-db nor alembic found"
+    except Exception as e:
+        return False, str(e)
+
+
+async def is_site_configured() -> bool:
+    """Check if site settings have been configured in the database.
+
+    The site step is considered complete if site_name has been set.
+    Returns False if the settings table doesn't exist yet (pre-migration).
+
+    Returns:
+        True if site is configured, False otherwise.
+    """
+    db_url = get_database_url_from_yaml()
+    if not db_url:
+        return False
+
+    engine = None
+    try:
+        engine = create_async_engine(db_url)
+        from sqlalchemy.ext.asyncio import async_sessionmaker
+
+        async_session = async_sessionmaker(engine, expire_on_commit=False)
+        async with async_session() as session:
+            try:
+                site_name = await get_setting(session, SITE_NAME_KEY)
+                return site_name is not None
+            except Exception:
+                # Table might not exist yet (before migration)
+                return False
+    except Exception:
+        return False
+    finally:
+        if engine:
+            await engine.dispose()
+
+
+async def get_first_incomplete_step() -> SetupStep:
+    """Determine the first incomplete step in the setup wizard.
+
+    This function checks configuration completeness for each step and returns
+    the first step that needs to be completed. Use this to skip already-configured
+    steps when the user is forced back into the setup wizard.
+
+    If database is configured and connectable, runs migrations to ensure
+    all tables exist before checking database-dependent configuration.
+
+    Returns:
+        The first setup step that needs user input.
+    """
+    # Step 1: Database - check if we can connect
+    if not app_yaml_exists():
+        return SetupStep.DATABASE
+
+    db_url = get_database_url_from_yaml()
+    if not db_url:
+        return SetupStep.DATABASE
+
+    can_connect, _ = await can_connect_to_database()
+    if not can_connect:
+        return SetupStep.DATABASE
+
+    # Database is configured and connectable - run migrations to ensure tables exist
+    migration_success, _ = run_migrations_if_needed()
+    if not migration_success:
+        # If migrations fail, go back to database step to show the error
+        return SetupStep.DATABASE
+
+    # Step 2: Auth - check if at least one provider is configured
+    if not is_auth_configured():
+        return SetupStep.AUTH
+
+    # Step 3: Site - check if site settings exist in DB
+    if not await is_site_configured():
+        return SetupStep.SITE
+
+    # Step 4: Admin - always go here if setup not complete
+    return SetupStep.ADMIN
+
+
+async def get_setup_step(db_session: AsyncSession | None = None) -> SetupStep:
+    """Determine which setup step the user should be on.
+
+    Args:
+        db_session: Database session if available
+
+    Returns:
+        The appropriate setup step
+    """
+    # Pre-database check
+    if not app_yaml_exists():
+        return SetupStep.DATABASE
+
+    db_url = get_database_url_from_yaml()
+    if not db_url:
+        return SetupStep.DATABASE
+
+    can_connect, _ = await can_connect_to_database()
+    if not can_connect:
+        return SetupStep.DATABASE
+
+    # Post-database check - need a session
+    if db_session is None:
+        return SetupStep.DATABASE
+
+    if not await is_setup_complete(db_session):
+        # Check wizard progress stored in session (handled by controller)
+        return SetupStep.AUTH
+
+    return SetupStep.COMPLETE