$jG=UdZddlmZddlZddlmZmZddlmZddl m Z m Z m Z ddl mZddlmZmZdd lmZmZdd lmZdd lmZejeZd Zd ed<d!dZd"dZd#dZ d"dZ!d$dZ"d%dZ#d&d Z$dS)'aAuth-gate middleware for the dashboard. Engaged when ``app.state.auth_required is True``. The gate's job: 1. Allow a small set of routes through unauthenticated (login page, ``/auth/*`` OAuth round trip, ``/api/auth/providers``, static assets). 2. For everything else, demand a valid session cookie and attach the verified :class:`Session` to ``request.state.session``. 3. On HTML routes, redirect missing/invalid cookies to ``/login``. On ``/api/*`` routes, return 401 JSON. The middleware is a no-op when ``auth_required`` is False (loopback mode); the legacy ``_SESSION_TOKEN`` ``auth_middleware`` handles those binds. ) annotationsN) AwaitableCallable)Request) JSONResponseRedirectResponseResponse)list_providers) AuditEvent audit_log) ProviderErrorRefreshExpiredError)read_session_cookies)PUBLIC_API_PATHS) z /auth/loginz/auth/callbackz/auth/password-loginz /auth/logout/loginz/api/auth/providersz/assets/z /favicon.icoz /ds-assets/z/fonts/z/fonts-terminal/ztuple[str, ...]_GATE_PUBLIC_PREFIXESpathstrreturnboolcZtvrdStfdtDS)uTrue if ``path`` bypasses the OAuth auth gate. Two sources of public-ness: * :data:`PUBLIC_API_PATHS` — the shared ``/api/*`` allowlist that the legacy ``_SESSION_TOKEN`` middleware also honours. Matched exactly (no prefix expansion) so adding ``/api/status`` doesn't accidentally expose ``/api/status/secret-extension``. * :data:`_GATE_PUBLIC_PREFIXES` — auth-bootstrap routes and static mounts. Prefix-matched so ``/assets/foo.css`` lights up via ``/assets/``. Tc3NK|]}|kp|V dSN startswith).0prefixrs C/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/middleware.py z"_path_is_public..DsL  1$//&11)ranyr)rs`r_path_is_publicr"5sN t +  r requestrc|jdd}|r-|ddS|jr |jjndS)Nzx-forwarded-for,r)headersgetsplitstripclienthost)r#fwds r _client_ipr.JsZ /  / 4 4C )yy~~a &&((("). 87>  b8r reasonr cddlm}|jj}t |}||}|r|d|n|d}|dr |dkrdnd}t |d ||d d St|d S)uAPI routes → 401 JSON with ``login_url``; HTML routes → 302 → /login. The JSON envelope carries a ``login_url`` field with a ``next=`` query string so the SPA's global 401 handler can drop the user back where they were after re-auth. The contract is intentionally simple so any fetch-wrapper can implement the redirect without parsing details: if response.status === 401 && body.error in ("unauthenticated", "session_expired"): window.location.assign(body.login_url); HTML redirects also carry the ``next=`` query string so direct navigation to ``/sessions`` (etc.) without a cookie comes back to ``/sessions`` after login. Under a reverse proxy with ``X-Forwarded-Prefix: /hermes``, the ``login_url`` is prefixed (``/hermes/login?next=...``) so the browser's window.location.assign / Location: follow lands on the proxied login page rather than the bare ``/login`` (which the proxy doesn't route to the dashboard). rprefix_from_requestz /login?next=r/api/invalid_or_expired_sessionsession_expiredunauthenticated Unauthorized)errordetailr/ login_urli status_codei.)urlr<) hermes_cli.dashboard_auth.prefixr2r=r_safe_next_targetrrr)r#r/r2r next_paramrr: error_codes r_unauth_responserBQs,EDDDDD ; D"7++J  ) )F/9 6++z+++     w 555  "  #( &          s ; ; ;;r c@|jjr*drdrdStfddDrdSdksdrdS|jj}|rd|n}d d lm}||d S) uOBuild the URL-encoded ``next`` query value, or empty string. Only same-origin relative paths are accepted; absolute URLs or ``//evil.com`` open-redirect attempts are silently dropped. The empty string return means the caller produces a bare ``/login`` URL — fine, user lands at the dashboard root after re-auth. /z//r%c3NK|]}|kp|V dSrr)rprs rrz$_safe_next_target..sL     'T__Q''      r )rz/auth/z /api/auth/z/apir3?r)quote)safe)r=rrr!query urllib.parserH)r#rJtargetrHrs @rr?r?s ; D ts++tt/D/Dr     3   r v~~11~r K E"' 1  u   TF"""""" 5b ! ! !!r call_next(Callable[[Request], Awaitable[Response]]c Kt|jjdds||d{VS|jj}t |r||d{VSt |\}}|s|st|dSd}|rd}tD]} | |}np#t$rc}t d|j |ttj|j dt#| ||j }Yd}~d}~wwxYw|n||t%d d |d id S| t'||} | | \} } | |j_||d{V} ddlm} m}ddlm}|| | j| jt9| | |||ttj| | jt#|| Sttjdt#|t|d} ddlm}ddlm}|| ||| S||j_||d{VS)zEngaged only when ``app.state.auth_required is True``. No-op pass-through in loopback mode so the legacy auth_middleware can handle those binds via ``_SESSION_TOKEN``. auth_requiredFN no_cookie)r/) access_tokenz9dashboard-auth: provider %r unreachable during verify: %sprovider_unreachableproviderr/ipr9zAuth provider z unreachableir; refresh_tokenr) detect_httpsset_session_cookiesr1)rRrXaccess_token_expires_in use_httpsr)rUuser_idrVno_provider_recognises)r/rVr4)clear_session_cookies)r) getattrappstater=rr"rrBr verify_sessionr _logwarningnamer r SESSION_VERIFY_FAILUREr.r_attempt_refreshsession!hermes_cli.dashboard_auth.cookiesrYrZr>r2rRrX_expires_in_secondsREFRESH_SUCCESSr]r_)r#rMrat_rtriunreachable_providerrUe refreshed new_sessionrefreshing_providerresponserYrZr2r_s rgated_auth_middlewarerus 7;$ou = =(Yw''''''''' ; Dt(Yw'''''''''"7++GB =c=  <<<< G + ,0&((  H "11r1BB    OM15%]1!'**  (/+3=( "# ?3? P,@PPPQ   %WC@@@  /8 ,K,$/GM !&Yw////////H          M L L L L L  (5)7(;K(H(H&,w//**733      *,#+g&&      O  -+'""    $G4PQQQ LKKKKKHHHHHHh/B/B7/K/KLLLL#GM7## # # # # # ##sB00 D:ADDintcddl}tdt|jt|z S)a%Seconds until the access token's ``exp``, floored at 60. Mirrors the auth-route's ``max(60, exp - now)`` so the access-token cookie's Max-Age tracks the token lifetime even on a slightly skewed clock. ``time`` imported locally to keep the module's import surface minimal. rN<)timemaxrv expires_at)rirys rrkrk9s=KKK r3w)**S-=-== > >>r c |sdStD]} ||}n#t$r4ttj|jdt|YdSt$r\}t d|j|ttj|jdt|Yd}~dSd}~wwxYw| ||jfcSdS)uNTry to rotate an expired session via the refresh token. Returns ``(new_session, provider_name)`` on success, or ``None`` if there's no RT or every provider's ``refresh_session`` failed with ``RefreshExpiredError`` (dead/revoked/reuse-detected RT → force re-login). A ``ProviderError`` (Portal unreachable) is NOT swallowed into a re-login here — re-raising would 500 the request; instead we log and return None so the caller forces a clean re-login, which is the safer UX than a hard error on a transient network blip during the narrow refresh window. NrWrefresh_expiredrTz:dashboard-auth: provider %r unreachable during refresh: %srS) r refresh_sessionrr r REFRESH_FAILURErfr.r rdre)r#rXrUrrrps rrhrhFs9 t"$$.. "222OOKK"    *!(g&&      444    LLL q    *!-g&&      444444   " - - - - # 4s-9C* C3AC  C)rrrr)r#rrr)r#rr/rrr )r#rrMrNrr )rrv)r#r)%__doc__ __future__rloggingtypingrrfastapirfastapi.responsesrrr hermes_cli.dashboard_authr hermes_cli.dashboard_auth.auditr r hermes_cli.dashboard_auth.baser rrjr&hermes_cli.dashboard_auth.public_pathsr getLogger__name__rdr__annotations__r"r.rBr?rurkrhr rrs #"""""&&&&&&&&FFFFFFFFFF444444AAAAAAAAMMMMMMMMBBBBBBCCCCCCw"" *    *99993<3<3<3