$jXUdZddlmZddlZddlZddlZddlmZmZddl m Z m Z m Z m Z ddlmZmZmZddlmZmZmZddlmZdd lmZmZdd lmZmZdd lmZm Z m!Z!dd l"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)dd l*m+Z+ej,e-Z.eZ/dEdZ0dEdZ1dEdZ2e/3dddFdZ4e/3dddGdZ5e/3dddHdId#Z6e/3d$d% dJdKd*Z7dLd,Z8d-Z9d.Z:eeZ;d/edMd3Z?dNd5Z@Gd6d7eZAe/Bd8d9dOd;ZCe/BdZDe/3d?d@dPdAZEe/BdBdCdPdDZFdS)QuHTTP routes for the dashboard-auth OAuth round trip. Mounted at root (no prefix) by ``web_server.py``. The router does not auto-gate; gating is performed by ``gated_auth_middleware``, which allowlists everything under ``/auth/*`` and ``/api/auth/providers``. The routes: GET /login → server-rendered login page GET /auth/login?provider=N → 302 to IDP, sets PKCE cookie GET /auth/callback?code,state → completes login, sets session cookies POST /auth/logout → clears cookies, best-effort revoke GET /api/auth/providers → list registered providers (login bootstrap) GET /api/auth/me → current Session as JSON (auth-required) ) annotationsN) defaultdictdeque)AnyDequeDictTuple) APIRouter HTTPExceptionRequest) HTMLResponse JSONResponseRedirectResponse) BaseModel) get_providerlist_providers) AuditEvent audit_log)InvalidCodeErrorInvalidCredentialsError ProviderError)clear_pkce_cookieclear_session_cookies detect_httpsread_pkce_cookieread_session_cookiesset_pkce_cookieset_session_cookies)render_login_htmlrequestr returnstrc ddlm}m}ddlm}m}|}|r|dSt |d}||}|s|S||}||||j S)uReconstruct the absolute callback URL the IDP redirects back to. Three resolution tiers: 1. ``HERMES_DASHBOARD_PUBLIC_URL`` env var or ``dashboard.public_url`` in config.yaml — when set, this is the complete authority (scheme + host + optional path prefix) and we append ``/auth/callback`` verbatim. ``X-Forwarded-Prefix`` is IGNORED on this code path because the operator has declared the public URL — we no longer need to guess from proxy headers, and stacking the prefix on top would double-prefix the common case where the prefix is already baked into ``public_url``. Relief valve for deploys behind reverse proxies whose forwarded headers aren't reliable. 2. ``X-Forwarded-Prefix: /hermes`` (Mission Control deploys) — we prepend the prefix to the path FastAPI's ``url_for`` produces (it doesn't natively honour this header — it isn't part of the Starlette/uvicorn proxy_headers set). 3. Bare ``request.url_for("auth_callback")`` — under uvicorn's ``proxy_headers=True`` this picks up the public https URL from ``X-Forwarded-Host`` plus ``X-Forwarded-Proto``. Fly.io's default path. r)urlparse urlunparse)prefix_from_requestresolve_public_url/auth/callback auth_callback)path) urllib.parser$r% hermes_cli.dashboard_auth.prefixr&r'r"url_for_replacer*) r r$r%r&r' public_urlbaseprefixparseds ?/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/routes.py _redirect_urir46s421111111 $#%%J- ,,,, w// 0 0D  ) )F  Xd^^F :foof+Cfk+C+CoDD E EEc|jdd}|r-|ddS|jr |jjndS)Nzx-forwarded-for,r)headersgetsplitstripclienthost)r fwds r3 _client_ipr@jsZ /  / 4 4C )yy~~a &&((("). 87>  b8r5c$ddlm}||S)aAResolve the X-Forwarded-Prefix header for the active request. Local indirection so the routes pass a consistent value to the cookie helpers (cookie name + Path attribute) and the gate's redirect builders (login_url construction). See ``hermes_cli.dashboard_auth.prefix`` for the normalisation rules. r)r&)r,r&)r r&s r3_prefixrBqs(EDDDDD  w ' ''r5/login login_page)namer cKt|jdd}tt |ddiS)Nnextr7) next_pathz Cache-Controlz#no-store, no-cache, must-revalidate)r9)_validate_post_login_target query_paramsr:r r)r rHs r3rDrDs] ,  ,,I I... "GH   r5z/api/auth/providersauth_providersrchKt}|stddidSdd|DiS)Ndetailzno auth providers registered) status_code providersc fg|].}|j|jtt|ddd/S)supports_passwordF)rE display_namerR)rErSboolgetattr).0ps r3 z&api_auth_providers..sX      !%)A2E::&&      r5)rr)rPs r3api_auth_providersrYsi  I   5 6             r5z /auth/login auth_loginr7providerrGc Kt|}|tdd| |t|}nP#t$rC}t t j|dt|tdd|d}~wwxYwt t j |t| t|j d }|j d d }d|vr|rd|d|nd|}t|}|rddlm} |d| |d }t#||t%|t'||S)NzUnknown provider: rOrM) redirect_uriprovider_unreachabler[reasoniprNProvider unreachable: )r[rc.urlrOhermes_session_pkcer7z provider=;r)quotez;next=)safe)payload use_httpsr1)rr start_loginr4rrr LOGIN_FAILUREr@ LOGIN_STARTr redirect_urlcookie_payloadr:rIr+rjrrrB) r r[rGrWlseresppkce safe_nextrjs r3rZrZsXAy444     ]] g(>(>] ? ?       $)'""     /A//       g   S A A AD   !6 ; ;D$04P,8,,d,,,:Ph:P:P,D11I:&&&&&&99eeIB77799 dl7&;&;w Ks#A B>BBr(r)codestateerrorerror_descriptionc \Kt|}|s:ttjdt |t ddt d|dD}|dd }|d d }|d d } |d d } t|} | t dd ||rCttj|d|t |t dd|d|d|r||kr;ttj|dt |t dd | ||| t|} n#t$rC} ttj|dt |t dd| d} ~ wt$rC} ttj|dt |t dd| d} ~ wwxYwttj|| j| j| jt |t%d| jt)t+jz }t-| pd}t/|d }t1|| j| j|t7|t9|!t;|t9|"|S)#Nmissing_pkce_cookie)rbrcizMissing PKCE state cookier^c3JK|]}d|v|ddVdS)=N)r;)rVsegs r3 z auth_callback..s=!C3JJ #qJJJJr5rir[r7ryverifierrGzUnknown provider in cookie: idp_error)r[rbrzrczOAuth error from provider: z ()state_mismatchraz(OAuth state mismatch (CSRF check failed))rxry code_verifierr_ invalid_codezInvalid code: r`rNrdr[user_idemailorg_idrc</rerf access_token refresh_tokenaccess_token_expires_inrmr1r1)rrrror@r dictr;r:rcomplete_loginr4rr LOGIN_SUCCESSrrrmax expires_atinttimerIrrrrrrBr)r rxryrzr{pkce_rawparts provider_nameexpected_staternext_from_cookierWsessionrt expires_inlandingrus r3r)r)s ((H     $('""    .     %-^^C%8%8  EIIj"--MYYw++NyyR((H yy,,]##AyC-CC        $"'""     NNN:KNNN      E^++  $"#'""     =     """&w// #   JJJ  $"!'""     4HQ4H4HIIII       $")'""     /A//       m~ g   R+c$)++.>.>>??J**:;;BsG S 9 9 9D )+ *w''w d77#3#34444 Ks$&F'' H?1>G// H?<>H::H?rawc|sdSddlm}||drdrdStfddDrdSdksd rdSS) uReturn ``raw`` if it's a safe same-origin path, else empty string. The ``next`` query param survives a full OAuth round trip — the gate encodes it into the /login redirect, the login page emits it back into /auth/login, and the IDP preserves it across /authorize/callback. We have to re-validate here because the value came back in via the URL (an attacker could craft a /auth/callback URL with their own ``next=https://evil.example``). r7r)unquoterz//c3NK|]}|kp|V dS)N) startswith)rVrWdecodeds r3rz._validate_post_login_target..usN    1 -**1--      r5)rCz/auth/z /api/auth/z/apiz/api/)r+rrany)rrrs @r3rIrIds r$$$$$$gcllG   c " "g&8&8&>&>r     3   r&G..w77r Nr5 gN@zDict[str, Deque[float]] _pw_attemptsrcrTcztj}|tz }|pd}t5t|}|r.|d|kr"||r |d|k"t |tkr ddddS|| ddddS#1swxYwYdS)uiTrue if ``ip`` has exceeded the password-login attempt budget. Sliding window: prune attempts older than the window, then check the count. Records the attempt timestamp when allowed. An empty IP (no discernible client) shares a single bucket — fail-safe toward throttling rather than letting unattributable traffic through unmetered. _unknown_rNTF) r monotonic_PW_RATE_WINDOW_SEC_pw_attempts_lockrpopleftlen_PW_RATE_MAX_ATTEMPTSappend)rcnowcutoffkeybuckets r3_password_rate_limitedrs, .  C & &F  C c" V++ NN    V++ v;;/ / /   csAB0 B00B47B4Nonecxt5tddddS#1swxYwYdS)z(Test-only: clear all rate-limit buckets.N)rrclearr5r3_reset_password_rate_limitrs~ s /33c<eZdZUded<ded<ded<dZded<dS)_PasswordLoginBodyr"r[usernamepasswordr7rGN)__name__ __module__ __qualname____annotations__rGrr5r3rrs8MMMMMMMMMDNNNNNNr5rz/auth/password-loginauth_password_loginbodyc vKt|}t|r3ttj|jd|t ddt|j}|t|dds3ttj|jd |t d d  | |j |j }n#t$r4ttj|jd |t ddt$rt ddt$r;}ttj|jd|t dd|d}~wwxYwttj|j|j|j|j|t'd|jt+t-jz }t/|jpd}t3d|d}t5||j|j|t;|t=||S)uAuthenticate a username/password against a password provider. Mirrors the cookie-minting tail of ``/auth/callback`` but skips the PKCE/state/code machinery (those are OAuth-only). On success sets the session cookies and returns JSON ``{"ok": true, "next": }`` — the credential form POSTs via fetch and navigates client-side, so a 302 (which fetch follows opaquely) is the wrong shape here. Failure modes, all deliberately generic so the endpoint can't be used as a username oracle or a provider-enumeration oracle: * unknown provider / provider lacks password support → 404 * bad credentials → 401 ("Invalid credentials") * backing store unreachable → 503 * too many attempts from this IP → 429 rate_limitedraiz+Too many login attempts. Try again shortly.r^NrRFunknown_password_providerr]zUnknown provider)rrinvalid_credentialszInvalid credentialsizProvider misconfiguredr`rNrdrrrT)okrGr)r@rrrror[r rrUcomplete_password_loginrrrNotImplementedErrorrrrrrrrrrrIrGrrrrrrB) r rrcrWrrtrrrus r3rrs" G  Bb!!    $]!     @    T]##Ay#6>>y   $].     4FGGGGR++]T],   #KKK  $](     4IJJJJ NNN4LMMMM RRR  $])     4PQ4P4PQQQQR m~ R+c$)++.>.>>??J)$)44;G tW55 6 6D )+ *w''w  Ks/!CA E,16E''E,z /auth/logout auth_logoutc Kt|\}}|r`tD]Q} ||#t$r+}td|j|Yd}~Jd}~wwxYwt|jdd}ttj |r|j nd|r|j ndt|t|}t!|dd }t#|| t%|| |S) N)rz'dashboard-auth: revoke on %r failed: %srunknownr7r[rrcrCrerfr)rrrevoke_session Exception_logwarningrErUryrrLOGOUTr[rr@rBrrr)r _atrtr[rtsessr1rus r3rrs["7++GC '((  H ''b'9999    =M1  7=)T 2 2D #'6$--Y!%-2 g   W  F 6 1 1 1s C C CD$v....d6**** Ks? A4 !A//A4z /api/auth/meauth_mecKt|jdd}|tdd|j|j|j|j|j|jdS)zCReturn the verified session as JSON. Auth-required (gate enforces).rNr Unauthorizedr^)rrrSrr[r) rUryr rrrSrr[r)r rs r3 api_auth_mer<sa 7=)T 2 2D |NCCCC<)+Mo   r5z/api/auth/ws-ticketauth_ws_ticketcKt|jdd}|tddddlm}m}||j|j}ttj |j|jt| ||d S) aMint a short-lived single-use ticket for the authenticated session. Browsers cannot set ``Authorization`` on a WebSocket upgrade, so in gated mode the SPA POSTs this endpoint to get a ``?ticket=`` value to append to ``/api/pty``, ``/api/ws``, ``/api/pub``, or ``/api/events``. The ticket has a 30-second TTL and is single-use. Calling this endpoint multiple times in quick succession (e.g. one ticket per WS) is the expected pattern. rNrrr^r) TTL_SECONDS mint_ticket)rr[r)ticket ttl_seconds) rUryr $hermes_cli.dashboard_auth.ws_ticketsrrrr[rrWS_TICKET_MINTEDr@)r rrrrs r3api_auth_ws_ticketrQs 7=)T 2 2D |NCCCCNMMMMMMM [ F F FF # g    [ 9 99r5)r r r!r")r r r!r )r!r)r7)r r r[r"rGr")r7r7r7r7) r r rxr"ryr"rzr"r{r")rr"r!r")rcr"r!rT)r!r)r r rr)r r )G__doc__ __future__rlogging threadingr collectionsrrtypingrrrr fastapir r r fastapi.responsesr rrpydanticrhermes_cli.dashboard_authrrhermes_cli.dashboard_auth.auditrrhermes_cli.dashboard_auth.baserrr!hermes_cli.dashboard_auth.cookiesrrrrrrr$hermes_cli.dashboard_auth.login_pager getLoggerrrrouterr4r@rBr:rDrYrZr)rIrrrrLockrrrrpostrrrrrr5r3rsq#""""" ********************5555555555JJJJJJJJJJBAAAAAAA CBBBBBw"" 1F1F1F1Fh9999 ( ( ( ("H<((   )( & !(899:96M --1111.-1h ?33 yyyy43yx`(3 E(:(: ::::"IN$$,  #*?@@WWWA@Wt^-0010FN++   ,+ ( ")9:::::;::::r5