$jPUdZddlmZddlZddlZddlZddlmZmZm Z m Z dZ ej Z iZded<daded <d Zd ZGd d eZddZddZddZddZddZddZdS) uWS-upgrade auth credentials for gated mode. Browsers cannot set ``Authorization`` on a WebSocket upgrade. In loopback mode the legacy ``?token=<_SESSION_TOKEN>`` query param works because the token is injected into the SPA bundle. In gated mode there is no injected token — so this module provides two credential shapes: 1. **Single-use browser tickets** (``mint_ticket`` / ``consume_ticket``). The SPA gets a fresh ticket via the authenticated REST endpoint ``POST /api/auth/ws-ticket`` and passes it as ``?ticket=`` on the WS upgrade. Single-use, TTL = 30 seconds — a leaked ticket is uninteresting. 2. **A process-lifetime internal credential** (``internal_ws_credential`` / ``consume_internal_credential``). This authenticates *server-spawned* WS clients — specifically the embedded-TUI PTY child, which attaches to ``/api/ws`` (JSON-RPC gateway) and ``/api/pub`` (event sidecar) over loopback. A single-use 30s ticket is the wrong shape for that link: the child reads its attach URL once at startup and **reuses it on every reconnect**, and on a slow cold boot the child may not dial within 30s. The internal credential is minted once per process, never expires, is multi-use, and — critically — is **never injected into any HTML/SPA**: it only ever leaves the process via the spawned child's environment, so browser-side XSS cannot read it. A leaked internal credential grants no more than a single-use ticket already does (the same two internal WS endpoints), and the same Origin / host guards still apply downstream. In-memory; the dashboard is a single process so no distributed coordination is needed. The module exposes a small functional API rather than a class so tests can patch ``time.time`` cleanly. ) annotationsN)AnyDictOptionalTuplez%Dict[str, Tuple[int, Dict[str, Any]]]_ticketsz Optional[str]_internal_credentialzserver-internalceZdZdZdS) TicketInvalidz-Ticket missing, expired, or already consumed.N)__name__ __module__ __qualname____doc__C/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/ws_tickets.pyr r :s7777rr user_idstrproviderreturnc4tjd}||ttjd}t5ttjt z|ft |<tdddn #1swxYwY|S)aGenerate a one-shot ticket bound to this user identity. The returned token is base64url, 43 bytes of entropy (32-byte random seed). Stash returns the ``info`` dict to the caller on consume so the WS handler can carry the identity forward into its session log. )rr minted_atN)secrets token_urlsafeinttime_lock TTL_SECONDSr _gc_expired_locked)rrticketinfos r mint_ticketr$>s "2 & &F%%  D  ,,{:DA MsAB  BBr"Dict[str, Any]c<ttj}t5t|d}|#|r |dddznd}t d||\}}||krt d|cdddS#1swxYwYdS)uValidate and consume. Raises :class:`TicketInvalid` on missing/expired/used. Single-use semantics: a successful consume immediately removes the ticket from the store, so a second call with the same value raises ``TicketInvalid("unknown ticket: …")``. Nu…zzunknown ticket: expired)rrrr popr )r"nowentry truncated expires_atr#s rconsume_ticketr.Qs dikk  C    VT** =17Ee++II >9 > >?? ?  D    ** *                  sABBBNonecttjfdtD}|D]}t|ddS)z1Drop expired tickets. Caller must hold ``_lock``.c,g|]\}\}}|k|Srr).0texp_r*s r z&_gc_expired_locked..is&BBB[Qac q rN)rrr itemsr))r(r3r*s @rr!r!fsi dikk  CBBBBHNN$4$4BBBG  Qrct5ttjdatcdddS#1swxYwYdS)uUReturn the process-lifetime internal WS credential, minting it once. Used by the server to authenticate WS clients it spawns itself (the embedded-TUI PTY child). The value is stable for the life of the process, multi-use, and never expires — so a server-spawned child can reconnect its ``/api/ws`` / ``/api/pub`` sockets indefinitely without re-minting. The credential is never injected into the SPA HTML or returned over any REST endpoint; it is only ever passed to a child process via its environment. See the module docstring for the threat-model rationale. Nr)rr rrrrrinternal_ws_credentialr9ns $$  '#*#8#<#< #$$$$$$$$$$$$$$$$$$s "7;;valuec"t5t}dddn #1swxYwY|r|tdtj||stdt tdS)uValidate an internal credential. Raises :class:`TicketInvalid` on mismatch. Unlike :func:`consume_ticket` this is **not** single-use — the value is not removed on success, so a server-spawned child can present it on every (re)connect. Returns the fixed server-internal identity ``info`` dict (``{user_id, provider}``), mirroring the ``info`` shape ``consume_ticket`` returns, so a caller that wants to record the connecting identity can; the current ``_ws_auth_ok`` caller validates for the boolean outcome only and discards the dict. A constant-time compare against the (lazily-minted) credential avoids leaking length / prefix information on mismatch. If no internal credential has been minted yet, any value is rejected. Nzno internal credentialzinternal credential mismatch)rr)rr r rcompare_digestencodeINTERNAL_USER_IDINTERNAL_PROVIDER)r:expecteds rconsume_internal_credentialrAs (('((((((((((((((( 6H$4555  !%,,..(//2C2C D D<:;;;#%  s   c|t5tdaddddS#1swxYwYdS)z8Test-only: drop all tickets and the internal credential.N)rr clearr rrr_reset_for_testsrDs $$#$$$$$$$$$$$$$$$$$$s 155)rrrrrr)r"rrr%)rr/)rr)r:rrr%)r __future__rr threadingrtypingrrrrr Lockrr __annotations__r r>r? Exceptionr r$r.r!r9rArDrrrrKs_>#""""" ------------   244444 '+****%%88888I888&*$$$$&6$$$$$$r