Fj!UdZddlmZddlZddlmZmZddlmZddl m Z m Z m Z ddl mZddlmZmZdd lmZdd lmZdd lmZejeZd Zd ed<ddZddZd dZddZ d!dZ!dS)"aAuth-gate middleware for the dashboard. Engaged when ``app.state.auth_required is True``. The gate's job: 1. Allow a small set of routes through unauthenticated (login page, ``/auth/*`` OAuth round trip, ``/api/auth/providers``, static assets). 2. For everything else, demand a valid session cookie and attach the verified :class:`Session` to ``request.state.session``. 3. On HTML routes, redirect missing/invalid cookies to ``/login``. On ``/api/*`` routes, return 401 JSON. The middleware is a no-op when ``auth_required`` is False (loopback mode); the legacy ``_SESSION_TOKEN`` ``auth_middleware`` handles those binds. ) annotationsN) AwaitableCallable)Request) JSONResponseRedirectResponseResponse)list_providers) AuditEvent audit_log) ProviderError)read_session_cookies)PUBLIC_API_PATHS) z /auth/loginz/auth/callbackz /auth/logout/loginz/api/auth/providersz/assets/z /favicon.icoz /ds-assets/z/fonts/z/fonts-terminal/ztuple[str, ...]_GATE_PUBLIC_PREFIXESpathstrreturnboolcZtvrdStfdtDS)uTrue if ``path`` bypasses the OAuth auth gate. Two sources of public-ness: * :data:`PUBLIC_API_PATHS` — the shared ``/api/*`` allowlist that the legacy ``_SESSION_TOKEN`` middleware also honours. Matched exactly (no prefix expansion) so adding ``/api/status`` doesn't accidentally expose ``/api/status/secret-extension``. * :data:`_GATE_PUBLIC_PREFIXES` — auth-bootstrap routes and static mounts. Prefix-matched so ``/assets/foo.css`` lights up via ``/assets/``. Tc3NK|]}|kp|V dSN startswith).0prefixrs C/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/middleware.py z"_path_is_public..CsL  1$//&11)ranyr)rs`r_path_is_publicr!4sN t +  rrequestrc|jdd}|r-|ddS|jr |jjndS)Nzx-forwarded-for,r)headersgetsplitstripclienthost)r"fwds r _client_ipr-IsZ /  / 4 4C )yy~~a &&((("). 87>  b8rreasonr cddlm}|jj}t |}||}|r|d|n|d}|dr |dkrdnd}t |d ||d d St|d S)uAPI routes → 401 JSON with ``login_url``; HTML routes → 302 → /login. The JSON envelope carries a ``login_url`` field with a ``next=`` query string so the SPA's global 401 handler can drop the user back where they were after re-auth. The contract is intentionally simple so any fetch-wrapper can implement the redirect without parsing details: if response.status === 401 && body.error in ("unauthenticated", "session_expired"): window.location.assign(body.login_url); HTML redirects also carry the ``next=`` query string so direct navigation to ``/sessions`` (etc.) without a cookie comes back to ``/sessions`` after login. Under a reverse proxy with ``X-Forwarded-Prefix: /hermes``, the ``login_url`` is prefixed (``/hermes/login?next=...``) so the browser's window.location.assign / Location: follow lands on the proxied login page rather than the bare ``/login`` (which the proxy doesn't route to the dashboard). rprefix_from_requestz /login?next=rz/api/invalid_or_expired_sessionsession_expiredunauthenticated Unauthorized)errordetailr. login_urli status_codei.)urlr:) hermes_cli.dashboard_auth.prefixr1r;r_safe_next_targetrrr)r"r.r1r next_paramrr8 error_codes r_unauth_responser@Ps,EDDDDD ; D"7++J  ) )F/9 6++z+++     w 555  "  #( &          s ; ; ;;rc|jjr*drdrdStfddDrdS|jj}|rd|n}ddlm}||d S) uOBuild the URL-encoded ``next`` query value, or empty string. Only same-origin relative paths are accepted; absolute URLs or ``//evil.com`` open-redirect attempts are silently dropped. The empty string return means the caller produces a bare ``/login`` URL — fine, user lands at the dashboard root after re-auth. /z//r$c3NK|]}|kp|V dSrr)rprs rrz$_safe_next_target..sL     'T__Q''      r)rz/auth/z /api/auth/?r)quote)safe)r;rrr query urllib.parserF)r"rHtargetrFrs @rr=r=s ; D ts++tt/D/Dr     3   r K E"' 1  u   TF"""""" 5b ! ! !!r call_next(Callable[[Request], Awaitable[Response]]c bKt|jjdds||d{VS|jj}t |r||d{VSt |\}}|st|dSd}tD]} | |}n#t$rx}t d|j |ttj|j dt#| t%d d |j d id cYd}~cSd}~wwxYw|n|^ttjdt#|t|d}ddlm} ddlm} | || ||S||j_||d{VS)zEngaged only when ``app.state.auth_required is True``. No-op pass-through in loopback mode so the legacy auth_middleware can handle those binds via ``_SESSION_TOKEN``. auth_requiredFN no_cookie)r.) access_tokenz9dashboard-auth: provider %r unreachable during verify: %sprovider_unreachable)providerr.ipr7zAuth provider z unreachableir9no_provider_recognises)r.rSr2r)clear_session_cookiesr0)r)getattrappstater;rr!rr@r verify_sessionr _logwarningnamer r SESSION_VERIFY_FAILUREr-r!hermes_cli.dashboard_auth.cookiesrUr<r1session) r"rKrat_rtr_rReresponserUr1s rgated_auth_middlewarerds} 7;$ou = =(Yw''''''''' ; Dt(Yw'''''''''"7++GB = <<<< G"$$ --2->>GG    LLK q    1!-g&&       IHMIIIJ            E   -+'""    $G4PQQQ LKKKKKHHHHHHh/B/B7/K/KLLLL#GM7## # # # # # ##sB** D,4A+D'D,'D,)rrrr)r"rrr)r"rr.rrr )r"rrKrLrr )"__doc__ __future__rloggingtypingrrfastapirfastapi.responsesrrr hermes_cli.dashboard_authr hermes_cli.dashboard_auth.auditr r hermes_cli.dashboard_auth.baser r^r&hermes_cli.dashboard_auth.public_pathsr getLogger__name__rZr__annotations__r!r-r@r=rdrrrss| #"""""&&&&&&&&FFFFFFFFFF444444AAAAAAAA888888BBBBBBCCCCCCw"" *    *99993<3<3<3