j0@dZddlmZddlZddlZddlmZddlmZm Z m Z ddl m Z m Z mZddlmZmZddlmZmZdd lmZmZdd lmZmZmZmZmZmZmZdd l m!Z!ej"e#Z$eZ%d4dZ&d4dZ'd4dZ(e%)ddd5dZ*e%)ddd6dZ+e%)ddd7d8d!Z,e%)d"d# d9d:d(Z-d;d*Z.e%/d+d,d  b8r.c$ddlm}||S)aAResolve the X-Forwarded-Prefix header for the active request. Local indirection so the routes pass a consistent value to the cookie helpers (cookie name + Path attribute) and the gate's redirect builders (login_url construction). See ``hermes_cli.dashboard_auth.prefix`` for the normalisation rules. r)r)r%r)rrs r,_prefixr;ms(EDDDDD  w ' ''r./login login_page)namercKt|jdd}tt |ddiS)Nnextr0) next_pathz Cache-Controlz#no-store, no-cache, must-revalidate)r2)_validate_post_login_target query_paramsr3rr)rrAs r,r=r=~s] ,  ,,I I... "GH   r.z/api/auth/providersauth_providersrchKt}|stddidSdd|DiS)Ndetailzno auth providers registered) status_code providersc,g|]}|j|jdS)r> display_namerK).0ps r, z&api_auth_providers..s4   VQ^ < <   r.)r r )rIs r,api_auth_providersrPsg  I   5 6          r.z /auth/login auth_loginr0providerr@c Kt|}|tdd| |t|}nP#t$rC}t t j|dt|tdd|d}~wwxYwt t j |t| t|j d }|j d d }d|vr|rd|d|nd|}t|}|rddlm} |d| |d }t#||t%|t'||S)NizUnknown provider: rHrF) redirect_uriprovider_unreachablerRreasoniprGProvider unreachable: )rRrY.urlrHhermes_session_pkcer0z provider=;r)quotez;next=)safe)payload use_httpsr*)r r start_loginr-rrr LOGIN_FAILUREr9 LOGIN_STARTr redirect_urlcookie_payloadr3rBr$r`rrr;) rrRr@rNlseresppkce safe_nextr`s r,rQrQsXAy444     ]] g(>(>] ? ?       $)'""     /A//       g   S A A AD   !6 ; ;D$04P,8,,d,,,:Ph:P:P,D11I:&&&&&&99eeIB77799 dl7&;&;w Ks#A B>BBr!r"codestateerrorerror_descriptionc \Kt|}|s:ttjdt |t ddt d|dD}|dd }|d d }|d d } |d d } t|} | t dd ||rCttj|d|t |t dd|d|d|r||kr;ttj|dt |t dd | ||| t|} n#t$rC} ttj|dt |t dd| d} ~ wt$rC} ttj|dt |t dd| d} ~ wwxYwttj|| j| j| jt |t%d| jt)t+jz }t-| pd}t/|d }t1|| j| j|t7|t9|!t;|t9|"|S)#Nmissing_pkce_cookie)rXrYizMissing PKCE state cookierTc3JK|]}d|v|ddVdS)=N)r4)rMsegs r, z auth_callback..s=!C3JJ #qJJJJr.r_rRr0roverifierr@zUnknown provider in cookie: idp_error)rRrXrprYzOAuth error from provider: z ()state_mismatchrWz(OAuth state mismatch (CSRF check failed))rnro code_verifierrU invalid_codezInvalid code: rVrGrZ)rRuser_idemailorg_idrY</r[r\) access_token refresh_tokenaccess_token_expires_inrcr*r*)rrr rer9rdictr4r3r complete_loginr-rr LOGIN_SUCCESSrrrmax expires_atinttimerBr rrrrr;r)rrnrorprqpkce_rawparts provider_nameexpected_staterynext_from_cookierNsessionrj expires_inlandingrks r,r"r"s ((H     $('""    .     %-^^C%8%8  EIIj"--MYYw++NyyR((H yy,,]##AyC-CC        $"'""     NNN:KNNN      E^++  $"#'""     =     """&w// #   JJJ  $"!'""     4HQ4H4HIIII       $")'""     /A//       m~ g   R+c$)++.>.>>??J**:;;BsG S 9 9 9D )+ *w''w d77#3#34444 Ks$&F'' H?1>G// H?<>H::H?rawc|sdSddlm}||drdrdStfddDrdSS)uReturn ``raw`` if it's a safe same-origin path, else empty string. The ``next`` query param survives a full OAuth round trip — the gate encodes it into the /login redirect, the login page emits it back into /auth/login, and the IDP preserves it across /authorize/callback. We have to re-validate here because the value came back in via the URL (an attacker could craft a /auth/callback URL with their own ``next=https://evil.example``). r0r)unquoterz//c3NK|]}|kp|V dS)N) startswith)rMrNdecodeds r,rxz._validate_post_login_target..ksN    1 -**1--      r.)r<z/auth/z /api/auth/)r$rrany)rrrs @r,rBrBZs r$$$$$$gcllG   c " "g&8&8&>&>r     3   r Nr.z /auth/logout auth_logoutc Kt|\}}|r`tD]Q} ||#t$r+}td|j|Yd}~Jd}~wwxYwt|jdd}ttj |r|j nd|r|j ndt|t|}t!|dd }t#|| t%|| |S) N)rz'dashboard-auth: revoke on %r failed: %srunknownr0rRrrYr<r[r\r)rr revoke_session Exception_logwarningr>getattrrorr LOGOUTrRrr9r;r rr)r_atrtrRrjsessr*rks r,rrss["7++GC '((  H ''b'9999    =M1  7=)T 2 2D #'6$--Y!%-2 g   W  F 6 1 1 1s C C CD$v....d6**** Ks? A4 !A//A4z /api/auth/meauth_mecKt|jdd}|tdd|j|j|j|j|j|jdS)zCReturn the verified session as JSON. Auth-required (gate enforces).rN UnauthorizedrT)rrrLrrRr) rrorrrrLrrRr)rrs r, api_auth_mersa 7=)T 2 2D |NCCCC<)+Mo   r.z/api/auth/ws-ticketauth_ws_ticketcKt|jdd}|tddddlm}m}||j|j}ttj |j|jt| ||d S) aMint a short-lived single-use ticket for the authenticated session. Browsers cannot set ``Authorization`` on a WebSocket upgrade, so in gated mode the SPA POSTs this endpoint to get a ``?ticket=`` value to append to ``/api/pty``, ``/api/ws``, ``/api/pub``, or ``/api/events``. The ticket has a 30-second TTL and is single-use. Calling this endpoint multiple times in quick succession (e.g. one ticket per WS) is the expected pattern. rNrrrTr) TTL_SECONDS mint_ticket)rrRr)ticket ttl_seconds) rror$hermes_cli.dashboard_auth.ws_ticketsrrrrRrr WS_TICKET_MINTEDr9)rrrrrs r,api_auth_ws_ticketrs 7=)T 2 2D |NCCCCNMMMMMMM [ F F FF # g    [ 9 99r.)rrrr)rrrr)rr)r0)rrrRrr@r)r0r0r0r0) rrrnrrorrprrqr)rrrr)rr)3__doc__ __future__rloggingrtypingrfastapirrrfastapi.responsesrr r hermes_cli.dashboard_authr r hermes_cli.dashboard_auth.auditr rhermes_cli.dashboard_auth.baserr!hermes_cli.dashboard_auth.cookiesrrrrrrr$hermes_cli.dashboard_auth.login_pager getLogger__name__rrouterr-r9r;r3r=rPrQr"rBpostrrrr.r,rsU#""""" 5555555555JJJJJJJJJJBAAAAAAACBBBBBw"" 1F1F1F1Fh9999 ( ( ( ("H<((   )( & !(899   :9 *M --1111.-1h ?33 yyyy43yx2^-0010FN++   ,+ ( ")9:::::;::::r.