| | """ |
| | Authentication and Authorization System |
| | Implements JWT-based authentication for production deployments |
| | """ |
| |
|
| | import os |
| | import secrets |
| | from datetime import datetime, timedelta |
| | from typing import Optional, Dict, Any |
| | import hashlib |
| | import logging |
| | from functools import wraps |
| |
|
| | try: |
| | import jwt |
| | JWT_AVAILABLE = True |
| | except ImportError: |
| | JWT_AVAILABLE = False |
| | logging.warning("PyJWT not installed. Authentication disabled. Install with: pip install PyJWT") |
| |
|
| | logger = logging.getLogger(__name__) |
| |
|
| | |
| | SECRET_KEY = os.getenv('SECRET_KEY', secrets.token_urlsafe(32)) |
| | ALGORITHM = "HS256" |
| | ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv('ACCESS_TOKEN_EXPIRE_MINUTES', '60')) |
| | ENABLE_AUTH = os.getenv('ENABLE_AUTH', 'false').lower() == 'true' |
| |
|
| |
|
| | class AuthManager: |
| | """ |
| | Authentication manager for API endpoints and dashboard access |
| | Supports JWT tokens and basic API key authentication |
| | """ |
| |
|
| | def __init__(self): |
| | self.users_db: Dict[str, str] = {} |
| | self.api_keys_db: Dict[str, Dict[str, Any]] = {} |
| | self._load_credentials() |
| |
|
| | def _load_credentials(self): |
| | """Load credentials from environment variables""" |
| | |
| | admin_user = os.getenv('ADMIN_USERNAME', 'admin') |
| | admin_pass = os.getenv('ADMIN_PASSWORD') |
| |
|
| | if admin_pass: |
| | self.users_db[admin_user] = self._hash_password(admin_pass) |
| | logger.info(f"Loaded admin user: {admin_user}") |
| |
|
| | |
| | api_keys_str = os.getenv('API_KEYS', '') |
| | if api_keys_str: |
| | for key in api_keys_str.split(','): |
| | key = key.strip() |
| | if key: |
| | self.api_keys_db[key] = { |
| | 'created_at': datetime.utcnow(), |
| | 'name': 'env_key', |
| | 'active': True |
| | } |
| | logger.info(f"Loaded {len(self.api_keys_db)} API keys") |
| |
|
| | @staticmethod |
| | def _hash_password(password: str) -> str: |
| | """Hash password using SHA-256""" |
| | return hashlib.sha256(password.encode()).hexdigest() |
| |
|
| | def verify_password(self, username: str, password: str) -> bool: |
| | """ |
| | Verify username and password |
| | |
| | Args: |
| | username: Username |
| | password: Plain text password |
| | |
| | Returns: |
| | True if valid, False otherwise |
| | """ |
| | if username not in self.users_db: |
| | return False |
| |
|
| | hashed = self._hash_password(password) |
| | return secrets.compare_digest(self.users_db[username], hashed) |
| |
|
| | def create_access_token( |
| | self, |
| | username: str, |
| | expires_delta: Optional[timedelta] = None |
| | ) -> str: |
| | """ |
| | Create JWT access token |
| | |
| | Args: |
| | username: Username |
| | expires_delta: Token expiration time |
| | |
| | Returns: |
| | JWT token string |
| | """ |
| | if not JWT_AVAILABLE: |
| | raise RuntimeError("PyJWT not installed") |
| |
|
| | if expires_delta is None: |
| | expires_delta = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES) |
| |
|
| | expire = datetime.utcnow() + expires_delta |
| | payload = { |
| | 'sub': username, |
| | 'exp': expire, |
| | 'iat': datetime.utcnow() |
| | } |
| |
|
| | token = jwt.encode(payload, SECRET_KEY, algorithm=ALGORITHM) |
| | return token |
| |
|
| | def verify_token(self, token: str) -> Optional[str]: |
| | """ |
| | Verify JWT token and extract username |
| | |
| | Args: |
| | token: JWT token string |
| | |
| | Returns: |
| | Username if valid, None otherwise |
| | """ |
| | if not JWT_AVAILABLE: |
| | return None |
| |
|
| | try: |
| | payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM]) |
| | username: str = payload.get('sub') |
| | return username |
| | except jwt.ExpiredSignatureError: |
| | logger.warning("Token expired") |
| | return None |
| | except jwt.JWTError as e: |
| | logger.warning(f"Invalid token: {e}") |
| | return None |
| |
|
| | def verify_api_key(self, api_key: str) -> bool: |
| | """ |
| | Verify API key |
| | |
| | Args: |
| | api_key: API key string |
| | |
| | Returns: |
| | True if valid and active, False otherwise |
| | """ |
| | if api_key not in self.api_keys_db: |
| | return False |
| |
|
| | key_data = self.api_keys_db[api_key] |
| | return key_data.get('active', False) |
| |
|
| | def create_api_key(self, name: str) -> str: |
| | """ |
| | Create new API key |
| | |
| | Args: |
| | name: Descriptive name for the key |
| | |
| | Returns: |
| | Generated API key |
| | """ |
| | api_key = secrets.token_urlsafe(32) |
| | self.api_keys_db[api_key] = { |
| | 'created_at': datetime.utcnow(), |
| | 'name': name, |
| | 'active': True, |
| | 'usage_count': 0 |
| | } |
| | logger.info(f"Created API key: {name}") |
| | return api_key |
| |
|
| | def revoke_api_key(self, api_key: str) -> bool: |
| | """ |
| | Revoke API key |
| | |
| | Args: |
| | api_key: API key to revoke |
| | |
| | Returns: |
| | True if revoked, False if not found |
| | """ |
| | if api_key in self.api_keys_db: |
| | self.api_keys_db[api_key]['active'] = False |
| | logger.info(f"Revoked API key: {self.api_keys_db[api_key]['name']}") |
| | return True |
| | return False |
| |
|
| | def track_usage(self, api_key: str): |
| | """Track API key usage""" |
| | if api_key in self.api_keys_db: |
| | self.api_keys_db[api_key]['usage_count'] = \ |
| | self.api_keys_db[api_key].get('usage_count', 0) + 1 |
| |
|
| |
|
| | |
| | auth_manager = AuthManager() |
| |
|
| |
|
| | |
| |
|
| |
|
| | def require_auth(func): |
| | """ |
| | Decorator to require authentication for endpoints |
| | Checks for JWT token in Authorization header or API key in X-API-Key header |
| | """ |
| | @wraps(func) |
| | async def wrapper(*args, **kwargs): |
| | if not ENABLE_AUTH: |
| | |
| | return await func(*args, **kwargs) |
| |
|
| | |
| | |
| | |
| | |
| | |
| | |
| |
|
| | |
| | raise NotImplementedError("Integrate with your web framework") |
| |
|
| | return wrapper |
| |
|
| |
|
| | def require_api_key(func): |
| | """Decorator to require API key authentication""" |
| | @wraps(func) |
| | async def wrapper(*args, **kwargs): |
| | if not ENABLE_AUTH: |
| | return await func(*args, **kwargs) |
| |
|
| | |
| | raise NotImplementedError("Integrate with your web framework") |
| |
|
| | return wrapper |
| |
|
| |
|
| | |
| |
|
| |
|
| | def authenticate_user(username: str, password: str) -> Optional[str]: |
| | """ |
| | Authenticate user and return JWT token |
| | |
| | Args: |
| | username: Username |
| | password: Password |
| | |
| | Returns: |
| | JWT token if successful, None otherwise |
| | """ |
| | if not ENABLE_AUTH: |
| | logger.warning("Authentication disabled") |
| | return None |
| |
|
| | if auth_manager.verify_password(username, password): |
| | return auth_manager.create_access_token(username) |
| |
|
| | return None |
| |
|
| |
|
| | def verify_request_auth( |
| | authorization: Optional[str] = None, |
| | api_key: Optional[str] = None |
| | ) -> bool: |
| | """ |
| | Verify request authentication |
| | |
| | Args: |
| | authorization: Authorization header (Bearer token) |
| | api_key: X-API-Key header |
| | |
| | Returns: |
| | True if authenticated, False otherwise |
| | """ |
| | if not ENABLE_AUTH: |
| | return True |
| |
|
| | |
| | if api_key and auth_manager.verify_api_key(api_key): |
| | auth_manager.track_usage(api_key) |
| | return True |
| |
|
| | |
| | if authorization and authorization.startswith('Bearer '): |
| | token = authorization.split(' ')[1] |
| | username = auth_manager.verify_token(token) |
| | if username: |
| | return True |
| |
|
| | return False |
| |
|
