add: backend api auth by apikey/apikey gen/apikey revoke

2025-05-06 18:54:10 +01:00
parent 85d8124a0c
commit 1a160c9415
3 changed files with 109 additions and 7 deletions
--- a/api/init.py
+++ b/api/init.py
@@ -1,22 +1,25 @@
-import base64
-import os
-import pkgutil
 from functools import wraps
-
+from datetime import datetime, UTC
 from cryptography import x509
 from cryptography.hazmat.primitives import serialization
 from flask import jsonify, Blueprint, request, make_response
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
 from jwt import decode, ExpiredSignatureError, InvalidTokenError, get_unverified_header
-import importlib
-import requests
 from threading import Lock
+from db.models.APIKey import APIKey
+from db import get_db

+import base64
+import os
+import pkgutil
+import secrets
+import string
 import env_provider
 import hashlib
 import json
-
+import importlib
+import requests

 _public_key_cache = {}
 _lock = Lock()
@@ -96,18 +99,42 @@ def require_auth(roles=[]):
        def wrapper(*args, **kwargs):
            if request.method == "OPTIONS":
                return '', 200
+
            auth_header = request.headers.get('Authorization')
+            api_key_header = request.headers.get('X-API-Key')
+
+            if auth_header and api_key_header:
+                return jsonify({"error": "Cannot use both Bearer token and API Key authentication"}), 403
+            
+            if api_key_header:
+                api_key = get_api_key(api_key_header)
+                if not api_key:
+                    return jsonify({"error": "Invalid API key"}), 401
+
+                expire_time = api_key.expire.replace(tzinfo=UTC) if api_key.expire.tzinfo is None else api_key.expire
+                if datetime.now(UTC) > expire_time:
+                    return jsonify({"error": "API key has expired"}), 401
+
+                if roles and not (set(roles) & set(api_key.roles)):
+                    return jsonify({"error": "Forbidden, permission denied"}), 403
+
+                update_last_used(api_key)
+                return func(*args, **kwargs)
+
            if not auth_header or not auth_header.startswith('Bearer'):
                return jsonify({"error": "Unauthorized"}), 401
+
            token = auth_header.split(" ")[1]

            decoded = verify_token(token)
            if not decoded:
                return jsonify({"error": "Invalid or expired token"}), 401
+
            user_roles = decoded.get("resource_access", {}).get(env_provider.KC_CLIENT_ID, {}).get("roles", [])
            if roles and not (set(roles) & set(user_roles)):
                print("auth failed")
                return jsonify({"error": "Forbidden, permission denied"}), 403
+
            print("auth success")
            return func(*args, **kwargs)
        return wrapper
@@ -169,3 +196,17 @@ def etag_response(f):
                return resp
        return response
    return decorator
+
+
+def generate_api_key(length=32):
+    alphabet = string.ascii_letters + string.digits
+    return ''.join(secrets.choice(alphabet) for _ in range(length))
+
+def get_api_key(key):
+    with get_db() as session:
+        return session.query(APIKey).filter_by(key=key, is_active=True).first()
+
+def update_last_used(api_key):
+    with get_db() as session:
+        api_key.last_used_at = datetime.now(UTC)
+        session.commit()