hzhang
94155614f5
- Generic OIDC (Authlib discovery) Authorization Code flow; backend
issues the existing HS256 JWT on success. Unbound identities are
rejected (no auto-provisioning).
- User.oidc_issuer/oidc_subject (unique together) + startup migration.
- PUT/DELETE /users/{id}/oidc-binding (admin or account-manager;
JWT or API key; 409 on conflict). Self-link /auth/oidc/link
(non-OIDC_ONLY only). Public GET /auth/config.
- HARBORFORGE_OIDC_ONLY: /auth/token rejected, create/update ignore
password (passwordless users; API keys + OIDC still work).
- Dockerfile ARG/ENV HARBORFORGE_OIDC_ONLY; authlib+itsdangerous deps;
SessionMiddleware for OIDC state. Fixed _user_response to expose
the new binding fields.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
90 lines
3.1 KiB
Python
90 lines
3.1 KiB
Python
import os
|
|
import json
|
|
from sqlalchemy import create_engine
|
|
from sqlalchemy.ext.declarative import declarative_base
|
|
from sqlalchemy.orm import sessionmaker
|
|
from pydantic_settings import BaseSettings
|
|
from typing import Optional
|
|
|
|
|
|
def _resolve_db_url(env_url: str) -> str:
|
|
"""Read DB config from wizard config volume if available, else use env."""
|
|
config_dir = os.getenv("CONFIG_DIR", "/config")
|
|
config_file = os.getenv("CONFIG_FILE", "harborforge.json")
|
|
config_path = os.path.join(config_dir, config_file)
|
|
|
|
if os.path.exists(config_path):
|
|
try:
|
|
with open(config_path, "r") as f:
|
|
cfg = json.load(f)
|
|
db_cfg = cfg.get("database")
|
|
if db_cfg:
|
|
host = db_cfg.get("host", "mysql")
|
|
port = db_cfg.get("port", 3306)
|
|
user = db_cfg.get("user", "harborforge")
|
|
password = db_cfg.get("password", "harborforge_pass")
|
|
database = db_cfg.get("database", "harborforge")
|
|
return f"mysql+pymysql://{user}:{password}@{host}:{port}/{database}"
|
|
except Exception:
|
|
pass
|
|
|
|
return env_url
|
|
|
|
|
|
class Settings(BaseSettings):
|
|
DATABASE_URL: str = "mysql+pymysql://harborforge:harborforge_pass@mysql:3306/harborforge"
|
|
SECRET_KEY: str = "change-me-in-production"
|
|
LOG_LEVEL: str = "INFO"
|
|
ALGORITHM: str = "HS256"
|
|
ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
|
|
|
|
# --- OIDC (generic, OpenID Connect discovery) ---
|
|
OIDC_ENABLED: bool = False
|
|
OIDC_ISSUER: str = "" # e.g. https://idp.example.com (we use {issuer}/.well-known/openid-configuration)
|
|
OIDC_CLIENT_ID: str = ""
|
|
OIDC_CLIENT_SECRET: str = ""
|
|
OIDC_REDIRECT_URI: str = "" # backend callback, e.g. https://hf-api.example.com/auth/oidc/callback
|
|
OIDC_SCOPES: str = "openid email profile"
|
|
OIDC_POST_LOGIN_REDIRECT: str = "" # frontend URL to return to (token in fragment). Falls back to "/"
|
|
|
|
# When true: no password login at all. Password login endpoint rejects,
|
|
# user creation ignores any password (passwordless user that can only use
|
|
# API keys / OIDC), and the frontend hides all password UI.
|
|
HARBORFORGE_OIDC_ONLY: bool = False
|
|
|
|
class Config:
|
|
env_file = ".env"
|
|
|
|
|
|
settings = Settings()
|
|
|
|
# Fail fast on a weak/default JWT signing key (prevents token forgery).
|
|
_WEAK_SECRETS = {
|
|
"change-me-in-production",
|
|
"change_me_in_production",
|
|
"change-me-use-openssl-rand-hex-32",
|
|
"secret",
|
|
"changeme",
|
|
"",
|
|
}
|
|
if settings.SECRET_KEY in _WEAK_SECRETS or len(settings.SECRET_KEY) < 32:
|
|
raise RuntimeError(
|
|
"Insecure SECRET_KEY: set a strong random value "
|
|
"(e.g. `openssl rand -hex 32`) via the SECRET_KEY env var. "
|
|
"Refusing to start with a default/short key."
|
|
)
|
|
|
|
# Resolve DB URL: wizard config volume > env > default
|
|
_db_url = _resolve_db_url(settings.DATABASE_URL)
|
|
engine = create_engine(_db_url, pool_pre_ping=True)
|
|
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
|
|
Base = declarative_base()
|
|
|
|
|
|
def get_db():
|
|
db = SessionLocal()
|
|
try:
|
|
yield db
|
|
finally:
|
|
db.close()
|