giorgio/read.markets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
read.markets/app/auth.py
Giorgio Gilestro 6e7f57c6b2 phase G: data minimisation + passwordless auth + DeepSeek-first LLM 
Server no longer holds portfolios. Holdings live in the browser
(localStorage); the server publishes an anonymous ticker_universe and a
gzipped /api/universe payload identical for every authenticated user, so
access patterns can't betray which tickers a user holds. AI commentary
is generated ephemerally from the browser-supplied pie and the cost
ledger row records no positions. Migrations 0009-0011 added the
universe table and dropped positions / portfolio_snapshots /
portfolios.

Authentication is now e-mail OTP only. Migration 0010 dropped
password_hash and email_verified (every active session is by
construction proof of email control). The /signup endpoint is gone;
signup and login share a single email-entry page. Email rendering is
HTML+plain-text multipart with a shared brand palette (app/branding.py)
asserted in sync with the CSS by a drift-detection test.

LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com)
with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and
indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE)
per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION
bumped to 6 with an educational anti-TA / anti-gambling stance baked
into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX,
yield curve, HY OAS, etc.) with JS-positioned tooltips that survive
viewport edges and sticky bars. Model name and tokens hidden from the
user UI; still recorded in StrategicLog.model and AICall for admin.

Layout adds a sticky top nav, a sticky bottom markets bar (one chip per
exchange with status LED + headline index + 1d change), and
Phase H feedback reporting is queued in tasks/todo.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 14:16:57 +01:00

165 lines
5.8 KiB
Python
Raw Blame History

"""Request-level authentication.
Two paths accepted:
1. **Session cookie** (`cassandra_session`) — set by /login. Signed with
`CASSANDRA_SESSION_SECRET` via itsdangerous; carries just the user id.
On each request we deserialise, then load the User from the DB so the
tier value is always fresh.
2. **Bearer token** (`Authorization: Bearer …`) — the legacy single-user
path kept as an admin/dev escape hatch and for programmatic API access
(CLI, curl, scripts). Matches `CASSANDRA_TOKEN` if set.
If neither matches:
- HTML requests get 303 → /login
- API / curl-style requests get 401
For backwards-compat, `require_token` is an alias for `require_auth` so
existing routers that do `dependencies=[Depends(require_token)]` keep
working without edit.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from fastapi import Header, HTTPException, Request, status
from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer
from app.config import get_settings
from app.db import get_session_factory
from app.models import User
from app.services.auth_service import get_user
SESSION_COOKIE_NAME = "cassandra_session"
SESSION_TTL_SECONDS = 14 * 24 * 60 * 60 # 14 days
# Short-lived cookie set during signup / unverified-login. Carries the email
# under verification so the /verify page knows who's verifying without making
# the user retype the address. NOT an auth cookie — never grants access to
# anything beyond /verify and /verify/resend.
PENDING_COOKIE_NAME = "cassandra_pending"
PENDING_TTL_SECONDS = 60 * 60 # 1 hour
@dataclass
class CurrentUser:
"""The authenticated principal for the current request.
`user` is None when the bearer token was used (admin/dev path with no
matching DB row). Routes that need per-user scoping should check
`is_admin` and either use a sentinel admin scope or 403."""
is_admin: bool
user: User | None
@property
def id(self) -> int | None:
return self.user.id if self.user else None
@property
def email(self) -> str | None:
return self.user.email if self.user else None
def _serializer() -> URLSafeTimedSerializer:
s = get_settings()
secret = s.CASSANDRA_SESSION_SECRET or s.CASSANDRA_TOKEN or "dev-insecure-secret"
return URLSafeTimedSerializer(secret, salt="cassandra-session-v1")
def sign_session(user_id: int) -> str:
return _serializer().dumps({"uid": int(user_id)})
def verify_session(cookie: str) -> int | None:
try:
data = _serializer().loads(cookie, max_age=SESSION_TTL_SECONDS)
return int(data["uid"])
except (BadSignature, SignatureExpired, KeyError, TypeError, ValueError):
return None
def _pending_serializer() -> URLSafeTimedSerializer:
s = get_settings()
secret = s.CASSANDRA_SESSION_SECRET or s.CASSANDRA_TOKEN or "dev-insecure-secret"
return URLSafeTimedSerializer(secret, salt="cassandra-pending-v1")
def sign_pending(email: str, user_id: int) -> str:
return _pending_serializer().dumps({"email": email, "uid": int(user_id)})
def verify_pending(cookie: str) -> dict | None:
"""Returns {"email": str, "uid": int} or None if signature/expiry bad."""
try:
data = _pending_serializer().loads(cookie, max_age=PENDING_TTL_SECONDS)
return {"email": str(data["email"]), "uid": int(data["uid"])}
except (BadSignature, SignatureExpired, KeyError, TypeError, ValueError):
return None
def _wants_html(request: Request) -> bool:
accept = request.headers.get("accept", "").lower()
# Treat a missing Accept header as HTML for browser navigations.
if not accept:
return True
return "text/html" in accept and "application/json" not in accept
async def require_auth(
request: Request,
authorization: str | None = Header(default=None),
) -> CurrentUser:
"""Resolve the current authenticated principal. Raises HTTPException
on failure (303 redirect to /login for HTML, 401 for API)."""
s = get_settings()
# --- 1) Bearer token (admin / dev / scripts) ---
if s.CASSANDRA_TOKEN and authorization and authorization.lower().startswith("bearer "):
provided = authorization.split(" ", 1)[1].strip()
if secrets.compare_digest(provided.encode(), s.CASSANDRA_TOKEN.encode()):
principal = CurrentUser(is_admin=True, user=None)
request.state.current_user = principal
return principal
# --- 2) Session cookie (browser) ---
cookie = request.cookies.get(SESSION_COOKIE_NAME)
if cookie:
uid = verify_session(cookie)
if uid is not None:
async with get_session_factory()() as db_session:
user = await get_user(db_session, uid)
if user is not None:
principal = CurrentUser(is_admin=False, user=user)
request.state.current_user = principal
return principal
# --- 3) Unauthenticated ---
if _wants_html(request):
# Preserve the originally-requested path so /login can redirect back.
path = request.url.path
if request.url.query:
path += "?" + request.url.query
return _raise_redirect_to_login(next_path=path)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentication required",
headers={"WWW-Authenticate": "Bearer"},
)
def _raise_redirect_to_login(next_path: str = "/") -> None:
# Some pages (login itself) are paths a redirect loop would be silly
# to send back to. The auth router opts out of this dependency
# entirely, so we don't need to filter here.
raise HTTPException(
status_code=status.HTTP_303_SEE_OTHER,
detail="Login required",
headers={"Location": f"/login?next={next_path}"},
)
# Backwards compatibility: every existing router uses Depends(require_token).
require_token = require_auth
Reference in a new issue View git blame Copy permalink