giorgio/read.markets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
read.markets/app/auth.py
Giorgio Gilestro f1903e1e61 public: landing + pricing + legal pages, apex-ready, lawyer-reviewed 
Adds the unauthenticated surface that's needed to invite outsiders:

  - Landing (/) — dual-purpose root: dashboard for logged-in users,
    landing for everyone else. New maybe_current_user soft-auth helper
    in app/auth.py supports it without disturbing the per-route
    require_token deps on /news, /log, /upload, /settings.
  - About, Pricing, Disclaimer, Terms, Privacy — own router
    (app/routers/public.py), no auth dep, shared public_base layout
    (brand link, thin nav, footer with legal links + ICO ref + date).
  - Editorial positioning: news aggregator with a macro brain; tagline
    "Understand markets. Don't gamble on them."; anti-trading-as-gambling
    stance carried through About and Landing.

Legal pass following an independent lawyer-style review:

  - Privacy: explicit UK-GDPR Art. 6 lawful-basis section; Art. 22
    automated-decision line; explicit consent for sessionStorage sync
    key (PECR); 30-day IP-log retention; Art. 21 objection right;
    Children clause; Art. 33/34 breach-notification clause;
    international-transfer mechanism (IDTA + UK Addendum). ICO
    registration ZC098928 surfaced at the top.
  - Pricing: paid-card AI-portfolio-analysis bullet rewritten to remove
    advice-shaped wording ("what would invalidate the posture" gone);
    added italic carve-out citing FSMA / FCA COBS.
  - Disclaimer: separate EU/EEA carve-out + MAR 596/2014 Art. 3(1)(34)
    commentator safe-harbour; "qualifies the Terms" line; hallucination
    wording fixed.
  - Terms: cl.4 explicit AI-training prohibition + harassment line;
    cl.5 CCR 2013 14-day cancellation; cl.7 softened AI copyright
    claim under CDPA s.9(3) ambiguity; cl.8 proportionate suspension +
    pro-rata refund for paid users; cl.10 CRA 2015 Pt 1 statutory-rights
    carve-out from the liability cap; cl.11 right to close account on
    material change; cl.12 non-exclusive jurisdiction + UK consumer
    local courts.

Code-side enforcement of the Privacy claim:

  - openrouter.py: outbound OpenRouter calls now carry
    X-OR-Allow-Training: false. DeepSeek doesn't expose a per-request
    flag; the Privacy page discloses this caveat verbatim.

Apex domain prep:

  - branding.APP_URL flipped to https://read.markets (was app.). DNS for
    the apex already resolves; pending operator NPM step is a cert that
    covers the bare apex + a 301 from app.read.markets. No hard-coded
    subdomain references remain in code (verified with grep).

Nav + chrome:

  - app dropdown gains Pricing / Terms / Privacy / Disclaimer links.
  - login.html gains a small legal-links footer for the
    highest-leverage moment to surface them.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 00:08:02 +02:00

207 lines
7.6 KiB
Python
Raw Blame History

"""Request-level authentication.
Two paths accepted:
1. **Session cookie** (`cassandra_session`) — set by /login. Signed with
`CASSANDRA_SESSION_SECRET` via itsdangerous; carries just the user id.
On each request we deserialise, then load the User from the DB so the
tier value is always fresh.
2. **Bearer token** (`Authorization: Bearer …`) — the legacy single-user
path kept as an admin/dev escape hatch and for programmatic API access
(CLI, curl, scripts). Matches `CASSANDRA_TOKEN` if set.
If neither matches:
- HTML requests get 303 → /login
- API / curl-style requests get 401
For backwards-compat, `require_token` is an alias for `require_auth` so
existing routers that do `dependencies=[Depends(require_token)]` keep
working without edit.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from fastapi import Header, HTTPException, Request, status
from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer
from app.config import get_settings
from app.db import get_session_factory
from app.models import User
from app.services.auth_service import get_user
SESSION_COOKIE_NAME = "cassandra_session"
SESSION_TTL_SECONDS = 14 * 24 * 60 * 60 # 14 days
# Short-lived cookie set during signup / unverified-login. Carries the email
# under verification so the /verify page knows who's verifying without making
# the user retype the address. NOT an auth cookie — never grants access to
# anything beyond /verify and /verify/resend.
PENDING_COOKIE_NAME = "cassandra_pending"
PENDING_TTL_SECONDS = 60 * 60 # 1 hour
@dataclass
class CurrentUser:
"""The authenticated principal for the current request.
`user` is None when the bearer token was used (admin/dev path with no
matching DB row). Routes that need per-user scoping should check
`is_admin` and either use a sentinel admin scope or 403."""
is_admin: bool
user: User | None
@property
def id(self) -> int | None:
return self.user.id if self.user else None
@property
def email(self) -> str | None:
return self.user.email if self.user else None
def _serializer() -> URLSafeTimedSerializer:
s = get_settings()
secret = s.CASSANDRA_SESSION_SECRET or s.CASSANDRA_TOKEN or "dev-insecure-secret"
return URLSafeTimedSerializer(secret, salt="cassandra-session-v1")
def sign_session(user_id: int) -> str:
return _serializer().dumps({"uid": int(user_id)})
def verify_session(cookie: str) -> int | None:
try:
data = _serializer().loads(cookie, max_age=SESSION_TTL_SECONDS)
return int(data["uid"])
except (BadSignature, SignatureExpired, KeyError, TypeError, ValueError):
return None
def _pending_serializer() -> URLSafeTimedSerializer:
s = get_settings()
secret = s.CASSANDRA_SESSION_SECRET or s.CASSANDRA_TOKEN or "dev-insecure-secret"
return URLSafeTimedSerializer(secret, salt="cassandra-pending-v1")
def sign_pending(email: str, user_id: int, ref: str | None = None) -> str:
"""Signed payload for the pending-verify cookie. Carries the email
+ user_id under verification, and optionally a referral code captured
at signup (so it survives the GET → POST → /verify hop)."""
payload: dict = {"email": email, "uid": int(user_id)}
if ref:
payload["ref"] = ref
return _pending_serializer().dumps(payload)
def verify_pending(cookie: str) -> dict | None:
"""Returns {"email": str, "uid": int, "ref": str|None} or None if
signature/expiry bad."""
try:
data = _pending_serializer().loads(cookie, max_age=PENDING_TTL_SECONDS)
return {
"email": str(data["email"]),
"uid": int(data["uid"]),
"ref": data.get("ref"),
}
except (BadSignature, SignatureExpired, KeyError, TypeError, ValueError):
return None
def _wants_html(request: Request) -> bool:
accept = request.headers.get("accept", "").lower()
# Treat a missing Accept header as HTML for browser navigations.
if not accept:
return True
return "text/html" in accept and "application/json" not in accept
async def require_auth(
request: Request,
authorization: str | None = Header(default=None),
) -> CurrentUser:
"""Resolve the current authenticated principal. Raises HTTPException
on failure (303 redirect to /login for HTML, 401 for API)."""
s = get_settings()
# --- 1) Bearer token (admin / dev / scripts) ---
if s.CASSANDRA_TOKEN and authorization and authorization.lower().startswith("bearer "):
provided = authorization.split(" ", 1)[1].strip()
if secrets.compare_digest(provided.encode(), s.CASSANDRA_TOKEN.encode()):
principal = CurrentUser(is_admin=True, user=None)
request.state.current_user = principal
return principal
# --- 2) Session cookie (browser) ---
cookie = request.cookies.get(SESSION_COOKIE_NAME)
if cookie:
uid = verify_session(cookie)
if uid is not None:
async with get_session_factory()() as db_session:
user = await get_user(db_session, uid)
if user is not None:
principal = CurrentUser(is_admin=False, user=user)
request.state.current_user = principal
return principal
# --- 3) Unauthenticated ---
if _wants_html(request):
# Preserve the originally-requested path so /login can redirect back.
path = request.url.path
if request.url.query:
path += "?" + request.url.query
return _raise_redirect_to_login(next_path=path)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentication required",
headers={"WWW-Authenticate": "Bearer"},
)
async def maybe_current_user(
request: Request,
authorization: str | None = Header(default=None),
) -> CurrentUser | None:
"""Soft-auth: same resolution as `require_auth`, but returns None on
miss instead of raising. Used on dual-purpose routes (e.g. `/` where
a logged-in user sees the dashboard and a logged-out visitor sees the
landing page) and on the public marketing/legal pages, so their
templates can show a "Dashboard" link when a session is present."""
s = get_settings()
if s.CASSANDRA_TOKEN and authorization and authorization.lower().startswith("bearer "):
provided = authorization.split(" ", 1)[1].strip()
if secrets.compare_digest(provided.encode(), s.CASSANDRA_TOKEN.encode()):
principal = CurrentUser(is_admin=True, user=None)
request.state.current_user = principal
return principal
cookie = request.cookies.get(SESSION_COOKIE_NAME)
if cookie:
uid = verify_session(cookie)
if uid is not None:
async with get_session_factory()() as db_session:
user = await get_user(db_session, uid)
if user is not None:
principal = CurrentUser(is_admin=False, user=user)
request.state.current_user = principal
return principal
return None
def _raise_redirect_to_login(next_path: str = "/") -> None:
# Some pages (login itself) are paths a redirect loop would be silly
# to send back to. The auth router opts out of this dependency
# entirely, so we don't need to filter here.
raise HTTPException(
status_code=status.HTTP_303_SEE_OTHER,
detail="Login required",
headers={"Location": f"/login?next={next_path}"},
)
# Backwards compatibility: every existing router uses Depends(require_token).
require_token = require_auth
Reference in a new issue View git blame Copy permalink