giorgio/read.markets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
read.markets/app/config.py
Giorgio Gilestro 480fd311c5 phase A: user accounts + session-cookie auth 
Replaces the static bearer-token gate with a real auth boundary. The
existing CASSANDRA_TOKEN path is retained as an admin / scripting escape
hatch — kept compatible by aliasing require_token to require_auth.

- New users table (migration 0007): email, argon2 password_hash, tier,
  email_verified (declared but not enforced until phase E), settings_json
  for the tone/analysis/anchor knobs we'll wire in phase D.
- app/services/auth_service.py: argon2-cffi password hashing with timing-
  attack-resistant authenticate() (always runs a hash verify even on
  unknown-email to deny a username-enumeration oracle).
- app/auth.py rewritten: require_auth returns a CurrentUser with either
  is_admin=True (bearer path) or a User object (session path). Failing
  requests get 303 → /login for HTML, 401 for API. Sessions signed with
  itsdangerous against CASSANDRA_SESSION_SECRET; 14-day TTL.
- app/routers/auth.py: /login, /signup, /logout. Login form preserves the
  ?next=… param for redirect-after-login. Signup respects a new
  CASSANDRA_SIGNUP_ENABLED flag.
- Standalone /login + /signup templates (no app chrome). base.html grows
  a user chip + logout link in the header (reads request.state.current_user).

Phase A's main known limitations are documented in the plan: email
verification is declared but not enforced; session revocation is
best-effort (cookie-only, not DB-backed). Both land in phase E.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 11:12:10 +01:00

125 lines
4.3 KiB
Python
Raw Blame History

"""Runtime configuration — environment via Pydantic Settings + TOML-loaded data tables.
Settings come from .env / process env. The TOML files (default.toml, portfolio.toml)
define *what to track* — they're declarative content, not config knobs, so they
stay separate from the settings model.
"""
from __future__ import annotations
import tomllib
from functools import lru_cache
from pathlib import Path
from typing import Any
from pydantic import Field
from pydantic_settings import BaseSettings, SettingsConfigDict
CONFIG_DIR = Path(__file__).resolve().parent.parent / "config"
class Settings(BaseSettings):
"""All runtime knobs. Read from process env, .env not needed in-container
because compose injects vars directly; .env is supported for local dev."""
model_config = SettingsConfigDict(
env_file=".env",
env_file_encoding="utf-8",
extra="ignore",
)
# Database
DATABASE_URL: str = "mysql+aiomysql://cassandra:changeme@db:3306/cassandra"
# API keys (mirror prototype .env names)
API_KEY: str = "" # Trading 212 key
SECRET_KEY: str = "" # Trading 212 secret
FRED_API_KEY: str = ""
OPENROUTER_API_KEY: str = ""
# App
CASSANDRA_TOKEN: str = ""
CASSANDRA_PORT: int = 8000
# Signing key for session cookies. Generate with:
# python -c "import secrets; print(secrets.token_urlsafe(32))"
# Falls back to CASSANDRA_TOKEN if unset (acceptable for single-host dev).
CASSANDRA_SESSION_SECRET: str = ""
# Set to false (or 0/no) to disable /signup after the first account is
# created. Phase A leaves this open so the operator can self-onboard.
CASSANDRA_SIGNUP_ENABLED: bool = True
CASSANDRA_BASE_CURRENCY: str = "GBP"
CASSANDRA_ANCHOR_DATE: str = ""
CASSANDRA_MOCK: bool = False
# AI log
OPENROUTER_MODEL: str = "deepseek/deepseek-v4-flash"
OPENROUTER_MONTHLY_CAP_USD: float = 20.0
CASSANDRA_TONE: str = "INTERMEDIATE" # NOVICE | INTERMEDIATE | PRO
CASSANDRA_ANALYSIS: str = "SPECULATIVE" # DRY | SPECULATIVE
# Config file locations (overridable for tests)
BASELINE_TOML: Path = Field(default_factory=lambda: CONFIG_DIR / "default.toml")
PORTFOLIO_TOML: Path = Field(default_factory=lambda: CONFIG_DIR / "portfolio.toml")
@lru_cache
def get_settings() -> Settings:
return Settings()
# --- TOML data tables --------------------------------------------------------
def _merge_toml(*paths: Path) -> dict[str, Any]:
"""Read TOML files in order; later ones override earlier at the top level
(with shallow dict-merge for nested tables)."""
out: dict[str, Any] = {}
for path in paths:
if not path.exists():
continue
with path.open("rb") as f:
data = tomllib.load(f)
for k, v in data.items():
if isinstance(v, dict) and isinstance(out.get(k), dict):
out[k].update(v)
else:
out[k] = v
return out
def load_groups(*paths: Path) -> dict[str, list[tuple[str, str, str]]]:
"""[(symbol, label, note), ...] per group name."""
data = _merge_toml(*paths)
out: dict[str, list[tuple[str, str, str]]] = {}
for name, items in (data.get("groups") or {}).items():
out[name] = [
(it["symbol"], it.get("label", it["symbol"]), it.get("note", ""))
for it in items
]
return out
def load_feeds(*paths: Path) -> dict[str, list[tuple[str, str]]]:
"""[(name, url), ...] per category name."""
data = _merge_toml(*paths)
out: dict[str, list[tuple[str, str]]] = {}
for cat, items in (data.get("feeds") or {}).items():
out[cat] = [(it["name"], it["url"]) for it in items]
return out
def load_presets(*paths: Path) -> dict[str, list[str]]:
"""Keyword presets for news filtering."""
data = _merge_toml(*paths)
presets = (data.get("news") or {}).get("presets") or {}
return {name: list(kw) for name, kw in presets.items()}
def load_all() -> tuple[dict, dict, dict]:
"""Shortcut: groups, feeds, presets using the configured TOML paths."""
s = get_settings()
return (
load_groups(s.BASELINE_TOML, s.PORTFOLIO_TOML),
load_feeds(s.BASELINE_TOML, s.PORTFOLIO_TOML),
load_presets(s.BASELINE_TOML, s.PORTFOLIO_TOML),
)
Reference in a new issue View git blame Copy permalink