Harden auth, redaction, upload size checks, and compose token requirements

2026-02-21 13:48:55 -03:00
parent 5792586a90
commit 3cbad053cc
21 changed files with 1168 additions and 85 deletions
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -0,0 +1,87 @@
+"""Token-based authentication and authorization dependencies for privileged API routes."""
+
+import hmac
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from app.core.config import Settings, get_settings
+
+
+bearer_auth = HTTPBearer(auto_error=False)
+
+
+class AuthRole:
+    """Declares supported authorization roles for privileged API operations."""
+
+    ADMIN = "admin"
+    USER = "user"
+
+
+def _raise_unauthorized() -> None:
+    """Raises an HTTP 401 response with bearer authentication challenge headers."""
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or missing API token",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+
+def _configured_admin_token(settings: Settings) -> str:
+    """Returns required admin token or raises configuration error when unset."""
+
+    token = settings.admin_api_token.strip()
+    if token:
+        return token
+    raise HTTPException(
+        status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+        detail="Admin API token is not configured",
+    )
+
+
+def _resolve_token_role(token: str, settings: Settings) -> str:
+    """Resolves role from a bearer token using constant-time comparisons."""
+
+    admin_token = _configured_admin_token(settings)
+    if hmac.compare_digest(token, admin_token):
+        return AuthRole.ADMIN
+
+    user_token = settings.user_api_token.strip()
+    if user_token and hmac.compare_digest(token, user_token):
+        return AuthRole.USER
+
+    _raise_unauthorized()
+
+
+def get_request_role(
+    credentials: Annotated[HTTPAuthorizationCredentials | None, Depends(bearer_auth)],
+    settings: Annotated[Settings, Depends(get_settings)],
+) -> str:
+    """Authenticates request token and returns its authorization role."""
+
+    if credentials is None:
+        _raise_unauthorized()
+
+    token = credentials.credentials.strip()
+    if not token:
+        _raise_unauthorized()
+    return _resolve_token_role(token=token, settings=settings)
+
+
+def require_user_or_admin(role: Annotated[str, Depends(get_request_role)]) -> str:
+    """Requires a valid user or admin token and returns resolved role."""
+
+    return role
+
+
+def require_admin(role: Annotated[str, Depends(get_request_role)]) -> str:
+    """Requires admin role and rejects requests authenticated as regular users."""
+
+    if role != AuthRole.ADMIN:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin token required",
+        )
+    return role