Add registration control, admin user management, and security hardening
- Registration auto-closes after first user; admin can toggle from /admin/users - Admin user management view with user list and delete - Password confirmation on registration form - Password change in Settings (PUT /api/auth/password) - Session cookie hardening: HttpOnly, SameSite=Lax, optional Secure flag - Startup warning when SECRET_KEY is default - Production deployment docs: reverse proxy, rate limiting, CSP headers - Fix assist prompt to preserve markdown headings in target sections - Simplify prod compose networking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -26,6 +26,15 @@ def create_app() -> Quart:
|
||||
|
||||
app = Quart(__name__, static_folder=None)
|
||||
app.secret_key = Config.SECRET_KEY
|
||||
app.config["SESSION_COOKIE_HTTPONLY"] = True
|
||||
app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
|
||||
app.config["SESSION_COOKIE_SECURE"] = Config.SECURE_COOKIES
|
||||
|
||||
if Config.SECRET_KEY == "dev-secret-change-me":
|
||||
logger.warning(
|
||||
"SECRET_KEY is set to the default value — session cookies are insecure. "
|
||||
"Set SECRET_KEY or SECRET_KEY_FILE for production use."
|
||||
)
|
||||
|
||||
app.register_blueprint(admin_bp)
|
||||
app.register_blueprint(api)
|
||||
|
||||
@@ -25,4 +25,5 @@ class Config:
|
||||
OLLAMA_URL: str = os.environ.get("OLLAMA_URL", "http://localhost:11434")
|
||||
OLLAMA_MODEL: str = os.environ.get("OLLAMA_MODEL", "llama3.1")
|
||||
SECRET_KEY: str = _read_secret("SECRET_KEY", "SECRET_KEY_FILE", "dev-secret-change-me")
|
||||
SECURE_COOKIES: bool = os.environ.get("SECURE_COOKIES", "").lower() in ("1", "true", "yes")
|
||||
LOG_LEVEL: str = os.environ.get("LOG_LEVEL", "INFO")
|
||||
|
||||
@@ -3,6 +3,12 @@ import json
|
||||
from quart import Blueprint, Response, jsonify, request
|
||||
|
||||
from fabledassistant.auth import admin_required, login_required, get_current_user_id
|
||||
from fabledassistant.services.auth import (
|
||||
delete_user,
|
||||
is_registration_open,
|
||||
list_users,
|
||||
set_registration_open,
|
||||
)
|
||||
from fabledassistant.services.backup import (
|
||||
export_full_backup,
|
||||
export_user_backup,
|
||||
@@ -45,3 +51,43 @@ async def restore():
|
||||
|
||||
stats = await restore_full_backup(data)
|
||||
return jsonify({"status": "ok", "stats": stats})
|
||||
|
||||
|
||||
@admin_bp.route("/users", methods=["GET"])
|
||||
@admin_required
|
||||
async def get_users():
|
||||
users = await list_users()
|
||||
return jsonify({"users": [u.to_dict() for u in users]})
|
||||
|
||||
|
||||
@admin_bp.route("/users/<int:user_id>", methods=["DELETE"])
|
||||
@admin_required
|
||||
async def remove_user(user_id: int):
|
||||
current_uid = get_current_user_id()
|
||||
if user_id == current_uid:
|
||||
return jsonify({"error": "Cannot delete your own account"}), 400
|
||||
|
||||
deleted = await delete_user(user_id)
|
||||
if not deleted:
|
||||
return jsonify({"error": "User not found"}), 404
|
||||
return jsonify({"status": "ok"})
|
||||
|
||||
|
||||
@admin_bp.route("/registration", methods=["GET"])
|
||||
@admin_required
|
||||
async def get_registration():
|
||||
open_status = await is_registration_open()
|
||||
return jsonify({"open": open_status})
|
||||
|
||||
|
||||
@admin_bp.route("/registration", methods=["PUT"])
|
||||
@admin_required
|
||||
async def toggle_registration():
|
||||
data = await request.get_json()
|
||||
open_val = data.get("open")
|
||||
if open_val is None:
|
||||
return jsonify({"error": "Missing 'open' field"}), 400
|
||||
|
||||
uid = get_current_user_id()
|
||||
await set_registration_open(uid, bool(open_val))
|
||||
return jsonify({"status": "ok", "open": bool(open_val)})
|
||||
|
||||
@@ -3,9 +3,11 @@ from quart import Blueprint, jsonify, request, session
|
||||
from fabledassistant.auth import login_required, get_current_user_id
|
||||
from fabledassistant.services.auth import (
|
||||
authenticate,
|
||||
change_password,
|
||||
create_user,
|
||||
get_user_by_id,
|
||||
get_user_count,
|
||||
is_registration_open,
|
||||
)
|
||||
|
||||
auth_bp = Blueprint("auth", __name__, url_prefix="/api/auth")
|
||||
@@ -13,6 +15,9 @@ auth_bp = Blueprint("auth", __name__, url_prefix="/api/auth")
|
||||
|
||||
@auth_bp.route("/register", methods=["POST"])
|
||||
async def register():
|
||||
if not await is_registration_open():
|
||||
return jsonify({"error": "Registration is closed"}), 403
|
||||
|
||||
data = await request.get_json()
|
||||
username = (data.get("username") or "").strip()
|
||||
password = data.get("password") or ""
|
||||
@@ -64,7 +69,28 @@ async def me():
|
||||
return jsonify(user.to_dict())
|
||||
|
||||
|
||||
@auth_bp.route("/password", methods=["PUT"])
|
||||
@login_required
|
||||
async def update_password():
|
||||
data = await request.get_json()
|
||||
current = data.get("current_password") or ""
|
||||
new_pw = data.get("new_password") or ""
|
||||
|
||||
if not current:
|
||||
return jsonify({"error": "Current password is required"}), 400
|
||||
if len(new_pw) < 8:
|
||||
return jsonify({"error": "New password must be at least 8 characters"}), 400
|
||||
|
||||
uid = get_current_user_id()
|
||||
success = await change_password(uid, current, new_pw)
|
||||
if not success:
|
||||
return jsonify({"error": "Current password is incorrect"}), 403
|
||||
|
||||
return jsonify({"status": "ok"})
|
||||
|
||||
|
||||
@auth_bp.route("/status", methods=["GET"])
|
||||
async def status():
|
||||
count = await get_user_count()
|
||||
return jsonify({"has_users": count > 0})
|
||||
reg_open = await is_registration_open()
|
||||
return jsonify({"has_users": count > 0, "registration_open": reg_open})
|
||||
|
||||
@@ -20,6 +20,9 @@ def build_assist_messages(
|
||||
f"--- Full Document ---\n{truncated_body}\n--- End Document ---\n\n"
|
||||
"The user will give you a specific section of the document and an instruction. "
|
||||
"Output ONLY the replacement text for that section. "
|
||||
"If the target section starts with a markdown heading (e.g. ## Heading), "
|
||||
"your output MUST also start with a heading at the same level. "
|
||||
"You may revise the heading text but do not remove it. "
|
||||
"Do not include other sections, explanatory text, or markdown code fences around the output. "
|
||||
"Match the document's existing tone and style."
|
||||
)
|
||||
|
||||
@@ -63,6 +63,8 @@ async def create_user(
|
||||
.where(Setting.user_id == user.id)
|
||||
.values(user_id=user.id)
|
||||
)
|
||||
# Auto-close registration after first user setup
|
||||
session.add(Setting(user_id=user.id, key="registration_open", value="false"))
|
||||
await session.commit()
|
||||
logger.info("First user '%s' created as admin, claimed orphaned data", username)
|
||||
|
||||
@@ -83,3 +85,60 @@ async def authenticate(username: str, password: str) -> User | None:
|
||||
async def get_user_by_id(user_id: int) -> User | None:
|
||||
async with async_session() as session:
|
||||
return await session.get(User, user_id)
|
||||
|
||||
|
||||
async def change_password(user_id: int, current_password: str, new_password: str) -> bool:
|
||||
"""Change a user's password. Returns True on success, False if current password is wrong."""
|
||||
async with async_session() as session:
|
||||
user = await session.get(User, user_id)
|
||||
if not user:
|
||||
return False
|
||||
if not verify_password(current_password, user.password_hash):
|
||||
return False
|
||||
user.password_hash = hash_password(new_password)
|
||||
await session.commit()
|
||||
logger.info("Password changed for user %d (%s)", user_id, user.username)
|
||||
return True
|
||||
|
||||
|
||||
async def is_registration_open() -> bool:
|
||||
"""Check if new user registration is allowed.
|
||||
|
||||
Always open when no users exist (first-user setup).
|
||||
Otherwise reads the admin's 'registration_open' setting (default closed).
|
||||
"""
|
||||
user_count = await get_user_count()
|
||||
if user_count == 0:
|
||||
return True
|
||||
|
||||
async with async_session() as session:
|
||||
# Find the admin user's registration_open setting
|
||||
result = await session.execute(
|
||||
select(Setting)
|
||||
.join(User, Setting.user_id == User.id)
|
||||
.where(User.role == "admin", Setting.key == "registration_open")
|
||||
)
|
||||
setting = result.scalar_one_or_none()
|
||||
return setting.value == "true" if setting else False
|
||||
|
||||
|
||||
async def list_users() -> list[User]:
|
||||
async with async_session() as session:
|
||||
result = await session.execute(select(User).order_by(User.created_at))
|
||||
return list(result.scalars().all())
|
||||
|
||||
|
||||
async def delete_user(user_id: int) -> bool:
|
||||
async with async_session() as session:
|
||||
user = await session.get(User, user_id)
|
||||
if not user:
|
||||
return False
|
||||
await session.delete(user)
|
||||
await session.commit()
|
||||
logger.info("Deleted user %d (%s)", user_id, user.username)
|
||||
return True
|
||||
|
||||
|
||||
async def set_registration_open(admin_user_id: int, open: bool) -> None:
|
||||
from fabledassistant.services.settings import set_setting
|
||||
await set_setting(admin_user_id, "registration_open", "true" if open else "false")
|
||||
|
||||
Reference in New Issue
Block a user