b37e15d59a
Phase 18 changes: OAuth/OIDC SSO (Authorization Code + PKCE): - alembic/versions/0015_add_oauth_fields.py: add oauth_sub UNIQUE column, drop NOT NULL on password_hash - src/fabledassistant/services/oauth.py: OIDC discovery (cached), build_auth_url, exchange_code, get_userinfo, find_or_create_oauth_user (sub→email auto-link→create) - src/fabledassistant/routes/auth.py: GET /api/auth/oauth/login and GET /api/auth/oauth/callback; LOCAL_AUTH_ENABLED guards on login/register; /api/auth/status now returns oauth_enabled + local_auth_enabled - src/fabledassistant/config.py: OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_SCOPES, LOCAL_AUTH_ENABLED, oidc_enabled() classmethod - src/fabledassistant/models/user.py: password_hash nullable, oauth_sub field, has_password bool in to_dict() - src/fabledassistant/services/auth.py: create_user accepts password=None + oauth_sub kwarg; authenticate returns None for OAuth-only users; add get_user_by_oauth_sub, link_oauth_sub, update_user_email - frontend: AuthStatus + User types updated; auth store exposes oauthEnabled + localAuthEnabled; LoginView shows SSO button / hides password form accordingly Email change: - PUT /api/auth/email: requires password confirmation for local-auth users, skips check for OAuth-only users; enforces email uniqueness - SettingsView.vue: new Email Address section pre-filled with current email, updates authStore.user in-place on success Docs: - docs/oauth-setup.md: step-by-step Authentik provider setup, example docker-compose env vars, account linking explanation, per-provider issuer URL table Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
59 lines
2.8 KiB
Python
59 lines
2.8 KiB
Python
import os
|
|
|
|
|
|
def _read_secret(env_var: str, secret_file_var: str, default: str) -> str:
|
|
"""Read a config value from env var, or from a Docker secrets file."""
|
|
value = os.environ.get(env_var)
|
|
if value:
|
|
return value
|
|
secret_file = os.environ.get(secret_file_var)
|
|
if secret_file:
|
|
try:
|
|
with open(secret_file) as f:
|
|
return f.read().strip()
|
|
except FileNotFoundError:
|
|
pass
|
|
return default
|
|
|
|
|
|
class Config:
|
|
DATABASE_URL: str = _read_secret(
|
|
"DATABASE_URL",
|
|
"DATABASE_URL_FILE",
|
|
"postgresql+asyncpg://fabled:fabled@localhost:5432/fabledassistant",
|
|
)
|
|
OLLAMA_URL: str = os.environ.get("OLLAMA_URL", "http://localhost:11434")
|
|
OLLAMA_MODEL: str = os.environ.get("OLLAMA_MODEL", "qwen3")
|
|
# Optional dedicated model for intent classification (should be small/fast).
|
|
# Falls back to OLLAMA_MODEL if not set. Can also be overridden per-user via settings.
|
|
OLLAMA_INTENT_MODEL: str = os.environ.get("OLLAMA_INTENT_MODEL", "")
|
|
SECRET_KEY: str = _read_secret("SECRET_KEY", "SECRET_KEY_FILE", "dev-secret-change-me")
|
|
SECURE_COOKIES: bool = os.environ.get("SECURE_COOKIES", "").lower() in ("1", "true", "yes")
|
|
LOG_LEVEL: str = os.environ.get("LOG_LEVEL", "INFO")
|
|
LOG_RETENTION_DAYS: int = int(os.environ.get("LOG_RETENTION_DAYS", "90"))
|
|
|
|
# Embedding model for semantic note search (served by Ollama)
|
|
EMBEDDING_MODEL: str = os.environ.get("EMBEDDING_MODEL", "nomic-embed-text")
|
|
|
|
# SMTP defaults (overridden by DB settings when configured via admin UI)
|
|
SMTP_HOST: str = os.environ.get("SMTP_HOST", "")
|
|
SMTP_PORT: int = int(os.environ.get("SMTP_PORT", "587"))
|
|
SMTP_USERNAME: str = os.environ.get("SMTP_USERNAME", "")
|
|
SMTP_PASSWORD: str = _read_secret("SMTP_PASSWORD", "SMTP_PASSWORD_FILE", "")
|
|
SMTP_FROM_ADDRESS: str = os.environ.get("SMTP_FROM_ADDRESS", "")
|
|
SMTP_FROM_NAME: str = os.environ.get("SMTP_FROM_NAME", "Fabled Assistant")
|
|
SMTP_USE_TLS: bool = os.environ.get("SMTP_USE_TLS", "true").lower() in ("1", "true", "yes")
|
|
BASE_URL: str = os.environ.get("BASE_URL", "http://localhost:5000").rstrip("/")
|
|
TRUST_PROXY_HEADERS: bool = os.environ.get("TRUST_PROXY_HEADERS", "").lower() in ("1", "true", "yes")
|
|
|
|
# OIDC / OAuth2 SSO (e.g. Authentik)
|
|
OIDC_ISSUER: str = os.environ.get("OIDC_ISSUER", "")
|
|
OIDC_CLIENT_ID: str = os.environ.get("OIDC_CLIENT_ID", "")
|
|
OIDC_CLIENT_SECRET: str = _read_secret("OIDC_CLIENT_SECRET", "OIDC_CLIENT_SECRET_FILE", "")
|
|
OIDC_SCOPES: str = os.environ.get("OIDC_SCOPES", "openid profile email")
|
|
LOCAL_AUTH_ENABLED: bool = os.environ.get("LOCAL_AUTH_ENABLED", "true").lower() not in ("0", "false", "no")
|
|
|
|
@classmethod
|
|
def oidc_enabled(cls) -> bool:
|
|
return bool(cls.OIDC_ISSUER and cls.OIDC_CLIENT_ID and cls.OIDC_CLIENT_SECRET)
|