add files infra docker service for data platform
This commit is contained in:
jigoong
0
03-apiservice/app/security/__init__.py
Normal file
0
03-apiservice/app/security/__init__.py
Normal file
22
03-apiservice/app/security/api_key.py
Normal file
22
03-apiservice/app/security/api_key.py
Normal file
@@ -0,0 +1,22 @@
|
||||
import secrets
|
||||
|
||||
import bcrypt
|
||||
|
||||
|
||||
def generate_api_key(prefix_len: int = 8, token_bytes: int = 32) -> str:
|
||||
prefix = secrets.token_urlsafe(prefix_len)[:prefix_len]
|
||||
token = secrets.token_urlsafe(token_bytes)
|
||||
return f"{prefix}.{token}"
|
||||
|
||||
|
||||
def get_prefix(api_key: str) -> str:
|
||||
return api_key.split(".", 1)[0]
|
||||
|
||||
|
||||
def hash_api_key(api_key: str) -> str:
|
||||
hashed = bcrypt.hashpw(api_key.encode("utf-8"), bcrypt.gensalt())
|
||||
return hashed.decode("utf-8")
|
||||
|
||||
|
||||
def verify_api_key(api_key: str, api_key_hash: str) -> bool:
|
||||
return bcrypt.checkpw(api_key.encode("utf-8"), api_key_hash.encode("utf-8"))
|
||||
54
03-apiservice/app/security/dependencies.py
Normal file
54
03-apiservice/app/security/dependencies.py
Normal file
@@ -0,0 +1,54 @@
|
||||
from typing import Annotated
|
||||
|
||||
from fastapi import Depends, HTTPException, Request, status
|
||||
from sqlalchemy import select
|
||||
from sqlalchemy.orm import Session, sessionmaker
|
||||
|
||||
from app.db.engine import engine
|
||||
from app.db.models import ApiKey
|
||||
from app.security.api_key import get_prefix, verify_api_key
|
||||
|
||||
|
||||
SessionLocal = sessionmaker(bind=engine, autoflush=False, autocommit=False)
|
||||
|
||||
|
||||
def get_db():
|
||||
db = SessionLocal()
|
||||
try:
|
||||
yield db
|
||||
finally:
|
||||
db.close()
|
||||
|
||||
|
||||
def get_bearer_token(request: Request) -> str:
|
||||
auth = request.headers.get("authorization")
|
||||
if not auth:
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing Authorization")
|
||||
|
||||
parts = auth.split(" ", 1)
|
||||
if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid Authorization")
|
||||
|
||||
return parts[1].strip()
|
||||
|
||||
|
||||
def require_permission(permission: str):
|
||||
def _dep(
|
||||
token: Annotated[str, Depends(get_bearer_token)],
|
||||
db: Annotated[Session, Depends(get_db)],
|
||||
) -> ApiKey:
|
||||
prefix = get_prefix(token)
|
||||
stmt = select(ApiKey).where(ApiKey.key_prefix == prefix, ApiKey.is_active.is_(True))
|
||||
api_key = db.execute(stmt).scalar_one_or_none()
|
||||
if not api_key:
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
|
||||
|
||||
if not verify_api_key(token, api_key.key_hash):
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
|
||||
|
||||
if permission not in (api_key.permissions or []):
|
||||
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Permission denied")
|
||||
|
||||
return api_key
|
||||
|
||||
return _dep
|
||||
Reference in New Issue
Block a user