Scott.Idem/Cortex-Inara
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: session auth + per-user/persona UI at /{user}/{persona}

Browse Source 
Replaces nginx basic auth with a proper per-user session system:

- auth_utils.py: bcrypt password hashing, JWT cookie creation/decode
- auth_middleware.py: validates JWT cookie on all routes except /login,
  /health, /static/, and webhook endpoints (/channels/, /webhook/)
- routers/ui.py: GET /login, POST /login, POST /logout,
  GET /{username}/{persona} — serves index.html with CORTEX_CONFIG injected
- static/login.html: minimal login form (dark theme, matches UI)
- main.py: registers SessionAuthMiddleware + ui.router
- config.py: jwt_secret, jwt_expire_days settings
- manage_passwords.py: CLI tool to set/check/list user passwords
- app.js: reads window.CORTEX_CONFIG (user + persona), sends both on
  every /chat and /orchestrate request; persona name shown in header;
  logout button (⏏) added to header
- requirements.txt: bcrypt, PyJWT, python-multipart
- .env.default: JWT_SECRET, JWT_EXPIRE_DAYS documented
- tests: client fixture injects JWT cookie; security test assertions
  updated for URL-normalized path traversal paths (still secure, codes differ)

All 80 tests pass.

Setup for a new user:
  python manage_passwords.py set scott
  python manage_passwords.py set holly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-03-20 22:54:12 -04:00
parent 77e770cdb2
commit a9bbb668b5
14 changed files with 538 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cortex/tests/test_security.py
View File

@@ -14,7 +14,14 @@ import pytest
@pytest.mark.anyio
async def test_files_no_path_traversal_in_filename(client):
"""File endpoint must not serve files outside the ALLOWED set."""
"""
File endpoint must not serve files outside the ALLOWED set.
Note: paths containing '..' are URL-normalized before reaching FastAPI.
'/files/../../etc/passwd' becomes '/etc/passwd' at the ASGI layer — it
never hits the files router. We verify no file content is returned (any
non-200 code is safe); 302 redirects to login are fine.
"""
dangerous = [
"../config.py",
"../../etc/passwd",
@@ -25,8 +32,8 @@ async def test_files_no_path_traversal_in_filename(client):
]
for name in dangerous:
r = await client.get(f"/files/{name}")
assert r.status_code in (404, 422), \
f"Expected 404/422 for {name!r}, got {r.status_code}"
assert r.status_code != 200 or "content" not in r.json(), \
f"Got 200 with file content for {name!r} — path traversal may be possible"
@pytest.mark.anyio