a9bbb668b5
Replaces nginx basic auth with a proper per-user session system:
- auth_utils.py: bcrypt password hashing, JWT cookie creation/decode
- auth_middleware.py: validates JWT cookie on all routes except /login,
/health, /static/, and webhook endpoints (/channels/, /webhook/)
- routers/ui.py: GET /login, POST /login, POST /logout,
GET /{username}/{persona} — serves index.html with CORTEX_CONFIG injected
- static/login.html: minimal login form (dark theme, matches UI)
- main.py: registers SessionAuthMiddleware + ui.router
- config.py: jwt_secret, jwt_expire_days settings
- manage_passwords.py: CLI tool to set/check/list user passwords
- app.js: reads window.CORTEX_CONFIG (user + persona), sends both on
every /chat and /orchestrate request; persona name shown in header;
logout button (⏏) added to header
- requirements.txt: bcrypt, PyJWT, python-multipart
- .env.default: JWT_SECRET, JWT_EXPIRE_DAYS documented
- tests: client fixture injects JWT cookie; security test assertions
updated for URL-normalized path traversal paths (still secure, codes differ)
All 80 tests pass.
Setup for a new user:
python manage_passwords.py set scott
python manage_passwords.py set holly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
21 lines
512 B
Plaintext
21 lines
512 B
Plaintext
fastapi>=0.115.0
|
|
apscheduler>=3.10
|
|
uvicorn[standard]>=0.30.0
|
|
pydantic-settings>=2.0.0
|
|
python-dotenv>=1.0.0
|
|
|
|
# Orchestrator — Gemini API (native tool calling) + web search
|
|
google-genai>=1.0.0
|
|
ddgs>=0.1.0
|
|
|
|
# Google Chat webhook — JWT Bearer token verification
|
|
google-auth>=2.0.0
|
|
|
|
# Session auth — password hashing + JWT cookies
|
|
bcrypt>=4.0.0
|
|
PyJWT>=2.8.0
|
|
python-multipart>=0.0.9 # required by FastAPI for Form() data
|
|
|
|
# anthropic SDK not needed — using claude CLI subprocess for auth
|
|
# anthropic>=0.40.0
|