Cortex-Inara/cortex/routers/auth.py

"""
CLI auth status for both Claude and Gemini backends.

GET /auth/status  — returns per-backend auth info and warning flags

Claude:  warns when OAuth token is < WARN_HOURS from expiry (requires
         user to re-run `claude` to refresh via browser flow).
Gemini:  warns only when oauth_creds.json is missing or has no
         refresh_token (access token rotates automatically every ~1h).
"""
import json
import logging
from datetime import datetime, timezone
from pathlib import Path
from fastapi import APIRouter

logger = logging.getLogger(__name__)
router = APIRouter(prefix="/auth")

CLAUDE_CREDS  = Path.home() / ".claude" / ".credentials.json"
GEMINI_CREDS  = Path.home() / ".gemini" / "oauth_creds.json"
GEMINI_ACCTS  = Path.home() / ".gemini" / "google_accounts.json"
WARN_HOURS = 24


def _claude_status() -> dict:
    try:
        data = json.loads(CLAUDE_CREDS.read_text())
        oauth = data["claudeAiOauth"]
        expires_dt = datetime.fromtimestamp(oauth["expiresAt"] / 1000, tz=timezone.utc)
        now = datetime.now(tz=timezone.utc)
        hours_remaining = (expires_dt - now).total_seconds() / 3600
        return {
            "ok": True,
            "expires_at": expires_dt.isoformat(),
            "hours_remaining": round(hours_remaining, 1),
            "warning": hours_remaining < WARN_HOURS,
            "expired": hours_remaining <= 0,
        }
    except Exception as e:
        logger.warning("claude auth check failed: %s", e)
        return {"ok": False, "error": str(e), "warning": True, "expired": False}


def _gemini_status() -> dict:
    try:
        creds = json.loads(GEMINI_CREDS.read_text())
        if not creds.get("refresh_token"):
            return {"ok": True, "authenticated": False, "warning": True, "account": None}
        account = None
        try:
            accts = json.loads(GEMINI_ACCTS.read_text())
            account = accts.get("active")
        except Exception:
            pass
        return {"ok": True, "authenticated": True, "warning": False, "account": account}
    except FileNotFoundError:
        return {"ok": True, "authenticated": False, "warning": True, "account": None}
    except Exception as e:
        logger.warning("gemini auth check failed: %s", e)
        return {"ok": False, "error": str(e), "warning": True, "authenticated": False}


@router.get("/status")
async def auth_status() -> dict:
    return {
        "claude": _claude_status(),
        "gemini": _gemini_status(),
    }