feat(dashboard-auth): auth gate middleware + /auth/* routes + /login HTML

Phase 3, Tasks 3.2 + 3.3 + 3.4. These three pieces are mutually dependent so they land together. middleware.py - gated_auth_middleware engages when app.state.auth_required is True. Allowlists /login, /auth/*, /api/auth/providers, and static asset paths; everything else demands a valid session_at cookie. Verifies by trying every registered provider's verify_session in turn (multi- provider stack); attaches verified Session to request.state.session. Returns 401 JSON for /api/* and 302 -> /login for HTML. ProviderError during verify -> 503. routes.py - APIRouter with: GET /login server-rendered HTML GET /auth/login?provider=N 302 to IDP + PKCE cookie GET /auth/callback?code,state completes login, sets session cookies POST /auth/logout clears cookies + best-effort revoke GET /api/auth/providers public bootstrap endpoint (503 if zero) GET /api/auth/me verified session as JSON (auth-required) login_page.py - Inline-CSS HTML template, no React, no JavaScript. web_server.py - Mounted gated_auth_middleware between host_header and auth_middleware (FastAPI runs middlewares in registration order: host check -> cookie auth -> token auth). auth_middleware short-circuits when auth_required so cookie auth is authoritative in gated mode. Router is included before mount_spa so the catch-all doesn't swallow /login or /auth/*. 17 new behavioural tests; loopback regression harness still green.
2026-06-08 08:11:38 +00:00 · 2026-05-21 15:19:44 +10:00 · 2026-05-21 15:19:44 +10:00 · 884f0da82a
commit 884f0da82a
parent 12142c0ca1
5 changed files with 838 additions and 0 deletions
--- a/hermes_cli/dashboard_auth/middleware.py
+++ b/hermes_cli/dashboard_auth/middleware.py
@ -0,0 +1,126 @@
+"""Auth-gate middleware for the dashboard.
+
+Engaged when ``app.state.auth_required is True``. The gate's job:
+
+  1. Allow a small set of routes through unauthenticated (login page,
+     ``/auth/*`` OAuth round trip, ``/api/auth/providers``, static
+     assets).
+  2. For everything else, demand a valid session cookie and attach the
+     verified :class:`Session` to ``request.state.session``.
+  3. On HTML routes, redirect missing/invalid cookies to ``/login``.
+     On ``/api/*`` routes, return 401 JSON.
+
+The middleware is a no-op when ``auth_required`` is False (loopback
+mode); the legacy ``_SESSION_TOKEN`` ``auth_middleware`` handles those
+binds.
+"""
+from __future__ import annotations
+
+import logging
+from typing import Awaitable, Callable
+
+from fastapi import Request
+from fastapi.responses import JSONResponse, RedirectResponse, Response
+
+from hermes_cli.dashboard_auth import list_providers
+from hermes_cli.dashboard_auth.audit import AuditEvent, audit_log
+from hermes_cli.dashboard_auth.base import ProviderError
+from hermes_cli.dashboard_auth.cookies import read_session_cookies
+
+_log = logging.getLogger(__name__)
+
+# Paths that bypass the auth gate. Order matters: prefix match.
+_GATE_PUBLIC_PREFIXES: tuple[str, ...] = (
+    "/auth/login",
+    "/auth/callback",
+    "/auth/logout",
+    "/login",
+    "/api/auth/providers",
+    "/assets/",
+    "/favicon.ico",
+    "/ds-assets/",
+    "/fonts/",
+    "/fonts-terminal/",
+)
+
+
+def _path_is_public(path: str) -> bool:
+    return any(
+        path == prefix or path.startswith(prefix)
+        for prefix in _GATE_PUBLIC_PREFIXES
+    )
+
+
+def _client_ip(request: Request) -> str:
+    fwd = request.headers.get("x-forwarded-for", "")
+    if fwd:
+        return fwd.split(",")[0].strip()
+    return request.client.host if request.client else ""
+
+
+def _unauth_response(path: str, *, reason: str) -> Response:
+    """API routes → 401 JSON; HTML routes → 302 → /login."""
+    if path.startswith("/api/"):
+        return JSONResponse(
+            {"detail": "Unauthorized", "reason": reason},
+            status_code=401,
+        )
+    return RedirectResponse(url="/login", status_code=302)
+
+
+async def gated_auth_middleware(
+    request: Request,
+    call_next: Callable[[Request], Awaitable[Response]],
+) -> Response:
+    """Engaged only when ``app.state.auth_required is True``.
+
+    No-op pass-through in loopback mode so the legacy auth_middleware can
+    handle those binds via ``_SESSION_TOKEN``.
+    """
+    if not getattr(request.app.state, "auth_required", False):
+        return await call_next(request)
+
+    path = request.url.path
+    if _path_is_public(path):
+        return await call_next(request)
+
+    at, _rt = read_session_cookies(request)
+    if not at:
+        return _unauth_response(path, reason="no_cookie")
+
+    # Try every registered provider's verify_session in turn. Providers
+    # MUST return None for tokens they don't recognise (not raise). This
+    # lets multiple providers stack — the first one that recognises a
+    # token wins.
+    session = None
+    for provider in list_providers():
+        try:
+            session = provider.verify_session(access_token=at)
+        except ProviderError as e:
+            _log.warning(
+                "dashboard-auth: provider %r unreachable during verify: %s",
+                provider.name, e,
+            )
+            audit_log(
+                AuditEvent.SESSION_VERIFY_FAILURE,
+                provider=provider.name,
+                reason="provider_unreachable",
+                ip=_client_ip(request),
+            )
+            return JSONResponse(
+                {"detail": f"Auth provider {provider.name!r} unreachable"},
+                status_code=503,
+            )
+        if session is not None:
+            break
+
+    if session is None:
+        audit_log(
+            AuditEvent.SESSION_VERIFY_FAILURE,
+            reason="no_provider_recognises",
+            ip=_client_ip(request),
+        )
+        return _unauth_response(path, reason="invalid_or_expired_session")
+
+    request.state.session = session
+    return await call_next(request)